Full Version: Renos.jm, cannot remove
Kaspersky Lab Forum > English User Forum > Virus-related issues
Frenz0rz
Windows Defender detected a trojan, renos.jm, that Kaspersky failed to detect. I immediately ran a Kaspersky scan, only for the program to close without an error message less than a minute into the scan. I'm now told by Windows that I do not have permission to run avp.exe, and cannot boot up Kaspersky. I tried repairing it, but once again I do not have permission. My internet is also erratic, and I'm automatically being directed to various ad sites and random search engines. I've since unplugged my internet and am using my mate's PC.

There's also an unknown exe named 'a.exe' in my temp folder which I am unable to delete. Defender keeps informing me about the trojan, yet fails to delete it every time.

Any help would be appreciated, since I've university work which requires use of the internet, not to mention I am an avid gamer.

I've already attached my avz log. Cheers for the help in advance.
richbuff
Welcome. Run this script, instructions: http://forum.kaspersky.com/index.php?s=&am...st&p=678368 PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Windows\msa.exe','');
QuarantineFile('C:\Users\James\AppData\Local\Temp\a.exe','');
DeleteFile('C:\Users\James\AppData\Local\Temp\a.exe');
DeleteFile('C:\Windows\msa.exe');
DeleteFile('C:\windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job');
DeleteFile('C:\windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','PopRock');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a Combofix log. Please review and follow these instructions carefully.

Before Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Frenz0rz
Tried running the AVZ script, but within seconds the program was closed down and its permissions changed so that I can no longer access it. I tried again in safe mode with another copy of AVZ, and also changed the name, but the same thing occurred.

I am at a loss. Perhaps I should try a system restore?
Frenz0rz
Ok, I tried to access system restore but every time I try to open it nothing happens. Tried to run combofix, but both in and out of the result was a bluescreen followed by instant restart. Can anyone help me at all? I've tried everything and am at my wits end.
richbuff
Please try to run the script with this renamed AVZ, download it from here: http://www.malwarecrawler.com/a-v-z.exe
Frenz0rz
QUOTE(richbuff @ 29.10.2009 02:52) *
Please try to run the script with this renamed AVZ, download it from here: http://www.malwarecrawler.com/a-v-z.exe


Didn't work I'm afraid. The program shut down just like before, and the permissions were changed to deny me access to it. Interestingly, if I run it from my USB pen the program shuts down when I run the script but I can still access it afterwards.

I don't think any antivirus software is going to work - whenever a program tries to delete or quarantine the virus, that program is terminated and its permissions edited. Is there some other way I can get rid of this? I'm by no means an advanced user, but with enough explanation I can edit a registry or use a command prompt. Is there no other solution?
dawgg
Boot using Windows CD, go into recovery console and rename the suspect files by typing in the commands:
Rename C:\Windows\msa.exe msa.old
Rename C:\Users\James\AppData\Local\Temp\a.exe a.old
exit


Remove your Windows CD when it restarts.
Send msa.old and a.old to Kaspersky's viruslab - http://support.kaspersky.com/virlab/helpdesk.html.

Insert your Windows CD into the computer, click Start - Run and type in sfc /scannow
Download Combofix again (remember to rename it when saving). Can you run it successfully as per Richbuff's instructions in post#2?
Frenz0rz
Unfortunately, being at university I don't have a Windows Vista CD at hand.

However, I have successfully deleted the trojan using a utility referred to me by a friend, 'SUPERAntiSpyware'. After deleting the trojan I found that I couldn't boot my PC with the internet plugged in - this turned out to be because Kaspersky was set to boot on startup, and I still don't have permission to access it. I've disabled it using msconfig, but I don't really want to use the internet without it.

So my new question is - how do I change the permissions to allow me to run Kaspersky again, and to delete all the failed avz.exe programs on my desktop?
dawgg
Removing the malware should do it (may need to re-install Kaspersky again).

Delete AVZs which did not run manually.

The one which did run, use it to create a new AVZ log of your computer and attach it to your next post (to check the malware has been removed).
Frenz0rz
Here's my new AVZ log.

I had to download another copy of avz, since the ones I already have (as well as the Kaspersky avp.exe) still will not run. The exact error I get is "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item." Due to this it is also impossible to delete or even move any of the avz files, and I've had to download AVG as a temporary antivirus until Kaspersky works again. I've tried repairing and uninstalling Kaspersky, but both times I've been told I do not have the permissions.
dawgg
Download Win32kdiag.exe and save it to your desktop. Run it.
When it's finished, press any key to close it.
It will make a log file on your desktop. Attach the log to your next post.
Frenz0rz
QUOTE(dawgg @ 1.11.2009 17:30) *
Download Win32kdiag.exe and save it to your desktop. Run it.
When it's finished, press any key to close it.
It will make a log file on your desktop. Attach the log to your next post.


Will do. In the meantime, I found a program called Unlocker that allowed me to delete all the avz.exe programs on my desktop. I also deleted the avp.exe, since it was all I could do to modify it, and am in the process of reinstalling Kaspersky.
dawgg
You mean you deleted avp.exe from Kaspersky's directory?
If yes, use this tool to remove Kaspersky (the uninstaller may break if all files which should be there are not there) - http://support.kaspersky.com/faq/?qid=208279463
Frenz0rz
QUOTE(dawgg @ 1.11.2009 22:25) *
You mean you deleted avp.exe from Kaspersky's directory?
If yes, use this tool to remove Kaspersky (the uninstaller may break if all files which should be there are not there) - http://support.kaspersky.com/faq/?qid=208279463


I just reinstalled Kaspersky before reading your message, by using the modify/repair/remove tool and reinstalling with a fresh download. However, upon trying to start a fresh scan after a successful installation, I am told "Service part of the program was unloaded from computer memory". I am now getting the same errors as before and cannot boot up Kaspersky because I do not have permission. Should I completely remove it with that tool, and try again? Or is there a virus/trojan still at large?

Edit: Also, the program you sent me crashes with an unnamed error a few seconds after I start to run it.
dawgg
It's up to you if you want to try to Uninstall-Install Kaspersky again.

There is still an infection on your system - also explains why you still can't use Kaspersky.


You mean Win32kdiag crashes?
Try to exit AVG and then download and run it again. If that doesn't work, try in safemode.
Frenz0rz
QUOTE(dawgg @ 1.11.2009 22:52) *
You mean Win32kdiag crashes?
Try to exit AVG and then download and run it again. If that doesn't work, try in safemode.


AVG is switched off and Win32kdiag still crashes, both in and out of safe mode.

Here's a screenshot.
dawgg
Exit AVG and all non-essential programs.
Ensure you have administrator access and are running the file under administrator credentials.

Copy Win32kDiag to your c:\ drive (so it's at c:\win32kdiag.exe)
Open Command prompt under administrator credentials - http://www.petri.co.il/vista_command_prompt.htm
Type in c:\win32kdiag.exe -f -r



Attach a Combofix log. Please review and follow these instructions carefully.

Before Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then attach the log c:\combofix.txt and c:\win32kdiag.txt


If the above doesn't work, try to run Kaspersky's AVPtool in SafeMode. Post here what's detected, if anything.


This is being a bugger, never seen it in a Vista machine before and rely on win32kdiag to fix it.
Frenz0rz
Here's the Win32kDiag log, I'll run Combofix in a minute.
Frenz0rz
Right, here's my Combofix log.
dawgg
Great work, nearly there now.

Just as a precaution before we install Kaspersky again, I'd like to have a look at some more information to make sure the active baddies have gone...

1. Create a new AVZ log and attach it to your next post.
2. Download Kaspersky's GSI tool from here and save it to your desktop.
3. Run the tool, click Settings - Customize... tick the "Scan system32" box and click OK - CreateReport.
4. Upload the report to http://www.getsysteminfo.com/ (should be created in the same directory as the GSI tool).
5. Once it's been uploaded, copy the URL and paste it here so we can look for any active baddies possibly lying around.


Also have a go doing a scan using MBAM and post here what it detects - http://www.malwarebytes.org/mbam.php
DO NOT remove what MBAM detects, just post the log.

Frenz0rz
New AVZ log here.
Frenz0rz
Here's the GSI

http://www.getsysteminfo.com/read.php?file...0a45133c3bf611c
dawgg
Great, the logs are both looking clean. Just want to check the Malwarebytes log and its nearly done.
Frenz0rz
Here's the Malwarebytes log, it found two infected files and I clicked ignore on both of them. It was a full scan of the C: drive.
dawgg
Thanks. One more file we need to replace.

Submit the following files to Kaspersky's viruslab - http://support.kaspersky.com/virlab/helpdesk.html
C:\Qoobox\Quarantine\C\Windows\System32\cngaudit.dll.vir
C:\Windows\win32k.sys

Go to your c:\Windows folder. Search it and all sub-directories for the file win32k.sys
Where are they located? copy and paste the location or post here a screenshot of the directory names.
Frenz0rz
QUOTE(dawgg @ 2.11.2009 18:56) *
Go to your c:\Windows folder. Search it and all sub-directories for the file win32k.sys
Where are they located? copy and paste the location or post here a screenshot of the directory names.


What exactly do you mean? I see one win32k.sys in C:\Windows, which is apparently 0kb, and another win32k.sys in C:\Windows\System32, which is 1,987kb.

Is that what you're after?
dawgg
Is it at any other locations?

I meant right-click the c:\windows folder and click Search. Then search win32k.sys
Tick in the search options "search subdirectories"
Does win32k.sys exist anywhere else other than the locations you posted?


Also, have you sent the files to the viruslab?
Frenz0rz
QUOTE(dawgg @ 2.11.2009 21:45) *
Is it at any other locations?


After doing a proper scan I also found a load of win32k.sys files each in their own folder, inside C:\Windows\winsxs, with folder names like \x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18211_none_b8e9ade49a8df956. Is that normal? Other than that, I can't see any others.

I'm sending the files to the viruslab right now.
Frenz0rz
It seems I cannot upload win32k.sys, probably because it shows as 0 bytes. I've sent cngaudit.dll.vir along with a description etc.
dawgg
Yes, that location is fine, exactly what I was looking for.
Win32k.sys might be 0 bytes because its information is hidden. Now, we need to replace the 0-byte win32k.sys (bad one) with the good one (the one with the long directory).

1. Open Command Prompt - http://www.petri.co.il/vista_command_prompt.htm
2. Copy the following line
CODE
copy C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18211_none_b8e9ade49a8df956\win32k.sys C:\ /y

3. In the black window which opens up, right-click in it and click Paste.
4. Click Return on your keyboard.

ONLY IF IT SAYS "1 FILE(S) COPIED", then continue reading on. IF IT DOESN'T, don't do anything else. Just post back saying it doesn't work. Also, close the command prompt window, regardless of whether it works or not.

5. Disable your antivirus program and save and exit all non-essential programs.
6. Download The Avenger to your desktop. Extract it.
7. Run Avenger.exe and click OK in the first prompt. Make sure "scan for rootkits" is ticked and "automatically disable rootkits" is unticked.
8. Copy the script below (all 5 lines)
CODE
Files to move:
C:\Windows\win32k.sys | C:\win32k.sys.old
C:\win32k.sys | C:\Windows\win32k.sys

9. Click Edit - Paste in The Avenger. Double-check both lines of the script are in the box.
10. Click "Execute" and then click all the "Yes"'s

Your PC will then restart.

Attach the log C:\avenger.txt to your next post.

Download and run Combofix again using the instructions shown here. Remember, download combofix again, don't use the old one.

Attach the new combofix log to your next post.


Installing Kaspersky again:
Download Kaspersky but DO NOT install it yet.
Download KAVremover10.zip. Extract it to your c:\ directory, so it is c:\kavremover10.exe
Open Command Prompt and type in:
CODE
cd c:\
kavremover10 kis2009

Enter the removal code in the KAV Remover Window and click Remove.
Restart your computer.

Uninstall AVG, SuperAntiSpyware and MBAM - (you can install SAS or MBAM again after installing Kaspersky if you wish).
Restart your computer.
Install Kaspersky, update Kaspersky and restart the computer.
Does it work?
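The procedure above hinges on telling the decoy win32k.sys apart from the genuine copies. As an added example (not code from the thread or from any Kaspersky tool), this Python script walks a Windows directory tree, hashes every copy of a named driver, and flags copies that are zero-length, sit outside System32 or winsxs, or differ from every winsxs component-store copy. The sample tree it builds is constructed to mirror the thread's layout; `build_sample_tree` and `audit_driver_copies` are names chosen here, and the file contents are stand-in bytes, not a real driver.

```python
# Added example, not from the thread: triage every copy of a kernel driver such as
# win32k.sys under a Windows root. The thread found a 0-byte win32k.sys in C:\Windows
# (a path the loader never uses for that file) beside the real one in System32 and the
# component-store copies in winsxs. Each copy is hashed and flagged if suspicious.
import hashlib
import tempfile
from pathlib import Path

EXPECTED_TOP_DIRS = ("system32", "winsxs")  # top-level dirs where a copy is expected


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_driver_copies(windows_root, name="win32k.sys"):
    """Return one finding dict per copy of `name` found under `windows_root`."""
    root = Path(windows_root)
    copies = [p for p in root.rglob("*") if p.is_file() and p.name.lower() == name.lower()]
    # Hashes of the component-store (winsxs) copies serve as the reference set.
    reference = {sha256_of(p) for p in copies
                 if p.relative_to(root).parts[0].lower() == "winsxs"}
    findings = []
    for p in copies:
        parts = [s.lower() for s in p.relative_to(root).parts]
        digest = sha256_of(p)
        flags = []
        if p.stat().st_size == 0:
            flags.append("zero-length")
        if len(parts) < 2 or parts[0] not in EXPECTED_TOP_DIRS:
            flags.append("unexpected-location")
        if reference and digest not in reference:
            flags.append("differs-from-winsxs")
        findings.append({"path": p.relative_to(root).as_posix(),
                         "size": p.stat().st_size, "sha256": digest, "flags": flags})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> Path:
    """Constructed layout mirroring the thread; returns a temporary Windows-like root."""
    root = Path(tempfile.mkdtemp(prefix="winroot_"))
    good = b"constructed stand-in for a genuine win32k.sys image"
    comp = root / "winsxs" / ("x86_microsoft-windows-win32k_31bf3856ad364e35"
                              "_6.0.6001.18211_none_b8e9ade49a8df956")
    comp.mkdir(parents=True)
    (comp / "win32k.sys").write_bytes(good)
    (root / "System32").mkdir()
    (root / "System32" / "win32k.sys").write_bytes(good)
    (root / "win32k.sys").write_bytes(b"")  # the suspicious 0-byte copy
    return root


if __name__ == "__main__":
    for f in audit_driver_copies(build_sample_tree()):
        print(f"{f['size']:>6} B  {f['flags'] or ['ok']}  {f['path']}")
```

Point `audit_driver_copies` at a real Windows directory (for example a mounted offline image) to get the same report for the live case; on the thread's machine only the copy in the Windows root would carry flags.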
Frenz0rz
Combofix and Avenger logs attached, going to try reinstalling Kaspersky now.
Frenz0rz
I was just told during the installation that the setup wizard has insufficient privileges to modify avp.exe. I assume KAV remover couldn't remove the old avp.exe and left it there without producing an error, so I'll delete it using Unlocker and try again.

Edit: There was no avp.exe. After cancelling the installer and checking the Kaspersky folder, it was empty. Spooky. Tried it again after a restart and the installation succeeded. Now to see if it'll run a scan, or lock out the permissions again.
Frenz0rz
Kaspersky is 73% through a full system scan right now, the first I've been able to perform without the program shutting down immediately since I first noticed the infection. It just detected "rootkit.win32.pmax.h", which upon the recommendation I immediately deleted. Everything is looking good.
dawgg
That's great. Good job. I appreciate the instructions were quite long in this case because this particular infection is a tough one to remove. Good you persevered and cleared it up.

Also submit C:\win32k.sys.old to Kaspersky's viruslab.


Download mbr.exe and save it to your desktop.
Click Start - run and type in "%userprofile%\desktop\mbr.exe" -f
Attach here the log it creates (MBR.log)
Frenz0rz
I can't upload win32k.sys.old, because it still registers as 0 bytes.

Here's the MBR.log.
dawgg
Great, MBR is clean now I guess.

Click Start - Run and type in Combofix /u
(Note, there is a space before the "/").

Feel free to delete/uninstall all other programs and logs you downloaded or created such as Avenger, AVZ, GSI.exe, MBR.exe, and c:\win32k.sys.old - and anything else I have forgotten.

Good job
Frenz0rz
Fantastic. Cheers for the brilliant quality of help on this, if it weren't for these forums I'd still be riddled with viruses. Is there somewhere I can donate to, or something else I can do to assist this place? I am eternally grateful.
dawgg
Don't worry about it, your kind words of appreciation are enough.
Invision Power Board © 2001-2009 Invision Power Services, Inc.