Full Version: AV Protection 2011 Malware
Kaspersky Lab Forum > English User Forum > Virus-related issues
grandhavenbill
I have the AV Protection 2011 malware on my machine.... I have tried Malwarebytes and it just keeps coming back and has "blossomed" into a nagging blinkx redirect too.

Here is a link to my GSI log: http://www.getsysteminfo.com/read.php?file...be76f2ab7f477c9

My virusinfo_syscure.zip log is attached.

Thanks for your help!!

grandhavenbill
richbuff
Welcome. If you don't have Kaspersky installed, please feel free to use the AVP Tool. It is linked in the first Important topic.

Attach its sysinfo.zip.
Located at Desktop\Virus Removal Tool\LOG\avptool_sysinfo.zip
grandhavenbill
QUOTE(richbuff @ 24.11.2011 05:18) *
Welcome. If you don't have Kaspersky installed, please feel free to use the AVP Tool. It is linked in the first Important topic.

Attach its sysinfo.zip.
Located at Desktop\Virus Removal Tool\LOG\avptool_sysinfo.zip


Thanks. I have run the AVP Tool, but cannot find the sysinfo.zip file. There is not a "Virus Removal Tool" folder on my desktop, and I get a "location is not available" error when I click on the avptool_sysinfo.zip link.....

grandhavenbill
I was able to create the attached manual disinfection report .txt file.....
richbuff
Run this script (instructions: http://forum.kaspersky.com/index.php?showt...mp;#entry678368). The PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Users\Jen\AppData\Roaming\svhostu.exe','');
QuarantineFile('C:\Users\Jen\AppData\Local\temp\winupd4744.exe','');
DeleteFile('C:\Users\Jen\AppData\Local\temp\winupd4744.exe');
DeleteFile('C:\Users\Jen\AppData\Roaming\svhostu.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','G9gTTqjYekVrO');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a Combofix log. Please review these instructions carefully before downloading Combofix, and follow them carefully after downloading it.

Before downloading and saving Combofix to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the Combofix file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started, please DO NOT click on the Combofix window or attempt to use your computer, as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and they will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky protection that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

--------------------
The instructions posted here are for the original poster Only. If you have same or other issue, please see the first Important read me topic, and then open a New Topic for yourself.

memo: Vista SP2.
grandhavenbill
Combofix has been "stuck" on the blue "scanning for infected files" screen for over 45 minutes now with no other activity. It appears to have stalled?
richbuff
Please try Combofix when booted to Safe mode.

If still no go with Combofix after an hour in Safe mode, scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but please don't remove anything yet, until the log is reviewed.
grandhavenbill
Still no luck with combofix, and it just keeps getting more interesting.....I'm now getting a "recycle bin on C:\ is corrupt" message. Attempted a system restore thinking it might be part of the reason combofix won't run, but the system restore did not fix the recycle bin corruption issue.

I ran malwarebytes a couple of times yesterday before I contacted you. It found numerous issues and I did go ahead and remove them at that time. On my latest run, two issues were detected.

I have attached the last 3 logs.
grandhavenbill
QUOTE(grandhavenbill @ 24.11.2011 20:29) *
On my latest run, two issues were detected.


Just to clarify: I did NOT remove the infected files on the last run of malwarebytes
richbuff
Please Remove Selected what Malwarebytes detects > reboot.

Please check to see if c:\combofix.txt exists, and if so, please attach it.

It appears that Combofix did quarantine some items.

Run this script, instructions same as the last one:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\ and upload both it and C:\quarantine.zip to a filehost such as http://www.mediafire.com/
Then, private message me the download link to the uploaded file. Click my user name and select Send message. Lastly, after you send me the qoobox, uninstall Combofix by: Start > run > type combofix /uninstall > ok. Or Start > run > type 123 /uninstall > ok.
grandhavenbill
PM sent with links.

Still cannot find any combofix files....
richbuff
I received the links. Your qoobox shows that Combofix was run in May, 2011 and November 1st, 2011.

Any changes noted with the AV Protection 2011 Malware?