I have Windows XP on my desktop computer. We have no internet access at all. My son got the AV 2012 virus on the desktop. How do you recommend that we remove this?
I appreciate all your help.
Fran
follow this guide and attach all logs
http://forum.avast.com/index.php?topic=53253.0
if you have no internet access on infected computer, download tools to a USB stick and move over to infected comp
you may also see this guide http://www.bleepingcomputer.com/virus-removal/remove-av-security-2012
Essexboy will then help you later today…
Thanks.
I had to start in safe mode and hope this still worked.
Malwarebytes report:
If you start in Safe mode with networking…and then try to update Malwarebytes before you scan, as your log shows it has an old signature database
It also looks as if you have avast and Norton installed?
Essexboy is notified…
I have tried to remove the program in safe mode and went to the toolkit removal. I am told that I need internet access. I can’t change my LAN settings because they are not checked any way. Any help is appreciated.
Fran
When you boot into safe mode you could try safe mode with networking.
Sorry Essexboy,
I am in safe mode with networking when I am on the infected computer. I cannot update malware because I cannot access the internet in safe mode either. I used to have Norton but removed it and just kept Avast. Perhaps it didn’t totally remove???
I am worried that taking the flash drive back and forth to the uninfected computer will cause problems. This morning my laptop loaded funny and I had to reboot before I could access the computer. Worry or paranoia, not sure.
Thanks for your comments. Any further direction???
when you are in “Safe mode with networking” you need cable connection and not wireless…do you have that
Hi, let's see if this will restore your internet. Are all your desktop icons, start menu programmes present? OTL will reboot you to normal mode
As the fix is quite large I will need to attach it, download the fix.txt file to your desktop
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Click the run fix button
- A dialogue will open asking for the location of the fix
- Browse to and select the fix.txt that you downloaded
- Press run fix again
Sigh, sigh, sigh
I ran the program as you asked. Still no internet explorer. I cannot rerun avast as I am told the service has stopped.
I do not have an ip address, period. Can I restore to an earlier date. When I try to run rkill it stops and says that the program has been stopped by rkill. I get an error message when running rkill that I am in safe mode. Do I want to continue or go to the restore module.
2 hours this morning and nothing. However, the avast 2012 looks to be removed. Afraid to reboot as directions say need to run antivirus first.
Antivirus is now unsecured and fix now doesn’t work and I can’t get it to run.
With regard to Avast could you run a repair on the programme - From control Panel > Add/remove
Select Avast and on the left of the uninstall dialogue are a series of options > select Repair
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{77695730-F0FD-491C-8603-A3655CCEEF28}: C:\Documents and Settings\Owner\Local Settings\Application Data\{77695730-F0FD-491C-8603-A3655CCEEF28}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{EBBED563-9EA2-4D13-9E1F-2B0112FA1736}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{EBBED563-9EA2-4D13-9E1F-2B0112FA1736}\ [2010/03/25 18:02:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{21F7A5FC-4004-41C2-8C1B-3493ADB664A6}: C:\Documents and Settings\Owner\Local Settings\Application Data\{21F7A5FC-4004-41C2-8C1B-3493ADB664A6}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{E3C7DCA5-26A9-4B67-A356-88E0AE2B58C7}: C:\Documents and Settings\Owner\Local Settings\Application Data\{E3C7DCA5-26A9-4B67-A356-88E0AE2B58C7}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{335C706C-7314-4106-A9DC-8855F895E38C}: C:\Documents and Settings\Owner\Local Settings\Application Data\{335C706C-7314-4106-A9DC-8855F895E38C}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{09D24B01-9033-4AD1-A656-171EF16C2964}: C:\Documents and Settings\Owner\Local Settings\Application Data\{09D24B01-9033-4AD1-A656-171EF16C2964}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B376E164-DF2A-4E7B-9D3C-699FD67AB5CD}: C:\Documents and Settings\Owner\Local Settings\Application Data\{B376E164-DF2A-4E7B-9D3C-699FD67AB5CD}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{947382DB-39EB-46D6-BF28-547763E3BE3F}: C:\Documents and Settings\Owner\Local Settings\Application Data\{947382DB-39EB-46D6-BF28-547763E3BE3F}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D923AA26-308D-47A4-ADCB-72AECF9B5388}: C:\Documents and Settings\Owner\Local Settings\Application Data\{D923AA26-308D-47A4-ADCB-72AECF9B5388}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F6A2D5D5-1A79-48FF-9A15-5F4A07838DB6}: C:\Documents and Settings\Owner\Local Settings\Application Data\{F6A2D5D5-1A79-48FF-9A15-5F4A07838DB6}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{19177630-995E-4FA6-8397-8799911C1C7B}: C:\Documents and Settings\Owner\Local Settings\Application Data\{19177630-995E-4FA6-8397-8799911C1C7B}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{C54C6E4A-CA87-4ABD-B130-09AEC372A5A2}: C:\Documents and Settings\Owner\Local Settings\Application Data\{C54C6E4A-CA87-4ABD-B130-09AEC372A5A2}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4189BEF2-2767-4294-A7B1-0C8B1EEFE490}: C:\Documents and Settings\Owner\Local Settings\Application Data\{4189BEF2-2767-4294-A7B1-0C8B1EEFE490}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{7C566C15-DBB8-470D-8CD5-F3DCA576CF31}: C:\Documents and Settings\Owner\Local Settings\Application Data\{7C566C15-DBB8-470D-8CD5-F3DCA576CF31}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{E82CDC65-D3B4-463B-A56E-85905920E8F1}: C:\Documents and Settings\Owner\Local Settings\Application Data\{E82CDC65-D3B4-463B-A56E-85905920E8F1}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F09D793D-913B-4F52-B5CE-48F93448829C}: C:\Documents and Settings\Owner\Local Settings\Application Data\{F09D793D-913B-4F52-B5CE-48F93448829C}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{258626A1-FA86-4D19-AD58-B71885453FAD}: C:\Documents and Settings\Owner\Local Settings\Application Data\{258626A1-FA86-4D19-AD58-B71885453FAD}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{5BDB6C7C-54D2-48A3-90B9-0EDFF96B1BBA}: C:\Documents and Settings\Owner\Local Settings\Application Data\{5BDB6C7C-54D2-48A3-90B9-0EDFF96B1BBA}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0FDA65B4-3FEE-4E94-9EC3-C315C8C28519}: C:\Documents and Settings\Owner\Local Settings\Application Data\{0FDA65B4-3FEE-4E94-9EC3-C315C8C28519}\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{682C99AA-1B1E-4427-9092-48FC5CF159BF}: C:\Documents and Settings\Owner\Local Settings\Application Data\{682C99AA-1B1E-4427-9092-48FC5CF159BF}\
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and copy to the affected system the MSFixit from this page
http://support.microsoft.com/kb/299357
NEXT
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
I was able to get avast to run by ignoring the error message - duh, and I have run the fix this is what the virus does, right? It ran successfully and stated no viruses were found.
I have run OTL and logs are attached.
I cannot run the fix from microsoft as I am told that the administrator prevents this. I tried to go to my security center to see why this might be so, but cannot understand what might be preventing me from running the check.
I am reluctant to go past this point as I am trying to go in order.
Thank you for all of your help.
Fran
Could you now run combofix please - it may run in reduced functionality mode but it will give me a clear look at your drivers
Is it okay not to disable avast? Following the directions I do not have the option to disable it… The avast still says it is not working with an error message, but does run if I just ignore the error message.
Just ensure that Avast does not sandbox any files or delete/quarantine any files whilst combofix is running
Here is the combofix log. It took quite a while…
One more to kill and you should have the internet back. Let me know what problems remain on completion please
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
Folder::
c:\windows\$NtUninstallKB43628$
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
I hate to sound stupid, but I do not seem to be able to disable any of my malware or antivirus. In the past that has not been a problem. Now I do not see the option to disable. Kept having to tell Avast not to sandbox the previous program. Follow the same procedure?
Right click Avast and select shield control > disable till reboot
Then run the Combofix script
This may be a double post but I do not see. Attached is a screen shot of what I am able to see to disable avast. What you have pictured is not an option. When I try to do as you said with combofix I am told the file is spelled incorrectly. Will get a screen shot of that.
Thanks for your patience.