My Dell laptop has avast! Internet Security installed on it. It updates automatically throughout the day. Even so, today a virus has attacked! The Cloud AV 2012. I have very little technical knowledge, so this is SCARY! I was able to run the complete scan, and it found and removed a file. But I'm still seeing the big red box when I start up the computer. I'm currently writing from my Mac laptop, so I do have internet access. Just not on the infected computer - well, actually I'm afraid to try the internet on the Dell, so I'm not sure if it's working or not. I'm hoping someone can give me very clear, simple instructions on what to do. Please help!

A new one - not played with this before

Download RogueKiller to your desktop

• Quit all running programs
• For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 2 and validate
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.
THEN

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U*.* /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

I ran roguekiller here’s the report:

RogueKiller V6.1.10 [11/18/2011] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Christine [Admin rights]
Mode: Remove – Date : 11/23/2011 17:57:20

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤
[SUSP PATH] HKCU[…]\Run : uwjjjUVelIBtzNc8234A (C:\Users\Christine\AppData\Roaming\ovvDD2onF4pm5sJ\Cloud AV 2012v121.exe) → DELETED
[SUSP PATH] HKCU[…]\Run : W444ppmH5sQ7dK8 (C:\Users\Christine\AppData\Roaming\dwme.exe) → DELETED
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)
[HJ] HKCU[…]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)
[HJ] HKCU[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)
[HJ] HKCU[…]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) → REPLACED (0)
[HJ] HKCU[…]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) → REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

Finished : << RKreport[1].txt >>
RKreport[1].txt
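What the report above is actually telling you, as an added example that is not part of this thread and not RogueKiller's own code: the two [SUSP PATH] lines are per-user autostart values (HKCU\...\Run) with random-looking names whose targets sit in %APPDATA%, which is where a user-level dropper can write without administrator rights, and the six [HJ] lines are HideDesktopIcons values the rogue set to 1 to make the Computer, Recycle Bin and User's Files icons disappear from the desktop. The script parses those entry lines, flags the autoruns and decodes the CLSIDs. The sample text is constructed from the report above (ASCII arrows instead of →), and the "random-looking name" rule and the user-writable path markers are this example's heuristics, not RogueKiller's.

```python
"""Triage of the 'Registry Entries' block of a RogueKiller report.

Added example for this thread; not part of the forum post and not
RogueKiller's own code. The name heuristic, the path markers and the
sample text are assumptions built from the report above, not live data."""
import re
from dataclasses import dataclass

# Shell CLSIDs stored under
# HK??\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\
# {NewStartPanel,ClassicStartMenu}; a DWORD of 1 hides that desktop icon.
HIDDEN_ICON_CLSIDS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "Computer",
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
    "{59031A47-3F72-44A7-89C5-5595FE6B30EE}": "User's Files",
}

# Path fragments a standard user can write to (assumption for this example).
# Software that autostarts from here was dropped at user level, not installed
# by an elevated installer.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")

# One RogueKiller entry line: [KIND] HIVE[...]\Key : Name (Value) -> Action
ENTRY_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] (?P<hive>HK\w+)\[[^\]]*\]\\(?P<key>\S+) : "
    r"(?P<name>\S+) \((?P<value>[^)]*)\) (?:→|->) (?P<action>.+)$"
)

# Constructed sample: the eight entries from the report above.
SAMPLE_REPORT = r"""
[SUSP PATH] HKCU[...]\Run : uwjjjUVelIBtzNc8234A (C:\Users\Christine\AppData\Roaming\ovvDD2onF4pm5sJ\Cloud AV 2012v121.exe) -> DELETED
[SUSP PATH] HKCU[...]\Run : W444ppmH5sQ7dK8 (C:\Users\Christine\AppData\Roaming\dwme.exe) -> DELETED
[HJ] HKLM[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ] HKCU[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
"""


@dataclass
class Entry:
    kind: str
    hive: str
    key: str
    name: str
    value: str
    action: str


def parse_entries(report: str) -> list[Entry]:
    """Return one Entry per line that matches RogueKiller's entry format."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic (this example's, not RogueKiller's): 10+ alphanumeric
    characters mixing upper case, lower case and digits with no separators."""
    return (len(name) >= 10 and name.isalnum()
            and any(c.isdigit() for c in name)
            and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def autorun_findings(entries: list[Entry]) -> list[tuple[str, str, list[str]]]:
    """Flag Run/RunOnce values: (value name, target path, reasons)."""
    findings = []
    for e in entries:
        if e.key.lower() not in ("run", "runonce"):
            continue
        reasons = []
        if any(marker in e.value.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("target in user-writable profile directory")
        if looks_random(e.name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append((e.name, e.value, reasons))
    return findings


def hidden_icons(entries: list[Entry]) -> list[str]:
    """Desktop icons the HideDesktopIcons entries were hiding (value 1)."""
    hidden = set()
    for e in entries:
        if e.key in ("NewStartPanel", "ClassicStartMenu") and e.value == "1":
            hidden.add(HIDDEN_ICON_CLSIDS.get(e.name.upper(), e.name))
    return sorted(hidden)


def triage(report: str) -> dict:
    """Summarise a report: entry count, suspicious autoruns, hidden icons."""
    entries = parse_entries(report)
    return {
        "entries": len(entries),
        "autoruns": autorun_findings(entries),
        "hidden_icons": hidden_icons(entries),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, target, reasons in result["autoruns"]:
        print(f"autorun {name} -> {target}: {', '.join(reasons)}")
    print("desktop icons hidden by the rogue:", ", ".join(result["hidden_icons"]))
```

On the live machine the same two places can be checked by hand with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel`. The heuristics only flag; some legitimate per-user installers also autostart from AppData, so a hit is a reason to look at the file, not proof on its own.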

here’s the report:

To avoid multiple posts with copy and paste, you must attach the two OTL logs.

see attached text file from OTL

OTL.txt attached

Essexboy is in bed now… but will continue with the removal tomorrow…

Okay. Tomorrow is Thanksgiving here in US. I’m thankful there’s people out there that know how to fix this crazy bad stuff.

The United Kingdom does not celebrate Thanksgiving so Essexboy will be back tomorrow.

Hi again … On completion of this run, can you let me know what problems remain?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2011/11/23 13:02:15 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\RsWK7fEL9TqYwIr
[2011/11/23 13:02:15 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\qONtxP0uc1b3n4m
[2011/11/23 11:03:35 | 002,800,640 | ---- | C] (?????????? ??????????) -- C:\Users\Christine\AppData\Roaming\java.exe
[2011/11/23 10:43:34 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\vVelIBtzPyAuDoF
[2011/11/23 10:43:34 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\KpmG5sQJ6E8R9Tw
[2011/11/23 10:02:46 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\LQH66WWKfEL
[2011/11/23 10:02:46 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\lNtxx00uS2iDpn4
[2011/11/23 10:02:46 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cloud AV 2012
[2011/11/23 10:02:31 | 002,800,640 | ---- | C] (?????????? ??????????) -- C:\Users\Christine\AppData\Roaming\iexplore.exe
[2011/11/23 10:02:26 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\mIIIVrrzONtA0uS
[2011/11/23 09:59:34 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\ovvDD2onF4pm5sJ
[2011/11/23 09:59:33 | 000,000,000 | ---D | C] -- C:\Users\Christine\AppData\Roaming\uRRRZqqhYXwkVeO
[2011/11/23 16:37:12 | 002,800,640 | ---- | M] (?????????? ??????????) -- C:\Users\Christine\AppData\Roaming\java.exe
[2011/11/23 16:37:12 | 000,001,983 | ---- | M] () -- C:\Users\Christine\AppData\Roaming\ahst.lni
[2011/11/23 13:02:21 | 000,001,971 | ---- | M] () -- C:\Users\Christine\Desktop\Cloud AV 2012.lnk
[2011/11/23 10:16:49 | 002,800,640 | ---- | M] (?????????? ??????????) -- C:\Users\Christine\AppData\Roaming\iexplore.exe
[2011/11/23 10:43:34 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\KpmG5sQJ6E8R9Tw
[2011/11/23 10:02:46 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\lNtxx00uS2iDpn4
[2011/11/23 10:02:46 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\LQH66WWKfEL
[2011/11/23 10:02:26 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\mIIIVrrzONtA0uS
[2011/11/23 17:52:47 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\ovvDD2onF4pm5sJ
[2011/11/23 13:02:17 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\qONtxP0uc1b3n4m
[2011/11/23 13:02:15 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\RsWK7fEL9TqYwIr
[2011/11/23 09:59:33 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\uRRRZqqhYXwkVeO
[2011/11/23 10:43:34 | 000,000,000 | ---D | M] -- C:\Users\Christine\AppData\Roaming\vVelIBtzPyAuDoF

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN
Please download Malwarebytes’ Anti-Malware

• Double click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I ran run fix in OTL, rebooted, then ran quick scan in OTL. Log is attached.

Could you now update and run MBAM please and on completion let me know what problems remain

I ran into Cloud AV 2012 today while web browsing with Firefox on Win7.

When it first popped up, I was unable to kill it. Flash kept requesting access to change my hard drive, and would not take NO as an answer until I 3-finger saluted and killed every suspicious-looking program and process in Task Manager. I rebooted, and Cloud AV 2012 launched automatically. I ran msconfig, cleared it from all the startup fields, and rebooted; this time, it did not launch, but it was still on my PC. It did not install itself as a proxy server; I was able to use IE to troubleshoot online (wasn't sure if Firefox was infected).

So, avast didn't stop it, didn't catch it in a scan, and didn't even recognize it as a virus when I clicked on the virus .exe and initiated a scan. I found this thread in a Google search, installed Malwarebytes Anti-Malware, which appears to have found and destroyed it.

Here is the log from Malwarebytes. They may not all be CloudAv, but they’re all files that Avast missed:

Folders Infected:
c:\Users\xxxx\AppData\Roaming\microsoft\Windows\start menu\Programs\cloud av 2012 (Rogue.CloudAV2012) → No action taken.

Files Infected:
c:\Users\xxxx\AppData\Roaming\dwme.exe (Malware.Packer) → No action taken.
c:\Users\xxxx\AppData\Roaming\firefox.exe (Malware.Packer) → No action taken.
c:\Users\xxxx\AppData\Local\Temp\dwme.exe (Malware.Packer) → No action taken.
c:\Users\xxxx\AppData\Local\Temp\tmph1549684543348720964.tmp (Trojan.Tracur) → No action taken.
c:\Users\xxxx\downloads\xvidsetup.exe (Adware.Hotbar) → No action taken.
c:\Users\xxxx\AppData\Roaming\ahst.lni (Malware.Trace) → No action taken.
c:\Users\xxxx\Desktop\cloud av 2012.lnk (Rogue.CloudAV2012) → No action taken.
c:\Users\xxxx\AppData\Roaming\microsoft\Windows\start menu\Programs\cloud av 2012\cloud av 2012.lnk (Rogue.CloudAV2012) → No action taken.

  • Please create your own new topic, here http://forum.avast.com/index.php?board=4.0 in the viruses and worms forum (click the New topic button at the top of the page), so as not to hijack this one, and we will try and help you there.

Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and start your own new topic and attach the logs there, not in the LOGS topic.

The MBAM log shows “no action taken” for every malware instance it found. I interpret that to mean MBAM did not remove those infections.

I don’t have any problems at this point and didn’t mean to hijack, just hoping my information will help update Avast!. If I have any new issues, I’ll start a new thread.

It deleted all the noted files (I watched the desktop icon disappear in real time, and the other files are no longer there); not sure why it says “no action taken” in the log. Edit: it had apparently quarantined the files, not deleted them. I deleted them through MBAM this morning.

OK guys. I tried MBAM 4 times and it still wouldn't work, and it was very confusing.

I did end up removing it but it wasn’t free. At this stage it was well worth it, I didn’t want to lose all of my files plus I can’t afford a new computer.

I found this site and they have a very easy 3-step process to remove this Cloud AV 2012 virus.

Here it is: http://www.security-exchange.net/news/cloud-av-2012-virus/

I have since reinstalled my avast and my computer is working better than ever.

That site has a phone number to assist you if you run into any problems removing the virus too.

I hope this helps!

Good Luck!

I did end up removing it but it wasn't free.
Yes... PC Tools Spyware Doctor is not free

but here in the forum malware removal is free :wink:

Plus there are probably some residual files

I ran MBAM after the OTL and it reported no files detected/no action taken. There was a report file, but I was unable to figure out where it saved on my hard drive, so I have nothing to attach. I’ll run MBAM again tonight, but I’m thinking I’m cured. Being optimistic. Thanks.