Green antivirus shield - vrtpatkmksm.exe - not identified.

I have been using Avast! for about 3 years now, and haven’t really had a problem - until this morning.

Somehow, I ended up with a nasty “antivirus” malware/virus/whatever.

This virus hijacked my .exe files. It wouldn’t allow me to run a scan, and it wouldn’t let me into my task manager to look for processes.

I went into safe mode, and was able to download updates for Avast. I was able to run Avast’s boot scan. It found a couple of corrupted zip files, but no viruses nor anything else.

Neither Malwarebytes nor Spybot (after jumping through similar hoops to get them updated) were able to find it.

I was fortunate to get into task manager by getting into it as soon as I logged on, instead of waiting for everything to start up. Once it launched, I was able to see that vrtpatkmksm.exe was one of the processes running. Once I killed it, it released my .exe files, and I was able to run scans without going into safe mode.

I was finally able to get rid of it by downloading and running Norton Power Eraser (which killed me to have to resort to). Since nothing else found it, I don’t really have logs from anything other than the Eraser, so here is the information I am able to get from it:

Risk:
vistacodecpack
C:\program files\vistacodecpack

vrtpatkmksm.exe
C:\Users\XXXXX\AppData\Local\Temp\otwisiusb\vrtpatkmksm.exe
C:\Users\XXXXX\AppData\Local\Temp\otwisiusb
\REGISTRY\USERS\XXXXXX\software\microsoft\windows\current version\run"jxwcogte"

download
\REGISTRY\USERS\XXXXXX\software\microsoft\Internet Explorer\Download"CheckExeSignatures"
\REGISTRY\USERS\XXXXXX\software\microsoft\Internet Explorer\Download"RunInvalidSignatures"

internet settings
\REGISTRY\USERS\XXXXXX\software\microsoft\windows\current version\Internet Settings"ProxyEnable"
\REGISTRY\USERS\XXXXXX\software\microsoft\windows\current version\Internet Settings"ProxyServer"
\REGISTRY\USERS\XXXXXX\software\microsoft\windows\current version\Internet Settings"ProxyOverride"

This thing was hell to get rid of. I know that new ones come out daily, and it’s hard to keep up, but DAMN!!!
I’m very disappointed with Avast right now, but thought I’d log in and post so that others would be aware, and maybe save some time fixing it. I also thought by posting, the team at Avast! can update the definitions for this thing.
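An added audit script, not part of this post or of any Avast tool, that checks the three registry locations the Norton Power Eraser output above reports for the current user: the Run autostart key, the Internet Explorer Download signature settings and the user proxy settings. The "suspicious" criteria are the script's own assumptions, and a proxy you configured yourself will also be listed.

```powershell
# Added audit script, not from the forum post. It checks the registry locations
# listed in the Norton Power Eraser output; value names come from that output,
# the "suspicious" criteria are this script's own assumptions.

$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function New-Finding($Location, $Value, $Why) {
    [pscustomobject]@{ Location = $Location; Value = $Value; Why = $Why }
}

function Test-RunKeyEntries {
    # Autostart commands that live in a per-user Temp folder, the pattern seen
    # in the log (...\AppData\Local\Temp\otwisiusb\vrtpatkmksm.exe).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($PsMeta -contains $p.Name) { continue }   # provider metadata, not a Run value
        if ("$($p.Value)" -match '\\AppData\\Local\\Temp\\') {
            New-Finding "$key\$($p.Name)" $p.Value 'autostart from a Temp folder'
        }
    }
}

function Test-IeDownloadSettings {
    # CheckExeSignatures = "no" and RunInvalidSignatures = 1 silence the
    # signature check on downloaded executables.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
    if (-not (Test-Path $key)) { return @() }
    $v = Get-ItemProperty -Path $key
    if ($v.CheckExeSignatures -eq 'no') { New-Finding "$key\CheckExeSignatures" $v.CheckExeSignatures 'signature check disabled' }
    if ($v.RunInvalidSignatures -eq 1) { New-Finding "$key\RunInvalidSignatures" $v.RunInvalidSignatures 'unsigned downloads allowed to run' }
}

function Test-ProxySettings {
    # A proxy the user never configured can route all browsing through a third
    # party; a legitimately configured corporate proxy will also show up here.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if (-not (Test-Path $key)) { return @() }
    $v = Get-ItemProperty -Path $key
    if ($v.ProxyEnable -eq 1) {
        New-Finding "$key\ProxyServer" $v.ProxyServer 'user proxy enabled'
        if ($v.ProxyOverride) { New-Finding "$key\ProxyOverride" $v.ProxyOverride 'proxy bypass list set' }
    }
}

$findings = @(Test-RunKeyEntries) + @(Test-IeDownloadSettings) + @(Test-ProxySettings)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No indicators found.' }
```

Run it from the affected user's account, since all three keys live under HKCU; anything it lists should be compared against what you or your organisation actually configured before it is treated as an infection.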

It would have been helpful if you could have sent the vrtpatkmksm.exe sample to avast.

Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected, with the password in the email body; a link to this topic might help, and put "false positive/undetected malware" in the subject.

No single AV is going to cover 100%, and that is a fact, but it is not particularly reassuring, so up to a point you have to rely on your past history. I have had avast for seven years now and no infections; I also take other pro-active measures just in case.

This Green antivirus shield sounds like a rogue/fake AV, and they are spawning new variants at an alarming rate. MBAM is particularly good on these, as before being renamed to MBAM (MalwareBytes AntiMalware) it was called Rogue Remover.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available, a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.

Yes, it would have been helpful if I had been able to identify the exe before Norton got rid of it. But, I had no idea where it was. I did look for somewhere to contact Avast about the issue, but the only thing I found available was this board.

As I stated in my post, MalwareBytes didn’t catch it either.

I hadn’t heard of SuperAntiSpyware until I began trying to troubleshoot this problem.

Although this is not my area of expertise, I am usually very successful in getting rid of these kinds of things within a very short period of time - usually an hour or two - but this one had me tied up for almost 10 hours.

Tracking cookies don’t worry me. Registry entries do.

Thanks for the tip about the SuperAntiSpyware. If I come across another problem like this, I’ll be sure to give it a shot.

No problem, glad I could help.

Welcome to the forums.