Author Topic: AV Security 2012 isn't being removed by avast.  (Read 24169 times)


toobusyforvirus

  • Guest
AV Security 2012 isn't being removed by avast.
« on: November 11, 2011, 02:54:45 PM »
A program called AV Security 2012 automatically downloaded and installed itself through firefox last night. I couldn't get rid of it and it started saying legitimate things were illegal processes (like task manager, firefox, chrome, etc.) when I was trying to find a solution. It forced a system reset and I had just enough time to schedule avast's boot scan, but that didn't pick it up either. Now the system says windows has been restarted to apply updates and the virus is preventing me from doing anything.

I'm not sure what other information would help besides the fact that I'm using XP professional.

Is this a common virus with a good method of removing it, or will I have to reformat?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: AV Security 2012 isn't being removed by avast.
« Reply #1 on: November 11, 2011, 02:57:47 PM »
Read it all before you start.

Remove AV Security 2012 (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-av-security-2012

If you have no success with this, then follow this guide and attach all logs
http://forum.avast.com/index.php?topic=53253.0

Essexboy will then help you when he arrives here later today...


« Last Edit: November 11, 2011, 03:00:22 PM by Pondus »

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #2 on: November 11, 2011, 03:07:24 PM »
Thank you. I have to get to work, but I will definitely go through those steps when I get back.

I'm just wondering though, if/when I remove it, what's the best way to go about reformatting system and starting fresh while making sure that any rootkits or other nasty things don't stay in the system?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: AV Security 2012 isn't being removed by avast.
« Reply #3 on: November 11, 2011, 03:15:29 PM »
I have PM'd Essexboy so he sees this when he arrives here.
This rogue is sometimes bundled with rootkits, so I would follow Essexboy's guide also and attach those logs; Essexboy can then see if all is gone.

He is usually in here around 08:00pm - 11:59pm UK time.

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #4 on: November 11, 2011, 03:23:38 PM »
Okay, I only have to work a few hours today, so I'll check back then.

I did have one thing I remembered that I need to ask. I use an external hard drive for most of my storage because my main isn't very big. Do these viruses bother messing around with those, or will I need to do some specific cleaning on the external after I get it off the pc?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: AV Security 2012 isn't being removed by avast.
« Reply #5 on: November 11, 2011, 03:28:07 PM »
Quote
Do these viruses bother messing around with those,
I don't think so... but Essexboy will give you all info as he is removing lots of these every week

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #6 on: November 11, 2011, 10:43:44 PM »
Okay, I'm borrowing a laptop to work on. I've already got the malware bytes exe loaded up on a flash drive. I printed out a copy of the "bleepingcomputer" page you sent me in case I lose wireless here (my pc is hardwired to my cable modem, but this laptop is connected to my family's wireless a few apartments over so the connection is kinda dodgy). I've had my computer turned off ever since this morning.

Now that I'm not in a rush to get out the door I can elaborate on what happened. It jumped on my pc and gave me fits last night, so my first reaction (with relatively little system security knowledge) was to run avast, CCleaner (I had something earlier in the year and a lot of tech sites were saying that program was supposed to fix that particular virus or trojan or whatever so I kept it installed in case I had the same trouble again), and threw up peerblock in case it helped (usually that thing is good about not letting sketchy ads connect, but I turned it off that evening because it seemed to be interfering with the starcraft streams on teevox). I don't imagine it was a bright idea to leave the system running with that thing active, but I thought running avast and the ccleaner would take care of it, so it had an hour or two of uptime to mess around with stuff. I started going through task manager to close a couple processes I didn't recognize as a normal system process, but the virus didn't like that and activated an automatic reboot countdown so I quickly told avast to schedule a boot scan because I figured avast might be able to catch it if the virus isn't running and mucking about in windows yet. It popped up a couple suspicious files that had something to do with Java, and I chose "move all to chest" so I wouldn't have to babysit the thing (I thought moving to chest or vault or whatever is the safe thing to do, but maybe I was wrong). Unfortunately I waited about an hour for the bootscan to finish (it was actually moving at a pretty good pace, but my main was pretty full so it takes a while) and it wasn't even past saying 0% so I went to bed. When I got up in the morning the screen was displaying the windows user login page (I thought it would stay in the boot with the results of the scan, but it didn't) so I logged on to find out if avast had some good news for me.
Windows said it had automatically restarted to apply an update, and had that little green shield sitting in the tray, so I have no idea if that's legit, or if the virus ran a fake update and infected even more of the system. I immediately started noticing the same shenanigans the virus was doing last night, so I turned the computer off (hard turnoff at the power button) and started looking for alternatives. I came here this morning, and you know the rest. :)

Side question... My pc has a wireless card, but I never really got it to work properly so if some of the troubleshooting involves booting all the way back into windows should I be worried about the virus getting onto the network or others in the vicinity? I figure if that would have happened it would've happened in the first few minutes of mucking about on my machine.

edit: I forgot to ask...
The virus was interfering with pretty much anything I tried to do. Should I go ahead and turn it back on to follow the guide, or wait for Essex (the local guru I gather?) just to be safe?
« Last Edit: November 11, 2011, 10:46:03 PM by toobusyforvirus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: AV Security 2012 isn't being removed by avast.
« Reply #7 on: November 11, 2011, 11:14:38 PM »
Hi, let's see if we can kill this dead. Do not allow the other computers to access the sick one.

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #8 on: November 11, 2011, 11:23:54 PM »
Hi! Thanks for your help. I'm trying to get everything I need on one USB so if it gets infected then I won't have to put the usb back in this laptop.

Currently the usb is empty except for...
mbam setup
rkill
tdsskiller
hosts perm
hosts
otl
aswmbr

and now downloading the one you just told me to.

Is there anything else I should prepare?

edit: It sounds like you're giving me directions for the computer already being running in windows. Should I start in the safe networking mode, or should another mode be chosen?
Also, sorry if my responses seem slow, my connection isn't very good on this laptop. :)
« Last Edit: November 11, 2011, 11:26:24 PM by toobusyforvirus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: AV Security 2012 isn't being removed by avast.
« Reply #9 on: November 11, 2011, 11:26:39 PM »
Nope that looks good.... Just run RogueKiller and OTL initially as we do not want to kill any of the wrong files

I have attached the data to input into OTL for the scan as scan.txt. Download that to the USB and just drag and drop it into the OTL scan window.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: AV Security 2012 isn't being removed by avast.
« Reply #10 on: November 11, 2011, 11:33:58 PM »
Safe or normal mode - your choice, it will work in either

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #11 on: November 11, 2011, 11:35:14 PM »
Okay, I'm logging into the avast webforum on the pc (it's letting me use firefox now) so I can paste the page (it's way too long for me to manually transcribe)

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #12 on: November 11, 2011, 11:36:58 PM »
RogueKiller V6.1.7 [11/05/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: RED [Admin rights]
Mode: Remove -- Date : 11/11/2011 17:34:38

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED ()
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED ()
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED ()
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED ()

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost
   46.4.179.109   google.com
   46.4.179.109   yahoo.com
   46.4.179.109   bing.com
   46.4.179.109   facebook.com
   46.4.179.109   yahoo.com
   46.4.179.109   bing.com
   46.4.179.109   facebook.com
   46.4.179.109   yahoo.com
   46.4.179.109   bing.com
   46.4.179.109   facebook.com


Finished : << RKreport[1].txt >>
RKreport[1].txt
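
Added example, not part of the original post and not RogueKiller's own code: the HOSTS section of the report above maps several unrelated sites to one public address, and this sketch shows how that pattern can be detected when auditing a hosts file. The function names and the two lines marked "constructed" are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Entries copied from the HOSTS section of the RKreport above, plus one
# constructed LAN line and one constructed sinkhole line for contrast.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
   46.4.179.109   google.com
   46.4.179.109   yahoo.com
   46.4.179.109   bing.com
   46.4.179.109   facebook.com
   46.4.179.109   yahoo.com
192.168.1.10    nas.home.lan      # constructed: ordinary LAN entry
0.0.0.0         ads.example.test  # constructed: blocklist sinkhole
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def audit_hosts(text, min_names=2):
    """Return {ip: sorted hostnames} for public IPs that several names point to."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        # Loopback/unspecified = localhost or sinkhole; private = LAN override.
        if ip.is_loopback or ip.is_unspecified or ip.is_private:
            continue
        by_ip[str(ip)].add(name)  # the set collapses repeated lines
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}

if __name__ == "__main__":
    for ip, names in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{ip} overrides DNS for: {', '.join(names)}")
```

On Windows XP the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a single public-address entry is not flagged by default, so lower `min_names` to 1 to list every such override.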

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #13 on: November 11, 2011, 11:37:55 PM »
That's the result of the roguekiller program.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: AV Security 2012 isn't being removed by avast.
« Reply #14 on: November 11, 2011, 11:38:43 PM »
OK I can see where to go from that and with OTL I should be able to remove the majority