Author Topic: AV Security 2012 isn't being removed by avast.  (Read 24177 times)

DonZ63

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #45 on: December 12, 2011, 10:51:43 PM »
I like seeing that RogueKiller run output. Shows one main issue with these rogues; how they write malware IPs to the localhost file. People have to start locking down access to their localhost file.

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #46 on: December 12, 2011, 11:53:35 PM »
Okay, I'll try and run that again. (sorry it took so long, been stuck in lab revising papers all day XD )

Is it okay if I run it while the virus is going though? Because the virus was running even during safe mode when I tried that.

I think I already deleted the files on the computer and may have to make another usb drive.
« Last Edit: December 13, 2011, 12:02:03 AM by toobusyforvirus »

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #47 on: December 13, 2011, 12:07:20 AM »
I'm getting a lot more activity from the virus this time. Last time I was able to open mozilla in safe mode and now I can't.

Roguekiller isn't giving me a prompt or anything it just says...
searching bad processes
[susppath] csq.exe <1316> ->killed [termproc]

searching hidden processes running
searching bad services running
driver loading : [1084]error

searching for new version online


I tried finding a new version of RogueKiller online, but this laptop is saying Norton blocked a malicious attack from the RogueKiller site when I tried to use the download link.
« Last Edit: December 13, 2011, 12:13:58 AM by toobusyforvirus »

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #48 on: December 13, 2011, 12:16:59 AM »
I keep trying to use the RogueKiller program to turn the virus off so I can use the other tools, but I can't use it now either. Clicking on the roguekiller.exe just opens more virus windows.

I feel stuck here.

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #49 on: December 13, 2011, 12:28:35 AM »
First attachment from selecting scan in RogueKiller...

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #50 on: December 13, 2011, 12:29:58 AM »
Second attachment from running "2" in RogueKiller


toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #51 on: December 13, 2011, 12:41:19 AM »
Okay, here's the OTL log thing.

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #52 on: December 13, 2011, 01:33:41 AM »
I guess I'll catch up with you tomorrow on what to do with those logs, but I figured I'd go ahead and reinstall/run Malwarebytes anyway just to see if it could catch some of it.
Here's the log from that if it helps anything. :)

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #53 on: December 13, 2011, 02:08:31 AM »
I went ahead and ran the OTL scan again after trying malwarebytes just to see if it picked up anything different.

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #54 on: December 13, 2011, 03:17:12 AM »
I ran a full scan with malwarebytes and this is the log...

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #55 on: December 13, 2011, 03:31:59 AM »
I tried logging in under normal conditions (not safe mode), and ran the roguekiller program again with the updated version which produced this log saying something about a rootkit...


edit: went ahead and ran otl again too in case something changed. log attached
« Last Edit: December 13, 2011, 03:38:08 AM by toobusyforvirus »

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #56 on: December 13, 2011, 07:54:08 PM »
I think I had bad timing the other day so I'm going to try running everything again in case updated logs are needed. :)

I'm currently using the standard Windows login. I have run RogueKiller a couple times today. Earlier it wasn't returning anything, but it just started showing the same ZeroAccess thing it did last night. Log is attached.

Scanning with OTL and originally provided settings atm, will have results in a moment.

Now attaching the up-to-date OTL log...
« Last Edit: December 13, 2011, 08:07:52 PM by toobusyforvirus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: AV Security 2012 isn't being removed by avast.
« Reply #57 on: December 13, 2011, 09:30:46 PM »
OK you have a little nasty there

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    [2011/12/12 18:15:45 | 000,004,376 | -HS- | M] () -- C:\Documents and Settings\RED\Local Settings\Application Data\mecdvr8m3quf5hlt0dpk8r678y5c
    [2011/12/12 18:15:45 | 000,004,376 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\mecdvr8m3quf5hlt0dpk8r678y5c
    [2011/12/11 21:06:42 | 000,329,216 | ---- | M] () -- C:\Documents and Settings\RED\Local Settings\Application Data\csq.exe
    [2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\RED\Local Settings\Temp\RarSFX0\procs\explorer.exe
    [2005/08/16 02:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\RED\Local Settings\Temp\RarSFX0\h\explorer.exe
    [2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\RED\Local Settings\Temp\RarSFX0\userinit.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply
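Added example, not part of essexboy's post and not OTL's own code: a small triage pass over OTL file-entry lines in the format quoted in the fix above. The sample lines, the names `parse_line`, `triage`, `scan`, and the three heuristics are constructed for illustration; reading the last bracket field as created/modified is an assumption.

```python
import re
from ntpath import basename  # handles backslash paths on any OS

# OTL file entry: [date time | size | attrs | C/M] (vendor) [MD5=hex] -- path
LINE_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] \((?P<vendor>[^)]*)\)"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$"
)
# Illustrative lists (assumptions), not an exhaustive policy.
SYSTEM_NAMES = {"explorer.exe", "userinit.exe", "svchost.exe", "winlogon.exe"}
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")

def parse_line(line):
    """Return a dict of fields for one OTL file line, or None if no match."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))  # "000,004,376" -> 4376
    return rec

def triage(rec):
    """Return the reasons an entry deserves a closer look (empty = none)."""
    reasons = []
    path = rec["path"].lower()
    name = basename(path)
    in_user_dir = any(d in path for d in USER_WRITABLE)
    if "H" in rec["attrs"] and "S" in rec["attrs"] and in_user_dir:
        reasons.append("hidden+system file in user-writable directory")
    if name.endswith(".exe") and in_user_dir and not rec["vendor"]:
        reasons.append("executable with no vendor in user-writable directory")
    if name in SYSTEM_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows")
    return reasons

def scan(text):
    """Map each parsed path to its list of triage reasons."""
    recs = filter(None, map(parse_line, text.splitlines()))
    return {r["path"]: triage(r) for r in recs}

# Constructed sample lines; the MD5 is a placeholder, not a real hash.
SAMPLE = r"""
[2011/12/12 18:15:45 | 000,004,376 | -HS- | M] () -- C:\Documents and Settings\USER\Local Settings\Application Data\examplemarker
[2011/12/11 21:06:42 | 000,329,216 | ---- | M] () -- C:\Documents and Settings\USER\Local Settings\Application Data\abc.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (ExampleVendor) MD5=00000000000000000000000000000000 -- C:\Documents and Settings\USER\Local Settings\Temp\RarSFX0\userinit.exe
[2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
"""
```

Calling `scan(SAMPLE)` flags the first three entries and leaves `C:\WINDOWS\explorer.exe` clean; a flag is a prompt for a helper to look closer, not a verdict.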




toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #58 on: December 13, 2011, 09:32:15 PM »
Ahh, thanks! Running OTL again now! :)

toobusyforvirus

  • Guest
Re: AV Security 2012 isn't being removed by avast.
« Reply #59 on: December 13, 2011, 09:36:44 PM »
OTL says processing complete, but has removed everything but the desktop background. Is it safe to do a hard boot, or should I try closing OTL and see if that lets me access a shutdown menu?