Avast WEBforum
Other => Viruses and worms => Topic started by: RobertDL on February 23, 2010, 11:26:23 AM
-
I receive an e-mail with a zip-file, from what I thought were an e-mail from the freight company DHL.com. Now my PC is infected and I can only use my labtop.
I'm running home edition of Avast, but it did not protect the PC when the PC were attacked.
Can anyone help me with this problem? I want to know how I eliminate the virus.
I tried to use PC Netdoctor, but that only made the problem worse.
Someone please help?
-
Hello,
if you have the original email, please send it to virus@avast.com to analyze, put "Undetected DHL" to subject .
Thank you,
Milos
-
How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010
What this programs does:
Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:
•Antivirus Vista 2010
•Vista Antispyware 2010
•Vista Guardian
•Vista Antivirus Pro
•Vista Internet Security
•Vista Internet Security 2010
•XP Guardian
•XP Antivirus Pro
•XP AntiSpyware 2010
•XP Internet Security
•XP Internet Security 2010
•Antivirus XP 2010
•Antivirus Win 7 2010
•Win7 Guardian
•Win 7 Antivirus Pro
•Win 7 Antispyware 2010
•Win 7 Internet Security
•Win 7 Internet Security 2010
When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch FireFox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.
-
I'm also suffering from this - picked up while browsing. Avast didn't stop it and after a search, there are lots of recomendations for malwarebytes (including the bleepingcomputer.com link someone posted above). Malwarebytes manages to detect and says it removes it, but after a reboot it's back again. Part of the problem may be it's blocking Malwarebytes from updating it's virus database.
I'm running XP btw.
Any help greatly appreciated! It's driving me crazy. Thanks
-
Malwarebytes will get the majority of it - but as the programme files change daily it is always playing catch up
Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
- Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
THEN
To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
- Reg - Shell Spawning
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
-
ARgh.
Actually, I find that you CAN get around the firewall and constant security alerts, as for some reason or another, it seems that the program can only hijack IE. I'm currently on the infected computer, but I have to use firefox. I seem to have been able to get around the firewall thing and launch firefox, but your internet explorer is probably hijacked.
-
Yep ran into this Avast 5 just allowed the "av.exe" to run, and didn't detect it.
I'm running XP, luckily my firewall (sygate personal firewall) caught av.exe trying to get out, and I was able to block it.
Disconnected my system from the network, rebooted into Safe mode, downloaded a clean copy of Malware Bytes and its def file on another clean system and dropped it to a thumb drive, and was able to clean in Safemode.
Then re-ran MWB again in normal mode, and ran Spybot behind it to clean the rest of it up.
Super Antispyware (SAS) Free Edition also catches this version, and at this time the XP Antivirus 2010 variant does not know of this process and allows SAS to run. It kills Malwarebytes and Spyware if executed in normal mode.
If your not running Sygate and have XP I suggest you do so. If your running Vista/Win7 grab Comodo Free Firewall, that also does a great job of catching 'av.exe' beofore it gets out (plus sygate will not run under Vista or Win7).
-
Before installing any anti-spyware tool, make sure you fix bad Windows Registry values by downloading ExeRepair.reg file (Antivirus XP 2010 (http://www.pcindanger.com/xp-guardian-2010-removal.html))
Use Malwarebytes Antimalware program instead of Spyware Doctor, which can be downloaded from http://www.malwarebytes.org/mbam-download.php
- Install program by double clicking mbam-setup.exe setup file.
- Stick to the guidelines when installing the program.
- Make sure you update the program with latest entries.
- Start computer scan by launcing the program and pressing "Scan" button.
- After the scan has been completed, click "Show Results", then "Remove Selected".
- Computer restart might be necessary.