Strange anti-virus blocking virus

Kaspersky lab Anti-virus 2010 (oem produ...
October 28, 2009 at 14:07:40
Specs: Windows XP sp3
Hi,
I believe I have gotten a pretty bad virus. I was downloading a program that supposedly monitored my router bandwidth but turned out to be a virus. My antivirus (KIS9) didn't say anything was wrong. But processes named a.exe, b.exe, c.exe and msa.exe were in my task manager. I tracked these files down and found them in my temp directory. I didn't need anything in my temp directory so I deleted all of its contents in case anything else required by the virus was in there. I knew the virus wouldn't be gone. I went on the internet and googled the exes, however any Google links I clicked redirected me to random websites or dodgy search engines. I tried clicking the links several times and they eventually worked on about the third go. The forums explained about using AVZ and stuff and the users that were asking the questions uploaded reports and their problems were fixed from there. As an experiment I restarted my PC to see if the processes would start again. They didn't.... AND KASPERSKY WASN'T RUNNING! I tried to start it manually but I received the message: "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item." I got seriously worried. I downloaded a program called "SUPERAntiSpyware" because I read on a forum it was good. I ran two scans and it picked up some viruses and deleted them (I can email their reports on request). AVP.exe still didn't work, so I uninstalled KIS 2009 and installed a trial of KIS10. It ran (before I restarted again). I ran a scan with it and it also picked up 2 viruses and removed them (some of the files from C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Report can be emailed or uploaded on request). Then I restarted again. avp.exe didn't work. Get the idea? The virus is blocking any antivirus applications.
So I downloaded AVZ because it helped the other people and ran a scan. It got part of the way through and then crashed (leaving an avz.gid file that I can email or upload on request). I tried to start it again and it came up with the same error message as Kaspersky 10 and Kaspersky 09 after they had been shut down. What should I do? I can reinstall KIS10 again and it will run until I restart; as for avz.exe I can do the same. Might renaming the exes help?
Thanks in advance



#1
October 28, 2009 at 19:53:34
It sounds like Police Pro; if it is, it will take several different tasks to remove it. We will use a different method than AVP, although it is a great tool.

Please save this file to your desktop.

Win32kDiag.exe

Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.



#2
October 29, 2009 at 00:14:58
Running from: C:\Documents and Settings\Owner\My Documents\Downloads\Firefox\Win-32-k-Diag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19.tmp\ZAP19.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP309.tmp\ZAP309.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP68.tmp\ZAP68.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\UnManaged\S-1-5-21-796845957-651377827-515967899-1003\S-1-5-21-796845957-651377827-515967899-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{6030FDAF-C39D-4BEE-991F-2F95BF54F66D}\{6030FDAF-C39D-4BEE-991F-2F95BF54F66D}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^


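The log above is worth reading for its pattern rather than its individual lines: more than twenty unrelated subdirectories of C:\WINDOWS have become reparse points (the "mount points" Win32kDiag reports), and every one of them resolves to the same object, \Device\__max++>\^, which is not a path on any volume. File operations on those directories are redirected to that device object and whatever driver backs it, rather than to the real directory contents. As an added example that is not part of the thread or of the Win32kDiag tool, the Python below parses "Found mount point" / "Mount point destination" pairs in this output format and flags two things visible in the posted log: a target outside the normal \??\ object namespace that Windows junctions and volume mount points use, and a directory whose name repeats its parent's (Config\Config). The sample log is constructed in the posted format; its third pair is an invented benign junction included for contrast.

```python
"""Flag suspicious directory reparse points in Win32kDiag-style output.

Added example, not part of the thread or of the Win32kDiag tool. SAMPLE_LOG
is constructed in the format Win32kDiag printed in post #2; the third pair is
an invented benign junction used for contrast.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Searching 'C:\\WINDOWS'...

Found mount point : C:\\WINDOWS\\assembly\\temp\\temp

Mount point destination : \\Device\\__max++>\\^

Found mount point : C:\\WINDOWS\\Config\\Config

Mount point destination : \\Device\\__max++>\\^

Found mount point : C:\\WINDOWS\\Installer\\Links

Mount point destination : \\??\\C:\\WINDOWS\\Installer\\LinksTarget
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
# Junctions and volume mount points created by Windows itself resolve through
# the Win32 object namespace, i.e. their target starts with \??\ .
WIN32_NAMESPACE = re.compile(r"^\\\?\?\\")


def parse_mount_points(text):
    """Return (directory, destination) pairs in the order they were logged."""
    pairs = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        d = DEST_RE.match(line)
        if d and pending is not None:
            pairs.append((pending, d.group("dest")))
            pending = None
    return pairs


def suspicious_mount_points(pairs):
    """Return (directory, destination, reasons) for pairs worth a closer look.

    Two heuristics, both drawn from the posted log: a reparse target that is a
    raw \\Device\\ object instead of a \\??\\ path, and a directory whose name
    repeats its parent's (e.g. \\Config\\Config), which a stock install does
    not create.
    """
    flagged = []
    for path, dest in pairs:
        reasons = []
        if not WIN32_NAMESPACE.match(dest):
            reasons.append("target is not a \\??\\ namespace path")
        parts = path.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("directory name repeats its parent's name")
        if reasons:
            flagged.append((path, dest, reasons))
    return flagged


def destination_histogram(pairs):
    """Count targets: many unrelated system directories sharing one target is
    the pattern to look for, independent of what the target is called."""
    return Counter(dest for _, dest in pairs)


if __name__ == "__main__":
    found = parse_mount_points(SAMPLE_LOG)
    for path, dest, reasons in suspicious_mount_points(found):
        print(f"{path} -> {dest}: {'; '.join(reasons)}")
    print(destination_histogram(found))
```

Run against the full log posted in #2, the histogram collapses to a single destination with a count in the twenties; that concentration, more than the odd-looking name, is what distinguishes the posted output from a machine with a handful of legitimate junctions.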

#3
October 29, 2009 at 16:48:32
This may save a step or two.

Go to start> run> type in cmd click ok.

Copy and paste this command at the blinking cursor, then press Enter. You may have to type it in manually; if you do, note the spaces after each of these: DIR, /a/s, each .dll, Log.txt, &, START

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt


A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.



#4
October 30, 2009 at 01:28:05
Volume in drive C has no label.
Volume Serial Number is F0DD-5EF4

Directory of C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\SP2QFE

06/02/2009 18:46 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\SP2QFE

06/02/2009 18:46 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\system32

14/04/2008 12:00 181,248 scecli.dll

Directory of C:\WINDOWS\system32

19/07/2009 16:01 407,552 netlogon.dll
2 File(s) 588,800 bytes

Total Files Listed:
4 File(s) 1,404,928 bytes
0 Dir(s) 79,419,805,696 bytes free


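The DIR command in #3 lists every copy of three system DLLs under %windir% so that the copy actually loaded from system32 can be compared against the copies cached by Windows Update. As an added example that is not part of the thread, the Python below parses a DIR /a/s listing in that format (the one posted in #4, with the forum's collapsed whitespace) and reports two conditions: a requested DLL that appears nowhere in the listing, and a system32 copy whose size matches none of the other copies found. The REQUESTED tuple and the check logic are the example's own, not the helper's procedure. On the posted listing it reports netlogon.dll (system32 copy 407,552 bytes against 408,064 in both cached copies) and eventlog.dll (absent from the listing altogether).

```python
"""Cross-check copies of system DLLs in a 'DIR /a/s' listing.

Added example, not part of the thread. DIR_OUTPUT is the listing the original
poster pasted in post #4 (whitespace collapsed by the forum); the logic is a
generic check over any DIR /s output.
"""
import re
from collections import defaultdict

# The three DLLs post #3 asked DIR to find.
REQUESTED = ("scecli.dll", "netlogon.dll", "eventlog.dll")

DIR_OUTPUT = """\
Volume in drive C has no label.
Volume Serial Number is F0DD-5EF4

Directory of C:\\WINDOWS\\SoftwareDistribution\\Download\\78cf8552430e25a8f24bc1e4dfb1970e\\SP2QFE

06/02/2009 18:46 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\\WINDOWS\\SoftwareDistribution\\Download\\de81b460c3abcfc5b8494c785a5f3944\\SP2QFE

06/02/2009 18:46 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\\WINDOWS\\system32

14/04/2008 12:00 181,248 scecli.dll

Directory of C:\\WINDOWS\\system32

19/07/2009 16:01 407,552 netlogon.dll
2 File(s) 588,800 bytes

Total Files Listed:
4 File(s) 1,404,928 bytes
0 Dir(s) 79,419,805,696 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# date  time  size  name  (DIR uses the locale's date format; DD/MM/YYYY here)
FILE_LINE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Map lower-cased file name -> list of (directory, size_bytes, timestamp)."""
    files = defaultdict(list)
    current_dir = None
    for line in text.splitlines():
        h = DIR_HEADER.match(line)
        if h:
            current_dir = h.group("dir")
            continue
        f = FILE_LINE.match(line)
        if f and current_dir is not None:
            size = int(f.group("size").replace(",", ""))
            stamp = f"{f.group('date')} {f.group('time')}"
            files[f.group("name").lower()].append((current_dir, size, stamp))
    return files


def check_copies(files, requested=REQUESTED, system_dir="c:\\windows\\system32"):
    """Return (dll, finding) pairs for DLLs that need a closer look.

    A requested DLL that appears nowhere in a /s listing of %windir% must be
    verified by other means (e.g. from a clean boot environment), since DIR
    cannot say whether it is missing or being hidden. A system32 copy whose
    size matches none of the cached update copies is only a prompt to hash it
    against a known-good file: different update builds legitimately differ.
    """
    findings = []
    for name in requested:
        copies = files.get(name.lower(), [])
        if not copies:
            findings.append((name, "not listed anywhere under %windir%"))
            continue
        in_sys = [c for c in copies if c[0].lower() == system_dir]
        elsewhere = [c for c in copies if c[0].lower() != system_dir]
        if not in_sys:
            findings.append((name, "no copy in system32"))
            continue
        sys_size = in_sys[0][1]
        other_sizes = sorted({c[1] for c in elsewhere})
        if other_sizes and sys_size not in other_sizes:
            findings.append(
                (name, f"system32 copy is {sys_size} bytes; other copies: {other_sizes}")
            )
    return findings


if __name__ == "__main__":
    listing = parse_dir_listing(DIR_OUTPUT)
    for dll, finding in check_copies(listing):
        print(f"{dll}: {finding}")
```

The size comparison is deliberately weak evidence: the cached copies here sit in SP2QFE folders from an update dated 06/02/2009, while the system32 file is dated 19/07/2009, so a size difference alone is consistent with a later legitimate update. The useful next step is a hash of the system32 file compared against a known-good copy, and an explanation for why eventlog.dll produced no listing at all.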

#5
October 31, 2009 at 05:15:57
Please download ComboFix to the desktop from one of the following links:

Link 1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to Combo-Fix, then click save.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#6
November 7, 2009 at 15:12:37
This same thing happened to me today, only I wasn't downloading anything. I got assaulted by a website. I can't access any antivirus websites and I had the a, b, c, and d files in my temporary folder. I also have a ton (as in ten or so) processes running which are questionable; lsass.exe, rundll32.exe, smss.exe, crss.exe, FastNetSrv.exe, CSHelper.exe and more. I have no idea what to do for such an invasive bunch of malware.
