How do you remove a nasty worm/virus not detected by AVG?

Started by XB-70 Valkyrie, January 08, 2010, 10:03:23 PM

XB-70 Valkyrie

Hey folks, long time no see, eh?  8) Hope everyone's doing well. I've been meaning to come back for quite a while, but 2009 was an extremely busy (but very good) year for me.

Anyway, my computer has picked up a very nasty worm, and members here have been very helpful in the past offering suggestions for my various tech/computer issues, so my return has been hastened.

This thing reared its ugly head this afternoon while my wife was online. It causes many irritating popups to appear from various locations on the screen warning (in very poor English) about virus infections, and urging you to comply with its requests to visit its website. It also installed an icon on the taskbar and on the desktop, both of which look suspiciously like Windows antivirus or AVG. It calls itself "Antivirus 2010" or something like that. The worst part is that it has disabled ALL programs on my wife's logon. Every time she tried to open AVG, or any other program, she received a warning saying that the program was infected. On my logon, things are not nearly as bad, programs work, but the popups are still an annoyance.

Anyway, I ran AVG a number of times, and had it delete a ton of stuff, but it still remains. I then updated AVG's definitions. It found more crap, which I deleted, but the worm remains. Can anyone offer a suggestion for getting rid of it?? (We are running Windows Vista Home Premium).

Thanks folks!


EDIT: I've been finding some potentially helpful sites from Google, some of which offer free downloads that will supposedly kill it. But I'm not sure which I can trust. Here is one: http://www.virusremovalguru.com/?p=715

If you really dislike Bach you keep quiet about it! - Andras Schiff

Holden

Quote from: XB-70 Valkyrie on January 08, 2010, 10:03:23 PM
Hey folks, long time no see, eh?  8) Hope everyone's doing well. I've been meaning to come back for quite a while, but 2009 was an extremely busy (but very good) year for me.

Anyway, my computer has picked up a very nasty worm, and members here have been very helpful in the past offering suggestions for my various tech/computer issues, so my return has been hastened.

This thing reared its ugly head this afternoon while my wife was online. It causes many irritating popups to appear from various locations on the screen warning (in very poor English) about virus infections, and urging you to comply with its requests to visit its website. It also installed an icon on the taskbar and on the desktop, both of which look suspiciously like Windows antivirus or AVG. It calls itself "Antivirus 2010" or something like that. The worst part is that it has disabled ALL programs on my wife's logon. Every time she tried to open AVG, or any other program, she received a warning saying that the program was infected. On my logon, things are not nearly as bad, programs work, but the popups are still an annoyance.

Anyway, I ran AVG a number of times, and had it delete a ton of stuff, but it still remains. I then updated AVG's definitions. It found more crap, which I deleted, but the worm remains. Can anyone offer a suggestion for getting rid of it?? (We are running Windows Vista Home Premium).

Thanks folks!


EDIT: I've been finding some potentially helpful sites from Google, some of which offer free downloads that will supposedly kill it. But I'm not sure which I can trust. Here is one: http://www.virusremovalguru.com/?p=715

Download this program MBAM and run it.

To be blunt, you get what you pay for with free AV programs like AVG. Yes, MBAM is free, but it is very effective.

Anyway, download and run MBAM, then restart your PC. As it starts up hold down the F8 key until it goes into safe mode. Once it does, run MBAM again (without networking) then restart your PC. If this doesn't get rid of it then post here again and I'll take you through the next step.

I'll also talk about how you got this nasty in the first place and how to prevent further infections.
Cheers

Holden

XB-70 Valkyrie

Thanks very much Holden. I'm running MBAM right now, but I'm not sure how to run something without networking. From what I remember, WINXP had a "work offline option" somewhere near the taskbar, but I don't see that in Vista. I do have a little icon with two computers and a little blue ball next to them indicating that I am connected. Right clicking this does not bring up any type of work offline option.
If you really dislike Bach you keep quiet about it! - Andras Schiff

XB-70 Valkyrie

I ran MBAM, and it found a bunch of crap, which I deleted, but it then prompted me to restart. After restart, it seems to be running normally, and the crapware seems to be gone. Thanks again!
If you really dislike Bach you keep quiet about it! - Andras Schiff

XB-70 Valkyrie

Update: The popups are gone.
My wife's programs are opening, and are functional, except for web browsers. None can seem to connect.
If you really dislike Bach you keep quiet about it! - Andras Schiff

The new erato

Quote from: XB-70 Valkyrie on January 09, 2010, 10:03:33 AM
Update: The popups are gone.
My wife's programs are opening, and are functional, except for web browsers. None can seem to connect.
A very common occurrence when removing malware. I experienced the same - and can't remember what I did to fix it! But it wasn't particularly difficult; I think it mainly involved checking up on network settings.

Holden

Reinstall the Web browsers and see what that does. Otherwise get Vista to go back to its default settings for networking for your wife's user account. Try one at a time.

Can I also suggest that you now download, install and run Crap Cleaner to clean out all the 'crap' left behind after this bug did its work.

Once you have done that you may want to prevent any further infections. So here's what you do.

You've been shown that AVG Free is crap as it didn't protect your system and couldn't clean it either. My suggestions are as follows and it's up to you from here.

1 Buy a Professional Anti-Virus. They are dirt cheap when you consider the hassles they save you. There are only two that I would recommend, NOD32 and Kaspersky. You may read reports about others but only those two have consistently received a 100% tick of health from Virus Bulletin - the VB100 award. I prefer and use NOD32 for a variety of reasons. It costs about $50 a year. There are discounts for multiple PCs.

2 Install a good Anti Malware. You can go 'free' here and you already have MBAM which is probably the best to be had. Can I suggest that you also install Spywareblaster. It works quietly away in the background and you can manually update it. Please note that it is not a scanner and won't tell you about any spyware it turns away. It just works.

3 Get Key Scrambler. It encodes all your keystrokes so that they can't be read by a keylogger trojan.

This may seem like overkill but it works for me.
Cheers

Holden

Holden

I've done some research about the connection problem and have two solutions for you.

1 From what I read about this Security Tool Virus today and how to repair it, you only needed to right click your Network connection in Control Panel and choose Repair and you would have got your Net connection back online.

2 You can use System Restore but run the risk of restoring the virus.
Cheers

Holden

drogulus


Here's a link to the Wiki article on the Zlob trojan. "Antivirus 2010" is just the latest version of it.

Does this sound familiar?

The trojan has also been linked to downloading atnvrsinstall.exe which uses the Windows Security shield icon to look as if it is an Anti Virus installation file from Microsoft. Having this file initiated can wreak havoc on computers and networks. One symptom is random computer shutdowns or reboots with random comments. This is caused by the programs using Scheduled Tasks to run a file called "zlberfker.exe".

Another thing to watch is that if you click on a video on the wrong site you'll install bad things. It isn't too difficult to figure out what a wrong site is.  I use an informal reputation assessment: Does this site want to be known for infecting visitors? The less sure I am that the site owner cares about a reputation for integrity, the more caution I use. There are "Wild West" sites I frequent where I'm on my guard.

XB-70 Valkyrie

I tried this, but the message I got was, "Windows did not find any problems with your network connection". I tried reinstalling Windows Explorer for her (I HATE Explorer and told her that this is probably how she got the malware in the first place, but she insists on using it), but that didn't work either. It said I needed to run Windows Update Service (damned if I can find that).


Quote from: Holden on January 09, 2010, 01:45:12 PM
I've done some research about the connection problem and have two solutions for you.

1 From what I read about this Security Tool Virus today and how to repair it, you only needed to right click your Network connection in Control Panel and choose Repair and you would have got your Net connection back online.

If you really dislike Bach you keep quiet about it! - Andras Schiff

Holden

Cheers

Holden

drogulus


Last night at work I got infected by the "Antivirus Live" rogue antivirus program. It's funny, here I am surfing away, not doing anything unusual, just reading a graphics card review at a tech site, and all of a sudden I get popups saying this computer is infected and a scan starts! This is obviously bogus, and now I'm wondering how the security system here allows software to install on this PC? I'm on a protected network at work and I get infected, while at home, running unprotected (and going to sites I can't get to at work because they're blocked), I don't ever get this.

Why?

I'll probably never know all the reasons. Nevertheless, some answers seem plausible.

1) The Windows XP environment at work is protected at the network level, and the network is optimized to prevent users from accessing prohibited sites (a good thing in itself) which creates a false sense of security. Infections happen at sites that are not prohibited.

2) This PC (and no doubt others on the network) is running IE6. It's vulnerable to just about anything out there. If I were a virus writer I'd be targeting old systems that are rarely updated (I can't do updates because I don't have administrative privileges).

3) At home I'm running a browser no virus has encountered. Someday it will be vulnerable, but on that day I won't be running it.

Antivirus Live and how to remove it

Szykneij

Quote from: drogulus on January 18, 2010, 02:06:25 PM
I'm on a protected network at work and I get infected, while at home, running unprotected (and going to sites I can't get to at work because they're blocked), I don't ever get this.

Ernie, if you don't run any anti-virus software at home, how do you know you're not infected?
Men profess to be lovers of music, but for the most part they give no evidence in their opinions and lives that they have heard it.  ~ Henry David Thoreau

Don't pray when it rains if you don't pray when the sun shines. ~ Satchel Paige

drogulus


I just did a scan an hour ago with Malwarebytes (it doesn't appear to affect performance). I keep archives of AV programs and install, run them and uninstall them after. I might run a free AV program tomorrow evening (I have AVG).


Tapio Dmitriyevich

My thoughts: The whole (Anti/Anti-Anti/Anti-Anti-Anti)(AV, Malware) world is a mess of basically unknown trustworthiness. Personally, I'd always take the time and do a fresh OS installation. What I do with my relatives is give them one Virtual Machine (virtualbox.org) with a Linux host for their online banking and another one for their messing-about needs like running cracks and keygens... :)

Again, because it's not widely known, the MS Virus scanner: http://www.microsoft.com/Security_Essentials/

XB-70 Valkyrie

I didn't want to risk restoring the malware, so I just created a new acct. for my wife, transferred all her stuff, and set her up with Google Chrome. IE has so many vulnerabilities, and is such a sh1tty browser to begin with, I think anything is better (and my wife refuses to use Opera, Safari, etc.). I do realize that Google OWNS anything you upload, view, or think about while using their browser (which is why I don't use it myself), but for her I suppose it is the least bad alternative.

Thanks to everyone for their help. 
If you really dislike Bach you keep quiet about it! - Andras Schiff

drogulus



I ran AVG free version (full scan), found nothing, uninstalled it.

Quote from: Wurstwasser on January 18, 2010, 08:29:11 PM

Again, because it's not widely known, the MS Virus scanner: http://www.microsoft.com/Security_Essentials/

I'll give it a try.


RJR

You also should check your hosts file in C:\Windows\System32\drivers\etc\hosts.
If you see www.Brenz.pl at the top of your hosts file, then you've been zapped.
Download MVP Hosts. Read the instructions.
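The hosts-file check RJR describes, as an added example that is not part of the thread: it parses a Windows hosts file, flags the www.brenz.pl indicator named above, flags any name mapped to a non-loopback address (a hijack), and separates those from harmless blocklist lines of the kind MVP Hosts installs. The sample hosts text, the 203.0.113.7 address and the *.test names are constructed for the example.

```python
"""Added example: triage a Windows hosts file after a rogue-AV infection.
Only www.brenz.pl comes from the thread; everything else is constructed."""
import ipaddress

KNOWN_BAD_HOSTS = {"www.brenz.pl", "brenz.pl"}        # indicator from the thread
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample; the first three lines mirror a stock Vista hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed lines below (not taken from any real machine)
127.0.0.1       www.brenz.pl
0.0.0.0         ads.example.net        # MVP-style blocklist line
203.0.113.7     www.example-bank.test  # redirected to a non-local address
"""

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:            # one IP may carry several names
            yield parts[0], host.lower(), n

def classify(ip, host):
    """Return 'bad', 'hijack', 'block' or 'ok' for one hosts mapping."""
    if host in KNOWN_BAD_HOSTS:
        return "bad"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "hijack"                   # malformed address: worth a look
    sinkhole = addr.is_loopback or addr.is_unspecified
    if host in LOCAL_NAMES and sinkhole:
        return "ok"                       # stock localhost entries
    if not sinkhole:
        return "hijack"                   # name redirected to a real address
    return "block"                        # loopback/0.0.0.0 sink, e.g. ad blocklist

def scan_hosts(text):
    """Return (line_no, verdict, ip, host) for every non-'ok' mapping."""
    return [(n, classify(ip, h), ip, h)
            for ip, h, n in parse_hosts(text) if classify(ip, h) != "ok"]

if __name__ == "__main__":
    for n, verdict, ip, host in scan_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {verdict:6} {ip} -> {host}")
```

To run it against a real machine, read the file at the path above into `scan_hosts` and review every 'bad' or 'hijack' line before restoring a clean hosts file.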

drogulus


Thank you, Wurstwasser, for suggesting Microsoft Security Essentials. For the first time in many years I'm running antivirus full time, and in addition to being a good program of its type it's free and, most important for me, doesn't impose a noticeable performance penalty. For that reason I run it continuously rather than just periodically install it to run a scan.

I did try Panda Cloud antivirus but unfortunately it interferes with the start of some programs.