AVG Support Community

J L

ransomer.KZY

AVG says secured but ransomer.KZY continually comes back
Gulam Shaik Mohammed (Avast)
Hello J L,
We apologize for the inconvenience caused.
We understand how something like this will try your patience.
May I know the name of the AVG Program installed on your system?
Could you please take and send the screenshot of the popup that you are receiving so that we can understand and assist you better in resolving it? To take a screenshot please follow the instructions mentioned in this link: avgread.me/1aZxsAV .
Thank you.
Alan Binch
J L, For your info, just in case that you are unaware, you can post the screenshot here in your topic. Click on 'Answer' & then click on the 'Image' [mountain symbol] & follow the instructions. 
AVG Guru
Eric Jones

Hi,
I also am seeing RANSOMER virus discovered every day. AVG says that it is "secured" each time yet, every day, it rediscovers it.
I see 3 threads on ransomer so am adding to this, apparently the latest.
My occurrence is slightly different in that:
 - The virus is found each day by resident shield rather than scan.
 - I see Ransomer.LRV
It was initially discovered using AVG2015 (updated to latest). I have tried updating to "AVG antiVirus FREE" 2016 (updated to latest) with no difference. Resident shield still "finds" and "secures" the same Ransomer.LRV - (though in a different file).
Running "Whole Computer Scan" has never found any sign of Ransomer (just tracking cookies removed - Thank You :-) )
I have run both "whole Computer Scan" and "Anti rootkit scan" with any option I can find to be as thorough as possible to no avail. - Resident Shield still finds Ransomer the next day. (e.g. "scan inside archives", "enable thorough scanning"..)

Each time the Ransomer instance is found in a .dll in C:\windows\TEMP\[name].dll
So far name = sbmdmlxn, 3ibbq1af , kmpqaZhn4 and ndrvm5ch
Each time the extended element information indicates the process name to be:
c:\Windows\SysWOW64\svchost.exe

It is as though AVG is only finding spawned "symptom" instances of the virus while leaving the actual infection untouched to spawn anew the next day.

I have run both windows cleanup and ccleaner to clear out any temporary etc files (notably those in c:\WINDOWS\temp - NB. case of this directory is different from that reported by AVG, I have assumed case is not significant?) Still resident shield found RANSOMER again the next day. (even though I see no .dll in C:\WINDOWS\temp - possibly a transient file existed, or possibly only the one removed/secured by AVG??)
Nothing is present in the virus vault.
Running Windows 7 [Having run windows update for all security updates and all relevant other updates]
I currently have the affected laptop airgapped but typing in the info that would be in a screenshot:
Threat: Trojan Horse Ransomer.LRV [more info]
Object name: c:\Windows\TEMP\ndrvm5ch.dll
Severity: High
Identified by: Resident Shield
Date: 2016-08-23 15:24:07
Extended Element information:
Process name: c:\Windows\SysWOW64\svchost.exe
process ID:2756
Created: 2016-08-23, 15:24:07
Username: SYSTEM
Session ID: 0

Status: Healed

Is AVG capable of fixing this infection completely? Or only symptoms, such that it will keep recurring?
Please advise how to remove this virus permanently and completely.
Thanks!
Eric
is secured yet is found anew the following day.
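
Added example, not part of Eric's post or of AVG's guidance: a read-only PowerShell triage script for the pattern reported above, where a 32-bit svchost.exe running as SYSTEM keeps creating DLLs in C:\Windows\TEMP. The PID 2756 and the folder come from the detection record; the parameter names `$ProcessId` and `$DropDir` are hypothetical.

```powershell
# Added triage example, not from the thread. Run from an elevated PowerShell prompt.
# Uses Get-WmiObject so it works on PowerShell 2.0, the version shipped with Windows 7.
param(
    [int]$ProcessId = 2756,                # PID from the detection record; changes at every boot
    [string]$DropDir = 'C:\Windows\Temp'   # folder named in the detection record
)

# 1. Confirm which binary and command line sit behind the PID that AVG reported.
$proc = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcessId"
if (-not $proc) {
    Write-Warning "No process with PID $ProcessId. Take the PID from the newest detection."
    return
}
$proc | Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine | Format-List

# 2. List the services hosted in that svchost.exe instance and the DLL each one loads.
#    Svchost-hosted services name their DLL in the ServiceDll value under Parameters.
Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId" | ForEach-Object {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServiceDll
    $_ | Select-Object Name, State, StartMode, PathName,
        @{ Name = 'ServiceDll'; Expression = { $dll } }
} | Format-List

# 3. List DLLs currently in the drop folder with creation time and signature status.
Get-ChildItem -Path $DropDir -Filter *.dll -Force -ErrorAction SilentlyContinue |
    Sort-Object CreationTime |
    Select-Object FullName, CreationTime, Length,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature $_.FullName).Status } } |
    Format-Table -AutoSize
```

The script changes nothing on the machine. Its output (the svchost command line, the hosted services with their ServiceDll paths, and any unsigned DLLs in the folder) is the kind of detail a support analyst can use alongside the detection record.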

 

Balasubramanian S (Avast)
Hello Eric,

We are sorry for the inconvenience caused.
We request you to provide the screenshot of the threat detection so that we can assist you better.
This "file:///C:/Windows/SysWOW64/svchost.exe" shouldn't be a ransomware virus; we have to do further analysis. Once you provide the screenshot, we will provide the further instructions to be followed to get our additional support.
If you aren't sure on how to take a screenshot please follow the instructions mentioned in this link: http://avgread.me/1aZxsAV and attach the image to this post.

Just in case that you are unaware, you can post the screenshot here in your topic. Click on 'Answer' & then click on the 'Image' [mountain symbol] & follow the instructions.
Eric Jones

Hi Balasubramanian,
Thanks for the reply!

As I said in my post, I currently have the affected machine airgapped so cannot send you a screenshot without risking problems.
I therefore listed every character that would have shown in the screenshot from the report [In history->Resident Shield] instead.
What additional information are you missing, as I don't see anything on that screen that I did not already post?
Thanks!
 

Balasubramanian S (Avast)
You are welcome.
Thank you for the detailed information.
We request you to get our additional support help so that they can do further analysis and help you with this issue.
We have sent you the email instructions to send the log files of AVG and to get our additional support help.
Please check for the email on spam or junk folders if it is not present in the inbox.
Eric Jones

I hope I'm not missing something here but I see no email with instructions I'm afraid.
I've given it a good half hour since your post above & checked junk folder as well as inbox (and have refreshed both).
I have 2 mails from AVG:

 - The initial account activation code
 - Your mail about my duplicate post [Sorry again about that. I know better now]
So we have the correct email address. Are you sure it was sent - or perhaps you could resend?


 
