I Thought I Should Pass This On!


8 replies to this topic

#1 Wink

Posted 07 December 2006 - 07:46 AM

Hello,
This happened to me yesterday, quote from Adware Report:

Flooder.ake

Flooder.Ake is a brand new threat that began to appear on people's computers on December 6th, 2006.

The symptoms of infection are an alert window which pops up reading "threat found, trojan horse, heal now". Clicking this popup quarantines a system file, which then restarts the computer and pops up the alert again. The computer is then stuck in an infinite loop. It appears at this time that neither restoring the file from quarantine nor restoring the system using a Windows restore point will fix the computer. Only a complete reinstall of the operating system will work.

This problem only seems to be impacting users of the antivirus program, AVG. Initial indications are that this is not a true virus, but rather a bug in AVG that results in damage to system critical files.

If you are experiencing problems associated with flooder.ake, please post any pertinent information below. If you have a screenshot that we may share with our readers, please post a URL where we may find it. Thank you!

Step-by-Step Fix

1. Boot your computer to Safe mode. Power on (or restart) your computer, keep pressing F8 key until the Startup menu appears and choose "Windows in Safe Mode".

2. In the Windows Safe mode, navigate to following folder:

C:\WINDOWS\system32\drivers\

3. Rename the following files to avoid further deleting of "winlogon.exe".

AVGCLEAN.SYS -> AVGCLEAN.SY_
AVGRSXP.SYS -> AVGRSXP.SY_

4. Launch Registry Editor (regedit.exe) and remove the "__delete" value in the right pane from this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgClean

5. Restart the computer back to Windows normal mode

6. Update your AVG program to latest virus base version. Launch AVG or open AVG Control Center and press F9 key to update your AVG.

7. Then rename the SYS files back to their original names

AVGCLEAN.SY_ -> AVGCLEAN.SYS
AVGRSXP.SY_ -> AVGRSXP.SYS

8. Restart your computer to get AVG Resident shield loaded again
I was lucky, I have Windows SP2, it looks like people without the service packs are experiencing some major difficulties. I went to the AVG web site and there is no mention of this problem there as of yet.
I hope this helps someone,
have a great day,
Wink


#2 jgweed

Posted 08 December 2006 - 11:29 AM

The existence of this false positive appears to be limited to certain versions of Windows XP without Service Packs, and the problem has been quickly fixed by a new definition file. (I would like to thank members of the BC Staff and TeMerc for further researching the problem mentioned in Wink's post).

In the AVG Forum, Radek Janata, a member of the Grisoft Team, responded as follows:

“Unfortunately, this issue is caused by the false detection on particular version of "winlogon.exe" file. The false detection has been immediately fixed, however several users may have updated their AVG to this virus update containing this false definition. In order to solve this unpleasant issue, please proceed as follows:

1. Boot your computer to Safe mode. Power on (or restart) your computer, keep pressing F8 key until the Startup menu appears and choose "Windows in Safe Mode".
2. In the Windows Safe mode, navigate to following folder:
C:\WINDOWS\system32\drivers\
3. Rename rename the following files to avoid furhter (sic) deleting of "winlogon.exe".
AVGCLEAN.SYS -> AVGCLEAN.SY_
AVGRSXP.SYS -> AVGRSXP.SY_
4. Launch Registry Editor (regedit.exe) and remove the "__delete" value in the right pane from this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgClean
5. Restart the computer back to Windows normal mode
6. Update your AVG program to latest virus base version. Launch AVG or open AVG Control Center and press F9 key to update your AVG.
7. Then rename the SYS files back to their original names
AVGCLEAN.SY_ -> AVGCLEAN.SYS
AVGRSXP.SY_ -> AVGRSXP.SYS
8. Restart your computer to get AVG Resident shield loaded again
The problem should be solved now.
Please note that this issue may happen on very old Windows XP systems without any Service Packs. This issue doesn't appear on Windows XP Service Pack 1 or Service Pack 2. Therefore we strongly recommend to update your Windows XP to Service Pack 2, not only to get your computer secure. Visit [www.windowsupdate.com] to get the latest critical security patches for your operating system.
Please accept our apologies for this inconvenience.”

Further discussion may be found in this AVG Forum thread:

http://forum.grisoft.cz/freeforum/search.p...hor=1,subject=1

Regards,
John



Whereof one cannot speak, thereof one should be silent.
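
An added example, not part of the original posts or of Grisoft's instructions: steps 2-4 and 7 of the fix quoted above written as a batch file for Windows XP, for the case where only a Safe Mode command prompt is usable. The script name `avgfix.cmd`, the two-phase `disable`/`restore` arguments and the use of `%SystemRoot%` in place of `C:\WINDOWS` are assumptions.

```bat
@echo off
rem Added example: command-line form of steps 2-4 and 7 of the quoted fix.
rem Usage (avgfix.cmd is an assumed script name):
rem   avgfix.cmd disable   - run in Safe Mode, before updating AVG
rem   avgfix.cmd restore   - run in normal mode, after updating AVG
setlocal
set "DRV=%SystemRoot%\system32\drivers"
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\AvgClean"

if /i "%~1"=="disable" goto disable
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 disable ^| restore
exit /b 2

:disable
rem Step 3: rename the two drivers so they cannot load on the next boot.
call :rename_one AVGCLEAN.SYS AVGCLEAN.SY_
call :rename_one AVGRSXP.SYS AVGRSXP.SY_
rem Step 4: remove the "__delete" value only if it is actually present.
reg query "%KEY%" /v __delete >nul 2>&1
if errorlevel 1 (
    echo No __delete value under %KEY%; nothing to remove.
) else (
    reg delete "%KEY%" /v __delete /f
)
echo Now restart into normal mode and update AVG, steps 5 and 6.
exit /b 0

:restore
rem Step 7: give the drivers their original names back.
call :rename_one AVGCLEAN.SY_ AVGCLEAN.SYS
call :rename_one AVGRSXP.SY_ AVGRSXP.SYS
echo Now restart so the AVG Resident Shield loads again, step 8.
exit /b 0

:rename_one
rem %1 = current name, %2 = new name; never overwrite an existing target.
if not exist "%DRV%\%~1" (
    echo Skipping %~1: not found in %DRV%
    goto :eof
)
if exist "%DRV%\%~2" (
    echo Skipping %~1: %~2 already exists
    goto :eof
)
ren "%DRV%\%~1" "%~2"
echo Renamed %~1 to %~2
goto :eof
```

Running `restore` before AVG has been updated re-enables the drivers with the faulty definition still in place, so the order in the quoted steps matters.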

#3 Dijital

Posted 15 December 2006 - 02:59 AM

Just thought I would drop in my 2c here and say that this is NOT limited to specific versions without service packs. I have a friend's system, XP, SP2 and I experience this problem with it. I've followed the instructions to correct it but they do not work. As soon as I uninstall AVG, everything works fine.

I've scanned the drive with FOUR other AV scanners by slaving it into other systems, and also run it through 2 online scanners and none of them besides AVG detect winlogon.exe as infected. In my case, the infection is called Generic.KZY to which I can find no reference or information.

I really do like their product (particularly the Pro edition that doesn't tag your emails) so I am hopeful that they can/will resolve it. Cheers.

Armando

#4 unix110011

Posted 15 January 2007 - 08:08 AM

Hello. I am new here. I have the full versions of AVG spyware and anti virus. I have scanned my laptop HD with XP Pro SP2 and have no problems. Just my input. Thanks.

#5 spacecase67

Posted 14 October 2007 - 01:33 PM

Hi, I'm new here too. I have this problem right now, but I'm not using AVG, I'm using Norton, so what steps should I take? Thanks if you can help.

#6 quietman7

Posted 14 October 2007 - 03:29 PM

Welcome to BC spacecase67

If you have an issue or problem you would like to discuss, please start your own topic account. Doing that will help to avoid the confusion that often occurs when trying to help two or more people in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using. Start a new topic and post in the "Am I infected? What do I do?".

Further, posting for assistance in someone else's topic is also known as "hijacking a thread", which is not considered proper forum etiquette.

Thanks for your cooperation.

Edited by quietman7, 14 October 2007 - 03:30 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 jgweed

Posted 15 October 2007 - 12:06 PM

I am not sure that you actually have the SAME problem, since the original false-positive was limited to AVG. A separate post would be, therefore, extremely helpful; please be careful to give us as much information as you can about what is happening, especially any information or warnings Norton gives you.
Thanks,
John

#8 Turnips

Posted 19 November 2007 - 03:58 AM

Should that be done if I haven't been infected (as prevention) or only if you've been infected?

Edited by Turnips, 19 November 2007 - 04:01 AM.


#9 quietman7

Posted 19 November 2007 - 08:45 AM

As jgweed said, the original false-positive only affected WIN XP/2000 users with AVG anti-virus. It began to appear on December 6th, 2006 and was caused by a bug which gave a false detection of winlogon.exe. The issue was quickly corrected and there have been no reports since the first quarter of this year that I am aware of.