Resident Shield Alert


Hello-

I have a computer that got infected with AV Security Suite. I followed the instructions under the Self Help section pertaining to AV Security Suite and ran a quick scan. The latest scan says that there are 0 objects infected, but a Resident Security Alert window popped up warning of Trojanhorse Downloader.Generic9.CBRE. I haven't done anything because I don't know if this is another fake alert or real. I appreciate any advice.

Thank you.


http://www.bleepingcomputer.com/virus-remo...-security-suite

Start reading from...

Automated Removal Instructions for AV Security Suite using Malwarebytes' Anti-Malware

After this...

Download HijackThis from here:

http://www.softpedia.com/get/Antivirus/Tre...ijackThis.shtml

Install the program, but don't run it.

Go to My Computer -> Tools-> Folder options-> View

Check "Show hidden files and folders" and uncheck "Hide protected operating file systems".

After this, close all the programs that are running (the browser, the IM client, the audio player, etc.), but do not close the antivirus or the firewall program!

Run HijackThis.exe from Program Files or just use the shortcut from your Desktop.

Click on Do a system scan and save a logfile.

Copy the log from Notepad and post it here.

Don't fix anything; some entries are good, and fixing them can damage your operating system's functionality.

When you post the log, please give some details about your system and what you think is going wrong.

In some cases it is necessary to rename the hijackthis.exe file to test.exe or something.exe and then run it.


When I tried to run HijackThis the following message popped up: The system administrator has set policies to prevent this installation.

There are two users on this computer and I tried to run it through under both, but neither worked. Does it matter which user I am using while going through this process?

Also, should I still be in safe mode?

Thank you.


We got it to run and here is the log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:43:40 AM, on 6/22/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kids.nationalgeographic.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [stxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"

O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [uCreate Music Mixer] C:\Program Files\Radica\UCreate\Music\UCreate.exe 1

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [cxnevjbkqisd] c:\documents and settings\rat\local settings\application data\bwfwiwf\ckmtwdd.exe

O4 - HKCU\..\Run: [nysfdymfic] c:\documents and settings\rat\local settings\application data\wawlxmjy\.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1223510130046

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223514091593

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Filter hijack: text/html - {fa799bf8-3c19-483e-af06-a80bf28c95fa} - C:\WINDOWS\msv1_0.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe

--

End of file - 8506 bytes


Check the following entries in HijackThis and press Fix checked:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKCU\..\Run: [cxnevjbkqisd] c:\documents and settings\rat\local settings\application data\bwfwiwf\ckmtwdd.exe

O4 - HKCU\..\Run: [nysfdymfic] c:\documents and settings\rat\local settings\application data\wawlxmjy\.exe

O18 - Filter hijack: text/html - {fa799bf8-3c19-483e-af06-a80bf28c95fa} - C:\WINDOWS\msv1_0.dll

Download: http://subs.geekstogo.com/ComboFix.exe and save it on your Desktop.

Open Notepad and copy/paste the text in the quote box below into it:

File::

c:\documents and settings\rat\local settings\application data\bwfwiwf\ckmtwdd.exe

c:\documents and settings\rat\local settings\application data\wawlxmjy\.exe

C:\WINDOWS\msv1_0.dll

Save this as:

CFScript.txt

Drag CFScript.txt into ComboFix.exe

Then post the resultant log here.


I get a warning from ComboFix about disabling AVG antivirus software and I can't seem to turn it off. I tried to uninstall it, but it is still there. I even downloaded an uninstall file and that didn't work. Should I just run ComboFix anyway?

Thanks.


Hi again,

Still waiting on advice on how to get rid of the AVG antivirus program so I can continue with ComboFix. I couldn't figure out how to disable it, so I downloaded an uninstall tool that seemed to remove the program, but ComboFix still says it's active. Next I did a system restore to get the AVG program back in hopes of disabling it. Now the icons are there, but don't respond. Please help.

Thanks.


Ok, I ran ComboFix anyway.

Here is the log:

ComboFix 10-06-23.01 - Rat 06/23/2010 16:03:36.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2485 [GMT -6:00]

Running from: c:\documents and settings\Rat\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Rat\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\documents and settings\rat\local settings\application data\bwfwiwf\ckmtwdd.exe"

"c:\documents and settings\rat\local settings\application data\wawlxmjy\.exe"

"c:\windows\msv1_0.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Shared

c:\windows\system32\Data

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))

.

2010-06-22 23:18 . 2010-06-22 23:18 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-22 23:18 . 2010-06-23 14:33 -------- d-----w- c:\windows\system32\drivers\Avg

2010-06-22 23:18 . 2010-06-23 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-06-22 23:12 . 2010-06-22 23:17 -------- d-----w- C:\ComboFix(2)

2010-06-22 16:41 . 2010-06-22 16:41 -------- d-----w- c:\program files\Trend Micro

2010-06-19 23:29 . 2010-06-20 00:14 -------- d-----w- c:\documents and settings\Rat\Local Settings\Application Data\lshydxejo

2010-06-16 20:28 . 2008-11-19 00:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-06-16 20:28 . 2010-06-22 23:18 -------- d-----w- c:\documents and settings\Administrator

2010-06-15 03:38 . 2010-06-16 21:18 -------- d-----w- c:\documents and settings\Rat\Local Settings\Application Data\wawlxmjy

2010-06-15 03:38 . 2010-06-15 03:38 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-06-15 03:38 . 2010-06-23 21:53 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-15 02:44 . 2010-06-16 21:18 -------- d-----w- c:\documents and settings\Rat\Local Settings\Application Data\bwfwiwf

2010-06-01 02:20 . 2010-06-01 02:20 503808 ----a-w- c:\documents and settings\Rat\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44c59993-n\msvcp71.dll

2010-06-01 02:20 . 2010-06-01 02:20 499712 ----a-w- c:\documents and settings\Rat\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44c59993-n\jmc.dll

2010-06-01 02:20 . 2010-06-01 02:20 348160 ----a-w- c:\documents and settings\Rat\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44c59993-n\msvcr71.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-22 23:18 . 2008-10-08 20:58 -------- d-----w- c:\documents and settings\Rat\Application Data\AVGTOOLBAR

2010-06-22 20:51 . 2009-06-26 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-06-21 20:37 . 2010-06-16 20:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-16 21:40 . 2009-02-15 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-06-16 20:37 . 2010-06-16 20:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-14 20:35 . 2010-01-17 01:37 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-13 02:44 . 2008-10-09 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-01 02:26 . 2009-07-16 03:01 -------- d-----w- c:\program files\Paint Shop Pro 6

2010-05-07 18:55 . 2010-05-07 18:55 255472 ----a-w- c:\documents and settings\Rat\Application Data\Mozilla\plugins\npgoogletalk.dll

2010-05-05 02:34 . 2010-05-05 02:34 496 ----a-w- c:\windows\eReg.dat

2010-05-05 02:34 . 2008-12-26 17:43 -------- d-----w- c:\program files\Electronic Arts

2010-05-05 02:33 . 2010-05-05 02:33 -------- d-----w- c:\program files\Maxis

2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-01 02:34 . 2010-05-01 02:33 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-29 21:39 . 2010-06-16 20:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 21:39 . 2010-06-16 20:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

1999-08-13 12:00 . 2009-07-16 03:03 4820 ----a-w- c:\program files\CAMUNWISE.INI

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 20:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UCreate Music Mixer"="c:\program files\Radica\UCreate\Music\UCreate.exe" [2009-08-10 597616]

"Google Update"="c:\documents and settings\Rat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-24 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"nwiz"="nwiz.exe" [2008-09-18 1657376]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"P17Helper"="P17.dll" [2005-05-03 64512]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]

"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 296631]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\Rat\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-22 16:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Documents and Settings\\Rat\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Rat\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/8/2008 2:58 PM 108552]

R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 2:20 PM 24120]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/8/2008 2:58 PM 335240]

S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 6:04 PM 908056]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 6:04 PM 297752]

.

Contents of the 'Scheduled Tasks' folder

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-362288127-725345543-1004Core.job

- c:\documents and settings\Rat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-24 03:24]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-362288127-725345543-1004UA.job

- c:\documents and settings\Rat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-24 03:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://kids.nationalgeographic.com/

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

AddRemove-Luxor - c:\progra~1\GAMEHO~1\Luxor\UNWISE.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-23 16:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-362288127-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:48,de,5f,af,69,94,76,1a,ef,47,0a,bc,cd,46,3e,5b,ee,56,ca,54,a5,

b5,67,f4,a0,16,1d,71,b7,12,34,d9,34,01,97,18,1e,cc,28,6e,ba,fb,c3,68,21,6d,\

"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(948)

c:\windows\system32\nvappfilter.dll

.

Completion time: 2010-06-23 16:10:40

ComboFix-quarantined-files.txt 2010-06-23 22:10

Pre-Run: 224,707,956,736 bytes free

Post-Run: 226,045,214,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A9C180A8E779E1CF0AEF7749A35E77FE


Please pack this folder(s) in an archive protected with the password infected.

C:\Qoobox

Send me a PM with it (if it's too big, upload it to www.rapidshare.com or another server and send me the download link).

http://forums.malwarebytes.org/index.php?a...=4&MID=7603

Update/Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.


I PM'd you a link to the zipped file.

Here is the Mbam log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4234

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/24/2010 1:11:37 PM

mbam-log-2010-06-24 (13-11-37).txt

Scan type: Full scan (C:\|)

Objects scanned: 175091

Time elapsed: 19 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{7320637E-FB1B-4569-A277-A0ACF84C16A5}\RP186\A0024516.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{7320637E-FB1B-4569-A277-A0ACF84C16A5}\RP186\A0024517.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{7320637E-FB1B-4569-A277-A0ACF84C16A5}\RP186\A0024632.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Yes, all seems normal now. Thank you so much!!!

The only problem I have is this AVG anti-virus software that I can't seem to get off of my computer. I want to install something better like Norton or Kaspersky. Do you have any tricks to uninstall it?

Thanks again.

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
