Need HELP with "Resident Shield Alert" REMOVAL!



This window keeps popping up saying it's from AVG Resident Shield Alert and I have multiple trojans infecting my computer, it adds a new one every minute. I'M LOST! I now know it's a virus!

I have run my AVG 2012, and nothing found!

I have run Spybot, it found two cookie tracers, or whatever they're called and one trojan, and those were fixed.

I ran Malwarebytes, and it found nothing!

I am not a computer genius, but I can maneuver around with directions. I have been searching the internet for hours, but nothing is helping me.

I NEED HELP! I use this computer for work, so I need help now! Please I'm desperate!

My computer is a Dell desktop with Windows Vista.

Also, for some reason my security center is shutdown and I cannot turn it back on. So these trojans are messing with that now! HELP!


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.

Post the scan results using Copy/Paste


I updated... and it found some stuff. I also updated my Spybot, and it found a few more as well.

I have run malware, spybot, and avg several times since.

The bugs seem to be gone... but my Security Center is still not responding.

Here is the scan that found them after I updated.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.05.11

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.16982

Tipton :: TIPTON-PC [administrator]

9/5/2012 5:50:42 PM

mbam-log-2012-09-05 (17-50-42).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 186918

Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\Users\Tipton\AppData\Roaming\htvmir.dll (Spyware.Password) -> Delete on reboot.

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|htvmir (Spyware.Password) -> Data: rundll32.exe "C:\Users\Tipton\AppData\Roaming\htvmir.dll",FIsEmptyA -> Quarantined and deleted successfully.

Registry Data Items Detected: 2

HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$70cf7cdeedd62f3b4983cc13037f6569\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-74056479-2286771197-3958680048-1000\$70cf7cdeedd62f3b4983cc13037f6569\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Users\Tipton\AppData\Roaming\htvmir.dll (Spyware.Password) -> Delete on reboot.

C:\$Recycle.Bin\S-1-5-18\$70cf7cdeedd62f3b4983cc13037f6569\n (RootKit.0Access) -> Delete on reboot.

C:\$Recycle.Bin\S-1-5-21-74056479-2286771197-3958680048-1000\$70cf7cdeedd62f3b4983cc13037f6569\n (RootKit.0Access) -> Quarantined and deleted successfully.

(end)
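An added example, not part of any post in this thread: a small Python triage of a Malwarebytes 1.x log in the layout shown above. It lists objects marked "Delete on reboot", which stay on disk until the machine restarts, and COM `InProcServer32` values that were pointed into `$Recycle.Bin`. The sample log is constructed with placeholder paths and CLSID, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of the Malwarebytes 1.x log posted above;
# paths, CLSID and folder names are placeholders, not values from the thread.
SAMPLE_LOG = r"""
Memory Modules Detected: 1
C:\Users\user\AppData\Roaming\example.dll (Spyware.Password) -> Delete on reboot.
Registry Keys Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKCR\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$placeholder\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
Files Detected: 2
C:\Users\user\AppData\Roaming\example.dll (Spyware.Password) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-18\$placeholder\n (RootKit.0Access) -> Quarantined and deleted successfully.
(end)
"""

SECTION = re.compile(r"^(?P<name>.+) Detected: (?P<count>\d+)$")
DETECTION = re.compile(r"^(?P<obj>.+?) \((?P<threat>[\w.]+)\) -> (?P<rest>.+)$")
BAD_GOOD = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")

def parse_log(text):
    """Return one dict per detection line, tagged with its log section."""
    section, found = None, []
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            section = m["name"]
        elif section and (m := DETECTION.match(line)):
            item = {"section": section, "object": m["obj"], "threat": m["threat"],
                    "action": m["rest"].rsplit(" -> ", 1)[-1].rstrip(".")}
            if bg := BAD_GOOD.search(m["rest"]):
                item["bad"], item["good"] = bg["bad"], bg["good"]
            found.append(item)
    return found

def triage(items):
    """Split detections into those still pending a reboot and COM-server hijacks."""
    pending = sorted({i["object"] for i in items if i["action"].startswith("Delete on reboot")})
    hijacks = [i for i in items
               if "InProcServer32" in i["object"] and "$recycle.bin" in i.get("bad", "").lower()]
    return {"needs_reboot_and_rescan": pending, "com_hijacks": hijacks}

if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    print("Still on disk until reboot:", report["needs_reboot_and_rescan"])
    for h in report["com_hijacks"]:
        print(f'{h["object"]} was redirected to {h["bad"]}; restored to {h["good"]}')
```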


Please run a new MBAM scan.

That RootKit 0access is known to be a backdoor trojan so I need to give you this information.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


I ran two scans yesterday after the first one... a quick and a full one. Both came up with nothing.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.05.11

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.16982

Tipton :: TIPTON-PC [administrator]

9/5/2012 6:06:54 PM

mbam-log-2012-09-05 (18-06-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 186276

Time elapsed: 18 minute(s), 16 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.05.11

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.16982

Tipton :: TIPTON-PC [administrator]

9/5/2012 8:47:55 PM

mbam-log-2012-09-05 (20-47-55).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 51163

Time elapsed: 9 minute(s), 18 second(s) [aborted]

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from this link

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
