
AV Security Suite help please



Hi,

My daughter's computer has been infected with the AV Suite virus. I can't download MBAM to her computer via the internet because of the virus and I tried to copy it to a CD with my computer with no luck.

I would greatly appreciate any help.


  • Root Admin

Please copy to CD and then take to the infected computer and copy it there and run it.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    [screenshot: cfRC_screen_1.png]
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    [screenshot: cfRC_screen_2.png]
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hi,

My wife posted after I did, so sorry for the double post.

The person who was helping us hasn't responded in a day so I thought I would try you.

I got stuck running ComboFix because we couldn't figure out how to disable our AVG antivirus. I then tried to uninstall it, but it seems ComboFix told me it was still there. I decided to run it anyway. Here is the log:

ComboFix 10-06-23.01 - Rat 06/23/2010 16:03:36.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2485 [GMT -6:00]

Running from: c:\documents and settings\Rat\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Rat\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\documents and settings\rat\local settings\application data\bwfwiwf\ckmtwdd.exe"

"c:\documents and settings\rat\local settings\application data\wawlxmjy\.exe"

"c:\windows\msv1_0.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Shared

c:\windows\system32\Data

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))

.

2010-06-22 23:18 . 2010-06-22 23:18 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-22 23:18 . 2010-06-23 14:33 -------- d-----w- c:\windows\system32\drivers\Avg

2010-06-22 23:18 . 2010-06-23 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-06-22 23:12 . 2010-06-22 23:17 -------- d-----w- C:\ComboFix(2)

2010-06-22 16:41 . 2010-06-22 16:41 -------- d-----w- c:\program files\Trend Micro

2010-06-19 23:29 . 2010-06-20 00:14 -------- d-----w- c:\documents and settings\Rat\Local Settings\Application Data\lshydxejo

2010-06-16 20:28 . 2008-11-19 00:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-06-16 20:28 . 2010-06-22 23:18 -------- d-----w- c:\documents and settings\Administrator

2010-06-15 03:38 . 2010-06-16 21:18 -------- d-----w- c:\documents and settings\Rat\Local Settings\Application Data\wawlxmjy

2010-06-15 03:38 . 2010-06-15 03:38 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-06-15 03:38 . 2010-06-23 21:53 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-15 02:44 . 2010-06-16 21:18 -------- d-----w- c:\documents and settings\Rat\Local Settings\Application Data\bwfwiwf

2010-06-01 02:20 . 2010-06-01 02:20 503808 ----a-w- c:\documents and settings\Rat\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44c59993-n\msvcp71.dll

2010-06-01 02:20 . 2010-06-01 02:20 499712 ----a-w- c:\documents and settings\Rat\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44c59993-n\jmc.dll

2010-06-01 02:20 . 2010-06-01 02:20 348160 ----a-w- c:\documents and settings\Rat\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-44c59993-n\msvcr71.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-22 23:18 . 2008-10-08 20:58 -------- d-----w- c:\documents and settings\Rat\Application Data\AVGTOOLBAR

2010-06-22 20:51 . 2009-06-26 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-06-21 20:37 . 2010-06-16 20:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-16 21:40 . 2009-02-15 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-06-16 20:37 . 2010-06-16 20:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-14 20:35 . 2010-01-17 01:37 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-13 02:44 . 2008-10-09 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-01 02:26 . 2009-07-16 03:01 -------- d-----w- c:\program files\Paint Shop Pro 6

2010-05-07 18:55 . 2010-05-07 18:55 255472 ----a-w- c:\documents and settings\Rat\Application Data\Mozilla\plugins\npgoogletalk.dll

2010-05-05 02:34 . 2010-05-05 02:34 496 ----a-w- c:\windows\eReg.dat

2010-05-05 02:34 . 2008-12-26 17:43 -------- d-----w- c:\program files\Electronic Arts

2010-05-05 02:33 . 2010-05-05 02:33 -------- d-----w- c:\program files\Maxis

2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-01 02:34 . 2010-05-01 02:33 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-29 21:39 . 2010-06-16 20:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 21:39 . 2010-06-16 20:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

1999-08-13 12:00 . 2009-07-16 03:03 4820 ----a-w- c:\program files\CAMUNWISE.INI

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 20:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UCreate Music Mixer"="c:\program files\Radica\UCreate\Music\UCreate.exe" [2009-08-10 597616]

"Google Update"="c:\documents and settings\Rat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-24 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"nwiz"="nwiz.exe" [2008-09-18 1657376]

"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]

"P17Helper"="P17.dll" [2005-05-03 64512]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]

"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 296631]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\Rat\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-22 16:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Documents and Settings\\Rat\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Rat\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/8/2008 2:58 PM 108552]

R2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [1/18/2007 2:20 PM 24120]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/8/2008 2:58 PM 335240]

S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 6:04 PM 908056]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 6:04 PM 297752]

.

Contents of the 'Scheduled Tasks' folder

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-362288127-725345543-1004Core.job

- c:\documents and settings\Rat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-24 03:24]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-362288127-725345543-1004UA.job

- c:\documents and settings\Rat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-24 03:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://kids.nationalgeographic.com/

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: %SYSTEMROOT%\system32\nvappfilter.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

AddRemove-Luxor - c:\progra~1\GAMEHO~1\Luxor\UNWISE.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-23 16:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-362288127-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:48,de,5f,af,69,94,76,1a,ef,47,0a,bc,cd,46,3e,5b,ee,56,ca,54,a5,

b5,67,f4,a0,16,1d,71,b7,12,34,d9,34,01,97,18,1e,cc,28,6e,ba,fb,c3,68,21,6d,\

"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(948)

c:\windows\system32\nvappfilter.dll

.

Completion time: 2010-06-23 16:10:40

ComboFix-quarantined-files.txt 2010-06-23 22:10

Pre-Run: 224,707,956,736 bytes free

Post-Run: 226,045,214,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A9C180A8E779E1CF0AEF7749A35E77FE

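The "Files Created" section of the log above lists three randomly named folders under Rat's Local Settings\Application Data, two of which held the files ComboFix deleted, and one (lshydxejo) that a helper would still want looked at. As an added illustration that is not part of this thread or of ComboFix itself, here is a small Python parser for that section which flags such folders; the sample lines are constructed to match the shape of the log above, and the consonant-run heuristic is my own assumption, not a ComboFix feature.

```python
import re

# Shape of one "Files Created" line in a ComboFix log:
#   <created> . <modified>  <size or -------->  <attrs>  <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

# Constructed sample: five lines shaped like the "Files Created" section above.
SAMPLE_LOG = """\
2010-06-19 23:29 . 2010-06-20 00:14 -------- d-----w- c:\\documents and settings\\Rat\\Local Settings\\Application Data\\lshydxejo
2010-06-16 20:28 . 2008-11-19 00:58 -------- d-----w- c:\\documents and settings\\Administrator\\Local Settings\\Application Data\\Microsoft Help
2010-06-15 03:38 . 2010-06-16 21:18 -------- d-----w- c:\\documents and settings\\Rat\\Local Settings\\Application Data\\wawlxmjy
2010-06-15 03:38 . 2010-06-15 03:38 552 ----a-w- c:\\windows\\system32\\d3d8caps.dat
2010-06-15 02:44 . 2010-06-16 21:18 -------- d-----w- c:\\documents and settings\\Rat\\Local Settings\\Application Data\\bwfwiwf
"""

# Per-user Local Settings\Application Data, lower-cased, with trailing separator.
APPDATA_MARKER = "\\local settings\\application data\\"
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{3,}")  # y counted as a vowel


def parse_files_created(text):
    """Return one dict per parsable 'Files Created' line, in log order."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def looks_random(name):
    """Assumed heuristic: one all-lowercase alphabetic token, >= 6 chars, with a 3+ consonant run."""
    return (name.isalpha() and name.islower() and len(name) >= 6
            and CONSONANT_RUN.search(name) is not None)


def suspicious_appdata_dirs(records):
    """Leaf names of directories created directly under a user's local
    AppData folder whose name looks machine-generated."""
    hits = []
    for rec in records:
        path = rec["path"].lower()
        if not rec["attrs"].startswith("d"):
            continue  # only directory entries are of interest here
        parent, _, leaf = path.rpartition("\\")
        if (parent + "\\").endswith(APPDATA_MARKER) and looks_random(leaf):
            hits.append(leaf)
    return hits


if __name__ == "__main__":
    for leaf in suspicious_appdata_dirs(parse_files_created(SAMPLE_LOG)):
        print("inspect:", leaf)
```

Run against the sample it reports lshydxejo, wawlxmjy and bwfwiwf and leaves "Microsoft Help" alone; the heuristic is only a prompt for manual inspection, not proof of infection.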
