Avg has trojan sheriff in vault

Discussion in 'Virus and Malware Removal' started by shetawk, Mar 6, 2008.

  1. shetawk Newcomer, in training Posts: 38

    recovery console...

    Thank you. Hope you're right.

    Am now running housecall.

    If shell32.dll changed, won't that affect my computer system?

    I don't have a recovery console. Searched but didn't find.

    Can revert to other dates but never saw a recovery program where I could put a disk in and start up again after my computer died.

    When I installed windows, I didn't go into detail, just installed everything.

    ST
  2. shetawk Newcomer, in training Posts: 38

    Anyway, how did this trojan get through?

    Have avg and run it every day.

    Microsoft has virus program running, too.

    I don't go to weird websites.

    How could it happen?

    ST
  3. shetawk Newcomer, in training Posts: 38

    Was avg/sheriff....My computer went wild...

    Was doing trend housecall.

    Monitor went off and hd was racing.

    Did the complicated tech thing. Unplugged and replugged and it seems okay now.

    How will I know if my computer is all right?

    Is it safe to use my thumb drive with passwords and bank info?

    ST
  4. Blind Dragon TechSpot Evangelist Posts: 4,048

    What were the results from Housecall? Did it find anything?
  5. shetawk Newcomer, in training Posts: 38

    Housecall....

    Ran it twice.

    First time my monitor shut off and hd started racing. Rebooted.

    Second time it froze in last 2 minutes and wouldn't advance. Meanwhile, my hd made all kinds of noises and clunked and jumped.

    Will try it again before the end of the day.

    Usually use firefox but IE kept coming up so I checked off "preferred" on firefox and IE has been quiet.

    Computer has been running slow but there may be a lot of people on the network (verizon) now, jamming it with offers from microsoft and disneyworld for forwarding same prayer to 90 people.

    Will post back if I see anything.

    I am concerned about the change in shell32.dll. Can I find out how it was changed and whether it's harmful?

    Thank you. ST
  6. Blind Dragon TechSpot Evangelist Posts: 4,048

    Run Kaspersky Online AV Scanner:

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  7. shetawk Newcomer, in training Posts: 38

    Here it is...2 viruses, 5 infected files... Thank you..

    See attached file.

    Thank you. ST
  8. shetawk Newcomer, in training Posts: 38

    Some of those files are from AVG and others from Windows...

    Are they all bad?

    ST
  9. Blind Dragon TechSpot Evangelist Posts: 4,048

    No, you are infected, but as the log says at the top, 2 viruses and 5 total infections.

    I am going to look back through the last few logs and will be back in a little while.
  10. shetawk Newcomer, in training Posts: 38

    Symantec scan showed nothing wrong...

    That's why I stopped subscribing to them years ago.

    Trend caught 2 viri that Sy missed. ST
  11. shetawk Newcomer, in training Posts: 38

    F-Secure said not-virus bad joke was virus

    Why are all the reports different?
  12. shetawk Newcomer, in training Posts: 38

    Ran F-Secure again and it did same thing...

    Will see if Kaspersky changes opinion. Thank you. ST
  13. Blind Dragon TechSpot Evangelist Posts: 4,048

    Hi shetawk, sorry for the delay, as you can tell we get pretty busy around here.

    AVG Anti Spyware
    • Download and install the latest version of AVG Anti Spyware
    • Click Save File on the box that pops up after clicking the link
    • The AVG installer will download to your desktop, Double click on this Icon
    • In the installer Click Next, I agree, Next, Install, after it extracts the files, check box to launch AVGAS then Finish
    • With the program launched, Select the Icon at the top that says UPDATE then Start Update in the left pane
    • Now select the Icon at the top that says SHIELD then at the top of the left pane change "Resident Shield is ..." from Active to Inactive
    • After the update click on the Scanner Icon at the top, then select the Settings tab. In the first section "How to act?" click on recommended actions and change it to delete. In the Reports section make sure it is set to Automatically generate report after every scan
    • Click back to the Scan tab and select Complete System Scan

    Attach the log back here
  14. shetawk Newcomer, in training Posts: 38

    Installed and ran avg spy...no report

    Block saying "no report if not infected" was clicked, although I clicked "save scan report". There is nothing listed under "infections". There were usual shopping spythings and one copy of not-virus. Didn't find a way to copy info from report. Program supposedly deleted those files. Can I access them? Do I need to?

    Reinstalled AVG antivirus and it said there were no viruses.

    Ran Housecall again and it froze, didn't finish.

    Ran Kaspersky and it said there were still viri. (report attached.)

    Although my machine is running much better and faster, am concerned about change in shell32.dll file. Feel as though someone is looking over my shoulder and monitor will explode any second.

    Is there a way I can pull that file out of installation disk and reinstall without reinstalling the whole program? How can I know whether it's doing something it shouldn't?

    Thank you. ST
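    A check for the shell32.dll worry raised in the post above, added here as an example and not part of the thread: it compares the live shell32.dll with the copy Windows File Protection keeps in dllcache and prints the file's version and vendor. The paths are assumptions for a Windows XP install, and the script avoids cmdlets missing from the PowerShell 1.0/2.0 of that era.

```powershell
# Added example, not from the thread. Assumed Windows XP layout: live DLL in
# %SystemRoot%\system32, Windows File Protection copy in system32\dllcache.
$system32 = Join-Path $env:SystemRoot 'system32'
$live     = Join-Path $system32 'shell32.dll'
$cached   = Join-Path $system32 'dllcache\shell32.dll'

function Get-FileSha256([string]$path) {
    # Manual hashing because Get-FileHash does not exist on PowerShell 1.0/2.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    $bytes  = $sha.ComputeHash($stream)
    $stream.Close()
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-FileDescription([string]$path) {
    # Version resource: a genuine shell32.dll reports Microsoft Corporation as CompanyName.
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    return "$($info.FileVersion) / $($info.CompanyName)"
}

"Live shell32.dll   : $live"
"  version/company  : $(Get-FileDescription $live)"
"  SHA-256          : $(Get-FileSha256 $live)"
"  last written     : $((Get-Item $live).LastWriteTime)"

if (Test-Path $cached) {
    $liveHash   = Get-FileSha256 $live
    $cachedHash = Get-FileSha256 $cached
    "dllcache copy      : $cached"
    "  SHA-256          : $cachedHash"
    if ($liveHash -eq $cachedHash) {
        "Result: live file matches the dllcache copy."
    } else {
        # Hotfixes update both copies together, so a mismatch is worth investigating.
        # 'sfc /scannow' rebuilds protected files from dllcache or the install CD.
        "Result: MISMATCH. Run 'sfc /scannow' and compare the version against a known-good XP build."
    }
} else {
    "No dllcache copy found; run 'sfc /scannow' to have Windows File Protection verify the file."
}
```

    A mismatch between the two copies, or a CompanyName other than Microsoft, is the signal to escalate; matching hashes only show that the two copies agree, not that both are clean.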
  15. Blind Dragon TechSpot Evangelist Posts: 4,048

    Looking better, the kaspersky scan only shows a few things. 2 of the 4 infections it is finding are in a restore point.

    Can you please turn off System Restore:
    1. Click Start, right-click My Computer, and then click Properties.
    2. In the System Properties dialog box, click the System Restore tab.
    3. Click to select the Turn off System Restore on all drives check box.
    4. Click OK.
    5. Click Yes to confirm that you want to turn off System Restore.

    After you are clean we will turn system restore back on.
    --------------------------------------------------
    Go to start -> control panel -> add/remove programs and uninstall the following if there:
    SideStep

    Launch HijackThis again and select Do a System Scan and Save a log. Attach this log.

    **I also need to know if you removed any entries with HijackThis prior to attaching the log. One thing I was looking for is not there, but I see the file for it in the Kaspersky scan. It looks like the entry had been removed but the file wasn't deleted.
  16. shetawk Newcomer, in training Posts: 38

    Just found out how to program reports on avg spy...

    Here it is.

    Subsequent report shows no intruders.

    Thank you. ST
  17. Blind Dragon TechSpot Evangelist Posts: 4,048

    Excellent. Can you scan one more time with Kaspersky just to be sure? Also, let's secure some of the work you have done.

    You may still have this from the preliminary instructions.
    Crap Cleaner
    • Download from HERE
    • Close all browsers.
    • Run the program and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old Prefetch Data option, which should be unticked)
    • Click the run cleaner button. Do this several times
    • You can also click the registry icon on the left if you want and scan for problems, select fix, then backup your registry when it pops up.

    Go to Start -> Run -> type in combofix /u
    *note the space between
    *This will uninstall ComboFix
    *removes VundoFix backups
    *removes quarantine files
    *creates a fresh clean restore point

    Remove HijackThis from Start -> Control Panel -> Add/Remove Programs
    Remove the 3 tools from step 10 (SmitfraudFix, VundoFix, VirtumundoBeGone) by dragging them to the Recycle Bin

    I recommend you keep:
    1 anti-virus program
    1 firewall
    Spybot S&D + Ad-Aware 2007, or your choice of anti-spyware

    Keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.
  18. shetawk Newcomer, in training Posts: 38

    Still have a virus...

    CC cleaned and I ran it a few more times with no more infection.

    HijackThis wasn't on my list of programs to uninstall in Control Panel. Found it on my Start menu. Don't know whether it cleaned completely.

    Kaspersky says I still have a virus and damaged files.

    Why weren't they cleaned out by the other programs?

    Thank you. ST
  19. shetawk Newcomer, in training Posts: 38

    hijack this log again...

    Here's hijack again.

    Thank you. ST
  20. Blind Dragon TechSpot Evangelist Posts: 4,048

    Use Windows Explorer to navigate to and delete the following folder:
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E

    Files:
    C:\Kitandkaboodle\Documents\~Documents2\Travel <-This folder only

    Afterwards, restart your computer and run Kaspersky 1 more time. I think this should be the end of it.

    Also, before the next time I post
    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder