Author Topic: My behavior shield is going nuts,

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My behavior shield is going nuts,
« Reply #15 on: February 12, 2011, 04:08:17 PM »
Run ComboFix even with the warning - but do not allow Avast to quarantine or delete anything whilst ComboFix is running. This is because some of ComboFix's behaviour would appear the same as malware.

Patricia.K

  • Guest
Re: My behavior shield is going nuts,
« Reply #16 on: February 12, 2011, 05:02:08 PM »
ComboFix ran fine with no problems from avast!
ComboFix.txt is attached at the bottom.

PK

Offline essexboy
Re: My behavior shield is going nuts,
« Reply #17 on: February 12, 2011, 05:58:40 PM »
Again not a lot showing there - is behaviour shield still going nuts? Are they related to OA, I wonder?

Patricia.K
Re: My behavior shield is going nuts,
« Reply #18 on: February 12, 2011, 06:40:59 PM »
Again not a lot showing there - is behaviour shield still going nuts? Are they related to OA, I wonder?
I have excluded OA/Spybot/MBAM/avast! from each other. avast! has 3 places I exclude from: the 'On Demand Scans', the 'File system shield settings/Exclusions' and 'Behaviour Shield/Trusted Processes'.
 
,,,,,,,,,crap,,,just got a BSOD on the desktop,,,,,,,,,
"IRQL_NOT_LESS_OR_EQUAL",,,,,,,Hmmmmm

OK,,So no biggie on the BSOD.
Remove OTL and ComboFix?, try something else? GMER, TDSSKiller?

Nothing new on the Behaviour Shield.



« Last Edit: February 12, 2011, 06:44:36 PM by Patricia.K »

Offline essexboy
Re: My behavior shield is going nuts,
« Reply #19 on: February 12, 2011, 06:46:01 PM »
If you are happy to play I have lots of toys  ;D

Could you upload the zip file to Mediafire and post the sharing link.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.



Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip



Patricia.K
Re: My behavior shield is going nuts,
« Reply #20 on: February 13, 2011, 05:20:41 AM »
MEDIAFIRE LINK: http://www.mediafire.com/?uadwayzz2zcd2mf
Tried 2x to DL Kaspersky to the desktop, no go, will try to DL in safe mode next.
« Last Edit: February 13, 2011, 05:31:41 AM by Patricia.K »

Patricia.K
Re: My behavior shield is going nuts,
« Reply #21 on: February 13, 2011, 12:38:22 PM »
Here are the 2 Kaspersky scans you requested.
ZIP LINK: http://www.mediafire.com/?stk3hyuaca30bqn

Offline essexboy
Re: My behavior shield is going nuts,
« Reply #22 on: February 13, 2011, 12:49:34 PM »
OK, the only thing I can see that might be causing this is SUPERAntiSpyware unpacking its definitions:

('C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS','');
('C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS','');

Could you stop SAS and see if that removes all the alerts

Patricia.K
Re: My behavior shield is going nuts,
« Reply #23 on: February 13, 2011, 01:16:40 PM »
SAS was installed after the Behavior Shield started going bonkers. It's been removed already.
I will take a look through the C:/ and remove any leftovers.

Offline essexboy
Re: My behavior shield is going nuts,
« Reply #24 on: February 13, 2011, 01:46:51 PM »
Looking at the alerts from page one they are all associated with SAS and Spybot

Could you do another screenshot of the current alerts

Patricia.K
Re: My behavior shield is going nuts,
« Reply #25 on: February 13, 2011, 06:50:19 PM »
Current Behavior Shield

Current Full System Scan Log

I did the SAS scan between the 1st post on the 9th and my 1st post on the 10th; that shows the SAS quarantine in the Full System Scan Log from the 1st page of this thread.
I turned off system restore,
Turned off Spybot's TeaTimer (resident shield),
Emptied out the temp file, cache etc,
Rebooted,
Ran SAS,
Ran Spybot,
Ran avast,
Ran MBAM,
Posted the log,
Later that day (10th) I deleted the SAS quarantine and SAS and its leftovers (hope I got it all).
Emptied out the trash, rebooted, started system restore and a new restore point,
Turned on TeaTimer.
SAS must have picked up what SB/avast!/MBAM missed, only to show up in the Spybot/avast logs. Trust me on this, I thoroughly ran all of them (other than SAS) before posting here.

Spybot detected and removed the 'Cbit-Solutions.PlayGames' from the rcimlby.exe (MS Remote Assistance) file on the 7th.
Cbit-Solutions.PlayGames is associated with the 'coolwebsearch' - 'search.mywebsearch' - 'Mywebsearch Toolbar' TROJAN and its variants, which I was infected with early last year.
This is a concern for me as 'search.mywebsearch' shows up in the OTL scan, last listing under FireFox. For some reason YAHOO is there as well and I have never had it as a search engine or browser.

So,,,where to go from here?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: My behavior shield is going nuts,
« Reply #26 on: February 13, 2011, 07:01:45 PM »
Of the ones in your image that we can see, they are all for S&D's recovery section.

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (recovery/restore) in case you need to reverse what you did. These are usually password protected; you should do some housekeeping in S&D and delete old recovery entries (older than two weeks or so), as this will reduce the number of files that can't be scanned.

The knock on of this may also be less associated behaviour shield activity; though I rather think these are inert so shouldn't trigger the behaviour shield, as these are on-demand scan results and not related to the behaviour shield.

Offline essexboy
Re: My behavior shield is going nuts,
« Reply #27 on: February 13, 2011, 07:22:57 PM »
Let's kill the FF entries - and what David said, delete the Spybot backups

Run OTL

Patricia.K
Re: My behavior shield is going nuts,
« Reply #28 on: February 13, 2011, 07:32:01 PM »
Of the ones in your image that we can see, they are all for S&D's recovery section.

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (recovery/restore) in case you need to reverse what you did. These are usually password protected; you should do some housekeeping in S&D and delete old recovery entries (older than two weeks or so), as this will reduce the number of files that can't be scanned.

The knock on of this may also be less associated behaviour shield activity; though I rather think these are inert so shouldn't trigger the behaviour shield, as these are on-demand scan results and not related to the behaviour shield.

Sooo,,,somewhere in the archived zip files could be a problem that could not be scanned by avast. If I were to use one of them it would possibly reinfect the pc again.

OOPS,,,was going to post this and you got ahead of me essexboy.
Will delete the Spybot backups, to prevent any further infections.
Reboot, run OTL, insert commands and let it do its thing.
Post new OTL log as requested.
(my ##@%&! son better not FU this pc again!)

Offline essexboy
Re: My behavior shield is going nuts,
« Reply #29 on: February 13, 2011, 07:54:02 PM »
Ah but you are learning - there is always a silver lining if you look hard enough

Could you attach the log please  ;D