Green AV infected boss' cpu & Norton unaware

bsk713:

 

Since you have N360 instead of NIS/NAV, the Mods have moved your thread to the N360 forum.  The best way to find it, is to click on your own user name, which will take you to a screen showing your latest posts.  Probably pick the one near the bottom.  That will get you where you need to be.  Otherwise, go to the N360 forum and search down the list of thread authors to find your own.

I am not a tech type but I have Norton. I was so disappointed that they wanted to charge me $99 to solve this problem.  Their software could not even find the Green AV when I did the full scan???? Yet their dept. wanted to take care of it for additional $$.  Norton should serve their customers and get an update asap w/o extra charges.  What is the point of buying their software?  I wanted to THANK YOU for your kindness in helping us out for free!!! :smileyhappy: The only thing I did not find via hijack to remove was -O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll.  I don't think I let this enter my computer as I would say no to request for 32..... I am now running Malwarebytes as you recommended.  I will not be purchasing Norton again. Can you recommend any other product?

Thanks

New

New:

 

I can't recommend anything better.  I have been using Norton for over 10 years, and I am a deliriously happy customer.  I have had only two minor infections during that time, thanks to my children, that were easily removed.  The improvements in the product, as well as the support found on this excellent forum, which is provided by Symantec, ensure that I remain a loyal customer.

 

All antivirus products have their own issues.  None are perfect.  None can stop malware 100% of the time.  People will click on things, and open things, and download things.  Nothing protects a user from himself.

 

We have quite a few people with other antivirus products trying to get our assistance to remove malware.  This we can't do, as it is not an open forum.  That has to tell you something.

 

Best wishes

Dear Quads,

I already had Malwarebytes installed and updated it just now and ran a full scan. We got rid of them! Thanks!!!!!!!!!!!!!!!


Files Infected:
C:\Documents and Settings\All Users\Application Data\gra\mradll.exe (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\gra\gra.exe (Rogue.GreenAV) -> Quarantined and deleted successfully.

Greetings.  I see how you have helped others with the GAV virus.  Can you help me?  My teenager went onto 911tabs and got this virus.  I did get a log from Hijackthis.org but I do not know how to find it (I know how to attach and how to browse, but I can't find it in the browse. Usually I can find it).  I have to get rid of this since I use this computer in my private business (my child's computer crashed....wonder why! haha).  Anyway, now I need to fix this one.  Please help.

 

michi

 

[edit: Please do not post links to potentially dangerous websites per the Participation Guidelines and Terms of Service.]

Message Edited by shannons on 09-12-2009 03:38 PM

Quads,

I ran Hijack This but I would like to attach it, yet I can't find the hijackthis2 log which I created. I know how to attach but not how to find it. Please help.

 

michi

Message Edited by michijoesm on 09-12-2009 08:37 AM

bsk713

Did you find your new thread, which the Moderator set up for you a while ago?

here is a copy:

Moved: http://community.norton.com/norton/board/message?message.uid=140675#U140675 

 michi

 

[edit: Fixed posting error.]

Message Edited by shannons on 09-12-2009 03:41 PM

QUADS

 

Would you be able to look at my Hijack This Log attached?  I would really appreciate it.  Thank you.

 

I tried to attach it after I found it, a while ago, but it would not attach it, so I had to copy it into Word. Here goes:

 

 

This is an edit:  I just opened the file and I had saved it in Rich Text, but it did not put in returns after the lines, so I am going to try to do it again. Sorry.

 

 

Sincerely, michi

Message Edited by michijoesm on 09-12-2009 10:03 AM

QUADS,

 

 I utilized your advice and solved the problem (but I hope that I did not delete anything else in the process).  I used the Task Manager to see which of the ones would take off the Green AV, and it was the END PROCESS for "rwg.exe".  I then utilized the Hijack This to take out the following:

    04 - H RCU\,,\Run: [69387646557683] C:\ProgramData\gwr\wsn.bat

    04 - H RCU\,,\Run: [37465982736455] C:\ProgramData\gwr\mwrdll.exe

    04 - H R CU\,,\Run:[038745569874596]C:\ProgramData\gwr\rwg.exe

 

Did I take out anything I needed?  If so, which one(s)?     (I can't find the little logo for my WiFi on my quick launch Task Bar(?).) Also, I noticed that when the malware appeared, it was always preceded by that little "blackboard" called cmd.  But now that does not appear anymore.

 

Thank you for your advice online.  It worked!!!   and the Malware is gone (did I get it all??) and it does not appear on my User (Michele);

I am reattaching a copy of my Hijack This Log (without the WordWrapping I hope).

 

Overall, it took me 6 hours of work on the computer to get rid of this, but I'm sure glad it is off!  Interesting to note that when the kids use 911tabs on their iPods, the malware does not appear! Has Apple found a solution? Do GAVs not appear on Macs and only on IE?

 

Also, I did not delete the following, but should I:

 

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
(It seems to bring up the cmd when I pressed it.  Maybe they used this as an opener to get the cmd open and jumpstart the malware files(?)  I'm no programmer but it looks like they were interconnected.)

 

and I deleted Silverlight (Microsoft) by mistake in the process.  I hope I can restore it. 

 

Michi 

 

 

Message Edited by michijoesm on 09-12-2009 12:34 PM
Message Edited by michijoesm on 09-12-2009 12:40 PM
[edit: Please do not post direct links to potentially unsafe websites per the Participation Guidelines and Terms of Service.]
Message Edited by shannons on 09-12-2009 03:43 PM

Delphinium,

 

I tried to install Malwarebytes.org software online, but every time I do, it says "internal error: failed to expand shell folder cont "userappdata". I went to the Microsoft website, deleted the "Recent" file they suggested after going through this long route to get to that folder, but that didn't work.  I tried to Restore to an earlier date, (this was before I got rid of the Green AV through Trend Micro hijackThis) but it would not restore.   Can you lead me towards obtaining a solution to the inability to install the Malwarebytes software?

Thank you.

Michele

In the last Hijackthis log, you also have these

 


O4 - HKUS\S-1-5-21-1085965913-235832656-310955751-1001\..\Run: [69387646557683] C:\ProgramData\gwr\wsn.bat (User 'Michele')

O4 - HKUS\S-1-5-21-1085965913-235832656-310955751-1001\..\Run: [37465982736455] C:\ProgramData\gwr\mwrdll.exe (User 'Michele')

O4 - HKUS\S-1-5-21-1085965913-235832656-310955751-1001\..\Run: [03874569874596] C:\ProgramData\gwr\rwg.exe (User 'Michele')



With "C:\ProgramData\gwr\rwg.exe " still loading

 

With Vista, after you download Malwarebytes, right-click on the Malwarebytes installer and choose "Run as Administrator" from the menu.

 

Quads 
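As an added illustration (not part of the original posts and not HijackThis's own logic), this Python sketch parses O4 autorun lines in the format quoted above and flags the kind of entry Quads points out. The two heuristics (a program launched from a folder directly under a shared data root, and an all-digit value name) are assumptions drawn from the entries in this thread; the `ExampleCCC` line is constructed.

```python
import re
from pathlib import PureWindowsPath

# The three HKUS lines are the ones quoted in this thread; the ExampleCCC
# line is constructed (hypothetical value name) to show an unflagged entry.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-21-1085965913-235832656-310955751-1001\..\Run: [69387646557683] C:\ProgramData\gwr\wsn.bat (User 'Michele')
O4 - HKUS\S-1-5-21-1085965913-235832656-310955751-1001\..\Run: [37465982736455] C:\ProgramData\gwr\mwrdll.exe (User 'Michele')
O4 - HKUS\S-1-5-21-1085965913-235832656-310955751-1001\..\Run: [03874569874596] C:\ProgramData\gwr\rwg.exe (User 'Michele')
O4 - HKLM\..\Run: [ExampleCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE"
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# First drive-letter path in the command that ends in a launchable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|bat|cmd|com|scr|dll)\b", re.I)
# Assumption: shared, user-writable data roots (Vista and XP layouts).
DATA_ROOTS = ("\\programdata", "\\all users\\application data")

def parse_o4(line):
    """Return the fields of one O4 Run line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def reasons_for(entry):
    """List the heuristic reasons (possibly none) for reviewing an entry."""
    reasons = []
    m = PATH_RE.search(entry["cmd"])
    if m:
        folder = PureWindowsPath(m.group(0)).parent
        if str(folder.parent).lower().endswith(DATA_ROOTS):
            reasons.append("runs from a folder directly under a shared data root")
    if entry["name"].isdigit():
        reasons.append("all-digit value name")
    return reasons

def flag_autoruns(log_text):
    """Return (value name, command, reasons) for each O4 line worth a look."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and (found := reasons_for(entry)):
            hits.append((entry["name"], entry["cmd"], found))
    return hits

if __name__ == "__main__":
    for name, cmd, why in flag_autoruns(SAMPLE_LOG):
        print(f"[{name}] {cmd}: {'; '.join(why)}")
```

A hit is a lead for manual review rather than a verdict, and an entry that matches neither heuristic is not thereby shown to be safe.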

 

 

Michele, in regards to the 'MOM.EXE' that's in the 'C:\Program Files\ATI Technologies\ATI.ACE\Core-Static', that's OK…As long as it's not in another folder. That file gets used for ATI monitoring processes, primarily with the CCC that it uses. As far as your MS Silverlight for showing videos, that can always be re-installed with no problem.

Message Edited by plb4333 on 09-12-2009 09:59 PM

QUADS

 

Thank you so much for your kindness and your expertise.

Michele