Malware infection detected, but not removed by Avast

I have a multiuser “family” licence for Avast 4.8 Professional.
We developed a malware infection on my daughter’s computer. I don’t know how it was originally installed, but by the time I became aware of it, it was generating fake “attack” and “infection” messages.
My daughter was savvy enough not to respond to the prompts to remove the infection.
Eventually, it began opening IE windows to porn sites.
(Firefox is our default browser.)

Avast was able to detect the infection on boot, but was not able to remove it, despite repeated attempts.
I received notification from Avast of “Win32: Spyware-gen [Spy]”.
The infected file was reportedly windows\system32\iehelper.dll, but this file does not even appear in this folder.
I requested both quarantine & deletion from Avast, but with no success. I also ran a complete system scan. No success.

Here is the log of Avast Warnings:
11/8/2009 9:33:14 PM SYSTEM 536 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://suggestqueries.google.com/complete/search?hl=en&client=youtube&hjson=t&ds=yt&jsonp=window.yt.www.suggest.handleResponse&q=otgir\\\&cp=8 (C:\TEMP_avast4_\unp45164974.tmp) returning error, 0000A413.
11/9/2009 7:46:07 PM SYSTEM 536 Sign of “JS:Downloader-FT [Trj]” has been found in “http://nokipaka.com/documents/?s=57” file.
11/9/2009 8:16:40 PM SYSTEM 536 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/9/2009 8:16:40 PM SYSTEM 536 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/9/2009 9:48:41 PM Natalie 656 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/9/2009 9:56:38 PM Natalie 320 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/9/2009 11:28:58 PM Natalie 320 Sign of “HTML:Script-inf” has been found in “http://2009-d0wnloadz.com/malwarebytes-promo/index.php?source=CCN-CD277-MIVA-malwarebytes” file.
11/9/2009 11:29:22 PM Natalie 320 Sign of “HTML:Script-inf” has been found in “http://2009-d0wnloadz.com/malwarebytes-promo/index.php?source=CCN-CD277-MIVA-malwarebytes” file.
11/9/2009 11:32:13 PM Natalie 320 AAVM - scanning warning: x_AavmCheckFileDirectEx: a script started by C:\Program Files\AIM6\aim6.exe (C:\Temp_avast4_\unp76299626.tmp) returning error, 0000A413.
11/9/2009 11:35:16 PM Natalie 592 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/10/2009 12:27:02 AM Natalie 592 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\System Volume Information_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP911\A0055033.dll” file.
11/10/2009 1:00:31 AM Natalie 548 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.

I successfully used Malwarebytes to remove a similar infection a year ago.
So I downloaded a current version of Malwarebytes, and again was able to identify and successfully remove the infection.
I don’t know whether to be disappointed in Avast or not, at this point… but my inclination is to be disappointed.
I know that during the removal process, I inadvertently began installing more malware. While trying to download an update of Malwarebytes, my browser download window was hijacked to another site. I stupidly began installation of the downloaded file, without realizing that it wasn’t Malwarebytes, but a bogus antivirus program (Tiger something-or-other; it looked very slick and realistic). I eventually terminated the installation, after the program was already installed… So at least one of the infections listed below may be related to that error.
I know that Avast cannot protect against user stupidity, but it seems to me that some degree of recognition or removal capability was/is lacking.

Here is the log from Malwarebytes:

Malwarebytes’ Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/10/2009 12:56:50 AM
mbam-log-2009-11-10 (00-56-50).txt

Scan type: Full Scan (C:|)
Objects scanned: 256899
Time elapsed: 1 hour(s), 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP911\A0055033.dll (Trojan.BHO) → Quarantined and deleted successfully.
C:\WINDOWS\system32\dmns.cfg (Rogue.AntiVirusPro) → Quarantined and deleted successfully.
C:\WINDOWS\system\cmd (Malware.Trace) → Quarantined and deleted successfully.
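The Avast warning log above is regular enough to parse. This added Python example (not from the original post or from Avast) groups the "Sign of ... has been found in ..." lines by path, so a file the scanner keeps flagging across sessions, like iehelper.dll here, stands out as a failed removal rather than a new infection, and restore-point copies under System Volume Information are listed separately. The sample log is constructed from the post's lines, with the downloader URL replaced by a placeholder.

```python
import re
from datetime import datetime

# Constructed sample modelled on the post's Avast 4.8 warning log (URL is a placeholder).
SAMPLE_LOG = r'''
11/9/2009 7:46:07 PM SYSTEM 536 Sign of "JS:Downloader-FT [Trj]" has been found in "http://downloader.example.invalid/documents/?s=57" file.
11/9/2009 8:16:40 PM SYSTEM 536 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\iehelper.dll" file.
11/9/2009 8:16:40 PM SYSTEM 536 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\iehelper.dll" file.
11/9/2009 9:48:41 PM Natalie 656 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\iehelper.dll" file.
11/9/2009 11:32:13 PM Natalie 320 AAVM - scanning warning: x_AavmCheckFileDirectEx: a script started by C:\Program Files\AIM6\aim6.exe (C:\Temp_avast4_\unp76299626.tmp) returning error, 0000A413.
11/9/2009 11:35:16 PM Natalie 592 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\iehelper.dll" file.
11/10/2009 12:27:02 AM Natalie 592 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP911\A0055033.dll" file.
11/10/2009 1:00:31 AM Natalie 548 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\iehelper.dll" file.
'''
# Detection lines only (straight or curly quotes); AAVM warnings and other lines are skipped.
DETECTION_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of ["“](?P<sig>[^"”]+)["”] has been found in ["“](?P<path>[^"”]+)["”] file\.$')

def parse_avast_log(text):
    """Return one dict per detection line, with the timestamp parsed to a datetime."""
    events = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events

def summarize(events):
    """Per path: signature, hit count, user sessions that saw it, first and last time."""
    out = {}
    for ev in events:
        s = out.setdefault(ev["path"], {"sig": ev["sig"], "hits": 0, "users": set(),
                                        "first": ev["ts"], "last": ev["ts"]})
        s["hits"] += 1
        s["users"].add(ev["user"])
        s["first"], s["last"] = min(s["first"], ev["ts"]), max(s["last"], ev["ts"])
    return out

def unresolved(events, min_hits=2):
    """Paths re-detected across sessions, most hits first: found repeatedly but never removed."""
    summ = summarize(events)
    return sorted((p for p, s in summ.items() if s["hits"] >= min_hits),
                  key=lambda p: -summ[p]["hits"])

def restore_point_copies(events):
    """Hits under System Volume Information are restore-point snapshots a rollback can revive."""
    return sorted({e["path"] for e in events if "system volume information" in e["path"].lower()})
```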

Hi:

You and/or your daughter’s experience is why it is highly recommended to use the “Layered Approach” to computer security, using 2 or more programs, since 1 program should NOT be expected to provide COMPLETE security. I have Avast, Malwarebytes Anti-Malware, “SUPERAntiSpyware”, Spywareblaster from www.javacoolsoftware.com and a software firewall as my primary security. Other than the firewall, the other programs have “Updates” at least once every 2 weeks, which should be obtained.

Your Malwarebytes Anti-Malware log shows the “Antivirus Pro” “Rogue”, without identifying IF it MAY be “linked” to a SPECIFIC year, normally either 2009 or 2010. The latter is Not so easily removed COMPLETELY and, to be safe, I recommend you visit an Advanced Malware Removal Forum, staffed by experienced, CERTIFIED, Volunteer “Malware Removal Specialist(s)”, such as the One at www.geekstogo.com.

Also, I noticed in the “First” log a reference to “AIM6”, and since AIM is One of the most Vulnerable Instant Messengers, it would be wise to have it checked by running the FREE program (“AimFix”) at http://jayloden.com/aimfix.htm.

Spiritsongs: Thanks so much for your helpful advice.
I, too, noticed that one of the indications of an attack was related to AIM, and wondered if that opened the door to other infections. I have only a vague idea of how these things work… and obviously was embarrassed to have actually installed malware on the computer while attempting to remove other malware :-[. I had already purchased and registered Malwarebytes to provide run-time protection, but will follow the additional steps you’ve recommended as well.

Try to use the boot scan with Avast; I’m sure it will be removed by Avast…

About opening Internet Explorer: I got this before, but it wasn’t for a porn site!
Maybe it is a Hijacker or Adware!

Careful, I notice that some viruses can now easily infect the IE browser for some reason; keep your IE browser always updated, because some viruses now use JS or iframe code to spread…

Or else I recommend http://www.mozilla.com/en-US/products/download.html because it’s fast and safe to use…