Recently had a av suite virus (?) now things aren't right???

[mcummings36]

A few days ago my computer wigged out and I kept getting this pop up about my computer not being protected, and that I needed to purchase an anti virus protection program. It took me a few hours to get to where I could do a system restore, because everything I clicked on, (IE, Outlook, control panel, everything) caused a pop up error message and/or opened an internet page to a porn site. I just kept clicking on my icons until I finally got my system tools opened up. The system restore seemed to work, I can now access everything, but when I search for something on, for example, google, if I click on anything in the search results, I get taken to some random page, not the site I click on. I also have horrible pop ups, even though my pop up blocker is set to medium high. What should I do?

[Dr Jay]

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

[mcummings36]

WHERE? I set up an account and did a search for "using combo fix" and got pages and pages of everyone else's problems.

[Dr Jay]

This is the guide: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

[mcummings36]

Here is the log. Sorry it took so long, but that stupid av security...whatever it is showed up again last night, and it took forever for me to even get combo fix to run.

[recovering disk space - old attachment deleted by admin]

[Dr Jay]

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.

[mcummings36]

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2010 9:16:23 AM
mbam-log-2010-06-29 (09-16-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 245818
Time elapsed: 6 hour(s), 49 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproductsinstaller.start (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproductsinstaller.start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d4db7d1-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{1d4db7d0-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\2.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\2.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

[Dr Jay]

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic

[mcummings36]

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dacdeef605cf144581765b7c1da0d8d2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-27 03:49:57
# local_time=2010-01-26 08:49:57 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 36219885 36219885 0 0
# compatibility_mode=769 16775125 100 98 0 199919878 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=99055
# found=12
# cleaned=12
# scan_time=7473
C:\Documents and Settings\Christopher Apostle\Incomplete\T-5857189-mama dont get dressed up for.au   a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Christopher Apostle\My Documents\Downloads\oops i did it again britney.mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined)   00000000000000000000000000000000   C
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090306-175822-786.dll   a variant of Win32/Adware.Gamevance.AA application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir   Win32/Olmarik.RF virus (deleted - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2171\A0185091.dll   Win32/Adware.OneStep application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2171\A0185100.dll   Win32/Adware.OneStep application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2172\A0185667.dll   Win32/Adware.OneStep application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2172\A0185774.dll   Win32/Adware.OneStep application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2202\A0187448.dll   a variant of Win32/Adware.Gamevance.AA application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt   Win32/TrojanDownloader.FakeAlert.AED virus (deleted - quarantined)   00000000000000000000000000000000   C
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4PQ7052J\oHcbf355a8V0100f080006R0c630b01102T80ce34d5201l0409K674c5f60317[1].pdf   JS/Exploit.Pdfka.ASD trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\J9HEZTHA\oHcbf355a8V0100f080006Rfe02f902102T80ad026c201l0409Ke9f006da317[1].pdf   JS/Exploit.Pdfka.ASD trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dacdeef605cf144581765b7c1da0d8d2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-07-09 06:44:31
# local_time=2010-07-09 12:44:31 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 50316945 50316945 0 0
# compatibility_mode=769 16775125 100 98 0 214016938 297974 0
# compatibility_mode=8192 67108863 100 0 13179470 13179470 0 0
# scanned=113211
# found=6
# cleaned=6
# scan_time=4087
C:\Qoobox\32788R22FWJFW\WudfPf.sys   Win32/Olmarik.ZC trojan (cleaned - quarantined)   99A311F3249C31AB502F20865708BB72   C
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\obcevydjq\nwxbetttssd.exe.vir   Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined)   01B0A1AD097DB0F99BD695CDD1D9FBBF   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2373\A0209340.exe   Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined)   01B0A1AD097DB0F99BD695CDD1D9FBBF   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0210381.exe   Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined)   01B0A1AD097DB0F99BD695CDD1D9FBBF   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0212393.exe   Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined)   01B0A1AD097DB0F99BD695CDD1D9FBBF   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2378\A0214147.sys   Win32/Olmarik.ZC trojan (cleaned - quarantined)   99A311F3249C31AB502F20865708BB72   C

[Dr Jay]

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

[mcummings36]

I get an error message when I try to check for updates? I've tried several times...??

[Dr Jay]

Ok. Just run the scan and post a log, please.

[mcummings36]

Here is the log, and also, can you tell me what might be causing me to not stay logged in on most of my pages? Like here, ebay, hotmail, etc...before when I check "stay logged in" I would stay logged in, whether it was for a day, or all the time, however that specific page was set up. But now no matter what I do, I am logged out of everything. What could be causing that and how do I fix it? I also keep getting a pop up message about a script running. No idea what that is either. Thanks!!


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/21/2010 7:44:37 AM
mbam-log-2010-07-21 (07-44-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239929
Time elapsed: 2 hour(s), 6 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2373\A0209287.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0210328.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0211315.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0212308.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0212436.sys (Malware.Trace) -> Quarantined and deleted successfully.

[Dr Jay]

How is the computer running?

[mcummings36]

Fine, except for the script message that pops up on Facebook, and the fact that I don't stay logged in on anything.