Author Topic: Recently had a av suite virus (?) now things aren't right??? (Read 16025 times)

mcummings36 · « **on:** July 01, 2010, 09:46:39 AM »

A few days ago my computer wigged out and I kept getting this pop up about my computer not being protected, and that I needed to purchase an anti virus protection program. It took me a few hours to get to where I could do a system restore, because everything I clicked on, (IE, Outlook, control panel, everything) caused a pop up error message and/or opened an internet page to a porn site. I just kept clicking on my icons until I finally got my system tools opened up. The system restore seemed to work, I can now access everything, but when I search for something on, for example, google, if I click on anything in the search results, I get taken to some random page, not the site I click on. I also have horrible pop ups, even though my pop up blocker is set to medium high. What should I do?

Dr Jay · « **Reply #1 on:** July 02, 2010, 03:24:55 PM »

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

mcummings36 · « **Reply #2 on:** July 03, 2010, 03:27:43 PM »

WHERE? I set up an account and did a search for "using combo fix" and got pages and pages of everyone else's problems.

Dr Jay · « **Reply #3 on:** July 03, 2010, 08:33:17 PM »

This is the guide: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

mcummings36 · « **Reply #4 on:** July 05, 2010, 04:17:38 PM »

Here is the log. Sorry it took so long, but that stupid av security...whatever it is showed up again last night, and it took forever for me to even get combo fix to run.

[recovering disk space - old attachment deleted by admin]

Dr Jay · « **Reply #5 on:** July 05, 2010, 04:34:18 PM »

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Copy and paste the entire report in your next reply.

mcummings36 · « **Reply #6 on:** July 07, 2010, 06:44:47 PM »

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2010 9:16:23 AM
mbam-log-2010-06-29 (09-16-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 245818
Time elapsed: 6 hour(s), 49 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproductsinstaller.start (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproductsinstaller.start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d4db7d1-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{1d4db7d0-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\2.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\2.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Dr Jay · « **Reply #7 on:** July 07, 2010, 06:56:33 PM »

Please run a free online scan with the ESET Online Scanner

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

mcummings36 · « **Reply #8 on:** July 09, 2010, 04:53:58 AM »

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dacdeef605cf144581765b7c1da0d8d2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-27 03:49:57
# local_time=2010-01-26 08:49:57 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 36219885 36219885 0 0
# compatibility_mode=769 16775125 100 98 0 199919878 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=99055
# found=12
# cleaned=12
# scan_time=7473
C:\Documents and Settings\Christopher Apostle\Incomplete\T-5857189-mama dont get dressed up for.au   a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Christopher Apostle\My Documents\Downloads\oops i did it again britney.mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined)   00000000000000000000000000000000   C
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090306-175822-786.dll   a variant of Win32/Adware.Gamevance.AA application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir   Win32/Olmarik.RF virus (deleted - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2171\A0185091.dll   Win32/Adware.OneStep application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2171\A0185100.dll   Win32/Adware.OneStep application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2172\A0185667.dll   Win32/Adware.OneStep application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2172\A0185774.dll   Win32/Adware.OneStep application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2202\A0187448.dll   a variant of Win32/Adware.Gamevance.AA application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt   Win32/TrojanDownloader.FakeAlert.AED virus (deleted - quarantined)   00000000000000000000000000000000   C
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4PQ7052J\oHcbf355a8V0100f080006R0c630b01102T80ce34d5201l0409K674c5f60317[1].pdf   JS/Exploit.Pdfka.ASD trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\J9HEZTHA\oHcbf355a8V0100f080006Rfe02f902102T80ad026c201l0409Ke9f006da317[1].pdf   JS/Exploit.Pdfka.ASD trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dacdeef605cf144581765b7c1da0d8d2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-07-09 06:44:31
# local_time=2010-07-09 12:44:31 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 50316945 50316945 0 0
# compatibility_mode=769 16775125 100 98 0 214016938 297974 0
# compatibility_mode=8192 67108863 100 0 13179470 13179470 0 0
# scanned=113211
# found=6
# cleaned=6
# scan_time=4087
C:\Qoobox\32788R22FWJFW\WudfPf.sys   Win32/Olmarik.ZC trojan (cleaned - quarantined)   99A311F3249C31AB502F20865708BB72   C
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\obcevydjq\nwxbetttssd.exe.vir   Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined)   01B0A1AD097DB0F99BD695CDD1D9FBBF   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2373\A0209340.exe   Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined)   01B0A1AD097DB0F99BD695CDD1D9FBBF   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0210381.exe   Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined)   01B0A1AD097DB0F99BD695CDD1D9FBBF   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0212393.exe   Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined)   01B0A1AD097DB0F99BD695CDD1D9FBBF   C
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2378\A0214147.sys   Win32/Olmarik.ZC trojan (cleaned - quarantined)   99A311F3249C31AB502F20865708BB72   C

Dr Jay · « **Reply #9 on:** July 09, 2010, 09:29:16 AM »

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

mcummings36 · « **Reply #10 on:** July 20, 2010, 06:49:48 PM »

I get an error message when I try to check for updates? I've tried several times...??

Dr Jay · « **Reply #11 on:** July 20, 2010, 11:32:42 PM »

Ok. Just run the scan and post a log, please.

mcummings36 · « **Reply #12 on:** July 21, 2010, 08:42:21 PM »

Here is the log, and also, can you tell me what might be causing me to not stay logged in on most of my pages? Like here, ebay, hotmail, etc...before when I check "stay logged in" I would stay logged in, whether it was for a day, or all the time, however that specific page was set up. But now no matter what I do, I am logged out of everything. What could be causing that and how do I fix it? I also keep getting a pop up message about a script running. No idea what that is either. Thanks!!

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/21/2010 7:44:37 AM
mbam-log-2010-07-21 (07-44-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239929
Time elapsed: 2 hour(s), 6 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2373\A0209287.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0210328.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0211315.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0212308.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2374\A0212436.sys (Malware.Trace) -> Quarantined and deleted successfully.

Dr Jay · « **Reply #13 on:** July 22, 2010, 12:34:12 AM »

How is the computer running?

mcummings36 · « **Reply #14 on:** July 22, 2010, 08:59:18 AM »

Fine, except for the script message that pops up on Facebook, and the fact that I don't stay logged in on anything.

Dr Jay · « **Reply #15 on:** July 22, 2010, 01:44:27 PM »

Download MBRCheck to your desktop.

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

mcummings36 · « **Reply #16 on:** July 22, 2010, 06:27:56 PM »

MBRCheck, version 1.1.1

(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status

--------------------------------------------

38 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...

Dr Jay · « **Reply #17 on:** July 23, 2010, 12:17:59 AM »

How is your computer running now?

mcummings36 · « **Reply #18 on:** July 23, 2010, 09:14:54 AM »

The same. Still saying something about a script running on facebook, still not staying logged in on anything.

Dr Jay · « **Reply #19 on:** July 23, 2010, 12:42:26 PM »

Odd.

Please download 7-Zip and install it. If you already have it, no need to reinstall.

Then, download RootkitUnhooker and save the setup to your Desktop.

Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
Once inside the interface, do not fix anything. Click on the Report tab.
Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

mcummings36 · « **Reply #20 on:** July 23, 2010, 11:33:58 PM »

There are 4 different downloads for the 7 - zip, which one do I download?

Dr Jay · « **Reply #21 on:** July 25, 2010, 04:35:00 AM »

Do the .exe for 32-bit.

mcummings36 · « **Reply #22 on:** July 28, 2010, 11:35:09 PM »

Okay, I downloaded the 7 thing, then tried to do what you said with the Root whatever, but it asked me if I wanted to find, save or something, there wasn't just the option to save it to the desktop. I clicked save anyway, because I'm assuing that means the same thing, but there's no right click mouse over anything on these two desktop icons. If I try and move one over the top of the other, it asks if I want to open one, move one, copy it, pretty much everything other than what you said it would do, so somethings messed up somewhere. I just want to be able to stay logged on on stuff, like this site for example. I have to do all this just for that?

Dr Jay · « **Reply #23 on:** July 29, 2010, 12:31:45 PM »

Try double-clicking on RootkitUnhooker.rar, see what happens.

mcummings36 · « **Reply #24 on:** July 29, 2010, 08:22:39 PM »

I get an error message that says "windows cannot open this file...." ??

Dr Jay · « **Reply #25 on:** July 30, 2010, 10:40:51 PM »

GMER

Note about this tool:

This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
No matter what is in the log, please post all the information/contents of the log.

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

mcummings36 · « **Reply #26 on:** July 31, 2010, 07:19:40 AM »

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-31 07:17:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\pwddapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB0C616B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB0C61574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB0C61A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB0C6114C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB0C6164E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB0C6108C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB0C610F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB0C6176E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB0C6172E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB0C618AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[708] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[708] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\32[1].png 3925 bytes
File C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\44[1].png 3024 bytes
File C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\59538[1].txt 1184 bytes
File C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\59538[2].txt 2749 bytes
File C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\59538[3].txt 1989 bytes

---- EOF - GMER 1.0.15 ----

Dr Jay · « **Reply #27 on:** July 31, 2010, 02:07:37 PM »

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

Note: If the scan freezes for more than 30 minutes, stop the scan, and report back to me.

mcummings36 · « **Reply #28 on:** August 01, 2010, 09:02:18 AM »

KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 01, 2010 00:31:19
Records in database: 4178720

Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Objects scanned 110590
Threats found 8
Infected objects found 17
Suspicious objects found 0
Scan duration 04:03:12

File name Threat Threats count
C:\Program Files\Gamevance\gamevancelib32.dll/C:\Program Files\Gamevance\gamevancelib32.dll Infected: not-a-virus:AdWare.Win32.Gamevance.dwv 5

C:\Program Files\Gamevance\gvtl.dll/C:\Program Files\Gamevance\gvtl.dll Infected: not-a-virus:AdWare.Win32.Gamevance.dqc 1

C:\Documents and Settings\Christopher Apostle\Application Data\Sun\Java\Deployment\cache\6.0\13\11a39b8d-5da722ec Infected: Exploit.Java.Agent.ar 1

C:\Documents and Settings\Christopher Apostle\Application Data\Sun\Java\Deployment\cache\6.0\13\11a39b8d-5da722ec Infected: Exploit.Java.Agent.as 1

C:\Documents and Settings\Christopher Apostle\Application Data\Sun\Java\Deployment\cache\6.0\38\608baae6-669b5b30 Infected: Trojan-Downloader.Java.Agent.fe 3

C:\Documents and Settings\Christopher Apostle\Local Settings\temp\jar_cache1456766111123690851.tmp Infected: Trojan-Downloader.Java.Agent.ea 1

C:\Documents and Settings\Christopher Apostle\Local Settings\temp\jar_cache6162741573307089447.tmp Infected: Exploit.Java.Agent.f 1

C:\Documents and Settings\Christopher Apostle\Local Settings\temp\jar_cache6162741573307089447.tmp Infected: Trojan-Downloader.Java.Agent.fi 2

C:\Program Files\Gamevance\gamevancelib32.dll Infected: not-a-virus:AdWare.Win32.Gamevance.dwv 1

C:\Program Files\Gamevance\gvtl.dll Infected: not-a-virus:AdWare.Win32.Gamevance.dqc 1

Selected area has been scanned.

Dr Jay · « **Reply #29 on:** August 01, 2010, 01:58:56 PM »

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.

Set the slider to Maximum.

IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.

On the General tab, make sure all of the boxes are checked.

On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.

Click Create Report to run it.

It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.

mcummings36 · « **Reply #30 on:** August 02, 2010, 12:10:55 AM »

I got the file you described on my desktop, but I don't know how to manually upload it?? All it opened was a page Getsysteminfo parser 2.96 and there is no place to upload anything? All it says is what's your problem, with a dropdown menu.

mcummings36 · « **Reply #31 on:** August 02, 2010, 09:52:46 AM »

I'm also now getting tons of pop ups, even though my blocker is set at high, and every page or email, everything I go to has certain words underlined twice in green, and if I put my cursor on them, a gamevance ad pops up? What is that and how do I get rid of it?

Dr Jay · « **Reply #32 on:** August 02, 2010, 03:28:29 PM »

Seems like adware.

Please download ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe and save it to your Desktop. Do NOT perform a scan yet

Double-click on drweb-cureit.exe to start the program.
An Express Scan of your PC notice will appear.
Under Start the Express Scan Now, Click OK to start the scan.
This is a short scan that will scan the files currently running in memory.
If something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the Scan tab and UNcheck Heuristic analysis
Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
When finished, a message will be displayed at the bottom advising if any viruses were found.
Click Yes to all if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found.

If so, click it, then click the next icon right below and select Move incurable.
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your Desktop.
Exit Dr.Web Cureit when you have finished.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

mcummings36 · « **Reply #33 on:** August 02, 2010, 03:54:06 PM »

When I click on DrWeb-CureIt I get an error message - Internet Explorer cannot display the page....etc....

Dr Jay · « **Reply #34 on:** August 02, 2010, 09:05:52 PM »

I fixed the link. Please try it again.

mcummings36 · « **Reply #35 on:** August 03, 2010, 05:14:35 PM »

Okay, here is the report, but I don't think the scan was complete. I started this thing last night about 12:30 am, and at 9 am this morning it was STILL going. I had to end it, because I work from home online and needed my computer. So I have no idea if this will even be useful, since I don't think it was finished. I've never had a scan take so long. Is that a bad sign?

gtdownde_110.ocx;C:\WINDOWS\system32;Probably DLOADER.Trojan;Incurable.Deleted.;
SkillJamLoader.dll;C:\Documents and Settings\All Users\Application Data\SkillJam\SecurePlayer;Program.PopcapLoader.4;;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Christopher Apostle\Desktop\Unused Desktop Shortcuts\SDFix.exe;Tool.Killproc.3;;
SDFix.exe;C:\Documents and Settings\Christopher Apostle\Desktop\Unused Desktop Shortcuts;Archive contains infected objects;Moved.;
jar_cache1456766111123690851.tmp\AppleT.class;C:\Documents and Settings\Christopher Apostle\Local Settings\temp\jar_cache1456766111123690851.tmp;Exploit.Java.90;;
jar_cache1456766111123690851.tmp;C:\Documents and Settings\Christopher Apostle\Local Settings\temp;Archive contains infected objects;Moved.;
WmaInfo.dll;C:\Program Files\AMT;BackDoor.Click.679;Deleted.;

Dr Jay · « **Reply #36 on:** August 04, 2010, 01:05:40 PM »

Let's move to a different tool.

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.

Save it to your desktop.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
Double click the setup file to run it.
Click Next to continue.
Accept the License agreement and click on next.
It will, by default, install it to your desktop folder. Click Next.
It will then open a box There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked.

Hidden Startup Objects
System Memory
Disk Boot Sectors.
My Computer.
Also any other drives (Removable that you may have)[/color]

Leave the rest of the settings as they appear as default.

Then click on Scan at the to right hand Corner.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized then click the button that says Neutralize all
If it says it cannot be neutralized then choose the delete option when prompted.
After that is done click on the reports button at the bottom and save it to file name it Kas.
Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Computer Hope Forum

News:

Author Topic: Recently had a av suite virus (?) now things aren't right??? (Read 16025 times)

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

mcummings36

Dr Jay

mcummings36

Dr Jay

mcummings36

Dr Jay