Recently had a av suite virus (?) now things aren't right???

[Dr Jay]

Download MBRCheck to your desktop.

• Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  
• It will show a black screen with some data on it.
• A report called MBRcheckxxxx.txt will be on your desktop
  
• Open this report and post its content in your next reply.

[mcummings36]

MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



      Size  Device Name          MBR Status

  --------------------------------------------

     38 GB  \\.\PhysicalDrive0   Windows XP MBR code detected





Done!  Press ENTER to exit...

[Dr Jay]

How is your computer running now?

[mcummings36]

The same. Still saying something about a script running on facebook, still not staying logged in on anything.

[Dr Jay]

Odd.

Please download 7-Zip and install it. If you already have it, no need to reinstall.

Then, download RootkitUnhooker and save the setup to your Desktop.

• Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  
• Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
• Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
• It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
• Once inside the interface, do not fix anything. Click on the Report tab.
  
• Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  
• It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
• When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

[mcummings36]

There are 4 different downloads for the 7 - zip, which one do I download?

[Dr Jay]

Do the .exe for 32-bit.

[mcummings36]

Okay, I downloaded the 7 thing, then tried to do what you said with the Root whatever, but it asked me if I wanted to find, save or something, there wasn't just the option to save it to the desktop. I clicked save anyway, because I'm assuing that means the same thing, but there's no right click mouse over anything on these two desktop icons. If I try and move one over the top of the other, it asks if I want to open one, move one, copy it, pretty much everything other than what you said it would do, so somethings messed up somewhere. I just want to be able to stay logged on on stuff, like this site for example. I have to do all this just for that?

[Dr Jay]

Try double-clicking on RootkitUnhooker.rar, see what happens.

[mcummings36]

I get an error message that says "windows cannot open this file...." ??

[Dr Jay]

GMER

Note about this tool:

• This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
• This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
• No matter what is in the log, please post all the information/contents of the log.

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[mcummings36]

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-31 07:17:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\pwddapod.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwClose [0xB0C616B8]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwCreateKey [0xB0C61574]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwDeleteValueKey [0xB0C61A52]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwDuplicateObject [0xB0C6114C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwOpenKey [0xB0C6164E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwOpenProcess [0xB0C6108C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwOpenThread [0xB0C610F0]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwQueryValueKey [0xB0C6176E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwRestoreKey [0xB0C6172E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                    ZwSetValueKey [0xB0C618AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[708] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]             00390002
IAT             C:\WINDOWS\system32\services.exe[708] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]                   00390000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                   aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                 aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                              aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Files - GMER 1.0.15 ----

File            C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\32[1].png     3925 bytes
File            C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\44[1].png     3024 bytes
File            C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\59538[1].txt  1184 bytes
File            C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\59538[2].txt  2749 bytes
File            C:\Documents and Settings\Christopher Apostle\Local Settings\Temporary Internet Files\Content.IE5\SQZYYB9Y\59538[3].txt  1989 bytes

---- EOF - GMER 1.0.15 ----

[Dr Jay]

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

• The program will install and then begin downloading the latest definition files.
• After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, click on View scan report
  
• Now, click on the Save Report as button.
  
• Save the file to your desktop.
• Copy and paste that information in your next post.

Note: If the scan freezes for more than 30 minutes, stop the scan, and report back to me.

[mcummings36]

KASPERSKY ONLINE SCANNER 7.0: scan report 
Sunday, August 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 01, 2010 00:31:19
Records in database: 4178720
 
 
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
 
Scan area My Computer
A:\
C:\
D:\ 
 
Scan statistics
Objects scanned 110590
Threats found 8
Infected objects found 17
Suspicious objects found 0
Scan duration 04:03:12

File name Threat Threats count
C:\Program Files\Gamevance\gamevancelib32.dll/C:\Program Files\Gamevance\gamevancelib32.dll Infected: not-a-virus:AdWare.Win32.Gamevance.dwv 5 
 
C:\Program Files\Gamevance\gvtl.dll/C:\Program Files\Gamevance\gvtl.dll Infected: not-a-virus:AdWare.Win32.Gamevance.dqc 1 
 
C:\Documents and Settings\Christopher Apostle\Application Data\Sun\Java\Deployment\cache\6.0\13\11a39b8d-5da722ec Infected: Exploit.Java.Agent.ar 1 
 
C:\Documents and Settings\Christopher Apostle\Application Data\Sun\Java\Deployment\cache\6.0\13\11a39b8d-5da722ec Infected: Exploit.Java.Agent.as 1 
 
C:\Documents and Settings\Christopher Apostle\Application Data\Sun\Java\Deployment\cache\6.0\38\608baae6-669b5b30 Infected: Trojan-Downloader.Java.Agent.fe 3 
 
C:\Documents and Settings\Christopher Apostle\Local Settings\temp\jar_cache1456766111123690851.tmp Infected: Trojan-Downloader.Java.Agent.ea 1 
 
C:\Documents and Settings\Christopher Apostle\Local Settings\temp\jar_cache6162741573307089447.tmp Infected: Exploit.Java.Agent.f 1 
 
C:\Documents and Settings\Christopher Apostle\Local Settings\temp\jar_cache6162741573307089447.tmp Infected: Trojan-Downloader.Java.Agent.fi 2 
 
C:\Program Files\Gamevance\gamevancelib32.dll Infected: not-a-virus:AdWare.Win32.Gamevance.dwv 1 
 
C:\Program Files\Gamevance\gvtl.dll Infected: not-a-virus:AdWare.Win32.Gamevance.dqc 1 
 
Selected area has been scanned.

[Dr Jay]

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.



Set the slider to Maximum.



IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.




On the General tab, make sure all of the boxes are checked.




On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.



Click Create Report to run it.


It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.