I recently downloaded Avast. I may not have had any antivirus protection for a few months. I had previously run Mcafee that was provided by my internet service provider. In March, they said that they would no longer provide this feature, however, when I would check my McAfee subscription status, it always said that it was current. Anyway, after I installed Avast, I ran a full scan which detected the win32:malware-gen. I was able to put this in the chest. However, when I ran the recommended bootscan, multiple infections of this virus were found. I was unable to perform any of the suggested fixes. I don’t know where to find the log from this bootscan.

I see that the starting point for fixing these problem is to run malwarebytes Anti- Malware, which I have done. This log shows different files that are infected than the files found on the avast bootscan.

I’d appreciate any help you can give me (in as simple terms as possible, since I’m not that computer literate!)

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.15.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.11
Owner :: I1 [administrator]

Protection: Enabled

7/15/2012 8:08:53 AM
mbam-log-2012-07-15 (08-08-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250393
Time elapsed: 15 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) → Data: → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) → Data: → Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.

Folders Detected: 3
C:\Program Files\MyWaySA (PUP.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (PUP.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (PUP.MyWebSearch) → Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)

Hi and welcome!

Please visit the site located here. Follow the directions
for running OTL, aswMBR.exe and Malwarebytes and then attach the logs that are created to your next reply.

Thanks for the welcome.

Attached are the logs from OTL and aswMBR. I was unclear if I should run Malwarebytes one more time or if my original posting with the malwarebytes log was sufficient.

Hi,

No it’s no problem to use the Malwarebytes log you already posted.

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes

[*]Open the scanner and select the Protection tab
[*]Remove the tick from “Start Protection Module with Windows” as seen below

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM16orgreater.jpg

Once complete continue with the instructions…

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:Services

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\\npViewpoint.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: //@mail.mar@ ([]msn in Local intranet)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: //@signup.mar@ ([]msn in My Computer)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: aol.com ([objects] * is out of zone range -  5)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: hotmail.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: msn.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: passport.net ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: turbotax.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2005/08/18 07:46:14 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

Uh oh! I ran Erunt and got to running OTL. There was a message that I needed to reboot in order for OTL to move files. A new OTL.exe screen came on, that I clicked run. I think it was completed when an Avast sandbox notepad screen came on for a little bit and then the screen blanked out and is now sitting there with a blank blue screen. I didn’t see much of the notepad screen other than things had been disabled. Help!

I just restarted my computer and it started up ok. There is a new box that says “Restore” and below it “Exit”. Is this from ERUNT? Before the computer went blank, I did not see a log from OTL. Please advise on what I should do next. Thanks!

Hi,

Just go ahead and run a Quick Scan with OTL and post that new log.

Hi, When I ran OTL, I did see the log file from yesterday. I have attached that file and today’s log file.

Good…

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

Please run a free online scan with the ESET Online Scanner
[i]Note: You will need to use Internet Explorer for this scan[/i]
[*]Tick the box next to YES, I accept the Terms of Use
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
[*]Click Scan (This scan can take several hours, so please be patient)
[*]Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner[b]log.txt
[*]Copy and paste that log as a reply to this topic

Here is the Malwarebytes log. I will post the Eset log when done.

This is the ESET log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

version=7

iexplore.exe=7.00.6000.17110 (vista_gdr.120419-1718)

OnlineScanner.ocx=1.0.0.6583

api_version=3.0.2

EOSSerial=a92a0f9576b8844bbdbe181e37acea45

end=finished

remove_checked=false

archives_checked=false

unwanted_checked=true

unsafe_checked=false

antistealth_checked=true

utc_time=2012-07-17 06:45:23

local_time=2012-07-17 02:45:23 (-0500, Eastern Daylight Time)

country=“United States”

lang=1033

osver=5.1.2600 NT Service Pack 3

compatibility_mode=512 16777215 100 0 124282777 124282777 0 0

compatibility_mode=8192 67108863 100 0 0 0 0 0

scanned=140929

found=0

cleaned=0

scan_time=5732

Ok.

I ran one more Avast full scan and it did not find anything. Does this mean my computer is “cured”? If so, is it best to keep all the programs that I downloaded or should use add/remove programs to delete them. Thank you SO MUCH for helping me with this virus!

Hi,

Things are looking better. How is your system running?

Download Security Check by screen317 from here or here.
[*]Save it to your Desktop.[*]Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.[*]A Notepad document should open automatically called checkup.txt.
[*]Please post the contents of that document.

I think my computer is running fine. It is pretty old (about 6 years old), so it always ran fairly slow. I tried to download Security Check, but I think the 2 links are broken. Internet Explorer could not find the webpage.

Sorry…that was my fault the link was broken… try this…

Download Security Check by screen317 from here or here.
[*]Save it to your Desktop.[*]Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.[*]A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Hi, I forgot to mention when I first tried to open the file, I had to enable Intranet Settings. Is this something I should leave as is? If not, would you please tell me how to disable them?

Here is the Security Check Log. Should I just close out of the Security Check black screen?

Hi,

No that shouldn’t be a problem.

Please go to Start > Control Panel > Add/Remove Programs > remove all the Java Programs you see, now download the latest Java from the following link and install it:

http://java.com/en/download/index.jsp

While in Add/Remove programs delete Adobe Reader 9

Let me know how your system is running now.

I did the remove/reinstall of Java. However, I did not see Adobe Reader 9 in the add/remove menu. Adobe Reader x (10.1.3) was listed.

Things seem to be running very smoothly! Thank you! I’m not sure if this is just coincidental, but for the last few days (since the virus repair started) this message has popped up about once a day: “Adobe Flash Player Update Service 11.3 r 300 has encountered a problem and needs to close. Please tell Microsoft about this problem”. I hit the report problem button and the message goes away.

Hi,

Glad to hear your system is running well except for that Flash Player glitch. I did some reading and it seems that everyone is having that problem and it seems that it is on Adobe’s side and needs to be fixed. Hopefully they will have this fixed up soon. Just keep checking for updates for Flash Player.

Providing there are no other malware related problems…

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!!

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

Clean up with OTL:

[*]Right-click and Run as Administrator OTL.exe to start the program.
[*]Close all other programs apart from OTL as this step will require a reboot
[*]On the OTL main screen, press the CLEANUP button
[*]Say Yes to the prompt and then allow the program to reboot your computer.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren’t cluttering up your desktop.
If you didn’t already have it I would keep Malwarebytes AntiMalware though.

Here are some tips to reduce the potential for spyware infection in the future:

1. Internet Explorer. Even if you don’t use it as your main browser it should be kept up-to-date because that is the browser Windows uses for updates.
Make your Internet Explorer more secure - This can be done by following these simple instructions:

[*]From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*]Next press the Apply button and then the OK to exit the Internet Properties page.

2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
[*]Open Internet Explorer
[*]Click on Tools > Internet Options
[*]Press Security tab
[*]Select Internet zone then place check next to Enable Protected Mode if not already done
[*]Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
[*]Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here. **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As “Googling” is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT’s color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7.Finally, I strongly recommend that you read TonyKlein’s good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.