Boot time scan and Fun Web/ Fun Cards

Holy cow, I’m havin some problems here! I was doing a boot scan on a friends computer. Running Win XP SP3 with all the updates. Came up with infected file Win 32 Fun Web, couldn’t repair, so I stuck it in the Virus chest along with some other files also with the same Fun Web virus or Malware name. When I was done and went to reboot, the computer would barely operate. Had to go into safe mode in order to get it to work. :o Can anybody throw me a bone? ??? By the way, my name is Jonathan. I’m a newbie…nice to meet you. :slight_smile:

With funweb the easiest way to get rid of it is use Malwarebytes

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[
]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Ok, thank you. It will be a little while b4 I get back to my friends house, but I will do that. Thanks for the info. I am going to have her restore the files until I get there so she can use it.

No need to…just run MBAM as suggested. If you restore, these bad files will remain on your machine unless you delete your system restore files.

Just follow the directions of the MBAM (Malwarebytes) as posted. Let us know if you have any questions. Thank you.

Ok, downloaded the program, and installed it, ran it. (This is something my friend did over the phone with me. She lives 2hrs away) Came up with a ton of files that we removed. Aaaand no difference in performance. >:( Saved a log and did a restore from about a week or 2 ago. No change. Barely boots up in normal mode. The thing that really bugs me is that it was running fine until I did that boot scan with Avast and after that it all went downhill. This happened to once before with this computer, but I don’t remember exactly what I did to fix it. This shouldn’t be happening. I always get all the fun jobs. Ugh! :o On the bright side, I did install Malawarebytes on my laptop and desktop and found some stuff on my desktop that I cleared up, so thanks for that. Any thoughts??? ???
Oh yea, I will have her send me a copy of the report to send to you.

Did your friend quarantine any infections found?

What version and product of Avast is he/she using?

What is the OS? Fully updated?

Is the machine acting normally prior to doing the boot scan?

Edit: Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining the OTS logs (save them as ANSI and not Unicode). Post the OTS log as an attachment (Additional Options > Attach > Post). Please do not make any further changes to your machine after you have provided the logs. Thank you.

Ok, this is a lot for me to digest, since I am not as familiar with all the terms being used, but I will get all the info together. I downloaded OTS on my computer so I will be familiar with it. (What does OTS stand for?) Also what is ANSI and Unicode? Sorry for my ignorance, I’m still learning. Thanks, Jon

OTS is an acronym for Old Timers Scanner (the auther is Old Timer ;D)

For ANSI

http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif

Okay, that’s simple enough, I noticed that one way of saving a file was Unicode Indian. Does that mean it stores the information and sends it as smoke signals? :stuck_out_tongue: Boy now that’s what I call an old style of internet. LOL :smiley:

Spent time with her on the phone last night and had her send me the info. She is really doing well for somebody that was not computer savvy. I decided to copy and paste your questions with my responses to keep a clear channel of communication. I also attached the logs from MBAM and OTS Hope this will help. Thanks for your assistance.

Did your friend quarantine any infections found? Yes she did

What version and product of Avast is he/she using? Avast Free version 110525-1

What is the OS? Fully updated? Windows XP Home Edition Version 2002 SP 3 All updates installed.

Is the machine acting normally prior to doing the boot scan? Yes, all seemed fine until after the boot scan.

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

She is still having problems after running MBAM AND OTS. Should I create a new topic as mentioned in the above thread?

Should I create a new topic as mentioned in the above thread?
you already have when you started this ;)
What version and product of Avast is he/she using? Avast Free version 110525-1
This is the virus signature version and not the program version (11=year - 2011 / 05=month - may / 25=day / -1= number of release that day

latest program version is 6.0.1125

Ooops my bad on both counts. The current version installed is 6.0.1125 I had just reinstalled it recently. Sorry 'bout that.

Thank you for providing the logs and the information. How is the machine running after performing the MBAM scan and quarantine?

Essexboy will be giving you instructions and have you perform things on the machine. He is on the forum late UK time zone. In the meantime, please instruct your friend not to use her machine unless it is for malware removal and not to sync anything with it.

When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now.

Let us know if you have any questions. Thank you.

Unfortunately it is still running very slow on normal boot up, but she says it is fine in safe mode. I had her run a full scan before going to bed last night and she sent me the results this morning which I have attached. Nothing found, so at least we know that is good. I have a feeling that we need to go into task manager under normal boot up and see if there is something running there. Thanks for your help so far. This is more knowledge under my belt for future reference.

Hi lets see what this does, on completion of this run could you go back to normal mode and let me know how it runs

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< FireFox Extensions [Program Folders] > -> 
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[Files/Folders - Modified Within 30 Days]
NY ->  Disk Cleanup.job -> C:\WINDOWS\tasks\Disk Cleanup.job
NY ->  dfrg.job -> C:\WINDOWS\tasks\dfrg.job
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Ok, had her do that exactly. Unfortunately it did not produce a log. Drat! >:( It just prompted for a restart. She restarted in Normal Windows, but it’s still real slow booting up, so I had her go back to safe mode. Is there anyway to retrieve the log like in MBAM? Should we try the fix again? Thanks for your time.

I really need to work from normal mode as that is where I have the best chance of seeing what is wrong - so lets get the big boy on the job

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Uh oh, this sounds like business. She is out right now, but I will run through it and show her how to do it when she returns. It does seem logical that we get it goin in normal mode since that is where the problem lies. Otherwise it flies in Safe mode. I think we can get it goin, it’s just gonna be stubborn. Thanks for your help.

If necessary then run combofix from safe mode with networking that should relieve the pressure on normal mode, but obviously it would be prefereable to run from normal mode

Understood. Thanks