Hello tech team,

Im new to avast & to the forum so i apologise if this has already been posted before. My understanding of viruses & removing them isn’t brilliant so please go gentle

I first notice this problem when i did a full scan on my pc (widows XP) with avast free anti virus & it kept coming up with a list of viruses called win32:rootkit-gen [Rtk] & win32:malware-gen & win32:trojan-gen.
I did a boot scan which found more of these viruses & applied the action to delete them. But when i did another full scan after, it still found more of the same threats.

I’ve followed the instructions on this forum & installed malwarebytes anti malware.
This is what it said in the log.

www.malwarebytes.org

Database version: 5278

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

09/12/2010 13:11:32
mbam-log-2010-12-09 (13-11-32).txt

Scan type: Quick scan
Objects scanned: 141538
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 8
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{E596DF5F-4239-4D40-8367-EBADF0165917} (Rogue.Installer) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt&Search(default) (Adware.Hotbar) → Value: (default) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) → Value: svchost → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run{9F9D4B0C-8F92-82F3-0F67-AEB4F30FDFF7} (Trojan.ZbotR.Gen) → Value: {9F9D4B0C-8F92-82F3-0F67-AEB4F30FDFF7} → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
c:\program files\funwebproducts (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\funwebproducts\Shared (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\mywebsearch (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) → Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\compaq_owner\local settings\temporary internet files\Content.IE5\OUXPI19T\OTL[1].com (Trojan.Dropper.PGen) → Quarantined and deleted successfully.
c:\documents and settings\compaq_owner\application data\avdrn.dat (Malware.Trace) → Quarantined and deleted successfully.
c:\documents and settings\all users\documents\Server\admin.txt (Malware.Trace) → Quarantined and deleted successfully.
c:\documents and settings\compaq_owner\application data\abpzlw.dat (Malware.Trace) → Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History\search3 (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\setting2.htm (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\settings.dat (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) → Quarantined and deleted successfully.

Hopefully someone can help me out as i dont have a clue what this means.

Hi lets see if I can find the miscreant for you

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

[b]netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
CREATERESTOREPOINT

[/b]

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Thanks for the help essexboy, i’ve done the scan with OTL & the 2 note pad folders are on my desk top.
What do i do with them now? sorry if this is basic im a complete noobie.

No problem - attach both logs - to do this

When you start a reply in the bottom left corner is an additional options link
click that and browse to the first file
then click the more attachments link and browse to the second file

then post

ok hope fully this works.

Ok cleaning time ;D

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20061113.031\symidsco.sys -- (SYMIDSCO)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\aswArKrn.sys -- (aswArKrn)
IE - HKU\S-1-5-21-1636675980-441378194-1940988597-1008\..\URLSearchHook: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1636675980-441378194-1940988597-1008\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
[2010/12/05 23:29:23 | 000,000,000 | ---D | C] -- C:\Program Files\tmp
[2010/12/03 11:35:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[2010/12/02 18:04:39 | 000,000,000 | ---D | C] -- C:\Program Files\windows
[2010/12/02 18:04:36 | 000,000,000 | ---D | C] -- C:\Program Files\vPVDvuSE›aK’Ëqouleltj.exe
[2010/11/29 13:10:31 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\inst.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This is the log after doing the first bit.

OK lets see what CF has found

& this is the log after doing the combo fix.

And a final sweep for orphans I feel - once done can you let me know what problems remain

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

this is the report after anti-malware.

Malwarebytes’ Anti-Malware 1.50
www.malwarebytes.org

Database version: 5278

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

09/12/2010 22:30:45
mbam-log-2010-12-09 (22-30-45).txt

Scan type: Quick scan
Objects scanned: 138121
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Subject to no further problems

Looking at that I am a happy bunny

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 23.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u23-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u23-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

Thank you so much for all your help & support essexboy, you’ve been a fantastic help;D

;D