Help: wife picked up a trojan called overlay.xul

She got a blue screen, so I had her run a scan. When it was done it showed this virus. I put it in the chest and need to know how to get rid of it.

I put it in the chest and need to know how to get rid of it.
Well... when you put it in the chest, you have. ;)

Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

But to be sure that there is not more in there,
follow this guide and attach the logs (do not copy and paste): http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

A removal expert will then check the logs and remove any leftovers. :wink:

OK, here are two of the three; the last one I did not download, since it is not commonly downloaded. I already had Malwarebytes and had already scanned. Here's that log:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.30.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Jennifer :: JENNIFER-PC [administrator]

9/30/2012 7:14:21 PM
mbam-log-2012-09-30 (19-14-21).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 366760
Time elapsed: 1 hour(s), 45 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKCR\CLSID\{D9291F9E-7010-4D7A-8DF6-455DEEF8EF51} (PUP.LivingPlay) -> Quarantined and deleted successfully.
HKCR\TypeLib\{8006F89E-63A1-402A-8DB7-08A4C58F95AA} (PUP.LivingPlay) -> Quarantined and deleted successfully.
HKCR\Interface\{D4256C66-8177-4E19-8A13-2D43B2282D0D} (PUP.LivingPlay) -> Quarantined and deleted successfully.
HKCR\lptlIE.TextLinks.1 (PUP.LivingPlay) -> Quarantined and deleted successfully.
HKCR\lptlIE.TextLinks (PUP.LivingPlay) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D9291F9E-7010-4D7A-8DF6-455DEEF8EF51} (PUP.LivingPlay) -> Quarantined and deleted successfully.
HKCR\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Here is the AdwCleaner log:
AdwCleaner v2.003 - Logfile created 10/01/2012 at 12:10:24

Updated 23/09/2012 by Xplode

Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)

User : Jennifer - JENNIFER-PC

Boot Mode : Normal

Running from : C:\Users\Jennifer\Downloads\adwcleaner.exe

Option [Search]

***** [Services] *****

Found : Viewpoint Manager Service

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla FireFox\Components\AskSearch.js
File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\user.js
File Found : C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\pnemz0jg.default\searchplugins\Ask.xml
File Found : C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\pnemz0jg.default\searchplugins\Askcom.xml
Folder Found : C:\Program Files\Viewpoint
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\ProgramData\SweetIM
Folder Found : C:\ProgramData\Viewpoint
Folder Found : C:\Users\Jennifer\AppData\Local\Babylon
Folder Found : C:\Users\Jennifer\AppData\LocalLow\BabylonToolbar
Folder Found : C:\Users\Jennifer\AppData\LocalLow\FunWebProducts
Folder Found : C:\Users\Jennifer\AppData\LocalLow\MyWebSearch
Folder Found : C:\Users\Jennifer\AppData\LocalLow\SweetIM
Folder Found : C:\Users\Jennifer\AppData\Roaming\Babylon
Folder Found : C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\pnemz0jg.default\extensions\ffxtlbr@babylon.com
Folder Found : C:\Windows\TEMP\AskSearch
Folder Found : C:\Windows\TEMP\BabylonToolbar
Folder Found : C:\Windows\TempDir

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Freecause
Key Found : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Found : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Found : HKCU\Software\AppDataLow\Software\MyWebSearch
Key Found : HKCU\Software\FunWebProducts
Key Found : HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\mywebsearch bar uninstall
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4260E0CC-0F75-462E-88A3-1E05C248BF4C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F78BF7A8-CF12-4DE7-A6DA-C463D1B539A7}
Key Found : HKCU\Software\SweetIm
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{0BC6E3FA-78EF-4886-842C-5A1258C4455A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\SweetIm
Key Found : HKLM\Software\Viewpoint
Key Found : HKU\S-1-5-21-151772460-102258358-3302068965-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKU\S-1-5-21-151772460-102258358-3302068965-1000\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\ Mozilla Firefox v [Unable to get version]

Profile name : default
File : C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\pnemz0jg.default\prefs.js

Found : user_pref("browser.search.order.1", "Ask.com");
Found : user_pref("browser.search.selectedEngine", "Ask.com");
Found : user_pref("extensions.snipit.askTbInstalled", true);
Found : user_pref("extensions.snipit.chromeURL", "hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&g[…]
Found : user_pref("keyword.URL", "hxxp://search.babylon.com/?AF=100789&babsrc=adbartrp&mntrId=06f88e1e000000[…]
Found : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Found : user_pref("browser.startup.homepage", "hxxp://search.babylon.com/?AF=100789&babsrc=HP_ss&mntrId=06f8[…]
Found : user_pref("browser.search.defaultengine", "Ask.com");
Found : user_pref("browser.search.defaultenginename", "Ask.com");


AdwCleaner[R1].txt - [6791 octets] - [01/10/2012 12:02:08]
AdwCleaner[R2].txt - [6722 octets] - [01/10/2012 12:10:24]

########## EOF - C:\AdwCleaner[R2].txt - [6782 octets] ##########
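The prefs.js entries in the AdwCleaner log above are the browser-hijack half of this cleanup: the default search engine, keyword.URL and the start page all point at Ask or Babylon, which is why every search and new window landed on their pages. As an added example (not part of the thread, and not AdwCleaner's or Malwarebytes' code), here is a small Python checker that reads a Firefox prefs.js, or AdwCleaner's own "Found : user_pref(...)" lines, and flags the prefs that have been redirected to a hijacker. The SENSITIVE_PREFS and HIJACK_HOSTS sets and the sample prefs.js are assumptions built from the log above, not from any reference list; extend the host set from your own findings.

```python
import re
from urllib.parse import urlparse

# Firefox prefs that decide where a search, the home page or an address-bar
# keyword lands. A search hijacker rewrites exactly these, as in the log above.
SENSITIVE_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.defaultengine",
    "browser.search.selectedEngine",
    "browser.search.order.1",
    "browser.startup.homepage",
    "keyword.URL",
}

# Hosts tied to the toolbars AdwCleaner found on this machine (Ask, Babylon).
# Assumption: an illustrative denylist for this thread, not a complete one.
HIJACK_HOSTS = {"ask.com", "search.babylon.com"}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*)$')


def parse_pref(line):
    """Return (name, value) for a user_pref(...) line, or None.

    Accepts raw prefs.js lines and AdwCleaner "Found : user_pref(...)" lines,
    tolerates curly quotes left by copy/paste, and a value cut off by the log
    writer (no closing quote or ');').
    """
    line = line.strip().replace("\u201c", '"').replace("\u201d", '"')
    m = PREF_RE.search(line)
    if not m:
        return None
    name, raw = m.group(1), m.group(2).rstrip()
    if raw.endswith(");"):
        raw = raw[:-2].rstrip()
    if raw.startswith('"'):
        raw = raw[1:]
        if raw.endswith('"'):
            raw = raw[:-1]
    return name, raw


def refang(url):
    """Turn the defanged hxxp:// form used in the log back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def indicator_for(value):
    """Return the hijacker host a pref value refers to, or None.

    The value may be a URL (host is extracted), a bare host or an engine name
    such as "Ask.com"; matching is case-insensitive and includes subdomains
    (toolbar.ask.com matches ask.com).
    """
    value = refang(value.strip())
    candidate = urlparse(value).hostname if "://" in value else value.lower()
    if not candidate:
        return None
    for bad in HIJACK_HOSTS:
        if candidate == bad or candidate.endswith("." + bad):
            return candidate
    return None


def scan_prefs(text):
    """Return (severity, pref name, host) for every pref pointing at a hijacker.

    "high": a search/home-page pref is redirected (the user-visible hijack).
    "info": some other pref references the hijacker, e.g. a toolbar's own
    extension settings; a useful leftover indicator after cleanup.
    """
    findings = []
    for line in text.splitlines():
        parsed = parse_pref(line)
        if parsed is None:
            continue
        name, value = parsed
        host = indicator_for(value)
        if host is None:
            continue
        severity = "high" if name in SENSITIVE_PREFS else "info"
        findings.append((severity, name, host))
    return findings


# Constructed sample prefs.js modelled on the AdwCleaner output in the thread.
# Query strings are shortened, and the keyword.URL line is cut off the way the
# log writer cuts it, to exercise the truncation handling.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.search.order.1", "Ask.com");
user_pref("browser.search.selectedEngine", "Ask.com");
user_pref("extensions.snipit.askTbInstalled", true);
user_pref("extensions.snipit.chromeURL", "hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008");
user_pref("keyword.URL", "hxxp://search.babylon.com/?AF=100789&babsrc=adbartrp[...]
user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
user_pref("browser.startup.homepage", "hxxp://search.babylon.com/?AF=100789&babsrc=HP_ss");
user_pref("browser.search.defaultengine", "Ask.com");
user_pref("browser.search.defaultenginename", "Ask.com");
user_pref("browser.startup.homepage_override.mstone", "15.0.1");
user_pref("network.cookie.prefsMigrated", true);
"""

if __name__ == "__main__":
    for severity, name, host in scan_prefs(SAMPLE_PREFS_JS):
        print(f"[{severity}] {name} -> {host}")
```

Run it against the profile's prefs.js (the path AdwCleaner printed above) with Firefox closed, since Firefox rewrites the file on exit. "high" hits are the prefs to reset in about:config (or by deleting the lines with Firefox closed) once the toolbar extension itself is gone; "info" hits that survive a cleanup are the leftovers a removal expert would still want to see in the log.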

Well, those two cleared a ton of browser/toolbar crap. :wink:

You should update Malwarebytes and do a quick scan to see if it now comes up clean.

Also post the OTL and aswMBR logs.

NB: the OTL log must be attached because of its size... or you will have 10 posts of copy and paste.

OK, thanks. I will get the other download; not sure if I have time to finish this right now though.

OK, got it. I ran OTL and am attaching the Notepad file. I don't know if I should click Fix or Cleanup. I tried to run the aswMBR one and got a blue screen crash twice, then ran this one; it seemed to scan with no problems.

I would like to take a different look at the MBR

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{C43722E8-D857-4284-A265-1DF33FB27CEE}: C:\Users\Jennifer\AppData\Local\{C43722E8-D857-4284-A265-1DF33FB27CEE} [2010/08/22 16:19:06 | 000,000,000 | ---D | M]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
[2010/08/22 16:19:09 | 000,000,000 | ---- | C] () -- C:\Users\Jennifer\AppData\Local\Pseyitifefeqaco.bin
[2010/08/22 16:19:08 | 000,000,120 | ---- | C] () -- C:\Users\Jennifer\AppData\Local\Mluyukovi.dat

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or later, the SmartScreen Filter will need to be disabled.

[*]Quit all programs
[*]Start RogueKiller.exe.
[*]Wait until Prescan has finished …
[*]Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*]The report has been created on the desktop.

When I click Fix it says no fix provided, click OK to load from a file or Cancel. When I click OK to load from a file it takes me to My Documents, but nothing seems to happen when I click OK.

Do you copy and paste the fix into OTL before you run it?

Duh, me. I tried to get back to tell you; dumb me forgot to copy and paste. I'm doing it now on her laptop; I'm on my desktop. It will be tomorrow before I can get back on this though. I will pick up where I'm leaving off then. Thank you for your help.

The fix is instructions that tell OTL what to do/fix... if you don't paste it in, then OTL will do nada. :wink:

So read all the instructions before you start.

Before I go, I just checked and it shows 3 items in the Fixes/Scans box:
emptytemp
createrestorepoint
reboot
Is this something I'm to do, or is the program going to do it? The hard drive light is blinking as if it is still running the fix.

OTL will do that... you copy everything in that box from top to bottom and paste it into OTL.

;D Ta, Pondus, I am a bit busy this evening.

OK, I need to know how long the Run Fix should take. It is still showing the same three items beginning with emptytemp since my last post, which was around 5 1/2 hours ago. So the fix has been running 6 1/2 hrs.

Well, after 8 1/2 hrs I ended up hard shutting down. Rebooted this AM and it showed an OTL file folder on the disk I ran the program from. I ran a quick scan and am attaching the results from it. Will wait to hear back.

OK, it has stuck there; just manually reboot and proceed to RogueKiller.

OK, have done that. Tried attaching the folder but it just opened it; there are three items in the folder. Do I attach each item in a separate post? I attached one but wasn't sure how to attach more in the same post, so I cleared it for now.

They should be quite small so you should be able to post it

Also, how is the computer behaving?

OK, doing that now. Oh, much, much better. It rebooted real fast and was ready to use quickly. Wife will be so happy. Now if I can get her to be more conscious about what she does on here. I don't have these issues on my PC. Of course, I use mine mostly for online gaming. Oh, also, can I delete what I put in the Avast virus chest earlier? It won't let me copy and paste. The quarantine report is empty, the physical driver user .dat isn't in text format (you knew that, I'm sure), the EULA text is lic. I did click on all tabs; nothing in any except the Registry tab, and only 4 things in it I did not delete yet.