Virus of some sort...at Wits end.

I was a McAfee user until I got a virus, “Vista Antispyware 2012”. Their fixes did not work so I resorted to downloading Webroot to fix the problem (a HUGE mistake). It ended up deleting all my Win32 files. I went to the Microsoft forum and they recommended I do a system restore. I did a system restore from about 10 days ago with no problem. Instead of reloading McAfee I talked to one of my good friends, who recommended Avast. I downloaded and installed Avast; it ran its first in-depth scan and found nothing. I then started to get pop-up warnings of malicious URLs when I wasn’t even online, and then I started getting pop-up warnings that one of the malicious processes was Avast.

I then went to safe mode and downloaded and installed Adaware and ran it. It found nothing, so I ran it 3 times just to be safe; all returned with nothing found.

I am stuck with a Windows Vista 32 Home Premium PC where, whenever I go online, I have to type a VERY specific address in the URL bar or I can’t get there. If I use a Yahoo/Google/Bing search and, say, look for used cars, I click on the link and it redirects me to a completely different topic or even a website that wasn’t even close to the topic I was looking for.

I could REALLY REALLY use some help. I can’t do a system wipe due to some programs I no longer have the disks for, as well as files (music & work/background files etc…) I absolutely can’t lose or replace.

http://i178.photobucket.com/albums/w248/bigbluekrew/AvastSS.jpg

Ok, you still need to follow the guide I linked originally and post the logs, though.

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7286

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

7/26/2011 1:11:49 PM
mbam-log-2011-07-26 (13-11-49).txt

Scan type: Quick scan
Objects scanned: 208304
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: (“%1” /S) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: (regedit.exe “%1”) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
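The two “Broken.OpenCommand” entries above show the classic rogue-AV trick of pointing the regfile and scrfile open commands at NOTEPAD.EXE so .reg and .scr files are no longer launched normally. The following read-only PowerShell audit is an added example (not from this thread or from Malwarebytes) that compares those HKEY_CLASSES_ROOT open commands against the stock Windows values the log lists as “Good”; the extra exefile/batfile/cmdfile/comfile entries are my assumption of the defaults for the same check.

```powershell
# Added example: audit HKCR\<type>\shell\open\command against expected defaults.
# The regfile/scrfile values are the "Good" values from the MBAM log above;
# the other entries assume a stock Windows default of "%1" %* (adjust if customised).
$expected = @{
    'regfile' = 'regedit.exe "%1"'
    'scrfile' = '"%1" /S'
    'exefile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
    'comfile' = '"%1" %*'
}

function Test-OpenCommand {
    param([string]$Type, [string]$Good)
    $path = "Registry::HKEY_CLASSES_ROOT\$Type\shell\open\command"
    if (-not (Test-Path $path)) {
        # A missing key is itself worth noting: the association cannot work.
        return New-Object PSObject -Property @{ Type = $Type; Status = 'MISSING'; Actual = $null; Expected = $Good }
    }
    # The unnamed default value is exposed by Get-ItemProperty as "(default)".
    $actual = (Get-ItemProperty -Path $path).'(default)'
    $status = if ($actual -eq $Good) { 'OK' } else { 'HIJACKED?' }
    New-Object PSObject -Property @{ Type = $Type; Status = $status; Actual = $actual; Expected = $Good }
}

# Run the check for every file type in the table and print a summary.
$expected.GetEnumerator() |
    ForEach-Object { Test-OpenCommand -Type $_.Key -Good $_.Value } |
    Select-Object Type, Status, Actual, Expected |
    Format-Table -AutoSize
```

Anything reported as HIJACKED? (for example an Actual of NOTEPAD.EXE %1, as in the log above) is a sign the association has been tampered with and should be restored to the expected value by the cleanup tool or by hand.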

Hi, if you have not already run OTS then

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in


%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

http://www.mediafire.com/?5hyk15k9j1q0us9

I ran the OTS per your first thread that had the following custom:

%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

OK, not a lot showing there, but you still have a fair few AVG drivers running.

Download the removal tool from here http://www.avg.com/us-en/utilities

On completion of this run, can you let me know if the alerts continue?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "MFARestart" -> ["C:\ProgramData\MFAData\pack\avgrunasx.exe" /usereg]
[Files/Folders - Created Within 30 Days]
NY ->  gegl-0.0 -> C:\Users\andrew\Documents\gegl-0.0
[Files/Folders - Modified Within 30 Days]
NY ->  8i77ft206gu8885x4ik6hya7g57ktd2b0t -> C:\Users\andrew\AppData\Local\8i77ft206gu8885x4ik6hya7g57ktd2b0t
NY ->  8i77ft206gu8885x4ik6hya7g57ktd2b0t -> C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t
[Files - No Company Name]
NY ->  8i77ft206gu8885x4ik6hya7g57ktd2b0t -> C:\Users\andrew\AppData\Local\8i77ft206gu8885x4ik6hya7g57ktd2b0t
NY ->  8i77ft206gu8885x4ik6hya7g57ktd2b0t -> C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t
NY ->  19236.bat -> C:\Users\andrew\AppData\Roaming\19236.bat
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

All Processes Killed
[Registry - Safe List]
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MFARestart deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Users\andrew\Documents\gegl-0.0\plug-ins folder moved successfully.
C:\Users\andrew\Documents\gegl-0.0 folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Users\andrew\AppData\Local\8i77ft206gu8885x4ik6hya7g57ktd2b0t moved successfully.
C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t moved successfully.
[Files - No Company Name]
File C:\Users\andrew\AppData\Local\8i77ft206gu8885x4ik6hya7g57ktd2b0t not found!
File C:\ProgramData\8i77ft206gu8885x4ik6hya7g57ktd2b0t not found!
C:\Users\andrew\AppData\Roaming\19236.bat moved successfully.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\andrew\Desktop\cmd.bat deleted successfully.
C:\Users\andrew\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]

User: All Users

User: andrew
->Temp folder emptied: 57521243 bytes
->Temporary Internet Files folder emptied: 627879373 bytes
->Java cache emptied: 24171084 bytes
->Flash cache emptied: 1091109 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Melynda
->Temp folder emptied: 8650925 bytes
->Temporary Internet Files folder emptied: 133593426 bytes
->Java cache emptied: 154300 bytes
->Flash cache emptied: 18571 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10777278 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 3461429 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 827.00 mb

[EMPTYFLASH]

User: All Users

User: andrew
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Melynda
->Flash cache emptied: 0 bytes

User: Public

User: UpdatusUser
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07272011_105501

Files\Folders moved on Reboot…
File\Folder C:\Users\andrew\AppData\Local\Temp\fla5CB9.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp~DF41F4.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp~DF4202.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp~DF43B0.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp~DF43B8.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp~DF4407.tmp not found!
File\Folder C:\Users\andrew\AppData\Local\Temp~DF441D.tmp not found!
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZY4MMU4K\52415542734534736b45674142756649[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUWWQ6HQ\ac3[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TUWWQ6HQ\get[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T5CEVUUH\52415542734534736b45674142756649[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\52415542734534736b45674142756649[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\52415542734534736b45674142756649[3].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\B5636109;sz=300x250;ord=953523898[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[3].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[4].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[5].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\fw-nonplayer-banner[6].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\mm212-google-nexus-4g-aa-s-1st[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\xd_receiver[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NUQ0I11W\xd_receiver[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\52415542734534736b45674142756649[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\52415542734534736b45674142756649[2].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\login_statusCAYS46F9.htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\login_status[10].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LNBJCGN3\matt-and-kim-cameras-music-video[1].htm moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9NM84038\emily[1].html moved successfully.
C:\Users\andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\Windows\temp\fb_2596.lck not found!
File\Folder C:\Windows\temp\TMP00000041E627879296B2B4A0 not found!

Registry entries deleted on Reboot…

The Fix took like 45 mins…but it did finish.

Lots and lots of temporary files

Are the alerts still present ?

Now Malwarebytes every 90 seconds pops-up this:

http://i178.photobucket.com/albums/w248/bigbluekrew/MalwarebytesPop-Up.jpg

Is it just malwarebytes showing this ?

As I had the same problem before, I disabled that element.

I have just used AIS to locate the server, but I turned on the malwarebytes checker first and this is what I got

Does this ISP ring any bells? This is who the IP address belongs to:

ISP of this IP [?]: Network Operations Center Organization: Roman Semenchuk c/o Network Operations Center

I have also found in the past that the MBAM IP blocker is more of a hindrance than a help, it is too damn sensitive; has many FPs and worse, considering these are meant to be malicious websites it has sites blocked that aren’t malicious.

I too have disabled this feature as the network shield and web shield are good enough for me.

I now am getting these pop-ups:

http://i178.photobucket.com/albums/w248/bigbluekrew/IEPop-up.jpg

http://i178.photobucket.com/albums/w248/bigbluekrew/MIMEPop-up.jpg

I never had this pop-up until that last process I was instructed to do…coincidence?

How often does the IE one come up ?

The other one is of no consequence as it is related to quicktime file associations and can be cured just by resetting them

Let's check out the drivers.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I ran the aswMBR tool again and these two came up red ( I highlighted in Yellow )

http://i178.photobucket.com/albums/w248/bigbluekrew/aswMBR072711.jpg

They are suspicious - however, combofix also looks at that area as well

http://www.mediafire.com/?sh47ep8aeow49cl

How is your system running now ?

Sorry, at work now, I’ll get off my shift tomorrow morning… So far I really appreciate all your help!

I am still getting the “the internet was closed due to a security issue” message. I still have the redirect issue with regard to the Internet.