
Thread: Win32-Malware Gen

  1. #11
    Member
    Join Date
    Feb 2014
    Posts
    43

    The PC is working fine at the moment, no more random avast! telling me there's viruses.
    However, Internet Explorer will tend to lag. But with all the threats appearing, I'm too afraid to use this PC to go to official sites for banks and what not.


    Here's the Log from ESETSCAN
    C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe.vir Win32/bProtector.J potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\uninstall.exe.vir Win32/bProtector.J potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\User\Application Data\BabylonToolbar\CR\BabylonChrome1.crx.vir a variant of Win32/Toolbar.Babylon.Q potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\User\Application Data\BabylonToolbar\CR\BUSolution.dll.vir a variant of Win32/Toolbar.Babylon.P potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\User\Application Data\BabylonToolbar\FF\BUSolution.dll.vir a variant of Win32/Toolbar.Babylon.P potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\User\Application Data\BabylonToolbar\IE\BUSolution.dll.vir a variant of Win32/Toolbar.Babylon.P potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\User\Application Data\BabylonToolbar\Shared\BUSolution.dll.vir a variant of Win32/Toolbar.Babylon.P potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\BabylonToolbar\BabylonToolbar\1.8.4.9\BabylonToolbarApp.dll.vir a variant of Win32/Toolbar.Montiera.A potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\BabylonToolbar\BabylonToolbar\1.8.4.9\BabylonToolbarTlbr.dll.vir a variant of Win32/Toolbar.Montiera.F potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\BabylonToolbar\BabylonToolbar\1.8.4.9\uninstall.exe.vir Win32/Toolbar.Montiera.B potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\BabylonToolbar\BabylonToolbar\1.8.4.9\bh\BabylonToolbar.dll.vir a variant of Win32/Toolbar.Escort.A potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR.vir Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\F3HKSTUB.DLL.vir Win32/Toolbar.MyWebSearch.G potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\F3REPROX.DLL.vir Win32/Toolbar.MyWebSearch.D potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE.vir Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOESTB.DLL.vir Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSSRCAS.DLL.vir Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\MyWebSearch\bar\firefox\NPMYWEBS.DLL.vir Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe.vir a variant of Win32/SweetIM.F potentially unwanted application
    C:\FRST\Quarantine\C\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\n9rs2w4x.default\Extensions\plugin2@gameplaylabs.com\chrome\content\overlay.js Win32/Adware.GamePlayLabs potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\NPMyWebS.dll.xBAD Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3CJPEG.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3DTACTL.DLL Win32/FunWeb potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3HISTSW.DLL Win32/FunWeb potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3HKSTUB.DLL Win32/Toolbar.MyWebSearch.G potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3HTMLMU.DLL Win32/Toolbar.MyWebSearch.B potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3HTTPCT.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3IMSTUB.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3POPSWT.DLL Win32/FunWeb potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3PSSAVR.SCR Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3REGHK.DLL Win32/Toolbar.MyWebSearch.G potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3REPROX.DLL Win32/Toolbar.MyWebSearch.D potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3RESTUB.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3SCHMON.EXE Win32/FunWeb potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3SCRCTR.DLL Win32/Toolbar.MyWebSearch.P potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\F3WPHOOK.DLL Win32/FunWeb potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3AUXSTB.DLL Win32/Toolbar.MyWebSearch.H potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3DLGHK.DLL Win32/Toolbar.MyWebSearch.I potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3HTML.DLL Win32/Toolbar.MyWebSearch.F potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3IDLE.DLL Win32/Toolbar.MyWebSearch.P potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3IEOVR.DLL Win32/Toolbar.MyWebSearch.P potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3IMPIPE.EXE Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3MSG.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3OUTLCN.DLL Win32/Toolbar.MyWebSearch.J potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3SKIN.DLL Win32/Toolbar.MyWebSearch.P potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3SKPLAY.EXE Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3SLSRCH.EXE Win32/Toolbar.MyWebSearch.J potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\M3TPINST.DLL Win32/Toolbar.MyWebSearch.I potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\MWSMLBTN.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\MWSOEPLG.DLL Win32/Toolbar.MyWebSearch.J potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\MWSSRCAS.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\MWSUABTN.DLL Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch potentially unwanted application
    C:\WINDOWS\system32\dfrg\btc-miner.exe a variant of Win32/BitCoinMiner.AQ potentially unsafe application
    C:\WINDOWS\system32\dfrg\minerd.exe Win32/BitCoinMiner.W potentially unsafe application
    D:\My Documents\New Quo\Order details.zip Win32/TrojanDownloader.FakeAlert.BKK trojan

  2. #12
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    I'm too afraid to use this PC to go to official sites for banks and what not.
    As a precaution I would do:
    From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

    Do NOT change passwords from this computer.

    *******************************************

    Most of what was found in the online scan was already in quarantine folders. This computer was heavily infected, but it does appear we've done a good job.

    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program. (If asked to overwrite the existing one, please allow it.)

    start
    C:\Program Files\Windows Live\Messenger\msimg32.dll
    C:\Program Files\Windows Live\Messenger\riched20.dll
    C:\WINDOWS\system32\dfrg\btc-miner.exe
    C:\WINDOWS\system32\dfrg\minerd.exe
    D:\My Documents\New Quo\Order details.zip
    Reboot:
    end

    Run FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
    When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
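
The triage described in post #12 (most detections already sit under quarantine folders, the remaining live files go into fixlist.txt), as an added example that is not part of the original thread and is not code from FRST or ESET. The function names are hypothetical and the line layout is inferred from the log in post #11; the sample lines are copied from that log.

```python
import re

# Quarantine roots seen in the ESET log in post #11; files under them are
# already-neutralised copies, not live detections.
QUARANTINE_ROOTS = ("c:\\adwcleaner\\quarantine\\", "c:\\frst\\quarantine\\")

# Line layout as it appears in that log: <path> [a variant of ]<name> <category>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:a variant of )?(?P<name>\w+/\S+) (?P<category>.+)$")

# Lines copied from the log in post #11 (two quarantined, five live).
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe.vir a variant of Win32/SweetIM.F potentially unwanted application
C:\FRST\Quarantine\C\Program Files\MyWebSearch\bar\5.bin\5.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch potentially unwanted application
C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch potentially unwanted application
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch potentially unwanted application
C:\WINDOWS\system32\dfrg\btc-miner.exe a variant of Win32/BitCoinMiner.AQ potentially unsafe application
C:\WINDOWS\system32\dfrg\minerd.exe Win32/BitCoinMiner.W potentially unsafe application
D:\My Documents\New Quo\Order details.zip Win32/TrojanDownloader.FakeAlert.BKK trojan
"""

def parse_eset_log(text):
    """Return (path, detection, category) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["path"], m["name"], m["category"]))
    return rows

def split_live(rows):
    """Separate detections still on disk from copies inside a quarantine folder."""
    live, quarantined = [], []
    for row in rows:
        in_q = row[0].lower().startswith(QUARANTINE_ROOTS)
        (quarantined if in_q else live).append(row)
    return live, quarantined

def build_fixlist(live_rows):
    """Fixlist text in the shape posted above: start, one path per line, Reboot:, end."""
    paths = list(dict.fromkeys(p for p, _, _ in live_rows))  # de-duplicate, keep order
    return "\n".join(["start", *paths, "Reboot:", "end"])

if __name__ == "__main__":
    live, quarantined = split_live(parse_eset_log(SAMPLE_LOG))
    print(f"{len(quarantined)} quarantined, {len(live)} live")
    print(build_fixlist(live))
```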

  3. #13
    Member
    Join Date
    Feb 2014
    Posts
    43

    I wonder if the PC is clean now,
    I will now try to delete everything from the Quarantine

    Here's the FRST log
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014 01
    Ran by User at 2014-04-03 08:22:57 Run:2
    Running from C:\Documents and Settings\User\Desktop
    Boot Mode: Normal

    ==============================================

    Content of fixlist:
    *****************
    start
    C:\Program Files\Windows Live\Messenger\msimg32.dll
    C:\Program Files\Windows Live\Messenger\riched20.dll
    C:\WINDOWS\system32\dfrg\btc-miner.exe
    C:\WINDOWS\system32\dfrg\minerd.exe
    D:\My Documents\New Quo\Order details.zip
    Reboot:
    end
    *****************

    C:\Program Files\Windows Live\Messenger\msimg32.dll => Moved successfully.
    C:\Program Files\Windows Live\Messenger\riched20.dll => Moved successfully.
    C:\WINDOWS\system32\dfrg\btc-miner.exe => Moved successfully.
    C:\WINDOWS\system32\dfrg\minerd.exe => Moved successfully.
    D:\My Documents\New Quo\Order details.zip => Moved successfully.


    The system needed a reboot.

    ==== End of Fixlog ====

  4. #14
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    I wonder if the PC is clean now,
    You tell me?
    From the scans we've done looks like we got it.

  5. #15
    Member
    Join Date
    Feb 2014
    Posts
    43

    Thank you Juliet for everything!! :D
    Should I look at my previous thread for Cleanups of the file that does rkill, frst and jrt and what not?

  6. #16
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    I can post it here too.

    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

    Run FRST/FRST64 and press the Fix button just once and wait.
    No need to post the log this time.


    start
    DeleteQuarantine:
    end

    ~~~~~~~~~~~~~~~~~~~~~

    1. Download Delfix from here
    2. Ensure Remove disinfection tools is ticked
      Also tick:
      • Create registry backup
      • Purge system restore
    3. Click Run

    Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.

  7. #17
    Member
    Join Date
    Feb 2014
    Posts
    43

    Thank you for everything Juliet.
    Now I will start prepping the third PC, but my Aunt will always be on that PC

  8. #18
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    I'll close this one, no need to keep it open too.
