Virus and Malware Removal, Need assistance

gvargas980
2011-04-07, 23:45
I have a virus giving me pop-ups. The PC is running very slowly. Not sure what kind of virus I have. Can someone please help me here?

tashi
2011-04-08, 00:01
Hello gvargas980,

In case you missed it, please see the FAQ, which includes guidelines for this forum and also instructions on posting preliminary logs in post #2.
"BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic and a volunteer analyst will advise you when available. :)


A topic is already open here: http://forums.spybot.info/showthread.php?t=62208

Best regards.

gvargas980
2011-04-13, 04:49
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6304

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

4/9/2011 3:55:00 PM
mbam-log-2011-04-09 (15-55-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 378157
Time elapsed: 2 hour(s), 34 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 86

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{52794457-af6c-4c50-9def-f2e24f4c8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{52794457-AF6C-4C50-9DEF-F2E24F4C8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{52794457-AF6C-4C50-9DEF-F2E24F4C8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneStep Search Service (Adware.OneStepSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qmjoatnd (Trojan.FakeAlert.Gen) -> Value: qmjoatnd -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Witkinat) -> Value: AppInit_DLLs -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gamevance (Adware.Gamevance) -> Value: Gamevance -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Gary\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\weather (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Not selected for removal.
c:\WINDOWS\system32\config\systemprofile\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Not selected for removal.

Files Infected:
c:\documents and settings\Gary\local settings\Temp\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\fastbrowsersearchprotection.exe (PUP.Fbsearch) -> Quarantined and deleted successfully.
c:\documents and settings\Gary\local settings\Temp\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\update.exe (PUP.Fbsearch) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1340299183-3535359552-1845530643-1007\Dc85.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP597\A0649701.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP597\A0649703.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP597\A0649738.dll (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP597\A0653785.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP597\A0653787.exe (PUP.Fbsearch) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP597\A0653793.exe (PUP.Fbsearch) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0798947.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799951.scr (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799960.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799961.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799962.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799963.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799964.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799965.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799967.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799968.SCR (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799969.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799970.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799971.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799972.EXE (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799973.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799974.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799975.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799976.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799977.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799978.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799979.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799980.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799981.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799982.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799983.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799966.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799984.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799985.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799986.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799987.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799988.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799990.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799991.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799992.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799993.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799994.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799995.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799996.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799997.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0799998.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP637\A0800947.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP641\A0809116.scr (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP641\A0809118.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP641\A0809119.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP641\A0809120.SCR (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP641\A0809121.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP641\A0809122.EXE (PUP.FunWebProducts) -> Not selected for removal.
c:\WINDOWS\Temp\0.8396187911008596.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\6E5.tmp (PUP.WhiteSmoke) -> Not selected for removal.
c:\WINDOWS\Temp\Bff.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tmpD8E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\jar_cache31781.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\ybrw\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\fastbrowsersearchprotection.exe (PUP.Fbsearch) -> Not selected for removal.
c:\WINDOWS\Temp\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\update.exe (PUP.Fbsearch) -> Not selected for removal.
c:\documents and settings\Kristal\application data\microsoft\internet explorer\quick launch\windows protection suite.lnk (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\WORK.DAT (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Gary\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\preferences.dat (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\stat.log (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\stats.dat (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\uninstallie.dat (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\uninstallstatie.dat (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\weatherbutton_prefs.xml (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\weather\6ca74a5dbaf55db50f6f553c3adbcc55 (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\weather\c8a1761e9218b639991ac2631e4aac8b (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\weather\forecasts_cache.xml (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\Gary\application data\whitesmoketoolbar\weather\observations_cache.xml (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Not selected for removal.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Not selected for removal.
c:\WINDOWS\system32\config\systemprofile\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Not selected for removal.
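
A triage helper for a log like the one above, added here as an example; it is not part of the original thread and not Malwarebytes' own tooling. It assumes the MBAM 1.x line format visible in the post (`<item> (<Detection.Name>) -> [Value: x ->] <action>.`). The sample log embedded in it is a constructed subset of the lines posted above, and the patterns it flags (Run key, AppInit_DLLs, Image File Execution Options, services, the ProxyServer value, the Security Center notify values, the hosts file, and copies inside System Restore points) are the editor's own heuristics for what deserves attention before the raw counts.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log: count detections per
section and per family, flag persistence / security-weakening entries, and
list what the scan left behind.  Heuristics are the editor's own."""
import re
from collections import Counter

# Constructed sample: a subset of the lines in the MBAM 1.50 log posted
# above, kept in the exact line format that log uses.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OneStep Search Service (Adware.OneStepSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qmjoatnd (Trojan.FakeAlert.Gen) -> Value: qmjoatnd -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Witkinat) -> Value: AppInit_DLLs -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP597\A0649738.dll (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\6E5.tmp (PUP.WhiteSmoke) -> Not selected for removal.
c:\WINDOWS\Temp\ybrw\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# <item> (<Detection.Name>) -> [Value: x ->] <action>.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<det>[\w.\-]+)\) -> (?P<rest>.+)$")

# (regex over the item path, label).  Editor's heuristics, not MBAM output.
FLAGS = [
    (r"\\CurrentVersion\\Run\\", "autostart: Run key"),
    (r"\\AppInit_DLLs$", "AppInit_DLLs: DLL loaded into every process that loads user32.dll"),
    (r"\\Image File Execution Options\\", "IFEO: named program redirected through a 'debugger'"),
    (r"\\CurrentControlSet\\Services\\", "installed as a Windows service"),
    (r"\\Internet Settings\\ProxyServer$", "browser traffic routed through an attacker-set proxy"),
    (r"\\Security Center\\(AntiVirus|Firewall)DisableNotify$", "Security Center warnings suppressed"),
    (r"\\hosts$", "hosts file tampering (name resolution)"),
    (r"^c:\\system volume information\\_restore", "inactive copy inside a System Restore point"),
]


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits in."""
    section, entries = None, []
    for line in (ln.strip() for ln in text.splitlines()):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # summary counts, "(No malicious items detected)", etc.
        action = m.group("rest").rsplit("->", 1)[-1].strip().rstrip(".")
        entries.append({"section": section, "item": m.group("item"),
                        "detection": m.group("det"),
                        "family": m.group("det").split(".", 1)[0],
                        "action": action})
    return entries


def flag_entry(item):
    """Labels for every FLAGS pattern the item path matches (case-insensitive)."""
    return [label for pat, label in FLAGS if re.search(pat, item, re.IGNORECASE)]


def triage(text):
    entries = parse_mbam_log(text)
    flagged = [(e["item"], e["detection"], flag_entry(e["item"])) for e in entries]
    return {
        "by_section": dict(Counter(e["section"] for e in entries)),
        "by_family": dict(Counter(e["family"] for e in entries)),
        "flagged": [f for f in flagged if f[2]],
        # Still on disk after the scan; the analyst has to deal with these.
        "leftovers": [e["item"] for e in entries
                      if e["action"] == "Not selected for removal"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("per section:", report["by_section"])
    print("per family: ", report["by_family"])
    for item, det, labels in report["flagged"]:
        print(f"[!] {det:28} {item}\n    -> {'; '.join(labels)}")
    for item in report["leftovers"]:
        print(f"[ ] left on disk: {item}")
```

Run against the full log above, the three things the summary counts do not show are what this prints first: the autostart and injection points (Run key, AppInit_DLLs, IFEO, a service) that made the machine reinfect or stay slow; the PUM items that disabled Security Center warnings and pointed IE at a proxy; and the "Not selected for removal" entries, which are still on disk. Anything under `system volume information\_restore` is a restore-point copy, inactive now but a reinfection source if System Restore is ever rolled back to that point.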

tashi
2011-04-13, 06:43
Hello gvargas980,

Instructions for posting preliminary "DDS" logs for analysis are in post #2.
"BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Please start a new topic providing the DDS logs and a link back to this thread. :)

http://forums.spybot.info/showthread.php?t=62208

Edit
http://forums.spybot.inf/showthread.php?p=401172

Best regards.