Avast WEBforum
Other => Viruses and worms => Topic started by: fiveavast on August 29, 2010, 09:01:01 AM
-
I was on the computer earlier and noticed a pop-up (which almost never happens) and when I went to a website I noticed a new toolbar installed "mywebsearch" I think. I figured ok someone was just messing around and clicked something. When I checked avast log viewer it had two warnings about it but it seems it is still installed and avast is no longer detecting it as harmful. After trying to remove it from the Firefox add-ons where I first noticed it and being unsuccessful, I then removed it from the control panel. That hasn't seem to done any good. I did a search on the gamevance name, I saw it talk about really annoying pop-ups and remote attackers. So I immediately came here for help. PLEASE help me before it gets any worse. :'(.
I am running Avast 4.8 Home edition and the os system is windows 7. Any help or recommendations are greatly appreciated. Thank you.
-
Hi fiveavast, and welcome to the forum. :)
Do you have a 32 or 64-bit machine? What is your firewall (FW)?
Have you updated your Avast definitions and run a Full Scan yet?
-
Hi fiveavast, and welcome to the forum. :)
Do you have a 32 or 64-bit machine? What is your firewall (FW)?
Have you updated your Avast definitions and run a Full Scan yet?
Thank you and hello to you also SafeSurfer. The machine runs 64 bit and the firewall is windows firewall. The avast definitions are all up to date and I have done a complete scan but I don't know if it was a full scan?
-
Is anything sitting in your Avast Virus Chest now? Let me know if you need help finding it.
Also, did you change any of the default setting of Avast?
-
To find the Virus Chest: open the Avast GUI > Maintenance > Virus Chest.
Is there anything listed in there? If so, can you give me either a screen shot or manually type in the exact wording of what is there?
My prior question was did you change any of the default settings of Avast?
-
Is anything sitting in your Avast Virus Chest now? Let me know if you need help finding it.
Also, did you change any of the default setting of Avast?
gamevance32.exe and gvun.exe are in the avast chest. I have not changed the default settings except when I first installed avast I turned the resident scanner up to high. It's not detecting "mywebsearch" at all but that wont uninstall either.
-
gamevance32.exe and gvun.exe are in the avast chest.
Good...that's what I wanted to see.
I'd like to check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free http://www.malwarebytes.org/ (http://www.malwarebytes.org/) for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select "Perform FULL Scan", then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.
Please let me know if you have any questions.
-
gamevance32.exe and gvun.exe are in the avast chest.
Good...that's what I wanted to see.
I'd like to check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free http://www.malwarebytes.org/ (http://www.malwarebytes.org/) for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select "Perform FULL Scan", then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.
Please let me know if you have any questions.
under general I turn the automatic file save on? Then I check all scanned setting boxes. Then I update Malwarebytes. Select full scan, Then quarantine anything found? then post the log here?
-
Yes....to all your questions.
-
try mbam,gamevance is an adware
-
try mbam,gamevance is an adware
The OP is already running a FULL scan of MBAM. But thank you for responding. :)
-
Yes....to all your questions.
Thank you. Here is the log.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4500
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
8/29/2010 1:31:14 AM
mbam-log-2010-08-29 (01-31-14).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 229458
Time elapsed: 25 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 33
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproductsinstaller.start (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproductsinstaller.start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d4db7d1-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{1d4db7d0-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files (x86)\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files (x86)\Uninstall Fun Web Products.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Also after restarting this came up. If your having trouble reading it, it is "There was a problem starting C:\PROGRA~2\UNINST~1.DLL The specified module could not be found."
(http://i38.tinypic.com/j0fcau.png)
and fire fox still has the same problem. This file keeps reinstalling itself. The add-on is name "Gamevance Textlinks 1.0.0"
(http://i38.tinypic.com/mrqwc6.png)
Thank you for helping me with this.
-
You had a lot of adware in addition to a Trojan that MBAM put into quarantine. Leave everything in there and Do NOT delete anything!
As for the FF extension, have you tried to delete it?
-
You had a lot of adware in addition to a Trojan that MBAM put into quarantine. Leave everything in there and Do NOT delete anything!
As for the FF extension, have you tried to delete it?
I have tried disabling it and uninstalling it but every time Firefox restarts its comes back. I even tried reinstalling Firefox itself. Also another question, I have to keep MBAM now? I can't uninstall it?
-
No...you need to keep MBAM as we will need it for future use. It is an excellent on-demand scanner than many of us use here.
I'd like you to run some more diagnostic tools with OTL. Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0). You have already done the MBAM part, so you can skip this.
Under the red OTL, click on it and it will download a file...download it to your desktop. Follow the instructions in the link above. You will be prompted to save 2 files to your desktop and attach them to your next post. To attach a file to a post: click on "Additional Options" > Attach > browse (the 2 files will be on your desktop) > post.
I am going to have a Certified Malware Removal expert named Essexboy review your OTL logs and respond to you in this thread. He will ask you questions and give you instructions. I will be monitoring in the background.
Please do not make any further changes to you machine other than doing normal Avast updates or you will need to re-do all the logs again.
Do you have any questions?
-
Prior to doing the OTL log, please clean your machine with CCleaner -- a freeware system optimization, privacy and cleaning tool. There is a Slim version available at http://www.piriform.com/ccleaner/builds (http://www.piriform.com/ccleaner/builds). It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner.
and...
Download TFC by OldTimer to your desktop.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/ (http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/)
· Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
· It will close all programs when running, so make sure you have saved all your work before you begin.
· Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
· Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
After doing BOTH cleaners...then run the OTL logs.
-
Prior to doing the OTL log, please clean your machine with CCleaner -- a freeware system optimization, privacy and cleaning tool. There is a Slim version available at http://www.piriform.com/ccleaner/builds (http://www.piriform.com/ccleaner/builds). It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner.
and...
Download TFC by OldTimer to your desktop.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/ (http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/)
· Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
· It will close all programs when running, so make sure you have saved all your work before you begin.
· Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
· Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
After doing BOTH cleaners...then run the OTL logs.
Ok thank you.
-
Do you have any questions? I will be signing off shortly but will check in later. I will let Essexboy run the show but be in the background.
-
Do you have any questions? I will be signing off shortly but will check in later. I will let Essexboy run the show but be in the background.
I'm still unsure how to attach the file but if you log off I'm sure someone can help me with it. Thank you for all your help SafeSurf.
-
also download ccleaner http://www.piriform.com/ccleaner/download
dont forget to run "the registry" scan
(http://img412.imageshack.us/img412/9197/ccleanerk.png)
-
also download ccleaner http://www.piriform.com/ccleaner/download
dont forget to run "the registry" scan
Do NOT run the registry scanner as I do not want any interference with the work of Essexboy.
@ Left123, please read the thread prior to posting. The OP has already been instructed to run CCleaner.
-
fiveavast,
I would like you to take instruction from Essexboy or Avast Evangelists at this point so what we have done does not get messed up. We are trying to repair your system. Thank you.
-
fiveavast,
I would like you to take instruction from Essexboy or Avast Evangelists at this point so what we have done does not get messed up. We are trying to repair your system. Thank you.
Ok thank you very much. I didn't run the registry cleaner.
-
Thank you. I don't want to make any changes in it, but you can certainly do the CCleaner and TFC cleaners to clean up your machine. I have already notified Essexboy. He will be looking for your OTL logs in your next post.
-
Here are the OTL logs.
-
Hi,it will be better and safer for you to install the latest version of Avast 5 to protect your PC.Just a little advice.
-
Hi the main OTL log was saved as Unincode, could you rerun and ensure it is saved as ANSI please and then attach the log ;D
-
Hi the main OTL log was saved as Unincode, could you rerun and ensure it is saved as ANSI please and then attach the log ;D
Ok this one should be fine.
-
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\S-1-5-21-3028868506-4198575349-1045157754-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=Z1xdm0033YUS&ptb=OLX2LjpC0i9rmnuWqBqYnQ
FF - prefs.js..extensions.enabledItems: textlinks@gamevance.com:1.0.0
O2 - BHO: (Gamevance Text) - {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - C:\Program Files (x86)\Gamevance\gvtl.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\S-1-5-21-3028868506-4198575349-1045157754-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=Z1xdm0033YUS&ptb=OLX2LjpC0i9rmnuWqBqYnQ
FF - prefs.js..extensions.enabledItems: textlinks@gamevance.com:1.0.0
O2 - BHO: (Gamevance Text) - {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - C:\Program Files (x86)\Gamevance\gvtl.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Do I select scan all users again?
-
Yes please just to make sure it is not elswhere on the system -
-
Ok after the custom scan you told me to do this is what it said on the restart and I attached the quick scan like you said.
All processes killed
Error: Unable to interpret <[emptytemp]> in the current context!
Error: Unable to interpret <[EMPTYFLASH]> in the current context!
Error: Unable to interpret <[CREATERESTOREPOINT]> in the current context!
Error: Unable to interpret <[Reboot]> in the current context!
OTL by OldTimer - Version 3.2.11.0 log created on 08292010_055719
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 35.00 mb
OTL by OldTimer - Version 3.2.11.0 log created on 08292010_055705
Files\Folders moved on Reboot...
C:\Users\comp two\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
-
If you could now do one more run with MBAM after updating and then let me know of any problems remaining
-
If you could now do one more run with MBAM after updating and then let me know of any problems remaining
The MBAM came up clean but I'm still having trouble with the Firefox add-on that wont uninstall, Every time Firefox restarts it reloads itself as a newly installed add-on. Here is a screen shot and below that is the MBAM log.
(http://i35.tinypic.com/jjmlio.png)
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4500
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
8/29/2010 7:12:42 AM
mbam-log-2010-08-29 (07-12-42).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 227565
Time elapsed: 24 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Does it re-appear as soon as you start FF or after you have visited a web site ?
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
FF - prefs.js..extensions.enabledItems: textlinks@gamevance.com:1.0.0
O2 - BHO: (Gamevance Text) - {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - C:\Program Files (x86)\Gamevance\gvtl.dll File not found
[2010/08/25 19:28:08 | 000,000,056 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0D4A3EEA-527E-4FD8-9B2F-089B616670B8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{014C4232-6904-47B9-9144-7E0FB7277444}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Gamevance=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance]
:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Gamevance
C:\Program Files (x86)\Conduit
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Does it re-appear as soon as you start FF or after you have visited a web site ?
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
FF - prefs.js..extensions.enabledItems: textlinks@gamevance.com:1.0.0
O2 - BHO: (Gamevance Text) - {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - C:\Program Files (x86)\Gamevance\gvtl.dll File not found
[2010/08/25 19:28:08 | 000,000,056 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0D4A3EEA-527E-4FD8-9B2F-089B616670B8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{014C4232-6904-47B9-9144-7E0FB7277444}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Gamevance=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance]
:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Gamevance
C:\Program Files (x86)\Conduit
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
After I uninstall the add-on when Firefox restarts it immediately re-appears as a "new" add-on. This is what it said after the custom scan. The gamevance add-on is still there and I attached the quick scan.
All processes killed
========== OTL ==========
Prefs.js: textlinks@gamevance.com:1.0.0 removed from extensions.enabledItems
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ not found.
C:\ProgramData\ezsidmv.dat moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0D4A3EEA-527E-4FD8-9B2F-089B616670B8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4A3EEA-527E-4FD8-9B2F-089B616670B8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{014C4232-6904-47B9-9144-7E0FB7277444}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{014C4232-6904-47B9-9144-7E0FB7277444}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Gamevance not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\comp two\Desktop\OTL\cmd.bat deleted successfully.
C:\Users\comp two\Desktop\OTL\cmd.txt deleted successfully.
File\Folder C:\Program Files (x86)\Gamevance not found.
C:\Program Files (x86)\Conduit\Community Alerts folder moved successfully.
C:\Program Files (x86)\Conduit folder moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: comp two
->Temp folder emptied: 399 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 15903113 bytes
->Flash cache emptied: 1610 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 51912 bytes
Total Files Cleaned = 15.00 mb
[EMPTYFLASH]
User: All Users
User: Default
User: Default User
User: comp two
->Flash cache emptied: 0 bytes
User: Public
Total Flash Files Cleaned = 0.00 mb
Restore point Set: OTL Restore Point
OTL by OldTimer - Version 3.2.11.0 log created on 08292010_080725
Files\Folders moved on Reboot...
C:\Users\comp two\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
-
I really hate Firefox, there are so many nooks and crannies where stuff can hide. I find it harder to clean than IE. Plus it is now a easier target since IE8 came along. OK I see that you have little in FF so I would like to do a full uninstall. This will mean wiping it totally from your system, full details here http://kb.mozillazine.org/Uninstalling_Firefox or another way is to use Revo uninstaller http://www.revouninstaller.com/revo_uninstaller_free_download.html and let it delete everything it finds
-
I really hate Firefox, there are so many nooks and crannies where stuff can hide. I find it harder to clean than IE. Plus it is now a easier target since IE8 came along. OK I see that you have little in FF so I would like to do a full uninstall. This will mean wiping it totally from your system, full details here http://kb.mozillazine.org/Uninstalling_Firefox or another way is to use Revo uninstaller http://www.revouninstaller.com/revo_uninstaller_free_download.html and let it delete everything it finds
Ok so I used revo to uninstall FF and when it reinstalled it didn't fix the problem. So I did it again and I realized revo wasnt removing the mozila folders which are hidden in appdata. So I removed everything that revo wanted to and then manually deleted the mozilla files and that seems to have fixed it. It's uninstalled and no longer reloading itself on restart.
Edit: If everything is fine would it now be ok to uninstall MBAM?
-
For sure although MBAM is a handy on demand tool to keep
removing the mozila folders which are hidden in appdata.
OK another area to add for my custom scans ;D
Run OTL and hit the cleanup button and OTL will then disappear
-
I had gamevance virus, and I read somewhere that Spybot S&D is the only thing that would work, and thats what I used to remove it.
-
For sure although MBAM is a handy on demand tool to keep
removing the mozila folders which are hidden in appdata.
OK another area to add for my custom scans ;D
Run OTL and hit the cleanup button and OTL will then disappear
Do you have any questions? I will be signing off shortly but will check in later. I will let Essexboy run the show but be in the background.
I haven't been able to get on for a few days but I finally got some time. Thank you SafeSurf and essexboy for all your help I really appreciate what you guys did.
-
Our pleasure
-
@ fiveavast,
You are quite welcome. Is everything working right now for you now?
@ Essexboy,
Do you need to do your removal tool thing with the OP or is he all set from your point of view other than seeing how his system runs for the next few days?
-
Yep cleany time ;D
Looking at that I am a happy bunny :)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems
Upgrading Java:
- Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 21 (http://java.sun.com/javase/downloads/index.jsp).
- Click the "Download" button to the right.
- Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586-p.exe and select "Run as an Administrator.")
SPRING CLEAN
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
@SafeSurf,
Yes everything is now working fine thank you very much.
@ Essexboy,
Thank you very much also for all your help.
@both,
The computer is working fine now, absolutely no problems. I would really like to express my gratitude to both of you. There is no way I would have been able to do this by myself. I would have broken down and formatted lol. Thank you very very much.
-
The computer is working fine now, absolutely no problems. I would really like to express my gratitude to both of you. There is no way I would have been able to do this by myself. I would have broken down and formatted lol. Thank you very very much.
I am very happy to hear that everything worked out fine for you. :D That's what we are here for, to help people like you.
Now that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed.
Feel free to come back any time you need help, to learn something new, or just to ask questions. We are here 24/7 for your convenience. Thank you for allowing us to assist you. :)
-
The computer is working fine now, absolutely no problems. I would really like to express my gratitude to both of you. There is no way I would have been able to do this by myself. I would have broken down and formatted lol. Thank you very very much.
I am very happy to hear that everything worked out fine for you. :D That's what we are here for, to help people like you.
Now that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed.
Feel free to come back any time you need help, to learn something new, or just to ask questions. We are here 24/7 for your convenience. Thank you for allowing us to assist you. :)
Done and thank you again for all the help. I will be sure to check the forums every once in awhile.