Author Topic: Also need help with Win32: Malware-gen  (Read 11171 times)


shels60

  • Guest
Also need help with Win32: Malware-gen
« on: July 15, 2012, 03:44:59 PM »
I recently downloaded Avast.  I may not have had any antivirus protection for a few months.  I had previously run McAfee that was provided by my internet service provider.  In March, they said that they would no longer provide this feature, however, when I would check my McAfee subscription status, it always said that it was current.  Anyway, after I installed Avast, I ran a full scan which detected the win32:malware-gen.  I was able to put this in the chest.  However, when I ran the recommended bootscan, multiple infections of this virus were found.  I was unable to perform any of the suggested fixes.  I don't know where to find the log from this bootscan.

I see that the starting point for fixing these problems is to run Malwarebytes Anti-Malware, which I have done.  This log shows different files that are infected than the files found on the Avast bootscan.

I'd appreciate any help you can give me (in as simple terms as possible, since I'm not that computer literate!)

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.15.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.11
Owner :: I1 [administrator]

Protection: Enabled

7/15/2012 8:08:53 AM
mbam-log-2012-07-15 (08-08-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250393
Time elapsed: 15 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) -> Data:  -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 3
C:\Program Files\MyWaySA (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)
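The log above has a regular line structure: a section header with a declared count, then one line per item in the form "location (DetectionName) -> details -> result". The parser below is an added example written for this thread, not a tool from the original post or from Malwarebytes; it reads a constructed sample modelled on the posted log, groups detections by family prefix (PUP = potentially unwanted program, PUM = potentially unwanted modification), checks that each header's declared count matches the item lines actually present, and lists the Security Center "DisableNotify" values that were found set to 1, the registry change that silences the Windows warning about missing antivirus or firewall protection. Function names and the sample text are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Malwarebytes Anti-Malware 1.x log layout seen in the post
# above (only the sections that carry detections are reproduced here).
SAMPLE_LOG = r"""
Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) -> Data:  -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 3
C:\Program Files\MyWaySA (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)
"""

# "Registry Values Detected: 2"  ->  section="Registry Values", count=2
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<location> (<name>) -> <details> -> <result>"
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items carry the value found and the value MBAM restored.
DATA_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


@dataclass
class Detection:
    section: str                     # e.g. "Registry Values"
    location: str                    # registry path, folder or file
    name: str                        # e.g. "PUP.MyWebSearch"
    result: str                      # final action text
    bad_value: Optional[str] = None  # only for "Registry Data Items"
    good_value: Optional[str] = None

    @property
    def family(self) -> str:
        # First dotted component of the detection name: "PUP", "PUM", "Trojan", ...
        return self.name.split(".", 1)[0]


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per item line, tagged with the section it appeared under."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        item = ITEM_RE.match(line)
        if not item:
            continue  # free text (scan metadata etc.), not an item line
        rest = item.group("rest")
        result = rest.split(" -> ")[-1]
        det = Detection(section, item.group("location"), item.group("name"), result)
        data = DATA_RE.search(rest)
        if data:
            det.bad_value, det.good_value = data.group("bad"), data.group("good")
        detections.append(det)
    return detections


def header_counts(text: str) -> Dict[str, int]:
    """Declared count per section, straight from the 'X Detected: N' headers."""
    return {m.group("section"): int(m.group("count"))
            for m in (SECTION_RE.match(l.strip()) for l in text.splitlines()) if m}


def count_mismatches(text: str) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count disagrees with the item lines present: {section: (declared, seen)}.
    A non-empty result usually means the log was truncated or edited when pasted."""
    seen: Dict[str, int] = {}
    for d in parse_mbam_log(text):
        seen[d.section] = seen.get(d.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in header_counts(text).items() if seen.get(s, 0) != n}


def families(detections: List[Detection]) -> Dict[str, int]:
    """Count detections by family prefix (PUP, PUM, Trojan, ...)."""
    out: Dict[str, int] = {}
    for d in detections:
        out[d.family] = out.get(d.family, 0) + 1
    return out


def security_center_tampering(detections: List[Detection]) -> List[str]:
    """Registry locations where a Security Center notification flag had been switched to 1 (disabled)."""
    return [d.location for d in detections
            if d.name.startswith("PUM.Disabled.") and d.bad_value == "1"]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("families:", families(found))
    print("count mismatches:", count_mismatches(SAMPLE_LOG))
    for loc in security_center_tampering(found):
        print("security notification disabled at:", loc)
```

On the sample the parser yields seven items (five PUP.MyWebSearch, two PUM.Disabled.SecurityCenter), no count mismatches, and both Security Center values flagged; the two PUM lines are worth a second look in any such log, because a disabled "missing antivirus" warning is exactly what would let a lapsed subscription go unnoticed for months.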

jeffce

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #1 on: July 15, 2012, 04:16:27 PM »
Hi and welcome!

Please visit the site located here.  Follow the directions
for running OTL, aswMBR.exe and Malwarebytes and then attach the logs that are created to your next reply.  :)

shels60

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #2 on: July 15, 2012, 06:27:41 PM »
Thanks for the welcome.

Attached are the logs from OTL and aswMBR.  I was unclear if I should run Malwarebytes one more time or if my original posting with the malwarebytes log was sufficient.

jeffce

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #3 on: July 16, 2012, 02:21:12 PM »
Hi,

No it's no problem to use the Malwarebytes log you already posted.  :)

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
----------

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes
  • Open the scanner and select the Protection tab
  • Remove the tick from "Start Protection Module with Windows" as seen below


Once complete continue with the instructions...
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\\npViewpoint.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: //@mail.mar@ ([]msn in Local intranet)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: //@signup.mar@ ([]msn in My Computer)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: aol.com ([objects] * is out of zone range -  5)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: hotmail.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: msn.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: passport.net ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: turbotax.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2005/08/18 07:46:14 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

shels60

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #4 on: July 16, 2012, 11:02:55 PM »
Uh oh!  I ran ERUNT and got to running OTL.  There was a message that I needed to reboot in order for OTL to move files.  A new OTL.exe screen came on, and I clicked Run.  I think it was completed when an Avast sandbox Notepad screen came on for a little bit; then the screen blanked out and is now sitting there with a blank blue screen.  I didn't see much of the Notepad screen other than that things had been disabled.  Help!

shels60

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #5 on: July 17, 2012, 12:41:15 AM »
I just restarted my computer and it started up ok.  There is a new box that says "Restore" and below it "Exit".  Is this from ERUNT?  Before the computer went blank, I did not see a log from OTL.  Please advise on what I should do next. Thanks!

jeffce

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #6 on: July 17, 2012, 01:55:19 PM »
Hi,

Just go ahead and run a Quick Scan with OTL and post that new log.  :)

shels60

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #7 on: July 17, 2012, 02:50:34 PM »
Hi, when I ran OTL, I did see the log file from yesterday.  I have attached that file and today's log file.

jeffce

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #8 on: July 17, 2012, 04:28:49 PM »
Good...

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
----------

shels60

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #9 on: July 17, 2012, 05:47:20 PM »
Here is the Malwarebytes log.  I will post the Eset log when done.

shels60

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #10 on: July 17, 2012, 08:48:12 PM »
This is the ESET log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17110 (vista_gdr.120419-1718)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a92a0f9576b8844bbdbe181e37acea45
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-17 06:45:23
# local_time=2012-07-17 02:45:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 124282777 124282777 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=140929
# found=0
# cleaned=0
# scan_time=5732

jeffce

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #11 on: July 17, 2012, 08:48:12 PM »
Ok.  :)

shels60

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #12 on: July 18, 2012, 02:06:15 PM »
I ran one more Avast full scan and it did not find anything.  Does this mean my computer is "cured"?  If so, is it best to keep all the programs that I downloaded, or should I use Add/Remove Programs to delete them?  Thank you SO MUCH for helping me with this virus!

jeffce

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #13 on: July 18, 2012, 02:22:36 PM »
Hi,

Things are looking better.  How is your system running?  :)

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.

shels60

  • Guest
Re: Also need help with Win32: Malware-gen
« Reply #14 on: July 18, 2012, 04:23:43 PM »
I think my computer is running fine.  It is pretty old (about 6 years old), so it always ran fairly slow.  I tried to download Security Check, but I think the 2 links are broken.  Internet Explorer could not find the webpage.