Green Dot virus For a Friend

[Busymama62]

Well, I got OTL downloaded and managed to start the scan before I saw that I needed to type some stuff into custom scan.  Will have to let this finish and start the scan again.  Sorry!

[essexboy]

Not a problem .. We will now just need to do the tidying up

[Busymama62]

I forgot to say that in the OTL the 64 bit option does not show up, so it is running without it.  It appears that her Norton "BLAH" has expired and I have permission to download Avast and Malwarebytes.  She is using IE and I will be suggesting Mozella to her as I feel that it is safer.

OTL document is attached.

[essexboy]

OK we will now remove some garbage, replace the services file which is infected and carry out some repairs.  The desktop wall paper will need to be replaced as it is a Funweb one ..not good
Once that is done I will then prepare the system for Avast 

 Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
SRV - [2012/03/06 20:15:31 | 000,034,320 | ---- | M] (MyWebSearch.com) [Auto | Running] -- C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE -- (MyWebSearchService)
IE - HKLM\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZNxpt790CJUS&ptnrS=ZNxpt790CJUS&si=120088&ptb=1OXQxGZHniXMAvyVDAN2ow&ind=2012030621&n=77ed269d&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-2843368061-1495724786-861422060-1000\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
IE - HKU\S-1-5-21-2843368061-1495724786-861422060-1000\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZNxpt790CJUS&ptnrS=ZNxpt790CJUS&si=120088&ptb=1OXQxGZHniXMAvyVDAN2ow&ind=2012030621&n=77ed269d&psa=&st=sb&searchfor={searchTerms}
FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files\MyWebSearch\bar\1.bin\NPMyWebS.dll (MyWebSearch.com)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin [2012/03/06 20:15:51 | 000,000,000 | ---D | M]
O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
O2 - BHO: (mwsBar BHO) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O3 - HKU\S-1-5-21-2843368061-1495724786-861422060-1000\..\Toolbar\WebBrowser: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (MyWebSearch.com)
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (MyWebSearch.com)
O4 - HKU\S-1-5-21-2843368061-1495724786-861422060-1000..\Run: [MyWebSearch Email Plugin] C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (MyWebSearch.com)
O4 - HKU\S-1-5-21-2843368061-1495724786-861422060-1000..\Run: [PopularScreensaversWallpaper] C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL (FunWebProducts.com)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab (Reg Error: Value error.)
O24 - Desktop WallPaper: C:\Users\leon\AppData\LocalLow\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp
[2012/12/18 14:04:38 | 000,184,832 | ---- | C] () -- C:\Users\leon\AppData\Roaming\ldr.mcb

:Files
C:\Program Files\MyWebSearch

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete



Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that

[Busymama62]

I will have to change her download settings to install to desktop.  I thought I could do that but when I go in to the downloads settings on internet explorer I do not see Desktop.  What should I do. I did have to restart again, the "touch pad" has locked up on me twice.  Also when I try to go online I keep getting Do you want to allow the following program to make changes to this computer?  Java SE Runtime Environment 7 Update 9  Publisher Oracle America.  For now I am choosing No but am afraid I may be wrong in doing so.

OTL Report attached   will do the others once I figure out how to save to Desktop.

[essexboy]

When you click the links a small bar should appear at the bottom of IE
Click the arrow next to save and you will be given the option to choose where to save it

[Busymama62]

Still don't see Desktop, I have as my choices "Computer, Local Disk C, Then different files and folders.

[essexboy]

Select computer and that should open up to show the desktop

[Busymama62]

It opened up and is showing  Local Disk C, Recovery D, HP Tools E.

[essexboy]

Sheesh typical  save it to the root c drive and then copy to the desktop please

[Busymama62]

ARRRGGGG!!!!   "You Don't have permission to save in this location.  Contact the administrator to obtain permission.    Would you like to save in the leon folder instead?   Leon is my friends husbands name.

[essexboy]

Save it there then copy to the desktop please.  Are you able to logon to the admin account ?

 

[Busymama62]

Where would I find the adm account? 

[essexboy]

I just checked you are in an admin account..  Combofix should cure that problem

[Busymama62]

I am not sure the firewall is turned off.  I think Combofix is downloaded it just had a firewall type warning about this file is not commonly downloaded.  I think I have successfully copied Combofix to the desktop.  Do I proceed?