BleepingComputer.com: So frustrated! Not sure what I have. Please help me :(

Hi guys!!! I was on novmov last night and during a show I was watching, these annoying Lysol and AirWick advertisement ads kept playing. There was no ad displayed on the computer. I closed out of IE, and the ads were playing in the background. I tried googling what it could be and there were so many viruses it could be: vundo, black internet, routing.exe, perf.exe, iexplore.exe. I was looking around here and tried to run a hijackthis log (even though I have no clue what it's for) and was told "For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, hijackthis may NOT be able to fix this". I've scanned with Norton, AVG, McAfee, Malwarebytes and the results for all says that no threat was found.

I'm so confused and just want to cry, I have no clue what virus is on my computer or what to do. I really don't want to restore my computer. Can someone please help me?

This post has been edited by Aubriella504: 27 October 2010 - 10:01 AM

What version of Windows are you running?

I am running Windows 6.0 with Vista.

This post has been edited by Aubriella504: 27 October 2010 - 10:08 AM

Can you bring up my computer then open the c drive and navigate to the following:

c:\windows\system32\drivers\etc

Open up the HOSTS File then copy and paste the contents in your next reply.

I went to c:\windows\system32\drivers\etc and I found hosts. It asked me to choose which program I want to open the file. Am I in the correct location?

I am sorry if I might sound like a pain, I'm just such a newbie to this.

I decided to open it with notepad, this is what came up:

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost

Your hosts file is fine. When you ran those scans did you make sure those products were updated?

Yes, I did an update on each product before I did the scans to make sure they were up to date.

Can you post the logs from those scans?

From Malware bytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3822
Windows 6.0.6000
Internet Explorer 7.0.6000.17037

10/27/2010 8:22:05 AM
mbam-log-2010-10-27 (08-22-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 291004
Time elapsed: 2 hour(s), 24 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



From AVG:

"Scan ""Whole computer scan"" completed."
"No infection was found during this scan"
"Folders selected for scanning:";"Whole computer scan"
"Scan started:";"Wednesday, October 27, 2010, 2:31:57 AM"
"Scan finished:";"Wednesday, October 27, 2010, 3:56:25 AM (1 hour(s) 24 minute(s) 28 second(s))"
"Total object scanned:";"1414336"
"User who launched the scan:";"Aubri"


The scan for Norton isn't available because I had to uninstall it to run AVG.

Have the advertisements reappeared?

Yes, they actually started a few minutes ago. They stopped for about an hour, now they are back. Last night, it was for Lysol and Airwick ads, now a new one has popped up saying "congradulations, you win". So, all together there are 5 ads that constantly loop.

I went into c:\windows\system32\drivers to find anything that was added or changed at or around the time I was watching the show on novamov. This is what I found, and it is at the exact time I was on that website.


Name: perfc009.dat
Date Modified: 10/26/2010 11:58
Type: DAT File
Size: 102 KB

Name: perfh009.dat
Date Modified: 10/26/2010 11:58
Type: DAT File
Size: 604 KB

Name: PerfStringBackup.INI
Date Modified: 10/26/2010 11:58
Type: Configuration Settings
Size: 701 KB

What sites were you visiting when they popped up?

I was streaming a show from novamov.com, there was a lysol ad on the screen and it was constantly looping, but it did show on the screen. Halfway through the show a notification came up and told me my computer was in danger and to click OK to fix it. I know to never click on that notification, so I didn't hit OK or Cancel. I went to my task manager and closed it out through there. As soon as internet explorer shut down, the same lysol ad began playing. Only this time it was other ads included with it, Air Wick, Paris Hilton perfume.

As I'm typing this, the ads have stopeed and its rock music playing for about 15 seconds then it cuts off. Then about 5 minutes later a clown laugh starts.