Windows Security 2011 virus. registry files deleted


Post by forza » May 20th, 2011, 11:51 pm

Hi, my computer has just been infected by the "Windows Security 2011" virus. I looked up online how to remove the virus, and part of the steps required me to remove some registry files. After removing all the desired registry files, I cannot open my antivirus software, internet browser or any .exe application.

Here's the DDS log.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_20
Run by @k3yM at 23:16:58 on 2011-05-20
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2813.1692 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Acer\Empowering Technology\NotificationCenter\Framework.NotificationCenter.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
G:\MalwareRemoval\dds.scr
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://en.us.acer.yahoo.com
mStart Page = hxxp://en.us.acer.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automount
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\@k3ym\appdata\roaming\mozilla\firefox\profiles\pb9px39p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.soccernet.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\@k3ym\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\@k3ym\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\@k3ym\appdata\roaming\move networks\plugins\npqmp071705000014.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-12 28552]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl129e6631;MpKsl129e6631;c:\programdata\microsoft\microsoft antimalware\definition updates\{6d2f2090-164b-4cf9-b463-d9e2aaae1dcc}\MpKsl129e6631.sys [2011-5-20 28752]
R1 MpKslf0fbf740;MpKslf0fbf740;c:\programdata\microsoft\microsoft antimalware\definition updates\{6d2f2090-164b-4cf9-b463-d9e2aaae1dcc}\MpKslf0fbf740.sys [2011-5-20 28752]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2009-9-7 61424]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2009-9-7 81504]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-5-22 24576]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]
R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2009-9-7 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-5-22 210432]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DYXPPQO;DYXPPQO;c:\users\@k3ym\appdata\local\temp\dyxppqo.exe --> c:\users\@k3ym\appdata\local\temp\DYXPPQO.exe [?]
S3 GMYZBU;GMYZBU;c:\users\@k3ym\appdata\local\temp\gmyzbu.exe --> c:\users\@k3ym\appdata\local\temp\GMYZBU.exe [?]
S3 HRU;HRU;c:\users\@k3ym\appdata\local\temp\hru.exe --> c:\users\@k3ym\appdata\local\temp\HRU.exe [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010c\RpcAgentSrv.exe [2010-5-15 93336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.exe=
.
=============== Created Last 30 ================
.
2011-05-21 03:05:36 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6d2f2090-164b-4cf9-b463-d9e2aaae1dcc}\MpKslf0fbf740.sys
2011-05-20 20:38:08 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6d2f2090-164b-4cf9-b463-d9e2aaae1dcc}\MpKsl129e6631.sys
2011-05-20 09:51:58 -------- d-----w- c:\users\@k3ym\appdata\local\Windows Live
2011-05-20 09:51:11 754688 ----a-w- c:\windows\system32\webservices.dll
2011-05-20 06:36:10 327680 --sha-w- c:\users\@k3ym\appdata\local\uxi.exe
2011-05-19 21:17:48 6962000 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6d2f2090-164b-4cf9-b463-d9e2aaae1dcc}\mpengine.dll
2011-05-19 20:39:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 18:28:16 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-06 20:31:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-05-06 20:29:55 -------- d-----w- c:\users\@k3ym\appdata\local\Electronic Arts
2011-05-06 10:50:23 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-06 10:50:23 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-06 10:50:23 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-06 10:50:22 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-06 10:50:22 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-06 10:50:22 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-06 10:50:22 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-06 10:50:21 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-27 15:57:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 15:57:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 15:57:29 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24:10 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24:02 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23:59 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23:55 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
============= FINISH: 23:19:13.29 ===============

Attach log.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 9/7/2009 4:18:23 AM
System Uptime: 5/20/2011 11:05:04 PM (0 hours ago)
.
Motherboard: Acer, Inc. | | Grasmoor
Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-70 | Socket M2/S1G1 | 2000/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 70 GiB total, 7.68 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 33.195 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acer Arcade Deluxe
Acer Assist
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePower Management
Acer eRecovery Management
Acer eSettings Management
Acer GameZone Console 2.0.1.1
Acer GridVista
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player
Amazon Unbox Video
Apple Application Support
Athan Basic 3.8
CCleaner
CDDRV_Installer
Counter-Strike 1.6
EA Download Manager
EA SPORTS online 2008
erLT
ERUNT 1.1j
ESET Online Scanner v3
eSobi v2
FIFA 11 Demo
Football Manager 2010
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Java Auto Updater
Java(TM) 6 Update 20
K-Lite Mega Codec Pack 3.6.5
KhalInstallWrapper
Launch Manager
LightScribe 1.4.142.1
Logitech SetPoint
Madden NFL 08
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Works
Move Media Player
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
NHL® 09
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
NVIDIA Drivers
NYKO Gamepad Mapping Tools 2.0.0
OGA Notifier 2.0.0048.0
Orion
Panda ActiveScan 2.0
PhotoNow!
PowerDirector
Pro Evolution Soccer 2010
Quran in Ms Word
R for Windows 2.12.1
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SiSoftware Sandra Lite 2010c
Skype™ 4.1
SpywareBlaster 4.3
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Veetle TV 0.9.17
WIDCOMM Bluetooth Software 6.0.1.6400
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Messenger
YouTube Downloader 2.6.2
.
==== Event Viewer Messages From Past Week ========
.
5/20/2011 5:51:09 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 9 for Windows Vista.
5/20/2011 5:39:32 AM, Error: EventLog [6008] - The previous system shutdown at 5:38:22 AM on 5/20/2011 was unexpected.
5/20/2011 2:58:05 AM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
5/20/2011 11:05:57 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
5/20/2011 11:05:28 PM, Error: EventLog [6008] - The previous system shutdown at 5:29:59 PM on 5/20/2011 was unexpected.
.
==== End Of File ===========================
forza
Regular Member
 
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Security 2011 virus. registry files deleted

Post by deltalima » May 22nd, 2011, 7:56 am

Checking your log - back soon.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Windows Security 2011 virus. registry files deleted

Post by deltalima » May 22nd, 2011, 8:17 am

Hi forza,

Welcome to the forum.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you to.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please Note:
The programs I ask you to run need to be run in Administrator Mode by... Right clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

forza wrote:
I looked up online how to remove the virus, and part of the steps required me to remove some registry files.

Do you have a copy of those instructions or details of what has been removed?

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
c:\users\@k3ym\appdata\local\temp\DYXPPQO.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Please also submit the following files to Virustotal and paste the logs into your reply.

c:\users\@k3ym\appdata\local\temp\GMYZBU.exe
c:\users\@k3ym\appdata\local\temp\HRU.exe
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Windows Security 2011 virus. registry files deleted

Post by forza » May 22nd, 2011, 8:32 am

This is the copy of the instructions:

Manual Removal:
1. Press Ctrl+Alt+Del on keyboard to stop process associated to "Windows Security 2011". When Windows Task Manager opens, go to Processes Tab and find and end the following process:
(random characters).exe

2. You need to update your installed antivirus application to have the latest database.
3. Thoroughly scan the computer and any detected threats must be removed. If removal is prohibited, it is best to quarantine the infected item. Manually locating and deleting malicious files should also be performed. Please see files below that are related to Windows Security 2011 Virus.
4. Registry entries created by Windows Security 2011 must also be removed from the Windows system. Please refer below for entries associated to the rogue program. [how to edit registry]
5. Exit registry editor.
6. Get rid of Windows Security 2011 start-up entry by going to Start > Run, type msconfig on the "Open" dialog box. A window containing System Configuration Utility will be launched. Go to Startup tab and uncheck the following Start-up item(s):
(random characters).exe

7. Click Apply and restart the computer.

Windows Security 2011 Removal Tool:
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.

Using Portable SuperAntiSpyware:
To thoroughly clean a computer, it is best to do a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner.
Technical Details and Additional Information:

Malicious Files Added by Windows Security 2011:
c:\Documents and Settings\All Users\Start Menu\Windows Security 2011\
c:\Documents and Settings\All Users\Start Menu\Windows Security 2011\Windows Security 2011.lnk
c:\Documents and Settings\All Users\Start Menu\Windows Security 2011\Uninstall.lnk
%ProgramFiles%\Windows Security 2011\
%ProgramFiles%\Windows Security 2011\e-set.exe
%UserProfile%\Desktop\Windows Security 2011.lnk
%System%\msiexecs.exe

Windows Security 2011 Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_CURRENT_USER\Software\A88246
HKEY_CURRENT_USER\Software\Mon246
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Security 2011" = '%ProgramFiles%\Windows Security 2011\e-set.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-A8I 16.03.2011"
Right now, I cannot open my internet browser.
So, can I just copy those 3 files and submit them through another computer?
forza
Regular Member
 
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Security 2011 virus. registry files deleted

Post by deltalima » May 22nd, 2011, 8:51 am

Hi forza,

forza wrote:
Right now, I cannot open my internet browser.
So, can I just copy those 3 files and submit them through another computer?

No, hang on, let's get Internet Explorer working first, then submit them later. I will be back with further instructions soon.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Windows Security 2011 virus. registry files deleted

Post by deltalima » May 22nd, 2011, 9:01 am

Hi forza,

exeHelper
Please download exeHelper ... by Raktor. Save it to your desktop.
  1. Double-click on exeHelper.com to run the fix.
  2. A black window should pop up... press any key to close the window, once the fix is completed.
    A file "log.txt" will be created ... in the same place you ran exeHelper from (your desktop).
  3. Please post the contents of the log.txt file in your next reply.
Note: If the window shows a message that says "Error deleting file", please re-run the program then post both logs (the re-run and the original) together...they will both be in the "log.txt" file.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Windows Security 2011 virus. registry files deleted

Post by forza » May 22nd, 2011, 10:14 am

I cannot download exeHelper because of a virus associated with it.
forza
Regular Member
 
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Security 2011 virus. registry files deleted

Post by deltalima » May 22nd, 2011, 10:23 am

Hi forza,

forza wrote:
I cannot download exeHelper because of a virus associated with it.

The file is clean and so this is a false positive. What is blocking it? Microsoft Security Essentials? If so, disable the antivirus and try again.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Windows Security 2011 virus. registry files deleted

Post by forza » May 22nd, 2011, 10:28 am

Right now, I'm in a computer lab. Hence, I could not disable the antivirus. Is there any other software besides exeHelper? Otherwise, I'll go back home and use my roommate's computer.
forza
Regular Member
 
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Security 2011 virus. registry files deleted

Post by deltalima » May 22nd, 2011, 10:48 am

forza wrote:
Otherwise, I'll go back home and use my roommate's computer.

Please do.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Windows Security 2011 virus. registry files deleted

Post by forza » May 22nd, 2011, 8:45 pm

I successfully ran exeHelper. Now, I am able to use all .exe applications (Mozilla, games, etc.)

Here's the exeHelper log:

exeHelper by Raktor
Build 20100414
Run at 20:14:21 on 05/22/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
forza
Regular Member
Posts: 103
Joined: June 2nd, 2010, 1:05 pm
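The exeHelper log above lists the settings the tool reset: the .exe and .com file associations, the Winlogon Userinit and Shell values, and policies. As an added, read-only check (not exeHelper's code and not part of this thread), the following PowerShell script reads those same values back and reports any that differ from the standard Windows defaults, plus a few per-user keys that are normally absent and would override the machine-wide association if a rogue program created them. The expected values and key paths are my assumptions for a default Vista-era install.

```powershell
# Added example, not exeHelper's code: read-only audit of the registry values
# exeHelper's log says it reset. Expected values are the standard Windows
# defaults (assumption: default Vista-era install). Run from an elevated prompt.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Name = '(default)'; Value = 'exefile' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.com';                       Name = '(default)'; Value = 'comfile' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' }
    @{ Path = $winlogon; Name = 'Userinit'; Value = "$env:SystemRoot\system32\userinit.exe," }
    @{ Path = $winlogon; Name = 'Shell';    Value = 'explorer.exe' }
)

# Per-user keys that a clean system does not have. If present, they take
# precedence over the HKCR values above for the current user.
$suspiciousKeys = @(
    'HKCU:\Software\Classes\.exe'
    'HKCU:\Software\Classes\exefile'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)

function Test-ExeLaunchChain {
    foreach ($e in $expected) {
        $item   = Get-ItemProperty -Path $e.Path -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($e.Name) } else { $null }
        # -ne is case-insensitive in PowerShell, which suits registry paths.
        $status = 'OK'
        if ($null -eq $actual) { $status = 'MISSING' } elseif ($actual -ne $e.Value) { $status = 'CHANGED' }
        [pscustomobject]@{ Check = "$($e.Path) [$($e.Name)]"; Status = $status; Actual = $actual; Expected = $e.Value }
    }
    foreach ($k in $suspiciousKeys) {
        $present = Test-Path -Path $k
        $status  = if ($present) { 'UNEXPECTED' } else { 'OK' }
        $actual  = if ($present) { 'present' } else { 'absent' }
        [pscustomobject]@{ Check = $k; Status = $status; Actual = $actual; Expected = 'absent' }
    }
}

Test-ExeLaunchChain | Format-Table -AutoSize -Wrap
```

Any row marked CHANGED, MISSING or UNEXPECTED is worth posting along with the other logs; the script changes nothing itself.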

Re: Windows Security 2011 virus. registy files deleted

Unread postby deltalima » May 23rd, 2011, 4:29 am

Hi forza,

I successfully ran exeHelper. Now I am able to use all .exe applications


Good, now please submit the 3 files to Virustotal as per my earlier post.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Windows Security 2011 virus. registy files deleted

Unread postby forza » May 23rd, 2011, 6:30 am

I cannot locate the 3 files.

There is no 'appdata' folder in the '@ky3m' directory.
forza
Regular Member
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Security 2011 virus. registy files deleted

Unread postby forza » May 23rd, 2011, 6:36 am

The 3 files are not there anymore.
forza
Regular Member
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Security 2011 virus. registy files deleted

Unread postby deltalima » May 23rd, 2011, 6:47 am

Hi forza,

Defogger
Disable Drivers
Please download DeFogger... by jpshortstuff. Save it to your desktop.
  1. Right click DeFogger.exe and select: Run as Administrator. The application window will appear.
  2. Click the Disable button to disable your CD Emulation drivers.
  3. Click Yes to continue. A 'Finished!' message will appear. Click OK.
  4. Click OK when DeFogger asks to reboot the machine.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe and select: Run as Administrator.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Right click the .exe file and select: Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button, then right-click on your Desktop and choose "New" > Text Document. Once the file is created, open it, right-click again and choose Paste (or Ctrl+V). Save the file as gmer.txt and copy its contents into your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK