
myonlinearcade.com malware


Re: myonlinearcade.com malware

Post by nOOb1 » June 27th, 2011, 3:09 pm

I should also like to add that there were a few suspicious files found, but there was no option to cure so I selected skip.
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm

Re: myonlinearcade.com malware

Post by Gary R » June 27th, 2011, 6:00 pm

OK looks like TDSSKiller has successfully targeted TDL4, time for round 2.

Let's see if we can resolve your other problems.

First

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Java(TM) 6 Update 21
Advanced SystemCare 4


Old versions of Java can be exploited.

Advanced System Care is by IObit, a company with an established record of stealing other people's software and incorporating it into their products ..... http://forums.malwarebytes.org/index.ph ... opic=29681

Reboot your computer when finished.

Now download and install JDK 6 Update 26 (JDK or JRE).

Next

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
[2010/09/07 20:14:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
O3 - HKU\S-1-5-21-1633274402-97511745-251067657-500\..\Toolbar\WebBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
O4 - HKU\S-1-5-21-1633274402-97511745-251067657-500..\Run: [Advanced SystemCare 4] C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe (IObit)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O33 - MountPoints2\{577ecc90-7476-11de-a9cb-0021851d33c0}\Shell - "" = AutoRun
O33 - MountPoints2\{577ecc90-7476-11de-a9cb-0021851d33c0}\Shell\AutoRun\command - "" = F:\setup.exe

:Files
C:\Program Files\IObit
C:\Users\Administrator\AppData\Roaming\Azureus
C:\Users\Administrator\AppData\Roaming\IObit
ipconfig /flushdns /c

:Commands
[emptytemp]
[emptyflash]
[resethosts]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Next

I see you have Malwarebytes Anti-Malware installed ...

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
      • Click Check for Updates and allow the programme to download the latest definitions.
    • Click the Scanner tab.
      • Check Perform Quick Scan.
      • Click Scan and wait for the scan to complete.
      • When the scan is complete, click OK, then Show Results.
      • Check all items except items in the C:\System Volume Information folder and click on Remove Selected.
        • A box will pop-up telling you that files have been quarantined.
        • A log will pop-up.
      • Post the log in your next reply please.

You can also access the log by doing the following
  • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open

Next

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.
  • Please go HERE then click on: Image
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)

Summary of the logs I need from you in your next post:
  • OTL log
  • MBAM log
  • E-Set log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: myonlinearcade.com malware

Post by nOOb1 » June 27th, 2011, 9:58 pm

Thank you for your quick response.
Below are the logs that you requested.
I must make one confession. I forgot to disable my antivirus software (AVG) before running ESET. By the time I realized what I had done, the scanner had been running for over an hour. I can re-scan later if you think that is necessary.
This is what I have so far including the ESET log with AVG running:
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm

Re: myonlinearcade.com malware

Post by nOOb1 » June 27th, 2011, 9:59 pm

All processes killed
========== OTL ==========
Prefs.js: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 removed from extensions.enabledItems
Folder C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry value HKEY_USERS\S-1-5-21-1633274402-97511745-251067657-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
Registry value HKEY_USERS\S-1-5-21-1633274402-97511745-251067657-500\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced SystemCare 4 not found.
File C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577ecc90-7476-11de-a9cb-0021851d33c0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{577ecc90-7476-11de-a9cb-0021851d33c0}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577ecc90-7476-11de-a9cb-0021851d33c0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{577ecc90-7476-11de-a9cb-0021851d33c0}\ not found.
File F:\setup.exe not found.
========== FILES ==========
C:\Program Files\IObit\Advanced SystemCare 4\Update folder moved successfully.
C:\Program Files\IObit\Advanced SystemCare 4\LatestNews folder moved successfully.
C:\Program Files\IObit\Advanced SystemCare 4\Freeware\FreeSoftwareDownload folder moved successfully.
C:\Program Files\IObit\Advanced SystemCare 4\Freeware folder moved successfully.
C:\Program Files\IObit\Advanced SystemCare 4 folder moved successfully.
C:\Program Files\IObit folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\torrents folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\tmp\AZU5118.tmp folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\tmp folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\subs folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\shares folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\plugins\azupnpav folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\plugins folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\net folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\logs folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\dht\net3 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\dht folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus\active folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus folder moved successfully.
C:\Users\Administrator\AppData\Roaming\IObit\Advanced SystemCare V4\PMonitor folder moved successfully.
C:\Users\Administrator\AppData\Roaming\IObit\Advanced SystemCare V4\Log folder moved successfully.
C:\Users\Administrator\AppData\Roaming\IObit\Advanced SystemCare V4\Backup folder moved successfully.
C:\Users\Administrator\AppData\Roaming\IObit\Advanced SystemCare V4 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\IObit folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Administrator\Desktop\cmd.bat deleted successfully.
C:\Users\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 39544692 bytes
->Temporary Internet Files folder emptied: 6474066 bytes
->Java cache emptied: 333182 bytes
->FireFox cache emptied: 54501632 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1522262298 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 3063936 bytes

Total Files Cleaned = 1,551.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.24.1 log created on 06272011_184402

Files\Folders moved on Reboot...
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TCQE0NY\viewtopic[1].htm moved successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm
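A reader checking an OTL fix log like the one above mostly wants to know what was actually removed and which targets were already gone. The script below is an added example, not part of this thread or of OTL: it tallies outcomes per section of a constructed excerpt of the log and separates "not found" items explained by the earlier uninstall of Advanced SystemCare from those that are not (here F:\setup.exe, which was simply absent when the fix ran).

```python
"""Summarise an OTL fix log: tally outcomes per section and triage 'not found' items."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the format of the OTL fix log posted above (lines copied from the post).
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1633274402-97511745-251067657-500\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced SystemCare 4 not found.
File C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577ecc90-7476-11de-a9cb-0021851d33c0}\ deleted successfully.
File F:\setup.exe not found.
========== FILES ==========
C:\Program Files\IObit folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Azureus folder moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully
"""

SECTION_RE = re.compile(r"^=+\s*(\w+)\s*=+$")
OUTCOME_RE = re.compile(
    r"^(?P<item>.*?)\s+(?P<outcome>deleted successfully|moved successfully|reset successfully|not found)\.?$"
)


def summarise_fix_log(text):
    """Return ({section: Counter(outcome)}, [items reported 'not found'])."""
    section = "HEADER"
    counts = defaultdict(Counter)
    not_found = []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:  # '========== OTL ==========' style divider starts a new section
            section = sec.group(1)
            continue
        m = OUTCOME_RE.match(line)
        if not m:  # e.g. 'All processes killed' carries no per-item outcome
            continue
        counts[section][m.group("outcome")] += 1
        if m.group("outcome") == "not found":
            not_found.append(m.group("item"))
    return dict(counts), not_found


def unexpected_not_found(items, expected_gone):
    """Drop 'not found' items that an expected_gone substring explains (a program
    uninstalled before the fix, such as 'IObit'); whatever is left deserves a second look."""
    return [i for i in items if not any(tag.lower() in i.lower() for tag in expected_gone)]


if __name__ == "__main__":
    counts, missing = summarise_fix_log(SAMPLE_LOG)
    for section, c in counts.items():
        print(section, dict(c))
    print("unexplained 'not found':", unexpected_not_found(missing, ["IObit", "Advanced SystemCare"]))
```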

Re: myonlinearcade.com malware

Post by nOOb1 » June 27th, 2011, 10:00 pm

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6964

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

6/27/2011 7:10:29 PM
mbam-log-2011-06-27 (19-10-29).txt

Scan type: Quick scan
Objects scanned: 170507
Time elapsed: 14 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm

Re: myonlinearcade.com malware

Post by nOOb1 » June 27th, 2011, 10:00 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=b4d9785934874f4a880dc86624eae4dc
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-28 01:52:11
# local_time=2011-06-27 08:52:11 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1032 16777213 100 94 0 51564100 0 0
# compatibility_mode=5892 16776574 100 91 0 145828036 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=188498
# found=0
# cleaned=0
# scan_time=5422
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm
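Gary's ESET instructions asked for "Remove found threats" unchecked and archive, potentially unwanted, potentially unsafe and Anti-Stealth scanning enabled; the "# key=value" header of the log above records exactly those choices. The script below is an added example (not from the thread or from ESET) that parses such a header from a constructed excerpt of this log, keeps repeated keys like compatibility_mode as a list, and reports any option that differs from what was requested.

```python
"""Check an ESET Online Scanner log header against the options the helper asked for."""

# Constructed excerpt of the ESET log posted above (header lines copied from the post).
SAMPLE_ESET_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-28 01:52:11
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1032 16777213 100 94 0 51564100 0 0
# compatibility_mode=5892 16776574 100 91 0 145828036 0 0
# scanned=188498
# found=0
# cleaned=0
# scan_time=5422
"""

# Options requested in the instructions: remove found threats OFF, the rest ON.
REQUESTED = {
    "remove_checked": "false",
    "archives_checked": "true",
    "unwanted_checked": "true",
    "unsafe_checked": "true",
    "antistealth_checked": "true",
}


def parse_eset_header(text):
    """Parse '# key=value' lines into a dict; a key that repeats becomes a list of values."""
    fields = {}
    for line in text.splitlines():
        if not line.startswith("# ") or "=" not in line:
            continue  # banner lines such as 'OnlineScanner.ocx - registred OK'
        key, value = (part.strip() for part in line[2:].split("=", 1))
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def check_scan(fields, requested=REQUESTED):
    """Report requested options that differ, whether the scan finished, and the counts."""
    mismatches = {k: fields.get(k) for k, v in requested.items() if fields.get(k) != v}
    return {
        "finished": fields.get("end") == "finished",
        "mismatched_options": mismatches,
        "scanned": int(fields.get("scanned", 0)),
        "found": int(fields.get("found", 0)),
        "cleaned": int(fields.get("cleaned", 0)),
    }


if __name__ == "__main__":
    print(check_scan(parse_eset_header(SAMPLE_ESET_LOG)))
```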

Re: myonlinearcade.com malware

Post by Gary R » June 28th, 2011, 1:36 am

How's your computer running now?
Gary R
Administrator
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: myonlinearcade.com malware

Post by nOOb1 » June 28th, 2011, 6:29 pm

It's certainly running faster compared to a few days ago, but it's still running much slower than it should.
I could never get Firefox to work again so I just re-installed it. It works, but like everything else it runs slow.
I'm still picking up the following running in the Task Manager under svchost.exe processes:

FontCache
FontCache 3.0.0.0
Dnscache
CryptSvc
AeLookupSvc
BITS (Background Intelligent Transfer Service)
DPS (Diagnostic Policy Service)
EapHost (Extensible Authentication Protocol)

Are these normal? If not, how can I address the problem?

What is the best method or program to optimize my computer speed?

What anti-virus program do you recommend?

Thank you, Gary!
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm

Re: myonlinearcade.com malware

Post by nOOb1 » June 28th, 2011, 6:52 pm

BTW - The last Windows Update for Vista failed. I've also noticed that it takes much longer to shut the computer down.
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm

Re: myonlinearcade.com malware

Post by nOOb1 » June 28th, 2011, 9:09 pm

Quick update - I did get Windows to install the new updates. :D

After a couple re-boots the computer seems to be back to normal!!!

Thank you so much Gary!

Are there any other tests that I should run?
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm

Re: myonlinearcade.com malware

Post by Gary R » June 29th, 2011, 1:20 am

Glad to hear your computer is back to normal.

I suspect your slowness was due to Windows catching up on updates, since the processes you saw running in Task Manager are mostly related to updating.

Run your computer for a couple of days to make sure everything is behaving the way you'd expect it to before following the instructions below for removing the programs we've used to clean your machine. Once those programs have gone any backups they've made are gone as well and cannot be recovered.

Once you're happy things are OK ....

Let's clear out OTL and the files and folders it created. This will also remove TDSSKiller.
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next

Please delete the following files and folders ...

MBRFix.zip
MBRFix
C:\MBRFix.exe
C:\Backup_MBR_0.bin


Next

ERUNT can be removed using Control Panel > Programs > Uninstall a program

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection (including recommendations for free programs).

If your computer is running slowly after your clean up, please read.
Gary R
Administrator
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: myonlinearcade.com malware

Post by nOOb1 » June 29th, 2011, 5:50 am

Thank you Gary for all your help. I had nearly given up on my computer and was about to re-install windows. I really appreciate you saving it.

Is there a way I can make a PayPal contribution to this site or to you personally? I don't have much, but I'd like to contribute something.
nOOb1
Regular Member
Posts: 21
Joined: June 23rd, 2011, 6:04 pm

Re: myonlinearcade.com malware

Post by Gary R » June 29th, 2011, 6:21 am

You're welcome, glad we could help.

Helpers on this site donate their time for free, but if you'd like to make a contribution to the site it is much appreciated. You'll see a link in the closure notice below.

Keep safe.

Gary

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire