malware on my computer


Re: malware on my computer

Post by bordanik » April 15th, 2010, 2:19 am

Also this message keeps popping up on my screen in a box saying it is windows internet security

Windows Internet Security Your browser is under the threat of infection. Windows requires your permission to install online protection tool. Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website in unsafe mode may lead to the loss of personal data and computer breakage. To run the web browser in protected mode Windows requires installing the certified antivirus scanner software and online protection tool. Online Protection Tool
Microsoft WindowsName:
Publisher:

It has 2 boxes at the bottom saying allow or don't allow. If I click on allow it redirects me to another window which asks me to download a program from a site called nifowhich .com (sometimes this will be a different site); it is a setup exe file type application.

Should I download this application?
bordanik
Regular Member
 
Posts: 19
Joined: April 8th, 2010, 2:41 am

Re: malware on my computer

Post by askey127 » April 15th, 2010, 6:10 pm

bordanik,
We'll fix this problem. How about this:
Download Microsoft Security Essentials from here: http://www.microsoft.com/security_essentials/
Save the installer to your desktop;
------------------------------------------------
Remove Programs Using Control Panel (Vista)
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:
AVG 9
Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Re-enable your protection software and post the log in your next reply.
A copy of the log will be located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
------------------------------------------------
Now right click and choose "Run as administrator" on the Microsoft Installer.
Let it install, update, and run a scan.

Please post the contents of the C:\ComboFix.txt file.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: malware on my computer

Post by bordanik » April 16th, 2010, 3:55 am

Hi, this is the log from ComboFix. I am now finding it impossible to re-download AVG; it's as if whatever is on the computer is stopping all antivirus software. Can you help?


ComboFix 10-04-14.01 - NICK 16/04/2010 17:34:42.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.1860 [GMT 10:00]
Running from: c:\users\NICK\Desktop\zzz.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1032073352-3646096773-1008586168-500
c:\users\NICK\AppData\Roaming\.#
D:\install.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-16 07:45 . 2010-04-16 07:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-13 11:27 . 2010-04-13 11:27 -------- d--h--w- c:\windows\PIF
2010-04-12 07:09 . 2010-04-12 07:10 -------- d-----w- C:\rsit
2010-04-12 06:56 . 2010-04-12 06:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 06:51 . 2010-04-12 06:51 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 06:46 . 2010-04-08 06:46 -------- d-----w- c:\program files\Trend Micro
2010-04-05 01:17 . 2010-01-07 06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 01:17 . 2010-04-13 11:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 01:17 . 2010-01-07 06:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 00:34 . 2010-04-05 00:34 -------- d-----w- c:\users\NICK\AppData\Local\Threat Expert
2010-04-04 23:42 . 2010-04-04 23:42 -------- d-----w- c:\users\NICK\AppData\Roaming\AVG9
2010-03-27 17:21 . 2010-03-27 17:21 -------- d-----w- c:\program files\Windows Portable Devices
2010-03-27 17:04 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-03-27 17:04 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-03-27 17:04 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-03-27 17:02 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-03-27 17:02 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-03-27 17:02 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-03-27 08:54 . 2010-03-27 08:54 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-03-27 08:54 . 2010-03-27 08:54 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-03-27 08:54 . 2010-03-27 08:54 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-03-27 08:53 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-03-27 08:53 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-03-27 08:53 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-27 08:51 . 2010-03-26 20:47 1658136 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-03-27 08:51 . 2010-03-26 20:46 613656 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-03-27 08:51 . 2010-03-26 20:46 1007896 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-03-27 08:51 . 2010-03-26 20:46 800536 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-03-26 11:31 . 2010-03-26 11:32 -------- d-----w- c:\windows\system32\ca-ES
2010-03-26 11:31 . 2010-03-26 11:32 -------- d-----w- c:\windows\system32\eu-ES
2010-03-26 11:31 . 2010-03-26 11:32 -------- d-----w- c:\windows\system32\vi-VN
2010-03-26 10:34 . 2010-03-26 10:34 -------- d-----w- c:\windows\system32\EventProviders
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\29657\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\29657\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\29657\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\29657\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 07:44 . 2009-03-07 08:45 -------- d-----w- c:\users\NICK\AppData\Roaming\Skype
2010-04-16 07:24 . 2009-03-07 08:48 -------- d-----w- c:\users\NICK\AppData\Roaming\skypePM
2010-04-16 07:22 . 2010-02-04 21:07 -------- d-----w- c:\programdata\avg9
2010-04-12 06:50 . 2008-12-28 11:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-12 06:42 . 2008-12-28 11:42 -------- d-----w- c:\program files\Vuze
2010-04-02 02:04 . 2008-12-28 11:43 -------- d-----w- c:\users\NICK\AppData\Roaming\Azureus
2010-03-27 17:20 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-27 17:20 . 2010-03-27 17:20 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-26 11:32 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-17 11:02 . 2008-08-19 09:12 -------- d-----w- c:\programdata\Microsoft Help
2010-03-01 06:16 . 2008-12-27 10:19 103528 ----a-w- c:\users\NICK\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:06 . 2010-03-11 20:29 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 20:29 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 20:29 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-25 12:47 . 2010-02-04 21:04 3777816 ----a-w- c:\programdata\TEMP\AVG\setup.exe
2010-01-25 12:00 . 2010-02-24 06:05 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 06:05 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 06:05 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 06:05 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 06:05 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 06:05 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 06:05 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 06:05 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 06:05 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 06:05 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 00:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-03 1848648]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-21 6144000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\users\NICK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-12-13 3656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^NICK^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcadeDeluxeAgent]
2008-05-30 00:44 147456 ------w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
2008-04-26 04:36 28672 ----a-w- c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2008-05-30 00:44 167936 ------w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-05-15 00:05 526896 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
2008-06-11 17:22 409600 ----a-w- c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-12-27 10:21 24064 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-09-10 22:02 809480 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-26 11:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 00:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2008-05-13 00:28 167936 ----a-w- c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 06:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-05-21 02:06 6144000 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-02-04 02:27 23975720 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 19:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-08 19:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-04-25 18:08 1049896 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
2008-01-29 09:03 303104 ----a-w- c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):08,02,82,02,d9,cc,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1032073352-3646096773-1008586168-1000]
"EnableNotificationsRef"=dword:00000001

R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-27 24064]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2007-12-17 75776]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-05-09 61424]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-28 210432]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2008-05-29 22072]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com.au/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... spire_5535
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://photomax.lifepics.com/net/Upload ... ader57.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 17:46
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-16 17:50:13
ComboFix-quarantined-files.txt 2010-04-16 07:50

Pre-Run: 19,418,505,216 bytes free
Post-Run: 19,210,231,808 bytes free

- - End Of File - - 8F35550F2A573D8D81DEE2DC670C5000
bordanik
Regular Member
 
Posts: 19
Joined: April 8th, 2010, 2:41 am
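The log above lists a few settings a helper would normally follow up on: EnableLUA set to 0 (UAC switched off), an AppInit_DLLs entry, and Security Center monitoring disabled. As an added example, not part of this thread and not a tool the helpers use, here is a small Python script that parses the "Reg Loading Points" block of a ComboFix log and flags those items. The excerpt it runs on is constructed from the log posted above plus one made-up Run entry (a hypothetical "updater" in a temp folder) so that the user-profile check has something to fire on.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example for this thread, not a MalwareRemoval.com or ComboFix tool.
It parses the REGEDIT4-style block ComboFix prints and flags settings a
helper would normally ask about. Heuristics only, not verdicts.
"""
import re

# Constructed excerpt modelled on the log posted above. The "updater" Run
# entry is made up so the user-profile check below has something to flag.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"updater"="c:\users\NICK\AppData\Local\temp\updater.exe" [2010-04-14 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
"""


def parse_reg_block(text):
    """Return {key_path: {value_name: raw_value}} from a REGEDIT4-style dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def triage(keys):
    """Return (finding, detail) pairs for settings worth a follow-up question."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(r"\policies\system") and values.get("EnableLUA", "").startswith("0"):
            findings.append(("uac-disabled", path))  # EnableLUA=0 turns UAC off
        if low.endswith(r"\windows nt\currentversion\windows"):
            dlls = values.get("AppInit_DLLs", "").strip('"')
            if dlls:  # loaded into every process that loads user32.dll
                findings.append(("appinit-dll", dlls))
        if r"\security center\monitoring" in low and values.get("DisableMonitoring") == "dword:00000001":
            findings.append(("security-center-monitoring-off", path))
        if low.endswith(r"\currentversion\run"):
            for name, value in values.items():
                m = re.match(r'"([^"]+)"', value)
                exe = (m.group(1) if m else value).lower()
                # autostarts living in a user profile or temp folder deserve a look
                if "\\appdata\\" in exe or "\\temp\\" in exe:
                    findings.append(("run-from-user-profile", f"{name} -> {exe}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_reg_block(SAMPLE_LOG)):
        print(f"{kind:32} {detail}")
```

Each finding is a prompt for the helper's next question, not a verdict: a legitimate product (Google Desktop here) can register an AppInit DLL, and some users turn UAC off themselves.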

Re: malware on my computer

Post by askey127 » April 16th, 2010, 1:15 pm

bordanik,
This thing tries every trick in the book to keep itself from being removed.

UNDER NO CIRCUMSTANCES should you download Windows Security 2010.
If you do, you will have to contact your credit card issuer about fraud.

I want you to run RKILL, then immediately run a quick scan with Malwarebytes.
When the scan is complete, press the Show Results button under the main “Scanner” tab.
Check all the detected infections. It will pop up a log report.
Please post the log it creates.
If you lose it, you can see all the logs from the Logs tab in the Malwarebytes program (they each have dates in the name).

Also tell me your status regarding your Antivirus. I didn't understand it very well.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: malware on my computer

Post by bordanik » April 16th, 2010, 7:39 pm

Hi, Rkill didn't run properly I don't think, and Malwarebytes didn't find any problems.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

17/04/2010 09:33:31
mbam-log-2010-04-17 (09-33-31).txt

Scan type: Quick Scan
Objects scanned: 102248
Time elapsed: 10 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as NICK on 17/04/2010 at 9:20:44.


Processes terminated by Rkill or while it was running:


C:\Users\NICK\Desktop\rkill2.com


Rkill completed on 17/04/2010 at 9:20:53.
bordanik
Regular Member
 
Posts: 19
Joined: April 8th, 2010, 2:41 am

Re: malware on my computer

Post by askey127 » April 17th, 2010, 7:38 am

bordanik,
----------------------------------------------
Run Temp File Cleaner
Download Temp File Cleaner (TFC) and save it to your desktop.
Right click and Run as Administrator.
If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard
    File::
    C:\Windows\System32\drivers\etc\hosts
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    (image)
  • Now drag and drop the CFScript.txt icon onto combofix.exe as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
-------------------------------------------------------------
Tell me the status of your Antivirus application. Which one is it? Does Windows Security Center say it's up to date and running?
Also tell me how the machine is running.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
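The CFScript above points ComboFix at the hosts file and at the two locked registry keys; the hosts file matters because browser redirects of the kind the poster describes are commonly implemented by mapping names there. As an added example (not part of this thread, and not how ComboFix handles the file internally), here is a Python inspector that reads hosts-file text and reports names mapped away from loopback, plus any one non-loopback address that has collected several names. The sample content is constructed; the actual hosts file from this machine is not shown in the thread.

```python
"""Hosts-file inspector.

Added example for this thread, not part of ComboFix or the helper's
procedure. Reads hosts-file text and reports names mapped away from
loopback, plus any single non-loopback address that has gathered several
names, which is the shape a redirect hijack usually takes. Heuristics,
not verdicts: a deliberate ad-blocking hosts file maps names to 127.0.0.1
or 0.0.0.0 and is not flagged here.
"""
from collections import defaultdict
import ipaddress

# On Windows the file lives at C:\Windows\System32\drivers\etc\hosts.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample; the hosts file from this thread is not shown.
# 198.51.100.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
#
# constructed sample content, not the poster's file
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.google.com
198.51.100.7    www.bing.com
198.51.100.7    update.example-av.invalid
127.0.0.1       ads.example.invalid
"""


def parse_hosts(text):
    """Return [(ip, name), ...] for every valid address/name pair in the text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: skip the line
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def suspicious_hosts(text, shared_threshold=3):
    """Flag non-loopback mappings and addresses that gather many names."""
    findings = []
    names_by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        names_by_ip[ip].append(name)
        if ip not in LOOPBACK:
            findings.append(("redirected", name, ip))
    for ip, names in names_by_ip.items():
        if ip not in LOOPBACK and len(names) >= shared_threshold:
            findings.append(("shared-target", ip, len(names)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a clean Windows install the file contains only comments and the two localhost lines, so anything this reports is worth explaining; an entry that sends a search engine or an antivirus vendor's update host to an outside address is the classic sign that ComboFix's File:: line is aimed at.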

Re: malware on my computer

Post by bordanik » April 18th, 2010, 6:50 am

Hello, hope this is what you need. My AVG antivirus is now up and running OK, and the machine is running OK except for the redirects I am still getting.

ComboFix 10-04-14.01 - NICK 18/04/2010 18:59:06.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2814.1758 [GMT 10:00]
Running from: c:\users\NICK\Desktop\zzz.exe
Command switches used :: c:\users\NICK\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\windows\System32\drivers\etc\hosts"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\etc\hosts

.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-18 09:11 . 2010-04-18 09:11 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-04-18 09:11 . 2010-04-18 09:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-18 09:11 . 2010-04-18 09:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-16 23:14 . 2010-04-16 23:14 4076824 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-16 23:14 . 2010-04-16 23:14 2059544 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-16 23:14 . 2010-04-16 23:14 1598744 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-04-16 23:14 . 2010-04-16 23:14 1274136 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-16 23:14 . 2010-04-16 23:14 598296 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-16 23:14 . 2010-04-16 23:14 313112 ----a-w- c:\programdata\avg9\update\backup\avglogx.dll
2010-04-16 23:14 . 2010-04-16 23:14 1515224 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2010-04-16 23:13 . 2010-04-16 23:13 459544 ----a-w- c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-16 23:13 . 2010-04-16 23:13 4250976 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-16 23:13 . 2010-04-16 23:13 341272 ----a-w- c:\programdata\avg9\update\backup\avgxch32.dll
2010-04-16 23:13 . 2010-04-16 23:13 1086744 ----a-w- c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-16 23:13 . 2010-04-16 23:13 556824 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-16 23:13 . 2010-04-16 23:13 301336 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-16 23:12 . 2010-04-16 23:12 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-16 23:12 . 2010-04-16 23:12 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-16 08:37 . 2010-04-16 08:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-16 08:37 . 2010-04-16 08:37 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-16 08:36 . 2010-04-16 08:36 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-16 08:36 . 2010-04-16 08:36 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-16 08:36 . 2010-04-18 08:47 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-13 11:27 . 2010-04-13 11:27 -------- d--h--w- c:\windows\PIF
2010-04-12 07:09 . 2010-04-12 07:10 -------- d-----w- C:\rsit
2010-04-12 06:56 . 2010-04-12 06:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 06:51 . 2010-04-12 06:51 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 06:46 . 2010-04-08 06:46 -------- d-----w- c:\program files\Trend Micro
2010-04-05 01:17 . 2010-01-07 06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 01:17 . 2010-04-13 11:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 01:17 . 2010-01-07 06:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 00:34 . 2010-04-05 00:34 -------- d-----w- c:\users\NICK\AppData\Local\Threat Expert
2010-04-04 23:42 . 2010-04-04 23:42 -------- d-----w- c:\users\NICK\AppData\Roaming\AVG9
2010-03-27 17:21 . 2010-03-27 17:21 -------- d-----w- c:\program files\Windows Portable Devices
2010-03-27 17:04 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-03-27 17:04 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-03-27 17:04 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-03-27 17:02 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-03-27 17:02 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-03-27 17:02 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-03-27 08:54 . 2010-03-27 08:54 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-03-27 08:54 . 2010-03-27 08:54 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-03-27 08:54 . 2010-03-27 08:54 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-03-27 08:53 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-03-27 08:53 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-03-27 08:53 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-27 08:51 . 2010-03-26 20:46 613656 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-03-27 08:51 . 2010-03-26 20:46 800536 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-03-26 11:31 . 2010-03-26 11:32 -------- d-----w- c:\windows\system32\ca-ES
2010-03-26 11:31 . 2010-03-26 11:32 -------- d-----w- c:\windows\system32\eu-ES
2010-03-26 11:31 . 2010-03-26 11:32 -------- d-----w- c:\windows\system32\vi-VN
2010-03-26 10:34 . 2010-03-26 10:34 -------- d-----w- c:\windows\system32\EventProviders
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\29657\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\29657\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\29657\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\29657\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 09:12 . 2009-03-07 08:45 -------- d-----w- c:\users\NICK\AppData\Roaming\Skype
2010-04-18 08:44 . 2009-03-07 08:48 -------- d-----w- c:\users\NICK\AppData\Roaming\skypePM
2010-04-16 08:36 . 2010-02-04 21:07 -------- d-----w- c:\programdata\avg9
2010-04-12 06:50 . 2008-12-28 11:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-12 06:42 . 2008-12-28 11:42 -------- d-----w- c:\program files\Vuze
2010-04-02 02:04 . 2008-12-28 11:43 -------- d-----w- c:\users\NICK\AppData\Roaming\Azureus
2010-03-27 17:20 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-27 17:20 . 2010-03-27 17:20 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-26 11:32 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-26 11:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-17 11:02 . 2008-08-19 09:12 -------- d-----w- c:\programdata\Microsoft Help
2010-03-01 06:16 . 2008-12-27 10:19 103528 ----a-w- c:\users\NICK\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:06 . 2010-03-11 20:29 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 20:29 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 20:29 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-25 12:47 . 2010-02-04 21:04 3777816 ----a-w- c:\programdata\TEMP\AVG\setup.exe
2010-01-25 12:00 . 2010-02-24 06:05 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 06:05 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 06:05 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 06:05 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 06:05 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 06:05 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 06:05 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 06:05 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 06:05 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 06:05 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 00:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-03 1848648]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-21 6144000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\users\NICK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-12-13 3656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^NICK^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcadeDeluxeAgent]
2008-05-30 00:44 147456 ------w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
2008-04-26 04:36 28672 ----a-w- c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2008-05-30 00:44 167936 ------w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-05-15 00:05 526896 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
2008-06-11 17:22 409600 ----a-w- c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-12-27 10:21 24064 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-09-10 22:02 809480 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-26 11:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 00:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2008-05-13 00:28 167936 ----a-w- c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 06:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-05-21 02:06 6144000 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-02-04 02:27 23975720 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 19:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-08 19:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-04-25 18:08 1049896 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
2008-01-29 09:03 303104 ----a-w- c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):08,02,82,02,d9,cc,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1032073352-3646096773-1008586168-1000]
"EnableNotificationsRef"=dword:00000001

R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-27 24064]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2007-12-17 75776]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-16 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-16 242696]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-05-09 61424]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-16 308064]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-28 210432]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2008-05-29 22072]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com.au/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... spire_5535
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://photomax.lifepics.com/net/Upload ... ader57.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 19:11
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
Completion time: 2010-04-18 19:15:16
ComboFix-quarantined-files.txt 2010-04-18 09:15
ComboFix2.txt 2010-04-16 07:50

Pre-Run: 17,539,588,096 bytes free
Post-Run: 19,818,708,992 bytes free

- - End Of File - - 64D9A28356E276AE67AD7F5B3F8C2E31
bordanik
Regular Member
 
Posts: 19
Joined: April 8th, 2010, 2:41 am

Re: malware on my computer

Unread postby askey127 » April 19th, 2010, 7:26 am

Please tell me the following:
Is your PC connected to a router (wireless or wired), or is it plugged directly into the Internet modem?
If it is using a router, has the administrator password on the router ever been changed from the default value?
If it is using a router, does any other PC connected to it have the problem with redirects?
-----------------------------------------------
Run RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program, or in Vista, right click and choose "Run as administrator"
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select every drive showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program
  • Post the contents of RootRepeal.txt in your next reply

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: malware on my computer

Unread postby bordanik » April 19th, 2010, 8:05 am

Hello, I have tried to run RootRepeal twice; both times my PC has frozen up. The second time I had to manually shut down as everything froze.

The PC is connected to a wireless router. I don't think the password has been changed, and yes, other computers in my household are suffering with redirects too.

Hope this helps

Re: malware on my computer

Unread postby askey127 » April 19th, 2010, 10:01 am

bordanik,
They actually publish the list of default passwords for each router on the Internet.
Router Passwords Default List : http://www.phenoelit-us.org/dpl/dpl.html

If you don't change it, a ZLOB infection can use the default password and change your router settings, so as to intercept every communication by passing it through a malware server.
It will definitely produce redirects.
The router will likely have to be re-installed so the malware server address can be removed. (Then you can change the password)
If you can find the instructions that came with the router, it may save a bit of work.
------------------------------------
We can double-check your connection routing and use it to get the browser address you will need to reset your model of router:
Go to Start, Run and type the command word cmd into the box. Hit <Enter>
A window will pop up. (Don't try to move the cursor in the window.)
Type the following (there is a space on either side of the double arrow in this line):
ipconfig/all >> c:\ip.txt
Hit <Enter>
Next, type exit, and hit the Enter key again.
The window will disappear.
-----------------------------------
Now go to Start, Computer and double-click on C:\ drive.
Click View , Details in the top menu.
Find a file in the list named ip.txt
Double click it and you should see Notepad popup with a few lines of information in it.
Please Copy the contents and paste back in a reply here.
askey127

Re: malware on my computer

Unread postby bordanik » April 19th, 2010, 4:47 pm

Hello, I think I am still on the original password from the router, but I don't have any instructions for it.



Windows IP Configuration

Host Name . . . . . . . . . . . . : NICK-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR5B91 Wireless Network Adapter
Physical Address. . . . . . . . . : 00-23-4D-15-8E-86
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1c8a:172e:3893:fa7d%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 20 April 2010 06:21:47
Lease Expires . . . . . . . . . . : 21 April 2010 06:21:48
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 201335629
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-70-21-E8-00-1D-72-D0-86-BF
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-1D-72-D0-86-BF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{1FE02DFE-0767-48E6-96C2-F05D932B6E75}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:35:3598:856b:cc42(Preferred)
Link-local IPv6 Address . . . . . : fe80::35:3598:856b:cc42%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{40355FDF-E64B-4CF1-AB31-36FDF91F8928}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
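The helper reads the ip.txt above by eye; the following is an added example (not a tool from this thread or from MalwareRemoval.com) that parses `ipconfig /all` output and sorts each adapter's DNS servers into the cases a defender wants to tell apart: a resolver outside the adapter's own subnet (a setting on the host itself), versus a resolver that is the default gateway (the router answers, so the setting to inspect is on the router's admin page). The sample text is constructed: the wireless block is condensed from the output posted above, the "Hijacked Example" adapter is hypothetical, and the function names `parse_ipconfig` and `audit_dns` are the example's own.

```python
"""Parse `ipconfig /all` output and review each adapter's DNS servers.

Added example for this thread, not a MalwareRemoval.com tool. It reads the
kind of ip.txt the helper asked for and separates a resolver configured on
the host itself from a resolver that is simply the router.
"""
import ipaddress
import re

# Constructed sample, not a capture: the wireless block is condensed from the
# output posted in the thread; the "Hijacked Example" adapter is hypothetical
# and points at TEST-NET-3 documentation addresses to show a host-level override.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : NICK-PC

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Atheros AR5B91 Wireless Network Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Hijacked Example:

   Description . . . . . . . . . . . : Hypothetical adapter (constructed)
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : isatap.{1FE02DFE-0767-48E6-96C2-F05D932B6E75}
"""

# A field line is "Key . . . : value"; the dot padding distinguishes it from an
# adapter header ("... Connection:") and from the deeper-indented continuation
# line of a multi-valued field such as a second DNS server.
FIELD_RE = re.compile(r"^ {0,4}(\S.*?)\s*\.[ .]*:\s*(.*)$")


def _strip_suffix(value):
    """Drop trailing annotations such as '(Preferred)' from an address."""
    return re.sub(r"\(.*?\)$", "", value).strip()


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} from ipconfig /all output."""
    section = "Windows IP Configuration"
    adapters = {section: {}}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = FIELD_RE.match(raw)
        if m:
            last_key, value = m.group(1), m.group(2)
            adapters[section].setdefault(last_key, [])
            if value:
                adapters[section][last_key].append(value)
        elif not raw[0].isspace() and raw.rstrip().endswith(":"):
            section = raw.rstrip()[:-1]          # new adapter block
            adapters[section] = {}
            last_key = None
        elif raw[0].isspace() and last_key is not None:
            adapters[section][last_key].append(raw.strip())  # extra value
    return adapters


def audit_dns(adapters):
    """Return (level, adapter, server, note) for every IPv4 DNS server.

    warn  : server lies outside the adapter's subnet, so the override is on
            this host; compare it with what the ISP/admin really hands out.
    info  : server is the default gateway, i.e. the router forwards queries;
            a changed resolver then shows only in the router's own settings.
    check : server is another host on the LAN.
    """
    findings = []
    for name, fields in adapters.items():
        ipv4 = fields.get("IPv4 Address", [])
        mask = fields.get("Subnet Mask", [])
        if not ipv4 or not mask:
            continue  # global section, tunnel or disconnected adapter
        lan = ipaddress.ip_interface(f"{_strip_suffix(ipv4[0])}/{mask[0]}").network
        gateways = {_strip_suffix(g) for g in fields.get("Default Gateway", [])}
        for entry in fields.get("DNS Servers", []):
            server = _strip_suffix(entry)
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                continue
            if addr.version != 4:
                continue
            if server in gateways:
                findings.append(("info", name, server, "resolver is the router; review the router's DNS/WAN settings"))
            elif addr in lan:
                findings.append(("check", name, server, "LAN host other than the gateway serves DNS"))
            else:
                findings.append(("warn", name, server, f"resolver outside {lan}: host-level DNS override"))
    return findings


if __name__ == "__main__":
    for level, adapter, server, note in audit_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"[{level}] {adapter}: {server} - {note}")
```

Run against the thread's own output, the wireless adapter only produces an "info" line: its single DNS server is 192.168.1.1, the router. That is why nothing on the PC looked wrong and why the fix had to be done on the router: a resolver changed through the router's admin interface is invisible to `ipconfig`, and every machine behind that router gets the same redirects, which matches what bordanik reported about the other computers in the household.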

Re: malware on my computer

Unread postby askey127 » April 19th, 2010, 5:58 pm

You have a Linksys router.
Go find the model number of your router (sticker on the bottom?) and plug this address into the top of your browser.
192.168.1.1
Look up the instructions for the model number you have.
Print out what you need to reset your settings.
You may need to visit the website of your Internet Provider to get instructions for resetting/installing the router.

Re: malware on my computer

Unread postby bordanik » April 20th, 2010, 5:35 am

Hello again, and thanks so much for all your help so far. I have reset the modem and all now seems to be well with the machine. What do I need to do to protect the modem from further attacks? Will changing the password in the security section on the modem work? (This is the password that is used when logging on to the wireless network.)

Re: malware on my computer

Unread postby askey127 » April 20th, 2010, 6:21 am

bordanik,
There is a user name and password you have to type in when you go to the address 192.168.1.1 and try to change the router settings. That password is the one you need to change. After you get that access, there is a way provided to change your own password. Then write it down and save it somewhere. The idea is to fix it so the original (published) password doesn't work any more for changing settings. Doing so will foil those kinds of attacks.

As I mentioned, the original username and password are in this list:
Router Passwords Default List : http://www.phenoelit-us.org/dpl/dpl.html
-----------------------------------------------------------
Click the START circle.
Type Combofix /uninstall in the box and click OK. Give permission.
Note the space between Combofix and /uninstall
When shown the disclaimer, Select "2"

Your machine should be fine now, as long as you avoid using P2P sharing programs like Limewire, Vuze, and utorrent.

askey127

Re: malware on my computer

Unread postby bordanik » April 20th, 2010, 7:38 am

I have followed the instructions to uninstall ComboFix but receive a message saying Windows cannot find zzz.exe