myonlinearcade.com malware

Unread postby z147 » July 2nd, 2011, 1:10 pm

I believe I have the same exact malware problem as posted by nOOb1 on 6/23.

I'm also getting an svchost.exe Application Error: "The instruction at "0x06310190" referenced memory at "0x06310190". The memory could not be "written"."

I would have followed the posted instructions, but the first note was "Please note that all instructions given are customized for this computer only, the tools used may cause damage if used on a computer with different infections."

I've also received a Data Execution Prevention message from Windows which states "To help protect your computer, Windows has closed this program: Generic Host Process for Win32 Services."


File: myonlinearcade.com/survey/c/94/index.php
Infection: Exploit Social engineering (type 1912)
Result: Object was blocked

Also, on occasion when I start up my browser (Firefox 5.0), I will get a tab about being a winner from Wal-Mart.
My browser redirects to strange websites (e.g. pubads.g.doubleclick.net) before actually going to my desired site.

AVG has also vaulted "setup.exe (4252)" and "setup.exe (1860)" and described these as "Trojan.Win32 Generic.pak:cobra".

My processor goes to 100% utilization after the computer has been on for a period of time, and it slows to a crawl.

My browser and computer will on occasion spontaneously freeze and can only be revived by hitting the reset button (Ctrl+Alt+Del would NOT work).

This is my first time posting to this forum, so please forgive any errors in format.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by AZ at 12:55:32 on 2011-07-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.128 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Documents and Settings\AZ\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://news.google.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.74.166 68.87.68.166
TCP: Interfaces\{DE038714-5CDA-49F1-A43C-B066D60146DF} : DhcpNameServer = 68.87.74.166 68.87.68.166
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\az\application data\mozilla\firefox\profiles\yx8detvg.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4ddebeab ... g=en-US&q=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\az\local settings\application data\crossloop\CrossLoopService.exe [2011-4-28 560880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-26 984392]
S3 tvnserver;TightVNC Server;c:\documents and settings\az\local settings\application data\crossloop\tvnserver.exe [2011-4-28 814080]
.
=============== Created Last 30 ================
.
2011-07-01 12:55:01 -------- d-----w- c:\program files\Comcast
2011-07-01 12:53:58 -------- d-----w- c:\documents and settings\az\local settings\application data\SupportSoft
2011-07-01 12:53:31 -------- d-----w- c:\program files\common files\SupportSoft
2011-07-01 12:53:31 -------- d-----w- c:\program files\ComcastUI
2011-06-27 20:50:00 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-27 20:50:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-27 19:31:31 -------- d-----w- c:\program files\StartNow Toolbar
2011-06-17 14:03:20 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-09 14:16:31 -------- d-----w- c:\documents and settings\all users\application data\mJ45103KpMcP45103
.
==================== Find3M ====================
.
2011-06-30 20:40:27 59 ----a-w- c:\windows\wpd99.drv
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 14:11:12 11081728 ----a-w- c:\windows\system32\ieframe(2)(2).dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2011-04-25 16:11:12 1211904 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1991680 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-15 01:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-05 04:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AVJB-63WKA0 rev.00.02C01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84AF64D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x84afc7d0]; MOV EAX, [0x84afc84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x84BEA560]
3 CLASSPNP[0xF751CFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000058[0x84BC8F18]
5 ACPI[0xF7393620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x84B8E940]
\Driver\atapi[0x84B85C78] -> IRP_MJ_CREATE -> 0x84AF64D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x84AF631B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:00:52.17 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/23/2010 7:57:28 PM
System Uptime: 7/2/2011 12:32:14 PM (1 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Salmon
Processor: AMD Athlon(tm) 64 Processor 3300+ | Socket 754 | 2411/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 128 GiB total, 61.233 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is CDROM ()
I: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP115: 4/3/2011 10:29:15 PM - System Checkpoint
RP116: 4/4/2011 10:40:45 PM - System Checkpoint
RP117: 4/6/2011 8:03:50 AM - System Checkpoint
RP118: 4/7/2011 8:40:29 AM - System Checkpoint
RP119: 4/8/2011 8:52:30 AM - System Checkpoint
RP120: 4/9/2011 11:22:37 AM - System Checkpoint
RP121: 4/10/2011 11:51:56 AM - System Checkpoint
RP122: 4/11/2011 12:37:12 PM - System Checkpoint
RP123: 4/12/2011 1:22:33 PM - System Checkpoint
RP124: 4/13/2011 3:06:42 PM - System Checkpoint
RP125: 4/14/2011 3:00:14 AM - Software Distribution Service 3.0
RP126: 4/15/2011 9:26:40 AM - System Checkpoint
RP127: 4/16/2011 9:30:18 AM - System Checkpoint
RP128: 4/17/2011 12:46:26 PM - System Checkpoint
RP129: 4/18/2011 1:25:19 PM - System Checkpoint
RP130: 4/19/2011 2:18:18 PM - System Checkpoint
RP131: 4/20/2011 3:17:13 PM - System Checkpoint
RP132: 4/24/2011 11:02:28 PM - System Checkpoint
RP133: 4/25/2011 11:45:15 PM - System Checkpoint
RP134: 4/26/2011 7:45:36 PM - Restore Operation
RP135: 4/27/2011 7:29:31 AM - Software Distribution Service 3.0
RP136: 4/27/2011 8:24:56 AM - Restore Operation
RP137: 4/27/2011 8:48:48 AM - Restore Operation
RP138: 4/27/2011 8:52:03 AM - Restore Operation
RP139: 4/27/2011 3:15:07 PM - Restore Operation
RP140: 4/27/2011 3:19:05 PM - Restore Operation
RP141: 4/27/2011 3:22:51 PM - Restore Operation
RP142: 4/27/2011 3:39:51 PM - Restore Operation
RP143: 4/27/2011 4:50:44 PM - Restore Operation
RP144: 4/28/2011 5:50:41 PM - System Checkpoint
RP145: 4/29/2011 6:01:17 PM - System Checkpoint
RP146: 4/30/2011 6:23:28 PM - System Checkpoint
RP147: 5/1/2011 7:15:37 PM - System Checkpoint
RP148: 5/2/2011 8:10:08 PM - System Checkpoint
RP149: 5/3/2011 9:10:08 PM - System Checkpoint
RP150: 5/5/2011 7:24:17 AM - System Checkpoint
RP151: 5/6/2011 7:58:48 AM - System Checkpoint
RP152: 5/7/2011 2:15:54 PM - System Checkpoint
RP153: 5/8/2011 2:53:29 PM - System Checkpoint
RP154: 5/8/2011 4:06:51 PM - Restore Operation
RP155: 5/9/2011 5:10:13 PM - System Checkpoint
RP156: 5/10/2011 5:21:37 PM - System Checkpoint
RP157: 5/11/2011 5:42:29 PM - System Checkpoint
RP158: 5/12/2011 3:00:13 AM - Software Distribution Service 3.0
RP159: 5/13/2011 3:21:32 AM - System Checkpoint
RP160: 5/14/2011 4:21:32 AM - System Checkpoint
RP161: 5/15/2011 5:21:32 AM - System Checkpoint
RP162: 5/16/2011 8:50:42 AM - System Checkpoint
RP163: 5/17/2011 9:26:07 AM - System Checkpoint
RP164: 5/18/2011 10:03:25 AM - System Checkpoint
RP165: 5/19/2011 10:52:51 AM - System Checkpoint
RP166: 5/20/2011 9:18:28 AM - Restore Operation
RP167: 5/21/2011 11:12:04 AM - System Checkpoint
RP168: 5/22/2011 1:59:26 PM - System Checkpoint
RP169: 5/23/2011 2:46:21 PM - System Checkpoint
RP170: 5/25/2011 9:17:37 AM - System Checkpoint
RP171: 5/26/2011 9:35:45 AM - System Checkpoint
RP172: 5/26/2011 3:07:44 PM - Restore Operation
RP173: 5/26/2011 3:25:30 PM - Restore Operation
RP174: 5/26/2011 4:55:29 PM - Installed AVG 2011
RP175: 5/26/2011 4:57:58 PM - Removed AVG 2011
RP176: 5/27/2011 11:23:58 PM - System Checkpoint
RP177: 5/28/2011 11:44:30 PM - System Checkpoint
RP178: 5/30/2011 12:44:30 AM - System Checkpoint
RP179: 5/31/2011 12:34:46 PM - System Checkpoint
RP180: 6/1/2011 12:47:05 PM - System Checkpoint
RP181: 6/2/2011 1:36:40 PM - System Checkpoint
RP182: 6/3/2011 2:02:07 PM - System Checkpoint
RP183: 6/4/2011 11:40:19 AM - Restore Operation
RP184: 6/5/2011 11:47:45 AM - System Checkpoint
RP185: 6/5/2011 1:32:02 PM - Restore Operation
RP186: 6/6/2011 2:22:12 PM - System Checkpoint
RP187: 6/7/2011 2:32:36 PM - System Checkpoint
RP188: 6/8/2011 3:39:57 PM - System Checkpoint
RP189: 6/9/2011 6:55:19 PM - System Checkpoint
RP190: 6/11/2011 4:13:56 PM - System Checkpoint
RP191: 6/12/2011 4:38:44 PM - System Checkpoint
RP192: 6/13/2011 6:45:00 PM - System Checkpoint
RP193: 6/15/2011 12:55:56 AM - System Checkpoint
RP194: 6/17/2011 10:15:52 AM - System Checkpoint
RP195: 6/18/2011 12:30:12 PM - Software Distribution Service 3.0
RP196: 6/19/2011 1:22:22 PM - System Checkpoint
RP197: 6/20/2011 1:38:57 PM - System Checkpoint
RP198: 6/21/2011 2:15:10 PM - System Checkpoint
RP199: 6/22/2011 3:15:02 PM - System Checkpoint
RP200: 6/23/2011 4:16:11 PM - System Checkpoint
RP201: 6/24/2011 7:15:26 PM - System Checkpoint
RP202: 6/25/2011 2:15:53 PM - Restore Operation
RP203: 6/25/2011 3:28:50 PM - Software Distribution Service 3.0
RP204: 6/26/2011 3:29:56 PM - System Checkpoint
RP205: 6/27/2011 4:06:39 PM - System Checkpoint
RP206: 6/27/2011 4:38:52 PM - Restore Operation
RP207: 6/27/2011 4:54:11 PM - Removed Bonjour
RP208: 6/27/2011 6:12:17 PM - Software Distribution Service 3.0
RP209: 6/28/2011 1:51:31 PM - Restore Operation
RP210: 6/29/2011 3:38:42 PM - System Checkpoint
RP211: 6/29/2011 5:35:47 PM - Software Distribution Service 3.0
RP212: 6/30/2011 6:38:45 PM - System Checkpoint
RP213: 7/1/2011 8:53:30 AM - Installed Comcast Desktop Software (v1.2.0.9)
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Agere Systems PCI Soft Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2011
Comcast Desktop Software (v1.2.0.9)
Compatibility Pack for the 2007 Office system
CrossLoop 2.75
Desktop Doctor
Epson Event Manager
EPSON Scan
EPSON WorkForce 600 Series Printer Uninstall
EpsonNet Print
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
iTunes
Java Auto Updater
Java(TM) 6 Update 23
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.18)
Pdf995
QuickTime
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SiS VGA Utilities
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Spybot - Search & Destroy
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
7/1/2011 9:13:22 AM, error: Dhcp [1002] - The IP address lease 192.168.1.1 for the Network Card with network address 0011D8292605 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/1/2011 9:12:37 AM, error: Dhcp [1002] - The IP address lease 192.168.2.105 for the Network Card with network address 0011D8292605 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
7/1/2011 9:10:45 AM, error: Dhcp [1002] - The IP address lease 76.108.145.113 for the Network Card with network address 0011D8292605 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/1/2011 8:51:53 AM, error: Dhcp [1002] - The IP address lease 192.168.100.2 for the Network Card with network address 0011D8292605 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
7/1/2011 8:51:22 AM, error: Dhcp [1002] - The IP address lease 76.108.145.113 for the Network Card with network address 0011D8292605 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The HID Input Service service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The Fast User Switching Compatibility service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 4:28:46 PM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
6/30/2011 4:28:46 PM, error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/29/2011 8:41:29 AM, error: Service Control Manager [7022] - The WebClient service hung on starting.
6/29/2011 1:46:13 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the BITS service.
6/27/2011 4:54:27 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
6/27/2011 4:38:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/27/2011 4:38:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/27/2011 4:38:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
6/27/2011 4:38:16 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
6/27/2011 4:38:16 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/27/2011 4:38:16 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/27/2011 4:38:16 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/27/2011 4:38:16 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/27/2011 4:38:16 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================
z147
Regular Member
 
Posts: 47
Joined: July 2nd, 2011, 12:13 pm

Re: myonlinearcade.com malware

Unread postby MWR 3 day Mod » July 6th, 2011, 9:12 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: myonlinearcade.com malware

Unread postby askey127 » July 7th, 2011, 10:49 am

Hi z147,
Sorry for the delay.
------------------------------------------------
Download and Run Rkill
Please download and run the tool named Rkill, which may help in allowing other programs to run.
There are 4 different versions. If one of them won't run then download and try to run one of the other ones.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get ONE of these to run, not all of them. You may get warnings from your antivirus about any of these tools, ignore them or shutdown your antivirus.
Please download Rkill from one of the following links (note the different names) and save to your Desktop:
Rkill.exe
eXplorer.exe
RKill.com
RKill.scr
Rkill.pif
  • Double-click on the Rkill or eXplorer desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If you get a Warning Message when you try to run it, run it again while the Warning Message is still displayed.
  • If it doesn't run on the first try, please try to run it another two or three times.
  • If it still does not run, delete the desktop entry. Then download and use the one provided in the next link.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided after trying each a few times, please let me know.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    (Vista - W7 users: Right-click and select "Run As Administrator")
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the main directory of C:
    (the dd.mm.yyyy_hh.mm.ss numbers in the filename represent the time/date stamp)
  6. Copy and paste the contents of that file in your next reply.
If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: myonlinearcade.com malware

Unread postby z147 » July 7th, 2011, 11:51 pm

Thanks. The problem is now more severe. When I try to open Firefox or Explorer I'm presented with a list of programs to choose in order to open them. I can get to the web via a link on my desktop to my provider's email. When I get there multiple sessions are opened including "Index of file:///C:Documents and Settings". I also receive an error Program files\Java\jreg\lib\deply\jqj\FF\..\..\..\bin\jqsnotify.ex I did download Rkill and it seemed to run. There is a statement in the notepad "Processes terminated by Rkill or while it was running:" but there were no processes actually listed. Should I proceed to TDSSKiller?
z147
Regular Member
 
Posts: 47
Joined: July 2nd, 2011, 12:13 pm

Re: myonlinearcade.com malware

Unread postby askey127 » July 8th, 2011, 7:01 am

Yes, if you can download it on this machine or another one.
You can use a flash drive to transfer the download to this desktop if necessary.

It's possible that the machine cannot be saved or fixed by online methods, and the Operating System would have to be re-installed after a reformat.

It's also possible that the machine has hardware problems, like a bad hard drive, but it isn't in good enough shape to evaluate online yet.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: myonlinearcade.com malware

Unread postby z147 » July 8th, 2011, 8:44 am

I ran TDSSKiller. I also have a false windows security bug on the machine and can't copy anything.

2011/07/08 08:35:40.0078 0204 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
2011/07/08 08:35:40.0468 0204 ================================================================================
2011/07/08 08:35:40.0468 0204 SystemInfo:
2011/07/08 08:35:40.0468 0204
2011/07/08 08:35:40.0468 0204 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/08 08:35:40.0468 0204 Product type: Workstation
2011/07/08 08:35:40.0468 0204 ComputerName: ANDREW-PC
2011/07/08 08:35:40.0468 0204 UserName: AZ
2011/07/08 08:35:40.0468 0204 Windows directory: C:\WINDOWS
2011/07/08 08:35:40.0468 0204 System windows directory: C:\WINDOWS
2011/07/08 08:35:40.0468 0204 Processor architecture: Intel x86
2011/07/08 08:35:40.0468 0204 Number of processors: 1
2011/07/08 08:35:40.0468 0204 Page size: 0x1000
2011/07/08 08:35:40.0468 0204 Boot type: Normal boot
2011/07/08 08:35:40.0468 0204 ================================================================================
2011/07/08 08:35:41.0656 0204 Initialize success
2011/07/08 08:35:44.0015 0320 ================================================================================
2011/07/08 08:35:44.0015 0320 Scan started
2011/07/08 08:35:44.0015 0320 Mode: Manual;
2011/07/08 08:35:44.0015 0320 ================================================================================
2011/07/08 08:35:55.0968 0320 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/07/08 08:35:55.0968 0320 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/08 08:35:55.0984 0320 MBR (0x1B8) (b2c30d2809c155a3de14b0aed50ef0b5) \Device\Harddisk5\DR10
2011/07/08 08:35:56.0343 0320 Boot (0x1200) (77a1e1f69097cdc2f3acb43aa23c394a) \Device\Harddisk0\DR0\Partition0
2011/07/08 08:35:56.0359 0320 ================================================================================
2011/07/08 08:35:56.0359 0320 Scan finished
2011/07/08 08:35:56.0359 0320 ================================================================================
2011/07/08 08:35:56.0375 0372 Detected object count: 1
2011/07/08 08:35:56.0375 0372 Actual detected object count: 1
2011/07/08 08:36:04.0093 0372 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/08 08:36:04.0093 0372 \Device\Harddisk0\DR0 - ok
2011/07/08 08:36:04.0093 0372 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/08 08:36:13.0515 2820 Deinitialize success
z147
Regular Member
 
Posts: 47
Joined: July 2nd, 2011, 12:13 pm
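The TDSSKiller log above reports one detection, in the MBR of \Device\Harddisk0\DR0, together with the action the user chose. As an added example that is not part of this thread and not Kaspersky's code, the Python below parses a log in this layout (the layout is inferred from the posted log, not from a published specification) and reports what a helper needs to read out of it: which device's boot sector was flagged, the action selected, whether a reboot is still pending, and whether the tool's own object count agrees with the lines logged. The sample lines are trimmed copies of the log above.

```python
# Added example (not from the thread or from Kaspersky): triage a TDSSKiller text log.
# Line layout "<yyyy/mm/dd hh:mm:ss.ffff> <thread-id> <message>" is inferred from the
# log posted above; SAMPLE_LOG reuses a handful of those lines, trimmed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)(?:\s+(.*))?$")
# Scanned object "<name> (<md5>) <path>"; the name may contain spaces ("MBR (0x1B8)").
OBJECT_RE = re.compile(r"^(.+?) \(([0-9a-f]{32})\) (.+)$")
DETECTED_RE = re.compile(r"^(.+?) - detected (\S+) \(\d+\)$")
PENDING_RE = re.compile(r"^(.+?) \((\S+)\) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(\S+?)\((.+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")
VERSION_RE = re.compile(r"^TDSS rootkit removing tool (\S+)")


@dataclass
class Detection:
    path: str
    threat: str
    action: str = "none"           # Cure / Skip, as chosen in the results dialog
    reboot_required: bool = False


@dataclass
class ScanReport:
    tool_version: str = ""
    objects_scanned: int = 0
    mbr: Dict[str, str] = field(default_factory=dict)               # device -> MBR md5
    detections: Dict[str, Detection] = field(default_factory=dict)  # path -> detection
    reported_count: Optional[int] = None


def parse_tdsskiller(text: str) -> ScanReport:
    """Walk the log once, collecting scanned objects, detections and the actions taken."""
    report = ScanReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = (m.group(3) or "").strip()   # the message part may be empty
        if VERSION_RE.match(msg):
            report.tool_version = VERSION_RE.match(msg).group(1)
        elif OBJECT_RE.match(msg):
            name, md5, path = OBJECT_RE.match(msg).groups()
            report.objects_scanned += 1
            if name.startswith("MBR"):
                report.mbr[path] = md5
        elif DETECTED_RE.match(msg):
            path, threat = DETECTED_RE.match(msg).groups()
            report.detections[path] = Detection(path, threat)
        elif PENDING_RE.match(msg):
            path, threat = PENDING_RE.match(msg).groups()
            report.detections.setdefault(path, Detection(path, threat)).reboot_required = True
        elif ACTION_RE.match(msg):
            threat, path, action = ACTION_RE.match(msg).groups()
            report.detections.setdefault(path, Detection(path, threat)).action = action
        elif COUNT_RE.match(msg):
            report.reported_count = int(COUNT_RE.match(msg).group(1))
    return report


def triage(report: ScanReport) -> List[str]:
    """One line per detection, plus a warning if the tool's own count disagrees."""
    findings = []
    for path in sorted(report.detections):
        det = report.detections[path]
        where = "MBR of" if path in report.mbr else "file"
        line = f"{det.threat} in {where} {path}: action={det.action}"
        if det.action != "Cure":
            line += " (not cured, infection still in place)"
        if det.reboot_required:
            line += "; reboot required to complete the cure"
        findings.append(line)
    if report.reported_count is not None and report.reported_count != len(report.detections):
        findings.append(f"count mismatch: tool reported {report.reported_count}, "
                        f"log shows {len(report.detections)}")
    return findings


# Constructed sample: lines copied from the log posted above, with most driver lines cut.
SAMPLE_LOG = r"""
2011/07/08 08:35:40.0078 0204 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
2011/07/08 08:35:40.0468 0204
2011/07/08 08:35:44.0015 0320 Scan started
2011/07/08 08:35:45.0109 0320 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/08 08:35:54.0171 0320 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/08 08:35:55.0968 0320 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/07/08 08:35:55.0968 0320 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/08 08:35:55.0984 0320 MBR (0x1B8) (b2c30d2809c155a3de14b0aed50ef0b5) \Device\Harddisk5\DR10
2011/07/08 08:35:56.0359 0320 Scan finished
2011/07/08 08:35:56.0375 0372 Detected object count: 1
2011/07/08 08:36:04.0093 0372 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/08 08:36:04.0093 0372 \Device\Harddisk0\DR0 - ok
2011/07/08 08:36:04.0093 0372 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/08 08:36:13.0515 2820 Deinitialize success
"""
```

Running `triage(parse_tdsskiller(SAMPLE_LOG))` yields the single line a helper cares about: the TDL4 detection in the MBR of Harddisk0, cured, with a reboot still outstanding; a Skip choice would be flagged as leaving the infection in place.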

Re: myonlinearcade.com malware

Unread postby askey127 » July 8th, 2011, 9:03 am

z147,
You do show a rootkit. TDSSK is attempting to remove it.
If you have not Rebooted since running TDSSKiller, please do so.
----------------------------------------------------------------------------------
Run Rkill again
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware It is free for non-business use.
(Use a separate machine to download it to a flash if necessary. It can be installed directly from the flash.)
Please go here to the Download Location, click on the Free Download button on the Left.
When the next page comes up, click on the Download Now button in the upper right.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Choose Desktop as the location to save the installer and click Save again.
  • You should now have a desktop icon named mbam-setup.exe. Double-click it.
  • Let it install the program where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
    (You can Decline any Offer for a Trial if you don't want the paid version)
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2011-mm-dd(hour-min-sec).txt
  • You can now delete the installer icon, named mbam-setup.exe from your desktop.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: myonlinearcade.com malware

Unread postby z147 » July 8th, 2011, 8:20 pm

Although it found and deleted FakeAV I still see a red icon with an "x" in my tray that I believe is a fake windows security alert. Next step? Thanks.

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\administrator.andrew-pc\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\administrator.andrew-pc\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\administrator.andrew-pc\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\administrator.andrew-pc\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\application data\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
z147
Regular Member
 
Posts: 47
Joined: July 2nd, 2011, 12:13 pm

Re: myonlinearcade.com malware

Unread postby askey127 » July 9th, 2011, 8:03 am

z147,
Please do all of these tasks at one time, with no surfing in between.
-----------------------------------------------------------
Download the Microsoft Security Essentials Installer
The download is here: http://www.microsoft.com/security_essentials/
Save it to your desktop BUT DON'T RUN IT YET.
-----------------------------------------------------------
Download the ComboFix Program
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the download file.
We will remove your Antivirus BEFORE we run ComboFix.
.
Download ComboFix from here
Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
**Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
SAVE IT AS zzz.exe to your desktop, BUT DON'T RUN IT YET.
---------------------------------------------------------
Remove AVG
The analytical tools we use do not work properly with AVG installed.
For this reason and others, we will be removing your AVG antivirus in the following instructions, and installing a different antivirus later.

Go to this site: http://www.avg.com/us-en/download-tools
For a 32-bit machine, download this to your desktop:
AVG Remover(32bit) 2011
(avg_remover_stf_x86_2011_1322.exe)

If you have a 64-bit machine, download this one to your desktop:
AVG Remover(64bit) 2011
(avg_remover_stf_x64_2011_1322.exe)

Double click the remover (Right click and choose "Run as administrator" in Vista/Win7). It will require a restart.
-----------------------------------------------------------
Run ComboFix (zzz.exe)
  • Now double click zzz.exe on your desktop (Right click and choose "Run as administrator" in Vista/Win7). OK any disclaimers and start the scan.
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
Don't do any surfing until you complete the following:
-----------------------------------------------------------
Install, Update, Scan with Microsoft Security Essentials
Double Click the icon for Microsoft Security Essentials (Right Click and "Run as administrator" in Vista/Win7)
Let it Install, update itself, and run a scan. Have it delete anything it finds.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: myonlinearcade.com malware

Unread postby z147 » July 9th, 2011, 12:20 pm

askey127

I'm just about to run zzz.exe. You instruct to right click and run as administrator but my right click has not worked since these problems started. I assumed it was a symptom associated with the malware. I've been getting by without being able to right click or cut/paste using right click. Should I just click run on zzz.exe?
z147, Regular Member
Posts: 47
Joined: July 2nd, 2011, 12:13 pm

Re: myonlinearcade.com malware

Unread postby askey127 » July 9th, 2011, 1:44 pm

The right click is not required on XP (Vista and Win7 only).
Just double click to run it.
Sorry for the confusion.

Re: myonlinearcade.com malware

Unread postby z147 » July 9th, 2011, 2:48 pm

ComboFix went well. When I ran MSE it got to Update and ran into a problem. I clicked Update and a message came up: "Virus and spyware definitions update failed. Security Essentials could not check for virus and spyware definition updates due to an Internet or network connectivity issue". My connection to the Internet is working well. I still have the red shield with an X on it in my tray. Is that a real MS icon?

ComboFix 11-07-09.02 - AZ 07/09/2011 14:17:32.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.617 [GMT -4:00]
Running from: c:\documents and settings\AZ\Desktop\zzz.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\AZ\Application Data\Adobe\shed
c:\windows\system32\$winnt$.inf
c:\windows\vb.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2011-07-09 18:09 . 2011-07-09 18:10 -------- d-----w- C:\zzz
2011-07-08 23:36 . 2011-07-08 23:36 -------- d-----w- c:\documents and settings\AZ\Application Data\Malwarebytes
2011-07-08 23:36 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 23:36 . 2011-07-08 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-08 23:36 . 2011-07-08 23:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-08 23:36 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 03:15 . 2011-07-08 03:15 -------- d-----w- c:\documents and settings\BZ\Local Settings\Application Data\SupportSoft
2011-07-08 02:43 . 2011-07-08 02:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-07-03 21:25 . 2011-07-03 21:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-07-01 12:55 . 2011-07-01 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2011-07-01 12:55 . 2011-07-01 12:55 -------- d-----w- c:\program files\Comcast
2011-07-01 12:53 . 2011-07-08 01:53 -------- d-----w- c:\documents and settings\AZ\Local Settings\Application Data\SupportSoft
2011-07-01 12:53 . 2011-07-08 01:53 -------- d-----w- c:\program files\Common Files\SupportSoft
2011-06-28 07:57 . 2011-06-28 07:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-28 07:57 . 2011-06-28 07:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-28 07:57 . 2011-06-28 07:57 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-06-28 07:53 . 2011-06-28 07:57 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-06-27 20:50 . 2011-06-27 20:50 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-27 19:31 . 2011-07-08 02:04 -------- d-----w- c:\program files\StartNow Toolbar
2011-06-24 20:43 . 2011-06-24 20:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-24 13:37 . 2011-06-24 13:37 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-06-17 14:03 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:31 . 2010-12-24 00:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2001-08-18 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2001-08-18 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 14:11 . 2009-03-08 09:39 11081728 ----a-w- c:\windows\system32\ieframe(2)(2).dll
2011-04-25 16:11 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2011-04-25 16:11 . 2001-08-18 12:00 1211904 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2011-04-25 16:11 . 2009-03-08 09:32 1991680 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2011-04-25 16:11 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2010-12-24 01:46 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2001-08-18 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-04-12 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 600(Network)]
2008-03-05 11:00 188928 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIEKA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Documents and Settings\\AZ\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\AZ\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
.
S2 CrossLoopService;CrossLoop Service;c:\documents and settings\AZ\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [4/28/2011 4:33 PM 560880]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/8/2011 7:36 PM 39984]
S3 tvnserver;TightVNC Server;c:\documents and settings\AZ\Local Settings\Application Data\CrossLoop\tvnserver.exe [4/28/2011 4:33 PM 814080]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.74.166 68.87.68.166
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\documents and settings\AZ\Application Data\Mozilla\Firefox\Profiles\yx8detvg.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4ddebeab ... g=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-scIeDgaoTLYN - c:\documents and settings\All Users\Application Data\scIeDgaoTLYN.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-09 14:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-09 14:26:31
ComboFix-quarantined-files.txt 2011-07-09 18:26
.
Pre-Run: 65,446,297,600 bytes free
Post-Run: 67,023,650,816 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
[spybotsd]
timeout.old=30
.
- - End Of File - - 04A1072CE8EE02571AB483E14398FD19

Re: myonlinearcade.com malware

Unread postby askey127 » July 10th, 2011, 7:01 am

Please Reboot, Download and Run Rkill again (Malwarebytes removed it), Open MS Security Essentials and see if you can get it to update.
The red shield may be a legit icon from Windows Security Center showing that you have a security (update) issue.

Tell me how/why you use CrossLoop.

Re: myonlinearcade.com malware

Unread postby z147 » July 10th, 2011, 5:02 pm

askey127

CrossLoop is something I installed last time I had a problem so that one of my friends could help me remotely. The red update shield is now gone and everything appears to run fine except that I can't right click. I've checked my mouse settings. I guess I can try to reinstall the mouse. Thank you for all your help. I've learned a lot. The removal process was preferable to reinstalling the OS and all files.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 07/10/2011 at 16:51:11.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Documents and Settings\AZ\Local Settings\Application Data\CrossLoop\CrossLoopService.exe


Rkill completed on 07/10/2011 at 16:51:25.

Re: myonlinearcade.com malware

Unread postby askey127 » July 10th, 2011, 6:23 pm

Good luck.
I would Uninstall CrossLoop if you don't intend to use it regularly.
It provides an unnecessary avenue into your machine from the outside.
askey127
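The ComboFix log posted earlier in the thread shows what askey127's closing advice about CrossLoop rests on: two CrossLoop/TightVNC binaries under the user's profile hold Windows Firewall exceptions, TCP 5910 is globally open, CrossLoopService is an auto-start (S2) service whose binary lives under Documents and Settings, and ComboFix removed an orphaned autostart with the generated-looking name scIeDgaoTLYN. The Python script below is an added example, not a ComboFix or MalwareRemoval.com tool, that pulls exactly those indicators out of a ComboFix-style log so a helper does not have to eyeball them. It assumes the line shapes visible in the posted log (quoted firewall entries, "port:TCP" entries, S2/S3 service lines, Run-key values, and HKLM-Run/MSConfigStartUp orphan lines) and runs on a sample constructed from that log; the "data directory" and "generated name" rules are heuristics chosen here, not anything ComboFix itself applies.

```python
"""Triage a ComboFix-style log for remote-access and odd-autostart indicators.
Added example for this thread, not a ComboFix or MalwareRemoval.com tool; the
line formats and the flagging rules below are assumptions drawn from the log."""
import re

# Sample input, constructed from lines in the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\AZ\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\AZ\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
.
S2 CrossLoopService;CrossLoop Service;c:\documents and settings\AZ\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [4/28/2011 4:33 PM 560880]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/8/2011 7:36 PM 39984]
S3 tvnserver;TightVNC Server;c:\documents and settings\AZ\Local Settings\Application Data\CrossLoop\tvnserver.exe [4/28/2011 4:33 PM 814080]
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-scIeDgaoTLYN - c:\documents and settings\All Users\Application Data\scIeDgaoTLYN.exe
"""

# Per-user profile or All Users data directory: writable without admin rights.
DATA_DIR_RE = re.compile(r"\\(documents and settings|users)\\[^\\]+\\")

def clean_path(path):
    """Collapse the doubled backslashes ComboFix prints inside registry values."""
    return path.replace("\\\\", "\\").strip()

def in_data_dir(path):
    """True if the binary lives under a user profile or All Users data directory."""
    return DATA_DIR_RE.search(clean_path(path).lower()) is not None

def looks_generated(stem):
    """Heuristic for machine-generated names such as scIeDgaoTLYN: several case
    flips plus an interior run of capitals. Misses all-lowercase random names,
    so treat a hit as a prompt to look, not a verdict."""
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 8:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips >= 4 and re.search(r"[a-z][A-Z]{2,}", letters) is not None

def triage(log_text):
    """Return (kind, detail) findings in log order."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ".":                      # ComboFix separates blocks with a lone dot
            section = ""
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()           # registry key heading
            continue
        if "authorizedapplications" in section:
            m = re.match(r'"(.+?)"=', line)  # firewall exception for a program
            if m and in_data_dir(m.group(1)):
                findings.append(("firewall-exception", clean_path(m.group(1))))
            continue
        if "globallyopenports" in section:
            m = re.match(r'"(\d+):(TCP|UDP)"', line)
            if m:
                findings.append(("open-port", f"{m.group(1)}/{m.group(2).lower()}"))
            continue
        # Service lines: S2 = auto-start, S3 = manual; name;display;path [date size]
        m = re.match(r"^S([0-4]) ([^;]+);[^;]*;(.+?) \[", line)
        if m:
            if in_data_dir(m.group(3)):
                start = "auto-start" if m.group(1) == "2" else "manual"
                findings.append(("service-in-data-dir",
                                 f"{m.group(2)} ({start}) {clean_path(m.group(3))}"))
            continue
        # Run-key values ("Name"="path" [date size]) and orphaned autostarts
        # (HKLM-Run-Name - path, MSConfigStartUp-Name - path)
        m = re.match(r'^"[^"]+"="(.+?)"', line) if section.endswith("\\run]") else None
        if m is None:
            m = re.match(r"^(?:HK\w+-Run|MSConfigStartUp)-.+? - (.+)$", line)
        if m:
            path = clean_path(m.group(1))
            stem = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]
            reasons = [r for r, hit in (("data dir", in_data_dir(path)),
                                        ("generated name", looks_generated(stem))) if hit]
            if reasons:
                findings.append(("autostart", f"{path} [{', '.join(reasons)}]"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:21} {detail}")
```

Run it as-is to print the six findings from the sample; for a real log, pass the file contents to triage(). A hit is a question to ask the user, as askey127 does with CrossLoop, not proof of infection: a remote-access tool the owner installed on purpose looks exactly like an unwanted one in this view, and the generated-name rule is deliberately loose.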
Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware