Please, please help. Possible malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by mezzmorized, Mar 4, 2010.

  1. mezzmorized

    mezzmorized Private E-2

    Hi,
    I have read your "read me first" section and can only get as far as saving the new Java file. Every time I try to install it, it ends up stopping due to a runtime error. I feel this is because my downloads are extremely slow; it was taking 3 hours plus to download the Java file.
    I have tried so many things as my computer is extremely slow. I think I have a virus as my son downloads torrents and I think my PC has now been infected. I have tried different anti-spyware tools but ended up deleting them all and now have Microsoft Security Essentials, which states there is no malware/spyware.
    Please let me know what I should do from here to provide you with as much info as possible.
    regards,
    Mezz
     
  2. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

    Try not to restart the computer until one of the tools we use does it for you or tells you to.

    If one of the tools will not run just go on to the next one. Save the logs to post in your next reply.

    1) Please download and run the tool below, Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the next one.

    Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * When finished it will create a log.
    * Please post the rkill.log in the next reply.

    * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.


    Once you've gotten one of them to run, immediately try to run the following.


    2) Download and run exeHelper

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Add the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



    If you already have them installed, be sure to update Malwarebytes and SUPERAntiSpyware before the scan!

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: SUPERAntiSpyware - running & getting a log

    Now run this: Using MGtools

    Logs needed:


    • Rkill
    • exeHelper
    • Malwarebytes
    • SUPERAntiSpyware
    • MGlogs
     
  3. mezzmorized

    mezzmorized Private E-2

    Hi, thanks for responding.
    I am still in the middle of downloading and producing the logs you requested.
    We had a power failure yesterday caused by a freak storm, and therefore the computer restarted after running the first step. As it stated to try not to restart the computer and to run step 2 as soon as possible, I am just wanting to make sure that it is OK to go ahead, or whether I should start from the beginning again.
    (sorry for my lack of knowledge on these things)
    thanks again for your patience...
     
  4. evilfantasy

    evilfantasy Malware Fighter

    Yes, you can start over. You can run Rkill and exeHelper at any time. If they work and then suddenly you can't download or run something, just run them again to try to get those functions back.
     
  5. mezzmorized

    mezzmorized Private E-2

    Hi,
    Here are the logs as requested
    cheers
     

    Attached Files:

  6. mezzmorized

    mezzmorized Private E-2

    and the last one...
     

    Attached Files:

  7. evilfantasy

    evilfantasy Malware Fighter

    Run C:\MGtools\analyse.exe by double-clicking on it (Note: if using Vista, don't double-click; right-click it and select Run As Administrator). This is really HijackThis (select Do a system scan only). Select the following lines, but DO NOT CLICK Fix Checked until you exit all browser sessions, including the one you are reading in right now:


    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    • O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    • O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    After clicking Fix checked, exit HijackThis.



    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    Please go to Jotti's malware scan
    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

    * Copy the file path in the below Code box:
    Code:
    C:\Program Files\Common Files\alq.exe
    * At the upload site, click once inside the window next to Browse.
    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    * Next click Submit file
    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    * This will perform a scan across multiple different virus scanning engines.
    * Important: Wait for all of the scanning engines to complete.
    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.


    Attach the ComboFix log also. It's in C:\combofix.txt
     
  8. mezzmorized

    mezzmorized Private E-2

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

    Please go to Jotti's malware scan
    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

    * Copy the file path in the below Code box:
    Code:
    c:\windows\system32\drivers\TCPIP.SYS
    * At the upload site, click once inside the window next to Browse.
    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    * Next click Submit file
    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    * This will perform a scan across multiple different virus scanning engines.
    * Important: Wait for all of the scanning engines to complete.
    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Also scan this file and post the link to the results.

    Code:
    c:\windows\system32\dllcache\TCPIP.SYS
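
    The request above asks for both the live TCPIP.SYS and the copy in dllcache to be scanned. The script below is an added example, not code from this thread or from any of the tools it names: it hashes a live Windows system file and the pristine copy Windows File Protection keeps in system32\dllcache and reports whether the two differ, which is the first local check worth doing before uploading either. The two C:\Windows paths are the ones named in the post; make_sample_pair() builds constructed files in a temp directory so the demonstration runs offline.

```python
"""Compare a live Windows system file with its dllcache (WFP) copy.

Added example; not code from the thread or from the tools it mentions.
Windows File Protection keeps a reference copy of protected files under
system32\\dllcache.  A live tcpip.sys that no longer matches that copy is
the one to upload to a multi-engine scanner first.  The sample files made by
make_sample_pair() are constructed for an offline demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# The two paths the thread's helper asked to have scanned.
LIVE_TCPIP = r"C:\Windows\system32\drivers\tcpip.sys"
CACHE_TCPIP = r"C:\Windows\system32\dllcache\tcpip.sys"


def sha256_of(path):
    """Hash the file in 1 MiB chunks so large drivers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_cache(live_path, cache_path):
    """Describe whether live_path matches cache_path.

    'status' is 'match', 'MISMATCH', or 'missing' (at least one side absent);
    sizes are reported too, since a patched driver is often a different length.
    """
    live, cache = Path(live_path), Path(cache_path)
    if not live.is_file() or not cache.is_file():
        return {
            "status": "missing",
            "live_exists": live.is_file(),
            "cache_exists": cache.is_file(),
        }
    live_hash, cache_hash = sha256_of(live), sha256_of(cache)
    return {
        "status": "match" if live_hash == cache_hash else "MISMATCH",
        "live_sha256": live_hash,
        "cache_sha256": cache_hash,
        "live_size": live.stat().st_size,
        "cache_size": cache.stat().st_size,
    }


def make_sample_pair(tampered):
    """Constructed live/cache pair in a temp dir; the 'tampered' live copy has
    extra bytes appended, standing in for a patched driver."""
    folder = Path(tempfile.mkdtemp())
    original = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"clean driver body" * 100
    (folder / "cache_tcpip.sys").write_bytes(original)
    live_bytes = original + b"\x90\x90patched" if tampered else original
    (folder / "live_tcpip.sys").write_bytes(live_bytes)
    return str(folder / "live_tcpip.sys"), str(folder / "cache_tcpip.sys")


if __name__ == "__main__":
    for tampered in (False, True):
        live, cache = make_sample_pair(tampered)
        print(compare_with_cache(live, cache))
    # On the affected machine itself:
    print(compare_with_cache(LIVE_TCPIP, CACHE_TCPIP))
```

    Two caveats a practitioner would add: a mismatch is not proof of infection on its own (a hotfix can leave the two copies at different versions), and a match is not proof of a clean driver, since a kernel-level rootkit can patch both copies or hide its changes from file reads on the running system. Hashing from an offline mount or boot CD sidesteps the second problem; the multi-engine upload the helper asked for covers the first.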
     
  10. mezzmorized

    mezzmorized Private E-2

    Last edited: Mar 9, 2010
  11. evilfantasy

    evilfantasy Malware Fighter

    Please see here. Warning about Porn, Keygens, Cracks, and other Illegal Software.

    If there is any more cracked software, movies, games etc, on the computer please remove it now. That's likely how this computer became so infected. You have already been turned down for help at least once and I will discontinue also if I find any more after this warning.



    Clean out your temporary internet files and temp files.

    Download TFC by OldTimer to your desktop.

    Double-click TFC.exe to run it.

    Note: If you are running on Vista, right-click on the file and choose Run As Administrator

    TFC will close all programs when run, so make sure you have saved all your work before you begin.

    * Click the Start button to begin the cleaning process.
    * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
    * Please let TFC run uninterrupted until it is finished.

    Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.



    I need you to scan this file at Jotti's malware scan

    Code:
    c:\windows\system32\wifemaan.dll
    Post the link to the results back here.



    Download CKScanner by askey127 to your desktop.

    * Double click CKScanner.exe and click Search For Files
    * When the cursor hourglass disappears click Save List To File
    * A message box will verify the file saved.
    * There will now be a file called CKFiles.txt on your desktop.
    * Attach the CKFiles.txt in your next reply.



    Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please attach the contents of that document.
     
    Last edited: Mar 9, 2010
  12. mezzmorized

    mezzmorized Private E-2

    Attached Files:

  13. evilfantasy

    evilfantasy Malware Fighter

    All of these are cracks and have to be removed. I know where they are and I won't reply again if I see another one.


    Download OTM by OldTimer to your desktop.

    Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.

    * Save it to your Desktop.
    * Double-click OTM.exe to run it.
    * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

    Code:
    :Processes
    explorer.exe

    :Files
    c:\documents and settings\owner\desktop\rmeqrcof[1]
    c:\documents and settings\owner\desktop\westwardv1.02keygeneclipse[1]
    c:\documents and settings\owner\my documents\adobeillustratorcsv11.0keygenssg.zip
    c:\documents and settings\owner\my documents\extratorrent_com_farmer_jane_vace_cracked_2008.torrent
    c:\documents and settings\owner\my documents\keygen.exe
    c:\documents and settings\owner\my documents\westwardv1.02keygeneclipse.zip
    c:\documents and settings\owner\my documents\2300 java games\1000 juegos\chessgenius_v1.0_cracked
    c:\documents and settings\owner\my documents\2300 java games\1000 juegos\digitalred shuffleboard v20
    c:\documents and settings\owner\my documents\2300 java games\1000 juegos\geopod\geopod\keygen.exe
    c:\documents and settings\owner\my documents\2300 java games\1000 juegos\hantro\hantro_v3.3_full_cracked_18plus2.sis
    c:\documents and settings\owner\my documents\2300 java games\1000 juegos\mgs-silverball_v1.60
    c:\documents and settings\owner\my documents\2300 java games\1000 juegos\mgskarting_cracked
    c:\documents and settings\owner\my documents\2300 java games\1000 juegos\mvrpool
    c:\documents and settings\owner\my documents\adobeillustratorcsv11.0keygenssg
    c:\documents and settings\owner\my documents\ecltjinx[1]
    c:\documents and settings\owner\my documents\limewire lime wire pro v.4.10.0.1 cracked with java runtime environment
    c:\program files\big fish games _ my kingdom for the princess _ jacksplatcrack _ precrack ---[www.torrentgamez.com]--- .torrent
    c:\program files\bigfish_games_-_farmer_jane_+_adnan_boy_2008_+_precracked.torrent
    c:\program files\extratorrent com big fish _ my kingdom for the princess _ jacksplatcrack _ precrack.torrent
    c:\program files\farmer_jane-vace_cracked_2008.torrent
    c:\program files\mp3 splitter & joiner v3[1].03.1 with crack [mininova].torrent
    c:\program files\mp3[1].splitter.and.joiner.pro.v3.48.build.1.incl.patch.and.keygen-lz0.torrent
    c:\program files\mp3_splitter___joiner_v3.03.1_keygen._________work________.3970468.tpb.torrent
    c:\program files\poweriso v3 7 with keygen (archive checked) - [www slotorrent net] [www[1].fulldls.com].torrent
    c:\program files\winrar 3.80 final eng.pre-cracked.exe
    c:\program files\winrar 3[1].80 final eng.pre-cracked.rar
    c:\program files\ai roboform enterprise v6.9.93
    c:\program files\ai_roboform_professional_6.9.94
    c:\program files\crack
    c:\program files\cucusoft mpeg mov rm divx avi to dvd converter pro 7.07
    c:\program files\k-litepro\downloads\! dvdfab platinum v3.0.2.0 + crack.rar
    c:\program files\k-litepro\downloads\[app] (mp3 splitter1.2)+crack rename to.zip & extract-works perfect on all mp3s, albums & bad albw too (awsome).zip
    c:\program files\mediamonkey 3.1.0.1235 rc1
    c:\program files\rylsim__bdgt33
    c:\program files\super internet tv 6.6.0.0
    c:\program files\tropical_farm
    c:\windows\favorites\roller coaster tycoon 3 incl soaked wild keygen d nocd patch » torrentspy.com.url
    c:\windows\favorites\beads
    c:\windows\favorites\cracks
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

    * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    * Click the red Moveit! button.
    * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

    * Close OTM

    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
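
    The CKScanner step in reply 11 lists files whose names mark them as cracks or keygens, and the OTM script above moves a list of paths out of the way and reports what happened to each. The script below is an added example, not code from this thread nor from CKScanner or OTM; it does both jobs in Python with an explicit per-path result, so a run that moved nothing is obvious at a glance. The INDICATORS keyword list is an assumption, and the tree built by make_sample_tree() is constructed for the demo; only its file names echo the listing in the post.

```python
"""Find crack/keygen artifacts under a tree and move them to a quarantine folder.

Added example; not code from the thread, CKScanner or OTM.  Nothing is
deleted: moved items keep their original layout under the quarantine
directory so a false positive can be put back.  INDICATORS is an assumed
keyword list, and make_sample_tree() builds a constructed layout for an
offline demonstration.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumed name-based indicators.  Crude on purpose: the output is a review
# list for a human, so a false hit only costs a glance, while a miss leaves a
# downloader on disk.
INDICATORS = re.compile(r"keygen|crack|nocd|\.torrent$", re.IGNORECASE)


def find_crack_artifacts(root):
    """Return sorted paths (files and directories) whose name matches INDICATORS."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if INDICATORS.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def quarantine(paths, quarantine_dir, dry_run=False):
    """Move each path into quarantine_dir, mirroring its absolute path there.

    Returns {path: status} with status one of 'moved', 'would move',
    'moved with parent' (a listed parent directory took it along), 'missing',
    or 'failed: <reason>'.  Parents are handled before their children so a
    directory listed together with its contents is moved once.
    """
    qdir = Path(quarantine_dir).resolve()
    report = {}
    handled_roots = []
    for p in sorted(paths, key=lambda s: str(Path(s).resolve())):
        src = Path(p).resolve()
        if any(str(src).startswith(r + os.sep) for r in handled_roots):
            report[p] = "moved with parent"
            continue
        if not src.exists():
            report[p] = "missing"
            continue
        # C:\x\y.exe -> <qdir>\C\x\y.exe ; /x/y -> <qdir>/x/y
        dest = qdir / src.drive.rstrip(":") / src.relative_to(src.anchor)
        if dry_run:
            report[p] = "would move"
            handled_roots.append(str(src))
            continue
        try:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dest))
            report[p] = "moved"
            handled_roots.append(str(src))
        except OSError as exc:
            report[p] = f"failed: {exc}"
    return report


def make_sample_tree():
    """Constructed layout whose names echo the thread's listing; not real files."""
    root = Path(tempfile.mkdtemp())
    for rel in (
        "my documents/keygen.exe",
        "my documents/westwardv1.02keygeneclipse.zip",
        "program files/winrar 3.80 final eng.pre-cracked.exe",
        "program files/farmer_jane-vace_cracked_2008.torrent",
        "program files/crack/readme.txt",
        "program files/notepad++/notepad++.exe",    # benign, must stay
        "my documents/holiday photos/beach.jpg",    # benign, must stay
    ):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"sample content")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    hits = find_crack_artifacts(root)
    print("found:", *hits, sep="\n  ")
    for path, status in quarantine(hits, tempfile.mkdtemp()).items():
        print(f"{status:>18}  {path}")
```

    Run it with dry_run=True first and read the list; a name match is a reason to look, not a verdict. The per-path report is the part that matters on a machine like this one: if every entry comes back 'missing' or 'failed', nothing was cleaned, which is exactly the situation the OTM output in the next reply shows.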
     
  14. mezzmorized

    mezzmorized Private E-2

    All removed...


    Error: Unable to interpret <c:\documents and settings\owner\desktop\rmeqrcof[1]> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\desktop\westwardv1.02keygeneclipse[1]> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\adobeillustratorcsv11.0keygenssg.zip> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\extratorrent_com_farmer_jane_vace_cracked_2008.torrent> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\keygen.exe> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\westwardv1.02keygeneclipse.zip> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\2300 java games\1000 juegos\chessgenius_v1.0_cracked> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\2300 java games\1000 juegos\digitalred shuffleboard v20> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\2300 java games\1000 juegos\geopod\geopod\keygen.exe> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\2300 java games\1000 juegos\hantro\hantro_v3.3_full_cracked_18plus2.sis> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\2300 java games\1000 juegos\mgs-silverball_v1.60> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\2300 java games\1000 juegos\mgskarting_cracked> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\2300 java games\1000 juegos\mvrpool> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\adobeillustratorcsv11.0keygenssg> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\ecltjinx[1]> in the current context!
    Error: Unable to interpret <c:\documents and settings\owner\my documents\limewire lime wire pro v.4.10.0.1 cracked with java runtime environment> in the current context!
    Error: Unable to interpret <c:\program files\big fish games _ my kingdom for the princess _ jacksplatcrack _ precrack ---[www.torrentgamez.com]--- .torrent> in the current context!
    Error: Unable to interpret <c:\program files\bigfish_games_-_farmer_jane_+_adnan_boy_2008_+_precracked.torrent> in the current context!
    Error: Unable to interpret <c:\program files\extratorrent com big fish _ my kingdom for the princess _ jacksplatcrack _ precrack.torrent> in the current context!
    Error: Unable to interpret <c:\program files\farmer_jane-vace_cracked_2008.torrent> in the current context!
    Error: Unable to interpret <c:\program files\mp3 splitter & joiner v3[1].03.1 with crack [mininova].torrent> in the current context!
    Error: Unable to interpret <c:\program files\mp3[1].splitter.and.joiner.pro.v3.48.build.1.incl.patch.and.keygen-lz0.torrent> in the current context!
    Error: Unable to interpret <c:\program files\mp3_splitter___joiner_v3.03.1_keygen._________work________.3970468.tpb.torrent> in the current context!
    Error: Unable to interpret <c:\program files\poweriso v3 7 with keygen (archive checked) - [www slotorrent net] [www[1].fulldls.com].torrent> in the current context!
    Error: Unable to interpret <c:\program files\winrar 3.80 final eng.pre-cracked.exe> in the current context!
    Error: Unable to interpret <c:\program files\winrar 3[1].80 final eng.pre-cracked.rar> in the current context!
    Error: Unable to interpret <c:\program files\ai roboform enterprise v6.9.93> in the current context!
    Error: Unable to interpret <c:\program files\ai_roboform_professional_6.9.94> in the current context!
    Error: Unable to interpret <c:\program files\crack> in the current context!
    Error: Unable to interpret <c:\program files\cucusoft mpeg mov rm divx avi to dvd converter pro 7.07> in the current context!
    Error: Unable to interpret <c:\program files\k-litepro\downloads\! dvdfab platinum v3.0.2.0 + crack.rar> in the current context!
    Error: Unable to interpret <c:\program files\k-litepro\downloads\[app] (mp3 splitter1.2)+crack rename to.zip & extract-works perfect on all mp3s, albums & bad albw too (awsome).zip> in the current context!
    Error: Unable to interpret <c:\program files\mediamonkey 3.1.0.1235 rc1> in the current context!
    Error: Unable to interpret <c:\program files\rylsim__bdgt33> in the current context!
    Error: Unable to interpret <c:\program files\super internet tv 6.6.0.0> in the current context!
    Error: Unable to interpret <c:\program files\tropical_farm> in the current context!
    Error: Unable to interpret <c:\windows\favorites\roller coaster tycoon 3 incl soaked wild keygen d nocd patch » torrentspy.com.url> in the current context!
    Error: Unable to interpret <c:\windows\favorites\beads> in the current context!
    Error: Unable to interpret <c:\windows\favorites\cracks> in the current context!

    OTM by OldTimer - Version 3.1.10.0 log created on 03102010_151840
     
  15. mezzmorized

    mezzmorized Private E-2

    Sorry... I thought that the programme removed them for me. I will delete them now, then post the log again. Sorry.
     
  16. evilfantasy

    evilfantasy Malware Fighter

    Go to add remove programs and uninstall anything with Norton, Symantec or Live Update (Symantec Corporation) in the name.

    Download the Norton Removal Tool (SymNRT) to your desktop.

    Once downloaded please close ALL open browsers, also save any work because this may require a restart.

    * Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
    * Once open Click Next
    * Accept the license agreement and click Next
    * Type in the letters/numbers that you see into the text box then click Next.
    * Then click Next and the tool will start running.
    * Once finished restart the PC.
    * Delete the 'Norton_Removal_Tool' from your desktop.



    Now attach a log from the ESET Online Scan. Using ESET's Online Scanner
     
