
Vundo!.grb?


22 replies to this topic

#1 Please Help Us


  • Members
  • 156 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 31 January 2009 - 05:25 AM

Good morning Ladies and Gentlemen of the BleepingComputer Forum. I wish I came here on better terms of business than to be causing another problem for all you wonderful people to solve; however, sadly I must. It seems recently *I can't pinpoint the hours exactly, but somewhere yesterday afternoon around the hours of 4-8 PM* I managed to somehow contract the infamous-looking Vundo!GRB trojan, it seems. I've done a little research on the problem; however, I do not wish to move on without the aid of your wonderful staff here.

Let me start off with the common side effects my poor computer seems to be having. Every window in IE or FF will randomly produce a pop-up of another window altogether, making surfing quite a hassle. My Windows security automatic updater is off, and no matter what I try it seems to not come back on. McAfee itself has deleted this trojan for about the tenth time so far, and I'm not sure what else, but it's not getting rid of it. Also a virus scan from reveals nothing.

Now I haven't gone on trying to turn off the computer yet; however, my case reminds me very much of this fellow's:
http://www.bleepingcomputer.com/forums/t/198421/infected-with-vundogrb/
I'm not sure if that will be of any aid to you as well; however, I found it quite odd we shared some of the same problems, from the limited knowledge of computers that I have.

Anyway, enough of me yapping my gums off; here is what you all require, I assume. If you need me to answer anything else, I will be monitoring this topic until a response comes.

DDS File:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Jonathan at 4:04:49.26 on Fri 01/30/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1345 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Jonathan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4ee4}: {2f01a7d9-956c-47c7-a1bb-df10e7b88824} - c:\windows\system32\xyguwgky.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\byXOeCss.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {8e3f7a41-65da-4cf1-a740-099d3bd9250e} - c:\windows\system32\vtUolLcB.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {f2af6a1e-1b87-a0d8-2204-6dc653a4956c}: {c6594a35-6cd6-4022-8d0a-78b1e1a6fa2f} - c:\windows\system32\kanbps.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DLBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBUtime.dll,_RunDLLEntry@16
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [981b48ce] rundll32.exe "c:\windows\system32\xriyepbs.dll",b
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: byXOeCss - byXOeCss.dll
AppInit_DLLs: kanbps.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\byXOeCss.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUolLcB

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonathan\applic~1\mozilla\firefox\profiles\p4on7tbg.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-12 201320]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2008-4-27 33792]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-12 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-12 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-12 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-12 40488]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2008-5-30 56576]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R4 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-29 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-12 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-12 144704]
S3 MAC607;MAC607 Filter;c:\windows\system32\drivers\MAC607.sys [2008-7-4 23808]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-12 33832]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\drivers\SaiHFF0C.sys [2008-5-30 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\drivers\saiuFF0C.sys [2008-5-30 19584]
S3 XBox;XBox Filter;c:\windows\system32\drivers\Xbox.sys [2008-7-4 23936]

=============== Created Last 30 ================

2009-01-30 02:48 72,704 a------- c:\windows\system32\xriyepbs.dll
2009-01-30 02:45 75,776 a------- c:\windows\system32\xyguwgky.dll
2009-01-30 02:43 129,024 a------- c:\windows\system32\kanbps.dll
2009-01-30 02:43 129,024 a------- c:\windows\system32\bfcharsc.dll
2009-01-26 18:07 77,072 a------- c:\windows\War3Unin.dat
2009-01-26 18:07 139,264 a------- c:\windows\War3Unin.exe
2009-01-26 18:07 2,829 a------- c:\windows\War3Unin.pif
2009-01-10 21:19 31 a------- c:\documents and settings\jonathan\jagex_runescape_preferences.dat
2009-01-10 21:18 --d----- c:\windows\.jagex_cache_32
2009-01-10 14:28 --d----- c:\program files\Super Mario Blue Twilight DX
2009-01-09 16:53 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-01-09 16:50 --d----- c:\windows\system32\xlive

==================== Find3M ====================

2009-01-30 04:03 46,438 a--sh--- c:\windows\system32\BcLloUtv.ini2
2008-12-29 05:29 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-03 22:02 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-10 15:17 2,296,339 a------- c:\windows\system32\x264vfw.dll
2008-11-02 08:02 7,680 a------- c:\windows\system32\ff_vfw.dll
2008-08-01 19:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080120080802\index.dat

============= FINISH: 4:05:43.40 ===============
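The DDS log above contains the persistence pattern a helper looks for in a Vundo case: several DLLs with no friendly name registered as BHOs, one of them also hooked into Winlogon Notify and the shell (SEH), one listed in AppInit_DLLs, one appended to the LSA Authentication Packages, and a rundll32 autorun with a hex value name, all created minutes apart in system32 on the day of the scan. The following triage script is an added example (not part of this thread, and not code from DDS, ComboFix or BleepingComputer) that reads the Pseudo HJT Report and Created Last 30 sections and scores each DLL on those signals. The sample input is excerpted from the log in the post above; the weights, the seven-day window and the report threshold are this example's own assumptions, not anything the tools or the helpers here define.

```python
"""Triage helper for the persistence entries in a DDS log.

Added example, not part of the original thread and not code from DDS,
ComboFix or BleepingComputer. It reads the 'Pseudo HJT Report' and
'Created Last 30' sections and scores each DLL on where it is registered
(BHO without a friendly name, rundll32 autorun, Winlogon Notify,
AppInit_DLLs, LSA authentication package, SEH), whether it lives in
system32, and whether it was created within a few days of the scan.
The weights and the report threshold are this example's own assumptions.
"""
import re
from datetime import date

# Constructed sample input: lines excerpted from the DDS log in post #1 above.
SAMPLE_LOG = r"""
Run by Jonathan at 4:04:49.26 on Fri 01/30/2009
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4ee4}: {2f01a7d9-956c-47c7-a1bb-df10e7b88824} - c:\windows\system32\xyguwgky.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\byXOeCss.dll
BHO: {8e3f7a41-65da-4cf1-a740-099d3bd9250e} - c:\windows\system32\vtUolLcB.dll
BHO: {f2af6a1e-1b87-a0d8-2204-6dc653a4956c}: {c6594a35-6cd6-4022-8d0a-78b1e1a6fa2f} - c:\windows\system32\kanbps.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [981b48ce] rundll32.exe "c:\windows\system32\xriyepbs.dll",b
Notify: byXOeCss - byXOeCss.dll
AppInit_DLLs: kanbps.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\byXOeCss.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\vtUolLcB
2009-01-30 02:48 72,704 a------- c:\windows\system32\xriyepbs.dll
2009-01-30 02:45 75,776 a------- c:\windows\system32\xyguwgky.dll
2009-01-30 02:43 129,024 a------- c:\windows\system32\kanbps.dll
2009-01-09 16:53 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
"""

# Assumed weights: Winlogon/LSA/AppInit/SEH hooks are rarer and higher-value than a BHO.
LOCATION_WEIGHT = {"Notify": 2, "AppInit_DLLs": 2, "LSA": 2, "SEH": 2}
RECENT_DAYS = 7          # "created recently" window relative to the scan date (assumption)
REPORT_THRESHOLD = 3     # minimum score before a module is reported (assumption)

DLL_PATH = re.compile(r'([^"\s]+\.dll)', re.I)
HEX_VALUE = re.compile(r"^[0-9a-f]{6,}$", re.I)   # autorun value names like [981b48ce]
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} [\d,]+ \S+ (.+\.dll)$", re.I)
RUN_DATE = re.compile(r"^Run by .* on \w+ (\d{2})/(\d{2})/(\d{4})")


def module_key(path):
    """Normalise a full path, a bare file name, or the extension-less name DDS
    prints for LSA packages to a lower-case stem, so every reference to one
    DLL collapses onto the same record."""
    name = path.strip().strip('"').rsplit("\\", 1)[-1]
    return re.sub(r"\.dll$", "", name, flags=re.I).lower()


def parse(log_text):
    """Return {stem: {"paths", "reasons", "score", "created"}} for every DLL seen."""
    run_date, modules = None, {}

    def evidence(path):
        m = modules.setdefault(module_key(path),
                               {"paths": set(), "reasons": [], "score": 0, "created": None})
        m["paths"].add(path.strip().strip('"'))
        return m

    for line in log_text.splitlines():
        line = line.strip()
        d = RUN_DATE.match(line)
        if d:
            mm, dd, yyyy = d.groups()
            run_date = date(int(yyyy), int(mm), int(dd))
            continue
        c = CREATED.match(line)
        if c:
            evidence(c.group(2))["created"] = date.fromisoformat(c.group(1))
            continue
        kind, _, rest = line.partition(": ")
        if kind in ("BHO", "SEH"):
            head, _, path = rest.rpartition(" - ")
            if not path.lower().endswith(".dll"):
                continue                      # e.g. "- No File" orphan entries
            if head.startswith("{"):          # registered under a GUID only, no friendly name
                m = evidence(path)
                m["reasons"].append(f"{kind} without a friendly name")
                m["score"] += LOCATION_WEIGHT.get(kind, 1)
        elif kind in ("mRun", "uRun"):
            v = re.match(r"\[([^\]]+)\]\s*(.*)", rest)
            p = DLL_PATH.search(v.group(2)) if v else None
            if v and p and "rundll32" in v.group(2).lower():
                m = evidence(p.group(1))
                m["reasons"].append(f"{kind} loads it through rundll32")
                m["score"] += 1
                if HEX_VALUE.match(v.group(1)):
                    m["reasons"].append(f"autorun value name '{v.group(1)}' looks generated")
                    m["score"] += 1
        elif kind == "Notify":
            m = evidence(rest.rpartition(" - ")[2])
            m["reasons"].append("Winlogon Notify package")
            m["score"] += LOCATION_WEIGHT[kind]
        elif kind == "AppInit_DLLs":
            for path in filter(None, re.split(r"[,\s]+", rest)):
                m = evidence(path)
                m["reasons"].append("AppInit_DLLs entry (loaded into every user32 process)")
                m["score"] += LOCATION_WEIGHT[kind]
        elif kind == "LSA":
            name, _, pkgs = rest.partition(" = ")
            for path in pkgs.split():
                if path.lower() == "msv1_0":  # the built-in Windows package
                    continue
                m = evidence(path)
                m["reasons"].append(f"LSA {name} entry")
                m["score"] += LOCATION_WEIGHT[kind]

    # Context evidence, added only for modules that already have a persistence hit.
    reference = run_date or max(
        (m["created"] for m in modules.values() if m["created"]), default=None)
    for m in modules.values():
        if m["score"] == 0:
            continue
        if any("\\system32\\" in p.lower() for p in m["paths"]):
            m["reasons"].append("lives in system32")
            m["score"] += 1
        if m["created"] and reference and 0 <= (reference - m["created"]).days <= RECENT_DAYS:
            m["reasons"].append(f"created {m['created']}, within {RECENT_DAYS} days of the scan")
            m["score"] += 2
    return modules


def triage(log_text, threshold=REPORT_THRESHOLD):
    """Modules scoring at or above the threshold, highest score first."""
    hits = {k: m for k, m in parse(log_text).items() if m["score"] >= threshold}
    return dict(sorted(hits.items(), key=lambda kv: (-kv[1]["score"], kv[0])))


def scores(log_text):
    """Convenience view: {stem: score} for the reported modules."""
    return {k: m["score"] for k, m in triage(log_text).items()}


if __name__ == "__main__":
    for stem, m in triage(SAMPLE_LOG).items():
        print(f"{stem:<10} score {m['score']}: " + "; ".join(m["reasons"]))
```

On the sample, the five random-named DLLs are reported and the two legitimate entries that share a signal with them are not: NvCpl.dll is also loaded through rundll32 from system32, but under a readable value name and with no other hook, so it stays below the threshold, and AcroIEHelper.dll is a BHO with a friendly name outside system32. The point of scoring rather than pattern-matching file names is exactly that: no single signal in this log is conclusive on its own, and a name-randomness test alone would flag legitimate McAfee components such as scriptsn.dll.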


#2 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 01 February 2009 - 06:43 AM

Hello Please Help Us,


Similar, yes, but every case is different, to be sure. :) As you saw in the thread you referenced, McAfee needs to be disabled, and preferably uninstalled temporarily for the ComboFix run. Hopefully it will go as easily as her thread did, but let's not count our chickens before they hatch. :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Please Help Us

  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 03 February 2009 - 11:31 PM

Well some good news and bad news.

After I posted this topic, about an hour or two later I managed to find one of your self-help guides using Malwarebytes' Anti-Malware to get rid of the Vundo.

The Guide in question:
http://www.bleepingcomputer.com/malware-re...undo-virtumonde

So happy that I thought I managed to get rid of the terrible program, I ignored your current advice, thinking it was over (no disrespect for your hard time spent on me, sir; however, I thought it was really over).

However, today it seems that it has come back: a scan done by McAfee found them and started to remove ten of the little buggers... However, there also seems to be an EXE program in my Temp Internet files that McAfee can't remove from the virus scan; I plan on cleaning them up as soon as I'm done with this post. I think that may be the original program that may have caused the infection, I'm not sure.

So, what should be my next course of action, should I continue with the Combofix, use the other program listed on the self help guide "VundoFix", give another DDS scan, etc, etc.

I await your response eagerly.

Also, I would like to thank you for your time once again; honestly, you guys (and gals, it seems) really are godsends.

Thank you
-please help us

#4 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 04 February 2009 - 08:35 AM

Hello,

Yes, I'm one of the gals here. :thumbup2:

Please go ahead with ComboFix and post the report. It will show us all the bad files and delete the ones it can. It's very thorough. :)

Thank you for telling me what you did. It helps!

tea

#5 Please Help Us

  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 04 February 2009 - 07:23 PM

Alright, I ran ComboFix and made sure to uninstall McAfee; I reinstalled it just now and hopped back right here to post the log.

From what I can tell it removed one thing (a .job{?} file) however, I'll let you be the judge of that since I'm not even close to being a beginner to this stuff.

Also once again I would like to thank you for your time, and I wish that all is in good news.
I await your answer with a grim patience on myself.

Alright here's Combofix's log.

ComboFix 09-02-04.01 - Jonathan 2009-02-04 17:53:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1642 [GMT -6:00]
Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\whvjexao.job

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-01-30 13:45 . 2009-01-30 13:45 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 13:45 . 2009-01-30 13:45 <DIR> d-------- c:\documents and settings\Jonathan\Application Data\Malwarebytes
2009-01-30 13:45 . 2009-01-30 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-30 13:45 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 13:45 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 18:07 . 2009-01-26 18:18 139,264 --a------ c:\windows\War3Unin.exe
2009-01-26 18:07 . 2009-01-26 18:39 77,072 --a------ c:\windows\War3Unin.dat
2009-01-26 18:07 . 2009-01-26 18:18 2,829 --a------ c:\windows\War3Unin.pif
2009-01-26 18:01 . 2009-01-31 18:53 <DIR> d-------- c:\program files\Warcraft III
2009-01-10 21:19 . 2009-01-10 22:01 31 --a------ c:\documents and settings\Jonathan\jagex_runescape_preferences.dat
2009-01-10 21:18 . 2009-01-10 21:18 <DIR> d-------- c:\windows\.jagex_cache_32
2009-01-10 14:28 . 2009-01-10 14:42 <DIR> d-------- c:\program files\Super Mario Blue Twilight DX
2009-01-09 16:54 . 2009-01-09 16:54 <DIR> d-------- c:\documents and settings\Jonathan\Application Data\InstallShield Installation Information
2009-01-09 16:53 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2009-01-09 16:50 . 2009-01-09 16:50 <DIR> d-------- c:\windows\system32\xlive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 23:44 --------- d-----w c:\program files\Steam
2009-02-03 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-31 07:55 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-31 04:09 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-31 04:09 --------- d-----w c:\program files\Java
2009-01-30 13:12 --------- d-----w c:\program files\dl_Cats
2009-01-27 18:19 --------- d-----w c:\program files\Project64 1.6
2009-01-22 22:37 --------- d-----w c:\documents and settings\Jonathan\Application Data\Hamachi
2009-01-19 09:28 --------- d-----w c:\documents and settings\Jonathan\Application Data\Skype
2009-01-19 01:12 --------- d-----w c:\program files\Google
2009-01-15 05:42 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 22:54 --------- d-----w c:\program files\Bethesda Softworks
2009-01-09 03:33 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-29 11:29 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-29 10:10 --------- d-----w c:\program files\Electronic Arts
2008-12-26 21:33 --------- d-----w c:\program files\Midway
2008-12-23 01:04 --------- d-----w c:\program files\VSTplugins
2008-12-23 01:04 --------- d-----w c:\documents and settings\Jonathan\Application Data\Sony
2008-12-23 01:04 --------- d-----w c:\documents and settings\Jonathan\Application Data\Publish Providers
2008-12-23 00:58 --------- d-----w c:\program files\Sony
2008-12-23 00:58 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-12-23 00:56 --------- d-----w c:\program files\Sony Setup
2008-12-11 23:18 --------- d-----w c:\documents and settings\Jonathan\Application Data\Media Player Classic
2008-12-11 23:13 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-10 21:17 2,296,339 ----a-w c:\windows\system32\x264vfw.dll
2008-08-02 01:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080120080802\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 68856]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-07 1410296]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DLBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\system32\Ctxfihlp.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kanbps.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2008-04-27 33792]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2008-05-30 56576]
S3 MAC607;MAC607 Filter;c:\windows\system32\drivers\MAC607.sys [2008-07-04 23808]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\drivers\SaiHFF0C.sys [2008-05-30 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\drivers\saiuFF0C.sys [2008-05-30 19584]
S3 XBox;XBox Filter;c:\windows\system32\drivers\Xbox.sys [2008-07-04 23936]
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\p4on7tbg.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 17:55:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
DLBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1844237615-926492609-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:01,ff,2b,03,ac,2e,3b,77,7c,8a,8e,d3,a8,dc,f5,fc,7e,ac,24,2c,1d,69,f9,
ca,02,a8,4e,32,3c,23,03,76,b4,df,e0,f4,35,6c,81,a7,a3,3c,6d,9a,08,3b,ac,26,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1844237615-926492609-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:82,70,ec,27,31,dd,f2,7f,79,ff,09,8d,43,dc,d8,51,34,79,cd,3f,b1,
ae,e2,11,24,5c,5a,c8,1c,44,d9,9a,eb,4b,ee,54,57,30,66,bc,3d,db,63,22,19,24,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
Completion time: 2009-02-04 17:56:34
ComboFix-quarantined-files.txt 2009-02-04 23:56:32

Pre-Run: 245,210,755,072 bytes free
Post-Run: 246,460,366,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

159 --- E O F --- 2009-01-15 05:42:43

#6 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 05 February 2009 - 07:51 AM

Hello there,

How is it running now please?

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

3. Copy that log and paste it in a reply here. :thumbup2:

Thanks,
tea

#7 Please Help Us

  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 05 February 2009 - 04:55 PM

It seems to be doing much better as of now; however, it was also running fine after Malwarebytes detected it and deleted it, and then McAfee still found some traces of it...

Also, about the HijackThis program, which should I download, the installer, exe, etc., etc.? Or does it really matter?

If it means anything, I'd rather not have all these programs that I'm only going to use once, so...

Your opinion would be nicely accepted; I await your response.

#8 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 05 February 2009 - 06:31 PM

Hello,

We'll clean everything up. :thumbup2: The .exe of HijackThis would be easiest. This will be the last thing I ask you to download, and you'll be able to uninstall it when we're done as well.

If you want to, go ahead and delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If it's space you're worried about, then this will be a welcome thing to do. You'll free up several hundred MB.

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_12.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Thanks,
tea

#9 Please Help Us

  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 05 February 2009 - 09:25 PM

Alright, I would like to thank you for your help, however, on your last tip on updating java I do not see the exact line you're talking about. Could you please clear this up a bit so I hope I'm not going blind.

Also here is the Hijack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:46 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\Jonathan\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: kanbps.dll
O23 - Service: McAfee Application Installer Cleanup (0247531233792429) (0247531233792429mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Jonathan\LOCALS~1\Temp\024753~1.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbu_device - - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9079 bytes

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 06 February 2009 - 10:18 AM

Hello,

When you click on that link I gave you, it's the very top one " JRE 6 Update 12". My apologies.....they've changed the page a bit, so I need to change my navigation directions to leave that line out now. :) Thank you for pointing it out to me. :thumbup2:

Have you ever heard of kan BPS? There isn't much on it at all. I'm looking at the O20 on your log. If you don't know what it is, then I'd like to be sure before we go killing it.

Please go to the following site : http://www.threatexpert.com/submit.aspx

In the "file to submit" area, please click the browse button and navigate to the following file :

C:\WINDOWS\System32\kanbps.dll

Check the "I agree" box and when your file is uploaded, click submit.

Please post back with the URL of the page that comes up when it's done analyzing the file.

Thanks,
tea

#11 Please Help Us

Please Help Us
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 06 February 2009 - 05:12 PM

Well, I updated my Java (yay?!) so hopefully things will be better.

Also I've never heard of that .dll program.....which wouldn't really matter that much if I could FIND it.

I've checked System32, system....everywhere basically for it and it seems to have vanished from the face of the Earth, which really worries me.

So what do you want me to do, run another file scan, look for it more?

Just tell me what to do and I'll do my best.

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 06 February 2009 - 05:36 PM

Nope, that's okay. :thumbup2: That means it's only a leftover if you can't find it.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - AppInit_DLLs: kanbps.dll
O23 - Service: McAfee Application Installer Cleanup (0247531233792429) (0247531233792429mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Jonathan\LOCALS~1\Temp\024753~1.EXE


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

How is it running please? If you like MBAM, then keep it. I don't know what other tools you used before, and don't see anything else present except for MBAM and HijackThis. You might consider keeping HijackThis in case you need it in the future. If not, then uninstall it. :)

tea
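As an added example (not a tool from this thread or from BleepingComputer), here are the checks teacup61 applied by eye to the log in post #9 and the fix list above, written as a small Python triage script. The sample log is constructed from lines copied out of that post; the severities, the Finding class and the helper names are my own assumptions. The rules mirror the entries she chose to fix: an orphaned BHO with "(no file)", a non-empty AppInit_DLLs value, a service whose binary lives under a Temp directory, and a Run entry with no path that cannot be verified from the log alone.

```python
"""Triage helper for HijackThis-style logs (added example, not a BleepingComputer tool)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O20 - AppInit_DLLs: kanbps.dll
O23 - Service: McAfee Application Installer Cleanup (0247531233792429) (0247531233792429mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Jonathan\LOCALS~1\Temp\024753~1.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Finding:
    severity: str   # assumed scale: "high", "medium" or "low"
    section: str    # HijackThis section code, e.g. "O20"
    line: str       # the log line that triggered the rule
    reason: str     # why a human should look at it


_ENTRY = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")          # "O23 - Service: ..."
_RUN = re.compile(r"^HK\w+\\\.\.\\Run[^:]*:\s+\[[^\]]*\]\s*(.*)$")  # "HKLM\..\Run: [name] cmd"


def _first_token(cmd: str) -> str:
    """Return the executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_hjt(log_text: str) -> list[Finding]:
    """Apply the four rules described in the lead-in to every entry line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding("medium", section, line,
                                    "BHO still registered but its DLL is gone; orphaned entry"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            if value:
                findings.append(Finding("high", section, line,
                                        f"AppInit_DLLs loads {value} into every process that loads user32.dll"))
        elif section == "O23":
            path = body.rsplit(" - ", 1)[-1]
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                findings.append(Finding("high", section, line,
                                        "service binary lives under a Temp directory"))
        elif section == "O4":
            r = _RUN.match(body)
            if r:
                exe = _first_token(r.group(1))
                if exe and "\\" not in exe:
                    findings.append(Finding("low", section, line,
                                            f"Run entry '{exe}' has no path; confirm which file it resolves to"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a reader sees the shape of the log at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run against the sample, the two "high" hits are exactly the AppInit_DLLs line and the Temp-resident McAfee cleanup service, and the "medium" hit is the no-file BHO, matching three of the four entries in the fix list. The "low" hits only say that a Run value has no path; NvCplDaemon is a legitimate NVIDIA entry, so that severity is a prompt to confirm the file on disk, not evidence of infection. A script like this cannot tell whether kanbps.dll is malicious, which is why the ThreatExpert submission in post #10 was the right next step.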

#13 Please Help Us

Please Help Us
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 06 February 2009 - 06:02 PM

Just removed/fixed those items besides the last one. (It was gone...?)

Well how is it running?

Well just like new actually, I'm really surprised.

I still want to clean up some stuff on it, however, last time I tried to do that I BSOD my way to the loony bin.

Also about keeping the programs, I do think I will, since MBAM did more in about twenty minutes than McAfee can do in a several hour scan.

In fact, speaking of McAfee, I wish I could find something better, but meh....I haven't really been into the recent protection phase till about now so no clue where to start or what is even good, (besides staying away from Norton the spawn of the underworld internet protection program it seems).

HijackThis seems real helpful, however, I wouldn't know what to fix and what not to fix and what should be what...since I do think as you can tell I'm somewhat computer illiterate. (Which is something I wish to change but I don't know where to start.)

Overall I'd have to say this has been really really helpful, I just wish I had something in return to give you for all the time you've wasted on helping me.

Thank you! :thumbup2:

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:30 PM

Posted 06 February 2009 - 06:17 PM

Wasted? :step4: I don't feel at all like this was time wasted.

What is it you want to clean?

For AntiVirus protection......there are several free alternatives that are just as good as the paid programs. Avira OR Avast are good FREE antivirus. I run Avira on my own system, along with the also free Comodo firewall. http://comodo.com If you try Comodo, do NOT let it install the entire suite. Choose only the firewall. The suite as a whole leaves a lot to be desired.

I wouldn't want you to try and use HijackThis yourself. There is a lot more to it than meets the eye. But if something happens in the future and you need to have your computer looked at again, you'll have a starting point. :)

I'm glad it's running so well, and you're welcome. :thumbup2:

tea

#15 Please Help Us

Please Help Us
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 06 February 2009 - 06:42 PM

I hope we aren't getting off topic but....

Just a bunch of random junk hanging out of my computer that was there when I had to reboot it.
Also stuff I don't use anymore, but I'm one of those people who are like "Ehh...I might use this...Ehh...." or also in a more human term, someone who has trouble deciding on what to keep and what not.

Also could any of these programs run along side another, or is that just a plain unhealthy habit in general?



