Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

E-Shopper Adware, Etc.


  • This topic is locked This topic is locked
27 replies to this topic

#1 nitebeat

nitebeat

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 19 April 2009 - 10:46 AM

This is my Hijack This file, I believe I have the E-Shopper and maybe other problems on my PC - cannot run in "normal" mode, only safe mode. Please advise:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:17, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: TBSB09693 - {A7455FD4-5846-49A4-A2EC-E6332D20697B} - C:\Program Files\Ecocho Toolbar\tbu03139\ecocho-com.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {DC7A3552-A87C-4788-8DD7-648B9AD8EC41} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Ecocho Toolbar - {65B41DCE-101B-4A4A-A53F-374ABB560841} - C:\Program Files\Ecocho Toolbar\tbu03139\ecocho-com.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Tinypic Publisher - http://tinypic.com/flix/tinypic_publisher.CAB
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 9438 bytes

"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]


BC AdBot (Login to Remove)

 


#2 nitebeat

nitebeat
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 19 April 2009 - 04:29 PM

No one around to help me with this?????

"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]


#3 nitebeat

nitebeat
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 21 April 2009 - 11:14 AM

Still need help - anybody?????????????????

Edited by nitebeat, 21 April 2009 - 11:23 AM.

"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]


#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:10:02 AM

Posted 04 May 2009 - 01:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 nitebeat

nitebeat
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 04 May 2009 - 04:07 PM

Hello - thanks for your reply I understand you are busy and appreciate your help. I performed the tasks you stated to perform in "Safe Mode" because in "regular mode" I cannot do anything - programs start and then freeze - can't run A/V progams or anything so, I am attaching the DDS files - please advise further as necessary . . . . .

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Administrator at 16:57:16.03 on Mon 05/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.2135 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: TBSB09693 Class: {a7455fd4-5846-49a4-a2ec-e6332d20697b} - c:\program files\ecocho toolbar\tbu03139\ecocho-com.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {DC7A3552-A87C-4788-8DD7-648B9AD8EC41} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Ecocho Toolbar: {65b41dce-101b-4a4a-a53f-374abb560841} - c:\program files\ecocho toolbar\tbu03139\ecocho-com.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Tinypic Publisher - hxxp://tinypic.com/flix/tinypic_publisher.CAB
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-18 130424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-10-2 29808]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-18 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-18 1095560]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-2 4048240]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2008-11-8 1181040]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-17 214024]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-2 210216]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-17 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-17 144704]
S2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\nikon\wireless camera setup utility\NkPtpEnum.exe [2005-6-17 24064]
S2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2008-1-31 135168]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-28 24652]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-17 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-17 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-17 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-17 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-17 40552]
S3 SNDP202;WFDC;c:\windows\system32\drivers\sndp202.sys [2006-2-4 227072]
S3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [2005-6-17 17664]

=============== Created Last 30 ================

2009-04-18 23:17 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-18 23:17 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-18 23:17 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-18 23:16 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-18 23:16 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-18 23:16 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-18 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-16 00:21 <DIR> --d----- c:\docume~1\admini~1\applic~1\Webroot
2009-04-15 22:33 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-04-15 00:38 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 00:38 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-15 00:38 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 00:38 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 00:37 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 00:37 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 00:37 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 00:37 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 00:37 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 00:37 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 00:10 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-04-15 00:04 <DIR> --d----- c:\windows\Google Toolbar
2009-04-15 00:04 <DIR> --d----- c:\windows\{65B41DCE-101B-4A4A-A53F-374ABB560841}
2009-04-14 21:06 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 21:06 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 21:06 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-11 21:10 <DIR> --d----- c:\program files\Ask.com

==================== Find3M ====================

2009-04-18 22:57 3,202 a------- c:\windows\system32\tmp.reg
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-06 13:32 1,563,008 a------- c:\windows\WRSetup.dll
2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 16:43 164 a------- C:\install.dat
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2006-12-31 21:25 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2005-12-11 12:14 774,144 ac------ c:\program files\RngInterstitial.dll
2008-01-31 23:31 32 a--sh--- c:\windows\{058FEC5C-964E-486C-B174-5DEBB1908199}.dat
2008-01-31 23:26 32 a--sh--- c:\windows\{1A1E218C-9019-456B-BA8A-58F7DB62EB87}.dat
2008-01-31 23:36 32 a--sh--- c:\windows\{1E97249C-945A-495D-9C15-6A99CFE345CD}.dat
2008-01-31 23:26 32 a--sh--- c:\windows\{3AD10F5F-A575-483A-8DF9-269A4B16964E}.dat
2005-09-11 12:54 32 ac-sh--- c:\windows\{774294D7-0CD0-4C6C-B7EC-C57CB5C66672}.dat
2005-02-19 11:08 32 ac-sh--- c:\windows\{83686AA5-7D77-4089-90FA-E700F6B4943B}.dat
2005-09-11 12:53 32 ac-sh--- c:\windows\{8ABD63EE-FCB5-4846-AA91-EF5142EB5E0D}.dat
2008-01-31 23:35 32 a--sh--- c:\windows\{9BCB2C59-B3C4-412C-AA74-047E6A6B494C}.dat
2008-01-31 23:26 32 a--sh--- c:\windows\{FD673AFE-B463-45C0-8191-82A8BF0F3A9B}.dat
2009-01-13 18:50 900 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-01-31 23:26 32 a--sh--- c:\windows\system32\{0CCBD097-7734-4464-9782-4969F2158D54}.dat
2005-02-19 11:08 32 ac-sh--- c:\windows\system32\{14507DC6-2070-4C7C-A95D-0A05AC76A962}.dat
2008-01-31 23:35 32 a--sh--- c:\windows\system32\{6034BFB6-1C6E-431F-935F-B8F83BF61CCC}.dat
2008-01-31 23:31 32 a--sh--- c:\windows\system32\{944420FF-3D69-4B73-9E4A-7D21B348A02C}.dat
2005-09-11 12:53 32 ac-sh--- c:\windows\system32\{981D44E5-16A9-4D84-965A-2DD876635443}.dat
2008-01-31 23:26 32 a--sh--- c:\windows\system32\{CF8AC440-CEAD-4827-B6C1-DE167A6FB0DB}.dat
2008-01-31 23:36 32 a--sh--- c:\windows\system32\{CFE88473-75D6-49D4-B5B6-D00A04FA7088}.dat
2005-09-11 12:54 32 ac-sh--- c:\windows\system32\{E77CB5B8-D72E-4C37-A0D6-159AF4A2802A}.dat
2008-01-31 23:26 32 a--sh--- c:\windows\system32\{FFCCD772-7540-43F1-BF3F-544029F3F64F}.dat
2008-09-01 09:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 16:58:03.93 ===============

And please also find the "attach" file uploaded. I await your further assistance. Thanks again!

Attached Files


"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,723 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:02 PM

Posted 05 May 2009 - 07:43 AM

Hi nitebeat,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
Our priority is getting to normal mode as fast as possible. Please do all the steps and give me feedback about what you doing and what you observe and in any stage you are able to boot to normal mode tell me about that. This round we are going to do some cleaning and maintenance which is needed for a healthy system.

  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, Options.
    • Scroll down the list of options to select "Real-time Protection Options."
    • Uncheck "Use Real-Time Protection (Recommended)".
    • After you uncheck this, click on the Save button and close Windows Defender.

      Note:After all of the fixes are complete and I give you the clean sign you enable Real-time Protection again.
  • Empty all p2p download folders. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • I see on the log My Way Search Assistant is installed on your computer:

    This program is known to be bundled with adware/spyware. You may read more about My Way Search Assistant here:
    http://www.bleepingcomputer.com/uninstall/...-Assistant.html

    To uninstall My Way Search Assistant:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    My Way Search Assistant

    Also remove the folder in bold: C:\Program Files\MyWay

  • If you have a broadband internet connection and no Dial-up you may uninstall NetWaiting as you don't need it.

  • Optional:Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if your are using it:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\Viewpoint

  • I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore you have remove either McAfee or Spyware Doctor. Since you have McAfee with firewall if it has subscription you may keep it and uninstall Spyware Doctor. But if McAfee is expired remove it as follows:

    To remove McAfee AntiVirus I recommend you to use McAfee Consumer Product Removal tool (MCPR.exe).

    For download and instruction to use McAfee Consumer Product Removal tool click on majorgeeks.com

  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.


#7 nitebeat

nitebeat
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 07 May 2009 - 06:10 PM

Hello Again!

OK, I did what you said in the last mssage to me, here are the results:

MalwareBytes Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2090
Windows 5.1.2600 Service Pack 3

5/7/2009 7:04:02 PM
mbam-log-2009-05-07 (19-04-02).txt

Scan type: Quick Scan
Objects scanned: 113909
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:48 PM, on 5/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weresoblogging.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: TBSB09693 - {A7455FD4-5846-49A4-A2EC-E6332D20697B} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {DC7A3552-A87C-4788-8DD7-648B9AD8EC41} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {65B41DCE-101B-4A4A-A53F-374ABB560841} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-21-552665184-792701170-3462284427-500\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Administrator')
O4 - HKUS\S-1-5-21-552665184-792701170-3462284427-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Tinypic Publisher - http://tinypic.com/flix/tinypic_publisher.CAB
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 8880 bytes

Please advise any necessary next steps. Thanks again!!

"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,723 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:02 PM

Posted 07 May 2009 - 06:50 PM

Please make a program list with Hijackthis:
  • Open HijackThis and click Open the Misc Tools section.
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


#9 nitebeat

nitebeat
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 07 May 2009 - 09:17 PM

Here you go sir:

Ad-Aware SE Personal
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player
AIM 6
AIM MusicLink 4.0.0.0
Aimersoft Video Converter(Build 1.1.52)
AIMTunes
Animation Shop 3 Evaluation
AOL Instant Messenger (SM)
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
ArcSoft PhotoMVP
Banctec Service Agreement
Bonjour
BuddyList Ops 1.0.0.1
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
Debut Video Capture Software
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Media Experience Update
Dell Support Center (Support Software)
DellSupport
Digital Line Detect
Digital Media Converter 2.78
Digital Photo Activity Kit
Diner Dash
Diner Dash™
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Express Burn
Greetings Workshop
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Jasc Paint Shop Pro 9
Java 2 Runtime Environment, SE v1.4.2_03
Jeopardy!
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logitech Desktop Messenger
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Zoo Tycoon
MobileMe Control Panel
Modem Helper
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 4.0 SP2 Parser and SDK
Nikon Message Center
Norton SystemWorks 2003
PCFriendly
Photo Click
Photo Loader 2.3E
Photo Viewer
Photohands 1.0E
PictureProject
PictureProject In Touch Downloader 1.0
PowerDVD 5.3
Prism Video Converter
QuickTime
Reading Blaster Ages 9-12
RealArcade
RealPlayer
Rhapsody Player Engine
Roll
Safari
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live! 24-bit
Spelling Dictionaries Support For Adobe Reader 8
SpongeBob Coolbuddy
Spy Sweeper
Spy Sweeper Core
Stardust Screen Saver QuickStart 2.1
Switch Sound File Converter
The Game Of Life
The Sims 2
The Sims 2 Nightlife
The Sims 2 University
The Sims Unleashed
The Sims™ 2 Bon Voyage
The Sims™ 2 Seasons
TI Connect 1.6
Trillian
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
V CAST Music Manager
WD Diagnostics
WFDC
Windows Defender
Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)
Windows Genuine Advantage v1.3.0254.0
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Wireless Camera Setup Utility
WordPerfect Office 12
Xingtone Ringtone Maker

"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,723 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:02 PM

Posted 08 May 2009 - 05:44 AM

Thanks for the log.

You may run Combofix in Safe Mode with networking but please make sure after running ComboFix the computer reboots to normal mode even if it is needed to use the reset button a few times.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Also tell me how is the current condition of your computer.

#11 nitebeat

nitebeat
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 08 May 2009 - 10:57 PM

Hello Once Again!

I ran ComboFix as directed (see attached log) and rebooted in "normal" mode. When in "normal" mode, I cannot access the Internet - just says "connecting" and hangs there. I can also NOT run "CCleaner" - only goes to 4% and stays there. Also, I keep getting popups from McAfee telling me the computer is not protected and to click the popup for additional information. The additional information says that the virus "signature file" is 8 to 29 days outdated and when I click "fix" nothing happens. It seems something still has a "hold" on the meachine, preventing it from doing these things and perhaps other things I have not tried yet. Please advise - thanks again for your help!

Attached Files


Edited by nitebeat, 08 May 2009 - 10:58 PM.

"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,723 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:02 PM

Posted 09 May 2009 - 05:48 AM

Good news you can boot in normal mode. We are going to operate in normal mode unless it is mentioned to boot to Safe Mode.
  • You have still some leftovers from an incomplete uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Run once more ComboFix in normal mode and post the log.


#13 nitebeat

nitebeat
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 09 May 2009 - 10:10 AM

Hi. I see your current reply but want you to know that I USE Norton on the computer (I do not have the Anti-Virus portion installed) I use the other features such as "checkup" - "speed disk" etc. so there is NO conflict with McAfee. McAfee is the only anti-virus / firewall application on the computer at this time so, I am inclined NOT to remove Norton if it is possible to leave it on the machine and if anything needs to be done to "work around" it so that it stays installed, kindly advise.

As mentioned, in NORMAL mode, things start but then stop, NOTHING runs. After I hear from you regarding THIS reply, I will run ComboFix again (in NORMAL mode) and hopefully it will run - even though, as stated, nothing else runs!

Let me know what you think about leaving NORTON on the machine and doing what you have directed or do I need to do something else.

Thank you.

"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,723 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:02 PM

Posted 09 May 2009 - 11:20 AM

I am aware of the fact that you have a Norton product. I didn't mean you have Norton antivirus installed and that is causing conflict with McAfee.
What I see on the log is this:

LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)

Norton SystemWorks 2003

The third one is a utility and I didn't mean to uninstall it. The first two look like the remains of an incomplete uninstall of previously installed Norton antivirus. Tell me me if you had ever Norton antivirus on the computer. If that is the case we the only option is to remove them with Norton removal tool. The reason is that we have seen the remains of Norton before causing even more issues than many adware/spyware stuff do. So the question is if you have ever installed Norton antivirus and uninstalled via Add/Remove?

#15 nitebeat

nitebeat
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Big Apple
  • Local time:10:02 AM

Posted 09 May 2009 - 03:41 PM

Hello. I ran the Norton Removal Tool and then ComboFix (in Normal mode). I tried disabling McAfee but it kept restarting, don't know why. I did receive a couple of McAfee "warning" popups and replied "trust this program" - I hope it did not interfere with what ComboFix had to do. Attached is the latest ComboFix log. Please advise further as necessary. Thank you!

Attached Files


"A little less conversation, a little more action." [Elvis Aaron Presley 1935-1977]





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users