Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Firefox - additional tab opens shortly after startup


  • This topic is locked This topic is locked
13 replies to this topic

#1 SimRacer

SimRacer

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 05 August 2010 - 01:32 AM

I got hit by "antlmalware Doctor" and need help cleaning up.
Symptoms are:

Shortly after starting FireFox an additional tab will appear and load various different things.
Task SVCHOST abends after the PC has been up about 10 minutes.

Thanks V much for your help.


DDS (Ver_10-03-17.01) - FAT32x86
Run by James Belshaw at 2:02:57.60 on 08/05/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.826 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Efficient Calendar Free\EfficientCalendarFree.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Belshaw\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by America Online
uStart Page = hxxp://www.aol.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mWindow Title = Microsoft Internet Explorer provided by America Online
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1da9f243-3b73-4495-aa09-aeef6eeb4f94} - :c:\windows\system32\gimikipi.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [IntelAudioStudio] :"c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [nwiz] nwiz.exe /install
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [EfficientCalendarFree]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [DefaultP17] resdef.exe
StartupFolder: c:\docume~1\jamesb~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\jamesb~1\startm~1\programs\startup\effici~1.lnk - c:\program files\efficient calendar free\EfficientCalendarFree.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\IESPELL.DLL/SPELLOPTION.HTM
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Check &Spelling - c:\program files\iespell\IESPELL.DLL/SPELLCHECK.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\IESPELL.DLL/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\IESPELL.DLL/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxps://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - hxxp://cc.iwon.com/ct/pm3/iwonpm_11_1,0,2,5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxps://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyvuuur relog_ap
LSA: Notification Packages = scecli c:\windows\system32\noyusoda.dll c:\windows\system32\midogiru.dll
mASetup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\system32\updcrl.exe -e -u c:\windows\system\verisignpub1.crl

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jamesb~1\applic~1\mozilla\firefox\profiles\oj6ik6aj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CLab&query=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\james belshaw\application data\mozilla\firefox\profiles\oj6ik6aj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {C236456F-B7B2-4213-8639-11538C368888} - c:\documents and settings\jeff\local settings\application data\{C236456F-B7B2-4213-8639-11538C368888}
FF - HiddenExtension: XULRunner: {5BAFF83A-F3CB-4F1F-A63E-E1228121BE59} - c:\documents and settings\james belshaw\local settings\application data\{5BAFF83A-F3CB-4F1F-A63E-E1228121BE59}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-20 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-20 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-9 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-20 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-20 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-20 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-20 40552]
S0 iimzk;iimzk;c:\windows\system32\drivers\iimzk.sys [2010-7-23 0]
S2 BPRG;Security Service;c:\windows\system32\svcd\svchost.exe --> c:\windows\system32\svcd\svchost.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\lavalys\everest home edition\kerneld.wnt --> c:\program files\lavalys\everest home edition\kerneld.wnt [?]
S3 mdxgthkn;mdxgthkn;c:\docume~1\jeff\locals~1\temp\mdxgthkn.sys [2004-5-10 15872]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\23.tmp --> c:\windows\system32\23.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-20 34248]

=============== Created Last 30 ================

2010-08-05 06:00:14 0 ----a-w- c:\documents and settings\james belshaw\defogger_reenable
2010-08-04 11:52:02 0 d-----w- C:\HiJackThis204
2010-08-02 14:05:55 0 d-----w- c:\docume~1\jamesb~1\applic~1\Canneverbe Limited
2010-08-02 14:05:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Canneverbe Limited
2010-08-02 12:00:50 91139 ----a-w- c:\documents and settings\james belshaw\.recently-used.xbel
2010-07-31 17:51:37 0 d-----w- c:\docume~1\alluse~1\applic~1\jgy50JtoEAFke73spIp
2010-07-30 02:31:54 32816 ----a-w- c:\documents and settings\james belshaw\Kroger_Night_Premium_V02.zip
2010-07-24 13:42:16 0 d-----w- c:\docume~1\jamesb~1\applic~1\Malwarebytes
2010-07-24 13:41:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 13:41:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 13:41:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-24 13:41:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-23 07:06:16 120 ----a-w- c:\windows\Vmuxevalanahi.dat
2010-07-23 07:06:16 0 ----a-w- c:\windows\Qxiviyuwamo.bin
2010-07-23 07:06:11 0 ----a-w- c:\windows\system32\drivers\iimzk.sys
2010-07-23 07:04:59 0 d-----w- C:\spoolerlogs
2010-07-23 07:04:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-07-23 07:04:25 150 ----a-w- C:\zrpt.xml
2010-07-22 07:38:11 16384 ----a-w- c:\documents and settings\james belshaw\F276_Materials.xls
2010-07-19 15:59:28 417280 ----a-w- c:\documents and settings\james belshaw\Kroger_Night_Premium_V02.xls
2010-07-19 15:55:45 17920 ----a-w- c:\documents and settings\james belshaw\Kroger_PayStub_Format.xls
2010-07-19 15:19:51 337408 ----a-w- c:\documents and settings\james belshaw\Kroger_Night_Premium.xls
2010-07-14 11:00:12 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-07-27 06:30:36 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-15 19:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2002-09-07 06:47:44 144 ----a-w- c:\program files\pcdocrx_order.html
2001-03-11 11:59:54 766 ----a-w- c:\program files\pcdoc.ico
2000-05-18 02:58:00 266 --sh--w- c:\program files\desktop.ini
2000-05-18 02:58:00 11079 ---h--w- c:\program files\folder.htt

============= FINISH: 2:04:24.98 ===============


Attached Files



BC AdBot (Login to Remove)

 


#2 SimRacer

SimRacer
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 10 August 2010 - 11:14 AM

Merged topics. Topic title was: Infected by "PUP" software. Cannot bot in normal mode nor in any Safe mode. ~ OB

Sorry to start a new topic but my situation has changed and I can't edit my original post here:
http://www.bleepingcomputer.com/forums/ind...ite=%2B&kw=

McAfee popped up a warning that "PUP" software had been installed and gave me the options of having McAfee remove it or doing it myself with Add/Remove programs.
I chose to have McAfee remove it.
This repeated 2 more times then I got a cascade of warnings from McAfee about dozens of things being blocked and removed.

Things seemed OK until I tried to reboot.

If I try to boot in Normal mode it stops on a black screen right after the BIOS stuff completes with no disk activity.

All 3 Safe Modes load about the first 20 drivers and stop with no further disk activity.

So, I'm really hosed now!

TIA for any help you can give me.

Edited by Orange Blossom, 10 August 2010 - 04:27 PM.


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 PM

Posted 13 August 2010 - 06:44 AM

Hello SimRacer, My name is Syler and I will be helping you to solve your malware issues. Sorry for the delay
in replying, we are very busy at the moment.

Please note because we are very busy, if I don't hear from you within 5 days the topic will be closed, If you
have since resolved your issues I would appreciate if you would let me no so I can close this topic.


Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
    • Custom: (include files and folders from this directory)
      • No information is necessary, leave blank.
    • Output:
      • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
      • Download the RunScanner plugin and save it to your desktop
      http://www.paraglidernc.com/Files/RunScanner10025.cab

      Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!

      • Press the Plugin button on the PE Builder interface
      • Press the Add button and navigate to the location of the RunScanner plugin to install
      • Please note: If you are using a Windows XP disc with sp2 then highlight RpsSS needs to launch DComLaunch and then press Enable
    • When your done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run it's course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD
==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility
==========

In A43File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to All
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!

  • Copy and Paste the following code from your flash drive into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  • Push
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both log's to your flash drive. Copy and Paste them in your next reply.
=========

With your next post please provide:
  • OTLPE.txt
  • Extra.txt

Thanks

unite.jpg


#4 SimRacer

SimRacer
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 13 August 2010 - 07:39 AM

Hello Syler.

I can tell things are quite busy here from the number of new posts per day, or should I say by the hour!!

To help you schedule your time, I am usually available from 08:00 to 14:00 Eastern Daylight Time 7 days per week.

I will start on the steps you have given me now.

Thanks for your help.


#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 PM

Posted 13 August 2010 - 08:00 AM

Your welcome SimRacer,

I am not available at specific times, it's more as and when I have the spare time, although I do try to reply
within 24 hours and usually it is sooner than that.

unite.jpg


#6 SimRacer

SimRacer
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 13 August 2010 - 08:11 AM

A question:

Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!

This says "folder". Do you mean filename?

Should I rename runscanner1025.cab to runscanner.cab ?



#7 SimRacer

SimRacer
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 13 August 2010 - 08:15 AM

OK I think I got it.

I saved runscanner1025.cab to folder c:\runscanner

For plugins I pointed it to this file and corrected the folder name to runscanner.

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 PM

Posted 13 August 2010 - 08:49 AM

Sorry, I can see why you were confused, it would be better if that note came after:

QUOTE
Press the Add button and navigate to the location of the RunScanner plugin to install


as that is where it applies to, you have done it correct so that's fine.

unite.jpg


#9 SimRacer

SimRacer
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 13 August 2010 - 09:16 AM

Well this does not look good.

I have 2 drives installed in this PC

A good one and the sick one.

I have been connecting only one drive at a time.

With the good drive cabled up and the BartPE CD in I boot into BartPE OK.

With the sick drive cabled up it stops on a black screen after the bios splash screen and a few status bytes.

I have tried it with and without the flash drive plugged in.
I have 2 CD readers installed and have tried them both.
I have tried several differnt boot orders in the bios.

Previously I was able to boot into recovery console with the WinXP cd and do dir commands on the sick drive.
This is no longer working either.

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 PM

Posted 13 August 2010 - 09:52 AM

So when you have the sick drive plugged in, alone, you can not boot into the BartPE CD or the recovery console
on your XP CD?

unite.jpg


#11 SimRacer

SimRacer
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 13 August 2010 - 10:06 AM

That is correct.

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 PM

Posted 13 August 2010 - 10:14 AM

If you plug both drives in, having the good one set as the primary drive, will it boot from CD then?

What is on the good drive, does it have an OS installed on it?

unite.jpg


#13 SimRacer

SimRacer
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 13 August 2010 - 10:24 AM

About 1 year ago I bought a new drive and did the normal full image copy.

The sick drive is the one I have been running on for the past year.

The good drive is just the old one that has been sitting in may desk for a year.

So they are almost the same far as system software goes except for windows updates etc that have been applied to the new one.

The sick drive is an IDE drive and the good one is an SATA drive.

I can boot from the SATA drive only if it is the only drive connected.
With both drives connected I can only boot from the IDE drive.
This has always been true and not a result of my current problem.

The current conditions are:
If the sick IDE drive is cabled up I get no further than the BIOS screen no matter what else is cabled up or what CDs I have in.

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:45 PM

Posted 22 August 2010 - 04:35 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users