
Some Antivirus software will not run and can not display any HTTPS sites


#1 Gbal


  • Members

Posted 07 October 2010 - 01:57 PM

While restoring some old files to a new PC, started to see some virus-like activity, i.e. slow login through Instant Messenger, slow display of various web sites. Noticed in the system log files the following message (Process **\MCSVHOST.EXE pid (1860) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.)

Tried to open up McAfee Security Center but nothing opened. McAfee appeared to be running but could not open up manager to control the application. Booted system into SAFE mode. McAfee center opened up. Ran scan but nothing was found. Uninstalled McAfee and tried to reinstall app. This is when I noticed that any website that I went to that used HTTPS would not display. Received the following error message. IE can not display the webpage. Also tried to open up HTTPS sites with Google Chrome and received the error message that the webpage was unavailable. All other web browsing to NON HTTPS sites work. Tried to download and install Malwarebytes but can not access the HTTPS part of the website to download.

Booted up system with various recovery programs (Avira, DrWeb Live CD, Kaspersky Rescue Disk). All scans ran without detecting any issues.

Ran HJT against system and found one entry that looked suspect. (023 - Service: Sessionlauncher - Unknown owner - c:'users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe (file missing) Used HJT to remove entry. Rebooted but original problems still remain.

As indicated by this forum, I ran GMER against my system. When I started it, I received the following error: (C:\windows\system32\config\system: The system could not find the file specified.) I ran the scan and received a similar message about the same file, but this time it said that the file was in use by another process. Scan did not turn up anything to report.

Although the various scans could not find anything....like the old saying goes...if it looks like a duck, smells like a duck and quacks like a duck...it must be a duck.

Any help would be greatly appreciated.

DDS (Ver_10-10-05.01) - NTFS_AMD64
Run by Gene at 13:23:01.16 on Thu 10/07/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6143.4479 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k NetworkService
c:\Program Files (x86)\AMD\AMD Fusion Utility for Desktops\FusionSVC.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe
C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Windows Live\Toolbar\wltuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Gene\Downloads\bleeping computer\dds.scr
C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20101004155053.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
uRun: [Google Update] "C:\Users\Gene\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [EPSONDAEF2D] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFJA.EXE /FU "C:\Windows\TEMP\E_S8249.tmp" /EF "HKCU"
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [DellComms] "C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe" /P DellComms
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
mRunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe"
mRunOnce: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
StartupFolder: C:\Users\Gene\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101004155053.dll
BHO-X64: scriptproxy - No File
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
mRun-x64: [RunDLLEntry_THXCfg] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
mRun-x64: [RunDLLEntry_EptMon] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2010-8-24 529000]
R0 pavboot;pavboot;C:\Windows\System32\drivers\pavboot64.sys [2010-10-4 33800]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-5-27 55280]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\System32\drivers\mfenlfk.sys [2010-10-4 75032]
R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2010-10-4 283232]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-5-27 202752]
R2 AMD_RAIDXpert;AMD RAIDXpert;C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-3-16 122880]
R2 AMDFusionSVC;AMD Fusion Utility Service;C:\Program Files (x86)\AMD\AMD Fusion Utility for Desktops\FusionSVC.exe [2009-9-8 383544]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-10-4 355440]
R2 McMPFSvc;McAfee Personal Firewall Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-10-4 355440]
R2 McNaiAnn;McAfee VirusScan Announcer;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-10-4 355440]
R2 McProxy;McAfee Proxy Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-10-4 355440]
R2 McShield;McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2010-10-4 200056]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2010-10-4 245352]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2010-10-4 149032]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-5-27 689472]
R2 sprtsvc_DellComms;SupportSoft Sprocket Service (DellComms);C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe [2009-5-5 206064]
R3 AmdLLD64;AMD Low Level Device Driver;C:\Windows\System32\drivers\AmdLLD64.sys [2010-5-27 47672]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2010-10-4 62800]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2010-5-27 321064]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2010-10-4 190136]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2010-10-4 441072]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
R3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-18 169312]
S3 ahcix64s;ahcix64s;C:\Windows\System32\drivers\ahcix64s.sys [2010-5-27 226616]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2010-10-4 94736]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-10-3 1255736]
S4 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]

=============== Created Last 30 ================

2010-10-07 17:37:40 0 ----a-w- C:\Users\Gene\defogger_reenable
2010-10-07 15:27:57 1438000 ---ha-w- C:\Users\Gene\AppData\Local\IconCache.db
2010-10-04 22:38:21 189520 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2010-10-04 22:35:55 36 ----a-w- C:\Users\Gene\AppData\Local\housecall.guid.cache
2010-10-04 20:51:02 -------- d-----w- C:\Program Files (x86)\McAfee.com
2010-10-04 20:50:52 9984 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2010-10-04 20:50:05 94736 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2010-10-04 20:50:05 75032 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
2010-10-04 20:50:05 62800 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2010-10-04 20:50:05 441072 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2010-10-04 20:50:05 283232 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2010-10-04 20:50:05 190136 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2010-10-04 20:41:13 149032 ----a-w- C:\Windows\System32\mfevtps.exe
2010-10-04 20:30:07 33800 ----a-w- C:\Windows\System32\drivers\pavboot64.sys
2010-10-04 20:25:10 270208 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-04 20:24:21 -------- d-----w- C:\Users\Gene\AppData\Local\ElevatedDiagnostics
2010-10-04 20:13:38 -------- dc-h--w- C:\PROGRA~3\{7322D736-AA5F-4DD0-8E33-EA48318CC276}
2010-10-04 20:12:19 -------- d-----w- C:\Users\Gene\AppData\Local\PackageAware
2010-10-04 20:07:38 257024 ----a-w- C:\Windows\System32\mfreadwrite.dll
2010-10-04 20:07:38 206848 ----a-w- C:\Windows\System32\mfps.dll
2010-10-04 20:07:38 196608 ----a-w- C:\Windows\SysWow64\mfreadwrite.dll
2010-10-04 20:07:37 4068864 ----a-w- C:\Windows\System32\mf.dll
2010-10-04 20:07:37 3181568 ----a-w- C:\Windows\SysWow64\mf.dll
2010-10-04 20:07:37 1888256 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2010-10-04 20:07:37 1619456 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2010-10-04 20:06:03 -------- d-----w- C:\Users\Gene\AppData\Local\Windows Live
2010-10-04 19:35:06 65536 --sha-w- C:\Users\Gene\ntuser.dat{5f018a6c-cfec-11df-b378-b8ac6f9d1d5f}.TM.blf
2010-10-04 19:35:06 524288 --sha-w- C:\Users\Gene\ntuser.dat{5f018a6c-cfec-11df-b378-b8ac6f9d1d5f}.TMContainer00000000000000000002.regtrans-ms
2010-10-04 19:35:06 524288 --sha-w- C:\Users\Gene\ntuser.dat{5f018a6c-cfec-11df-b378-b8ac6f9d1d5f}.TMContainer00000000000000000001.regtrans-ms
2010-10-04 15:39:17 -------- d-----w- C:\Program Files (x86)\Panda Security
2010-10-04 14:09:41 -------- d-----w- C:\Users\Gene\AppData\Local\Microsoft Games
2010-10-04 11:30:37 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2010-10-04 09:54:30 524288000 ----a-w- C:\REMOVE_THIS_FILE.livecd.swap
2010-10-04 09:21:34 -------- d-----w- C:\d_drive
2010-10-04 02:18:00 -------- d-----w- C:\Program Files\McAfee.com
2010-10-04 00:32:44 -------- d-----w- C:\Users\Gene\AppData\Roaming\TeamViewer
2010-10-04 00:32:36 -------- d-----w- C:\Program Files (x86)\TeamViewer
2010-10-03 22:18:33 -------- d-----w- C:\Users\Gene\AppData\Local\Programs
2010-10-03 22:18:19 -------- d-----w- C:\Users\Gene\AppData\Local\ArcSoft
2010-10-03 22:17:59 -------- d-----w- C:\PROGRA~3\ArcSoft
2010-10-03 14:04:30 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2010-10-03 13:55:24 -------- d-----w- C:\Windows\SysWow64\Wat
2010-10-03 13:55:24 -------- d-----w- C:\Windows\System32\Wat
2010-10-03 13:48:20 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2010-10-03 13:48:20 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2010-10-03 13:48:20 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2010-10-03 13:48:20 444752 ----a-w- C:\Windows\System32\mscoree.dll
2010-10-03 13:48:20 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2010-10-03 13:48:20 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2010-10-03 13:48:20 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2010-10-03 13:48:20 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2010-10-03 13:48:20 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2010-10-03 13:48:20 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2010-10-03 13:44:43 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2010-10-03 13:44:43 184832 ----a-w- C:\Windows\System32\drivers\usbvideo.sys
2010-10-03 13:06:13 -------- d-----w- C:\Temp
2010-10-03 13:01:45 -------- d-----w- C:\Users\Gene\My Backup Files
2010-10-03 12:31:58 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
2010-10-03 03:21:21 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2010-10-03 03:21:21 126312 ----a-w- C:\Windows\System32\GEARAspi64.dll
2010-10-03 03:21:21 107368 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2010-10-03 03:20:58 -------- d-----w- C:\Program Files\iPod
2010-10-03 03:20:57 -------- d-----w- C:\Program Files\iTunes
2010-10-03 03:20:57 -------- d-----w- C:\Program Files (x86)\iTunes
2010-10-03 03:20:57 -------- d-----w- C:\PROGRA~3\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2010-10-03 03:19:22 -------- d-----w- C:\Program Files\Bonjour
2010-10-03 03:19:22 -------- d-----w- C:\Program Files (x86)\Bonjour
2010-10-03 02:03:14 -------- d-----w- C:\Program Files (x86)\Philips ToUcam Camera
2010-10-03 02:03:08 306688 ----a-w- C:\Windows\IsUninst.exe
2010-10-02 20:04:55 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2010-10-02 20:02:32 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2010-10-02 20:02:02 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2010-10-02 20:01:50 -------- d-----w- C:\Users\Gene\AppData\Local\Microsoft Help
2010-10-02 19:55:56 -------- d-----w- C:\Users\Gene\AppData\Local\Yahoo
2010-10-02 19:45:22 -------- d-----w- C:\Program Files (x86)\Yahoo!
2010-10-02 19:40:53 -------- d-----w- C:\Users\Gene\Tracing
2010-10-02 19:31:33 -------- d-----w- C:\PROGRA~3\EPSON
2010-10-02 19:23:43 -------- d-----w- C:\Users\Gene\AppData\Local\Google
2010-10-02 19:23:27 -------- d-----w- C:\Users\Gene\AppData\Local\Deployment
2010-10-02 19:23:27 -------- d-----w- C:\Users\Gene\AppData\Local\Apps
2010-10-02 19:19:21 423656 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-10-02 19:03:26 -------- d-sh--w- C:\System Recovery
2010-10-02 19:02:34 -------- d-----w- C:\Users\Gene\AppData\Roaming\Dell
2010-10-02 19:02:10 -------- d-----w- C:\Users\Gene\AppData\Local\Stardock_Corporation
2010-10-02 19:02:01 -------- d-----w- C:\Users\Gene\AppData\Local\DataSafeOnline
2010-10-02 19:01:52 -------- d-----w- C:\Users\Gene\AppData\Local\ATI
2010-10-02 19:01:50 -------- d-----w- C:\Users\Gene\AppData\Local\SupportSoft
2010-10-02 19:01:14 -------- d-----w- C:\Users\Gene\AppData\Local\VirtualStore
2010-10-02 19:01:06 -------- d-----w- C:\Users\Gene\AppData\Local\SoftThinks
2010-10-02 18:58:37 220672 ----a-w- C:\Windows\System32\wintrust.dll
2010-10-02 18:58:37 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2010-10-02 18:58:36 139264 ----a-w- C:\Windows\System32\cabview.dll
2010-10-02 18:58:36 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2010-10-02 18:57:43 127552 ----a-w- C:\Users\Gene\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-08 16:17:46 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

==================== Find3M ====================

2010-08-24 19:57:38 529000 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2010-08-24 19:57:38 121248 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2010-08-21 06:29:47 558592 ----a-w- C:\Windows\System32\spoolsv.exe
2010-07-29 06:30:34 82944 ----a-w- C:\Windows\SysWow64\iccvid.dll
2010-07-27 23:55:50 95520 ----a-w- C:\Windows\System32\dnssd.dll
2010-07-27 23:55:50 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
2010-07-27 23:55:50 237856 ----a-w- C:\Windows\System32\dnssdX.dll
2010-07-27 23:55:50 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2010-07-27 23:44:10 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2010-07-27 23:44:10 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2010-07-27 23:44:10 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2010-07-27 23:44:10 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe

============= FINISH: 13:23:36.90 ===============

I could not resist waiting for assistance so I decided to investigate the issue further. Upon close inspection of the symptoms, I noticed that the system was identifying any file as "UNKNOWN PUBLISHER" in addition to not allowing IE to access any HTTPS webpage. I then looked at the properties of individual files that the system had indicated as "unknown publisher" and saw valid publisher details for all files. (The symptoms were obviously pointing towards some issue with Windows 7 UAC.)

I lowered the UAC setting for my profile to (Never notify me of changes) which effectively turns off UAC. The problem suddenly went away. Putting UAC settings back to normal returned the system back to its previous state of Unknown Publisher errors and no HTTPS browsing. I then created another profile to see if the problem moved to this new profile. It did not. The new profile did not exhibit any problems with the UAC setting in its recommended setting.

I then created a third profile and used this third profile to move objects (data files) from the original profile to the second new profile. It would have been nicer if there was a tool available to move files, account settings, and email files between profiles on the same Windows 7 machine, but I was unable to find them and had to resort to a manual process. Once everything was moved and checked out as operational, I deleted the original old profile.

Looking back on the entire issue, it appears the problem started when I was restoring files from an old backup via Acronis. During this restoration, McAfee indicated that several of the files trying to be restored contained virus signatures. When these virus warnings appeared during the restore process, I took the option to delete or disable the files McAfee indicated. Somewhere along this process my Windows 7 user profile's UAC capability became corrupted. I could still log on but had problems as previously described. My initial thought was that one of the viruses got through all the roadblocks and was causing me these problems.

I am still somewhat at a loss as to the root cause of the problem. Either it was Acronis, McAfee, the files that McAfee flagged or some abnormality with Windows 7 UAC, or a combination of all three.

EDIT: Posts merged ~BP


Edited by Budapest, 10 October 2010 - 03:52 PM.
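
A triage pass over the SERVICES / DRIVERS section of the DDS log above, as an added example that is not part of either poster's messages: it flags services whose image sits under a Temp or AppData directory, or whose file date and size were not recorded, which is how the disabled SessionLauncher entry stands out from the rest. The reading of the R/S letter and the start-type digit, and the two heuristics themselves, are assumptions of this example rather than anything DDS or the forum documents here.

```python
import re

# Lines copied from the SERVICES / DRIVERS section of the DDS log in post #1.
SAMPLE = r"""
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2010-8-24 529000]
R2 McShield;McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2010-10-4 200056]
R2 McProxy;McAfee Proxy Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-10-4 355440]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2010-10-4 94736]
S4 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
"""

# Assumed DDS notation: R/S = running/stopped, digit = service start type.
STATE = {"R": "running", "S": "stopped"}
START = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# <state><start> <name>;<display name>;<image path and args> [<date size> or ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Executable path without surrounding quotes or trailing arguments.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|sys|dll))\b', re.IGNORECASE)
# Heuristic (this example's choice): directories an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\(?:temp|tmp|appdata)\\", re.IGNORECASE)


def parse_services(log_text):
    """Parse DDS service/driver lines into dictionaries; skip anything else."""
    services = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # "a --> b" repeats the path; keep the first half only.
        image = m.group("image").split(" --> ")[0].strip()
        exe = EXE_RE.match(image)
        services.append({
            "name": m.group("name").strip(),
            "state": STATE[m.group("state")],
            "start": START[m.group("start")],
            "path": exe.group("path") if exe else image.strip('"'),
            # "[?]" in place of "[date size]" means no file metadata was logged.
            "meta_known": m.group("meta").strip() != "?",
        })
    return services


def triage(log_text):
    """Return the services that deserve a closer look, with the reasons."""
    findings = []
    for svc in parse_services(log_text):
        reasons = []
        if USER_WRITABLE_RE.search(svc["path"]):
            reasons.append("image under Temp/AppData")
        if not svc["meta_known"]:
            reasons.append("no file date/size recorded")
        if reasons:
            findings.append({**svc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f'{f["name"]} ({f["state"]}, {f["start"]}): {f["path"]}')
        for reason in f["reasons"]:
            print(f"  - {reason}")
```
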



#2 etavares


    Bleepin' Remover

  • Malware Response Team

Posted 16 October 2010 - 07:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\*. /mp /s

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

In your reply, please post both OTL logs.

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.


#3 etavares


    Bleepin' Remover

  • Malware Response Team

Posted 21 October 2010 - 05:12 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

