
McAfee SecurityCenter/Paladin Antivirus


This topic is locked
24 replies to this topic

#1 JimboZ (Members, 17 posts)

Posted 09 October 2010 - 07:58 AM

Going off of this post, here are the results of what I have done:

http://www.bleepingcomputer.com/forums/topic352282.html

Basically McAfee Security Center has changed and it says that I have installed Paladin Antivirus. Can't get rid of it. I used the steps on this site to get rid of Paladin and it has been unsuccessful.

Please see my DDS posting below:


DDS (Ver_10-10-05.01) - NTFSx86
Run by James at 18:42:56.28 on Fri 10/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.361 [GMT -4:00]

AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

svchost.exe 4
svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101005201019.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [xrecyclerx.exe] c:\xrecyclerx.exe\xrecyclerx.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
Trusted Zone: intuit.com\ttlc
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 khifcb.dll
Hosts: 212.117.163.43 search.yahoo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\g8dqa0az.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\james\application data\mozilla\firefox\profiles\g8dqa0az.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - HiddenExtension: XULRunner: {4C5F9FE5-4151-48DD-8F96-C69F08B9D373} - c:\documents and settings\james\local settings\application data\{4C5F9FE5-4151-48DD-8F96-C69F08B9D373}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 04345962;04345962 Boot Guard Driver;c:\windows\system32\drivers\04345962.sys [2010-7-14 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-13 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-21 386712]
R1 04345961;04345961;c:\windows\system32\drivers\04345961.sys [2010-7-14 128016]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-5 84072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R1 setup_9.0.0.722_15.07.2010_04-00drv;setup_9.0.0.722_15.07.2010_04-00drv;c:\windows\system32\drivers\0434596.sys [2010-7-14 315408]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-21 93320]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-5 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-5 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-5 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-5 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-5 141792]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-21 152992]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-21 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-5 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-10-5 88544]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S0 gsrkhn;gsrkhn;c:\windows\system32\drivers\gsrkhn.sys [2010-10-1 0]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 svchost32;Windows Service Manager;c:\windows\system32\setup\svchost.exe /service --> c:\windows\system32\setup\svchost.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-10-24 16512]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-5 55840]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1356952]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-13 15008]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-10-5 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-5 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-21 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-21 40552]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2008-10-25 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2008-10-25 3768]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 uti3ndu1;AVZ Kernel Driver;\??\c:\windows\system32\drivers\uti3ndu1.sys --> c:\windows\system32\drivers\uti3ndu1.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-10-08 22:40:13 0 ----a-w- c:\documents and settings\james\defogger_reenable
2010-10-07 00:55:09 -------- d--h--w- c:\windows\PIF
2010-10-06 00:10:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-06 00:09:24 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-06 00:09:11 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-10-06 00:09:10 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-10-06 00:09:10 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-06 00:09:09 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-06 00:09:08 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-06 00:09:07 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-01 09:09:06 143 ----a-w- c:\docume~1\james\applic~1\srsf.bat
2010-10-01 09:08:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-01 09:07:45 0 ----a-w- c:\windows\system32\drivers\gsrkhn.sys
2010-09-25 12:28:30 -------- d-----w- C:\40bd609df133124017
2010-09-25 00:34:27 -------- d-----w- c:\program files\Glary Registry Repair
2010-09-25 00:34:27 -------- d-----w- c:\docume~1\james\applic~1\GlarySoft
2010-09-24 22:37:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-09-24 22:31:54 -------- d-----w- c:\program files\AVG
2010-09-23 23:23:57 -------- d-----w- c:\docume~1\james\applic~1\Windows Search
2010-09-23 22:34:15 -------- d-----w- C:\aebcf6c16d2a9d8d5572c248730dd6
2010-09-23 01:57:58 -------- d-----w- c:\program files\common files\Windows Live
2010-09-23 01:55:25 -------- d-----w- c:\docume~1\james\applic~1\Windows Desktop Search
2010-09-23 01:54:33 -------- d-----w- c:\program files\Windows Desktop Search
2010-09-23 01:54:32 -------- d-----w- c:\windows\system32\GroupPolicy
2010-09-23 01:52:20 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-09-23 01:52:19 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-09-23 01:52:19 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-09-23 01:45:37 -------- d-sh--w- c:\documents and settings\james\PrivacIE
2010-09-23 00:43:23 -------- d-----w- c:\windows\ie8updates
2010-09-22 23:35:47 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-09-22 23:35:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-09-22 23:35:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-09-17 00:57:54 -------- d-sh--w- c:\documents and settings\james\IETldCache
2010-09-17 00:43:00 -------- dc-h--w- c:\windows\ie8
2010-09-17 00:20:19 -------- d-sh--w- C:\found.000

==================== Find3M ====================

2010-08-24 18:57:38 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 18:57:38 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-24 18:57:38 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 18:44:48.90 ===============

Attached Files



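The DDS log above carries several of the indicators a helper reads such a log for: an extra LSA authentication package (khifcb.dll listed next to msv1_0, which means lsass.exe loads that DLL at boot), a hosts-file entry pointing search.yahoo.com at a remote address, an autostart under a directory named like an executable (c:\xrecyclerx.exe\xrecyclerx.exe), a zero-byte driver (gsrkhn.sys) and a second svchost.exe registered as a service out of system32\setup. The following is an added example, written for this page and not part of the post or of the DDS tool, that scans DDS-style lines for those patterns. The rules are the editor's own heuristics; the sample lines are copied from the log above, and a loopback hosts line is constructed for the negative case.

```python
"""Heuristic triage of DDS log lines.

Added example: these rules are the editor's own, not part of DDS or of the
forum post. SAMPLE_LOG is copied from the DDS log in the post above.
"""
import re
from dataclasses import dataclass

# Lines copied from the DDS log above (hxxp is DDS's own defanging).
SAMPLE_LOG = r"""
LSA: Authentication Packages = msv1_0 khifcb.dll
Hosts: 212.117.163.43 search.yahoo.com
dRun: [xrecyclerx.exe] c:\xrecyclerx.exe\xrecyclerx.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
S0 gsrkhn;gsrkhn;c:\windows\system32\drivers\gsrkhn.sys [2010-10-1 0]
S2 svchost32;Windows Service Manager;c:\windows\system32\setup\svchost.exe /service --> c:\windows\system32\setup\svchost.exe [?]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-21 386712]
"""


@dataclass
class Finding:
    rule: str    # short rule name
    detail: str  # what was matched
    line: str    # the offending log line


LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.+?)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r'^[umd]Run:\s*\[[^\]]*\]\s*"?([a-z]:\\[^"]+\.exe)\b', re.I)
SVC_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.*)$")
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:sys|exe)\b", re.I)
TAIL_RE = re.compile(r"\[(?:[\d-]+\s+(\d+)|\?)\]\s*$")  # "[date size]" or "[?]"

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
SYSTEM32_SVCHOST = r"c:\windows\system32\svchost.exe"


def check_lsa(line):
    """Windows XP ships with msv1_0 as its only LSA authentication package;
    any other entry is a DLL loaded into lsass.exe at boot and must be explained."""
    m = LSA_RE.match(line)
    if not m:
        return []
    extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
    return [Finding("lsa-auth-package", ", ".join(extra), line)] if extra else []


def check_hosts(line):
    """DDS lists only non-default hosts entries; a public IP for a well known
    name is a redirect, while a loopback address is usually just ad blocking."""
    m = HOSTS_RE.match(line)
    if not m or m.group(1) in LOOPBACK:
        return []
    return [Finding("hosts-redirect", f"{m.group(2)} -> {m.group(1)}", line)]


def check_run(line):
    r"""Autostart entries whose image sits in the drive root or under a
    directory named like an executable (c:\name.exe\name.exe)."""
    m = RUN_RE.match(line)
    if not m:
        return []
    parts = m.group(1).lower().split("\\")
    out = []
    if len(parts) == 2:
        out.append(Finding("run-key-path", "executable in drive root", line))
    if any(p.endswith(".exe") for p in parts[1:-1]):
        out.append(Finding("run-key-path", "directory named like an executable", line))
    return out


def check_service(line):
    """Service/driver entries: zero-byte image, image file missing, or an
    svchost.exe that is not the one in system32."""
    m = SVC_RE.match(line)
    if not m:
        return []
    name, rest = m.group(1), m.group(2)
    out = []
    tail = TAIL_RE.search(rest)
    if tail and tail.group(1) == "0":
        out.append(Finding("zero-byte-image", name, line))
    elif tail and tail.group(1) is None:
        out.append(Finding("image-missing", name, line))
    path = PATH_RE.search(rest)
    if path:
        p = path.group(0).lower()
        if p.endswith("\\svchost.exe") and p != SYSTEM32_SVCHOST:
            out.append(Finding("svchost-outside-system32", path.group(0), line))
    return out


CHECKS = (check_lsa, check_hosts, check_run, check_service)


def triage(log_text):
    """Run every check over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            for check in CHECKS:
                findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:26} {f.detail:45} {f.line[:60]}")
```

Run against the sample it reports the five indicators named above and stays silent on the McAfee driver and the mcagent.exe Run entry. The rules are deliberately narrow: a hosts entry for a loopback address, or a Run key under Program Files, produces nothing, because those are common on clean machines and a helper reads them in context rather than by pattern.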

#2 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 17 October 2010 - 05:06 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    hlp.dat
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 JimboZ (Topic Starter, Members, 17 posts)

Posted 20 October 2010 - 11:56 AM

Hello:

I am not able to do anything else with my computer because something has prevented me from establishing an internet connection.

After I did everything in the first part of the post I left my computer on, however something must have infected it.

I turned the computer on and I had a bogus Microsoft Security Essential Alert that would pop up every single time something tried to load (i.e. Task Manager).

I restarted my computer into Safe Mode and opened the task manager and saw that this Microsoft Security Essential Alert was called hotfix.exe.

I ended that process and proceeded to run MBAM.EXE and removed a variety of items.

Once I restarted my computer, it was running very slowly and I opened up the task manager and noticed the following things:

MCShield.exe is taking up about 170,000k of my virtual memory.

Furthermore, whenever I start Firefox.exe or Explorer.exe it says it cannot connect to the internet. When I try to repair my internet connection it states that it can't access it. I know the wireless internet works, as I'm using the other computer in my apartment to go on the internet.

When I open firefox.exe the computer tries to load it for a little bit, and then my computer restarts.

Please advise what should be done next.

#4 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 25 October 2010 - 02:50 AM

Hi,

have you tried safe mode with network?

Do you have a flash drive we could use to transfer programs and logs back and forth from the offline PC to a healthy PC?

Does your healthy PC have Windows XP too? If so please run this tool to vaccinate the flash drive to prevent it from spreading infections from your infected PC:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



#5 JimboZ (Topic Starter, Members, 17 posts)

Posted 26 October 2010 - 07:00 PM

Hello - I am able to connect to the internet via safe mode with networking.

MY CPU usage is 100% and I can't do anything about it.

I can't access Firefox but I can access internet explorer.

Please advise as soon as you possibly can.

#6 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 27 October 2010 - 06:04 AM

Hi,

which process is using the CPU?

Please try to run a scan with ComboFix:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#7 JimboZ (Topic Starter, Members, 17 posts)

Posted 30 October 2010 - 10:26 AM

Hello:

I ran combofix and the CPU my computer has been using has decreased.

I have attached the combofix.txt in this reply.

Thanks for your help - we are on our way to fixing this computer!!!

Thanks,

James

Attached Files



#8 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 01 November 2010 - 04:02 AM

Hi,

wow, that is quite some log.

Please run the following script to remove some leftovers. If you are prompted to upgrade ComboFix, please allow it:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Renv::
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Dell\Media Experience\PCMService .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\McAfee\MBK\McAfeeDataBackup .exe
c:\program files\Symantec\LiveUpdate\ALUNotify .exe
c:\windows\system32\rundll32 .exe
File::
c:\program files\Common Files\jypu.dll
c:\program files\Common Files\boripemuso.sys
c:\windows\system32\drivers\50728982.sys
c:\windows\system32\drivers\5072898.sys
c:\windows\system32\drivers\50728981.sys
Folder::
c:\documents and settings\James\Local Settings\Application Data\{4C5F9FE5-4151-48DD-8F96-C69F08B9D373}
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 
Driver::
uti3ndu1
04345962
50728982
04345961
50728981
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:50370
Firefox::
FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\g8dqa0az.default\
FF - HiddenExtension: XULRunner: {4C5F9FE5-4151-48DD-8F96-C69F08B9D373} - c:\documents and settings\James\Local Settings\Application Data\{4C5F9FE5-4151-48DD-8F96-C69F08B9D373}
FF - prefs.js: browser.search.selectedEngine - Secure Search

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


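The Registry:: section of that script restores the LSA value that the DDS log showed as "msv1_0 khifcb.dll". The value is REG_MULTI_SZ, which .reg syntax writes as hex(7): a comma-separated byte dump of NUL-separated strings with a double NUL at the end. The bytes here are one per character, the encoding REGEDIT4-format files use ("Windows Registry Editor Version 5.00" files write each character as two UTF-16LE bytes instead). The following is an added example, written for this page and not part of ComboFix or of the post, that decodes and re-encodes such values so the reader can confirm what a script line will write before running it. The hijacked form it reconstructs (msv1_0 followed by khifcb.dll) is built from the DDS line, not taken from a registry export.

```python
"""Decode / encode REG_MULTI_SZ values written in .reg "hex(7):" syntax.

Added example by the editor, not ComboFix code. It reads the kind of line
used in the Registry:: section above and shows what the value means.
"""
import re

# Copied from the CFScript above.
FIX_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# Default on Windows XP: msv1_0 is the only LSA authentication package.
EXPECTED_PACKAGES = ["msv1_0"]

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<hex>[0-9a-fA-F,\s\\]+)$')


def hex7_to_bytes(hex_text):
    """'6d,73,...' (possibly wrapped with trailing backslashes) -> bytes."""
    cleaned = re.sub(r"[\s\\]", "", hex_text)
    return bytes(int(h, 16) for h in cleaned.split(",") if h)


def looks_utf16le(data):
    """Version 5.00 .reg files store hex(7) as UTF-16LE, so every high byte
    of an ASCII string is 0; REGEDIT4 files store one byte per character.
    Heuristic only: a Latin-1 string with NULs in odd positions would fool it."""
    return len(data) % 2 == 0 and len(data) >= 4 and all(b == 0 for b in data[1::2])


def decode_multi_sz(data):
    """bytes -> list of strings (NUL-separated, double-NUL terminated)."""
    text = data.decode("utf-16-le") if looks_utf16le(data) else data.decode("cp1252")
    return [s for s in text.split("\0") if s]


def encode_multi_sz(strings, utf16=False):
    """list of strings -> 'hex(7):..' text, REGEDIT4 (1 byte/char) by default."""
    raw = "\0".join(strings) + "\0\0"
    data = raw.encode("utf-16-le") if utf16 else raw.encode("cp1252")
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def parse_reg_value(line):
    """'"Name"=hex(7):..' -> (name, [strings])."""
    m = VALUE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a hex(7) value line: {line!r}")
    return m.group("name"), decode_multi_sz(hex7_to_bytes(m.group("hex")))


def unexpected_packages(packages):
    """Entries that are not the XP default; each one is a DLL lsass.exe loads."""
    expected = {e.lower() for e in EXPECTED_PACKAGES}
    return [p for p in packages if p.lower() not in expected]


if __name__ == "__main__":
    name, packages = parse_reg_value(FIX_LINE)
    print(name, "->", packages)
    # What the hijacked value from the DDS log would look like in .reg syntax.
    hijacked = encode_multi_sz(["msv1_0", "khifcb.dll"])
    print("hijacked value:", hijacked)
    print("unexpected:", unexpected_packages(decode_multi_sz(hex7_to_bytes(hijacked[7:]))))
```

Decoding FIX_LINE gives Authentication Packages -> ['msv1_0'], i.e. the script writes the clean XP default rather than merely deleting khifcb.dll from the list; re-encoding ['msv1_0'] reproduces the exact byte string in the script, which is the check worth doing before dragging a CFScript onto ComboFix.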

#9 JimboZ (Topic Starter, Members, 17 posts)

Posted 04 November 2010 - 06:04 PM

Hello:

Sorry for the delay - I was having a few issues running this.

I kept on trying to run it in regular Windows but it would freeze, therefore I started it in Safe Mode with Networking and I have attached the logs.

One thing that I have noticed is that I believe the McAfee Security Center that is running is a rogue version. I can't close it and I have attached a picture of what it exactly looks like.

Please reply whenever it is at your earliest convenience - I appreciate all of the help.

Attached Files



#10 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 05 November 2010 - 05:52 AM

Hi,

the combofix log, looks promising.

Could you please go here: FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\g8dqa0az.default\ and zip the file user.js and attach it to your next reply.

You may need to make all files visible:
How to see hidden files in Windows

regards myrti

Edited by myrti, 05 November 2010 - 05:52 AM.



#11 JimboZ (Topic Starter, Members, 17 posts)

Posted 08 November 2010 - 08:59 AM

Hello:

Please find the attached file you requested.

Furthermore, am I going to have to reinstall any software that may have been infected, i.e. McAfee?

Attached Files



#12 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 09 November 2010 - 01:52 AM

Hi,

McAfee is confused because Windows no longer sees McAfee as an anti virus. The security center of McAfee hence thinks that the anti virus is not present and warns you. However this is not true, from your initial log it looks as if McAfee anti virus was still running. The warning you are getting should be genuine though, even if it is wrong.
The easiest fix for this is indeed to reinstall McAfee, can you try that and let me know if it helps.

Thanks for the upload! :)

regards myrti



#13 JimboZ (Topic Starter, Members, 17 posts)

Posted 09 November 2010 - 10:35 AM

Hello:

So all you need me to do now is reinstall McAfee?

-James

#14 myrti (Sillyberry, Malware Study Hall Admin, 33,766 posts)

Posted 09 November 2010 - 11:35 AM

Hi,

there are a couple more things that I would like to do to make sure you are and stay clean, however the first thing I would like to focus on is to make this McAfee message disappear.

regards myrti



#15 JimboZ (Topic Starter, Members, 17 posts)

Posted 09 November 2010 - 09:17 PM

Hello:

I've removed McAfee and reinstalled it and there is no mention of Paladin Antivirus on it. Seems as if it is working correctly.

Furthermore, I am able to use firefox by updating the proxy settings.

What are the next steps you wish me to do?

Thanks,

James



