

Clean or not?


  • This topic is locked
5 replies to this topic

#1 Brian-1234

Brian-1234

  • Members
  • 3 posts

Posted 18 April 2012 - 07:17 PM

Hi,

I have a friend with a system that I'm not sure about... I had run GMER and it found some things that make me wonder. McAfee A/V and MBAM find nothing (absolutely zero). Note that I ran GMER before reading the tips in the prep guide, but that took like 4 hours, so I hope the full report is OK (attached). Primarily there are a lot of JMPs that I wonder about, though GMER showed nothing in red highlight. (FYI I was running via TeamViewer.)


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by [user name] at 19:39:45 on 2012-04-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1007.560 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\TeamViewer\Version7\TeamViewer.exe
C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\TeamViewer\Version7\tv_w32.exe
c:\docume~1\barbar~1\locals~1\temp\teamviewer\version7\TeamViewer_Desktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120415020620.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HTpatch] c:\windows\htpatch.exe
mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [mclogcln_exe] c:\program files\mcafee\msc\mclogcln.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [PrnStatusMX] c:\program files\hewlett-packard\prnstatusmx\PrnStatusMX.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105736218844
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157021383778
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E686972E-1E0B-43DA-A833-985A56CEC7BA} : DhcpNameServer = 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\[user name]\application data\mozilla\firefox\profiles\y8byxich.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.ftp - :0
FF - prefs.js: network.proxy.gopher - :0
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.socks - :0
FF - prefs.js: network.proxy.ssl - :0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-16 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-16 89792]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-5 95200]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-16 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-16 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-16 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-16 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-16 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-16 150856]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-16 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-16 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-16 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-16 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-16 83856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-13 253088]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-16 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-16 87656]
.
=============== Created Last 30 ================
.
2012-04-15 06:06:21 28760 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2012-04-14 00:28:55 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-14 00:28:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-13 23:57:35 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-13 23:57:35 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-13 01:03:54 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-04-13 01:02:59 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2012-04-13 01:01:59 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2012-04-13 01:00:59 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2012-04-13 00:59:59 26112 -c--a-w- c:\windows\system32\dllcache\sm90w.dll
2012-04-13 00:58:59 65664 -c--a-w- c:\windows\system32\dllcache\s3legacy.sys
2012-04-13 00:57:55 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2012-04-13 00:56:59 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2012-04-13 00:55:59 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2012-04-13 00:55:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2012-04-13 00:55:43 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2012-04-13 00:55:36 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2012-04-13 00:55:35 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2012-04-13 00:55:28 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2012-04-13 00:55:27 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2012-04-13 00:55:18 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2012-04-13 00:53:56 7680 -c--a-w- c:\windows\system32\dllcache\kbdnecnt.dll
2012-04-13 00:52:58 471102 -c--a-w- c:\windows\system32\dllcache\imskdic.dll
2012-04-13 00:51:58 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2012-04-13 00:50:55 11264 -c--a-w- c:\windows\system32\dllcache\fxssend.exe
2012-04-13 00:49:59 137088 -c--a-w- c:\windows\system32\dllcache\essm2e.sys
2012-04-13 00:48:54 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2012-04-13 00:47:59 24648 -c--a-w- c:\windows\system32\dllcache\dfe650.sys
2012-04-13 00:46:57 39936 -c--a-w- c:\windows\system32\dllcache\cnxt1803.sys
2012-04-13 00:45:58 171264 -c--a-w- c:\windows\system32\dllcache\camdrv30.sys
2012-04-13 00:45:57 223232 -c--a-w- c:\windows\system32\dllcache\camdrv21.sys
2012-04-13 00:45:55 314752 -c--a-w- c:\windows\system32\dllcache\camdro21.sys
2012-04-13 00:45:47 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2012-04-13 00:45:46 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2012-04-13 00:43:58 13696 -c--a-w- c:\windows\system32\dllcache\avcstrm.sys
2012-04-13 00:42:57 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2012-04-04 05:53:56 182160 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:44:42.93 ===============

Attached file: GMER.log (80.61KB)
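As an added example that is not part of this thread, of DDS or of GMER: a small Python triage parser for the DDS log format posted above. It splits the log into its `=== SECTION ===` blocks, parses the SERVICES / DRIVERS entries into fields, and flags processes running from a Temp directory, a routine first-pass heuristic. On this log the only hit is the TeamViewer session the poster mentions, so the flag is explained, not an infection. The sample lines are constructed from the log above.

```python
import re

# Constructed sample: a few lines copied from the DDS log posted in this thread.
DDS_SAMPLE = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\DOCUME~1\BARBAR~1\LOCALS~1\Temp\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
============= SERVICES / DRIVERS ===============
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-16 464176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-16 87656]
============= FINISH: 19:44:42.93 ===============
"""

# "=== Section name ===" header lines delimit DDS sections.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "R0 name;display name;path [yyyy-m-d size]" as shown in the SERVICES / DRIVERS block.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$"
)


def parse_dds(text):
    """Return {section name: [non-empty lines]} for a DDS log; '.' spacer lines are dropped."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def parse_services(lines):
    """Parse SERVICES / DRIVERS lines into dicts (start type, name, display, path, date, size)."""
    entries = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def flag_temp_processes(lines):
    """Triage heuristic: executables running out of a Temp directory deserve a second look."""
    return [p for p in lines if "\\temp\\" in p.lower()]


if __name__ == "__main__":
    log = parse_dds(DDS_SAMPLE)
    for svc in parse_services(log["SERVICES / DRIVERS"]):
        print(f'{svc["start"]} {svc["name"]:<12} {svc["path"]} ({svc["size"]} bytes)')
    print("Processes from Temp:", flag_temp_processes(log["Running Processes"]))
```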




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 April 2012 - 09:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

The log is clean.

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the log and let me know of any issues with this computer.

#3 Brian-1234

Brian-1234
  • Topic Starter

  • Members
  • 3 posts

Posted 22 April 2012 - 10:40 PM

Thanks nasdaq!

I don't have access to the system at the moment, but it looks like SecurityCheck primarily checks 3rd party apps? If so then we're OK there, I just ran all Windows, Firefox, Adobe, AV, Java updates and more last week.

Any feedback about all the JMPs seen in the GMER log? Perhaps that's a hook by McAfee?

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 April 2012 - 07:59 AM

Any feedback about all the JMPs seen in the GMER log? Perhaps that's a hook by McAfee?


Yes it is.


If still having issues you can run this tool instead of GMER.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any antivirus protection on the computer.
===

Let me know of the current issues.

#5 Brian-1234

Brian-1234
  • Topic Starter

  • Members
  • 3 posts

Posted 23 April 2012 - 06:45 PM

We're not having any issues (anymore). Original complaint from my friend was that it was slow... I cleaned things out, ran scans (zero found), etc.

The only thing that worried me was the JMPs in the GMER log... I just wanted to double-check that. Either it was clean or there was real sneaky malware.

I believe we're done - thanks again!

Edited by Brian-1234, 23 April 2012 - 11:20 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 April 2012 - 10:42 AM

The only thing that worried me was the JMPs in the GMER log... I just wanted to double-check that. Either it was clean or there was real sneaky malware.

If something was bad you would have problems with this computer.

If you want a security check please run the tool I suggested earlier.
