Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Suspected malware


  • This topic is locked This topic is locked
37 replies to this topic

#16 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 28 July 2009 - 07:48 AM

schalk,

I've never had that happen before but it doesn't sound like you are doing anything. :unsure: Let's help it a bit:

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
    (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    c:\program files\mcafee
    c:\program files\network associates
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Then try MCPR.exe again.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

    Advertisements

Register to Remove


#17 schalk

schalk

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 30 July 2009 - 03:22 PM

Hi Tomk Here it is. Schalk All processes killed ========== PROCESSES ========== No active process named explorer.exe was found! ========== FILES ========== File/Folder c:\program files\mcafee not found. c:\program files\Network Associates\Common Framework\Microsoft.VC80.CRT moved successfully. c:\program files\Network Associates\Common Framework\0409 moved successfully. c:\program files\Network Associates\Common Framework moved successfully. c:\program files\Network Associates moved successfully. ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: All Users User: David ->Temp folder emptied: 397187513 bytes ->Temporary Internet Files folder emptied: 58620097 bytes ->Java cache emptied: 13431030 bytes ->FireFox cache emptied: 35196917 bytes ->Google Chrome cache emptied: 139183907 bytes ->Apple Safari cache emptied: 122899 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: LocalService ->Temp folder emptied: 0 bytes File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 894459 bytes User: NetworkService ->Temp folder emptied: 3528 bytes ->Temporary Internet Files folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes File delete failed. C:\WINDOWS\temp\vtclrg41.tmp scheduled to be deleted on reboot. Windows Temp folder emptied: 325006 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 615.09 mb OTM by OldTimer - Version 3.0.0.5 log created on 07302009_171549 Files moved on Reboot... C:\WINDOWS\temp\vtclrg41.tmp moved successfully. Registry entries deleted on Reboot...

#18 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 30 July 2009 - 04:12 PM

schalk, Now try MCPR.exe again.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#19 schalk

schalk

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 30 July 2009 - 04:23 PM

Same story: "McAfee enterprise software detected. Cannot continue." Schalk

#20 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 30 July 2009 - 04:37 PM

schalk,

Oh duh! :smack: McAfee enterprise software is a corporate edition isn't it. That means that MCPR.exe won't work.

Please let me have a new DDS log and let's see if we can get all the remnants cleaned up. Also, please advise as to what problems you are currently having.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#21 schalk

schalk

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 30 July 2009 - 05:11 PM

DDS log? :huh:

#22 schalk

schalk

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 30 July 2009 - 05:25 PM

OK. Got it. Here it is:

DDS (Ver_09-07-30.01) - NTFSx86
Run by David at 19:21:45.85 on 30/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.152 [GMT -4:00]


============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\David\My Documents\Downloads\dds (2).scr

============== Pseudo HJT Report ===============

uStart Page = https://ariel.folger.edu/exchange
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Enjoy the Music.com
uDefault_Page_URL = hxxp://www.EnjoyTheMusic.com
uInternet Connection Wizard,ShellNext = hxxp://www.enjoythemusic.com/browser/firsttime.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1008.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1008.0\msneshellx.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\iburst~1.lnk - c:\program files\iburst terminal\iBurst_Terminal_UTL.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231266192984
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231266172234
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: igfxcui - igfxsrvc.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\iotnv21p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxps://ariel.folger.edu/exchange
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\david\application data\mozilla\firefox\profiles\iotnv21p.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-9-25 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-9-25 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-9-25 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-9-25 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-9-25 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-9-25 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-4-27 63616]
R2 SmiHlp;SMI helper driver;c:\program files\ibm fingerprint software\smihlp.sys [2005-4-12 3328]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-9-25 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1980-1-1 14336]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate1c9d0e3a8dc5d5c;Google Update Service (gupdate1c9d0e3a8dc5d5c);c:\program files\google\update\GoogleUpdate.exe [2009-5-9 133104]
S2 McAfeeFramework;McAfee Framework Service;"c:\program files\network associates\common framework\frameworkservice.exe" /servicestart --> c:\program files\network associates\common framework\FrameworkService.exe [?]
S3 iBurstu;iBurst Terminal;c:\windows\system32\drivers\iBurstu.sys [2005-11-28 37960]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-9-25 12288]

=============== Created Last 30 ================

2009-07-30 17:15 <DIR> -cd----- C:\_OTM
2009-07-23 17:44 <DIR> -cd----- C:\Rooter$
2009-07-18 10:20 <DIR> --d----- c:\program files\ESET
2009-07-16 19:43 <DIR> --d----- c:\docume~1\david\applic~1\Malwarebytes
2009-07-16 19:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-16 19:42 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-16 19:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-16 19:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-16 19:05 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-16 19:05 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-12 18:53 <DIR> --d----- c:\program files\home plan software
2009-07-12 16:37 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-02-07 13:41 118,784 a------- c:\program files\zotero-1.0.9.xpi
2009-02-07 12:26 39,339,637 a------- c:\program files\installInsight.exe
2009-02-01 14:21 3,966,048 a------- c:\program files\pdfx_SE.exe
2009-02-01 14:21 14,577,136 a------- c:\program files\PDFXVwer.exe
2008-10-12 22:12 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101320081014\index.dat

============= FINISH: 19:22:36.29 ===============

Attached Files



#23 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 30 July 2009 - 06:14 PM

schalk,

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
    (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    mferkdk
    McAfeeFramework
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"=-
    
    :Files
    c:\program files\network associates
    c:\program files\mcafee
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Then be sure to tell me how your computer is running.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#24 schalk

schalk

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 30 July 2009 - 07:44 PM

I've tried a number of times to rerun OTM with the new instructions, but the computer loses its desktop icons and seems to go into a suspended mode--it's not quite frozen, but I can't do anything except close it down using Ctrl-Alt-Del. It is, however, running MUCH faster--when it runs. Schalk

#25 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 30 July 2009 - 08:26 PM

schalk,

I've had that happen before. This should take care of it.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

This will make your OTM go away. Then please re-download OTM and run the script please.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

    Advertisements

Register to Remove


#26 schalk

schalk

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 31 July 2009 - 07:38 AM

Hi Tomk I've run OTC but have the same problem with OTM. The computer goes into suspension. Schalk

#27 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 31 July 2009 - 08:42 AM

schalk,

Download ToolsCleaner2 (by de A.Rothstein & Dj Quiou) to your desktop and run it
  • Click the Pt. Restauration button and press OK to the prompts.
  • Click the Corbeille button and press OK to the prompt.
  • Click the Fichiers temp button and press OK to the prompt.
  • Click the Recherche button and let it run ( it may look like it freezes but let it continue )
  • Once it is done click the Suppression button and let it remove anything it finds.
  • Close the program

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#28 schalk

schalk

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 31 July 2009 - 02:26 PM

Hi Tomk Done. It was fun using a French programme. It seems much more friendly. Schalk

#29 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 31 July 2009 - 03:49 PM

schalk, Please try instructions in post #23 again.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#30 schalk

schalk

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 31 July 2009 - 07:53 PM

Done. Here's the logfile: All processes killed ========== PROCESSES ========== No active process named explorer.exe was found! ========== SERVICES/DRIVERS ========== Service\Driver mferkdk deleted successfully. Service\Driver McAfeeFramework deleted successfully. ========== REGISTRY ========== Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\McAfeeUpdaterUI deleted successfully. ========== FILES ========== File/Folder c:\program files\network associates not found. File/Folder c:\program files\mcafee not found. ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: All Users User: David ->Temp folder emptied: 4545175 bytes ->Temporary Internet Files folder emptied: 475430 bytes ->Java cache emptied: 0 bytes ->FireFox cache emptied: 0 bytes ->Google Chrome cache emptied: 36892412 bytes ->Apple Safari cache emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: LocalService ->Temp folder emptied: 0 bytes File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 33170 bytes User: NetworkService ->Temp folder emptied: 4166 bytes ->Temporary Internet Files folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes File delete failed. C:\WINDOWS\temp\vtclrg41.tmp scheduled to be deleted on reboot. Windows Temp folder emptied: 66041 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 40.07 mb OTM by OldTimer - Version 3.0.0.5 log created on 07312009_214649 Files moved on Reboot... C:\WINDOWS\temp\vtclrg41.tmp moved successfully. Registry entries deleted on Reboot... Schalk :thumbup:

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users