
[Closed] Malwarebytes Targeted, Same problem as before despite new har


This topic is locked. 58 replies to this topic.

#1 Mirrodin (Authentic Member, 37 posts)

Posted 09 October 2009 - 04:13 PM

I recently posted a thread detailing a problem that I had regarding Malwarebytes being targeted and then other websites running incredibly slow as well as the entire internet running slow. I had intended to do what I could with whatever help was offered here. However, the next day, the computer went haywire, with ScareWare installed and I had to get a new hard drive. The same problem is happening again. It is not at the scareware stage yet, and I'd like to stop it before it happens again and possibly get some kind of deterrent against it happening in the future. I had installed Malwarebytes on the new HD, but again the .exe had been deleted. I'd like to take care of it now.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/09 18:09
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9E751000 Size: 876544 File Visible: No Signed: - Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0x9E62B000 Size: 180608 File Visible: - Signed: - Status: Hidden from the Windows API!

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xA51FD000 Size: 455296 File Visible: - Signed: - Status: Hidden from the Windows API!

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF71E2000 Size: 574976 File Visible: - Signed: - Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9C183000 Size: 49152 File Visible: No Signed: - Status: -

==EOF==


DDS (Ver_09-06-26.01) - NTFSx86
Run by jmart366 at 18:08:01.78 on Fri 10/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.758.64 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM7\aim.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jmart366\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cpprod.stjohns.edu/cp/home/loginf
uWindow Title = Microsoft Internet Explorer provided by St. John's University
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TP4EX] tp4ex.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [veluhepoj] Rundll32.exe "c:\windows\system32\tibukiji.dll",a
StartupFolder: c:\docume~1\jmart366\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\jmart366\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoPropertiesMyComputer = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxps://www-3.ibm.com/pc/support/access/sdccommon/download/tgctlins.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120763170514
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147371192171
DPF: {74FFE28D-2378-11D5-990C-006094235084} - file://c:\program files\support.com\bin\ibmaccesssupport\common\install\ibmegath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.5184143518
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} - file://c:\program files\support.com\bin\ibmaccesssupport\common\install\AcpControl.cab
Notify: ACNotify - ACNotify.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: lagehogo.dll c:\windows\system32\tibukiji.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: nugusivek - {6b943bbe-303e-4808-a237-a927d59a8f04} - c:\windows\system32\tibukiji.dll
STS: kupuhivus: {6b943bbe-303e-4808-a237-a927d59a8f04} - c:\windows\system32\tibukiji.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli ACGina wohahibe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jmart366\applic~1\mozilla\firefox\profiles\al5onozg.default\
FF - prefs.js: browser.startup.homepage - hxxp://cpprod.stjohns.edu/cp/home/loginf
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-15 340592]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-5-15 85760]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-5-10 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-5-15 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-5-15 4224]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-5-15 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-5-15 4442]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2008-9-29 19456]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-9-29 143088]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-9-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-5-15 67904]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-14 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 253952]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-15 90360]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-15 42424]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-5-10 6016]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S3 AM5211;11b/g Wireless LAN Mini PCI Adapter Service;c:\windows\system32\drivers\am5211.sys --> c:\windows\system32\drivers\am5211.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-5-15 64432]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-10-09 17:27 <DIR> --d----- C:\QUARANTINE
2009-10-09 14:14 <DIR> --d----- c:\program files\ASIO4ALL v2
2009-10-09 14:14 225,280 a------- c:\windows\system32\rewire.dll
2009-10-09 14:14 <DIR> --d----- c:\program files\VstPlugins
2009-10-09 14:14 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-10-09 14:13 <DIR> --d----- c:\program files\Outsim
2009-10-09 14:09 <DIR> --d----- c:\program files\Image-Line
2009-10-08 13:34 221,184 a------- c:\windows\system32\wmpns.dll
2009-10-07 17:31 <DIR> --d----- c:\docume~1\jmart366\applic~1\LimeWire
2009-10-07 17:30 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-07 17:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-07 17:29 <DIR> --d----- c:\program files\LimeWire
2009-10-07 17:23 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-10-07 17:23 26,600 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-07 17:22 <DIR> --d----- c:\program files\iPod
2009-10-07 17:22 <DIR> --d----- c:\program files\iTunes
2009-10-07 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-07 17:22 <DIR> --d----- c:\program files\Bonjour
2009-10-07 17:02 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-10-07 17:02 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-10-07 17:01 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-10-07 15:56 <DIR> --d----- c:\docume~1\jmart366\applic~1\Malwarebytes
2009-10-07 15:56 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-07 15:56 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-07 15:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-07 15:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 15:13 <DIR> --d----- c:\documents and settings\jmart366\Tracing
2009-10-07 15:11 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-10-07 15:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AIM
2009-10-07 15:07 <DIR> --d----- c:\program files\AIM7
2009-10-07 15:07 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-10-07 15:07 <DIR> --d----- c:\program files\common files\AOL
2009-10-07 15:07 361 a---h--- C:\IPH.PH
2009-10-07 14:21 <DIR> --d----- c:\docume~1\jmart366\applic~1\Avaya
2009-10-07 12:26 <DIR> --d----- c:\documents and settings\jmart366\.jpi_cache
2009-10-07 12:26 <DIR> --d----- c:\documents and settings\jmart366\.java
2009-10-07 12:26 <DIR> --d----- c:\docume~1\jmart366\applic~1\Intel
2009-10-07 12:26 <DIR> --d----- c:\docume~1\jmart366\applic~1\IBM
2009-10-07 12:25 <DIR> --d----- c:\docume~1\jmart366\applic~1\ThinkVantage
2009-10-07 12:25 <DIR> --ds---- c:\documents and settings\jmart366\UserData
2009-10-07 12:25 <DIR> --d-h--- c:\documents and settings\jmart366\WLANProfiles.sav
2009-10-07 12:25 <DIR> --d----- c:\documents and settings\jmart366\WINDOWS
2009-10-07 12:25 <DIR> --d----- c:\documents and settings\jmart366

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 00:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-09 17:26 114,688 a--sh--- c:\windows\system32\butawabe.dll
2009-07-09 17:26 114,688 a--sh--- c:\windows\system32\lagehogo.dll
2009-07-09 17:32 1,011,112 a--sh--- c:\windows\system32\pijihaje.exe
2009-07-09 17:32 69,120 a--sh--- c:\windows\system32\wawebodo.dll
2009-07-09 17:26 114,688 a--sh--- c:\windows\system32\wohahibe.dll
2009-07-09 17:32 3 a--sh--- c:\windows\system32\yahetugi.dll
2009-04-24 15:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042420090425\index.dat

============= FINISH: 18:10:47.95 ===============
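As an added example (not part of the original post, of DDS, or of any tool named in this thread), the script below reads the persistence entries of a DDS log the way a helper reads the one above: it scores every DLL/EXE that appears at an AppInit_DLLs, SSODL, STS, LSA or Winlogon Notify load point, in a rundll32 Run entry, or on disk with hidden+system attributes in system32, and adds a small weight for names that fit the consonant/vowel pattern of tibukiji.dll, lagehogo.dll and wohahibe.dll. The sample lines are copied from the log above, plus one made-up benign setupapi.dll entry to show the name heuristic's false positive staying below the report threshold. The point weights, the threshold and the name regex are this example's own assumptions, not a DDS convention.

```python
"""Triage the persistence entries of a DDS log.

Added example for this thread; it is not part of DDS, RootRepeal, ComboFix
or the original post.  The point weights and the consonant/vowel name test
are this example's own assumptions, not a DDS convention.
"""
import re

# tibukiji, lagehogo, wohahibe, ...: 8+ lowercase letters strictly
# alternating consonant/vowel.  Heuristic only (it also matches the
# legitimate setupapi.dll), so a name match by itself scores LOW.
_CV_NAME = re.compile(
    r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,}[bcdfghjklmnpqrstvwxyz]?$")

# Load points where one DLL ends up in every process or every logon.
HIGH_VALUE_KEYS = ("AppInit_DLLs:", "SSODL:", "STS:", "LSA:", "Notify:")

# Matches "2009-07-09 17:26 114,688 a--sh--- c:\windows\system32\lagehogo.dll"
_FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+|<DIR>)\s+(\S{8})\s+(.+)$")

def looks_random(filename):
    """True for names fitting the CVCVCVCV pattern seen in this log."""
    stem = filename.lower().rsplit(".", 1)[0]
    return bool(_CV_NAME.match(stem))

def basenames_in(text):
    """Lower-cased *.dll / *.exe basenames mentioned anywhere in a line."""
    return [m.group(1).lower()
            for m in re.finditer(r'([^\\\s"]+\.(?:dll|exe))', text, re.I)]

def triage(log_text):
    """Return {basename: {"score": int, "evidence": [str, ...]}}."""
    findings = {}

    def hit(name, points, why):
        f = findings.setdefault(name, {"score": 0, "evidence": []})
        f["score"] += points
        f["evidence"].append(why)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = _FILE_LINE.match(line)
        if m:                                   # Created Last 30 / Find3M
            size, attrs, path = m.groups()
            name = path.rsplit("\\", 1)[-1].lower()
            if ("system32" in path.lower() and "d" not in attrs
                    and "s" in attrs and "h" in attrs):
                hit(name, 3, "hidden+system file in system32: " + line)
            if (size != "<DIR>" and name.endswith(".dll")
                    and int(size.replace(",", "")) < 1024):
                hit(name, 2, "implausibly small DLL (%s bytes)" % size)
            if looks_random(name):
                hit(name, 1, "pseudo-random file name: " + name)
            continue
        key = line.split(" ", 1)[0]             # "mRun:", "AppInit_DLLs:", ...
        for name in basenames_in(line):
            if not looks_random(name):
                continue
            if key in HIGH_VALUE_KEYS:
                hit(name, 4, "random-looking name at %s load point: %s"
                    % (key.rstrip(":"), line))
            elif key in ("mRun:", "uRun:") and "rundll32" in line.lower():
                hit(name, 3, "rundll32 Run entry loads it: " + line)
            else:
                hit(name, 1, "random-looking name: " + line)
    return findings

def report(findings, threshold=4):
    """(name, score) pairs at or above threshold, highest first."""
    ranked = sorted(findings.items(), key=lambda kv: -kv[1]["score"])
    return [(n, f["score"]) for n, f in ranked if f["score"] >= threshold]

# Constructed sample: lines copied from the DDS log posted above, plus a
# made-up benign setupapi.dll entry (made-up size) to show the name
# heuristic's false positive staying below the report threshold.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [veluhepoj] Rundll32.exe "c:\windows\system32\tibukiji.dll",a
AppInit_DLLs: lagehogo.dll c:\windows\system32\tibukiji.dll
SSODL: nugusivek - {6b943bbe-303e-4808-a237-a927d59a8f04} - c:\windows\system32\tibukiji.dll
STS: kupuhivus: {6b943bbe-303e-4808-a237-a927d59a8f04} - c:\windows\system32\tibukiji.dll
LSA: Notification Packages = scecli ACGina wohahibe.dll
==================== Find3M ====================
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-09 17:26 114,688 a--sh--- c:\windows\system32\butawabe.dll
2009-07-09 17:26 114,688 a--sh--- c:\windows\system32\lagehogo.dll
2009-07-09 17:32 1,011,112 a--sh--- c:\windows\system32\pijihaje.exe
2009-07-09 17:32 69,120 a--sh--- c:\windows\system32\wawebodo.dll
2009-07-09 17:26 114,688 a--sh--- c:\windows\system32\wohahibe.dll
2009-07-09 17:32 3 a--sh--- c:\windows\system32\yahetugi.dll
2009-07-01 12:00 100,000 a------- c:\windows\system32\setupapi.dll
"""

if __name__ == "__main__":
    for name, score in report(triage(SAMPLE_LOG)):
        print("%-14s %2d" % (name, score))
```

Run against the sample, tibukiji.dll scores highest because it is wired in at four separate load points (rundll32 Run value, AppInit_DLLs, SSODL and STS), lagehogo.dll and wohahibe.dll follow on one load point each plus hidden+system attributes on disk, and the made-up setupapi.dll entry scores 1 for its name alone, below the threshold. The design choice is that a name pattern never condemns a file by itself; it only raises the score of a file that already sits at a suspicious load point or carries suspicious attributes.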


#2 Mirrodin (Authentic Member, 37 posts)

Posted 10 October 2009 - 12:49 AM

I know that we're not supposed to bump threads or anything like that, but the last time I had this a couple days ago, and I shut my computer down, when I turned it back on the scareware had installed itself and the computer went haywire and required a new hard drive. I'd like to avoid that which means I can't turn the computer off until something is done about it. Everyone's requests are all important, this I know, so if anyone can help me out, it'd be much appreciated. Thanks in advance.

#3 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 10 October 2009 - 05:42 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#4 Mirrodin (Authentic Member, 37 posts)

Posted 10 October 2009 - 03:45 PM

This is a school computer, so they've blocked you from turning off the antivirus. I ran ComboFix anyway, since it said it could try to go through even though the antivirus was up. It was doing its thing, but then it exited out of Firefox and Windows Live Messenger. Then it said that it needed to reboot the computer, so I agreed, and now that it's rebooted, it's sitting there preparing the log report, but it's been 20+ minutes while it's been working on the log report.

#5 Mirrodin (Authentic Member, 37 posts)

Posted 10 October 2009 - 04:27 PM

ComboFix is still preparing its log report. Is it supposed to take this long?

#6 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 10 October 2009 - 07:28 PM

Hi,

Go into Task Manager > Processes tab and look for the processes Pev.exe, Sed.exe and cfxxx.exe, and end those processes. Then navigate to C:\combofix.txt and see if there is a log at that location. Post the log.



#7 Mirrodin (Authentic Member, 37 posts)

Posted 10 October 2009 - 07:53 PM

This is all there is, if I'm at the correct file. There was no combofix.txt in the C drive, but there was combofix.txt in the combofix folder in the C drive:

ComboFix 09-10-10.01 - jmart366 10/10/2009 17:06:12.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.758.153 [GMT -4:00]
Running from: C:\Documents and Settings\jmart366\My Documents\Downloads\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
 * Resident AV is active
.

#8 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 11 October 2009 - 04:18 AM

"* Resident AV is active"

This was why it didn't work.

McAfee must be disabled.

Please do the following, then run ComboFix again.

Open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.

    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)

  • Next, select never for "When to re-enable real time scanning"
  • and click OK.



#9 Mirrodin (Authentic Member, 37 posts)

Posted 11 October 2009 - 03:49 PM

I'm going to attempt what you suggested and try ComboFix again in a few minutes. Also, this popped up on McAfee's scanner:

milinase.exe detected as a FakeAlert-DZ Trojan
sisa.exe detected as a FakeAlert-DZ Trojan

Figured it might help in some way; probably can't hurt.

#10 Mirrodin (Authentic Member, 37 posts)

Posted 11 October 2009 - 04:01 PM

I don't have a McAfee Security Center. All I have is: McAfee Agent and VirusScan Enterprise. Within VirusScan Enterprise, there's no Common Tasks option. The university has restricted a lot of access so that you can't even accidentally mess with the computer. I would just go to them for another hard drive, but I would like something that gets rid of the problem and stops it from coming back, or at least, if it comes back, I can do something about it, instead of thinking about how I haven't backed up in a month and now I need a new HD and the time it takes to get everything up and running again. Any advice?



#11 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 11 October 2009 - 05:11 PM

Hi. Is it possible to uninstall McAfee until we can clean the computer, then reinstall it?



#12 Mirrodin (Authentic Member, 37 posts)

Posted 11 October 2009 - 05:54 PM

Not that I know of. All major decisions for the program are locked and I can't change any of them. I'm assuming then that there's no way to fix it?

Edit: Completely off topic, but I love your avatar.

Edited by Mirrodin, 11 October 2009 - 06:00 PM.


#13 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 11 October 2009 - 06:20 PM

You could try running ComboFix in Safe Mode and ending the process in Task Manager for anything McAfee related.



#14 Mirrodin (Authentic Member, 37 posts)

Posted 11 October 2009 - 06:29 PM

Put the computer into Safe Mode? I could try that. I'll see what happens.

#15 Mirrodin (Authentic Member, 37 posts)

Posted 12 October 2009 - 12:47 AM

I wasn't exactly sure if you meant reboot the computer in Safe Mode or not, so I tried to use Task Manager to stop anything related to McAfee. I tried to end the McShield process, but it's a system process and I wasn't allowed to. I was able to stop the others, but that didn't do anything for me. I would reboot the computer into Safe Mode, but I'm not sure what would happen when I started the computer back up normally or when I go into Safe Mode. The last time the virus took the computer down, it happened because I had rebooted. Then the scareware fully set itself up and everything happened.
