Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91700 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Trojan.CWSMeup.b


  • This topic is locked This topic is locked
91 replies to this topic

#46 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 27 March 2007 - 07:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:10:38 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Marty Sellers\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

    Advertisements

Register to Remove


#47 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 27 March 2007 - 09:16 PM

mcupdmgr.exe;c:\program files\mcafee\msc;Probably DLOADER.Trojan;Incurable.Moved.

I am not sure that the above is a bad file. Please locate it on your computer so you know the path and can find the file. I want you to submit it to Jotti to check it out.

STEP 1.
======
Please show all files for your system.
You will need to reverse this process when all steps are done.


Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
mcupdmgr.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select properties from the popupmenu). Look if you can find some company information, etc.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#48 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 28 March 2007 - 05:01 AM

Object "grokster Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "grokster Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "hotbar Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "hotbar Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Object "browseraid Spyware/Adware" found in File System! Action Taken: Entries Removed. Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: Entries Removed. Entry "HKCR\AOLCoach.TrainerOCXCtrl.10" refers to invalid object "{E04EAE82-14AD-41CB-BF5A-45556ABB8347}". Action Taken: Entries Removed. Entry "HKCR\CoachDM.WebCoachDownload" refers to invalid object "{E04EAE82-14AD-41CB-BF5A-45556ABB8347}". Action Taken: Entries Removed. Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: Entries Removed. Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: Entries Removed. Entry "HKCR\Context.test" refers to invalid object "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}". Action Taken: Entries Removed. Entry "HKCR\DirectAnimation.PathControl" refers to invalid object "{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}". Action Taken: Entries Removed. Entry "HKCR\DirectAnimation.Sequence" refers to invalid object "{4F241DB1-EE9F-11D0-9824-006097C99E51}". Action Taken: Entries Removed. Entry "HKCR\DirectAnimation.SequencerControl" refers to invalid object "{B0A6BAE2-AAF0-11D0-A152-00A0C908DB96}". Action Taken: Entries Removed. Entry "HKCR\DirectAnimation.SpriteControl" refers to invalid object "{FD179533-D86E-11D0-89D6-00A0C90833E6}". Action Taken: Entries Removed. Entry "HKCR\DirectAnimation.StructuredGraphicsControl" refers to invalid object "{369303C2-D7AC-11D0-89D5-00A0C90833E6}". Action Taken: Entries Removed. Entry "HKCR\FujifilmUploadClient.FujifilmUploader.1" refers to invalid object "{A8683C98-5341-421B-B23C-8514C05354F1}". Action Taken: Entries Removed. Entry "HKCR\JavaPlugin.FamilyVersionSupport" refers to invalid object "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}". Action Taken: Entries Removed. Entry "HKCR\LSClient.SubscriptionInfo" refers to invalid object "{9B3A3465-FE53-11D3-9784-005004D12CC3}". Action Taken: Entries Removed. Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: Entries Removed. Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: Entries Removed. Entry "HKCR\StatusRequestHandler.StatusNotifier" refers to invalid object "{EAEF733D-5B08-4e85-8440-5A087504DF87}". Action Taken: Entries Removed. Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\system32\LegitCheckControl.DLL". Action Taken: Entries Removed. Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Kodak\Kodak Software Updater\7288971\6.1.4.37-7288971L\Program\PrvCnt.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\BSZIP.DLL". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Fonts\HUM521BI.TTF". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Fonts\GOUDYOSI.TTF". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Fonts\GOUDYOSB.TTF". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\WildTangent\Apps\Dell Game Console\Downloads\Installers\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\WildTangent\Apps\Dell Game Console\Downloads\Installers\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\WildTangent\Apps\Dell Game Console\Downloads\Installers\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\WildTangent\Apps\Dell Game Console\Downloads\Installers\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\WildTangent\Apps\Dell Game Console\Downloads\Installers\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\ComcastToolbar\Cache\ppctl.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\LegitCheckControl.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\kdlang\1033.ini". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWCHelpr-7288971.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWfiles-7288971.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWTargetInf.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\EnDisSrv.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\frext-7288971.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\KDPostRep.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\KSUUtil.exe". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\backweb.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\bwfiles.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\bwsec.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\clntutil.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\FrExt.dll". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\README\Updater_Readme_1033.HTM". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\GTDownloaderDE\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\WildTangent\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\My Documents\My Music\Corel Sample Music\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Decomposers\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Installer\{77772678-817F-4401-9301-ED1D01A8DA56}\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\IDS\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\VirusDefs\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton AntiVirus\IWP\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton AntiVirus\IWP\IDSDefs\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Security Center\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton AntiVirus\Quarantine\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton AntiVirus\Quarantine\Portal\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton AntiVirus\Quarantine\Incoming\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Start Menu\Programs\Norton AntiVirus\". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Installer\{C6F5B6CF-609C-428E-876F-CA83176C021B}\". Action Taken: Entries Removed. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".1". Action Taken: Entries Removed. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dna". Action Taken: Entries Removed. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".opt". Action Taken: Entries Removed. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uce". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AOL Connectivity Services". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AOLCoach". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "LiveReg". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "LiveUpdate". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "McAfee Personal Firewall Plus". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mcafee SecurityCenter". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "VirusScan Online". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WildTangent CDA". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7698EDA5-A90F-4205-99CB-8FF6F9048ED9}". Action Taken: Entries Removed. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{CAA10E9F-579B-4743-B800-63E734EF5DA8}". Action Taken: Entries Removed.

#49 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 28 March 2007 - 05:02 AM

Above is the MWAV scan. I ran it before I got your last instruction.

#50 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 28 March 2007 - 05:11 AM

Jotti says file not found.

#51 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 28 March 2007 - 05:25 AM

Does the file mcupdmgr.exe exist on your computer anywhere? Can you do a search for it? What I am afraid of if that the file may have been a good McAfee file.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#52 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 28 March 2007 - 07:39 AM

I am at work now. I will search for the file when I get home. Dr.CureIt was supposed to have quarantined this file so it must exist. Did you see the MWAV scan?

#53 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 28 March 2007 - 07:56 AM

Yes I saw the MWAV report. It always gives a ton of stuff that is irrelevant. It's the "infected" which is important. I like the MWAV because you can scan and not clean files. Your hijackcthis log appears to be clean. DrWebCureit deleted the infected restore files. My main concern now is whether a McAfee file was quarantined that should not have been. I do not want to risk crippling your MacAfee.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#54 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 28 March 2007 - 09:02 AM

I did get a warning that McAfee needed to be reinstalled but I have not done that because I didn't know if I should do that now or not.

#55 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 28 March 2007 - 03:44 PM

If you could get that file back, then I would uninstall McAfee and then proceed with downloading a new copy and installing it. What you need to be careful of is making sure that it uninstalls cleanly before you download and install the new copy. I had problems in the past where McAfee did not uninstall cleanly and then the new downloaded version would not install properly. They have probably improved things since then which has been a few years ago.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

    Advertisements

Register to Remove


#56 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 28 March 2007 - 04:25 PM

I did locate the file in Dr. Web. Here is the VirusTotal log: VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines. Select file : DistributeSSL Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu: News Hot news in the virus/antivirus sector. Estadisticas Statistics of VirusTotal procesing. Virustotal More info about Virustotal. STATUS: FINISHEDComplete scanning result of "mcupdmgr.exe", received in VirusTotal at 03.29.2007, 00:13:08 (CET). Antivirus Version Update Result AhnLab-V3 2007.3.27.0 03.28.2007 no virus found AntiVir 7.3.1.44 03.28.2007 no virus found Authentium 4.93.8 03.28.2007 no virus found Avast 4.7.936.0 03.28.2007 no virus found AVG 7.5.0.447 03.28.2007 no virus found BitDefender 7.2 03.28.2007 no virus found CAT-QuickHeal 9.00 03.28.2007 no virus found ClamAV devel-20070312 03.28.2007 no virus found DrWeb 4.33 03.28.2007 DLOADER.Trojan eSafe 7.0.14.0 03.28.2007 no virus found eTrust-Vet 30.6.3518 03.28.2007 no virus found Ewido 4.0 03.28.2007 no virus found FileAdvisor 1 03.29.2007 no virus found Fortinet 2.85.0.0 03.28.2007 no virus found F-Prot 4.3.1.45 03.28.2007 no virus found F-Secure 6.70.13030.0 03.28.2007 no virus found Ikarus T3.1.1.3 03.28.2007 no virus found Kaspersky 4.0.2.24 03.28.2007 no virus found McAfee 4994 03.28.2007 no virus found Microsoft 1.2306 03.28.2007 no virus found NOD32v2 2152 03.28.2007 no virus found Norman 5.80.02 03.28.2007 no virus found Panda 9.0.0.4 03.28.2007 no virus found Prevx1 V2 03.29.2007 no virus found Sophos 4.15.0 03.27.2007 no virus found Sunbelt 2.2.907.0 03.24.2007 no virus found Symantec 10 03.28.2007 no virus found TheHacker 6.1.6.080 03.23.2007 no virus found UNA 1.83 03.16.2007 no virus found VBA32 3.11.2 03.27.2007 no virus found VirusBuster 4.3.7:9 03.28.2007 no virus found Webwasher-Gateway 6.0.1 03.28.2007 Win32.Vulnerable.gen!High (suspicious) Aditional Information File size: 689752 bytes MD5: 993582ec1cf765206cf9d4d5ca22589f SHA1: 3e1d7093e0852aee337022c1e00fd71208b061ce VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware. > Ir a: Inicio Contactar En Español -------------------------------------------------------------------------------- www.virustotal.com :: ©Hispasec Sistemas 2004-07:: e-mail info@virustotal.com

#57 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 28 March 2007 - 08:25 PM

Finally located file in Jotti and here are results. What do I do now? Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1 File to upload & scan: Service Service load: 0% 100% File: mcupdmgr.exe Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database) MD5 993582ec1cf765206cf9d4d5ca22589f Packers detected: - Scanner results Scan taken on 29 Mar 2007 02:14:20 (GMT) AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found DLOADER.Trojan (probable variant) F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Rising Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing Powered by Disclaimer This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service. Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita. Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware. Virus definitions are updated every hour. There is a 15Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample. Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all. Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all! -------------------------------------------------------------------------------- Statistics Last file scanned at least one scanner reported something about: Trojan_Remover_6.5.9___Patch.rar (MD5: 467abe415f03ae941d05048ff8687e54, size: 942909 bytes), detected by: Scanner Malware name AntiVir X ArcaVir X Avast X AVG Antivirus X BitDefender X ClamAV X Dr.Web X F-Prot Antivirus unknown virus F-Secure Anti-Virus X Fortinet X Kaspersky Anti-Virus X NOD32 X Norman Virus Control X Panda Antivirus X Rising Antivirus X VirusBuster X VBA32 X You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives We are not affiliated with any third parties that conduct tests using this service. Frequently asked questions - Feedback - Privacy policy Page generated by JTPL Copyright © 2004-2007 Jordi Bosveld <jotti@jotti.org>

#58 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 28 March 2007 - 09:01 PM

I believe the file was a good file and it was a false positive by DrWebCureit. I do not know if you will be able to move this file back and have McAfee working properly or not. Try to move the file back and then uninstall McAfee, and install a fresh copy of McAfee. C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

Edited by Susan528, 28 March 2007 - 09:02 PM.

Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#59 cortspop

cortspop

    Authentic Member

  • Authentic Member
  • PipPip
  • 162 posts

Posted 29 March 2007 - 05:07 AM

How do I move the file back?? And why is this in the instructions: C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

#60 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 29 March 2007 - 05:44 AM

http://ts.mcafeehelp.com/?siteID=16

Your McAfee is broken. I am not a subscriber to McAfee and I do not know the best way to help you. I am sorry about the DrWebCureit problem. Please try the above link.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users