Resolved HJT Threads (resolved spyware and popup issues)

#1
Registered User
Join Date: Aug 2006
Posts: 25
OS: WinXP
Please Help With Methodical Clean
As always... time is of the essence, as I do not want to return this machine in a shaky, cluttered state. Your help is sooooo appreciated!

My cousin dropped off her infected machine for me to clean::: expired definitions I suppose was the culprit (McAfee)... but the symptoms included desktop wallpaper with a flashing warning that I couldn't change, nothing in the Control Panel's Programs to remove, Firefox opening every time I attempted to open a folder, pesky Windows-style alerts near the app bar that the computer was infected, and the inability to install anti-malware software::: what a mess!

I managed to get the above resolved... and renewed the McAfee virus app. I ran the suggested apps based on this forum's advice::: below is the DDS log, and attached are the compressed ARK.log (gmer) & ATTACH.txt logs (Archive.zip).

What now, my brilliant friends???? HiJackThis perhaps?? Thank you! Virginia

--------------------

DDS (Ver_09-01-07.01) - NTFSx86
Run by Holly Adair at 14:18:11.34 on Sat 01/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.86 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\euuqw.exe
C:\WINDOWS\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Holly Adair\Desktop\jan2009\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [Pmwluka] c:\windows\euuqw.exe
mRun: [ATIPTA] c:\windows\atiptaxx.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\docume~1\vpease\locals~1\temp\ntdll64.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hollya~1\applic~1\mozilla\firefox\profiles\yra3bm0v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 207656]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-17 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-17 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-17 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-17 40488]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-17 206112]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-17 358736]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-17 144704]
R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2005-10-17 2368]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-17 34152]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2004-12-8 320384]
S4 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]

=============== Created Last 30 ================

2009-01-17 14:13 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-17 14:13 268,648 a------- c:\windows\system32\mucltui.dll
2009-01-17 11:35 <DIR> --d----- c:\docume~1\hollya~1\applic~1\Windows Search
2009-01-17 11:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-17 11:00 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-17 10:40 8,121 a------- c:\windows\system32\Config.MPF
2009-01-17 10:29 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-17 10:29 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-17 10:29 79,240 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-17 10:29 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-01-17 10:23 <DIR> --d----- c:\program files\common files\McAfee
2009-01-17 10:12 34,152 a------- c:\windows\system32\drivers\mferkdk.sys
2009-01-17 01:03 <DIR> --d----- c:\docume~1\hollya~1\applic~1\Windows Desktop Search
2009-01-17 01:02 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-01-17 01:02 <DIR> --d----- c:\program files\Windows Desktop Search
2009-01-17 01:00 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-01-17 01:00 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-01-17 01:00 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-01-17 00:14 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-16 21:04 161,792 a------- c:\windows\SWREG.exe
2009-01-16 21:04 98,816 a------- c:\windows\sed.exe
2009-01-16 19:01 <DIR> --d----- c:\program files\Trend Micro
2009-01-16 18:39 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-16 18:39 <DIR> --d----- c:\docume~1\hollya~1\applic~1\SUPERAntiSpyware.com
2009-01-16 18:39 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-16 18:27 <DIR> --d----- c:\docume~1\hollya~1\applic~1\Malwarebytes
2009-01-16 18:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 18:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 18:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 18:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-01-17 10:53 155,648 a------- c:\windows\euuqw.exe
2009-01-16 07:31 125,440 a------- c:\windows\system32\userinit.exe
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-02 06:05 118,656 a------- c:\windows\system32\drivers\Rtnicxp.sys
2008-11-27 11:47 10,240 a------- c:\windows\system32\RtNicProp32.dll
2008-11-10 08:21 77,607 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-02-29 07:58 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2004-04-09 22:22 180,416 a------- c:\docume~1\hollya~1\applic~1\GDIPFONTCACHEV1.DAT
2003-11-30 18:21 184,048 a------- c:\documents and settings\holly adair\ei-askbar-BUNDLEWARE.exe

============= FINISH: 14:23:57.31 ===============
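A first-pass triage of the kind an HJT/DDS reviewer does by eye on the "Pseudo HJT Report" above, written out as an added example; it is not part of the original post and not code from the DDS tool. The heuristics are the editor's own assumptions: a Run-key executable dropped directly in the Windows root whose key name bears no resemblance to the file name, a Winsock LSP loaded from a temp folder, non-zero Explorer desktop lock-down policies, and a service line where DDS printed "[?]" in place of the usual "[date size]" stamp because it could not stat the binary. The sample lines are constructed to mirror entries in the log above, and a hit only queues an entry for a reviewer; it does not identify malware.

```python
"""Triage DDS 'Pseudo HJT Report' lines for entries worth a second look.

Added example; the heuristics below are the editor's assumptions, not rules
from the forum post or from the DDS tool. A hit marks a line for review, it
does not identify malware.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review"
    category: str
    detail: str


# Constructed sample: lines shaped like the ones in the DDS log above.
SAMPLE_LOG = r"""
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Pmwluka] c:\windows\euuqw.exe
mRun: [ATIPTA] c:\windows\atiptaxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
LSP: c:\docume~1\vpease\locals~1\temp\ntdll64.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
S4 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-17 144704]
"""

RUN_RE = re.compile(r"^[umd]Run: \[(?P<key>[^\]]+)\] (?P<value>.+)$")
LSP_RE = re.compile(r"^LSP: (?P<path>.+)$")
POLICY_RE = re.compile(r"^dPolicies-explorer: (?P<name>\w+) = (?P<val>\d+)")
# Service/driver line whose file DDS could not stat: it prints "[?]" where the
# "[date size]" stamp would normally be (assumption about DDS output format).
SVC_UNRESOLVED_RE = re.compile(r"^[RS]\d \w+;[^;]*;(?P<path>.+?) \[\?\]$")

# Explorer policies that lock the desktop; the two seen in the log above.
LOCKDOWN_POLICIES = {"NoSetActiveDesktop", "NoActiveDesktopChanges"}


def run_value_path(value: str) -> str:
    """Extract the executable path from a Run value ('"c:\\x y.exe" -arg' or a bare path)."""
    quoted = re.match(r'^"([^"]+)"', value)
    return (quoted.group(1) if quoted else value).strip().lower()


def in_windir_root(path: str) -> bool:
    """True for c:\\windows\\foo.exe, False for anything in a subdirectory."""
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.exe", path) is not None


def key_resembles_file(key: str, path: str) -> bool:
    """Legitimate Run entries usually name themselves after their binary
    (ATIPTA -> atiptaxx.exe); a key with no relation to the file is a red flag."""
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return key.lower()[:4] == base[:4]


def triage(log_text: str) -> list:
    """Return a Finding for every line that trips one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = run_value_path(m["value"])
            if in_windir_root(path):
                sev = "review" if key_resembles_file(m["key"], path) else "high"
                findings.append(Finding(sev, "run-key-exe-in-windir-root", f'{m["key"]} -> {path}'))
        elif m := LSP_RE.match(line):
            path = m["path"].strip().lower()
            if "\\temp\\" in path:  # a Winsock LSP has no business living in a temp folder
                findings.append(Finding("high", "lsp-loaded-from-temp", path))
        elif m := POLICY_RE.match(line):
            if m["name"] in LOCKDOWN_POLICIES and int(m["val"]) != 0:
                findings.append(Finding("review", "explorer-lockdown-policy", m["name"]))
        elif m := SVC_UNRESOLVED_RE.match(line):
            findings.append(Finding("review", "service-binary-unresolved", m["path"].strip().lower()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.category}: {f.detail}")
```

Run against the constructed sample it separates `c:\windows\atiptaxx.exe` (key name matches the file, queued as "review") from `c:\windows\euuqw.exe` (key "Pmwluka" has nothing to do with the file, "high"), and leaves `hpsysdrv.exe` alone because it lives in a subdirectory. The two `dPolicies-explorer` hits line up with the locked wallpaper the poster describes; they are what to check in the registry once the process that set them is gone.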
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,739
OS: 2000 Pro; XP Pro; XP Home
Re: Please Help With Methodical Clean
Duplicate topic, thread closed.
Patience is appreciated for this free service. We're all volunteers. As stated here: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help Quote:
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009