View Full Version : Cannot Access Anti-Virus program - scripts trying to alter registry-HJTlogfile posted
frito
2009-10-15, 19:22
Hi!

First off let me say thank you in advance for reading this and taking the time to help! It is very much appreciated!

Recently, while surfing, I noticed that a script was constantly being flagged by McAfee, saying it was "iexplore.exe" trying to modify the registry. There were like 6 "iexplore.exe" processes running at one time!

I did a scan with both the Malwarebytes Anti-Malware and SUPERAntiSpyware programs in safe mode and they found a few items, which I deleted. Then I scanned with Spybot Search & Destroy, Windows Defender, and the Microsoft Windows Malicious Software Removal Tool in safe mode, then scanned again with the Malwarebytes Anti-Malware program; all came up clean.

The iexplore.exe notifications have stopped, but now I cannot access McAfee Security Center or quick scan any files. When I try to open the program the splash screen appears for a second but the main program never launches; I can see it try to open mcshell.exe in the Task Manager, but it closes in a second.

So I am afraid it is some script causing it to shut down.

I tried renaming the McAfee files to different names to see if they would then launch, but they did not. I also noticed I still have 2 "csrss.exe" processes running at all times, and I seem to have a bunch of new temp folders in my Users folder.

Any help would be very much appreciated! I am at a loss as to what to try next!

Thanks again for any help!

I am running Windows Vista (I think 32-bit?) with Service Pack 2.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:27 PM, on 10/15/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\WLTRAY.EXE
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\ModLEDKey.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5446E
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5446E
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5446E
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [MoLed] ModLEDKey.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-287529226-14584916-2173285869-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avlibrary.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avlibrary.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avlibrary.dll
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6420701-06D2-4719-BE9B-5CD9F3531198}: NameServer = 205.171.3.65,205.171.2.65
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Unknown owner - C:\Windows\SYSTEM32\astsrv.exe (file missing)
O23 - Service: AVRedirector - Unknown owner - C:\Program Files\Invisible IP Map\AVRedirector.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\Windows\system32\libusbd-nt.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Unknown owner - C:\Program Files\Maxtor\Sync\SyncServices.exe (file missing)
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9021 bytes
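As an added example (not part of the thread or of any tool it mentions), here is a small Python triage pass over HijackThis-format lines like the log above. It flags the unknown Winsock LSP DLL (reported once, not once per catalog entry), Run entries that name a bare executable instead of a full path, and services whose binary is missing. The sample lines are taken from the log in the post; the flagging rules are my own heuristics, not HijackThis's.

```python
import re

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [MoLed] ModLEDKey.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O10 - Unknown file in Winsock LSP: c:\windows\system32\avlibrary.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avlibrary.dll
O23 - Service: AST Service (astcc) - Unknown owner - C:\Windows\SYSTEM32\astsrv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: AVRedirector - Unknown owner - C:\Program Files\Invisible IP Map\AVRedirector.exe (file missing)
"""

# Every HJT finding line is "<section code> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Run-key target that is quoted, absolute (C:\...) or environment-rooted (%...%).
ABS_TARGET_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%)')

def parse_hjt(text):
    """Yield (section_code, body) tuples, skipping headers and blank lines."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")

def triage(text):
    """Return (severity, code, reason, detail) for lines worth a closer look.

    Heuristics (my own, not HijackThis's):
      O10 unknown LSP DLL -> review (HJT prints it once per Winsock catalog entry)
      O4  bare file name  -> review (resolved via the search path, easy to shadow)
      O23 missing binary  -> cleanup if the owner is also unknown, else review
    """
    findings = []
    seen_lsp = set()
    for code, body in parse_hjt(text):
        if code == "O10" and "Unknown file in Winsock LSP" in body:
            path = body.split(":", 1)[1].strip().lower()
            if path not in seen_lsp:
                seen_lsp.add(path)
                findings.append(("review", code, "unknown Winsock LSP DLL", path))
        elif code == "O4":
            m = re.search(r"\] (.+)$", body)
            target = m.group(1).strip() if m else ""
            if target and not ABS_TARGET_RE.match(target):
                findings.append(("review", code, "Run entry names a bare file", target))
        elif code == "O23" and "(file missing)" in body:
            sev = "cleanup" if "Unknown owner" in body else "review"
            findings.append((sev, code, "service binary is missing", body))
    return findings

if __name__ == "__main__":
    for sev, code, reason, detail in triage(SAMPLE_LOG):
        print(f"[{sev:7}] {code}: {reason}: {detail}")
```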

shelf life
2009-10-16, 23:36
Sounds like one for McAfee support forums:

http://community.mcafee.com/index.php

frito
2009-10-17, 04:19
Thank you very much for responding.

Unfortunately, it was not just a McAfee problem; one of my external hard drives has been totally corrupted, I just can't believe it...

Please examine these logs to determine if I can save my computer. Windows crashes if I try to play any video files through any program, and I keep getting multiple new user accounts generating!!

I really would appreciate some help, that's why I posted here, because I trust you guys!

Thanks.

Please view these additional logs if needed.

shelf life
2009-10-17, 21:14
Hi,

To help show all files do this:

For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, Apply, then OK.

Next, using Explorer, navigate to:
C:\Users\Frito\AppData\Local\Temp\

and delete: kwlcapoc.sys
If it doesn't delete, reboot into safe mode and try deleting it. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option from the list: Safe Mode. Once at the safe mode desktop, try deleting the file.

frito
2009-10-18, 05:27
Thank you for responding!

I successfully deleted the file!

And I already have all the hidden files and system files showing.

Windows Explorer still crashes if I play any type of video file.

I am ready to take the next steps, so let me know what I can do next.

I really appreciate the help!

frito
2009-10-18, 05:31
Hi, I just realized that I didn't in fact have the protected operating system files unchecked.

So I unchecked it, and now I see I have 2 "desktop.ini" files appear on my desktop; one is 700 KB and one is only 150 KB...

Aren't I only supposed to have one of those files, not two?

shelf life
2009-10-18, 14:38
You can have two .ini files. One showed up because of the change you made to not hide OS files. Try checking the option again to keep them hidden.

"windows explorer still crashes if i play any type of video file"
Have you installed any codec packages lately?

frito
2009-10-19, 04:18
Thanks again for responding!

I haven't recently changed anything codec-wise.

I did an online scan with ESET, and it did find a few pieces of malware in the windows/system32 folder.

Are there any other programs that could help determine my problems? I have heard of a program called DDS, but it has an extension called .scr that my computer can't seem to know how to open; it asks me what program I want to open it in, or to choose from a list online.

Also I have heard of a program called ComboFix, but I understand it is only to be used if a tech advises you to try it.

Anyway, once again I appreciate your help, and any more scans I can provide I will be happy to do so!

:)

shelf life
2009-10-19, 23:26
Can you run Malwarebytes and SUPERAntiSpyware OK in 'normal mode'?
Do they launch OK and can they complete a scan without problems?
Can you update them OK?

Some of the signs (http://www.virusvault.us/signs1.html) of malware.

There is a guide to read before using ComboFix. Read the guide, download ComboFix to your desktop, but before you save it, rename it to combofix1.exe, then save it. Disable any AV etc. as explained in the guide, double-click the combofix1 icon and follow the prompts. Post the ComboFix log in your reply.

Guide to using ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

frito
2009-10-20, 05:28
Hi!

I downloaded the ComboFix program and renamed it accordingly, but when I launched it, as it loaded up, it gave an error:

Windows cannot open: n.pif
File Type: Unknown
Description: Windows does not recognize this file type.

Not sure what I should do now...

frito
2009-10-20, 06:45
Well, I decided to hit "Cancel" on the error message, and the program continued to do its scan.

The program restarted the computer after its scan and popped out this log (see attached).

But then nothing happened; it didn't restart again or fix my internet connection, and every time I tried to click on the Control Panel or a text file or start Firefox or run msconfig as it told me, the operation was denied due to the process accessing a registry value that was set to be deleted!!

So I restarted a few times, and it still wouldn't let me do anything!!!

I was pretty dang freaked out!

I was finally able to access the Control Panel to do a System Restore, but the first couple of restore points were corrupted, apparently due to the "shadow" copy being corrupted.

Luckily as heck for me, finally a restore point from 3 days ago worked and now I can actually access my files and the web again!!!

Sheesh!

So whatever files ComboFix removed are probably back now since I rolled the registry back, but I had to!! My computer was a paperweight there for a second.

So please check out the ComboFix log, and see if you can figure out why it messed up my system so badly, and if any of the files it removed as being malware need to be dealt with.

But I don't think I will ever run ComboFix again.

frito
2009-10-20, 06:46
Oh sorry, here is the log.

shelf life
2009-10-20, 23:48
You had a malware driver running. Malware is getting much harder to find and remove on machines. See if you can update and run Malwarebytes, and post its log as well as DDS:

MBAM:

Click the MBAM icon on your desktop. Once the program has loaded, click the Update tab, then check for updates. Select the Scanner tab, Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items. If prompted please choose Yes to restart your computer.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

DDS:

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection. Double-click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Copy/paste both logs in your reply.

frito
2009-10-22, 08:19
Hi,

Thanks again for responding!

I will post the Malwarebytes scan when it gets done, but I am having problems running DDS.scr; when I try to run it, it says:

************************************
Windows cannot open the file "DDS.scr"

To open this file, Windows needs to know what program you want to open the program with
************************************

It suggested I have Windows go online to try to determine what program to use, but it said "no program known".

Any ideas?

shelf life
2009-10-22, 23:36
OK, forget DDS. See if you can use Dr.Web:

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit icon to start the program.
* Press Start.
* Allow the program to run the initial express scan.
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop-up may appear during this phase suggesting you purchase their program; click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours.)
* During this complete scan, if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note: (If the file cannot be cured, Dr.Web will automatically delete the file.)
* Once the scan is complete, on the menu bar, click File and choose Report List.
* Save the report to your desktop. The report will be called DrWeb.csv.
* Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web CureIt.
* Please post the Dr.Web.txt report in your next reply.

tashi
2009-10-28, 04:48
This thread has been closed due to inactivity.

As it has been four days or more since your last post, it will not be re-opened.

If you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Thank you shelf life.