
mighty magoo

January 29, 2011 at 18:32:21
Specs: Windows XP, Pentium Dual core 3 GB

I scan with Malwarebytes and it finds
Folders Infected:
c:\documents and settings\User\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.
I choose to delete it and reboot. I scanned again and the virus or PUP comes back. I don't see anything called Mighty Magoo in Add/Remove. The way I got Mighty Magoo is a family member clicked an ad that said play Super Mario Brothers, the old Nintendo game, online. It installed a toolbar, can't remember which toolbar, but I removed that, and Mighty Magoo keeps coming back.
Please forgive my typos, it's late and I am tired. I also go to that folder and it's not showing up even if I choose view all files.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.




#1
January 29, 2011 at 23:41:17

Run the following free online virus scan. Run it at least 3 times, then post the 3rd log here. Each scan could take 2 hours.
Using ESET's Online Scanner
http://forums.majorgeeks.com/showth...
http://www.eset.eu/online-scanner


#2
January 30, 2011 at 05:59:16

I scanned twice; the first time it found some rogue AV, the second time it found nothing. About to scan a 3rd time, 2 scans in an hour. And I do not see a log to post.


#3
January 30, 2011 at 08:33:29

I just read the FAQ.

How can I view the log file from ESET Online Scanner?

http://www.eset.eu/eset-online-scan...

The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the desktop.



#4
January 30, 2011 at 13:07:36

OK here is the log.

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=e6e3db51d2d19a4c9f7c50320c0835b2
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-01-30 07:08:52
# local_time=2011-01-30 02:08:52 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1029 16777214 0 1 3094907 3094907 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 10587221 10587221 0 0
# scanned=85914
# found=0
# cleaned=0
# scan_time=2922


#5
January 30, 2011 at 13:26:22

OK, now UPDATE & run Malwarebytes (Mbam).

Reboot .

Run Mbam again & post the log.



#6
January 30, 2011 at 13:48:11

Just updated it and scanned it here are the results.


#7
January 30, 2011 at 14:25:24

Sorry about that, I had to rescan; there was a problem with the log. But Malwarebytes still finds Mighty Magoo, and I removed it before and just removed it again.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5642

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/30/2011 5:23:28 PM
mbam-log-2011-01-30 (17-23-28).txt

Scan type: Full scan (C:\|)
Objects scanned: 219844
Time elapsed: 22 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\User\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


#8
January 30, 2011 at 14:36:06

"Sorry about that I had to rescan problem with the log but maleware still finds mighty magoo and I reoved it before and just removed it"
Don't understand what you are saying here; your log says you are clean.

We are not finished yet.

How is the comp running?



#9
January 30, 2011 at 17:27:26

Computer runs fine, and I checked with Malwarebytes to remove Mighty Magoo and it found it again. I rebooted and scanned again.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5642

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/30/2011 8:27:12 PM
mbam-log-2011-01-30 (20-27-12).txt

Scan type: Full scan (C:\|)
Objects scanned: 219874
Time elapsed: 30 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\User\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


#10
January 30, 2011 at 17:28:56

Reply to post number 8: I was not able to get the log, that's what I meant. No big deal, it was P.B.K.A.C.


#11
January 30, 2011 at 17:40:28

I take it the comp is now running OK.

Run ATF Cleaner
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.atribune.org/
http://www.atribune.org/index.php?o...
Forum
http://www.atribune.org/forums/
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
This will remove all files from the items that are checked so if you have some cookies you'd like to save, please move them to a different directory first, or use CCleaner. http://img830.imageshack.us/i/cclea...



#12
January 30, 2011 at 18:57:14

I ran the ATF, then ran CCleaner, and then did a Malwarebytes quick scan, and Mighty Magoo is still there. I selected all on the ATF and rebooted. I did notice the computer started up faster after the ATF. But Mighty Magoo just keeps coming back. I just cannot get rid of this PUP. Here is the log again.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5643

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/30/2011 9:57:01 PM
mbam-log-2011-01-30 (21-57-01).txt

Scan type: Quick scan
Objects scanned: 149628
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\User\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


#14
February 4, 2011 at 03:06:46

I had the same problem that you do. I found out the problem is in an add-on in the Firefox browser (also in Google Chrome). Run your scans to make sure your system is clean, reboot, and open IE; surf for a few minutes, then scan and reboot, and everything will come up clean. Then open Firefox just for a few minutes, then close the browser and scan, and you will have Mighty Magoo in the results. Good luck and let me know....

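The mechanism #14 describes (the folder is re-created whenever Firefox starts) means the useful question is where Firefox is picking the add-on up from, not how many times Malwarebytes can delete it. The script below is an added example written for this thread, not code from any poster, Mozilla or Malwarebytes. It lists every location Firefox 3.x loads add-ons from: each profile's extensions folder, the per-user sideload folder %APPDATA%\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} (the path in the detection above), the application's own extensions folder and, on Windows, the HKCU/HKLM Software\Mozilla\Firefox\Extensions registry values, and reports any add-on ID that is not on an allowlist. The allowlist holds only IDs the ComboFix log in this thread lists; demo() builds a constructed directory tree on a temp path so the example runs anywhere, and on Windows the main block scans the real locations.

```python
"""Inventory the places Firefox 3.x loads add-ons from and flag unknown IDs.

Added example, not from the thread. Assumed: the Firefox application GUID
(taken from the OP's detection path), the standard sideload locations, and the
allowlist, which is built only from IDs the thread's ComboFix log listed.
"""
import os
import tempfile

FIREFOX_GUID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"

# IDs the ComboFix log in this thread listed as ordinary Firefox extensions.
KNOWN_OK = {
    "{972ce4c6-7e08-4474-a285-3208198ce6fd}",  # default theme
    "{20a82645-c095-46ed-80e3-08825760534b}",  # .NET Framework Assistant
    "jqs@sun.com",                             # Java Quick Starter
}


def extension_roots(appdata, program_files):
    """Directories Firefox scans for add-ons: every profile, the per-user
    sideload folder, and the application's own extensions folder."""
    roots = []
    profiles = os.path.join(appdata, "Mozilla", "Firefox", "Profiles")
    if os.path.isdir(profiles):
        for prof in sorted(os.listdir(profiles)):
            roots.append(os.path.join(profiles, prof, "extensions"))
    roots.append(os.path.join(appdata, "Mozilla", "extensions", FIREFOX_GUID))
    roots.append(os.path.join(program_files, "Mozilla Firefox", "extensions"))
    return [r for r in roots if os.path.isdir(r)]


def registry_sideloads():
    """ID -> path values under HKCU/HKLM Software\\Mozilla\\Firefox\\Extensions.
    Returns {} off Windows, where the hive cannot be read."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Mozilla\Firefox\Extensions")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                found[name] = value
                i += 1
    return found


def inventory(roots):
    """Map add-on ID -> install locations. An entry is a folder, an .xpi, or a
    'proxy file' (a text file named after the ID whose first line is the real
    path). os.listdir returns hidden entries, so Explorer's view settings don't matter."""
    found = {}
    for root in roots:
        for name in sorted(os.listdir(root)):
            path = os.path.join(root, name)
            ext_id = name[:-4] if name.lower().endswith(".xpi") else name
            if os.path.isfile(path) and not name.lower().endswith(".xpi"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    path = f"{path} -> {fh.readline().strip()}"
            found.setdefault(ext_id, []).append(path)
    return found


def unknown_addons(inv, allowlist=KNOWN_OK):
    """(ID, location) pairs for every add-on not on the allowlist."""
    return sorted((i, p) for i, paths in inv.items() if i not in allowlist for p in paths)


def demo():
    """Constructed tree mirroring the thread's paths; returns the unknown list."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = os.path.join(tmp, "Application Data")
        pf = os.path.join(tmp, "Program Files")
        os.makedirs(os.path.join(appdata, "Mozilla", "Firefox", "Profiles",
                                 "dn3ucd4b.default", "extensions",
                                 "{20a82645-c095-46ed-80e3-08825760534b}"))
        os.makedirs(os.path.join(appdata, "Mozilla", "extensions", FIREFOX_GUID,
                                 "textlinks@mmagoo.com"))
        app_ext = os.path.join(pf, "Mozilla Firefox", "extensions")
        os.makedirs(os.path.join(app_ext, "{972ce4c6-7e08-4474-a285-3208198ce6fd}"))
        with open(os.path.join(app_ext, "jqs@sun.com"), "w") as fh:  # proxy file
            fh.write(os.path.join(pf, "Java", "jre6", "lib", "deploy", "jqs", "ff") + "\n")
        return unknown_addons(inventory(extension_roots(appdata, pf)))


if __name__ == "__main__":
    if os.name == "nt":
        roots = extension_roots(os.environ["APPDATA"], os.environ["ProgramFiles"])
        for ext_id, where in unknown_addons(inventory(roots)):
            print(f"UNKNOWN {ext_id}: {where}")
        for ext_id, where in registry_sideloads().items():
            print(f"REGISTRY {ext_id}: {where}")
    else:
        print(demo())
```

Anything the script prints as UNKNOWN or REGISTRY is a candidate for the thing that re-creates the folder: a second add-on that drops textlinks@mmagoo.com on startup, or a registry sideload value that makes Firefox install it from elsewhere. Deleting the folder alone, as the logs above show, only removes the copy that was installed last.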

#15
February 5, 2011 at 04:46:28

I have 2 computers; I will just use the one I am on to read instructions. Sorry I have not come back for a few days, I have been busy. Thanks for your help, I will try it now.


#16
February 5, 2011 at 05:09:57

OK, here is the ComboFix log.


ComboFix 11-01-31.02 - User 02/05/2011 7:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2112 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\GoToAssistDownloadHelper.exe
c:\program files\INSTALL.LOG

.
((((((((((((((((((((((((( Files Created from 2011-01-05 to 2011-02-05 )))))))))))))))))))))))))))))))
.

2011-02-05 03:20 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6154476A-9BC3-4948-8FD8-4DDDB26DFBC2}\mpengine.dll
2011-01-28 22:43 . 2011-01-28 22:44 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2011-01-28 22:42 . 2011-01-12 09:42 25088 ----a-w- c:\windows\system32\drivers\teamviewervpn.sys
2011-01-28 22:42 . 2011-01-28 22:42 -------- d-----w- c:\program files\TeamViewer
2011-01-25 13:59 . 2011-01-25 13:59 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\uTorrentBar
2011-01-21 03:30 . 2008-07-25 16:48 28672 ----a-w- c:\windows\system32\CtAudPth.exe
2011-01-21 03:30 . 2008-07-21 17:41 2830336 ----a-w- c:\windows\system32\stlang.dll
2011-01-21 03:30 . 2008-07-11 19:15 466944 ----a-w- c:\windows\system32\AESTFltr.exe
2011-01-21 03:30 . 2008-07-11 19:15 172032 ----a-w- c:\windows\system32\AESTCtrl.cpl
2011-01-21 03:30 . 2008-07-21 17:41 8101978 ----a-w- c:\windows\system32\idtsg.cpl
2011-01-20 15:50 . 2011-01-25 13:59 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Conduit
2011-01-20 12:48 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-19 03:03 . 2011-02-05 13:01 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2011-01-19 03:01 . 2011-01-19 03:01 -------- d-----w- c:\program files\Common Files\Skype
2011-01-19 03:01 . 2011-02-05 13:00 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2011-01-19 03:01 . 2011-01-24 01:14 -------- d-----r- c:\program files\Skype
2011-01-19 03:01 . 2011-01-19 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-01-19 02:23 . 2011-01-19 02:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-01-19 01:52 . 2011-01-19 01:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-18 07:14 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A9C635E9-4C1D-4503-B362-04C575A21F03}\mpengine.dll
2011-01-16 13:54 . 2011-01-17 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-01-14 23:27 . 2011-01-14 23:27 -------- d-sh--w- c:\documents and settings\All Users\Application Data\PIAYWOUCS
2011-01-14 23:26 . 2011-01-30 12:43 -------- d-sh--w- c:\documents and settings\All Users\Application Data\9b2e03
2011-01-11 16:07 . 2011-01-25 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-01-11 16:07 . 2011-01-18 02:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-08 23:43 . 2011-01-08 23:43 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\WMTools Downloaded Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-24 23:58 . 2010-12-24 23:58 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-20 23:09 . 2010-08-07 18:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-07 18:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2009-06-02 21:39 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-13 15:17 . 2010-11-13 15:17 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-11-13 15:17 . 2010-10-07 14:16 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-11-13 15:17 . 2010-11-13 15:17 129248 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-11-13 15:16 . 2010-11-13 15:16 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2010-11-12 23:53 . 2010-08-11 00:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2009-06-02 22:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-10 04:33 . 2010-10-26 16:06 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-11-09 14:52 . 2008-04-13 23:00 249856 ----a-w- c:\windows\system32\odbc32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-05 288040]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-07-11 466944]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-11-29 02:55 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Remote Access.lnk]
backup=c:\windows\pss\Dell Remote Access.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 01:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 23:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 20:21 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-10-31 01:06 2595616 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Dell Remote Access\\ezi_ra.exe"=
"c:\\Program Files\\Common Files\\Dell\\Advanced Networking Service\\hnm_svc.exe"=
"c:\\Program Files\\Common Files\\Dell\\apache\\bin\\httpd.exe"=
"c:\\Program Files\\Common Files\\Dell\\MySQL\\bin\\mysqld.exe"=
"c:\\Program Files\\Common Files\\Dell\\MySQL\\bin\\mysql.exe"=
"c:\\Program Files\\Common Files\\Dell\\apache\\php.exe"=
"c:\\Program Files\\Common Files\\Dell\\Remote Access File Sync Service\\dsl_fs_sync.exe"=
"c:\\Program Files\\Common Files\\Dell\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"40080:TCP"= 40080:TCP:Remote Access Media Server
"40090:TCP"= 40090:TCP:Streaming Web Cam
"40091:TCP"= 40091:TCP:Streaming Web Cam
"40092:TCP"= 40092:TCP:Streaming Web Cam
"40093:TCP"= 40093:TCP:Streaming Web Cam
"40094:TCP"= 40094:TCP:Streaming Web Cam

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 Apache2.2;Remote Access Media Server;c:\program files\Common Files\Dell\apache\bin\httpd.exe [9/21/2007 12:26 PM 15872]
R2 dsl-db;Remote Access DB;c:\program files\Common Files\Dell\MySQL\bin\mysqld.exe [9/14/2007 12:35 PM 5730304]
R2 dsl-fs-sync;Remote Access File Sync Service;c:\program files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe [1/5/2009 4:19 PM 173296]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [1/28/2011 5:42 PM 2253688]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/2/2009 5:01 PM 108160]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [6/2/2009 5:00 PM 160256]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [1/28/2011 5:42 PM 25088]
S0 cerc6;cerc6; [x]
S1 MpKsl7a9f1dd3;MpKsl7a9f1dd3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6154476A-9BC3-4948-8FD8-4DDDB26DFBC2}\MpKsl7a9f1dd3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6154476A-9BC3-4948-8FD8-4DDDB26DFBC2}\MpKsl7a9f1dd3.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/7/2010 1:15 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [8/7/2010 2:46 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [8/7/2010 2:46 PM 3072]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/13/2008 6:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 18:15]

2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-07 18:15]

2011-02-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell
uInternet Settings,ProxyServer = http=127.0.0.1:25521
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\dn3ucd4b.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-05 08:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1224)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(8656)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\idt\xpm09_6047v002\wdm\STacSV.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\IDT\WDM\sttray.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\DellTPad\HidFind.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2011-02-05 08:06:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-05 13:06

Pre-Run: 217,687,457,792 bytes free
Post-Run: 217,585,360,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C4C9BF9815D24FADE88E1F5E8237E746


#17
February 5, 2011 at 05:57:43

OK, now I did a scan with Malwarebytes again. It is still there.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5683

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/5/2011 8:50:21 AM
mbam-log-2011-02-05 (08-50-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 220647
Time elapsed: 31 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\User\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

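Five near-identical Malwarebytes logs have been posted by this point, each showing the same folder "Quarantined and deleted successfully". As an added example (not from the thread, the posters, or Malwarebytes), the parser below pulls the summary counts and the detection lines out of a 1.x-format log, checks that the summary counts agree with the detail lines, and, given several parsed logs, reports detections that were "deleted" in more than one scan, which is exactly the re-creation pattern this thread shows. The two logs embedded in it are constructed, abridged copies of the ones posted above; the line shapes are taken from those posts.

```python
"""Parse Malwarebytes 1.x scan logs and spot detections that recur across scans.

Added example, not from the thread. LOG_A and LOG_B are constructed, abridged
versions of the logs posted above (same section and item line shapes).
"""
import re

LOG_A = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5642
Scan type: Full scan (C:\|)

Memory Processes Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\User\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""
# A later scan with a newer database that reports the identical detection.
LOG_B = LOG_A.replace("Database version: 5642", "Database version: 5683")

# "Folders Infected: 1" (summary) and "Folders Infected:" (detail header).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# "<path> (<detection name>) -> <action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return {'db_version', 'scan_type', 'counts': {section: n}, 'items': [...]}."""
    info = {"db_version": None, "scan_type": None, "counts": {}, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            if m.group("count") is not None:  # summary block at the top
                info["counts"][section] = int(m.group("count"))
            continue
        if line.startswith("Database version:"):
            info["db_version"] = int(line.split(":", 1)[1])
        elif line.startswith("Scan type:"):
            info["scan_type"] = line.split(":", 1)[1].strip()
        elif section and line and not line.startswith("(No malicious"):
            m = ITEM_RE.match(line)
            if m:
                info["items"].append({"section": section, **m.groupdict()})
    return info


def count_mismatches(parsed):
    """Sections whose summary count disagrees with the detail lines found,
    as {section: (summary_count, detail_lines)}."""
    seen = {}
    for it in parsed["items"]:
        seen[it["section"]] = seen.get(it["section"], 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in parsed["counts"].items()
            if n != seen.get(s, 0)}


def recurring_detections(parsed_logs):
    """Detections reported as deleted in more than one scan: the signature of
    something re-creating the item between runs rather than a failed delete."""
    tally = {}
    for p in parsed_logs:
        keys = {(it["name"], it["path"].lower()) for it in p["items"]
                if "deleted" in it["action"].lower()}
        for key in keys:  # one count per scan, however many times it is listed
            tally[key] = tally.get(key, 0) + 1
    return sorted(({"name": n, "path": pth, "scans": c}
                   for (n, pth), c in tally.items() if c > 1),
                  key=lambda d: -d["scans"])


if __name__ == "__main__":
    logs = [parse_mbam_log(LOG_A), parse_mbam_log(LOG_B)]
    for d in recurring_detections(logs):
        print(f"{d['name']} deleted in {d['scans']} scans: {d['path']}")
```

Feed it the actual mbam-log-*.txt files in the order they were produced and a recurring entry tells you the delete is succeeding each time; the fix has to target whatever writes the folder back, which is what #14 is getting at.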

#18
February 5, 2011 at 16:55:19

Try this.

Spyware Doctor Starter Edition
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...



#19
February 5, 2011 at 18:24:01

Umm, Spyware Doctor is a hoax. It scans, then tries to get you to buy it.




#20
February 5, 2011 at 19:58:08

Christopher,

Please run a scan with Rkill found here: http://download.bleepingcomputer.co... (after Rkill finishes, please DO NOT reboot as this will cause the malicious process to start up again), after you've run Rkill, please try re-scanning with MalwareBytes.

If this doesn't work for you, I'd like you run Gmer (which is a Rootkit detector/remover) just to be on the safe side. After it finishes, please post the log: http://majorgeeks.com/downloadget.p...

Before scanning with Gmer, please do the following in this order...

1) Disconnect from the internet and close ALL running programs.

2) Disable any Anti-Virus/Anti-Spyware software currently running to avoid conflicts.

3) Double click on "Gmer.exe", and allow its .sys driver to load.

4) Gmer will then open and run a quick scan. Please DO NOT USE THE COMPUTER WHILE THE SCAN IS IN PROGRESS.

5) If you receive a warning about Rootkit Activity on your system and are asked to do a full scan click No.

6) Click the Scan button, and if you see a Rootkit Warning window click Ok (it should be the only option in the dialog box).

7) When the scan is finished, please click Save, and save the log to your desktop as Gmer.log.

8) Click the Copy button and paste the log into your next reply.

9) Re-enable any Anti-Virus/Anti-Spyware software and any other security software you've disabled (Firewall).

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#21
February 6, 2011 at 01:18:54

OK I will try RKill later.




#22
February 6, 2011 at 14:17:17

Okay, I will assist you further once the log is posted.




#23
February 7, 2011 at 12:04:52

"Umm, Spyware Doctor is a hoax. It scans, then tries to get you to buy it."
When you use the FREE version of a lot of programs, they would like you to buy it; even MBAM does that.

This screenshot is what I always get when the scan is finished.
http://www.mediafire.com/imageview....

When I googled > PUP.MightyMagoo, it was one of the programs that was successful.



#24
February 7, 2011 at 12:11:02

I'm sorry, Johnw. Maybe I got mixed up with another program. But I tried some spyware program, and in order to remove what it found I was told I had to purchase. MBAM is 100% free and removes what it finds, but there is a paid version that does a little more. I scanned again yesterday and nothing was found. Here is what I did. I went to the Firefox folder, deleted the extensions and rebooted. Scanned again and nothing found; looked back in the Firefox folder and extensions was back, but no Mighty Magoo was found. I've scanned several times and all clean now. Sorry about the misunderstanding and thanks for the help.




#25
February 7, 2011 at 14:37:57

"but there is a paid version that does a little more"

Christopher, it runs in realtime as an AV, so in other words if one was to purchase MBAM, you would need to remove any other AV (not to be confused with a spy program) program.

I have been using MBAM free for about 8 years & it is one of the first tools I use for cleaning up an infected comp that I get to fix.



#26
February 7, 2011 at 15:25:22

OK, I have used MBAM for a while also. I knew there was a paid version, just didn't know what it all did. Now I remember seeing it had real-time protection. Just like Super Antispyware has real-time protection, and in the free one it protects your home page.




#27
March 4, 2011 at 09:02:08

Hi, this is Mighty Magoo Support. In the wake of some negative comments that have been made about our website, we want to reinforce that the Mighty Magoo site, downloads, and games are formally TRUSTe certified and audited. Mighty Magoo is not spyware, malware, a virus, or a hijacker of anything, nor has it ever been.

Our business model is to develop and publish free-to-play games to our site by requiring our audience to download the Mighty Magoo ad-supported software so as to become a member, unlock the site, and make the entire game library available. If you uninstall the software, the site will lock and the games will be unavailable to you.

In order to install the Mighty Magoo advertising software, you must respond to one of our owned and controlled landing pages that provide full disclosure in the About Us, Terms, and Privacy sections links. Since we recognize that many consumers may not read one of these three available selections, we also provide, at the first step of downloading, a fully detailed disclosure screen that clearly states what activities and actions the Mighty Magoo ad software performs. This ad software is not bundled with any other software. It has fully-branded disclosure on each ad unit and does not attempt to hide or obscure its activities.

The Mighty Magoo advertising software can be fully removed by using the Add/Remove Programs within Control Panel or using our “deactivation” software provided on the mightymagoo.com site. Removal of the software using various unsanctioned virus or spyware removal tools may not work properly and could cause greater problems for your Add/Remove Programs feature, browser, or operating system. We strongly recommend that you choose to remove the software using Add/Remove Programs or our deactivation software and not using third-party spyware, malware, or antivirus tools. This will completely remove all components of the Mighty Magoo advertising software.

If you have further questions or need support, please contact our toll-free number located on the About Us section of mightymagoo.com.



#28
March 4, 2011 at 13:07:51

Hi Magooroo,
I see this is a standard reply your site sends in response to bad press.
As you state, your software is adware, and AV scanners/malware scanners pick it up.
Your WOT (Web Of Trust) rating is solid RED. Users of your site have stated your site engages in c/card scams, gift reward scams, adware and malware, trojans? Your sister companies are Gamevance and Playshusi. It is known to contain the Duck Play virus.
You make an addon which is hard to remove and requires you to go back to a dodgy site to remove it?
Why don't you change the way your site works and get your WOT rating changed by doing things that inspire trust in your service? Bombarding kids with ads will not sell stuff.
The fact that TRUSTe has awarded you their seal is amazing!!
Until your WOT rating is GREEN I will be giving it a miss.
Sites like Free Online Games are rated GREEN and don't thrash my kids with ads or load dodgy addons.

