the same PUP keeps reapperaing

Computing.Net > Forums > Security and Virus > the same PUP keeps reapperaing

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

the same PUP keeps reapperaing

Name: cmac32
Date: March 15, 2006 at 11:44:10 Pacific
OS: XP home edition SP2
CPU/Ram: Intel 4 1.60GHz 256
Product: Toshiba Satellite (laptop

Comment:

I keep having a PUP show up on my computer. My anti virus (McAfee virus scan versin 10.0) finds this the same PUP Dialer-269 and is file gdnUS2218[1].exe. When I click delete, it will sometimes delete other times it will tell me it is protected. even after I do what I can to get rid of it, it still comes back. It has also been turning off my antiviurs and firewall (McAfee personal firewall plus 7.1.113) but not every time.
I have ran two adware scanners and have deleted what it has found. Before the PUP is found and I am going to a website this message appears
"When you send information to the Internet, it might be possible for others to see this information. Do you want to contiune?" after this appears and I look in my history, a porn site is listed (threexs.com) even after history was cleared. I think I covered everything so any help would be great.
Thanks

Sponsored Link

Ads by Google

Response Number 1

Name: Johnw
Date: March 15, 2006 at 13:11:28 Pacific

Reply:

First job to do, go here.
ActiveX Spyware & Adware Scanning
<a href="http://www.spywareinfo.com/xscan.php"> size="3">http://www.spywareinfo.com/xscan.php">color="red">http://www.spywareinfo.com/xscan.php
This scanner is an ActiveX applet. After a short delay in which your browser downloads the control file, you will receive a "Warning Dialogue" requesting permission for the scanner to run. Click "Yes" and the applet will pop up and scan. You will be alerted if any spyware is found. When a spyware or malware is found, you will be alerted and asked if you want to remove it. If no spyware is found, the scanner will disappear on its own.
If nothing happens, or if you are using a browser other than Internet Explorer, click here and choose either "Open" or "Run this program from its current location". Do not choose "Download".
<a href="http://www.xblock.com/download/xclean_micro.exe"> size="3">http://www.xblock.com/download/xclean_micro.exe">color="red">http://www.xblock.com/download/xclean_micro.exe
==================================
Malware Removal and Prevention: Introduction
<a href="http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction"> size="3">http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction">color="red">http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
Malware Removal and Prevention: Overview
<a href="http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview"> size="3">http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview">color="red">http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview
If Your PC is Infested w/ Spyware & Adware...
<a href="http://spywarewarrior.com/sww-help.htm"> size="3">http://spywarewarrior.com/sww-help.htm">color="red">http://spywarewarrior.com/sww-help.htm
<a href="http://spywarewarrior.com/viewtopic.php?t=6914"> size="3">http://spywarewarrior.com/viewtopic.php?t=6914">color="red">http://spywarewarrior.com/viewtopic.php?t=6914
<a href="http://spywarewarrior.com/viewtopic.php?t=10"> size="3">http://spywarewarrior.com/viewtopic.php?t=10">color="red">http://spywarewarrior.com/viewtopic.php?t=10
<a href="http://spywarewarrior.com/viewforum.php?f=30"> size="3">http://spywarewarrior.com/viewforum.php?f=30">color="red">http://spywarewarrior.com/viewforum.php?f=30
====================================
Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis. Download and unzip HijackThis.exe into this folder.
<a href="http://www.merijn.org/downloads.html"> size="3">http://www.merijn.org/downloads.html">color="red">http://www.merijn.org/downloads.html
Or, <a href="http://tomcoyote.com/hjt/"> size="3">http://tomcoyote.com/hjt/">color="red">http://tomcoyote.com/hjt/
===================================
If possible run HJT in Normal mode ( not Safe ) with all your normal startup's working.
HijackThis Tutorial - How to Analyse your own log.
<a href="http://spywarewarrior.com/viewtopic.php?t=3624"> size="3">http://spywarewarrior.com/viewtopic.php?t=3624">color="red">http://spywarewarrior.com/viewtopic.php?t=3624
HijackThis log file analysis ( online )
<a href="http://hijackthis.de/index.php?langselect=english"> size="3">http://hijackthis.de/index.php?langselect=english">color="red">http://hijackthis.de/index.php?langselect=english
Or,
<a href="http://startup.networktechs.com/page-68.html"> size="3">http://startup.networktechs.com/page-68.html">color="red">http://startup.networktechs.com/page-68.html
<a href="http://hjt.iamnotageek.com"> size="3">http://hjt.iamnotageek.com">color="red">http://hjt.iamnotageek.com

Response Number 2

Name: Johnw
Date: March 15, 2006 at 13:14:17 Pacific

Reply:

Opp's, will have to do it this way.
First job to do, go here.
ActiveX Spyware & Adware Scanning
http://www.spywareinfo.com/xscan.php
This scanner is an ActiveX applet. After a short delay in which your browser downloads the control file, you will receive a "Warning Dialogue" requesting permission for the scanner to run. Click "Yes" and the applet will pop up and scan. You will be alerted if any spyware is found. When a spyware or malware is found, you will be alerted and asked if you want to remove it. If no spyware is found, the scanner will disappear on its own.
If nothing happens, or if you are using a browser other than Internet Explorer, click here and choose either "Open" or "Run this program from its current location". Do not choose "Download". http://www.xblock.com/download/xclean_micro.exe
Malware Removal and Prevention: Introduction
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
Malware Removal and Prevention: Overview
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview
If Your PC is Infested w/ Spyware & Adware...
http://spywarewarrior.com/sww-help.htm
http://spywarewarrior.com/viewtopic.php?t=6914
http://spywarewarrior.com/viewtopic.php?t=10
http://spywarewarrior.com/viewforum.php?f=30
Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis. Download and unzip HijackThis.exe into this folder.
http://www.merijn.org/downloads.html Or, http://tomcoyote.com/hjt/
If possible run HJT in Normal mode ( not Safe ) with all your normal startup's working.
HijackThis Tutorial - How to Analyse your own log
http://spywarewarrior.com/viewtopic.php?t=3624
HijackThis log file analysis ( online )
http://hijackthis.de/index.php?langselect=english
Or,
http://startup.networktechs.com/page-68.html
http://hjt.iamnotageek.com

Response Number 3

Name: cmac32
Date: March 16, 2006 at 12:02:17 Pacific

Reply:

This didn't help. It found it and deleted it but it still came back. Any other suggestions before I bring the computer in?

Response Number 4

Name: jabuck
Date: March 16, 2006 at 15:47:39 Pacific

Reply:

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of it's on, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.
Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Response Number 5

Name: cmac32
Date: March 16, 2006 at 19:00:30 Pacific

Reply:

I did highjack this
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\TPWRTRAY.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\quickenw\QAGENT.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\mrtMngr.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CMAC\Desktop\hijack\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.noblindlinks.com/sp.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmailb.uwgb.edu/exchweb/bin/auth/owalogon.asp?url=https://webmailb.uwgb.edu/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

touch.exe excel keep formula the same the same virus keeps coming back	the same site keep opening over and over why does the same emails keep coming why is that two of the same viruses keep coming bak
See More

Response Number 6

Name: jabuck
Date: March 16, 2006 at 19:26:33 Pacific

Reply:

Looks like we only got part of an HT log, or is this all of it?

Response Number 7

Name: cmac32
Date: March 16, 2006 at 19:31:26 Pacific

Reply:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\TPWRTRAY.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\quickenw\QAGENT.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\mrtMngr.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Documents and Settings\CMAC\Desktop\hijack\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.noblindlinks.com/sp.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmailb.uwgb.edu/exchweb/bin/auth/owalogon.asp?url=https://webmailb.uwgb.edu/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QAGENT] C:\quickenw\QAGENT.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe /P26 "EPSON Stylus CX4200 Series" /O6 "USB003" /M "Stylus CX4200"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37680.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

Response Number 8

Name: jabuck
Date: March 16, 2006 at 19:58:23 Pacific

Reply:

Looks like spyaxe also.
Please download
http://www.atribune.org/content/view/19/2/ by Atribune. We will run this in safe mode later.
Download Ewido Security Suite then set it up this way Ewido Setup Instructions We will run this from safe mode later also.
Please download smitRem.zip and save it to your desktop from this link http://noahdfear.geekstogo.com/smitRem.exe Do not run a it yet.
Open the file and it will extract itself to a new folder called SmitRem.
Reboot into safe mode by following the directions Here
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again, this is normal.
Wait for the tool to complete and Disk Cleanup to finish, this may take a while; please be patient.
Next go to Start > Control Panel > click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Run HT from safe mode, close all windows, place a check to the left of the following items and pres "fix checked":
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.noblindlinks.com/sp.shtml
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
While still in safe mode navigate to this folder and delete it if found:
C:\Program Files\Security Toolbar
While still in safe mode run ATF-Cleaner.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button
While stile in safe mode run Ewido.
When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop.
Please reboot into normal mode and post the ewido log.

Response Number 9

Name: cmac32
Date: March 20, 2006 at 13:03:55 Pacific

Reply:

+ Created on: 2:49:16 PM, 3/20/2006
+ Report-Checksum: FF1C4434
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads Enhanced -> Adware.Downloadware : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2382750585-2826650621-1505288338-1005\Software\Support Software -> Adware.NetworkEssentials : Cleaned with backup
HKU\S-1-5-21-2382750585-2826650621-1505288338-1005\Software\Support Software\Params -> Adware.NetworkEssentials : Cleaned with backup
C:\WINDOWS\system32\BO2202031216.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\fly.dll -> Dropper.Mudrop.w : Cleaned with backup
C:\WINDOWS\system32\ignet.dll -> Dropper.Mudrop.w : Cleaned with backup
C:\WINDOWS\system32\ignet2.dll -> Dropper.Mudrop.w : Cleaned with backup
C:\WINDOWS\system32\nostalgia.dll -> Dropper.Agent.og : Cleaned with backup
C:\WINDOWS\system32\SHAgent1007.dll -> Adware.BargainBuddy : Cleaned with backup

::Report End

Response Number 10

Name: jabuck
Date: March 20, 2006 at 15:13:36 Pacific

Reply:

Is the pup show still occuring and haow is the computer running?

Response Number 11

Name: cmac32
Date: March 20, 2006 at 18:04:19 Pacific

Reply:

PUP has not shown up at all since I did this and computer is running good so far

Response Number 12

Name: jabuck
Date: March 20, 2006 at 19:07:05 Pacific

Reply:

If you have any more problems lets us know, glad we could help.

Response Number 13

Name: mattbl
Date: March 30, 2006 at 21:03:00 Pacific

Reply:

I have the exact same problem and was wondering if I could get some help as well. I've included my hjt log. I assume I should follow the same steps but am unsure which items I should fix.
Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 10:53:09 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Common Files\AOL\1133847289\ee\AOLSoftware.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133847289\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Response Number 14

Name: jabuck
Date: March 31, 2006 at 20:03:20 Pacific

Reply:

mattbl, Follow the instructions but don't try to delete anything with Hijack This. You should make a thread of you own or it is nearly impossible to find you post later.

Response Number 15

Name: mattbl
Date: April 1, 2006 at 21:29:57 Pacific

Reply:

Sorry about not making my own thread but your instructions worked as far as I can tell, no PUP notifications from McAfee for about an hour. Thanks a bunch for the help!

Sponsored Link

Ads by Google

trojan h91746.exe removal...

IE Crashing

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: the same PUP keeps reapperaing

gdnUS2218 Virus / Adware

Summary

www.computing.net/answers/security/gdnus2218-virus-adware/18156.html

nod 32 virus threat keeps poping up

Summary

www.computing.net/answers/security/nod-32-virus-threat-keeps-poping-up/18341.html

Portscan with the same IP as me???

Summary

www.computing.net/answers/security/portscan-with-the-same-ip-as-me/9472.html

From the Geek Dictionary
Gigabyte - 10^9 eight-bit bytes. This is not to be confused with Gibibytes which is 2...

Ask a Question!

Weekly Poll
Do you believe in Video Game Addiction?

Poll Finishes In 6 Days.
Discuss in The Lounge
Poll History

Recent Posts
wont boot up

Cpu Overheating

upgrade memory

PowerDVD displays a blank screen (Blu ray)

Pc problem

All Awaiting Reply

Tom's News
Queues in Manhattan Form as DROID Launches

Report: $99 iPhone 3GS in Time For the Holidays

Game Boy, Ball Gets Into Toy Hall of Fame

iPhone Developer Stealing Private Info

Nintendo: There is No Wii HD

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE