Help Requested

Discussion in 'Malware Help (A Specialist Will Reply)' started by Big Bill, Aug 9, 2006.

  1. Big Bill

    Big Bill Private E-2

    I posted the following yesterday and was told I had infected files in my recycle bin and temporary internet files. So I ran CCleaner again and went through the whole "Read me First" process.

    First off, I followed the READ ME FIRST procedures located at http://forums.majorgeeks.com/showthread.php?t=35407.

    Background: My McAfee kept alerting me that I was infected with the "Fake Alert-D" Trojan. Every time I closed the alert, a new one would pop up and IE would open and direct me to some web page to buy spyware removal software. So I ran a number of scans (Ad-Aware SE, Spybot S&D, SpyCatcher and a McAfee VirusScan). A number of items were found and I thought that solved the problem, so I shut down for the night. Next morning when I restarted, the same thing started happening. When I tried to run McAfee Security Center, I got a message that said some components had failed to initialize or download properly. Then it started to download automatically but froze up when it began installation. So I attempted to download from McAfee.com manually. Same thing happened. It downloads but will not install (gets stuck). So now it has removed all McAfee VirusScan and Firewall from the system. But Windows Security Center says that both are running fine and are updated and protecting my PC, but they are nowhere to be found.

    I was able to download McAfee briefly last night but then my PC was running super sluggish and I got an error message a number of times like "DCOM Service Process Launcher" failed to initialize and NT Authority/System was shutting down. I heard this might be "Blaster" worm so I attempted to find it with no luck.

    I have attached the logs but as an FYI: After I ran BitDefender, it said I was infected with "Backdoor.Optix.Pro.1" in the C:\Recyclers\S-1-5-21-1078081533-1364-725345543-1005\DC3\includesearchbar.EXE=>wise0018. It said it was "infected, disinfection failed, deleted and update failed"
     


  2. Big Bill

    Big Bill Private E-2

    Other attachments
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we begin this fix I need you to shut down Spy Sweeper and SpyCatcher so they will not block anything we try to fix.

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Learn2 Player

    Viewpoint Media Player


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://69.50.184.51/find4u/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)

    O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder

    O9 - Extra button: Help - {06509F3E-8796-46EE-8040-0FE400E96F65} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Support - {AA85E700-389A-4684-BBDD-2158624375A5} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {EB06ACA2-2094-4E4B-8BE8-131EA9A8F281} - http://www.comcast.net (file missing) (HKCU)

    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\Viewpoint

    C:\WINDOWS\about.htm

    C:\WINDOWS\didduid.ini

    C:\WINDOWS\System32\bdlds.dll

    Next, run CCleaner to clean up cookies and temp files.

    Finally, I would like you to flush your System Restore points. Please follow the instructions below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Aug 9, 2006
  4. Big Bill

    Big Bill Private E-2

    Ok, I did all that was instructed. Here is the new log, but I noticed that the one you told me to remove is still there. I tried to "Fix" it 2x but it is still there.

    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
     


  5. Big Bill

    Big Bill Private E-2

    Bump. Sorry, don't want this to get lost.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We start with the oldest threads and work our way to the newest, so bumping actually makes you wait longer. ;)


    Click Start > Run > type services.msc and Click OK

    Locate McAfee Real-time Scanner (McShield) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate McAfee SystemGuards (McSysmon) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate NVIDIA Driver Helper Service (NVSvc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Next, Click Start -> Run ->

    sc delete McShield
    (Press Enter)

    sc delete McSysmon
    (Press Enter)


    Once you're done, reboot and let me know how things are running.
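The same check and cleanup as an added PowerShell example (not from this thread or from bjgarrick): it looks up each named service, flags entries whose binary no longer exists (the condition HijackThis shows as an O23 "(file missing)" line), and, with -Remove, stops, disables and deletes only those orphaned entries, reporting the "Access is denied" case instead of silently failing. Service names default to the two from this thread; any other names are the caller's assumption.

```powershell
# Added example: audit services whose binary is missing and optionally remove them.
# Run from an elevated PowerShell prompt; sc.exe delete only marks the service for
# removal, so the entry disappears after a reboot.
param(
    [string[]]$Names = @('McShield', 'McSysmon'),   # names taken from the thread
    [switch]$Remove
)

function Get-OrphanedService {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "${n}: not registered"; continue }
        # PathName may be quoted or carry arguments; keep only the executable path.
        $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
        $exe = $exe -replace '^(\S+?\.exe).*$', '$1'
        [pscustomobject]@{
            Name      = $n
            State     = $svc.State
            StartMode = $svc.StartMode
            Path      = $exe
            Missing   = -not (Test-Path -LiteralPath $exe)
        }
    }
}

foreach ($s in (Get-OrphanedService -Names $Names)) {
    $s | Format-List | Out-String | Write-Host
    if (-not ($Remove -and $s.Missing)) { continue }
    try {
        if ($s.State -eq 'Running') { Stop-Service -Name $s.Name -Force -ErrorAction Stop }
        Set-Service -Name $s.Name -StartupType Disabled -ErrorAction Stop
        & sc.exe delete $s.Name
    } catch {
        # "Access is denied" (Error 5) means the service's own ACL blocks the change
        # even for an administrator; note it rather than retrying blindly.
        Write-Warning "$($s.Name): $($_.Exception.Message)"
    }
}
```

Without -Remove the script only reports, which is the safe default when checking a log someone else posted.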
     
  7. Big Bill

    Big Bill Private E-2

    When I right click on McAfee Real-time Scanner (McShield) in the Service Properties window, I get the following message:

    "Configuration Manager: The specified device instance does not correspond to a present device."

    Then the properties opens up and McShield is already stopped. When I attempt to Disable it by changing the Startup Type to Disabled and click Apply, I get this message:

    "Unable to open service McShield for writing on Local Computer. Error 5: Access Denied."

    I could not change it to disable. I typed in the delete command in the run dialog box, rebooted, but McShield remains (everything else is gone).
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If it's disabled you're ok.

    How is everything else running? Any problems?
     
  9. Big Bill

    Big Bill Private E-2

    It is not disabled (I could not change that) it is just stopped.

    As for running, everything is running fine except I still cannot install McAfee. Should I just give up and use other antivirus software, or does the fact that I cannot install McAfee mean I am still infected? It downloads fine but freezes upon installation.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you're trying to install McAfee you need to first uninstall AVG. Personally I recommend AVG over any other antivirus. If you're going to purchase one then I recommend Kaspersky or PC-cillin.
     
  11. Big Bill

    Big Bill Private E-2

    I will stick with AVG then. What about a Firewall, is the Microsoft one adequate or is there another one out there?

    I really appreciate all your help. Greatly appreciated.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, it's not good enough to be a firewall, personally I recommend ZoneAlarm Free.

    Check out this article on How to Protect yourself from malware!
     