Need help removing Trojan BHO.H

emeurlott · July 24, 2010

Greetings and thank you for your time. I've had a Trojan BHO.H that keeps on appearing on my machine. My computer has also been sending out spam email and locking up/crashing. I'm assuming that it is all related to this same trojan that I can not remove. I've followed preliminary instructions from the page:

http://forums.malwarebytes.org/index.php?showtopic=9573

and it brought me to this point. So here are the requested files. Thanks for your help.

DDS (Ver_10-03-17.01) - NTFSX64

Run by Eric at 13:41:41.45 on Sat 07/24/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6143.4208 [GMT -7:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\system32\dlbucoms.exe

C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE

C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE

C:\Program Files (x86)\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe

C:\Windows\System32\spool\drivers\x64\3\E_IATIFBA.EXE

C:\Program Files (x86)\Pando Networks\Pando\Pando.exe

C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe

C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files (x86)\Common Files\aol\1258682544\ee\aolsoftware.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\IObit\IObit Security 360\is360tray.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files\McAfee\VirusScan\mcods.exe

C:\Program Files (x86)\IObit\IObit Security 360\is360.exe

C:\Program Files\Common Files\McAfee\Core\mchost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Eric\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/

mLocal Page = c:\windows\syswow64\blank.htm

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files (x86)\aol toolbar\aoltb.dll

mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files (x86)\aol toolbar\aoltb.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files (x86)\aol toolbar\aoltb.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\users\eric\appdata\local\temp\low\COUPON~1.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files (x86)\common files\mcafee\systemcore\ScriptSn.20100707160623.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~2\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll

TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files (x86)\aol toolbar\aoltb.dll

TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\users\eric\appdata\local\temp\low\CouponsBar.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll

uRun: [EPSON NX110 Series] c:\windows\system32\spool\drivers\x64\3\e_iatifba.exe /fu "c:\windows\temp\E_S76D7.tmp" /EF "HKCU"

uRun: [Pando] c:\program files (x86)\pando networks\pando\Pando.exe /Minimized

mRun: [VolPanel] "c:\program files (x86)\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r

mRun: [sPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry

mRun: [Dell DataSafe Online] "c:\program files (x86)\dell datasafe online\DataSafeOnline.exe" /m

mRun: [PDVDDXSrv] "c:\program files (x86)\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [Desktop Disc Tool] "c:\program files (x86)\roxio\roxio burn\RoxioBurnLauncher.exe"

mRun: [DellSupportCenter] "c:\program files (x86)\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [HostManager] c:\program files (x86)\common files\aol\1258682544\ee\AOLSoftware.exe

mRun: [EEventManager] c:\progra~2\epsons~1\eventm~1\EEventManager.exe

mRun: [sunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime

mRun: [iObit Security 360] "c:\program files (x86)\iobit\iobit security 360\IS360tray.exe" /autostart

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"

mRunOnce: [Launcher] c:\program files (x86)\dell datasafe local backup\components\scheduler\Launcher.exe

StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files (x86)\common files\adobe\calibration\Adobe Gamma Loader.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office11\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~2\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~2\mcafee\sitead~1\McIEPlg.dll

BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\MSKAPB~1.DLL

BHO-X64: McAfee Phishing Filter - No File

BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100707160623.dll

BHO-X64: scriptproxy - No File

BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~2\mcafee\sitead~1\x64\mcieplg.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~2\mcafee\sitead~1\x64\mcieplg.dll

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB-X64: {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - No File

TB-X64: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File

mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRunOnce-x64: [DSUpdateLauncher] "c:\program files (x86)\dell datasafe local backup\components\dsupdate\hstart.exe" /noconsole /d="c:\program files (x86)\dell datasafe local backup\components\dsupdate" /runas "c:\program files (x86)\dell datasafe local backup\components\dsupdate\DSUpd.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\eric\appdata\roaming\mozilla\firefox\profiles\01gm618o.default\

FF - prefs.js: browser.search.selectedEngine - MyWebSearch

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com

FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZNxdm824YYUS&ptb=6AydQDRGR6Dpkoq6nARXgg&psa=&ind=2010051409&ptnrS=ZNxdm824YYUS&si=&st=kwd&n=77cef351&searchfor=

FF - component: c:\program files (x86)\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files (x86)\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files (x86)\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\eric\appdata\roaming\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\users\eric\appdata\roaming\mozilla\firefox\profiles\01gm618o.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - truec:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-17 528616]

R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2009-11-17 55280]

R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-7-7 75288]

R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-7-7 279752]

R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]

R2 IS360service;IS360service;c:\program files (x86)\iobit\iobit security 360\is360srv.exe [2010-5-28 311568]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-7 355440]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-7 355440]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-7 355440]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-7 355440]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-7 199032]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-7 244840]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-7 148520]

R2 SftService;SoftThinks Agent Service;c:\program files (x86)\dell datasafe local backup\SftService.exe [2009-11-17 658656]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-7 62416]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-7 189880]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-7 440688]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-11-17 215040]

R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [2009-11-17 639512]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-12-26 135664]

S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\common files\creative labs shared\service\AL6Licensing.exe [2009-11-17 79360]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2009-11-17 79360]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-7 93840]

S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-8-28 49152]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-12 1255736]

=============== Created Last 30 ================

2010-07-24 20:41:07 0 ----a-w- c:\users\eric\defogger_reenable

2010-07-18 23:17:08 0 d-----w- c:\program files\iPod

2010-07-18 23:17:07 0 d-----w- c:\program files\iTunes

2010-07-18 23:17:07 0 d-----w- c:\program files (x86)\iTunes

2010-07-18 23:15:12 0 d-----w- c:\program files\Bonjour

2010-07-18 23:15:12 0 d-----w- c:\program files (x86)\Bonjour

2010-07-14 15:12:44 144384 ----a-w- c:\windows\system32\cdd.dll

2010-07-07 23:06:30 0 d-----w- c:\program files (x86)\McAfee.com

2010-07-07 23:06:23 0 d-----w- c:\program files (x86)\common files\McAfee

2010-07-07 23:06:22 9984 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-07-07 23:05:49 93840 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-07-07 23:05:49 75288 ----a-w- c:\windows\system32\drivers\mfenlfk.sys

2010-07-07 23:05:49 62416 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-07-07 23:05:49 440688 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-07-07 23:05:49 279752 ----a-w- c:\windows\system32\drivers\mfewfpk.sys

2010-07-07 23:05:49 189880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-07-07 23:05:45 0 d-----w- c:\program files\common files\McAfee

2010-07-07 23:05:44 0 d-----w- c:\program files\McAfee.com

2010-07-07 23:05:44 0 d-----w- c:\program files\McAfee

2010-07-07 23:05:43 0 d-----w- c:\program files (x86)\McAfee

2010-07-07 16:55:24 65536 --sha-w- c:\users\eric\ntuser.dat{644d1782-89e8-11df-b910-00038a000015}.TM.blf

2010-07-07 16:55:24 524288 --sha-w- c:\users\eric\ntuser.dat{644d1782-89e8-11df-b910-00038a000015}.TMContainer00000000000000000002.regtrans-ms

2010-07-07 16:55:24 524288 --sha-w- c:\users\eric\ntuser.dat{644d1782-89e8-11df-b910-00038a000015}.TMContainer00000000000000000001.regtrans-ms

==================== Find3M ====================

2010-05-27 07:24:13 34304 ----a-w- c:\windows\syswow64\atmlib.dll

2010-05-27 06:34:09 46080 ----a-w- c:\windows\system32\atmlib.dll

2010-05-27 04:11:32 366080 ----a-w- c:\windows\system32\atmfd.dll

2010-05-27 03:49:37 293888 ----a-w- c:\windows\syswow64\atmfd.dll

2010-05-21 05:52:30 1192960 ----a-w- c:\windows\system32\wininet.dll

2010-05-21 05:18:06 977920 ----a-w- c:\windows\syswow64\wininet.dll

2010-05-21 05:14:50 48128 ----a-w- c:\windows\syswow64\jsproxy.dll

2010-05-18 23:55:18 95520 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 23:55:18 119584 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-18 23:35:16 91424 ----a-w- c:\windows\syswow64\dnssd.dll

2010-05-18 23:35:16 107808 ----a-w- c:\windows\syswow64\dns-sd.exe

2010-05-09 09:46:00 961024 ----a-w- c:\windows\system32\CPFilters.dll

2010-05-09 09:45:57 552960 ----a-w- c:\windows\system32\msdri.dll

2010-05-09 09:14:55 641536 ----a-w- c:\windows\syswow64\CPFilters.dll

2010-05-06 12:42:05 1225216 ----a-w- c:\windows\syswow64\urlmon.dll

2010-05-06 12:41:55 606208 ----a-w- c:\windows\syswow64\mstime.dll

2010-05-06 12:41:53 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll

2010-05-06 12:41:53 5970944 ----a-w- c:\windows\syswow64\mshtml.dll

2010-05-06 12:41:49 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll

2010-05-06 12:41:49 10984448 ----a-w- c:\windows\syswow64\ieframe.dll

2010-05-01 15:07:05 3122176 ----a-w- c:\windows\system32\win32k.sys

2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini

2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini

2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2010-01-22 11:19:26 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-07-14 05:12:52 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

2010-01-22 11:17:19 245760 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:42:16.73 ===============

attach.zip

mbam_log_2010_07_24__12_13_22_.txt

DDS.txt

screen317 · August 5, 2010

Hi and welcome to Malwarebytes.

My apologies for the extended delay. Do you still need help?

emeurlott · August 5, 2010

Hi and welcome to Malwarebytes.
My apologies for the extended delay. Do you still need help?

Thanks for getting back to me. Yes. My machine needs some serious help.

screen317 · August 5, 2010

Hi,

Okay. Please update MBAM, run a Quick Scan, and post its log.

Also post a fresh DDS log and we'll take it from there.

Please also describe in detail what issues you are currently experiencing.

screen317 · August 29, 2010

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Sign In

Need help removing Trojan BHO.H

Recommended Posts

emeurlott

Link to post

Share on other sites

screen317

Link to post

Share on other sites

emeurlott

Link to post

Share on other sites

screen317

Link to post

Share on other sites

screen317

Link to post

Share on other sites

Recently Browsing 0 members

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information