McAfee will not update

By kharms1969
Apr 4, 2009
Topic Status:
Not open for further replies.
  1. I ran through the 8 step process a couple times but I am still having issues. The issues are: McAfee will not update, and my Zone Alarm, McAfee, and Spybot TeaTimer appear to be running if I look at the Task Manager, but the icons do not show up in the system tray. I have attached the logs where items were found as well as ones from today where nothing was found. Let me know if there is anything in the HijackThis log that looks suspicious. My McAfee log shows it detected DNSChanger.r, which it quarantined and I removed. It also detected Generic!Artemis, which it removed. This seems to be related to a setup_U.exe file that is launched when I use Firefox.

    Thanks in Advance
    Kevin

    Here is the last log file from today.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay. In the future if you have to go through a cleaning again, you need only attach the most recent logs for each program.

    Remove Bad Entries From HijackThis:
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):
    Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Control Panel> Internet Options> Security tab> Trusted Zone> Sites> remove the following:
    *.imageservr.com
    If you use this site, it will then be available in the Internet Zone. If you do NOT use this Domain:
    Go to the Restricted Zone> Sites> type in *.imageservr.com> Add.

    Update Java:
  3. kharms1969

    kharms1969 Newcomer, in training Topic Starter

    Completed your instructions

    Bobbye:
    I completed your instructions
    I ran into a problem with adding *.imageservr.com to the restricted zone.
    "this site you specified already exists in another zone, please remove from current zone before adding it to this zone" I was able to remove it from the trusted zone. I ran the LSP-Fix and it said no changes were necessary. I could not save a log file. I can upload a screen shot if you need it. I have attached the Hijack this file.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you remove it from the Trusted Zone first?

    There were two entries for this in the Trusted Zone- one was removed, the HKLM entry is from the Registry:
    * Download SDFix HERE and save it to your Desktop.
    * Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    See if imageservr.com is gone from the Trusted Zone (Internet Options> Security> Trusted zone> Sites>> remove if there> put in the Restricted Zone).

    Rescan with HijackThis when through. Attach reports and log.

    Have you tried to update McAfee again? If not, please try- if Yes, run complete system scan and advise of results.

    The HJ log looks much better! You have some unnecessary programs starting on boot. These will use your resources and cause a slow down. If you would like help removing them from Startup and keeping them off, let me know:
    These are all legitimate processes but none need to start on boot.

    This still needs to be done (Post #2): Update Adobe: Most current version: Adobe Reader 9.1
  5. kharms1969

    kharms1969 Newcomer, in training Topic Starter

    Results of latest instructions

    Bobbye:

    I should have been more specific when I said

    When I looked in the trusted zone it is blank in both boxes. It is still blank in both boxes. Anywhere else I should look?

    I followed your instructions for SDFix. When I double click on the RunThis.bat file a box asks me if I want to continue in safe mode or reboot. It does not appear SDFix is running or doing anything. I do not see anywhere to type Y and no report is generated.


    I rescanned and attached the log. I noticed the following things still in there.

    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O20 - Winlogon Notify: iiffeBqO - C:\WINDOWS\


    Do these look suspicious to you?

    When I look in Help/about adobe acrobat 9 it says version 9.1.0

    I would be interested in ridding my start up of unnecessary programs.

    Thanks
    Kevin
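
The two entries quoted in the post above, run through a small triage script. This is an added example, not part of the original thread or of HijackThis; the function names, the extra sample lines and the "unmarked" label for entries without the (HKLM) suffix are assumptions of the sketch.

```python
import re

# Constructed sample: the first and third lines are the entries quoted in the
# post above; the other three are made up for contrast.
SAMPLE_LOG = r"""
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.example.org
O20 - Winlogon Notify: iiffeBqO - C:\WINDOWS\
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
HKLM_MARK = "(HKLM)"


def parse_entry(line):
    """Split 'O15 - Trusted Zone: data' into (section, kind, data), else None."""
    m = ENTRY_RE.match(line.strip())
    return m.groups() if m else None


def triage(log_text):
    """Return (check, subject, detail) tuples for O15 and O20 entries."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        section, kind, data = entry
        if section == "O15" and kind == "Trusted Zone":
            # The (HKLM) suffix is what separates the entry that survived
            # removal through the Internet Options dialog from the one that did not.
            machine_wide = data.endswith(HKLM_MARK)
            domain = data[:-len(HKLM_MARK)].strip() if machine_wide else data.strip()
            findings.append(("trusted-zone", domain,
                             "HKLM" if machine_wide else "unmarked"))
        elif section == "O20" and kind == "Winlogon Notify":
            name, _, path = data.partition(" - ")
            # A path that stops at a directory names no file to inspect.
            detail = "dll-named" if path.lower().endswith(".dll") else "no-dll-in-path"
            findings.append(("winlogon-notify", name, detail))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
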
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Take a breath and reboot the computer.
    Try to update McAfee again. Whether you can or cannot, run a full system scan and save the log. I need to see it.

    Get the most recent, Kevin. I do a copy and paste for that and sometimes forget to change the update version. But I encourage you to try FoxIt instead. It's free, it does the same thing as the Adobe Reader and doesn't have all the bloat. If you get FoxIt, you can uninstall Adobe in Add/remove Programs in the Control Panel.

    Did you encounter this when you ran LSPFix?
    Please UPDATE and run LSPFix again. SAVE the log or do a right click> Copy image on Figures 3 and 4 shown on this site, http://www.bleepingcomputer.com/tutorials/tutorial59.html but from your log
    Save the image and attach it to next post.

    I cannot identify O20 - Winlogon Notify: iiffeBqO - C:\WINDOWS\
    Please download ComboFix
  7. kharms1969

    kharms1969 Newcomer, in training Topic Starter

    Appears to be working now

    Bobbye:
    After following your instructions, it appears all is working again. I am able to update McAfee, and all of my icons load into the system tray such as McAfee, Zone Alarm, Spybot tea timer. It also appears I do not get redirected anymore. Before following your steps the URLs you posted for me would come up blank on this computer and I had to use my other computer and my flashdrive to get the info and applications I needed.

    ComboFix did not run as outlined in the instructions. I got what appeared to be the blue screen of death but after rebooting everything seemed normal again. The log for ComboFix appears to be called bug.txt. Here are my logs if you still want to look at them. It seems there are 2 new folders on my C drive called "32788R22FWJFW" and "Qoobox" that appeared tonight after I ran combo fix. I included a screen shot of the contents of
    "32788R22FWJFW". Does it look suspicious to you?





    I would also like to take you up on your offer to clean up these items.

    [QuickTime Task]
    [RealTray]
    [DVDLauncher]
    [MimBoot]
    [MSConfig]
    [SunJavaUpdateSched]
    [Adobe Reader Speed Launcher]
    [updateMgr]
    O23 - Service: Java Quick Starter
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Regarding this: File Type: txt Bug.txt (1.0 KB, 0 views)
    Uninstall ComboFix:
    # Click START then RUN
    # Now type Combofix /u in the runbox and click OK (note space between x and /)
    · When shown the disclaimer, Select "2"

    Again download ComboFix HERE, install and run Combofix:
    Run the scan and save the report.
    Follow with new HijackThis scan, attach log.

    I may have to get someone to write code for specific removal if this doesn't handle it. We'll see.

    Re: "Qoobox": Qoobox is a folder created by Combofix to quarantine any infected files-you may delete the files in Qoobox.

    I will help you with stopping the programs you listed as soon as we complete the cleaning. I already have most written up as they are on so many startups!
  9. kharms1969

    kharms1969 Newcomer, in training Topic Starter

    Bobbye:
    I followed your directions below but it does not uninstall combofix. It says it cannot be found? I have posted screen clippings of the error message I got and what I typed into the runbox. I see a folder called Combofix on the C drive (C:/Combofix).

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Old dopey me! Should have realized ComboFix isn't actually installed so can't be uninstalled! I have those moments now and then.

    Let's try deleting the folder I see a folder called Combofix on the C drive (C:/Combofix) using a right click> Delete.
    Then do a search on the system in All Files & Folders for 32788R22FWJFW and Qoobox. Do a right click> Properties on each> see if any info is available. If the Qoobox is showing related to ComboFix, double click to open and let me know what is there.

    We may have to delete the Qoobox folder and then try downloading and running ComboFix again, but not until I know what's in it.
  11. kharms1969

    kharms1969 Newcomer, in training Topic Starter

    Bobbye:
    I cannot tell if Qoobox is related to Combofix. Here are some screen shots showing what is in Qoobox and its subfolders. There is catchme.log and _prim_do.zip. All the rest are empty folders. Let me know my next step.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Do a right click> Delete on all the Qoobox folders.

    EDIT: The only thing I can find for 'primdoo' is that it's a Domain name. Don't extract the files from the zip. If it's in the Qoobox, it goes.
  13. kharms1969

    kharms1969 Newcomer, in training Topic Starter

    After I delete Qoobox, do I try to run Combofix again per your previous instructions in post #8?
     
  14. Tritton

    Tritton Newcomer, in training Posts: 136

    Just to add something in here
    McAfee and Zone Alarm are known not to get along with each other, so the fact it would update could be to do with Zone Alarm. Second, McAfee is a rubbish anti-virus anyway, so I would just suggest getting a different one.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Yes, download and run ComboFix. We were trying to get rid of the Qoobox folder.

    And update and scan with HijackThis after.

    Don't worry about McAfee at this point. Let's get it working, then if you want to change at some later date, wait until subscription is expiring. You paid bucks for the suite and although another program may be better, I have a big problem telling anyone to waste their money.

    You had malware and that can stop updates for security programs. I prefer to take a step at a time.
    But you can try disabling the ZA firewall if you want and see if that makes any difference. Best way is to boot into Safe Mode> use msconfig to access the startup menu> uncheck ZA True Vector and whatever else is checked for it. Reboot into Normal mode, ignore and close nag message.
  16. kharms1969

    kharms1969 Newcomer, in training Topic Starter

    Bobbye:
    Here is the Combofix log and the HijackThis log. My McAfee updates fine with Zone Alarm on. It was the malware. The downloading was fixed a few posts back.

    After reviewing the logs let me know the next step(s).
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Logs are looking better! Combofix cleaned up! I need to work on getting imageservr out of the Trusted Zone! Usually when the malware is gone and it's removed from the Trusted Zone, it can be Restricted and that's the end of it! The strange thing is that the entry without the (HKLM) was removed, but the (HKLM) entry is still there!

    Here are two Active X entries you need to disable:

    Open IE> Tools> Manage Add-ons> find each of the above> click to highlight> Disable.

    Make sure the only Java program in Add/Remove Programs is v6u13- it looks like you still have earlier versions installed.

    Okay, let's clean up some. I just want to be absolutely sure you tried to put .imageservr.com in Restricted sites.

    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:
    I am preparing directions to stop the Startups on your list- give me a bit- need to take a break.
  18. kharms1969

    kharms1969 Newcomer, in training Topic Starter

    McAfee now updates

    Bobbye:
    Thanks for your help. I look forward to the instructions for helping me clean up my startup.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I think Paul Collins (pacman) wrote the book on this. Please refer to the site for the information in the outline below. I give the outline so you will know what is available to you. Each section is explained.

    Read Introduction: http://www.pacs-portal.co.uk/startup_index.htm

    Using the outline below from pacman, stop the particular startups. The descriptions are excellent and screen shots are also available.

    All of the above text is directly from the pacman site and is only meant as a guide as to what is available on the site.
    Stopping unnecessary startups
    1. Unchecking on Startup using the msconfig utility. Programs, O2 and O4 entries
    2. Disabling Active X objects O16 entries
    3. Changing Startup type for Services O23 entries.

    YOUR PROGRAMS:
    The text in BLUE are entries in your HijackThis log which can be checked for removal. For Service, Disable as given:
    JAVA:
    ADOBE READER:
    REAL PLAYER:
    QUICK TIME
    DVD LAUNCHER
    MSCONFIG
    Mimboot is from MusicMatch. I couldn't find it in your log, but if you have the following, stop from Startup:
    Also missing "update manager."