McAfee will not update

Status
Not open for further replies.

kharms1969

Posts: 9   +0
I ran through the 8 step process a couple times but I am still having issues. The issues are McAfee will not update; my Zone Alarm, McAfee, and Spybot teatimer appear to be running if I look at the task manager but the icons do not show up in the system tray. I have attached the logs where items were found as well as ones from today where nothing was found. Let me know if there is anything in the Hijack this log that looks suspicious. My McAfee log shows it detected DNSChanger.r which it quarantined and I removed. It also detected Generic!Artemis which it removed. This seems to be related to a setup_U.exe file that is launched when I use Firefox.

Thanks in Advance
Kevin

Here is the last log file from today.
 
Okay. In the future if you have to go through a cleaning again, you need only attach the most recent logs for each program.

Remove Bad Entries From HijackThis:
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):
O2 - BHO: (no name) - {12D49DF1-F1F4-49BA-B8B8-80CBB8BD4AC7} - (no file)
O2 - BHO: (no name) - {EC634C9C-23BC-4499-BAED-0C6011D87241} - (no file)
O20 - AppInit_DLLs: pljcdr.dll bjrrbp.dll ywlmyw.dll
O20 - Winlogon Notify: iiffeBqO - iiffeBqO.dll (file missing)
Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Control Panel> Internet Options> Security tab> Trusted Zone> Sites> remove the following:
*.imageservr.com
If you use this site, it will then be available in the Internet Zone. If you do NOT use this Domain:
Go to the Restricted Zone> Sites> type in *.imageservr.com> Add.

Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 13): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 13

Update Adobe: Most current version: Adobe Reader 9.1
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version : https://www.techspot.com/downloads/345-adobe-reader.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

1) Click HERE to download LSPFix > Save to your desktop.

LSP-Fix attempts to correct Internet connection problems resulting from buggy or improperly-removed Layered Service Provider (LSP) software. When you start LSP-Fix, it will read the list of LSP modules from the Windows registry and verify that each module is present. If a module is missing, it is placed on the "Remove" list for removal. Advanced users can override suggested removals in the "Advanced" area. When "Finish" is pressed, the undesired entries are removed, and the remaining entries in the registry are renumbered to make them consecutive. The total module counts are then updated. Finally, the program will display a summary of the changes that were made.

Usage Instructions:
2) Once the exe file is on your desktop, double-click on it to open
3) LSP-Fix attempts to correct Internet connection problems resulting from buggy or improperly-removed Layered Service Provider (LSP) software. When you start LSP-Fix, it will read the list of LSP modules from the Windows registry and verify that each module is present.

If a module is missing, it is placed on the "Remove" list for removal.
This will move the filename to the right-hand column labeled Remove
When "Finish" is pressed, the undesired entries are removed, and the remaining entries in the registry are renumbered to make them consecutive.
The total module counts are then updated.
Finally, the program will display a summary of the changes that were made.
NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"

Of course, it should be stated that if you are unsure of any of these procedures, please do not complete them and ask for assistance from a local computer tech, family friend, or other knowledgeable person.
Save the report. When finished, Update and rescan with HijackThis. Attach new log with LSPFix report on next reply.


This thread is for the use of kharms72 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.
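
An added example, not part of the original posts and not HijackThis's own code: a small Python triage of HijackThis log lines that flags the entry types listed for fixing in the post above (targets marked "(no file)" or "(file missing)", AppInit_DLLs, Winlogon Notify) plus O15 Trusted Zone entries. The sample log is constructed from lines quoted in this thread; the function names and reason labels are hypothetical.

```python
import re

# Constructed sample: entries quoted in this thread, including two benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {12D49DF1-F1F4-49BA-B8B8-80CBB8BD4AC7} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.imageservr.com (HKLM)
O20 - AppInit_DLLs: pljcdr.dll bjrrbp.dll ywlmyw.dll
O20 - Winlogon Notify: iiffeBqO - iiffeBqO.dll (file missing)
"""

# "<section> - <kind>: <value>", e.g. "O20 - AppInit_DLLs: a.dll b.dll".
# The kind ends at the first colon, so drive letters in the value are safe.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+):\s*(?P<value>.*)$")


def parse(log_text):
    """Yield (section, kind, value) for every line that looks like an entry."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("section"), m.group("kind").strip(), m.group("value").strip()


def reasons_for(section, kind, value):
    """Return hypothetical reason labels explaining why an entry needs review."""
    reasons = []
    # The registry entry survives but the file it points at is gone,
    # a common leftover after a scanner quarantines the payload.
    if value.endswith(("(no file)", "(file missing)")):
        reasons.append("orphaned")
    # AppInit_DLLs are loaded into every process that loads user32.dll.
    if section == "O20" and kind == "AppInit_DLLs" and value:
        reasons.append("appinit")
    # Winlogon Notify DLLs are loaded by winlogon.exe at logon.
    if section == "O20" and kind == "Winlogon Notify":
        reasons.append("winlogon-notify")
    # Sites in the IE Trusted Zone run with relaxed security settings.
    if section == "O15":
        reasons.append("trusted-zone")
    return reasons


def triage(log_text):
    """Return [(section, kind, value, reasons)] for entries worth a second look."""
    flagged = []
    for section, kind, value in parse(log_text):
        reasons = reasons_for(section, kind, value)
        if reasons:
            flagged.append((section, kind, value, reasons))
    return flagged


if __name__ == "__main__":
    for section, kind, value, reasons in triage(SAMPLE_LOG):
        print(f"{section:<4}{kind:<16}{','.join(reasons):<28}{value}")
```

A flagged line is a prompt for review, not a verdict: the legitimate Adobe and QuickTime entries pass unflagged only because none of these rules apply to them.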
 
Completed your instructions

Bobbye:
I completed your instructions
I ran into a problem with adding *.imageservr.com to the restricted zone.
"this site you specified already exists in another zone, please remove from current zone before adding it to this zone" I was able to remove it from the trusted zone. I ran the LSP-Fix and it said no changes were necessary. I could not save a log file. I can upload a screen shot if you need it. I have attached the Hijack this file.
 
I ran into a problem with adding *.imageservr.com to the restricted zone.
Did you remove it from the Trusted Zone first?

There were two entries for this in the Trusted Zone- one was removed, the HKLM entry is from the Registry:
* Download SDFix HERE and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
See if imageservr.com is gone from the Trusted Zone (Internet Options> Security> Trusted zone> Sites>> remove if there> put in the Restricted Zone).

Rescan with HijackThis when through. Attach reports and log.

Have you tried to update McAfee again? If not, please try- if Yes, run complete system scan and advise of results.

The HJ log looks much better! You have some unnecessary programs starting on boot. These will use your resources and cause a slow down. If you would like help removing them from Startup and keeping them off, let me know:
[QuickTime Task]
[RealTray]
[DVDLauncher]
[MimBoot]
[MSConfig]
[SunJavaUpdateSched]
[Adobe Reader Speed Launcher]
[updateMgr]
O23 - Service: Java Quick Starter
These are all legitimate processes but none need to start on boot.

This still needs to be done (Post #2): Update Adobe: Most current version: Adobe Reader 9.1
 
Results of latest instructions

Bobbye:

I should have been more specific when I said

I ran into a problem with adding *.imageservr.com to the restricted zone.
"this site you specified already exists in another zone, please remove from current zone before adding it to this zone" I was able to remove it from the trusted zone.

When I looked in the trusted zone it is blank in both boxes. It is still blank in both boxes. Anywhere else I should look?

I followed your instructions for SDFix. When I double click on the RunThis.bat file a box asks me if I want to continue in safe mode or reboot. It does not appear SDFix is running or doing anything. I do not see anywhere to type Y and no report is generated.


I rescanned and attached the log. I noticed the following things still in there.

O15 - Trusted Zone: *.imageservr.com (HKLM)
O20 - Winlogon Notify: iiffeBqO - C:\WINDOWS\


Do these look suspicious to you?

When I look in Help/about adobe acrobat 9 it says version 9.1.0

I would be interested in ridding my start up of unnecessary programs.

Thanks
Kevin
 
Take a breath and reboot the computer.
Try to update McAfee again. Whether you can or cannot, run a full system scan and save the log. I need to see it.

When I look in Help/about adobe acrobat 9 it says version 9.1.0
Get the most recent, Kevin. I do a copy and paste for that and sometimes forget to change the update version. But I encourage you to try FoxIt instead. It's free, it does the same thing as the Adobe Reader and doesn't have all the bloat. If you get FoxIt, you can uninstall Adobe in Add/remove Programs in the Control Panel.

Did you encounter this when you ran LSPFix?
Finally, the program will display a summary of the changes that were made.
NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"
Please UPDATE and run LSPFix again. SAVE the log or do a right click> Copy image on Figures 3 and 4 shown on this site, http://www.bleepingcomputer.com/tutorials/tutorial59.html but from your log
Save the image and attach it to next post.

I cannot identify O20 - Winlogon Notify: iiffeBqO - C:\WINDOWS\
If I split the entry iiffeBqO, I find this: IIFFE.DLL: Fraudulent Security Program
Using BqO results in this: Trojan-Downloader or Backdoor Trojan.
But that is NOT the way to ID malware- I was just hoping for some clue to it.
So we will attempt to catch it another way:

Please download ComboFix:
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.


Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

When through, update and scan with HijackThis again. Attach all logs and reports. This is only adding one more program to your system.
 
Appears to be working now

Bobbye:
After following your instructions, it appears all is working again. I am able to update McAfee, and all of my icons load into the system tray such as McAfee, Zone Alarm, Spybot tea timer. It also appears I do not get redirected anymore. Before following your steps the URLs you posted for me would come up blank on this computer and I had to use my other computer and my flashdrive to get the info and applications I needed.

ComboFix did not run as outlined in the instructions. I got what appeared to be the blue screen of death but after rebooting everything seemed normal again. The log for ComboFix appears to be called bug.txt. Here are my logs if you still want to look at them. It seems there are 2 new folders on my C drive called "32788R22FWJFW" and "Qoobox" that appeared tonight after I ran combo fix. I included a screen shot of the contents of "32788R22FWJFW". Does it look suspicious to you?

I would also like to take you up on your offer to clean up these items.

[QuickTime Task]
[RealTray]
[DVDLauncher]
[MimBoot]
[MSConfig]
[SunJavaUpdateSched]
[Adobe Reader Speed Launcher]
[updateMgr]
O23 - Service: Java Quick Starter
 
Regarding this: File Type: txt Bug.txt (1.0 KB, 0 views)
"Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP~n~nOS incompatible

Uninstall ComboFix:
# Click START then RUN
# Now type Combofix /u in the runbox and click OK (note space between x and /)
· When shown the disclaimer, Select "2"

Again download ComboFix HERE, install and run Combofix:
Download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
Run the scan and save the report.
Follow with new HijackThis scan, attach log.

I may have to get someone to write code for specific removal if this doesn't handle it. We'll see.

Re: "Qoobox": Qoobox is a folder created by Combofix to quarantine any infected files-you may delete the files in Qoobox.

I will help you with stopping the programs you listed as soon as we complete the cleaning. I already have most written up as they are on so many startups!
 
Bobbye:
I followed your directions below but it does not uninstall combofix. It says it cannot be found? I have posted screen clippings of the error message I got and what I typed into the runbox. I see a folder called Combofix on the C drive (C:/Combofix).

Uninstall ComboFix:
# Click START then RUN
# Now type Combofix /u in the runbox and click OK (note space between x and /)
· When shown the disclaimer, Select "2"

 
Old dopey me! Should have realized ComboFix isn't actually installed so can't be uninstalled! I have those moments now and then.

Let's try deleting the folder I see a folder called Combofix on the C drive (C:/Combofix) using a right click> Delete.
Then do a search on the system in All Files & Folders for 32788R22FWJFW and Qoobox. Do a right click> Properties on each> see if any info is available. If the Qoobox is showing related to ComboFix, double click to open and let me know what is there.

We may have to delete the Qoobox folder and then try downloading and running ComboFix again, but not until I know what's in it.
 
Bobbye:
I cannot tell if Qoobox is related to Combofix. Here are some screen shots showing what is in Qoobox and its subfolders. There is catchme.log and _prim_do.zip. All the rest are empty folders. Let me know my next step.
 
Do a right click> Delete on all the Qoobox folders.

EDIT: The only thing I can find for 'primdoo' is that it's a Domain name. Don't extract the files from the zip. If it's in the Qoobox, it goes.
 
Just to add something in here
McAfee and zone alarm are known not to get along with each other, so the fact it would update could be to do with zone alarm. Second, McAfee is a rubbish anti-virus anyway, so I would just suggest getting a different one.
 
Yes, download and run ComboFix. We were trying to get rid of the Qoobox folder.

And update and scan with HijackThis after.

Don't worry about McAfee at this point. Let's get it working, then if you want to change at some later date, wait until subscription is expiring. You paid bucks for the suite and although another program may be better, I have a big problem telling anyone to waste their money.

You had malware and that can stop updates for security programs. I prefer to take a step at a time.
But you can try disabling the ZA firewall if you want and see if that makes any difference. Best way is to boot into Safe Mode> use msconfig to access the startup menu> uncheck ZA True Vector and whatever else is checked for it. Reboot into Normal mode, ignore and close nag message.
 
Bobbye:
Here is the Combofix log and the Hijack this log. My McAfee updates fine with Zone Alarm on. It was the Malware. The downloading was fixed a few posts back.

After reviewing the logs let me know the next step(s).
 
Logs are looking better! Combofix cleaned up! I need to work on getting imageservr out of the Trusted Zone! Usually when the malware is gone and it's removed from the Trusted Zone, it can be Restricted and that's the end of it! The strange thing is that the entry without the (HKLM) was removed, but the (HKLM) entry is still there!

Here are two Active X entries you need to disable:

O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
Open IE> Tools> Manage Add-ons> find each of the above> click to highlight> Disable.

Make sure the only Java program in Add/Remove Programs is v6u13- it looks like you still have earlier versions installed.

Okay, let's clean up some. I just want to be absolutely sure you tried to put .imageservr.com in Restricted sites.

Download OTCleanIt HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in *cleanmgr*
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.
I am preparing directions to stop the Startups on your list- give me a bit- need to take a break.
 
McAfee now updates

Bobbye:
Thanks for your help. I look forward to the instructions for helping me clean up my startup.
 
I think Paul Collins (pacman) wrote the book on this. Please refer to the site for the information in the outline below. I give the outline so you will know what is available to you. Each section is explained.

Read Introduction: http://www.pacs-portal.co.uk/startup_index.htm

Using the outline below from pacman, stop the particular startups. The descriptions are excellent and screen shots are also available.

START-UP APPLICATIONS
DO YOU REALLY NEED ALL OF THEM?


HOW CAN I IDENTIFY THESE PROGRAMS?
Windows Defender
MSConfig
AutoRuns
HijackThis™

HOW CAN I DISABLE THEM FROM RUNNING AT START-UP?
1) Using a program's own configuration options
2) Windows StartUp folder - Windows 9x/Me/NT/2000/XP/Vista
3) Windows Defender
4) AutoRuns
5) System Configuration Utility (MSConfig)
6) Use a 3rd party utility to control start-up programs (in HijackThis, O2, O3 and O4 entries)
7) Registry Editor -
8) WIN.INI
9) SYSTEM.INI
All of the above text is directly from the pacman site and is only meant as a guide as to what is available on the site.
Stopping unnecessary startups
1. Unchecking on Startup using the msconfig utility. Programs, O2 and O4 entries
2. Disabling Active X objects: O16 entries
3. Changing Startup type for Services: O23 entries.

YOUR PROGRAMS:
The text in BLUE are entries in your HijackThis log which can be checked for removal. For Service, Disable as given:
JAVA:
1. UNCHECK all Java entries on the Startup menu: Start> Run> msconfig> enter> Selective Startup> Startup tab.
2. Open IE> Tools> Manage add-ons> right click on 'Java(tm) Plug-In 2 SSV Helper' (jp2ssv.dll)> Click on and Disable Java Plugin2 and Java Quick Start.
3. Start> Run> services.msc> right click on JavaQuickStarterService> Properties> Change Startup Type to Disabled> Stop the Service
4. Stop auto update: Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Apply> Click YES when asked to confirm> OK.
5. Make sure only the current version of Java v6u11 is in Add/Remove Programs in the Control Panel. Uninstall any other versions.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
ADOBE READER:
1. Use msconfig to UNCHECK all Adobe Reader entries> Apply> OK
2. Open the Adobe Reader and Disable all Toolbars-unless you use the PDF feature frequently.
3. Change the Adobe LM Service to Manual Startup.
4. Only the most current version (now v9) should be listed in Add/Remove Programs.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
REAL PLAYER:
1. UNCHECK all 'Real', 'Real Player' and 'Real One' entries on the Startup menu
2. If you use Real Player disable the auto-update feature in your Tools- Preferences- Automatic Services- AutoUpdate (In RealPlayer).
Right click on Start> Explore> Programs> Common> Real Update> right click> delete the file "realshed.exe"
C:\Program Files\Real\RealPlayer\RealPlay.exe
04 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
QUICK TIME
1. Use msconfig to UNCHECK any QuickTime entries on Startup> Apply> OK
2. Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
3. Rename the qttask.exe file:
Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
DVD LAUNCHER
1. Use msconfig> uncheck any entries for CyberLink, PowerDVD and DVDLauncher
2. Using Windows Explorer: right click on Start> Explore> Programs> CyberLink In PowerDVD> Configuration> Player UNCHECK Run.
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
MSCONFIG
1. Click Start, Run and type "msconfig /auto". Check the option "Don't show......." and press OK.
-or-
2. Download a fix from Doug's site:
http://www.dougknox.com/xp/scripts_..._nomsconfig.htm
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto

Mimboot is from MusicMatch. I couldn't find it in your log, but if you have the following, stop from Startup:
[MimBoot]> Music Match
mm_server C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
MimBoot C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

Also missing "update manager."
 