Unknown Services on my PC?

Hi Ferrari458,

Please download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

After running TFC and rebooting, I'd like you to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png]
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png]
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png]
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png]
 

My Computer

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics Card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device.
    One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Microsoft PS/2 Mouse
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio

Jacee, I did everything you told me to do. The Temp cleaning program cleaned 1GB of clutter from my PC, then I ran the scan and it found one threat: "E:\Program Files\AoA DVD Copy\option.ini probably a variant of Win32/Agent.NLNNCZG trojan cleaned by deleting - quarantined".
 

My Computer

System One

  • Manufacturer/Model
    Gateway GT5464
    CPU
    Intel E4700 Core 2 Duo 2.6Ghz
    Motherboard
    Intel D945GCCRG1 Flashed with retail BIOS
    Memory
    2GB 533MHz
    Graphics Card(s)
    EVGA Nvidia 9800gtx+ 512MB
    Sound Card
    Onboard
    Monitor(s) Displays
    HP 2009m
    Screen Resolution
    1600x900
    Hard Drives
    Kingston SSD Now 64GB
    Hitachi 320GB HDD
    PSU
    BFG Tech 550w
    Case
    Stock Gateway Case
    Cooling
    Stock
    Keyboard
    Stock
    Mouse
    Stock
    Internet Speed
    Crappy 768Kbps running 520Kbps Hate AT&T
OK you are in good hands now.
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS420
    Memory
    6 gig
    Graphics Card(s)
    ATI Radeon HD3650 256 MB
    Sound Card
    Intergrated 7.1 Channel Audio
    Monitor(s) Displays
    Dell SP2009W 20 inch Flat Panel w Webcam
    Hard Drives
    640 gb
    Cooling
    Fan
    Keyboard
    Dell USB
    Mouse
    Dell USB 4 button optical
    Other Info
    DSL provided by ATT
So there is nothing wrong with my PC now?? :)
 

That I don't know, Jacee has to advise you in that area. I was just trying to reassure you that you will get the best of help with Jacee.
 

Oh OK, I'll wait for Jacee's reply ;)
 

Let's do this ...

Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Save that log!! I will need to look at it and review it. Please copy and paste it in your next reply.

After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
***A guide and tutorial on "How to use Combofix" can be found here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If CF won't run:
During the download, rename Combofix.exe to sVchost.exe
 

Jacee, I'll give this a try as soon as I get home (I'm on a weekend trip with the fam), but I just have a quick question: do you think I could be getting or am getting hacked?
 

Here is what combofix saved to the log, and it scanned everything pretty quick, I would say in about 8min. Is that normal?


ComboFix 11-10-15.04 - Isaac 10/16/2011 12:09:30.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1136 [GMT -7:00]
Running from: c:\users\Isaac\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Update.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
2011-10-14 18:14 . 2011-10-14 18:14 -------- d-----w- c:\program files\ESET
2011-10-12 22:06 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 22:06 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 22:06 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 22:06 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 22:05 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 22:05 . 2011-09-14 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-10-12 22:04 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 22:04 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 22:04 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 22:04 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-07 18:10 . 2011-10-07 18:26 -------- d-----w- c:\users\Isaac\AppData\Roaming\DAEMON Tools Lite
2011-10-07 18:09 . 2011-10-07 18:10 -------- d-----w- c:\programdata\DAEMON Tools Lite
2011-10-07 17:44 . 2011-10-12 22:22 -------- d-----w- c:\users\Isaac\{75a16419-20b3-47d9-8dde-2465ce106776}
2011-10-07 17:44 . 2009-02-25 01:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2011-10-04 03:48 . 2011-10-09 21:33 -------- d-----w- c:\users\Isaac\VirtualBox VMs
2011-10-04 03:47 . 2011-10-15 06:21 -------- d-----w- c:\users\Isaac\.VirtualBox
2011-10-04 03:47 . 2011-10-03 23:49 158512 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2011-10-04 03:47 . 2011-10-03 23:49 91440 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2011-10-03 23:49 . 2011-10-03 23:49 82736 ----a-w- c:\windows\system32\drivers\VBoxUSB.sys
2011-10-03 23:49 . 2011-10-03 23:49 135472 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
2011-10-03 23:49 . 2011-10-03 23:49 116016 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2011-10-03 23:49 . 2011-10-03 23:49 104752 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-09-22 20:50 . 2011-10-13 05:31 -------- d-----w- c:\program files\HD Tune Pro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-11 05:37 . 2011-06-20 21:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 00:00 . 2010-07-08 17:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-19 22:59 . 2011-05-27 17:42 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-08-15 17:00 . 2011-05-27 17:42 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 17:00 . 2011-05-27 17:42 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 17:00 . 2011-05-27 17:42 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-08-15 17:00 . 2011-05-27 17:42 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 17:00 . 2011-05-27 17:42 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 17:00 . 2011-05-27 17:42 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 17:00 . 2011-05-27 17:42 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 17:00 . 2011-05-27 17:42 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 17:00 . 2011-05-27 17:42 164776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-08-15 17:00 . 2011-05-27 17:42 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-08-12 19:07 . 2011-08-12 19:07 231248 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2011-07-20 17:50 . 2011-07-20 17:50 40960 ----a-r- c:\users\Isaac\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-07-20 17:50 . 2011-07-20 17:50 40960 ----a-r- c:\users\Isaac\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-05-08 9210400]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 136176]
R3 cpuz;cpuz;c:\users\Isaac\AppData\Local\Temp\cpuz.sys [x]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 8456]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 136176]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R3 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys [2011-10-03 82736]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;e:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-28 214904]
R4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-04-14 82952]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R4 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-10-03 158512]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-10-03 91440]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-28 214904]
S2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [2010-07-27 315392]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-28 214904]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-28 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-08-19 148520]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-10-03 104752]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-10-03 116016]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
LPDService REG_MULTI_SZ
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 03:13]
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 03:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: $talisma_url$
TCP: DhcpNameServer =
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-10-16 12:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3310548295-1848807279-884578615-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:9e,0c,45,cb,6b,74,31,78,2f,ca,44,ac,63,24,36,d4,6b,6e,f6,af,72,e4,57,
e6,ad,53,21,fb,b6,01,82,96,92,71,85,0f,75,b6,02,26,3e,44,d5,c5,62,7b,b0,36,\
"??"=hex:59,e5,97,70,47,08,a5,1e,f6,13,83,cc,52,0d,a6,6c
.
[HKEY_USERS\S-1-5-21-3310548295-1848807279-884578615-1000\Software\SecuROM\License information*]
"datasecu"=hex:4d,d5,99,10,88,9c,c6,09,6e,f4,b4,77,de,8d,35,82,b7,f2,14,83,cf,
61,35,bd,39,79,62,d9,83,1b,89,4a,ed,22,e5,cc,99,c9,de,bc,30,92,4c,c9,6c,f5,\
"rkeysecu"=hex:51,d9,69,2e,b5,10,dd,c5,51,56,fa,e7,ca,8f,a3,32
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-16 12:15:00
ComboFix-quarantined-files.txt 2011-10-16 19:14
.
Pre-Run: 22,340,460,544 bytes free
Post-Run: 27,001,450,496 bytes free
.
- - End Of File - - 3FAE0153A950DCD7A7A3FC064E016978
 
Last edited:
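
The service and driver lines in the log above can be triaged mechanically. The following is an added example, not part of the original thread and not ComboFix's own code: a Python parser for those `R`/`S` lines that flags entries whose image file is missing or sits in a temp or non-standard directory. It assumes `[x]` marks an image file ComboFix could not find and that the digit is the service start type; the function names and flag labels are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the service/driver listing in the ComboFix log above.
SAMPLE_LOG = r"""
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-20 136176]
R3 cpuz;cpuz;c:\users\Isaac\AppData\Local\Temp\cpuz.sys [x]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216]
R3 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-10-03 158512]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;e:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]
"""

# <letter><digit> <service name>;<display name>;<image path> [<date> <size>] or [x]
LINE_RE = re.compile(
    r"^([RS])([0-4]) ([^;]+);([^;]*);(.*) \[(x|\d{4}-\d{2}-\d{2} \d+)\]$"
)

# Directories where service and driver images normally live (drive letter stripped).
STANDARD_DIRS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")


@dataclass
class ServiceEntry:
    prefix: str              # R or S, kept exactly as logged
    start: int               # assumption: Windows service start type (0-4)
    name: str
    display: str
    path: str
    missing: bool            # assumption: "[x]" means the image was not found
    modified: Optional[str]
    size: Optional[int]


def parse_services(text: str) -> List[ServiceEntry]:
    """Return one ServiceEntry per service/driver line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        prefix, start, name, display, path, meta = m.groups()
        missing = meta == "x"
        modified, size = (None, None) if missing else meta.split(" ")
        entries.append(ServiceEntry(prefix, int(start), name, display, path,
                                    missing, modified,
                                    int(size) if size else None))
    return entries


def triage(entry: ServiceEntry) -> List[str]:
    """Return the review flags that apply to one entry (empty list = none)."""
    p = entry.path.lower()
    while "\\\\" in p:                      # collapse doubled separators
        p = p.replace("\\\\", "\\")
    rest = p[2:] if p[1:2] == ":" else p    # drop the drive letter
    flags = []
    if entry.missing:
        flags.append("image-missing")
    if "\\temp\\" in rest:
        flags.append("temp-path")
    if not rest.startswith(STANDARD_DIRS):
        flags.append("outside-standard-dirs")
    return flags


def suspicious(text: str) -> List[Tuple[str, List[str]]]:
    """List (service name, flags) for every entry with at least one flag."""
    result = []
    for entry in parse_services(text):
        flags = triage(entry)
        if flags:
            result.append((entry.name, flags))
    return result


if __name__ == "__main__":
    for name, flags in suspicious(SAMPLE_LOG):
        print(f"{name}: {', '.join(flags)}")
```

A flag marks an entry for a closer look at what registered it; it is not a verdict that the service is malicious.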

Did you install 'Whitesmoke' on this computer?
Did you add this to the Trusted Zone? $talisma_url$

Download CKScanner by askey127 from HERE
Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
 

Nope, I don't think I did (install Whitesmoke or add talisma to trusted sites).
 
Last edited:

This is what the CKScanner saved to the file:
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.MHAATR
----- EOF -----
 
Last edited:
