
Trojan Warning....need Help To Remove

Comments

61 comments

  • Customer

    Hi,

     

    I see you have Viewpoint installed...

    Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

    I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.




    • Viewpoint
    • Viewpoint Manager
    • Viewpoint Media Player

    Then reboot.

     

    Check and fix this entry in HijackThis:

     

    O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/a3cbf610b4...f946b770_35.exe

     

    I'm getting error messages and alerts from my taskbar about a Trojan called "WinAntiVirus Pro"
    Are you still getting this? Because as far as I can see, there are no bad entries in your HijackThis log apart from the above one, and that one isn't causing this. But then again, HijackThis doesn't show all the info we need, so do the following:

     

    * Download Combofix to your desktop.

    Double-click combofix.exe

    Follow the prompts.

    Don't click on the window while the fix is running, because that will cause your system to hang.

     

    When finished, and after the reboot (in case it asks to reboot), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.

    Post the contents of this log in your next reply.

    Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

    0
  • Customer

    Ok,

     

    My PC is having trouble rebooting. As it starts up, a blue screen momentarily comes up (roughly for 1 second, then it immediately reboots). In order to restart the PC I have to choose the "Last Known Good Configuration (your most recent settings that worked)" option. The blue screen states that some kind of error has been detected and it needs to reboot. Spyware does do some strange things to a PC, but with that said, AOL Spyware keeps alerting me that it has detected "WinAntiVirus Pro" and has "blocked" it. However, I'm pretty sure that doesn't block, or better yet remove, the Trojan altogether. I followed the steps and here is the latest ComboFix log:

     

    - David

     

     

    "David" - 07-07-06 19:59:10 Service Pack 2

    ComboFix 07-01-15 - Running from: "C:\Program Files"

     

    ((((((((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 ))))))))))))))))))))))))))))))))))

     

     

    2007-07-04 22:36 <DIR> d-------- C:\Program Files\McAfee

    2007-07-04 22:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee

    2007-07-04 22:32 23,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NaiFiltr.sys

    2007-07-04 22:30 344,064 -ra------ C:\WINDOWS\SYSTEM32\mcinsctl.dll

    2007-07-04 22:30 270,336 -ra------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll

    2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood

    2007-07-04 22:30 <DIR> d-------- C:\Program Files\McAfee.com

    2007-07-04 21:24 <DIR> d-------- C:\avenger

     

     

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    2007-05-16 11:12 683520 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll

    2007-05-09 00:53 2508 --a------ C:\DOCUME~1\David\Application Data\$_hpcst$.hpc

    2007-04-25 10:21 144896 --a------ C:\WINDOWS\SYSTEM32\schannel.dll

    2007-04-18 12:12 2854400 --a------ C:\WINDOWS\SYSTEM32\msi.dll

    2007-04-16 22:47 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll

    2007-04-16 22:45 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll

    2007-04-16 22:45 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll

    2007-04-16 22:45 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe

    2007-04-16 22:45 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll

    2007-04-16 22:45 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll

    2007-04-16 22:45 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll

    2007-04-16 22:45 1710936 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll

    2007-04-13 13:31 103984 --a------ C:\WINDOWS\SYSTEM32\aoldial.dll

     

     

    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

     

    *Note* empty entries & legit default entries are not shown

     

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

    "MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

    "Aim6"=""

    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"

    "H/PC Connection Agent"="\"C:\\PROGRA~1\\MICROS~4\\wcescomm.exe\""

    "AOL Fast Start"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

    "HostManager"="C:\\Program Files\\Common Files\\AOL\\1142145455\\ee\\AOLSoftware.exe"

    "AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"

    "Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"

    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    "VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"

    "VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""

    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"

    "MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"

    "MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"

    "MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"

     

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

     

     

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

    LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

    NetworkService REG_MULTI_SZ DnsCache\

    rpcss REG_MULTI_SZ RpcSs\

    imgsvc REG_MULTI_SZ StiSvc\

    termsvcs REG_MULTI_SZ TermService\

    HTTPFilter REG_MULTI_SZ HTTPFilter\

    DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

     

     

     

    Contents of the 'Scheduled Tasks' folder

    C:\WINDOWS\tasks\McAfee.com Update Check (DAVID-HUR7212OB-David).job

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

     

    Completion time: 07-07-06 20:05:49

    C:\ComboFix2.txt ... 07-07-03 00:54

    C:\ComboFix3.txt ... 07-01-15 17:12

    0
  • Customer

    Hi,

     


    ComboFix 07-01-15 - Running from: "C:\Program Files"

     

    This is a really outdated version. You were actually supposed to use the latest version, so delete the ComboFix you have and redownload it from the link I posted.

     

    But before you do, please uninstall McAfee, because from your first log, I see it's not properly installed since the related Services are missing. Then reboot after you uninstalled it. Don't reinstall it yet, but run Combofix first.

     

    AOL Spyware keeps alerting me it has detected "WinAntiVirus Pro" and has "blocked" it
    As I already said, I see no references to WinAntiSpyware or the related dlls in your log that may cause this, so let me know where exactly AOL Antispyware finds this entry/file. Because in the above ComboFix log I don't really see anything suspicious either. So I want to be sure here that AOL Antispyware doesn't block legitimate files, which may already explain a lot. AOL Antispyware is poor anyway and is known to show many false positives.

     

    Do you get popups to buy WinAntispyware all the time?

    I see C:\avenger present as well... What have you been deleting with The Avenger? Hopefully nothing legitimate...

    0
  • Customer

    Hello again,

     

    I was not aware of the outdated version of the ComboFix which I currently have. I will un-install McAfee in a bit. In response to finding the entry file for the spyware, I get a little alert notification at the bottom of the screen informing me it has detected "WinAntiVirus Pro", then gives me an option to "View Blocked Items". However, when I choose that option it brings me to a screen where it lists all the recent scans and does show a date of when it found the spyware, then tells me the name of the spyware, then the severity of it being a "Trojan". I am not sure exactly where to go to locate its entry file.

     

    As far as getting popups; I do not. I suspect if I were to un-block the potential Trojan via AOL AntiSpyware, it would then permit the activity of popups from WinAntiVirus Pro. So to be on the safe side I let the Anti Spyware block the Trojan perhaps to "hold off" anything from proceeding.

     

    I recently had spyware, and "HJThis", a VSA Member such as yourself, helped me through the steps to remove what was necessary. Thus he had me install these programs, which might explain the date of the version.

    0
  • Customer

    I get a little alert notification at the bottom of the screen informing me it has detected "WinAntiVirus Pro", then gives me an option to "View Blocked Items". However, when I choose that option it brings me to a screen where it lists all the recent scans and does show a date of when it found the spyware, then tells me the name of the spyware, then the severity of it being a "Trojan". I am not sure exactly where to go to locate its entry file.
    That doesn't make sense. It should display where it is blocking it.

    When exactly do you get that alert? Because I really think this is a false positive though....

    Anyway, can you also point me to the thread where HJThis helped you previously, so I can figure out what was deleted or not....

    0
  • Customer

    That doesn't make sense. It should display where it is blocking it.

    Three categories are listed: Scan Date ... Status ... Potential Threat ... Having highlighted the threat, it gives me an option to Restore or Delete. I'm guessing it's a false positive like you said. Should I Restore the potential threat? Perhaps it is a false alarm...

     

    When exactly do you get that alert? Because I really think this is a false positive though....

    Periodically. Every 5-10 minutes or so...

     

    Anyway, can you also point me to the thread where HJThis helped you previously, so I can figure out what was deleted or not....

    Sure, ... http://www.lavasoftsupport.com/index.php?s...ic=6056&hl=

    0
  • Customer

    Anyway, can you download the latest version of Combofix, run it and post the log?

    0
  • Customer

    Hi,

     

    The WinAntiVirusPro leftovers should be deleted now as I see from your combofix log.

     

    Please delete the C:\Qoobox folder.

    0
  • Customer

    Here is my most recent ComboFix Log:

     

     

    "David" - 2007-07-07 14:10:56 - ComboFix 07-07-07.4 - Service Pack 2 FAT32

     

     

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    C:\WINDOWS\system32\packet.dll

    C:\WINDOWS\system32\pthreadVC.dll

    C:\WINDOWS\system32\wpcap.dll

     

     

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    -------\LEGACY_FWSVC

    -------\LEGACY_NETWORK_MONITOR

    -------\LEGACY_VSPF

    -------\FWSvc

    -------\Network Monitor

    -------\vspf

     

     

    ((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))

     

     

    2007-07-07 14:10 51,200 --a------ C:\WINDOWS\nircmd.exe

    2007-07-07 02:17 23,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NaiFiltr.sys

    2007-07-04 22:36 <DIR> d-------- C:\Program Files\McAfee

    2007-07-04 22:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee

    2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood

     

     

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

     

    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

    2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

    2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

    2007-04-13 17:31:04 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll

     

     

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    *Note* empty entries & legit default entries are not shown

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]

    2005-11-30 13:17 585728 --a------ C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "HostManager"="C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe" [2006-09-25 19:52]

    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]

    "Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 16:33]

    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-16 02:11]

    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]

     

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]

    "Aim6"="" []

    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    "H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 19:44]

    "AOL Fast Start"="C:\Program Files\America Online 9.0a\AOL.exe" [2005-07-12 00:17]

     

     

    Contents of the 'Scheduled Tasks' folder

    2007-07-07 02:42:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

     

    **************************************************************************

     

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

    Rootkit scan 2007-07-07 14:23:39

    Windows 5.1.2600 Service Pack 2 FAT NTAPI

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

     

    Completion time: 2007-07-07 14:28:52 - machine was rebooted

    C:\ComboFix3.txt ... 2007-07-03 00:54

    C:\ComboFix2.txt ... 2007-07-06 20:05

    C:\ComboFix-quarantined-files.txt ... 2007-07-07 14:28

     

    --- E O F ---

    0
  • Customer

    what problems are you still having?

    0
  • Customer

    Ok,

     

    I did that. What should I do now..

     

    Thanks,

    -David

    0
  • Customer

    That blue error screen at re-boot. I still cannot restart my PC regularly. In order to reboot I have to choose the "Last Known Good Configuration" setting. That blue screen states "A problem has been detected and windows has been shut down to prevent damage to your computer". However, at restart, it just returns to the same screen. What should I do?

    0
  • Customer

    Well, I asked you previously to uninstall McAfee, as it was not properly installed (no related services were running), but in your latest HijackThis log I still see some related McAfee components and drivers present, which may explain the BSODs.

     

    Let me explain why I suspect McAfee..

     

    From your ComboFix log, these are the files/folders that were added recently:

     

    2007-07-04 22:36 <DIR> d-------- C:\Program Files\McAfee

    2007-07-04 22:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee

    2007-07-04 22:32 23,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NaiFiltr.sys

    2007-07-04 22:30 344,064 -ra------ C:\WINDOWS\SYSTEM32\mcinsctl.dll

    2007-07-04 22:30 270,336 -ra------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll

    2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood <== this is where you had chosen lastgood configuration

    2007-07-04 22:30 <DIR> d-------- C:\Program Files\McAfee.com

    2007-07-04 21:24 <DIR> d-------- C:\avenger

     

    All the other files around it are related to McAfee, because they are the only ones added recently.
    With only one exception: The Avenger you have been using. I really have no clue what you used the Avenger for, since I gave no instructions to use it, so I wonder what you have been deleting there..

     

    Anyway, McAfee needs to go..

    * Download and run the McAfee Consumer Products Removal tool (MCPR.exe).

    Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 versions of McAfee consumer products.


    • McAfee Security Center
    • McAfee VirusScan
    • McAfee Personal Firewall Plus
    • McAfee Privacy Service
    • McAfee SpamKiller
    • McAfee Wireless Network Security
    • McAfee SiteAdvisor
    • McAfee Data Backup
    • McAfee Network Manager
    • McAfee Easy Network
    • McAfee AntiSpyware


    Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe


    • Click Save and save the file to any folder on the computer.
    • Navigate to the folder where the file is saved.
    • Double-click MCPR.exe.
    • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
      Note: Do not double-click MCPR.exe again; you may have to wait up to 1 minute for the next window to appear.
      After the second window appears, the program will begin the cleanup.
    • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
      The machine must reboot to complete the un-installation. Reboot now? [y.n]
    • Press Y on the keyboard.
    • Wait for the computer to restart.


    All McAfee products are now removed from your computer.

    These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

    0
  • Customer

    Well, I asked you previously to uninstall McAfee, as it was not properly installed (no related services were running), but in your latest HijackThis log I still see some related McAfee components and drivers present, which may explain the BSODs.

     

    I did un-install McAfee as soon as you had asked me to. The only way I did it was through Add Remove Programs. The remaining files you see must be leftovers which I did not manually remove.

     

    With only one exception: The Avenger you have been using. I really have no clue what you used the Avenger for, since I gave no instructions to use it, so I wonder what you have been deleting there..

     

    ...Again I explained why I had the Avenger. I said that I previously was told to use it by another VSA. Secondly, I did not use it to remove anything presently on the computer... it's there because I was told to use it awhile ago for another instance...

     

    As for the McAfee un-installer, I will get on that now.

     

    - David

    0
  • Customer

    Oh yes, because I was not able to retrieve my password for that account, I wasn't able to ask for any help regarding this current Trojan. So my only hope was to re-follow those steps HJThis had instructed, hoping it would potentially solve the current problem. All I did was run the avenger...nothing came up so nothing was deleted. But I see your point. I apologize for the misunderstanding.

     

    If it serves any help, here is my latest HijackThis log...

     

     

    Logfile of HijackThis v1.99.1

    Scan saved at 7:01:05 PM, on 7/7/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\Program Files\Canon\CAL\CALMAIN.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\WINDOWS\system32\devldr32.exe

    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\Program Files\Messenger\MSMSGS.EXE

    C:\PROGRA~1\MICROS~4\wcescomm.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\America Online 9.0a\waol.exe

    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

    C:\PROGRA~1\MICROS~4\rapimgr.exe

    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

    c:\program files\common files\aol\1142145455\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

    c:\program files\common files\aol\1142145455\ee\aolsoftware.exe

    C:\Program Files\America Online 9.0a\shellmon.exe

    C:\Program Files\hijackthis\hijackthis\HijackThis.exe

     

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"

    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b

    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab

    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    0
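    A small triage script for HijackThis v1.99.1 log lines, added here as an example; it is not the helper's code, nor part of HijackThis or ComboFix. It encodes the check the helper applied by hand earlier in the thread: a Downloaded Program Files (O16) entry whose URL delivers a bare .exe instead of a .cab/.ocx package, plus orphaned O2/O3 hooks whose target is "(no file)". The sample lines are copied from the logs posted in this thread (URL truncation included); the file-extension heuristic is this example's own assumption.

```python
"""Triage helper for HijackThis log lines (added example, not from the thread).

Heuristics applied (this example's own, not HijackThis logic):
  * O16 (DPF = Downloaded Program Files, ActiveX objects installed by IE):
    a legitimate entry normally fetches a .cab / .ocx / .dll package; an entry
    whose URL delivers a bare .exe is the pattern the helper flagged above.
  * O2 / O3 (BHOs, toolbars): a registration pointing at "(no file)" is an
    orphaned hook, harmless but worth removing.
"""
import posixpath
import re
from urllib.parse import urlparse

# O16 - DPF: {CLSID} (Optional Name) - URL
O16_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f\-]+\})(?: \((.*?)\))? - (\S+)$')
# O2 - BHO: Name - {CLSID} - path   /   O3 - Toolbar: Name - {CLSID} - path
HOOK_RE = re.compile(r'^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f\-]+\}) - (.*)$')

# Package types a DPF entry is expected to download.
DPF_PACKAGE_EXTS = {'.cab', '.ocx', '.dll'}

# Lines copied from the HijackThis log posted in this thread (the trasferimento.biz
# URL is truncated with "..." exactly as it appears in the post).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/a3cbf610b4...f946b770_35.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326
"""


def url_extension(url):
    """Lower-cased extension of the URL path, ignoring any query string ("?326")."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def triage(lines):
    """Return a list of (severity, section, detail) findings for HijackThis lines.

    Lines that match no heuristic produce no finding; unknown sections are ignored.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            ext = url_extension(url)
            if ext not in DPF_PACKAGE_EXTS:
                findings.append(('HIGH', 'O16',
                                 f'DPF {clsid} ({name or "no name"}) fetches "{ext or "no extension"}" '
                                 f'from {urlparse(url).netloc}: not a .cab/.ocx package'))
            continue
        m = HOOK_RE.match(line)
        if m:
            section, name, clsid, target = m.groups()
            if target.strip().lower() == '(no file)':
                findings.append(('LOW', section,
                                 f'{name} {clsid} is registered but its file is missing (orphan)'))
    return findings


if __name__ == '__main__':
    for severity, section, detail in triage(SAMPLE_LOG.splitlines()):
        print(f'[{severity}] {section}: {detail}')
```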
  • Customer

    Again I explained why I had the Avenger. I said that I previously was told to use it by another VSA
    Yes, I understand that part, but the strange thing is, you received help in January... and from your ComboFix log, C:\Avenger is under the part:

     

    ((((((((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 ))))))))))))))))))))))))))))))))))

     

    2007-07-04 21:24 <DIR> d-------- C:\avenger

     

    That doesn't make sense... that's why I asked.

    0
  • Customer

    By the way, no Protection is running here since we uninstalled McAfee (which was already corrupted anyway), so make sure your Windows Firewall is turned on.

    And I suggest you install another Antivirus. Look in my signature below for the ones I recommend. Avira is a great free Antivirus.

    0
  • Customer

    Hi,

     

    All I did was run the avenger...nothing came up so nothing was deleted. But I see your point. I apologize for the misunderstanding.
    The Avenger is no scanner. It is a very powerful tool which is used to delete files/keys. If you use it in the wrong way, it may damage a computer. So I recommend you delete the Avenger.

     

    Not sure if you read my post previously about Viewpoint, because I still see it installed here. But leave that for now as it actually doesn't make much sense you uninstall it since you have AOL running and it will always ask to reinstall again in that case.

     

    Can you also rescan with Combofix and post the log?

    0
  • Customer

    Ok will do...I believe the Firewall is operating. Here is my latest ComboFix Log:

     

     

    Note: I deleted the icon of Avenger from the location I saw it in. Not sure if that completely removes the program. Thanks, and as for Viewpoint, I did not miss your post. I went to Add Remove Programs and removed anything containing Viewpoint. For the remaining files, I'm not sure. How would I delete the "inside" files? ...Here is my ComboFix log:

     

     

    "David" - 2007-07-07 19:16:37 - ComboFix 07-07-07.4 - Service Pack 2 FAT32

     

     

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    -------\LEGACY_FWSVC

    -------\LEGACY_NETWORK_MONITOR

    -------\LEGACY_VSPF

    -------\FWSvc

    -------\Network Monitor

    -------\vspf

     

     

    ((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))

     

     

    2007-07-07 18:43 561,272 --a------ C:\Program Files\MCPR.exe

    2007-07-07 14:10 51,200 --a------ C:\WINDOWS\nircmd.exe

    2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood

     

     

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

     

    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

    2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

    2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

    2007-04-13 17:31:04 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll

     

     

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    *Note* empty entries & legit default entries are not shown

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]

    2005-11-30 13:17 585728 --a------ C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "HostManager"="C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe" [2006-09-25 19:52]

    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]

    "Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 16:33]

    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-16 02:11]

    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]

     

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]

    "Aim6"="" []

    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

    "H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 19:44]

    "AOL Fast Start"="C:\Program Files\America Online 9.0a\AOL.exe" [2005-07-12 00:17]

     

     

    Contents of the 'Scheduled Tasks' folder

    2007-07-07 02:42:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

     

    **************************************************************************

     

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

    Rootkit scan 2007-07-07 19:27:55

    Windows 5.1.2600 Service Pack 2 FAT NTAPI

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

     

    Completion time: 2007-07-07 19:33:10 - machine was rebooted

    C:\ComboFix3.txt ... 2007-07-06 20:05

    C:\ComboFix-quarantined-files.txt ... 2007-07-07 19:33

    C:\ComboFix2.txt ... 2007-07-07 14:28

     

    --- E O F ---

    0
  • Customer

    Can you post a new HijackThis log please?

    0
  • Customer

    Sure,

     

     

    Logfile of HijackThis v1.99.1

    Scan saved at 5:01:09 AM, on 7/8/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\Program Files\Canon\CAL\CALMAIN.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Messenger\MSMSGS.EXE

    C:\PROGRA~1\MICROS~4\wcescomm.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\WINDOWS\system32\devldr32.exe

    C:\PROGRA~1\MICROS~4\rapimgr.exe

    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

    c:\program files\common files\aol\1142145455\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

    c:\program files\common files\aol\1142145455\ee\aolsoftware.exe

    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

    C:\Program Files\America Online 9.0a\waol.exe

    C:\Program Files\America Online 9.0a\shellmon.exe

    C:\Program Files\hijackthis\hijackthis\HijackThis.exe

     

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"

    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b

    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab

    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    0
  • Customer

    Hi,

     

    Is Viewpoint still present in add/remove programs?

    If so, uninstall it again.

     

    If not,

     

    * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

     

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

     

    * Click on Fix Checked when finished and exit HijackThis.

    Make sure your Internet Explorer is closed when you click Fix Checked!

     

    Then go to start > run and copy and paste next command in the field:

     

    sc delete "Viewpoint Manager Service"

     

    Hit enter.

     

    Reboot your computer and delete the C:\Program Files\Viewpoint folder.

     

    Let me know in your next reply how things are now.

    0
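    As an added example (not part of this thread and not a HijackThis feature), a small Python triage script over the HijackThis line formats shown above: it flags orphaned entries marked "(no file)" and entries whose binary lives under a folder on a removal list, here Viewpoint, which is what the two lines above are about. The regexes are assumptions based on the log lines in this thread, and the sample log is constructed from them.

    ```python
    """Triage helper for HijackThis v1.99 log lines (added example, not a HijackThis component)."""
    import re

    # Line shapes used in this thread: O2 BHO, O3 toolbar, O4 Run entries, O23 services.
    # These patterns are assumptions derived from the lines visible in the thread.
    O2_O3 = re.compile(r'^(O[23]) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$')
    O4 = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] ?(.*)$')
    O23 = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')

    # Constructed sample: a handful of lines copied from the log format above.
    SAMPLE_LOG = r"""
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    """


    def parse_line(line):
        """Return a dict for one recognised log entry, or None for any other line."""
        m = O2_O3.match(line)
        if m:
            return {"type": m.group(1), "name": m.group(2), "clsid": m.group(3), "path": m.group(4)}
        m = O4.match(line)
        if m:
            return {"type": "O4", "hive": m.group(1), "name": m.group(2), "path": m.group(3)}
        m = O23.match(line)
        if m:
            return {"type": "O23", "name": m.group(1), "company": m.group(2), "path": m.group(3)}
        return None


    def triage(log_text, unwanted_folders=("Viewpoint",)):
        """Flag orphaned entries and entries whose binary sits under an unwanted program folder.

        Returns a list of (entry type, entry name, reason) tuples in log order.
        """
        findings = []
        for raw in log_text.splitlines():
            entry = parse_line(raw.strip())
            if entry is None:
                continue
            path = entry["path"]
            if "(no file)" in path:
                # Registry points at a file that no longer exists: a leftover to clean up.
                findings.append((entry["type"], entry["name"], "orphaned entry: file missing"))
            elif any("\\" + folder + "\\" in path for folder in unwanted_folders):
                # Binary lives under a folder the helper asked to remove (e.g. Viewpoint).
                findings.append((entry["type"], entry["name"], "points into unwanted program folder"))
        return findings


    if __name__ == "__main__":
        for kind, name, reason in triage(SAMPLE_LOG):
            print(f"{kind:<4} {name:<30} {reason}")
    ```
    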
  • Customer

    Ok, for some reason it was present...again. I un-installed Viewpoint Media Player. Note I did not follow the rest of the steps you posted as Viewpoint was present. Should I follow the proceeding steps anyway?

    0
  • Customer

    Yes, please follow the rest of my steps.

    0
  • Customer

    Ok,

     

    I did the Fix Checked part. I then went to Start > Run and typed in sc delete "Viewpoint Manager Service". A window promptly came up for about half a second and closed. Next, after reboot, I navigated to the Viewpoint folder. However, when I attempted to delete the folder I got a pop up saying: "Cannot delete AOLUserShell.Dll". It was saying make sure it's not write-protected and what not.

     

    To update you on the status of the PC, I'm still getting those Trojan alerts from AOLAntiSpyware, and at reboot, I still get that blue screen... :angry:

    0
  • Customer

    Well, as long as you have to choose Last Known Good Configuration, the malware that was removed previously (Winantivirus drivers) will be replaced again... and that explains why Combofix deleted it once again afterwards...

    So, as long as you get that BSOD and you choose Last Known Good, it will restore the bad drivers again and I am pretty sure it will restore the McAfee drivers again as well, resulting in the next BSOD.

     

    Sidenote...

    The fact that your Windows XP is installed on a FAT32 partition is not uncommonly the cause of BSODs. On FAT32, files may easily get corrupted, which results in BSODs.

    FAT is retained to maintain compatibility with non-NT machines. If you do not require this compatibility, do yourself a favor & convert to NTFS.

     

    So, something certainly got corrupted here. And as I explained previously, every time you choose the Last Known Good Configuration, it will just re-add the bad drivers and other drivers we already removed, so actually we are running in circles here, because after all, what we removed will be restored again.

     

    Searching for the right cause will be like searching for a needle in a haystack, and God knows what else was corrupted, because you had some pretty nasty infections present previously (January) and malware damages A LOT.

    I don't understand why back in January, the one that was helping you didn't tell you about the risks and future problems that may arise when you deal with such nasty infections manually.

    Anyway, we can hunt some more and try to repair the damage, but I cannot guarantee that this will actually solve it... because as I explained previously, malware damages a lot and not all damage can always be repaired. That's why most people format and reinstall their system afterwards anyway.

     

    When you're getting the BSOD, what does it exactly say there? Because that info is important to know.

    If you can't figure it out:

    1. Open Control Panel -> System.

    2. Select the Advanced tab.

    3. Select Settings from the "Startup and Recovery" section.

    4. From "Write Debugging Information" select "small memory dump (64 KB)".

    5. Write down the location of the dump file, so that you can find it after the BSOD. That's the info I need. So send the dump file to miekiemoesATmvps.org (replace AT with @)

     

    Also do next..

     

    Download and Save blacklight to your desktop.

    F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml

    (fsbl.exe - graphical user interface)

    Double-click fsbl.exe then accept the agreement.

    click > scan then > next,

    You'll see a list of all items found - if any are found, so don't worry if it tells you that there were no files found.

    In case hidden files were found, don't choose rename yet! I want to see the log first, because legit items can also be present there...

    There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

    Post the contents of the log in your next reply.

    0
  • Customer

    4. From "Write Debugging Information" select "small memory dump (64 KB)".

    5. Write down the location of the dump file, so that you can find it after the BSOD. That's the info I need. So send the dump file to miekiemoesATmvps.org (replace AT with @)


     

    After I complete step 4: Is there an option of where to save the dump file? because all I see is "Small dump directory" which lies underneath "Write Debugging Information". Is that what I should note or should I click Ok, then hit enter before it will ask me where to save anything else.

    0
  • Customer

    On the BSOD, the error says the following:

     

    "A problem has been detected and Windows has been shut down to prevent damage to your computer.

     

    If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

     

    Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

     

    Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup options, and then select Safe Mode.

     

    Technical information:

     

    ***STOP: 0x0000007e (0xC0000005, 0x806A7F31, 0xFC8D357C, 0xFC8D3278)

    0
  • Customer

    Look at this screenshot:

     

     

    Where it says "Small dump directory", the path to the dump file is present in there. In the above screenshot, you see %Systemroot%\Minidump (so in that folder, the dump file will be created).

    However, it's possible it is pointed to somewhere else on your drive where the dump file is created. Anyway, it's that dump file I need, present in that folder.

    So once you know where the dump file will be created, REBOOT your system and after reboot, navigate to the folder where the dump file is created and then send me that dump file.

    0
  • Customer

    Thanks for the lengthy replies,

     

    I edited my previous post: By taking a photo of that BSOD, I was able to jot down everything it stated. Let me know if that reply should void following the Small Dump Directory steps.

     

    Thanks a bunch,

    - David

    0
