
Trojan Warning....need Help To Remove

Guest Lavaman08

Hey,

I'm getting error messages and alerts from my taskbar about a Trojan called "WinAntiVirus Pro". I ran the scan through AdAware; however, it does not seem to have stopped the Trojan from recurring. Here is my HJThis log. Any help would be appreciated. Thanks in advance!

Thank You,

- David

Logfile of HijackThis v1.99.1

Scan saved at 5:19:25 PM, on 7/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\PROGRA~1\MICROS~4\wcescomm.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

C:\Program Files\America Online 9.0a\waol.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

c:\program files\common files\aol\1142145455\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\common files\aol\1142145455\ee\aolsoftware.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\America Online 9.0a\shellmon.exe

c:\program files\common files\aol\1142145455\ee\anotify.exe

C:\Program Files\hijackthis\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/a3cbf610b4...f946b770_35.exe

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then reboot.

Check and fix this entry in HijackThis:

O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/a3cbf610b4...f946b770_35.exe

I'm getting error messages and alerts from my taskbar about a Trojan called "WinAntiVirus Pro"
Are you still getting this? Because as far as I can see, there are no bad entries in your HijackThis log apart from the above one, and that one isn't causing this. But then again, HijackThis doesn't show all the info we need, so do the following:

* Download ComboFix to your desktop.

Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after the reboot (in case it asks to reboot), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply.

Do NOT post the ComboFix-quarantined-files.txt unless I ask you to.

Guest Lavaman08

Ok,

My PC is having trouble rebooting. As it starts up, a blue screen momentarily comes up (for roughly 1 second, then it immediately reboots). In order to restart the PC I have to choose the "Last Known Good Configuration (your most recent settings that worked)" option. The blue screen states that some kind of error has been detected and it needs to reboot. Spyware does do some strange things to a PC, but with that said, AOL Spyware keeps alerting me that it has detected "WinAntiVirus Pro" and has "blocked" it. However, I'm pretty sure that doesn't block, or better yet remove, the Trojan altogether. I followed the steps and here is the latest ComboFix log:

- David

"David" - 07-07-06 19:59:10 Service Pack 2

ComboFix 07-01-15 - Running from: "C:\Program Files"

 

((((((((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 ))))))))))))))))))))))))))))))))))

 

 

2007-07-04 22:36 <DIR> d-------- C:\Program Files\McAfee

2007-07-04 22:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee

2007-07-04 22:32 23,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NaiFiltr.sys

2007-07-04 22:30 344,064 -ra------ C:\WINDOWS\SYSTEM32\mcinsctl.dll

2007-07-04 22:30 270,336 -ra------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll

2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood

2007-07-04 22:30 <DIR> d-------- C:\Program Files\McAfee.com

2007-07-04 21:24 <DIR> d-------- C:\avenger

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-05-16 11:12 683520 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll

2007-05-09 00:53 2508 --a------ C:\DOCUME~1\David\Application Data\$_hpcst$.hpc

2007-04-25 10:21 144896 --a------ C:\WINDOWS\SYSTEM32\schannel.dll

2007-04-18 12:12 2854400 --a------ C:\WINDOWS\SYSTEM32\msi.dll

2007-04-16 22:47 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll

2007-04-16 22:45 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll

2007-04-16 22:45 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll

2007-04-16 22:45 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe

2007-04-16 22:45 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll

2007-04-16 22:45 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll

2007-04-16 22:45 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll

2007-04-16 22:45 1710936 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll

2007-04-13 13:31 103984 --a------ C:\WINDOWS\SYSTEM32\aoldial.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

"Aim6"=""

"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"

"H/PC Connection Agent"="\"C:\\PROGRA~1\\MICROS~4\\wcescomm.exe\""

"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"HostManager"="C:\\Program Files\\Common Files\\AOL\\1142145455\\ee\\AOLSoftware.exe"

"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"

"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"

"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""

"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"

"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"

"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"

"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

NetworkService REG_MULTI_SZ DnsCache\

rpcss REG_MULTI_SZ RpcSs\

imgsvc REG_MULTI_SZ StiSvc\

termsvcs REG_MULTI_SZ TermService\

HTTPFilter REG_MULTI_SZ HTTPFilter\

DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

 

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\McAfee.com Update Check (DAVID-HUR7212OB-David).job

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

 

Completion time: 07-07-06 20:05:49

C:\ComboFix2.txt ... 07-07-03 00:54

C:\ComboFix3.txt ... 07-01-15 17:12


Hi,

ComboFix 07-01-15 - Running from: "C:\Program Files"

This is a really outdated version. You were actually supposed to use the latest version, so delete the ComboFix you have and redownload it from the link I posted.

But before you do, please uninstall McAfee, because from your first log I see it's not properly installed, since the related services are missing. Then reboot after you have uninstalled it. Don't reinstall it yet, but run ComboFix first.

AOL Spyware keeps alerting me it has detected "WinAntiVirus Pro" and has "blocked" it
As I already said, I see no references to Winantispyware or the related DLLs in your log that may cause this, so let me know where exactly AOL Antispyware finds this entry/file. Because in the above ComboFix log I don't really see anything suspicious either. So I wanted to be sure here that AOL Antispyware doesn't block legitimate files, which may already explain a lot. AOL Antispyware is poor as well and is known to show many false positives.

Do you get popups to buy WinAntispyware all the time?

I see C:\avenger present as well... What have you been deleting with The Avenger? Hopefully nothing legitimate... :o

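
The two checks the helper applies in the replies above, the O16 DPF entry whose download is an executable rather than an ActiveX container, and McAfee processes running while no O23 McAfee service is registered, written out as a small HijackThis log triage script. This is an added example, not code from the thread or from HijackThis; the log is a constructed excerpt in the v1.99.1 layout, the O16 URL is an example.invalid placeholder, and the extension whitelist and severity labels are assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed excerpt in the HijackThis v1.99.1 layout posted in this thread (blank
# lines between entries, as the forum paste has them). The O16 URL below is a
# placeholder on example.invalid, not the address from the original log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:19:25 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://example.invalid/l/dropper_35.exe

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # "O16 - DPF: ..." -> (section, body)
PATH_RE = re.compile(r"^[A-Za-z]:\\")       # a line of the "Running processes:" list
DPF_OK_EXT = (".cab", ".ocx", ".dll")       # assumed: what an ActiveX download should fetch


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)   # (section, body) tuples


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into running processes and O-section entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                              # skip the forum double-spacing
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False                      # the first O-line ends the process list
            log.entries.append((m.group(1), m.group(2)))
        elif in_procs and PATH_RE.match(line):
            log.processes.append(line)
    return log


def dpf_url(body: str) -> str:
    """O16 bodies read 'DPF: {CLSID} (Name) - URL'; the URL is the last ' - ' field."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log: HjtLog, vendor: str = "mcafee") -> list:
    """Return (severity, message) findings for the checks made in this thread:
    an O16 download that is not an ActiveX container, an O3 toolbar whose file is
    gone (uninstall leftover), and vendor processes running with no O23 service."""
    findings = []
    for section, body in log.entries:
        if section == "O16":
            url = dpf_url(body)
            if not urlparse(url).path.lower().endswith(DPF_OK_EXT):
                findings.append(("HIGH", f"O16 DPF fetches a non-ActiveX file, fix it: {url}"))
        elif section == "O3" and body.endswith("(no file)"):
            findings.append(("LOW", f"O3 toolbar points at a missing file (leftover): {body}"))
    procs = [p for p in log.processes if vendor in p.lower()]
    services = [b for s, b in log.entries if s == "O23" and vendor in b.lower()]
    if procs and not services:
        findings.append(("MEDIUM", f"{len(procs)} {vendor} process(es) running but no "
                                   f"O23 {vendor} service registered: broken install"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```
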
Guest Lavaman08

Hello again,

I was not aware that the version of ComboFix I currently have is outdated. I will uninstall McAfee in a bit. In response to finding the entry file for the spyware: I get a little alert notification at the bottom of the screen informing me it has detected "WinAntiVirus Pro", then it gives me an option to "View Blocked Items". However, when I choose that option it brings me to a screen where it lists all the recent scans and does show a date of when it found the spyware, then tells me the name of the spyware and the security of it being a "Trojan". I am not sure exactly where to go to locate its entry file.

As for getting popups, I do not. I suspect that if I were to unblock the potential Trojan via AOL AntiSpyware, it would then permit the popup activity from WinAntiVirus Pro. So to be on the safe side I let the AntiSpyware block the Trojan, perhaps to "hold off" anything from proceeding.

I recently had spyware, and with the help of "HJThis", a VSA member such as yourself, I was guided through the steps to remove what was necessary. Thus he had me install these programs, which might explain the date of the version.

I get a little alert notification at the bottom of the screen informing me it has detected "WinAntiVirus Pro", then gives me an option to "View Blocked Items". However, when I choose that option it brings me to a screen where it lists all the recent scans and does show a date of when it found the spyware, then tells me the name of the spyware then the security of it being a "Trojan". I am not sure exactly where to go to locate its entry file.
That doesn't make sense. It should display where it is blocking it.

When exactly do you get that alert? Because I really think this is a false positive though....

Anyway, can you also point me to the thread where HJThis helped you previously, so I can figure out what was deleted or not....

Guest Lavaman08
That doesn't make sense. It should display where it is blocking it.

Three categories are listed: Scan Date ... Status ... Potential Threat ... Having highlighted the threat, it gives me an option to Restore or Delete. I'm guessing it's a false positive like you said. Should I Restore the potential threat? Perhaps it is a false alarm...

When exactly do you get that alert? Because I really think this is a false positive though....

Periodically. Every 5-10 minutes or so...

Anyway, can you also point me to the thread where HJThis helped you previously, so I can figure out what was deleted or not....

Sure, ... http://www.lavasoftsupport.com/index.php?s...ic=6056&hl=


Anyway, can you download the latest version of Combofix, run it and post the log?

Guest Lavaman08

Here is my most recent ComboFix log:

"David" - 2007-07-07 14:10:56 - ComboFix 07-07-07.4 - Service Pack 2 FAT32

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\packet.dll

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\wpcap.dll

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_FWSVC

-------\LEGACY_NETWORK_MONITOR

-------\LEGACY_VSPF

-------\FWSvc

-------\Network Monitor

-------\vspf

 

 

((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))

 

 

2007-07-07 14:10 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-07 02:17 23,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NaiFiltr.sys

2007-07-04 22:36 <DIR> d-------- C:\Program Files\McAfee

2007-07-04 22:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee

2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-13 17:31:04 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]

2005-11-30 13:17 585728 --a------ C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HostManager"="C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe" [2006-09-25 19:52]

"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]

"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 16:33]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-16 02:11]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]

"Aim6"="" []

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 19:44]

"AOL Fast Start"="C:\Program Files\America Online 9.0a\AOL.exe" [2005-07-12 00:17]

 

 

Contents of the 'Scheduled Tasks' folder

2007-07-07 02:42:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

 

**************************************************************************

 

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-07 14:23:39

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-07 14:28:52 - machine was rebooted

C:\ComboFix3.txt ... 2007-07-03 00:54

C:\ComboFix2.txt ... 2007-07-06 20:05

C:\ComboFix-quarantined-files.txt ... 2007-07-07 14:28

 

--- E O F ---


Hi,

The WinAntiVirusPro leftovers should be deleted now, as I see from your ComboFix log.

Please delete the C:\Qoobox folder.

Guest Lavaman08

Ok,

I did that. What should I do now..

Thanks,

-David

Guest Lavaman08

About that blue error screen at reboot: I still cannot restart my PC regularly. In order to reboot I have to choose the "Last Known Good Configuration" setting. That blue screen states "A problem has been detected and Windows has been shut down to prevent damage to your computer". However, at restart, it just returns to the same screen. What should I do?


Well, I asked you previously to uninstall McAfee, as it was not properly installed (no related services were running), but in your latest HijackThis log I still see some related McAfee components and drivers present, which may explain the BSODs.

Let me explain why I suspect McAfee..

From your ComboFix log, these are the files/folders that were added recently:


2007-07-04 22:36 <DIR> d-------- C:\Program Files\McAfee

2007-07-04 22:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee

2007-07-04 22:32 23,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NaiFiltr.sys

2007-07-04 22:30 344,064 -ra------ C:\WINDOWS\SYSTEM32\mcinsctl.dll

2007-07-04 22:30 270,336 -ra------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll

2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood <== this is where you had chosen lastgood configuration

2007-07-04 22:30 <DIR> d-------- C:\Program Files\McAfee.com

2007-07-04 21:24 <DIR> d-------- C:\avenger

 

All the other files around it are related to McAfee, because they are the only ones that were added recently.

The only exception is The Avenger you have been using. I really have no clue what you used the Avenger for, since I gave no instructions to use it, so I wonder what you have been deleting there..

Anyway, McAfee needs to go..

* Download and run the McAfee Consumer Products Removal tool (MCPR.exe).

Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 versions of McAfee consumer products.

  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware

Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe

  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
     
  • Press Y on the keyboard.
  • Wait for the computer to restart.

All McAfee products are now removed from your computer.

These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

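
The reasoning in the post above, that everything created around the McAfee timestamps belongs to McAfee and only C:\avenger stands apart, as a script that parses a ComboFix "Files Created" section, attributes each entry to a product by path hints and groups entries into install bursts by timestamp. This is an added example, not part of the thread or of ComboFix; the section text is a constructed excerpt, and the vendor hints and the 15-minute burst gap are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the ComboFix "Files Created" layout quoted in the post above.
SAMPLE_SECTION = r"""
2007-07-04 22:36 <DIR> d-------- C:\Program Files\McAfee
2007-07-04 22:32 23,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NaiFiltr.sys
2007-07-04 22:30 344,064 -ra------ C:\WINDOWS\SYSTEM32\mcinsctl.dll
2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-04 22:30 <DIR> d-------- C:\Program Files\McAfee.com
2007-07-04 21:24 <DIR> d-------- C:\avenger
"""

# date  time  <DIR>|size  attribute-flags  path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{9}) (.+)$")

# Assumed path hints tying an entry to a product: the mc*/NaiFiltr names are McAfee
# components and LastGood is written by Windows when "Last Known Good" is chosen.
VENDOR_HINTS = {
    "mcafee": ("mcafee", r"\mcinsctl", r"\mcgdmgr", r"\naifiltr"),
    "windows": (r"\lastgood",),
}


def parse_created(section: str) -> list:
    """Parse one 'Files Created' section into dicts with a real datetime and byte size."""
    rows = []
    for line in section.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, clock, size, attrs, path = m.groups()
        rows.append({
            "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"),
            "is_dir": size == "<DIR>",
            "size": 0 if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return rows


def attribute(rows: list) -> dict:
    """Map each path to the product its name hints at; the rest is 'unattributed'."""
    groups = defaultdict(list)
    for row in rows:
        low = row["path"].lower()
        owner = next((name for name, hints in VENDOR_HINTS.items()
                      if any(h in low for h in hints)), "unattributed")
        groups[owner].append(row["path"])
    return dict(groups)


def clusters(rows: list, gap_minutes: int = 15) -> list:
    """Group entries into install bursts: chronologically adjacent entries closer
    together than gap_minutes land in the same burst (the 15-minute gap is assumed)."""
    bursts = []
    for row in sorted(rows, key=lambda r: r["when"]):
        if bursts and (row["when"] - bursts[-1][-1]["when"]).total_seconds() <= gap_minutes * 60:
            bursts[-1].append(row)
        else:
            bursts.append([row])
    return bursts


if __name__ == "__main__":
    rows = parse_created(SAMPLE_SECTION)
    for owner, paths in attribute(rows).items():
        print(owner, "->", paths)
    for burst in clusters(rows):
        print(burst[0]["when"], "..", burst[-1]["when"], len(burst), "entries")
```
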
Guest Lavaman08
Well, I asked you previously to uninstall McAfee, as it was not properly installed (no related services were running), but in your latest HijackThis log I still see some related McAfee components and drivers present, which may explain the BSODs.

I did uninstall McAfee as soon as you asked me to. The only way I did it was through Add/Remove Programs. The remaining files you see must be leftovers which I did not manually remove.

The only exception is The Avenger you have been using. I really have no clue what you used the Avenger for, since I gave no instructions to use it, so I wonder what you have been deleting there..

...Again, I explained why I had the Avenger. I said that I was previously told to use it by another VSA. Secondly, I did not use it to remove anything presently on the computer... it's there because I was told to use it a while ago for another instance...

As for the McAfee uninstaller, I will get on that now.

- David

Again I explained why I had the Avenger. I said that I previously was told to use it by another VSA
Yes, I understand that part, but the strange thing is, you received help in January... and in your ComboFix log, C:\Avenger is under the part:

((((((((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 ))))))))))))))))))))))))))))))))))

2007-07-04 21:24 <DIR> d-------- C:\avenger

That doesn't make sense... that's why I asked.

Guest Lavaman08

Oh yes, because I was not able to retrieve my password for that account, I wasn't able to ask for any help regarding this current Trojan. So my only hope was to re-follow those steps HJThis had instructed, hoping it would potentially solve the current problem. All I did was run the Avenger... nothing came up, so nothing was deleted. But I see your point. I apologize for the misunderstanding.

If it serves any help, here is my latest HJThis log...


Logfile of HijackThis v1.99.1

Scan saved at 7:01:05 PM, on 7/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\PROGRA~1\MICROS~4\wcescomm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\America Online 9.0a\waol.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

c:\program files\common files\aol\1142145455\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\common files\aol\1142145455\ee\aolsoftware.exe

C:\Program Files\America Online 9.0a\shellmon.exe

C:\Program Files\hijackthis\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Hi,

 

All I did was run the avenger...nothing came up so nothing was deleted. But I see your point. I apologize for the misunderstanding.
The Avenger is not a scanner. It is a very powerful tool which is used to delete files/keys. If you use it in the wrong way, it may damage a computer. So I recommend you delete the Avenger.

 

Not sure if you read my previous post about Viewpoint, because I still see it installed here. But leave that for now, as it actually doesn't make much sense to uninstall it since you have AOL running, and it will always ask to reinstall it again in that case.

 

Can you also rescan with Combofix and post the log?


By the way, no protection is running here since we uninstalled McAfee (which was already corrupted anyway), so make sure your Windows Firewall is turned on.

And I suggest you install another antivirus. Look in my signature below for the ones I recommend. Avira is a great free antivirus.

Guest Lavaman08

Ok, will do... I believe the firewall is operating. Here is my latest ComboFix log:

 

 

Note: I deleted the Avenger icon from the location I saw it in. Not sure if that completely removes the program. Thanks, and as for Viewpoint, I did not miss your post. I went to Add/Remove Programs and removed anything containing Viewpoint. For the remaining files, I'm not sure. How would I delete the "inside" files? ...Here is my ComboFix log:

 

 

"David" - 2007-07-07 19:16:37 - ComboFix 07-07-07.4 - Service Pack 2 FAT32

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_FWSVC

-------\LEGACY_NETWORK_MONITOR

-------\LEGACY_VSPF

-------\FWSvc

-------\Network Monitor

-------\vspf

 

 

((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))

 

 

2007-07-07 18:43 561,272 --a------ C:\Program Files\MCPR.exe

2007-07-07 14:10 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-04 22:30 <DIR> d-------- C:\WINDOWS\LastGood

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-13 17:31:04 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]

2005-11-30 13:17 585728 --a------ C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HostManager"="C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe" [2006-09-25 19:52]

"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]

"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 16:33]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-16 02:11]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]

"Aim6"="" []

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 19:44]

"AOL Fast Start"="C:\Program Files\America Online 9.0a\AOL.exe" [2005-07-12 00:17]

 

 

Contents of the 'Scheduled Tasks' folder

2007-07-07 02:42:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

 

**************************************************************************

 

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-07 19:27:55

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-07 19:33:10 - machine was rebooted

C:\ComboFix3.txt ... 2007-07-06 20:05

C:\ComboFix-quarantined-files.txt ... 2007-07-07 19:33

C:\ComboFix2.txt ... 2007-07-07 14:28

 

--- E O F ---


Guest Lavaman08

Sure,

 

 

Logfile of HijackThis v1.99.1

Scan saved at 5:01:09 AM, on 7/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\PROGRA~1\MICROS~4\wcescomm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\devldr32.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

c:\program files\common files\aol\1142145455\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\common files\aol\1142145455\ee\aolsoftware.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\America Online 9.0a\waol.exe

C:\Program Files\America Online 9.0a\shellmon.exe

C:\Program Files\hijackthis\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Hi,

 

Is Viewpoint still present in add/remove programs?

If so, uninstall it again.

 

If not,

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Then go to Start > Run and copy and paste the next command in the field:

 

sc delete "Viewpoint Manager Service"

 

Hit Enter.

 

Reboot your computer and delete the C:\Program Files\Viewpoint folder.

 

Let me know in your next reply how things are now.

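To check a HijackThis log like the ones posted in this thread for the two kinds of leftover the steps above target (an O3 toolbar entry whose file is "(no file)", and an O23 service whose binary still sits under the uninstalled Viewpoint folder), here is an added Python example; it is not a tool from this thread, and its sample lines are constructed in the shape of the HijackThis lines posted above.

```python
# Added example (not from this thread): audit HijackThis O3/O23 lines for leftovers after an uninstall.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# HijackThis writes "Display Name (KeyName)" only when the two differ;
# otherwise the display name is also the service key name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<key>[^()]*)\))? - (?P<company>.*?) - (?P<path>.*)$"
)

@dataclass
class ServiceEntry:
    display: str
    key: str        # the name 'sc delete' / 'sc query' expects
    company: str
    path: str

@dataclass
class Finding:
    line: str
    reason: str
    service_key: Optional[str] = None   # set only for O23 findings

def parse_o23(line: str) -> Optional[ServiceEntry]:
    m = O23_RE.match(line)
    if not m:
        return None
    return ServiceEntry(m["display"], m["key"] or m["display"], m["company"], m["path"])

def audit_hjt(log_text: str, uninstalled_dirs: List[str]) -> List[Finding]:
    """Flag O3 toolbars whose file is gone and O23 services under an uninstalled directory."""
    prefixes = tuple(d.lower().rstrip("\\") + "\\" for d in uninstalled_dirs)
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O3_RE.match(line)
        if m and m["path"] == "(no file)":
            findings.append(Finding(line, "orphaned toolbar: CLSID is registered but its file is gone"))
            continue
        svc = parse_o23(line)
        if svc and svc.path.lower().startswith(prefixes):
            findings.append(Finding(line, "service binary under an uninstalled directory", svc.key))
    return findings

def sc_delete_commands(findings: List[Finding]) -> List[str]:
    # One 'sc delete' line per leftover service, using the key name (quoted, as in the reply above).
    return [f'sc delete "{f.service_key}"' for f in findings if f.service_key]
```

Running `audit_hjt(SAMPLE_LOG, [r"C:\Program Files\Viewpoint"])` returns the orphaned toolbar and the Viewpoint service, and `sc_delete_commands` turns the latter into the exact command the reply above gives.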
Guest Lavaman08

Ok, for some reason it was present...again. I uninstalled Viewpoint Media Player. Note I did not follow the rest of the steps you posted as Viewpoint was present. Should I follow the proceeding steps anyway?


This topic is now closed to further replies.