Trojan Warning....need Help To Remove

July 8, 2007

Ok,

I did the Fix Checked part. I then went to Start > Run and typed in sc delete "Viewpoint Manager Service". A window promptly came up for about a half a second and closed. Next, after reboot, I navigated to the Viewpoint folder. However, when I attempted to delete the folder I got a pop up saying: "Cannot delete AOLUserShell.Dll". It was saying make sure its not write-protected and what not.

To update you on the status of the PC, I'm still getting those Trojan alerts from AOLAntiSpyware, and at reboot, I still get that blue screen... :angry:

Edited July 8, 2007 by Lavaman08

miekiemoes · July 8, 2007

Well, as long as you have to choose lastgood known configuration, the malware that was removed previously (Winantivirus drivers) will be replaced again.. and that explains why Combofix deleted it once again afterwards...

So, as long as you'll get that BSOD and you choose lastgood, it will restore the bad drivers again and I am pretty sure it will restore the McAfee drivers again as well, resulting in a next BSOD.

Sidenote...

The fact that your Windows XP is installed on a FAT32 machine is not uncommon for the cause of BSODs. When on FAT32, files may get easily corrupted > result in BSODs.

FAT is retained to maintain compability with non-NT machines. If you do not require this compability, do yourself a favor & convert to NTFS

So, something certainly went corrupted here. And as I explained previously, every time you choose the lastgood known configuration, it will just re-add the bad drivers and other drivers we already removed, so actually we are running in circles here, because after all, what we removed will be restored again.

Searching for the right cause will be like searching for a needle in a haystack, and God knows what else was corrupted, because you had some pretty nasty infections present previously (january) and malware damages A LOT.

I don't understand why back in january, the one that was helping you, didn't tell you about the risks and future problems that may arise when you deal with such nasty infections manually.

Anyway, we can hunt some more and try to repair the damage, but I cannot guarantee that this will actually solve it... because as I explained previously; malware damages a lot and not all damage can always be repaired. That's why most people format and reinstall their system afterwards anyway.

When you're getting the BSOD, what does it exactly say there? Because that info is important to know.

If you can't figure it out:

1. Open Control Panel -> System.

2. Select the Advanced tab.

3. Select Settings from the "Startup and Recovery" section.

4. From "Write Debugging Information" select "small memory dump (64 KB)".

5. Write down the location of the dump file, so that you can find it after

the BSOD. That's the info I need. So send the dump file to miekiemoesATmvps.org (replace AT with @)

Also do next..

Download and Save blacklight to your desktop.

F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml

(fsbl.exe - graphical user interface)

Double-click fsbl.exe then accept the agreement.

click > scan then > next,

You'll see a list of all items found - if found, so don't worry it tells that there were no files found.

In case hidden files were found, Don't choose for rename yet! I want to see the log first, because legit items can also be present there...

There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

Post the contents of the log in your next reply.

July 8, 2007

4. From "Write Debugging Information" select "small memory dump (64 KB)".
5. Write down the location of the dump file, so that you can find it after

the BSOD. That's the info I need. So send the dump file to miekiemoesATmvps.org (replace AT with @)

After I complete step 4: Is there an option of where to save the dump file? because all I see is "Small dump directory" which lies underneath "Write Debugging Information". Is that what I should note or should I click Ok, then hit enter before it will ask me where to save anything else.

July 8, 2007

On the BSOD, the error says the following:

"A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen again, followthese steps:

Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup options, and then select Safe Mode.

Technical information:

***STOP: 0x0000007e (0xC0000005, 0x806A7F31, 0xFC8D357C, 0xFC8D3278)

Edited July 8, 2007 by Lavaman08

miekiemoes · July 8, 2007

Look at this screenshot:

Where it says "Small dump directory", the path to the dumpfile is present in there. In above screenshot, you see %Systemroot%\Minidump (so in that folder, the dumpfile will be created).

However, it's possible it is pointed to somewhere else on your drive where the dumpfile is created. Anyway, it's that dumpfile I need present in that folder.

So once you know where the dumpfile will be created, REBOOT your system and after reboot, navigate to the folder where the dumpfile is created and then send me that dumpfile

July 8, 2007

Thanks for the lengthy replies,

I edited my previous post: By taking a photo of that BSOD, I was able to jot down everything it stated. Let me know if that reply should void following the Small Dump Directory steps.

Thanks a bunch,

- David

miekiemoes · July 8, 2007

Doesn't it say anything more for the technical information? Didn't it mention a filename? Because a STOP: 0x0000007e can mean anything. Open your Event Viewer (start > run and type: eventvwr.msc)

Under System in Event Viewer, let me know what latest error is displaying there (exact errors) - look at the time when the error was created, because it has to be the error that was created the same time when you got your BSOD

Can you remember since when this started?

Anyway, can you also perform the scan with Blacklight?

July 8, 2007

As for the Scan results... once complete I clicked Next then it brought me to the next screen where I was able to click Finish. That was it...however it said it did not find any hidden files or anything as such so maybe thats why there were no Log's?

miekiemoes · July 8, 2007

The log is created the same place where fsbl.exe is present, even though it didn't find any hidden files.

Anyway, in that case, no need to post that log, since it already said it didn't find hidden files. :angry:

July 8, 2007

I believe the BSOD occurred around July 2-3 I will list you all recent Errors:

Error - 7/8/2007, Source: Service Control Manager, Catagorie: None, Event: 7206, User: N/A, User: DAVID-HUR7212OB

Error - 7/8/2007, Source: Service Control Manager, Catagorie: None, Event: 7000, User: N/A, User: DAVID-HUR7212OB

Error - 7/8/2007, Source: acpi, Catagorie: None, Event: 4, User: N/A, User: DAVID-HUR7212OB

Error - 7/8/2007, Source: acpi, Catagorie: None, Event: 5, User: N/A, User: DAVID-HUR7212OB

NOTE: These errors seem to repeat, possibly because of rebooting like you said in LastGood...now skipping the repetitive Errors...

Warning - 7/5/2007, Source: w32Time, Catagorie: None, Event: 36, User: N/A, User: DAVID-HUR7212OB

Warning - 7/3/2007, Source: Dhcp, Catagorie: None, Event: 1003, User: N/A, User: DAVID-HUR7212OB

Warning - 7/2/2007, Source: Tcpip, Catagorie: None, Event: 4226, User: N/A, User: DAVID-HUR7212OB

miekiemoes · July 8, 2007

Hi,

Above errors are how you see them in the main screen. That's not enough info as it doesn't show with what EXACTLY it is related. I don't need Warnings, I need the error part.

You can actually click these errors. Then click the copy/paste icon on top there and that will copy it to clipboard.

But I actually need the exact error created after a reboot, so when a BSOD appears.

So please reboot your system, then a BSOD will appear. Then choose the error for the exact time in your Event Manager when the BSOD appeared. That's the info I need.

Also do next..

* Download Deckard System Scanner to your Desktop.

Close all applications and windows.
Double-click on dds.exe to run it, and follow the prompts.
The scan may take a minute. When the scan is complete, a text file will open - main.txt
A folder (C:\Deckard\System Scanner) will also open which contains the main.txt and an extra.txt.
Copy and paste the contents of main.txt in your next reply. (Do not post the extra.txt - only post this when being asked)

July 8, 2007

I see, I did not know you were able to click on the errors. I copied and pasted the following info from the screens:

The following boot-start or system-start driver(s) failed to load:

FOPN

vspf

vspf_hk

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The DgiVecp service failed to start due to the following error:

The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I will jump on that Deckard System Scanner right now...

Edited July 8, 2007 by Lavaman08

miekiemoes · July 8, 2007

Please post the log from Deckard System Scanner :angry:

July 8, 2007

Sorry for the delay...here you go :angry:

Deckard's System Scanner v20070611.50

Run by David on 2007-07-08 at 14:56:56

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

7: 2007-07-08 18:57:13 UTC - RP141 - Deckard's System Scanner Restore Point

6: 2007-07-07 21:08:12 UTC - RP140 - System Checkpoint

5: 2007-07-06 16:18:44 UTC - RP139 - System Checkpoint

4: 2007-07-05 08:27:07 UTC - RP138 - System Checkpoint

3: 2007-07-04 08:16:22 UTC - RP137 - System Checkpoint

-- First Restore Point --

1: 2007-07-01 19:49:05 UTC - RP135 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as David.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 2:59:32 PM, on 7/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\PROGRA~1\MICROS~4\wcescomm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

c:\program files\common files\aol\1142145455\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\common files\aol\1142145455\ee\aolsoftware.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\America Online 9.0a\waol.exe

C:\Program Files\dss.exe

C:\Program Files\America Online 9.0a\shellmon.exe

C:\PROGRA~1\HIJACK~1\HIJACK~1\David.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142145455\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\HIJACK~1\backups\) -----------

backup-20070110-211706-199 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

backup-20070110-211707-266 O4 - HKLM\..\Run: [{311319F5-0505-1033-0420-010330010001}] "C:\Program Files\Common Files\{311319F5-0505-1033-0420-010330010001}\Update.exe" mc-110-12-0000272

backup-20070110-211708-740 O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcaw.dll,startup

backup-20070110-211708-135 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\lkxvkomt.dll",setvm

backup-20070116-212635-438 O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\shsdfsvd.dll (file missing)

backup-20070116-212635-559 O2 - BHO: (no name) - {C5316AC9-1FB3-4A03-ACB6-0F40410869D3} - C:\WINDOWS\system32\awttt.dll (file missing)

backup-20070706-195812-274 O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/a3cbf610b4...f946b770_35.exe

backup-20070708-111813-948 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

backup-20070708-111814-574 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 FOPN - c:\windows

S1 vspf - c:\windows\system32\drivers\vspf5.sys (file missing)

S1 vspf_hk - c:\windows\system32\drivers\vspf_hk5.sys (file missing)

S2 DgiVecp - c:\windows\system32\drivers\dgivecp.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S4 FWSvc (Firewall service) -

-- Scheduled Tasks -------------------------------------------------------------

2007-07-06 22:42:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-06-08 and 2007-07-08 -----------------------------

2007-07-08 14:55:09 468255 --a------ C:\Program Files\dss.exe

2007-07-08 05:32:37 0 d-------- C:\Program Files\MetaStream <METAST~1>

2007-07-04 22:30:50 0 d-------- C:\WINDOWS\LastGood

2007-07-04 21:24:18 0 d-------- C:\avenger

-- Find3M Report ---------------------------------------------------------------

2007-07-08 14:12:58 1742 --a------ C:\Program Files\fsbl-20070708180340.log <FSBL-2~1.LOG>

2007-05-09 00:53:14 2508 --a------ C:\Documents and Settings\David\Application Data\$_hpcst$.hpc

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"HostManager"="C:\\Program Files\\Common Files\\AOL\\1142145455\\ee\\AOLSoftware.exe"

"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"

"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

"Aim6"=""

"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"

"H/PC Connection Agent"="\"C:\\PROGRA~1\\MICROS~4\\wcescomm.exe\""

"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\

Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\

Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

NetworkService REG_MULTI_SZ DnsCache\

rpcss REG_MULTI_SZ RpcSs\

imgsvc REG_MULTI_SZ StiSvc\

termsvcs REG_MULTI_SZ TermService\

HTTPFilter REG_MULTI_SZ HTTPFilter\

DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ALERTER

-- End of Deckard's System Scanner: finished at 2007-07-08 at 15:00:40 ---------

miekiemoes · July 8, 2007

Hi,

Do next please...

Go to start > run and copy and paste next commands in the field, one by one:

sc delete FOPN

Hit enter

sc delete vspf

Hit enter

sc delete vspf_hk

Hit enter

sc delete FWSvc

Hit enter

sc delete DgiVecp

Hit enter

sc stop "Viewpoint Manager Service"

Hit enter

sc delete "Viewpoint Manager Service"

Hit enter

After each command, a small Dos window should open and close again, this is normal.

Then RESCAN with Deckard System scanner and post the log in your next reply

miekiemoes · July 8, 2007

Extra note, what I have been thinking.. The related files are gone, as I see from the log:

S0 FOPN - c:\windows

S1 vspf - c:\windows\system32\drivers\vspf5.sys (file missing)

S1 vspf_hk - c:\windows\system32\drivers\vspf_hk5.sys (file missing)

S4 FWSvc (Firewall service) -

So actually AOL Antispyware is only flagging above services in the registry, NOT files, because they are gone. When no files attached, present, it can't do anything. Combofix already deleted some previously, but for some reason they were created again. And now I am starting to think that your AOL Antispyware is responsible for this. It detects a modification related with these services and blocks these modifications no matter what was done to these services and probably sees the deletion of these services also as a bad attempt and "restores" it again.

So in case your AOL Antispyware gives an alert afterwards again, is there an option to NOT let it blocking it? But allow it instead?

If not, then I guess in this case it's better to temporary uninstall AOL Antispyware until this issue is resolved, because I really have the feeling that AOL Antispyware is interfering with it here.

July 8, 2007

Deckard's System Scanner v20070611.50

Run by David on 2007-07-08 at 15:38:15

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- HijackThis (run as David.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 3:38:22 PM, on 7/8/2007