# Please Check my logs - I need a master

By gtbnyc
Apr 17, 2008
1. Hi, I had amazing help from Kritius here last time and my home computer is really crushed and in need of advanced help by a master here.
I'll attach my logs,

S

2. ### kritiusTS GuruPosts: 2,087

Is this the same computer?

This next step is purely optional however viewpoint is considered foistware and is not needed on your computer,

Go to Start > Run and copy/paste or type: taskmgr
• Under the Processes tab find the following tasks or processes:
ViewpointService.exe
ViewMgr.exe
• Highlight and click "End Process".
Click on Start > Run and type: services.msc
• Press "OK".
• Click the "Extended tab".
• Scroll down the list and find the service called "Viewpoint Manager Service"
• When you find the service, double-click on it.
• In the Properties Window > General Tab that opens, click the "Stop" button.
• From the drop-down menu next to "Startup Type", click on "Disabled".
• Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.

3. ### jobeardTS AmbassadorPosts: 13,979   +410

===================================================
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/Dustin/13 Feb 2003 04:30 to dustin@gotobaby.com877) 812.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: suspicious - 1 skipped
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/Customer Service/27 May 2003 18:37 from infootter Special Edition.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/Dustin/13 Feb 2003 04:30 to dustin@gotobaby.com877) 812.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/Specials/19 May 2003 05:23 from support@microsoft.com:Re: My details/your_details.pif Infected: Email-Worm.Win32.Sobig.b skipped
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst Mail MS Mail: infected - 1, suspicious - 2 skipped

these are VERY OLD and a simple delete will remove them (and the infections in your email)

just some of your infections include:
===============================
Trojan-Spy.HTML.Fraud.gen
Email-Worm.Win32.NetSky.q
Virus.Win32.Parite.b
Exploit.Win32.IMG-WMF.y

Fortunately, most of these have been quarantined

4. ### BobbyeHelper on the FringePosts: 16,392   +36

Not to tread on the help from kritius, but I recommend the following:

The following Active X Controls should be removed. You have an enormous potential for abuse by having these on your system,:

>>Real Network's bloated consortium of spy & ad apps...
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11df572b8a64c5d07b20/netzip/RdxIE601.cab

>>You should know that many have documented the the WorldWinner games site infects your computer with spyware and/or malware. It is also known to be a hackers hangout:
http://www.xomreviews.com/worldwinner.com
You have 2 Active X entries for this:
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldwinner.com/games/v42/territory/territory.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v44/bjattack/bjattack.cab

>>You should also know that the .akamai.net Domain puts out internet ads and should be added to your restricted sites. To that end, also remove:
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/KelloggCompany/Coupons.cab

>>Fun Web Products is sending them a record of every websearch you made, with your IP address:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSetup1.0.0.8.cab

>>GpcContainer Class / WebEx Communications, Inc
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB

The IP for the above if for "AdMission Corporation".

It is recommended that you remove any program associated with them:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rcec.webex.com/client/latest/support/ieatgpc.cab

5. ### BobbyeHelper on the FringePosts: 16,392   +36

jobeard, I was researching my reply while you posted. It is possible that the presence of the multiple infections you found are due to the processes I listed for recommended removal.

6. ### gtbnycTS RookieTopic StarterPosts: 21

Attached is the log from dss

Please let us know what to do next.

7. ### kritiusTS GuruPosts: 2,087

Can you attach it as a .txt file, I dont open .doc files on here.

8. ### gtbnycTS RookieTopic StarterPosts: 21

Repost DSS

Here ya go sorry about that I forgot to do the txt here is the attachment updated.

Thank you!

9. ### kritiusTS GuruPosts: 2,087

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
[kill explorer]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup
purity
[start explorer]

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Fix entries using HiJackThis
• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSet up1.0.0.8.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldwinner.com/games/.../territory.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/...k/bjattack.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/KelloggCompany/Coup ons.cab

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\MyWebSearch

After that, Reboot, and post a new HijackThis log here in a reply as well as describing how your computer is running at the minute.

10. ### gtbnycTS RookieTopic StarterPosts: 21

here you go

Ok, here you go, I really really appreciate your expert help.

The computer still seems slower than it should be, but what do you see?

Thanks.

11. ### BobbyeHelper on the FringePosts: 16,392   +36

kritius, please review the following for gtbnyc to include in the removal:

>>GpcContainer Class / WebEx Communications, Inc
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB

The IP for the above if for "AdMission Corporation".

It is recommended that you remove any program associated with them:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rcec.webex.com/client/latest...rt/ieatgpc.cab

(Found in original hijack log, still in current log) Subject to okay by kritius.

Also noticed this Event: Event ID/Source: 7034 / Service Control Manager/Event Description:
The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).. It has done this 1 time(s).

gtbnyc, check the Event viewer after the malware has been removed and see if you are still showing the Errors for AIM. You also have several other Error that will need to be resolved.

12. ### kritiusTS GuruPosts: 2,087

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
HERE

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rcec.webex.com/client/latest...rt/ieatgpc.cab
HERE

Are ok according to spywareblaster as well.

Fix entries using HiJackThis
• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

Please open the OTMoveIt2 by OldTimer
• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
[kill explorer]
C:\Program Files\Viewpoint
C:\Program Files\MyWebSearch
purity
[start explorer]

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

13. ### BobbyeHelper on the FringePosts: 16,392   +36

kritius, did you read the IP information I left for 216.249.24.142?

The IP for the above if for "AdMission Corporation".

Even though it's a legitimate service, the Privacy Policy appears to violate the standards. I guess you have to stay within a certain box. I wish I hadn't done maintenance on my system last night- I should have referenced the site I got the info, other than just the ArinWhoIs IP ID.

14. ### gtbnycTS RookieTopic StarterPosts: 21

ok here you go

HIjack this file and move it file.
Please let me know. Thanks again.

I ran the kaspersky again yesturday before these two attached files and it showed like 30 problems just fyi, I attached them as well from last night,

15. ### BobbyeHelper on the FringePosts: 16,392   +36

Is there any reason what you haven't let Norton AV remove the quarantined Trojans> It's looks like you're still getting malware!

You System Restore is also infected. But I believe the protocol here is not to drop those points off until after you're clean. But DON'T use System Restore!

You're still showing entries fro NewDotNet and MyWebSearch. So it appears you didn't do the fixes kritius gave you in Message #9 and #12. You have a gazillion logs posted and show nothing fixed!

16. ### gtbnycTS RookieTopic StarterPosts: 21

HI, I am doing everything to the letter kritius has posted. I don't know why it appears otherwise. What specifically looks like I didn't do?

Thanks!

17. ### kritiusTS GuruPosts: 2,087

C:\Program Files\Norton AntiVirus\Quarantine\<=====Delete the contents of this folder but not the folder itself
C:\Deckard\System Scanner\backup\<=====Delete the contents of this folder but not the folder itself
C:\Program Files\Trend Micro\HijackThis\backups\<=====Delete the contents of this folder but not the folder itself

These e mails are infected and need deleted.
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/Specials/19 May 2003 05:23 from support@microsoft.com:Re: My details/your_details.pif
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst MailMSMaill:

Please open the OTMoveIt2 by OldTimer
• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
[kill explorer]
C:\Program Files\MyWay
C:\Documents and Settings\Stuart Sherman\Local Settings\Temporary Internet Files\Content.IE5\LLF01DH6
C:\WINDOWS\SYSTEM32\f3PSSavr.scr
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\SbCIe0261.dll
purity
[start explorer]

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

How is the computer running?

18. ### gtbnycTS RookieTopic StarterPosts: 21

The computer is still slow and takes a long time to launch browser and things like that. I was only able to delete the files up to delete up to the Outlook1.pst
in these post, there was no further extension?

C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Inbox/Specials/19 May 2003 05:23 from support@microsoft.com:Re: My details/your_details.pif
C:\Documents and Settings\Stuart Sherman\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst MailMSMaill:

I'll attach the hijack this, what do you think/ thanks

when the computer rebooted i lost the MoveIt copy/paste to show you, my bad

19. ### kritiusTS GuruPosts: 2,087

For the outlook files, the messages can be deleted from outlook or the .pst file can be deleted, its up to you.

The HJT log is clear, apart from the O16 entries that Bobbye pointed out and if you want to delete them its your choice, the computer will not be affected in any way.

20. ### gtbnycTS RookieTopic StarterPosts: 21

update and log

Ok, thanks,
The computer seemed to boot up a little faster today, but obv. not great, but getting there.

I deleted those 016 files and ran that kaspersky scan. It still showed what's below.

Scan Statistics:
Total number of scanned objects: 92456
Number of viruses found: 24
Number of infected objects: 54
Number of suspicious objects: 6
Duration of the scan process: 02:06:15

Please let me know what you think. Thank you very much as always.

21. ### kritiusTS GuruPosts: 2,087

Your all good to go, the only infected items are in

Norton System Restore Tool,
C:\System Volume Information\_restore
C:\_OTMoveIt\MovedFiles

I dont know enough about the Norton Tool to advise what to do with it, I tend to stay away from all things Norton apart from the removal tool.

We'll take care of the other stuff now.

This one is back too,
C:\WINDOWS\NDNuninstall4_80.exe

Boot into safe mode and delete it from there.

• Double-click OTMoveIt2.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

or

Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Initialize and script ActiveX controls not marked as safe to Disable
• Change the Installation of desktop items to Prompt
• Change the Launching programs and files in an IFRAME to Prompt
• Change the Navigate sub-frames across different domains to Prompt
• When all these settings have been made, click on the OK button
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D

• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
• <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Topic Status:
Not open for further replies.