Smart Defragmenter, et al- Mbam log - Can Bobbye or someone help?

Solved
By mb2cotter
Oct 31, 2010
Topic Status:
Not open for further replies.
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay, you're clear on the MBR. What problems remain?
  2. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    I still have the interenet explorer problem described in post #17.
    Thanks
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Are you still overclocking? This isn't a malware problem. Go to Internet Options> Programs tab> Click on 'Reset Web Settings.'
  4. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    I uninstalled Prime95 a few days ago and I don't intend to reinstall it. If that's what you mean by overclocking then I guess I'm not.

    In post #16, you said, "And there will most likely be Registry entries related to the Adware.PurityScan I need to remove, so please download ComboFix from Here and save to your Desktop". As we discussed before, I was never able to run Combofix becasue I always got a BSOD during the scan. How do I tell if there are registry items that still need to be removed?

    I followed your suggestions for getting IR running, and it worked. Therefore, I was able to finally run the ESET scan. It said it found one threat. Do I need to remove it somehow since I unchecked "Remove found threats"? If so, how do I do that? Here's the ESET log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=3c46c97d54eaa847be6268f553d4f3d1
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-09 02:30:44
    # local_time=2010-11-08 07:30:44 (-0700, Mountain Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=3587 16777194 85 76 0 107331385 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=146185
    # found=1
    # cleaned=0
    # scan_time=6246
    C:\download\Nero-7.8.5.0_eng_trial.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files  
      C:\download\Nero-7.8.5.0_eng_trial.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    • ===================================
      Try Combofix again please. You ran it previously did you not?
  6. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    I ran the OTM. It asked me to reboot. After it rebooted, I got a Microsoft Windows error message that said "The system has recovered from a serious error." It listed the following error signature:

    BCCode : 24 BCP1 : 001902FE BCP2 : BA4EB254 BCP3 : BA4EAF50
    BCP4 : 88782B12 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

    It also said that the following files were included in the error report:

    C:\DOCUME~1\Mike\LOCALS~1\Temp\WERdf08.dir00\Mini103110-01.dmp
    C:\DOCUME~1\Mike\LOCALS~1\Temp\WERdf08.dir00\sysdata.xml



    Here's the OTM log:

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\download\Nero-7.8.5.0_eng_trial.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    User: Mike
    ->Temp folder emptied: 51868 bytes
    ->Temporary Internet Files folder emptied: 12246706 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 589 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 213746 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 12.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 11092010_164923

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_7d4.dat not found!
  7. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    In the previous post I posted the OTM log and some other info. Also, the combofix finally ran this time with out a BSOD. That's the first time it's completed successfully. Here's the log:

    ComboFix 10-11-09.01 - Mike 11/09/2010 17:06:21.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1470 [GMT -7:00]
    Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
    AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
    .

    2010-11-01 00:34 . 2010-11-01 00:34 -------- d--h--w- c:\windows\PIF
    2010-10-31 03:39 . 2010-10-31 03:39 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
    2010-10-31 03:39 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-31 03:39 . 2010-10-31 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-31 03:39 . 2010-10-31 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-31 03:39 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-30 22:49 . 2010-10-30 22:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-10-30 22:49 . 2010-10-30 22:49 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-30 22:49 . 2010-10-30 22:49 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-30 22:49 . 2010-10-30 22:49 -------- d-----w- c:\program files\Symantec
    2010-10-30 22:48 . 2010-10-30 22:48 -------- d-----w- c:\windows\system32\drivers\NAV
    2010-10-30 22:48 . 2010-10-30 22:48 -------- d-----w- c:\program files\Norton AntiVirus
    2010-10-30 22:48 . 2010-10-30 22:48 -------- d-----w- c:\program files\Windows Sidebar
    2010-10-30 22:14 . 2010-10-30 22:14 -------- d-----w- c:\program files\NortonInstaller
    2010-10-30 21:07 . 2010-10-30 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-10-28 14:42 . 2006-09-06 02:08 16896 ----a-w- c:\windows\system32\grwinsthlp.exe
    2010-10-28 01:53 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-28 01:53 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-28 01:53 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-28 01:52 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-06 15:32 . 2010-02-11 01:46 81920 ----a-w- c:\windows\system32\wxcode_msw28u_wxjson_CW.dll
    2010-11-06 15:32 . 2010-02-11 01:46 1073152 ----a-w- c:\windows\system32\wxcode_msw28u_wxcurl_CW.dll
    2010-11-06 15:32 . 2010-02-11 01:46 975872 ----a-w- c:\windows\system32\libxml2_CW.dll
    2010-11-06 15:32 . 2010-02-11 01:46 151552 ----a-w- c:\windows\system32\libexpat.dll
    2010-11-06 15:32 . 2010-02-11 01:46 720384 ----a-w- c:\windows\system32\cwalsp.dll
    2010-11-06 15:32 . 2010-02-11 01:46 1884160 ----a-w- c:\windows\system32\AltaRecovery.exe
    2010-10-02 00:06 . 2010-10-02 00:06 1409 ----a-w- c:\windows\QTFont.for
    2010-09-26 01:43 . 2006-09-03 23:54 60416 ----a-w- c:\windows\system32\rbap350.dll
    2010-09-18 18:23 . 2005-08-16 09:18 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2005-08-16 09:18 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2005-08-16 09:18 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2005-08-16 09:18 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2005-08-16 09:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2005-08-16 09:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51 . 2005-08-16 09:18 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2005-08-16 09:18 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2005-08-16 09:18 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2005-08-16 09:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2005-08-16 09:18 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-22 00:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2005-08-16 09:18 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2005-08-16 09:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
    2010-01-04 18:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
    2010-01-04 18:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
    "cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2010-11-06 353088]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 443968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
    backup=c:\windows\pss\Image Transfer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2006-06-01 19:32 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
    2007-11-13 21:46 135168 ----a-w- c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
    2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
    2007-03-16 01:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2007-06-28 15:14 270648 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2006-07-30 02:34 5354792 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 22:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-04-27 15:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2007-06-22 19:20 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2006-08-23 16:24 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    2006-07-05 14:29 4538368 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\wdisplay\\ftpupd.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Chessmaster 8000\\Chessmaster.exe"=
    "c:\\Program Files\\Actiontec\\BroadBand\\gwconfig.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msncall.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1201000.025\SymDS.sys [10/30/2010 3:49 PM 339504]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1201000.025\SymEFA.sys [10/30/2010 3:49 PM 666672]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [8/31/2010 3:57 PM 692272]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1201000.025\Ironx86.sys [10/30/2010 3:49 PM 134704]
    R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2/10/2010 6:46 PM 2109440]
    R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe [10/30/2010 3:49 PM 126904]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/15/2009 6:56 PM 24652]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/30/2010 3:50 PM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20101028.001\IDSXpx86.sys [10/19/2010 1:36 PM 341880]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 1:36 PM 135664]
    S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [7/13/2007 4:52 PM 29522]
    S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [12/28/2006 4:23 PM 727908]
    S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [12/28/2006 4:23 PM 44928]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 19:42]

    2010-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 20:35]

    2010-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 20:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.erieskies.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    LSP: c:\windows\system32\cwalsp.dll
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: mylabbill.com\www
    Trusted Zone: remititonline.com
    Trusted Zone: turbotax.com
    TCP: {69C47182-A893-484C-B37A-A189215F0D6E} = 205.171.3.65,205.171.2.65
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    HKCU-Run-Start WingMan Profiler - (no file)
    HKLM-Run-NWEReboot - (no file)
    AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
    AddRemove-Move Networks Player_is1 - c:\documents and settings\Mike\Application Data\Move Networks\ie_bin\unins000.exe
    AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
    AddRemove-{F7D85304-98CF-4A30-A380-B6C59D15E58F} - c:\program files\InstallShield Installation Information\{F7D85304-98CF-4A30-A380-B6C59D15E58F}\setup.exe
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Mike\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-09 17:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.1.0.37\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(816)
    c:\windows\system32\cwalsp.dll
    c:\windows\system32\wxbase28u_vc_CW.dll
    .
    Completion time: 2010-11-09 17:17:56
    ComboFix-quarantined-files.txt 2010-11-10 00:17

    Pre-Run: 197,905,342,464 bytes free
    Post-Run: 197,859,246,080 bytes free

    - - End Of File - - 2CFCD9735429F0641AA4C632BA9DC6C1
  8. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    Should I be concerned about the error in post #31? Also, do post #31 and 32 look like all the viruseseses are gone?

    thanks
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    OTMovIt appears to have run successfully. Unless you continue to experience unexplained crahes, I wouldn't be concerned. Combofix look good- no sign of anything there. I'd like you to run HijackThis just to make sure there are no bad entries left:

    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    If the HJT logs is okay, I'll have to remove the ceaning tools. If you have any of the original problems, now would be the time to let me know- but you shouldn't!.
  10. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:40:18 PM, on 11/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Actiontec\BroadBand\gwconfig.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAdvisor.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erieskies.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\IPSBHO.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/29.51/uploader2.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.21.13/ttinst.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{69C47182-A893-484C-B37A-A189215F0D6E}: NameServer = 205.171.3.65,205.171.2.65
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 11830 bytes
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please open HijackThis to 'do system scan only.' Check each of the following if present:

    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    023 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Close all Widows except HijackThis and click on "Fix Checked"

    Completely uninstall Viewpoint:
    Viewpoint installs itself with various other programs such as AOL ©, AOL © Instant Messenger, Netscape, certain Adobe applications, and other programs on the web that require the media player to show their content.

    How to Remove Viewpoint Media Player, Toolbar, or Manager

    1) Right-click on the clock in your taskbar and choose Task Manager
    2) Click on the Processes tab and search for VIEWMGR.EXE, if its found, click on it and then click End Task to close it
    3) Click on Start, Control Panel, Add/Remove Programs
    4) Uninstall any of the following programs associated with Viewpoint
    • Viewpoint Manager
    • Viewpoint Media Player
    • Viewpoint Toolbar
      5) Close the Add/Remove Programs and Control Panel
      6) Restart your computer

      Click on Start> Run> type in services.msc double click on the Viewpoint Manager Service> Change the Startup type to Disabled> Stop the Service.

      Warning: If you install AOL © Instant Messenger, Adobe Atmosphere plugin, or another program that requires Viewpoint, it will download and install again.
  12. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    I did all of the above. However, when I type in services,msc, I get a message saying that windows can't find services,msc. I looked in startup and services under msconfig and I don't see anyhting labeled "Viewpoint". I don't know if that's the smae thing, though.

    Out of curiosity, why did we delete the R1 registry setting above? Was that something that was added by a virus?

    Thanks for the help.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please accept my apology- I put in a comma instead of a period. First time I've done that.

    The correct command (which I am going to fix in my reply) should have been services.msc

    I had you remove the R1 HJT entry because of the port listed:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370

    Yes, it was for the redirect. If you do a search for the port number, you will find this is common in the redirects.

    Regarding Viewpoint: Here the full removal:
    This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player: To can have HJT remove the Service entry, then when HijackThis has finished, you can continue with the Viewpoint removal.

    To remove, find and remove Viewpoint Media Player

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Click on Start > Run and type: services.msc> OK
    • Click the "Extended tab".
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    • Click on Start > Settings > Control Panel >Add/Remove Programs
    • Highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist: Open Windows Explorer> Programs:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder
    Exit Explorer.
     
  14. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    Thanks for the info. I did everything you listed, and I could not find any more Viewpoint listings anywhere, including under services.msc, both in and out of safe mode.

    Should I remove all of the antivirus programs that you asked me to download?

    Thanks.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're welcome. Viewpoint isn't malware. We object to it because it is put on the systenen without your knowledge or permission. It's called foistware.'

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    If there are any of the programs left, remove in Add/Rmove Programs and any left over logs. The only AV program was the Eset online scanner. You can remove that in Inetenet Explorer> Tools> Manage Addons> Disaable Nod32 here.

    Let me know if there are any more questions.
  16. mb2cotter

    mb2cotter Newcomer, in training Topic Starter Posts: 49

    I guess that's it. Thank you for all of your help. I appreciate it.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're welcome. Here's are some tips for you:

    Tips for added security and safer browsing:
    Note: Some of these prgrams may not work on Windows 7 or a 64bit OS.
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software(only one):Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. this replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is not longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is Up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.