Author Topic: help with virus? (Read 30460 times)

wshwind · « **Reply #30 on:** February 23, 2008, 06:21:08 PM »

Ok Thanks.... Here's what I got

oldman · « **Reply #31 on:** February 23, 2008, 06:37:35 PM »

some more to clean. Are things improving on your end?

Open HJT, run a system scan only, check mark these lines if present

O21 - SSODL: KbdPrx - {01ad806b-3219-4aa4-be5e-39c18911e809} - C:\WINDOWS\Installer\{01ad806b-3219-4aa4-be5e-39c18911e809}\KbdPrx.dll (file missing)
O21 - SSODL: DrvMon - {65aa727e-edd2-4396-966d-3a05112b739f} - C:\WINDOWS\Installer\{65aa727e-edd2-4396-966d-3a05112b739f}\DrvMon.dll (file missing)
O21 - SSODL: AvpPrx - {ac30c57f-c8fb-48f5-93fd-c9a6577e64f8} - C:\WINDOWS\Installer\{ac30c57f-c8fb-48f5-93fd-c9a6577e64f8}\AvpPrx.dll (file missing)
O21 - SSODL: VolumeRam - {1d35c5dd-9f8f-49a2-8c04-4db84357e10d} - C:\WINDOWS\Installer\{1d35c5dd-9f8f-49a2-8c04-4db84357e10d}\VolumeRam.dll (file missing)
O21 - SSODL: zip - {b1240015-2f58-49bc-9a93-0ef9ffec7ee9} - C:\WINDOWS\Installer\{b1240015-2f58-49bc-9a93-0ef9ffec7ee9}\zip.dll (file missing)
O21 - SSODL: SrvAlrt - {abb85924-42b2-45a1-99d7-6776e8051568} - C:\WINDOWS\Installer\{abb85924-42b2-45a1-99d7-6776e8051568}\SrvAlrt.dll (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Quote

File::
C:\Program Files\tmp46265.exe
C:\Program Files\tmp48125.exe
C:\Program Files\tmp48703.exe
C:\Program Files\tmp48687.exe
C:\Program Files\tmp532265.exe
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msfw.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\WINDOWS\System32\credu.dll

Folder::
C:\Program Files\toawbhfc

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

wshwind · « **Reply #32 on:** February 24, 2008, 08:09:50 AM »

Hi there,
Yes things are alot better. No more "bad image" pop-up windows, no more display altered by virus warnings and so far no more redirects when going to a site. I will go through the rest first thing in the morning.

oldman · « **Reply #33 on:** February 24, 2008, 08:12:11 AM »

Good, please post back when you are done.

wshwind · « **Reply #34 on:** February 24, 2008, 05:32:48 PM »

Hi There,
Here's the hjk log

wshwind · « **Reply #35 on:** February 24, 2008, 05:33:22 PM »

and here's the combo fix log

wshwind · « **Reply #36 on:** February 24, 2008, 05:37:57 PM »

Hi
I have a question. I keep getting a window asking me if I want to keep blocking BackWeb-137903.exe. I am unsure if I should be blocking or not.

oldman · « **Reply #37 on:** February 24, 2008, 05:45:43 PM »

Yes, keep blocking it, we will remove it. Is it a firewall that's blocking it?

Give me a bit to check the logs.

oldman · « **Reply #38 on:** February 24, 2008, 06:31:55 PM »

This is looking good, just a little more.

The file in question is from HP, but it is concidered adaware, and usually removed. It doesn't effect the operation of the HP product and this thing does use some resources.

This is from Castlecops

"Based upon HP's own description from here - "With the My HP Center, consumers have access directly from the desktop to Internet sites featuring special offers for HP customers ranging from personal finance and shopping to digital imaging and music" I have classified this as adware."

If you want to keep it do not do the HJT fix and remove this from the combofix fix before running it.
File::
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

Please run the combofix, though, it will give us a look at a couple of folders.

Open HJT, run a system scan only, check mark these lines if present

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Quote

File::
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

DirLook::
C:\WINDOWS\SYSTEM32\bak
C:\WINDOWS\SYSTEM\bak

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt

Also you have this

Viewpoint Manager Service

not really harmfull, considered foistware (something you didn't install). It will install with Aol. Let me know.

Thanks

wshwind · « **Reply #39 on:** February 25, 2008, 04:45:31 AM »

Hi there,

I fixed the back web, attached logs following.
Question... Why is the mcafee still showing up with files missing? I tried the removal tool ect. I thought it was finally gone. Also Viewpoint, can I remove it the same way as all the rest? hijack, check box, click fix.
i really don't believe I need it.
I have looked up what I can about Avast. Will the free downloads for the avast be enough? can I keep it with spybot,avg ect.?
Did I also tell you that you are absolutely wonderful for assisting me with this.

I am grateful there are kind souls that still believe in helping another person in need.

wshwind · « **Reply #40 on:** February 25, 2008, 04:46:19 AM »

and hijack

wshwind · « **Reply #41 on:** February 25, 2008, 04:51:04 AM »

When I remove viewpoint, can I also remove C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe?
I am not to sure about this product. I would rather go with Avast if possible and remove all other anti virus programs.

Thanks again

oldman · « **Reply #42 on:** February 25, 2008, 04:55:20 AM »

Hi here are the instructions for viewpoint, it has to be uninstalled first.

Just scroll down.

http://www.pchell.com/support/viewpoint.shtml

I'll check your logs while you are doing the viewpoint.

Files\Authentium\AntiVirus\dvpapi.exe

That's your anti virus program, let's clean up the rest and look at uninstalling it so you can use avast.

oldman · « **Reply #43 on:** February 25, 2008, 05:14:26 AM »

We've got a bit more to do.

Please download FindAWF and save it to your desktop

* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
* When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

For mcafee, the service is still running, so

open HJT checkmark these lines

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)

click fix, close HJT

Next click start button, click run, and copy and paste these lines, one at a time into the run box, hitting enter after each one

sc stop McShield
sc delete McShield
sc stop MCVSRte
sc delete MCVSRte

Thanks for the kind words. There are a lot of helpers out there, unfortunately, there are more bugs and the helpers get spread pretty thin on all forums. We appreciate the understanding and paitence when the help seems slow.

Please forgive me, but I must as, if nesseccary, how are you at manually deleting and moving files? Just in case we have to.

Please submit these files for analysis

To submit a file to virustoal, please click om this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\SYSTEM\bak\hpsysdrv.DAT
C:\WINDOWS\SYSTEM\hpsysdrv.DAT

scroll down a bit and click "send file", wait for the results and post then in your next reply.

wshwind · « **Reply #44 on:** February 28, 2008, 04:12:51 PM »

Ok here are the logfiles.... As for manually deleting and moving files, I don't see it being a big issue. I am a quick learner and have been self teaching myself on computers.. but basically so far I have been fooling around with css,javascript,xml,html ect....tcp/ip...basic maintenance... and now learning my way around bugs. lol always had a knack for puzzles.

Author Topic: help with virus? (Read 30460 times)

wshwind

Re: help with virus?

oldman

Re: help with virus?

wshwind

Re: help with virus?

oldman

Re: help with virus?

wshwind

Re: help with virus?

wshwind

Re: help with virus?

wshwind

Re: help with virus?

oldman

Re: help with virus?

oldman

Re: help with virus?

wshwind

Re: help with virus?

wshwind

Re: help with virus?

wshwind

Re: help with virus?

oldman

Re: help with virus?

oldman

Re: help with virus?

wshwind

Re: help with virus?