Impostor file aolsoftware.exe


7 replies to this topic

#1 ARMcKay


Posted 11 April 2014 - 05:16 PM

Greetings -

I am helping a friend with a computer that appears to be infected. The friend was complaining that the AOL 9.7 software, running on Windows Vista, was not displaying e-mail in the inbox, and the favorites bookmarks have disappeared. I suspected a corrupted file - but upon using the system I discovered that the AOL software would self-start more than one instance without being prompted. A file window would open and close very quickly stating a file was being recycled. Also, when first logging on, a message would appear that a file was corrupted and AOL would be attempting to repair the file. This would fail, however, and then reasonably normal browsing and usage was possible after that, save for the additional self starting instances of the AOL software.

I did find a file aolsoftware.exe in the system32 folder. I have found evidence through online searches that that is likely a bad file. Attempts to delete it only cause it to regenerate. Upon discovering that, I did uninstall and reinstall the AOL 9.7 software. That seemed to restore the e-mail inbox to normal functioning. The favorites bookmarks are still gone - doubtful those will be recovered, but that is not critical.

I do not believe I have fixed everything yet. I suspect there is something deeper going on and I did update and run a full scan using MBAM. It did not show anything - but I am thinking rootkit. Can you help me scan this system more thoroughly and see if we can find a culprit lurking in here?





#2 noknojon


Posted 12 April 2014 - 04:31 AM

Also, when first logging on, a message would appear that a file was corrupted and AOL would be attempting to repair the file.

Hello -

This line above seems to say that AOL files are corrupted, as there is no other reason for AOL to fix them.

HELP A-Z and CONTACT AOL are listed on their web site.

 

One item that is only assumed, and not stated, is that AOL is the ISP for that computer?

 

 

Run System File Check from an Elevated Command Prompt
1. Open Elevated Command Prompt as per directions
2. Type sfc /scannow and press Enter (note the space between c and / as it must be there)
3. This should not take longer than 20 minutes to finish
4. NOTE: Do not touch the keyboard while this is running.

There is not a direct log, but tell me if you notice any errors found.

 

 

Download Screen317 Security Check and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

 

Please download MiniToolBox to desktop and run it.
Checkmark the following boxes:

* List content of Hosts
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)

 

 

Please post a snapshot with Speccy for more system details -
How to Publish a snapshot with Speccy <<-- Full Directions (only post the link)

 

 

Please download and run RKill by Grinler.

A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

At most the tool will run for about 2 minutes

Copy and Paste the log back here

 

 

Important: Do not reboot your computer until you complete the next step.

 

Next -

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile ( AdwCleaner[R0].txt) will open in Notepad for review.
* Now : Click on the Clean button (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report ( AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

You said that Malwarebytes Anti-Malware was already installed.

Please scan and post a log from the tool.

 

 



#3 ARMcKay


Posted 14 April 2014 - 06:22 AM

Thank you for the instructions. The computer I am helping with is at another residence, so I will need time to execute these tasks. I did speak with the user yesterday and inexplicably, the favorites bookmarks have been restored. No idea how that happened, but pleased that it did.

 

The ISP is Comcast, not AOL.

 

I was able to talk the user through the first step, System File Check. I will get to the PC in person and perform the rest of the assignments and report back.



#4 noknojon


Posted 14 April 2014 - 07:30 AM

The friend was complaining that the AOL 9.7 software, running on Windows Vista, was not displaying e-mail in the inbox

Is AOL a "Once used" ISP, as the AOL software is related to having an account with them?

AOL 9.7 software must have been installed from the site when the operator was with AOL. I see no other reason for it being there?

 

It seems they have retained an email account from when they were customers with AOL.

Unless you can offer another reason for the way the programs are installed?

 

Thanks for updating the topic for us -



#5 ARMcKay


Posted 15 April 2014 - 12:29 PM

It is true, the AOL software is no longer necessary, but it is used for access to e-mail addresses still used, and a few other things the user prefers to retain the software for. While I am not a fan of the software myself, I do the same thing at home.

This user wishes to retain the AOL software.

 

Here is the balance of the logs requested:

 

Security Check:

Results of screen317's Security Check version 0.99.81  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Norton Security Suite   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
  Adobe Flash Player     11.8.800.94 Flash Player out of Date!  
 Adobe Reader 10.1.9 Adobe Reader out of Date!  
 Google Chrome 33.0.1750.154  
 Google Chrome 34.0.1847.116  
 Google Chrome plugins...  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 

Mini Toolbox:

 

MiniToolBox by Farbar  Version: 23-01-2014
Ran by Rosemary (administrator) on 14-04-2014 at 16:59:48
Running from "C:\Users\Rosemary\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1       localhost


========================= Event log errors: ===============================

Application errors:
==================
Error: (04/13/2014 03:32:24 AM) (Source: Application Error) (User: )
Description: Faulting application aolbrowser.exe, version 0.4.41.1, time stamp 0x52f5b532, faulting module aolbrowser.exe, version 0.4.41.1, time stamp 0x52f5b532, exception code 0xc0000005, fault offset 0x00012c2c,
process id 0x124, application start time 0xaolbrowser.exe0.

Error: (04/12/2014 06:02:32 PM) (Source: Application Error) (User: )
Description: Faulting application aolbrowser.exe, version 0.4.41.1, time stamp 0x52f5b532, faulting module MSVCR90.dll, version 9.0.30729.4148, time stamp 0x4a594c79, exception code 0xc0000417, fault offset 0x0006ccb5,
process id 0x161c, application start time 0xaolbrowser.exe0.

Error: (04/11/2014 11:20:34 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {f3e45327-1f8e-4331-9317-7522fd09831b}

Error: (04/10/2014 02:26:42 PM) (Source: Application Error) (User: )
Description: Faulting application aolbrowser.exe, version 0.4.41.1, time stamp 0x52f5b532, faulting module libcef.dll, version 1.1180.705.0, time stamp 0x52685b32, exception code 0xc0000417, fault offset 0x0001f7a7,
process id 0x1228, application start time 0xaolbrowser.exe0.

Error: (04/09/2014 00:04:04 AM) (Source: Application Error) (User: )
Description: Faulting application hpqscnvw.exe, version 9.0.0.108, time stamp 0x45f50292, faulting module hpotiop4.dll, version 90.0.146.0, time stamp 0x45f4efe6, exception code 0xc0000005, fault offset 0x0001e7e9,
process id 0x894, application start time 0xhpqscnvw.exe0.

Error: (04/08/2014 07:36:49 PM) (Source: Application Error) (User: )
Description: Faulting application aolbrowser.exe, version 0.4.41.1, time stamp 0x52f5b532, faulting module libcef.dll, version 1.1180.705.0, time stamp 0x52685b32, exception code 0xc0000005, fault offset 0x00c9f785,
process id 0x1474, application start time 0xaolbrowser.exe0.

Error: (04/08/2014 01:40:41 PM) (Source: Application Error) (User: )
Description: Faulting application aolbrowser.exe, version 0.4.41.1, time stamp 0x52f5b532, faulting module ntdll.dll, version 6.0.6002.18881, time stamp 0x51da3e27, exception code 0xc0000005, fault offset 0x00066609,
process id 0x13c0, application start time 0xaolbrowser.exe0.

Error: (04/03/2014 09:40:09 PM) (Source: Application Hang) (User: )
Description: The program waol.exe version 9.7.0.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 17b4
Start Time: 01cf4f6f5e6eac7d
Termination Time: 318

Error: (04/01/2014 02:48:21 PM) (Source: Application Hang) (User: )
Description: The program waol.exe version 9.7.0.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 11f4
Start Time: 01cf4de30f683ba5
Termination Time: 16

Error: (04/01/2014 02:46:12 PM) (Source: Application Hang) (User: )
Description: The program waol.exe version 9.7.0.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 76c
Start Time: 01cf4de2a5ab2425
Termination Time: 8


System errors:
=============
Error: (04/10/2014 11:44:40 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.143 for the Network Card with network address 001AA09D8D24 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (04/10/2014 11:37:47 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.148 for the Network Card with network address 001AA09D8D24 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (04/10/2014 11:36:40 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.104 for the Network Card with network address 001AA09D8D24 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (04/10/2014 09:16:20 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.100 for the Network Card with network address 001AA09D8D24 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (04/09/2014 00:39:16 PM) (Source: Service Control Manager) (User: )
Description: 30000Netman

Error: (04/09/2014 03:38:46 AM) (Source: Service Control Manager) (User: )
Description: HP CUE DeviceDiscovery Service

Error: (04/09/2014 03:37:22 AM) (Source: Service Control Manager) (User: )
Description: SupportSoft Sprocket Service (dellsupportcenter)%%2

Error: (04/09/2014 03:05:46 AM) (Source: Service Control Manager) (User: )
Description: Windows Search%%1053

Error: (04/09/2014 03:05:46 AM) (Source: Service Control Manager) (User: )
Description: 30000Windows Search

Error: (04/09/2014 03:05:46 AM) (Source: Service Control Manager) (User: )
Description: Windows Search%%1053


Microsoft Office Sessions:
=========================
Error: (09/29/2012 07:30:37 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 13, Application Name: Microsoft Office OneNote, Application Version: 12.0.6606.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 1 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (03/04/2009 00:34:32 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 16 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (02/07/2009 04:08:17 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 212 seconds with 180 seconds of active time.  This session ended with a crash.

Error: (05/13/2008 10:06:49 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 79429 seconds with 360 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2014-04-10 00:37:20.038
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:37:19.820
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:37:19.586
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:37:19.368
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:37:19.134
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:37:18.900
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6000.16386_none_32a3e3ecf533e7fe\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:34:52.774
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:34:52.540
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:34:52.291
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-10 00:34:52.057
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\fveapi.dll because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

 Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer (Version: 7.1.8)
Adobe Flash Player 11 ActiveX (Version: 11.5.502.135)
Adobe Flash Player 11 Plugin (Version: 11.8.800.94)
Adobe Reader X (10.1.9) (Version: 10.1.9)
AIO_Scan (Version: 90.0.200.000)
AOL Install (Version: 1.0.0)
AOL Messaging Toolbar
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support (Version: 1.1.4.7)
Apple Software Update (Version: 2.1.0.110)
Bonjour (Version: 1.0.104)
BufferChm (Version: 90.0.146.000)
C4200 (Version: 90.0.200.000)
C4200_doccd (Version: 90.0.200.000)
c4200_Help (Version: 90.0.200.000)
Catalina Savings Printer (Version: 1.0.0)
CCleaner (Version: 4.04)
Cisco Connect (Version: 1.4.11200.0)
Conexant D850 PCI V.92 Modem
Copy (Version: 90.0.146.000)
Coupon Printer for Windows (Version: 4.0)
Coupon Printer for Windows (Version: 5.0.0.3)
Create and Print Plugin 4.0.8045 (Version: 4.0.8045)
CustomerResearchQFolder (Version: 1.00.0000)
Dell DataSafe Online (Version: 1.0.15)
Dell Getting Started Guide (Version: 1.00.0000)
Destination Component (Version: 090.000.091.086)
DeviceDiscovery (Version: 110.0.180.000)
DeviceManagementQFolder (Version: 1.00.0000)
DHTML Editing Component (Version: 6.02.0001)
Digital Line Detect (Version: 1.21)
DocProc (Version: 9.0.0.0)
DocProcQFolder (Version: 1.00.0000)
EarthLink Setup Files (Version: 2005.2.178.0.2.2)
eSupportQFolder (Version: 1.00.0000)
Google Chrome (Version: 34.0.1847.116)
Google Desktop (Version: 5.9.1005.12335)
Google Toolbar for Internet Explorer
Google Update Helper (Version: 1.3.23.9)
HP Customer Participation Program 9.0 (Version: 9.0)
HP Imaging Device Functions 9.0 (Version: 9.0)
HP OCR Software 9.0 (Version: 9.0)
HP Photosmart All-In-One Software 9.0 (Version: 9.0)
HP Photosmart Essential 2.01 (Version: 2.01)
HP Photosmart Essential2.01 (Version: 1.01.0000)
HP Product Assistant (Version: 100.000.001.000)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 9.0 (Version: 9.0)
HP Update (Version: 5.003.001.001)
HPDiagnosticAlert (Version: 1.00.0000)
HPProductAssistant (Version: 90.0.146.000)
HPSSupply (Version: 2.2.0.0000)
Intel® PRO Network Connections 12.1.11.0 (Version: )
Internet Service Offers Launcher (Version: 1.00.0000)
iTunes (Version: 7.6.2.9)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
MarketResearch (Version: 90.0.146.000)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft IntelliPoint 6.2 (Version: 6.20.182.0)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Outlook Web Access S/MIME (Version: 6.5.7638.1)
Microsoft VC9 runtime libraries (Version: 1.0.0)
Microsoft VC9 runtime libraries (Version: 2.0.0)
Modem Diagnostic Tool (Version: 1.0.17.8)
Move Media Player
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Music, Photos & Videos Launcher (Version: 1.00.0000)
NetWaiting (Version: 2.5.44)
Norton Security Suite (Version: 21.2.0.38)
NVIDIA Drivers
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Product Documentation Launcher (Version: 1.00.0000)
PS_AIO_ProductContext (Version: 90.0.200.000)
PS_AIO_Software (Version: 90.0.200.000)
PS_AIO_Software_min (Version: 90.0.200.000)
PSSWCORE (Version: 2.01.0000)
QuickTime (Version: 7.4.5.67)
Realtek High Definition Audio Driver
Revo Uninstaller 1.94 (Version: 1.94)
Roxio Creator Audio (Version: 3.3.0)
Roxio Creator BDAV Plugin (Version: 3.3.0)
Roxio Creator Copy (Version: 3.3.0)
Roxio Creator Data (Version: 3.3.0)
Roxio Creator DE (Version: 3.3.0)
Roxio Creator Tools (Version: 3.3.0)
Roxio Express Labeler (Version: 2.1.0)
Roxio MyDVD DE (Version: 9.0.116)
Roxio Update Manager (Version: 3.0.0)
RTC Client API v1.2 (Version: 1.2.0000)
Scan (Version: 9.0.0.0)
SmartWebPrinting (Version: 140.0.186.000)
SolutionCenter (Version: 90.0.146.000)
Sonic Activation Module (Version: 1.0)
Status (Version: 110.0.180.000)
Toolbox (Version: 90.0.146.000)
TrayApp (Version: 110.0.180.000)
UnloadSupport (Version: 9.0.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
User's Guides
VideoToolkit01 (Version: 90.0.146.000)
Viewpoint Media Player
WebReg (Version: 90.0.146.000)
Windows Mobile Device Center (Version: 6.1.6965.0)
Windows Mobile Device Center Driver Update (Version: 6.1.6965.0)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 54%
Total physical RAM: 3069.45 MB
Available physical RAM: 1397.09 MB
Total Pagefile: 6367.93 MB
Available Pagefile: 4286.4 MB
Total Virtual: 2047.88 MB
Available Virtual: 1960.34 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:455.71 GB) (Free:330.02 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.58 GB) NTFS
5 Drive g: (UUI) (Removable) (Total:14.59 GB) (Free:13.29 GB) FAT32

========================= Users: ========================================

User accounts for \\ROSEMARY-PC

Administrator            Guest                    Rosemary                 


**** End of log ****
 

Speccy Link:

http://speccy.piriform.com/results/GxlqvfLVYJVB7yDlgqVb28i

 

RKill:

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/14/2014 05:05:03 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!

  * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!


Performing miscellaneous checks:

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 04/14/2014 05:06:42 PM
Execution time: 0 hours(s), 1 minute(s), and 38 seconds(s)
 

AdwCleaner Scan:

 

# AdwCleaner v3.023 - Report created 14/04/2014 at 17:10:22
# Updated 01/04/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Rosemary - ROSEMARY-PC
# Running from : C:\Users\Rosemary\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AOL Toolbar
Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Program Files\AOL Toolbar
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Users\Rosemary\AppData\Local\AOL Toolbar
Folder Deleted : C:\Users\Rosemary\AppData\Local\PackageAware

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\Uniblue
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16545


-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\Rosemary\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2391 octets] - [14/04/2014 17:08:06]
AdwCleaner[S0].txt - [2374 octets] - [14/04/2014 17:10:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2434 octets] ##########
 

AdwCleaner Result:

 

# AdwCleaner v3.023 - Report created 14/04/2014 at 17:08:06
# Updated 01/04/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Rosemary - ROSEMARY-PC
# Running from : C:\Users\Rosemary\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found C:\Program Files\AOL Toolbar
Folder Found C:\Program Files\Viewpoint
Folder Found C:\ProgramData\AOL Toolbar
Folder Found C:\ProgramData\Viewpoint
Folder Found C:\Users\Rosemary\AppData\Local\AOL Toolbar
Folder Found C:\Users\Rosemary\AppData\Local\PackageAware

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\Uniblue
Key Found : HKLM\Software\Viewpoint

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16545


-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\Rosemary\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2251 octets] - [14/04/2014 17:08:06]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2311 octets] ##########

MBAM scan from 4/9/14:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.04.06.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Rosemary :: ROSEMARY-PC [administrator]

4/9/2014 10:51:18 PM
mbam-log-2014-04-09 (22-51-18).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 410670
Time elapsed: 1 hour(s), 46 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
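For anyone triaging reports like the AdwCleaner one above, here is an added Python example (not from the thread, and not AdwCleaner's own code) that parses the v3 report layout into its sections and tallies what was flagged; the sample report inside it is constructed to mirror that layout, and the temp-file path in it is invented.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the AdwCleaner v3 report layout posted in the thread
# (section banners, "Folder Found ", "Key Found : "); the temp-file path is invented.
SAMPLE_REPORT = """\
# AdwCleaner v3.023 - Report created 14/04/2014 at 17:08:06

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\\Program Files\\AOL Toolbar
Folder Found C:\\ProgramData\\Viewpoint
File Found C:\\Users\\Example\\AppData\\Local\\Temp\\example.tmp

***** [ Registry ] *****

Key Found : HKCU\\Software\\IM
Key Found : HKLM\\SOFTWARE\\Classes\\protector_dll.protectorbho
Key Found : HKLM\\Software\\Viewpoint
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# "Folder Found <path>" and "Key Found : <key>" share one shape apart from the colon
FINDING_RE = re.compile(r"^(Folder|File|Key|Value|Service) (Found|Deleted) ?:? ?(.+)$")


def parse_adwcleaner(report: str) -> dict:
    """Group every Found/Deleted line under the section banner above it."""
    sections = defaultdict(list)
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
            continue
        if current and (m := FINDING_RE.match(line)):
            kind, action, target = m.groups()
            sections[current].append({"kind": kind, "action": action, "target": target})
    return dict(sections)


def summarize(report: str) -> dict:
    """Per-section counts plus registry hits split by hive (HKCU per-user vs HKLM machine-wide)."""
    parsed = parse_adwcleaner(report)
    counts = {name: len(items) for name, items in parsed.items()}
    hives = defaultdict(int)
    for item in parsed.get("Registry", []):
        hives[item["target"].split("\\", 1)[0].upper()] += 1
    return {"counts": counts, "registry_by_hive": dict(hives)}
```

Sections with no findings (like Services above) are simply absent from the counts, which makes a mostly empty report easy to spot.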

#6 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:12 AM

Posted 15 April 2014 - 04:46 PM

Hi -

From those logs, you have cleaned the computer out, but there was almost nothing in the way of infections.

Parts of the AOL Tool Bar were removed in the clean-up, but you can Google and reinstall if you wish.

There is now a new version of Malwarebytes Anti-Malware (V2.0.1). This passes V1.75.0.1300.

If you wish to re-scan, you should remove the old version first => MBAM Clean Instructions

* Download Malwarebytes Anti-Malware Free and save it to your desktop
* Double click the desktop icon, click Run, then OK
* Click Next
* Select I accept the agreement then continue to click Next then finally click Install
** Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
* If you are notified the Database is out of date click Update Now
* Click Scan Now >>

----------

** Note: If Malwarebytes will not launch please do the following to launch Malwarebytes Chameleon:
* Click Start (Start, Search, All files and folders for Windows XP) then type mbam
* Double click one of the four following files (if one does not work try the next one, and so on) -

A black command window will open. Follow those instructions until the Malwarebytes program starts the scan

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com
----------

** When completed click the down arrow on Export Log and select Text file (*.txt)
* Save the file to your desktop as MBAM
* Click Apply Actions then restart your computer if requested
* Copy and paste the contents of MBAM.txt in your reply

Clear Cache / Temp Files

Download TFC by OldTimer to your desktop
• Please double-click TFC.exe to run it.
• For Vista, Win 7 / 8 right-click on the file and choose Run As Administrator.
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process.
• Once it's finished it may reboot your machine.
• If it does not, please manually reboot the machine yourself to ensure a complete clean.



#7 ARMcKay

  • Topic Starter
  • Members
  • 35 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 17 April 2014 - 05:59 PM

MBAM.txt:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/17/2014
Scan Time: 5:47:33 PM
Logfile: MBAM.txt
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.04.17.07
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Rosemary
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 237024
Time Elapsed: 10 min, 40 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
TDC ran normally.
 
Looks like we are clean?


#8 noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:12 AM

Posted 17 April 2014 - 06:43 PM

No problem.

Just see how it operates for the next few days, and it should be OK -