Thread: help please!
Old 02-20-2008, 11:12 PM   #5 (permalink)
ceewi1
Moderator
 
Join Date: Dec 2005
Location: Melbourne, Australia
Age: 21
Posts: 4,936

We're making progress, but there's still work to be done.

Your logfile shows signs of Viewpoint Manager.
Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything bad. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them info about your habits. It is not considered spyware since this is not clear, but I would not tolerate it on my machine if I didn't install it.

I suggest you remove it. To do so, click on Start -> Control Panel -> Add or Remove Programs. Click on Viewpoint Manager and click Remove.
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINNT\system32\rrrqr.bak1
    C:\WINNT\system32\rrrqr.bak2
    C:\WINNT\system32\rrrqr.ini2
    C:\WINNT\devadwp.exe
    C:\WINNT\Tasks\SpywareBot Scheduled Scan.job
    
    Folder::
    C:\Program Files\SpywareBot
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjjhf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrr]
    [-HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^infos.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVSystemCare]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplorer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjodxn]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lwxbkua]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msia]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule9]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qekyamxdvg]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smwenmxamy]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufhmbhqg]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdyjrdxxusfhk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\whttqurheltf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wpknfgqwxj]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrraekunyuaj]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.





  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:
If you chose to remove Viewpoint Manager, please also check the following entry (if still present):
  • O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Please close all open windows except for HijackThis and choose Fix checked.

While there are a number of Symantec entries in your log, they don't indicate the presence of an active anti-virus program.

If you don't have an active antivirus program, please download one of the following free antivirus clients and allow it to run a full scan before proceeding: AVG, AntiVir or avast!.

Please reboot your PC and post:
  • The ComboFix log
  • A new HijackThis log
  • An update on how your PC is running now
__________________

CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: XFX 7900GT
RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 1TB Total HDD / PSU: Antec NeoPower 480W

Cheap PSUs - 2% of system costs, responsible for 28% of system deaths
As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity.
- The "Warranty void if removed" sticker on numerous CoolerMaster PSUs.

ceewi1 is offline   Reply With Quote
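
An added example, not part of ceewi1's post and not ComboFix's own code: a Python parser for a CFScript like the one in the post, which groups the registry deletions by the kind of load point they remove so the script can be reviewed before it is run. It assumes only the syntax visible in the post (section headers ending in `::` and `[-KEY]` deletion lines) and treats `\~\` as an abbreviated path segment; the function names and location labels are hypothetical.

```python
import re
from collections import Counter

# Excerpt of the CFScript in the post above (shortened; entries copied from it).
SAMPLE = r"""File::
C:\WINNT\system32\rrrqr.bak1
C:\WINNT\devadwp.exe
Folder::
C:\Program Files\SpywareBot
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
"""

# Registry locations that appear in the script and what each one holds.
LOCATIONS = [
    (r"\\browser helper objects\\", "bho"),             # Internet Explorer add-on
    (r"\\winlogon\\notify\\", "winlogon-notify"),       # DLL loaded by Winlogon
    (r"\\msconfig\\startupreg\\", "msconfig-disabled"), # item disabled via msconfig
]

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; headers end in '::'."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def audit_registry(entries):
    """Return (count per location, keys whose path is abbreviated with '~')."""
    counts, abbreviated = Counter(), []
    for entry in entries:
        m = re.fullmatch(r"\[-(.+)\]", entry)
        if not m:
            raise ValueError(f"not a '[-KEY]' deletion line: {entry!r}")
        key = m.group(1)
        if "\\~\\" in key:  # assumption: '~' stands for an elided path segment
            abbreviated.append(key)
        counts[next((n for p, n in LOCATIONS if re.search(p, key, re.I)), "other")] += 1
    return counts, abbreviated
```

Calling `audit_registry(parse_cfscript(SAMPLE)["Registry"])` separates the active load points (the Browser Helper Object and the Winlogon notify entry) from the `startupreg` keys, which are msconfig's records of startup items that were already disabled.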