
McAfee Active Shield error message

2390 Views 14 Replies 2 Participants Last post by  Byteman
Every time I boot up my computer this box pops up over and over again:

McAfee Active Shield has found a suspect file on your computer. McAfee strongly recommends that you scan your computer now.

I have scanned and nothing has changed

I use AOL 9.0 Security Edition....

Below is my log from HijackThis

HELP!!!!! I cannot take it any more. I have tried everything....

Logfile of HijackThis v1.99.1
Scan saved at 8:53:43 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1136864626\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1136864626\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Common Files\AOL\1136864626\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1136864626\ee\aolsoftware.exe
C:\Program Files\America Online 9.0b\shellmon.exe
c:\program files\common files\aol\1136864626\ee\anotify.exe
c:\program files\common files\aol\1136864626\ee\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\AOL\1136864626\ee\SSCEvtHdlr.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136864626\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1136864626\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1136864626\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1136864626\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
1 - 5 of 15 Posts
Hi, First go to Add/Remove Programs on the Control Panel and remove WinAntiVirus (2006).

If it is not there, or if you have any problems trying to remove it, don't worry about it and just continue with this fix.


Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.

_ _ _ _ _ _ _

After you post those, do this and post what it asks for.

Download AVG Anti-Spyware from HERE and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.

  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
  2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
  4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.


  1. Next, you will need the directions saved that are posted below, since you will be doing part of the work
    in Safe Mode where this forum and the Internet are not available! Print them out, or you can copy and paste the steps into a text file with Notepad and save it as steps.txt (or something else you'd like to call it) to your desktop.

  2. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
  3. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
  4. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  5. AVG will now begin the scanning process. Please be patient as this may take a little time.
    Once the scan is complete, do the following:
  6. If you have any infections you will be prompted. Then select "Apply all actions."
  7. Next select the "Reports" icon at the top.
  8. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
  9. Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
Hi,

Download and install SpyBot Search and Destroy 1.4

http://www.safer-networking.org/index.php?page=spybotsd

The main program is all you need; it updates when you install it. Just put it on the desktop, or your favorite place to store downloads.

Here is a short guide with pics to help you install the program:

http://www.safer-networking.org/en/tutorial/index.html

When you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, agreeing to the user agreements, and pressing the Next button until you get to the Select Additional Tasks screen.

Put a check into "Use Internet Explorer Protection--SDHelper"

Do NOT select TeaTimer; you have a protective program running that will possibly conflict with TeaTimer and prevent you from making changes we need to do.

You can create a Registry backup, which is always a good idea. It may take a couple of minutes, so wait until it has finished if you do back up.

Click on the Search for updates button, as shown in the red box in figure 4 above. This will make Spybot connect to a server on the Internet and determine if there are any available updates for Spybot. If there are no updates available it will tell you so, and then you can click on the Next button.

If updates are available then the Download all available updates button will become available and you should click on that, following the prompts. You can use the TDS (US) server by using the little black drop-down arrow next to the Server name. You have to do this because the program is made in Europe and the default server is usually one over there, not that it matters much...

When the updates are installed click on the Next button.

Immunize Internet Explorer: click on "Immunize" and you will see the number of protections it will add. Run Immunize twice, until it says "All known products are already blocked", and click OK.

Click "Check for Problems" and let it scan, then have it remove all items in RED it finds.

You can post the results of SpyBot after you have fixed anything it finds: just restart SpyBot, and up at the top of its window select "Mode" and click Advanced, then Tools, and finally click View Report. Copy and paste that into your reply here.

What I am looking for is an entry like this:

(Name of malware, should be Winfixer or WinantivirusPro): User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2052111302-562591055-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}

If you get that in your SpyBot report we have just a bit more to do.

_ _ _ _ _

I don't see any detected items found in System Restore, so you must have turned that off already? It's OK, but if you want to turn that back on after we are done, let me know, I will post the steps for you anyhow at the end.
Next:

Run HijackThis again (scan only) and put checks next to these items if you see them. Then close this and all other browser windows so that nothing is open on screen but HijackThis, and when you have the items I list checked, click "Fix Checked".

O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\vtuts.dll (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <<optional

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab

Empty the Recycle Bin.

The reason Vundo got in was the older version of Java you are using; you need the latest update, and recently it's been updating often.

www.java.com. Just hit the "Download Java" arrow button.

It may take awhile but it will finish.

Run VundoFix once again, save the log and post it.

Post a new Hijackthis log.
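The two checks Byteman does by eye in the posts above, deciding which HijackThis lines are safe to "Fix Checked" (O2/O3/O9 entries whose file is gone, and O16 DPF downloads from a host nobody trusts) and matching the CLSID in the Spybot Ext\Stats key back to the O16 line, written out as an added Python example. It is not part of this thread and is not code from HijackThis or Spybot. The sample log and Spybot lines are constructed from the entries quoted in the thread, and the DPF host allow-list is this example's own assumption; HijackThis ships no such list.

```python
"""Triage helper for HijackThis 1.99.x logs and Spybot S&D reports (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the O2/O3/O9/O16 lines quoted in this thread plus one
# benign O4 line, so the filter has something it must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\vtuts.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
"""

# Constructed sample of the Spybot report entry the helper said to look for.
SAMPLE_SPYBOT = r"""
WinAntiVirusPro: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2052111302-562591055-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}
"""

# Hosts the analyst has decided to trust for O16 ActiveX downloads.
# ASSUMPTION: this allow-list is the example's own; HijackThis has no such list.
DPF_ALLOWED_HOSTS = {"web1.shutterfly.com"}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O16"
    clsid: str     # CLSID on the line, upper-cased, or "" if none
    reason: str    # why the analyst should look at it
    line: str      # the original log line, for pasting into the reply


def triage(log_text, allowed_dpf_hosts=DPF_ALLOWED_HOSTS):
    """Flag orphaned O2/O3/O9 entries and O16 downloads from unlisted hosts.

    Returns (findings, clsid_sections); clsid_sections maps every CLSID seen
    in the log to the set of sections it appeared in.
    """
    findings = []
    clsid_sections = defaultdict(set)
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                          # blank, header or process-list line
        section, body = m.group(1), m.group(2)
        cm = CLSID_RE.search(body)
        clsid = cm.group(0).upper() if cm else ""
        if clsid:
            clsid_sections[clsid].add(section)
        if section in ("O2", "O3", "O9") and any(mk in body for mk in ORPHAN_MARKERS):
            # Registry still points at a BHO/toolbar whose DLL is gone: nothing
            # breaks by fixing it, and it is a leftover of whatever was removed.
            findings.append(Finding(section, clsid, "orphaned entry, file is gone", raw.strip()))
        elif section == "O16":
            hm = URL_RE.search(body)
            host = hm.group(1).lower() if hm else ""
            if host not in allowed_dpf_hosts:
                findings.append(Finding(section, clsid,
                                        f"ActiveX (DPF) download from unlisted host {host or '<none>'}",
                                        raw.strip()))
    return findings, dict(clsid_sections)


def shared_clsids(clsid_sections):
    """CLSIDs that appear in more than one section; fix those lines together."""
    return {c for c, secs in clsid_sections.items() if len(secs) > 1}


def spybot_clsids(report_text):
    """CLSIDs named on registry-key lines of a Spybot report (the Ext\\Stats entries)."""
    found = set()
    for line in report_text.splitlines():
        if line.strip().upper().startswith("HKEY_"):
            found.update(c.upper() for c in CLSID_RE.findall(line))
    return found


def correlate(log_text, report_text):
    """CLSIDs that Spybot reports AND HijackThis shows as a DPF/BHO/toolbar entry."""
    _, sections = triage(log_text)
    return {c: sorted(sections[c]) for c in spybot_clsids(report_text) if c in sections}


if __name__ == "__main__":
    findings, sections = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f.section} {f.clsid or '-':40} {f.reason}")
    print("same CLSID in several sections:", shared_clsids(sections))
    print("Spybot CLSIDs also in the HijackThis log:", correlate(SAMPLE_LOG, SAMPLE_SPYBOT))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The point of the cross-reference is the one Byteman makes: the {B64F4A7C-...} CLSID in the Spybot registry entry is the same object the O16 DPF line installs, and the {4982D40A-...} toolbar stub shows up in both O3 and O9, so those lines are fixed as a group rather than one at a time.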
Hi, for the SpyBot log, can you post it in 2 or 3 parts, as separate replies?

Yes, post a new Hijackthis log.

After that, about all we need to do is update Java.

Did you understand this below?

Byteman said:
I don't see any detected items found in System Restore, so you must have turned that off already? It's OK, but if you want to turn that back on after we are done, let me know, I will post the steps for you anyhow at the end.
If you have System Restore turned on, and have not flushed the Restore Points, we need to do that. If you have any doubts or questions, post in next reply. I will post the steps to do the System Restore Point work as a last step when you reply.

Were you able to update Java?
Hi, Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Wait for the hourglass to stop and for it to say "Turned Off".

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
Hi, System Restore is either not running or something else is wrong, but all XP machines have it.

Do this: right-click "My Computer" and select Properties, then look at the System Restore tab and see what it says:

If "Monitoring" then Restore is on.

If "Turned Off" then someone at some time has turned off System Restore, you need to turn it back on, and then you can create the first new Restore Point as I posted above.

Let me know if it was found turned off, and do others use the computer?