#1
Registered User
Join Date: Dec 2008
Posts: 7
OS: Windows 2000
antivirus sites blocked, google searches redirected
Thank you for taking the time to look at my issue.
I first noticed a problem when I got some kind of error message on startup about "viewpointservic.exe" (it was not "viewpointservice.exe" with the "e" at the end). I tried searching online about the problem, but every link I clicked on in Google searches came to marketing websites. Copying and pasting links directly into the address bar would work, but any antivirus site I tried to access was blocked completely (including this forum--I'm on my wife's laptop at the moment). The internet connection seems to be running very slowly as well. I removed Viewpoint Media Player through Add/Remove Programs, but that of course has not solved the problem. I had recently switched from AVG to Avast, and thinking that that may have been the problem, I removed Avast and reinstalled AVG (which cannot update itself, since access to www.avg.com is blocked). I downloaded dds and gmer and transferred them to my desktop on a thumb drive. Gmer would not run (double clicking resulted in a brief moment of the hourglass mouse icon and then nothing), but I was able to run dds. The log is below, and the "attach" file is attached. Thank you in advance for your help!
DDS (Version 1.0) - NTFSx86
Run by (my name removed) at 11:58:51.03 on Sat 12/06/2008
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.829 [GMT -5:00]

============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\(my name removed)\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {8E718888-423F-11D2-876E-00A0C9082467} - c:\winnt\system32\msdxm.ocx
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [PCTVOICE] pctspk.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - c:\winnt\system32\msdxm.ocx
AppInit_DLLs: avgrsstx.dll
SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - c:\winnt\system32\NETSHELL.dll

============= SERVICES / DRIVERS ===============

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SONYPVM1.SYS [2008-10-21 28224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2008-12-5 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2008-12-5 26824]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-5 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-5 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2008-12-5 76040]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2008-3-9 61712]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" []

=============== Created Last 30 ================

2008-12-06 11:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_158.dat
2008-12-06 10:25 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-05 23:55 10,520 a------- c:\winnt\system32\avgrsstx.dll
2008-12-05 23:55 76,040 a------- c:\winnt\system32\drivers\avgtdix.sys
2008-12-05 23:55 97,928 a------- c:\winnt\system32\drivers\avgldx86.sys
2008-12-05 23:55 <DIR> --d----- c:\winnt\system32\drivers\Avg
2008-12-05 23:54 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-05 23:54 <DIR> --d----- c:\program files\AVG
2008-12-05 23:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SpeedBit
2008-12-05 23:10 479,298 a------- c:\winnt\system32\wbocx.ocx
2008-12-05 23:10 172,032 a------- c:\winnt\system32\AniGIF.ocx
2008-12-05 23:10 50,688 a------- c:\winnt\system32\wbhelp2.dll
2008-12-05 23:10 <DIR> --d----- c:\program files\DAP
2008-12-05 18:16 16,384 a------t c:\winnt\system32\Perflib_Perfdata_220.dat
2008-12-04 14:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_20c.dat
2008-11-25 00:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-25 00:47 <DIR> --d----- c:\program files\common files\AOL
2008-11-25 00:47 473 a---h--- C:\IPH.PH
2008-11-10 09:42 <DIR> --d----- c:\program files\Bridge Builder

==================== Find3M ====================

2008-12-05 12:10 23,136 a------- c:\winnt\system32\nvModes.dat
2008-10-20 12:48 249,856 -------- c:\winnt\Setup1.exe
2008-10-20 12:48 73,216 a------- c:\winnt\ST6UNST.EXE
2008-09-19 12:04 128,790 a------- c:\winnt\hpwins10.dat
2008-09-15 10:28 19,573 a------- c:\winnt\DIIUnin.dat
2008-09-15 00:13 1,644,432 a------- c:\winnt\system32\WIN32K.SYS
2008-09-08 03:14 1,121,280 a------- c:\winnt\system32\msxml3.dll
2008-03-09 20:38 21,952 ----h--- c:\program files\folder.htt
2008-03-09 20:38 271 ----h--- c:\program files\desktop.ini
2002-08-09 11:08 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 11:59:24.02 ===============
#2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,459
OS: N/A
Re: antivirus sites blocked, google searches redirected
1. Download this file
2. Double click to run it
3. When finished, it shall produce a log for you. Post that log

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
#3
Registered User
Join Date: Dec 2008
Posts: 7
OS: Windows 2000
Re: antivirus sites blocked, google searches redirected
Thanks for the quick reply. ComboFix required a restart, and after it finished and displayed the log, Windows did not load properly. (The taskbar at the bottom of the screen did not appear, and no icons appeared on the desktop.) A second restart got everything loading properly, but I thought I would mention it in case it is at all unusual.
ComboFix 08-12-06.01 - (my name removed) 2008-12-06 13:28:39.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.754 [GMT -5:00]
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\drivers\TDSSmqlt.sys
c:\winnt\system32\h@tkeysh@@k.dll
c:\winnt\system32\TDSSbrsr.dll
c:\winnt\system32\TDSSlxwp.dll
c:\winnt\system32\TDSSnmxh.log
c:\winnt\system32\TDSSoiqh.dll
c:\winnt\system32\TDSSosvd.dat
c:\winnt\system32\TDSSrhym.log
c:\winnt\system32\TDSSriqp.dll
c:\winnt\system32\TDSSsihc.dll
c:\winnt\system32\TDSStkdu.log
c:\winnt\system32\TDSSxfum.dll
c:\winnt\Web\default.htt
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 13:27 . 08-12-06 13:27 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_32c.dat
2008-12-06 10:25 . 08-12-06 10:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-05 23:55 . 08-12-06 13:32 <DIR> d-------- c:\winnt\system32\drivers\Avg
2008-12-05 23:55 . 08-12-05 23:55 97,928 --a------ c:\winnt\system32\drivers\avgldx86.sys
2008-12-05 23:55 . 08-12-05 23:55 76,040 --a------ c:\winnt\system32\drivers\avgtdix.sys
2008-12-05 23:55 . 08-12-05 23:55 10,520 --a------ c:\winnt\system32\avgrsstx.dll
2008-12-05 23:54 . 08-12-05 23:54 <DIR> d-------- c:\program files\AVG
2008-12-05 23:54 . 08-12-05 23:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\avg8
2008-12-05 23:10 . 08-12-05 23:50 <DIR> d-------- c:\program files\DAP
2008-12-05 23:10 . 08-12-05 23:48 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 23:10 . 08-12-05 23:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-05 23:10 . 08-12-05 23:10 479,298 --a------ c:\winnt\system32\wbocx.ocx
2008-12-05 23:10 . 08-12-05 23:10 172,032 --a------ c:\winnt\system32\AniGIF.ocx
2008-12-05 23:10 . 08-12-05 23:10 50,688 --a------ c:\winnt\system32\wbhelp2.dll
2008-12-05 18:16 . 08-12-05 18:16 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_220.dat
2008-12-04 14:08 . 08-12-04 14:08 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_20c.dat
2008-11-26 12:13 . 08-11-26 12:13 <DIR> d-------- c:\program files\Alwil Software
2008-11-25 00:48 . 08-12-05 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 00:47 . 08-11-25 00:53 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-25 00:47 . 08-11-25 00:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-25 00:47 . 08-11-25 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-25 00:47 . 08-11-25 00:48 473 --ah----- C:\IPH.PH
2008-11-10 09:42 . 08-11-17 10:29 <DIR> d-------- c:\program files\Bridge Builder
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-12-06 17:42 --------- d-----w c:\documents and settings\(my name removed)\Application Data\OpenOffice.org2
2008-12-05 13:54 --------- d-----w c:\program files\Diablo II
2008-12-02 03:12 --------- d-----w c:\documents and settings\(my name removed)\Application Data\gtk-2.0
2008-10-21 20:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-21 19:59 --------- d-----w c:\program files\Sony_usb
2008-10-20 17:48 73,216 ----a-w c:\winnt\ST6UNST.EXE
2008-10-20 17:48 249,856 ------w c:\winnt\Setup1.exe
2008-10-20 17:42 --------- d-----w c:\documents and settings\(my name removed)\Application Data\GetRightToGo
2008-10-16 19:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\winnt\system32\wups.dll
2008-09-15 05:13 1,644,432 ----a-w c:\winnt\system32\WIN32K.SYS
2008-09-08 08:14 1,121,280 ----a-w c:\winnt\system32\msxml3.dll
2008-03-10 01:38 271 ---h--w c:\program files\desktop.ini
2008-03-10 01:38 21,952 ---h--w c:\program files\folder.htt
2002-08-09 16:08 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [03-02-10 10:27 4501504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-10-15 01:04 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [08-12-05 23:54 1261336]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 c:\winnt\system32\mobsync.exe]
"PCTVOICE"="pctspk.exe" [03-02-24 15:35 163840 c:\winnt\system32\pctspk.exe]
"nwiz"="nwiz.exe" [03-02-10 10:27 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS [2008-10-21 28224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\Drivers\avgldx86.sys [2008-12-05 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-05 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-05 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\Drivers\avgtdix.sys [2008-12-05 76040]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2008-03-09 61712]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
- LSP: %SystemRoot%\system32\msafd.dll
O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\(my name removed)\Application Data\Mozilla\Firefox\Profiles\jcsapru3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 13:33:47
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\winnt\TEMP\a3f7353f-8382-47d2-a1e3-c31eca825071.tmp 0 bytes
c:\winnt\system32\Perflib_Perfdata_5a8.dat 16384 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(188)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2008-12-06 13:35:37
ComboFix-quarantined-files.txt 2008-12-06 18:34:31

Pre-Run: 10,217,508,864 bytes free
Post-Run: 10,383,306,752 bytes free

146 --- E O F --- 2008-11-13 00:01:49
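The DDS log in post #1 and the ComboFix log above are what a reviewer actually reads in a thread like this. The following Python is an added example, not the thread's own content and not code from DDS or ComboFix: it pulls out the three findings those two logs carry. An auto-start service whose binary is gone (the Viewpoint entry DDS printed with empty brackets), a service key that the registry holds but the tool's own service listing never showed (TDSSserv.sys, the cross-view gap that marks a kernel-mode rootkit hiding itself), and the family of randomly-suffixed TDSS* files ComboFix deleted alongside the oddly named h@tkeysh@@k.dll. The reading of the R/S prefix and start-type digit, the "empty [] means file not found" rule and the 4+4-letter name pattern are assumptions made for the example; the sample input is copied from the two logs above and trimmed.

```python
r"""Triage helpers for the DDS (post #1) and ComboFix (post #3) logs above.
Added example; not code from the forum, DDS or ComboFix. Assumed formats (read off the
logs, not documented): "R2 name;desc;path [date size]" service lines, R/S = running/
stopped, digit = SCM start type, empty [] = file not found; "[HKLM\system\...\Services\x]"
keys followed by "imagepath"="..."; one path per line under "Other Deletions".
"""
import re
from collections import defaultdict

SERVICE_RE = re.compile(r'^([RS])([0-4]) ([^;]+);([^;]*);("[^"]*"|[^\[]*?)\s*\[([^\]]*)\]\s*$')
SERVICES_KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\system\\[^\\]+\\Services\\([^\]]+)\]$', re.I)
IMAGEPATH_RE = re.compile(r'^"imagepath"="([^"]*)"$', re.I)
FAMILY_RE = re.compile(r'^([A-Za-z]{4})[a-z]{4}\.[a-z]{3}$')  # 4-letter stem + 4 random letters
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

def parse_service_lines(text):
    """{lower-cased name: info} for every R?/S? line in the text."""
    out = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, start, name, _desc, path, meta = m.groups()
            out[name.strip().lower()] = {"name": name.strip(), "path": path.strip().strip('"'),
                                         "running": state == "R", "start": START_TYPES[start],
                                         "file_seen": bool(meta.strip())}
    return out

def parse_registry_services(text):
    """{lower-cased service name: imagepath} for Services keys the log printed explicitly."""
    out, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        key = SERVICES_KEY_RE.match(s)
        if key:
            current = key.group(1)
            continue
        val = IMAGEPATH_RE.match(s)
        if val and current:
            out[current.lower()], current = val.group(1), None
    return out

def deleted_paths(text):
    """Paths listed under the 'Other Deletions' banner, up to the next banner."""
    out, grab = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("((((("):
            grab = "Other Deletions" in s
        elif grab and "\\" in s:
            out.append(s)
    return out

def orphaned_autostarts(services):
    """Boot/system/auto-start entries whose image file the tool could not find."""
    return sorted(s["name"] for s in services.values()
                  if s["start"] in ("boot", "system", "auto") and not s["file_seen"])

def cross_view_gap(services, registry_services):
    """Service keys the registry holds but the tool's own listing never showed: the rootkit tell."""
    return {n: p for n, p in registry_services.items() if n not in services}

def name_families(paths, min_members=3):
    """Group XXXXabcd.ext file names by their 4-letter stem (the TDSS* cluster here)."""
    fam = defaultdict(list)
    for name in (p.rsplit("\\", 1)[-1] for p in paths):
        m = FAMILY_RE.match(name)
        if m:
            fam[m.group(1)].append(name)
    return {k: sorted(v) for k, v in fam.items() if len(v) >= min_members}

def odd_names(paths):
    """File names using characters outside the usual set (h@tkeysh@@k.dll)."""
    return [n for n in (p.rsplit("\\", 1)[-1] for p in paths) if re.search(r'[^A-Za-z0-9._~$ ()-]', n)]

# Sample input: lines copied from the two logs above (trimmed).
DDS_SERVICES = r"""
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SONYPVM1.SYS [2008-10-21 28224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2008-12-5 97928]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" []
"""
COMBOFIX_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\winnt\system32\drivers\TDSSmqlt.sys
c:\winnt\system32\h@tkeysh@@k.dll
c:\winnt\system32\TDSSbrsr.dll
c:\winnt\system32\TDSSnmxh.log
c:\winnt\system32\TDSSosvd.dat
c:\winnt\system32\TDSSxfum.dll
c:\winnt\Web\default.htt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
"""
if __name__ == "__main__":
    svc, dropped = parse_service_lines(DDS_SERVICES), deleted_paths(COMBOFIX_EXCERPT)
    print("auto-start entries with no file:", orphaned_autostarts(svc))
    print("registry services DDS never listed:", cross_view_gap(svc, parse_registry_services(COMBOFIX_EXCERPT)))
    print("name families:", name_families(dropped), "| odd names:", odd_names(dropped))
```

The cross-view check is the one that matters: DDS enumerated eight services and drivers and never saw TDSSserv.sys, yet the registry carried a key for it with an imagepath in system32\drivers. A service that exists for the kernel but not for a user-mode enumerator is being hidden, which is consistent with gmer refusing to start and with the network-level blocking of antivirus sites the first post describes. The name-family grouping is a heuristic and will also catch legitimate vendor prefixes; treat it as a prompt to look, not a verdict.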
#4
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,459
OS: N/A
Re: antivirus sites blocked, google searches redirected
Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
Driver::
Viewpoint Manager Service

Folder::
c:\program files\Viewpoint

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

---------------

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note** To optimize scanning time and produce a more sensible report for review:

Click Accept, when prompted to download and install the program files and database of malware definitions.

---------------

In your next post, please include fresh logs from:
#5
Registered User
Join Date: Dec 2008
Posts: 7
OS: Windows 2000
Re: antivirus sites blocked, google searches redirected
When I dragged CFScript.txt into Combo-Fix, it generated an error, saying that I could not "rename ComboFix to Combo-Fix" and to please use only alphanumeric characters. Then it told me that a new version of ComboFix was available, and asked if I would please install that (I said yes). Afterward, it ran and generated the log that is posted below.
I have AVG Free running, and I wasn't able to find any place to disable it while I ran the Kaspersky scan. I hope this doesn't mess anything up! The Kaspersky scan log is below as well.

Also, now I am able to navigate normally (or so it appears) on the internet. AVG is still acting a bit funny--resident shield says it is not active, but also says that it is currently running. AVG also acts as if there are still active scans in process (it has thought that since before I first posted to this site). Thanks again for all the help--I'm looking forward to fully eradicating this stuff.

ComboFix 08-12-06.03 - (my name removed) 12/06/2008 14:04:44.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.758 [GMT -5:00]
Running from: c:\documents and settings\(my name removed)\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\(my name removed)\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 14:09 . 16,384 c:\winnt\system32\Perflib_Perfdata_3f4.dat
2008-12-06 10:25 . 08-12-06 10:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-05 23:55 . 08-12-06 13:32 <DIR> d-------- c:\winnt\system32\drivers\Avg
2008-12-05 23:55 . 08-12-05 23:55 97,928 --a------ c:\winnt\system32\drivers\avgldx86.sys
2008-12-05 23:55 . 08-12-05 23:55 76,040 --a------ c:\winnt\system32\drivers\avgtdix.sys
2008-12-05 23:55 . 08-12-05 23:55 10,520 --a------ c:\winnt\system32\avgrsstx.dll
2008-12-05 23:54 . 08-12-05 23:54 <DIR> d-------- c:\program files\AVG
2008-12-05 23:54 . 08-12-05 23:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\avg8
2008-12-05 23:10 . 08-12-05 23:50 <DIR> d-------- c:\program files\DAP
2008-12-05 23:10 . 08-12-05 23:48 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 23:10 . 08-12-05 23:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-05 23:10 . 08-12-05 23:10 479,298 --a------ c:\winnt\system32\wbocx.ocx
2008-12-05 23:10 . 08-12-05 23:10 172,032 --a------ c:\winnt\system32\AniGIF.ocx
2008-12-05 23:10 . 08-12-05 23:10 50,688 --a------ c:\winnt\system32\wbhelp2.dll
2008-11-26 12:13 . 08-11-26 12:13 <DIR> d-------- c:\program files\Alwil Software
2008-11-25 00:48 . 08-12-05 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 00:47 . 08-11-25 00:53 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-25 00:47 . 08-11-25 00:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-25 00:47 . 08-11-25 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-25 00:47 . 08-11-25 00:48 473 --ah----- C:\IPH.PH
2008-11-10 09:42 . 08-11-17 10:29 <DIR> d-------- c:\program files\Bridge Builder
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-12-06 19:01 --------- d-----w c:\documents and settings\(my name removed)\Application Data\OpenOffice.org2
2008-12-05 13:54 --------- d-----w c:\program files\Diablo II
2008-12-02 03:12 --------- d-----w c:\documents and settings\(my name removed)\Application Data\gtk-2.0
2008-10-21 20:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-21 19:59 --------- d-----w c:\program files\Sony_usb
2008-10-20 17:48 73,216 ----a-w c:\winnt\ST6UNST.EXE
2008-10-20 17:48 249,856 ------w c:\winnt\Setup1.exe
2008-10-20 17:42 --------- d-----w c:\documents and settings\(my name removed)\Application Data\GetRightToGo
2008-03-10 01:38 271 ---h--w c:\program files\desktop.ini
2008-03-10 01:38 21,952 ---h--w c:\program files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@Sat 2008-12-06_13.33.58.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\winnt\ERDNT\subs\ERDNT.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [03-02-10 10:27 4501504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-10-15 01:04 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [08-12-05 23:54 1261336]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 c:\winnt\system32\mobsync.exe]
"PCTVOICE"="pctspk.exe" [03-02-24 15:35 163840 c:\winnt\system32\pctspk.exe]
"nwiz"="nwiz.exe" [03-02-10 10:27 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS [2008-10-21 28224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\Drivers\avgldx86.sys [2008-12-05 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-05 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-05 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\Drivers\avgtdix.sys [2008-12-05 76040]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2008-03-09 61712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
- LSP: %SystemRoot%\system32\msafd.dll
O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\(my name removed)\Application Data\Mozilla\Firefox\Profiles\jcsapru3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 14:10:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2008-12-06 14:16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 19:15:55
ComboFix2.txt 2008-12-06 18:35:39

Pre-Run: 10,387,607,552 bytes free
Post-Run: 10,343,563,264 bytes free

119 --- E O F --- 2008-11-13 00:01:49

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 6, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 17 00
Records in database: 1440582
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 37855
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:11:29

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\TDSSmqlt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSoiqh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSxfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1

The selected area was scanned.
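A second-opinion scan after a cleanup is only reassuring once its hits are sorted by location: every one of the five objects Kaspersky flagged above sits under C:\Qoobox\Quarantine\, which is where ComboFix parks what it removed, renamed with a .vir suffix. The following Python is an added example, not the thread's own content and not Kaspersky's or ComboFix's code. It parses the report layout shown above, separates detections inside a quarantine folder from live ones, maps each .vir copy back to the path it was taken from, tallies the families after dropping the variant suffix, and checks the parsed rows against the report's own "Infected objects" count. The report excerpt is copied from the post above; the quarantine prefix list and the single "live" row used to show the contrast are constructed assumptions.

```python
r"""Sort Kaspersky Online Scanner detections into quarantined vs. live.
Added example; not code from the forum or from Kaspersky. Assumed layout (read off the
report above): an "Infected objects: N" line, then a table headed "File name / Threat
name / Threats count" with rows "<path> Infected: <threat> <count>". Files under
ComboFix's C:\Qoobox\Quarantine (renamed with a ".vir" suffix) count as neutralised;
other tools' folders would go into QUARANTINE_PREFIXES.
"""
import re
from collections import Counter

DETECTION_RE = re.compile(r'^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$')
DECLARED_RE = re.compile(r'^Infected objects:\s+(\d+)$')
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)  # ComboFix's folder; extend per tool (assumption)

def parse_report(report):
    """Return (declared infected-object count or None, list of detection rows)."""
    declared, rows, in_table = None, [], False
    for line in report.splitlines():
        s = line.strip()
        d = DECLARED_RE.match(s)
        if d:
            declared = int(d.group(1))
        elif s.startswith("File name / Threat name"):
            in_table = True
        elif in_table:
            m = DETECTION_RE.match(s)
            if m:
                row = m.groupdict()
                row["count"] = int(row["count"])
                rows.append(row)
    return declared, rows

def is_quarantined(path):
    return path.lower().startswith(QUARANTINE_PREFIXES)

def original_path(path):
    r"""Map C:\Qoobox\Quarantine\C\WINNT\x.dll.vir back to C:\WINNT\x.dll, where it was removed from."""
    for q in QUARANTINE_PREFIXES:
        if path.lower().startswith(q):
            drive, _, tail = path[len(q):].partition("\\")
            path = f"{drive}:\\{tail}"
            break
    return path[:-4] if path.lower().endswith(".vir") else path

def triage(report):
    """What is still live, what is only in quarantine, which families, and whether the table is complete."""
    declared, rows = parse_report(report)
    live = [r for r in rows if not is_quarantined(r["path"])]
    quarantined = [dict(r, original=original_path(r["path"])) for r in rows if is_quarantined(r["path"])]
    families = Counter(r["threat"].rsplit(".", 1)[0] for r in rows)  # drop the variant suffix
    return {
        "live": live,
        "quarantined": quarantined,
        "families": dict(families),
        "count_matches_header": declared is None or declared == sum(r["count"] for r in rows),
        "clean_apart_from_quarantine": not live,
    }

# Copied from the Kaspersky report above (trimmed to the lines the parser uses).
REPORT = r"""
Scan statistics:
Files scanned: 37855
Threat name: 5
Infected objects: 5
Suspicious objects: 0

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\TDSSmqlt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSoiqh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSxfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1

The selected area was scanned.
"""
# Constructed row (not from the page) showing what a detection outside any quarantine folder looks like.
CONSTRUCTED_LIVE_ROW = r"C:\Documents and Settings\user\Local Settings\Temp\dropper.tmp Infected: Example.Win32.Constructed.a 1"

if __name__ == "__main__":
    summary = triage(REPORT)
    print("live:", [r["path"] for r in summary["live"]])
    print("quarantined originals:", [r["original"] for r in summary["quarantined"]])
    print("families:", summary["families"], "| complete:", summary["count_matches_header"])
```

Run against the report above it reports no live detections, five quarantined ones whose original paths are the system32 TDSS* files ComboFix deleted, four Backdoor.Win32.TDSS variants plus one Trojan.Win32.Agent, and a row count that matches the header. The mapping back to original paths is what lets a reviewer confirm the scanner is re-detecting the same files ComboFix already removed rather than something new.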
#6
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,459
OS: N/A
Re: antivirus sites blocked, google searches redirected
Quote:
------------
Of the stuff Kaspersky found, C:\QooBox\ is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will further enhance your safety.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.

Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
#7
Registered User
Join Date: Dec 2008
Posts: 7
OS: Windows 2000
Re: antivirus sites blocked, google searches redirected
It turns out that AVG is now back to normal with simply a reboot (no uninstall or reinstall needed).
I uninstalled ComboFix successfully, but my schedule requires that I shut down the computer and attend to other things at the moment. I will come back tomorrow to finish up. In the meantime, thank you so much for your help!