antivirus sites blocked, google searches redirected

This is a discussion on antivirus sites blocked, google searches redirected within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 12-06-2008, 09:22 AM   #1
Guest
 
Join Date: Dec 2008
Posts: 7
OS:



Thank you for taking the time to look at my issue.

I first noticed a problem when I got some kind of error message on startup about "viewpointservic.exe" (it was not "viewpointservice.exe" with the "e" at the end). I tried searching online about the problem, but every link I clicked on in Google searches came to marketing websites. Copying and pasting links directly into the address bar would work, but any antivirus site I tried to access was blocked completely (including this forum--I'm on my wife's laptop at the moment). The internet connection seems to be running very slowly as well.

I removed Viewpoint Media Player through Add/Remove Programs, but that of course has not solved the problem. I had recently switched from AVG to Avast, and thinking that that may have been the problem, I removed Avast and reinstalled AVG (which cannot update itself, since access to www.avg.com is blocked).

I downloaded dds and gmer and transfered them to my desktop on a thumb drive. Gmer would not run (double clicking resulted in a brief moment of the hourglass mouse icon and then nothing), but I was able to run dds. The log is below, and the "attach" file is attached.

Thank you in advance for your help!


DDS (Version 1.0) - NTFSx86
Run by (my name removed) at 11:58:51.03 on Sat 12/06/2008
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.829 [GMT -5:00]

============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\(my name removed)\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {8E718888-423F-11D2-876E-00A0C9082467} - c:\winnt\system32\msdxm.ocx
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [PCTVOICE] pctspk.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - c:\winnt\system32\msdxm.ocx
AppInit_DLLs: avgrsstx.dll
SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - c:\winnt\system32\NETSHELL.dll

============= SERVICES / DRIVERS ===============

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SONYPVM1.SYS [2008-10-21 28224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2008-12-5 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2008-12-5 26824]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-5 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-5 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2008-12-5 76040]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2008-3-9 61712]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" []

=============== Created Last 30 ================

2008-12-06 11:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_158.dat
2008-12-06 10:25 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-05 23:55 10,520 a------- c:\winnt\system32\avgrsstx.dll
2008-12-05 23:55 76,040 a------- c:\winnt\system32\drivers\avgtdix.sys
2008-12-05 23:55 97,928 a------- c:\winnt\system32\drivers\avgldx86.sys
2008-12-05 23:55 <DIR> --d----- c:\winnt\system32\drivers\Avg
2008-12-05 23:54 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-05 23:54 <DIR> --d----- c:\program files\AVG
2008-12-05 23:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SpeedBit
2008-12-05 23:10 479,298 a------- c:\winnt\system32\wbocx.ocx
2008-12-05 23:10 172,032 a------- c:\winnt\system32\AniGIF.ocx
2008-12-05 23:10 50,688 a------- c:\winnt\system32\wbhelp2.dll
2008-12-05 23:10 <DIR> --d----- c:\program files\DAP
2008-12-05 18:16 16,384 a------t c:\winnt\system32\Perflib_Perfdata_220.dat
2008-12-04 14:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_20c.dat
2008-11-25 00:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-25 00:47 <DIR> --d----- c:\program files\common files\AOL
2008-11-25 00:47 473 a---h--- C:\IPH.PH
2008-11-10 09:42 <DIR> --d----- c:\program files\Bridge Builder

==================== Find3M ====================

2008-12-05 12:10 23,136 a------- c:\winnt\system32\nvModes.dat
2008-10-20 12:48 249,856 -------- c:\winnt\Setup1.exe
2008-10-20 12:48 73,216 a------- c:\winnt\ST6UNST.EXE
2008-09-19 12:04 128,790 a------- c:\winnt\hpwins10.dat
2008-09-15 10:28 19,573 a------- c:\winnt\DIIUnin.dat
2008-09-15 00:13 1,644,432 a------- c:\winnt\system32\WIN32K.SYS
2008-09-08 03:14 1,121,280 a------- c:\winnt\system32\msxml3.dll
2008-03-09 20:38 21,952 ----h--- c:\program files\folder.htt
2008-03-09 20:38 271 ----h--- c:\program files\desktop.ini
2002-08-09 11:08 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 11:59:24.02 ===============
Attached Files
File Type: txt Attach.txt (4.6 KB, 22 views)
Mookiee is offline  
Old 12-06-2008, 10:07 AM   #2
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



1. Download this file

2. Double click to run it

3. When finished, it shall produce a log for you. Post that log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
sUBs is offline  
Old 12-06-2008, 10:49 AM   #3
Guest
 
Join Date: Dec 2008
Posts: 7
OS:



Thanks for the quick reply. ComboFix required a restart, and after it finished and displayed the log, Windows did not load properly. (The taskbar at the bottom of the screen did not appear, and no icons appeared on the desktop.) A second restart got everything loading properly, but I thought I would mention it in case it is at all unusual.


ComboFix 08-12-06.01 - (my name removed) 2008-12-06 13:28:39.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.754 [GMT -5:00]

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\drivers\TDSSmqlt.sys
c:\winnt\system32\[email protected]@@k.dll
c:\winnt\system32\TDSSbrsr.dll
c:\winnt\system32\TDSSlxwp.dll
c:\winnt\system32\TDSSnmxh.log
c:\winnt\system32\TDSSoiqh.dll
c:\winnt\system32\TDSSosvd.dat
c:\winnt\system32\TDSSrhym.log
c:\winnt\system32\TDSSriqp.dll
c:\winnt\system32\TDSSsihc.dll
c:\winnt\system32\TDSStkdu.log
c:\winnt\system32\TDSSxfum.dll
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 13:27 . 08-12-06 13:27 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_32c.dat
2008-12-06 10:25 . 08-12-06 10:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-05 23:55 . 08-12-06 13:32 <DIR> d-------- c:\winnt\system32\drivers\Avg
2008-12-05 23:55 . 08-12-05 23:55 97,928 --a------ c:\winnt\system32\drivers\avgldx86.sys
2008-12-05 23:55 . 08-12-05 23:55 76,040 --a------ c:\winnt\system32\drivers\avgtdix.sys
2008-12-05 23:55 . 08-12-05 23:55 10,520 --a------ c:\winnt\system32\avgrsstx.dll
2008-12-05 23:54 . 08-12-05 23:54 <DIR> d-------- c:\program files\AVG
2008-12-05 23:54 . 08-12-05 23:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\avg8
2008-12-05 23:10 . 08-12-05 23:50 <DIR> d-------- c:\program files\DAP
2008-12-05 23:10 . 08-12-05 23:48 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 23:10 . 08-12-05 23:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-05 23:10 . 08-12-05 23:10 479,298 --a------ c:\winnt\system32\wbocx.ocx
2008-12-05 23:10 . 08-12-05 23:10 172,032 --a------ c:\winnt\system32\AniGIF.ocx
2008-12-05 23:10 . 08-12-05 23:10 50,688 --a------ c:\winnt\system32\wbhelp2.dll
2008-12-05 18:16 . 08-12-05 18:16 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_220.dat
2008-12-04 14:08 . 08-12-04 14:08 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_20c.dat
2008-11-26 12:13 . 08-11-26 12:13 <DIR> d-------- c:\program files\Alwil Software
2008-11-25 00:48 . 08-12-05 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 00:47 . 08-11-25 00:53 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-25 00:47 . 08-11-25 00:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-25 00:47 . 08-11-25 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-25 00:47 . 08-11-25 00:48 473 --ah----- C:\IPH.PH
2008-11-10 09:42 . 08-11-17 10:29 <DIR> d-------- c:\program files\Bridge Builder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 17:42 --------- d-----w c:\documents and settings\(my name removed)\Application Data\OpenOffice.org2
2008-12-05 13:54 --------- d-----w c:\program files\Diablo II
2008-12-02 03:12 --------- d-----w c:\documents and settings\(my name removed)\Application Data\gtk-2.0
2008-10-21 20:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-21 19:59 --------- d-----w c:\program files\Sony_usb
2008-10-20 17:48 73,216 ----a-w c:\winnt\ST6UNST.EXE
2008-10-20 17:48 249,856 ------w c:\winnt\Setup1.exe
2008-10-20 17:42 --------- d-----w c:\documents and settings\(my name removed)\Application Data\GetRightToGo
2008-10-16 19:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\winnt\system32\wups.dll
2008-09-15 05:13 1,644,432 ----a-w c:\winnt\system32\WIN32K.SYS
2008-09-08 08:14 1,121,280 ----a-w c:\winnt\system32\msxml3.dll
2008-03-10 01:38 271 ---h--w c:\program files\desktop.ini
2008-03-10 01:38 21,952 ---h--w c:\program files\folder.htt
2002-08-09 16:08 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [03-02-10 10:27 4501504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-10-15 01:04 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [08-12-05 23:54 1261336]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 c:\winnt\system32\mobsync.exe]
"PCTVOICE"="pctspk.exe" [03-02-24 15:35 163840 c:\winnt\system32\pctspk.exe]
"nwiz"="nwiz.exe" [03-02-10 10:27 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS [2008-10-21 28224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\Drivers\avgldx86.sys [2008-12-05 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-05 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-05 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\Drivers\avgtdix.sys [2008-12-05 76040]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2008-03-09 61712]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
LSP: %SystemRoot%\system32\msafd.dll

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\(my name removed)\Application Data\Mozilla\Firefox\Profiles\jcsapru3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-12-06 13:33:47
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\TEMP\a3f7353f-8382-47d2-a1e3-c31eca825071.tmp 0 bytes
c:\winnt\system32\Perflib_Perfdata_5a8.dat 16384 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(188)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2008-12-06 13:35:37
ComboFix-quarantined-files.txt 2008-12-06 18:34:31

Pre-Run: 10,217,508,864 bytes free
Post-Run: 10,383,306,752 bytes free

146 --- E O F --- 2008-11-13 00:01:49
Mookiee is offline  
Old 12-06-2008, 10:54 AM   #4
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
Driver::
Viewpoint Manager Service
Folder::
c:\program files\Viewpoint
Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit https://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
sUBs is offline  
Old 12-06-2008, 01:29 PM   #5
Guest
 
Join Date: Dec 2008
Posts: 7
OS:



When I dragged CFScript.txt into Combo-Fix, it generated an error, saying that I could not "rename ComboFix to Combo-Fix" and to please use only alphanumeric characters. Then it told me that a new version of ComboFix was available, and asked if I would please install that (I said yes). Afterward, it ran and generated the log that is posted below.

I have AVG Free running, and I wasn't able to find any place to disable it while I ran the Kaspersky scan. I hope this doesn't mess anything up! The Kaspersky scan log is below as well.

Also, now I am able to navigate normally (or so it appears) on the internet. AVG is still acting a bit funny--resident shield says it is not active, but also says that it is currently running. AVG also acts as if there are still active scans in process (it has thought that since before I first posted to this site).

Thanks again for all the help--I'm looking forward to fully eradicating this stuff.


ComboFix 08-12-06.03 - (my name removed) 12/06/2008 14:04:44.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.758 [GMT -5:00]
Running from: c:\documents and settings\(my name removed)\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\(my name removed)\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 14:09 . 16,384 c:\winnt\system32\Perflib_Perfdata_3f4.dat
2008-12-06 10:25 . 08-12-06 10:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-05 23:55 . 08-12-06 13:32 <DIR> d-------- c:\winnt\system32\drivers\Avg
2008-12-05 23:55 . 08-12-05 23:55 97,928 --a------ c:\winnt\system32\drivers\avgldx86.sys
2008-12-05 23:55 . 08-12-05 23:55 76,040 --a------ c:\winnt\system32\drivers\avgtdix.sys
2008-12-05 23:55 . 08-12-05 23:55 10,520 --a------ c:\winnt\system32\avgrsstx.dll
2008-12-05 23:54 . 08-12-05 23:54 <DIR> d-------- c:\program files\AVG
2008-12-05 23:54 . 08-12-05 23:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\avg8
2008-12-05 23:10 . 08-12-05 23:50 <DIR> d-------- c:\program files\DAP
2008-12-05 23:10 . 08-12-05 23:48 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 23:10 . 08-12-05 23:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-05 23:10 . 08-12-05 23:10 479,298 --a------ c:\winnt\system32\wbocx.ocx
2008-12-05 23:10 . 08-12-05 23:10 172,032 --a------ c:\winnt\system32\AniGIF.ocx
2008-12-05 23:10 . 08-12-05 23:10 50,688 --a------ c:\winnt\system32\wbhelp2.dll
2008-11-26 12:13 . 08-11-26 12:13 <DIR> d-------- c:\program files\Alwil Software
2008-11-25 00:48 . 08-12-05 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 00:47 . 08-11-25 00:53 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-25 00:47 . 08-11-25 00:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-25 00:47 . 08-11-25 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-25 00:47 . 08-11-25 00:48 473 --ah----- C:\IPH.PH
2008-11-10 09:42 . 08-11-17 10:29 <DIR> d-------- c:\program files\Bridge Builder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 19:01 --------- d-----w c:\documents and settings\(my name removed)\Application Data\OpenOffice.org2
2008-12-05 13:54 --------- d-----w c:\program files\Diablo II
2008-12-02 03:12 --------- d-----w c:\documents and settings\(my name removed)\Application Data\gtk-2.0
2008-10-21 20:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-21 19:59 --------- d-----w c:\program files\Sony_usb
2008-10-20 17:48 73,216 ----a-w c:\winnt\ST6UNST.EXE
2008-10-20 17:48 249,856 ------w c:\winnt\Setup1.exe
2008-10-20 17:42 --------- d-----w c:\documents and settings\(my name removed)\Application Data\GetRightToGo
2008-03-10 01:38 271 ---h--w c:\program files\desktop.ini
2008-03-10 01:38 21,952 ---h--w c:\program files\folder.htt
.

((((((((((((((((((((((((((((( [email protected] 2008-12-06_13.33.58.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\winnt\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [03-02-10 10:27 4501504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-10-15 01:04 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [08-12-05 23:54 1261336]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 c:\winnt\system32\mobsync.exe]
"PCTVOICE"="pctspk.exe" [03-02-24 15:35 163840 c:\winnt\system32\pctspk.exe]
"nwiz"="nwiz.exe" [03-02-10 10:27 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS [2008-10-21 28224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\Drivers\avgldx86.sys [2008-12-05 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-05 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-05 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\Drivers\avgtdix.sys [2008-12-05 76040]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2008-03-09 61712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
LSP: %SystemRoot%\system32\msafd.dll

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\(my name removed)\Application Data\Mozilla\Firefox\Profiles\jcsapru3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-12-06 14:10:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2008-12-06 14:16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 19:15:55
ComboFix2.txt 2008-12-06 18:35:39

Pre-Run: 10,387,607,552 bytes free
Post-Run: 10,343,563,264 bytes free

119 --- E O F --- 2008-11-13 00:01:49



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 6, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 1700
Records in database: 1440582
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 37855
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:11:29


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\TDSSmqlt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSoiqh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSxfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1

The selected area was scanned.
Mookiee is offline  
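Added example, not code from this thread or from either tool: a Python triage script that reads the "Other Deletions" and "Drivers/Services" sections of a ComboFix log like the one in post #3 and the detection lines of a Kaspersky Online Scanner report like the one just above, maps each C:\Qoobox\Quarantine\...\*.vir hit back to the path it was removed from, and reports which deleted files the scan confirmed as malicious, which detections are still live outside the quarantine, and which deletions got no verdict. The banner and line formats are assumed from the logs as posted here, and the sample input is constructed from excerpts of them.

```python
import re

# Sample input, constructed from excerpts of the ComboFix log (post #3) and the
# Kaspersky Online Scanner report (post #5) in this thread; not the complete logs.
COMBOFIX_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\drivers\TDSSmqlt.sys
c:\winnt\system32\TDSSbrsr.dll
c:\winnt\system32\TDSSxfum.dll
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
"""

KASPERSKY_REPORT = r"""File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\TDSSmqlt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINNT\system32\TDSSxfum.dll.vir Infected: Trojan.Win32.Agent.arvz 1

The selected area was scanned.
"""

# ComboFix section banners look like "((((( Title )))))"; removed services are
# listed as "-------\Service_<name>" / "-------\Legacy_<name>".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
SERVICE_RE = re.compile(r"^-+\\(Service|Legacy)_(.+)$")
# Kaspersky detection line: "<path> Infected: <threat> <count>".
KAV_RE = re.compile(r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
# ComboFix keeps deleted files as <drive>:\Qoobox\Quarantine\<drive>\<original path>.vir
QUARANTINE_RE = re.compile(r"^([a-z]):\\qoobox\\quarantine\\([a-z])\\(.+?)(\.vir)?$", re.IGNORECASE)
# File-name pattern of the dropped components in this thread: "TDSS" + four letters.
TDSS_NAME_RE = re.compile(r"(^|\\)tdss[a-z]{4}\.(sys|dll|dat|log)$", re.IGNORECASE)

def combofix_sections(text):
    """Split a ComboFix log into {section title: [non-empty lines]} in log order."""
    sections, current = {}, None
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
            continue
        stripped = line.strip()
        if current is not None and stripped and stripped != ".":
            sections[current].append(stripped)
    return sections

def deleted_files(sections):
    """Paths ComboFix reported under 'Other Deletions'."""
    return [line for line in sections.get("Other Deletions", []) if "\\" in line]

def removed_services(sections):
    """(kind, name) pairs from the 'Drivers/Services' section."""
    matches = (SERVICE_RE.match(line) for line in sections.get("Drivers/Services", []))
    return [(m.group(1), m.group(2)) for m in matches if m]

def kaspersky_detections(text):
    """(path, verdict, threat name, count) for every detection line in the report."""
    matches = (KAV_RE.match(line.strip()) for line in text.splitlines())
    return [(m["path"], m["verdict"], m["threat"], int(m["count"])) for m in matches if m]

def original_path(path):
    """Map a quarantine entry back to the lower-cased original path, or None if not quarantined."""
    m = QUARANTINE_RE.match(path)
    return (m.group(2) + ":\\" + m.group(3)).lower() if m else None

def looks_like_tdss(path):
    """True when the file name follows the TDSS naming pattern seen in the log."""
    return TDSS_NAME_RE.search(path) is not None

def triage(combofix_text, kaspersky_text):
    """Correlate ComboFix's deletions with the follow-up scan's verdicts.
    Returns (verdicts, unconfirmed): verdicts maps an original path to (threat, status),
    status being 'quarantined' (deleted and confirmed), 'quarantined-unlisted' (in the
    quarantine folder but not in the deletion list) or 'live' (outside the quarantine)."""
    removed = {p.lower() for p in deleted_files(combofix_sections(combofix_text))}
    verdicts = {}
    for path, _verdict, threat, _count in kaspersky_detections(kaspersky_text):
        orig = original_path(path)
        if orig is None:
            verdicts[path.lower()] = (threat, "live")
        else:
            verdicts[orig] = (threat, "quarantined" if orig in removed else "quarantined-unlisted")
    unconfirmed = sorted(p for p in removed if p not in verdicts)
    return verdicts, unconfirmed

if __name__ == "__main__":
    verdicts, unconfirmed = triage(COMBOFIX_LOG, KASPERSKY_REPORT)
    for path, (threat, status) in sorted(verdicts.items()):
        print(f"{status:22} {threat:26} {path}{'  (TDSS-style name)' if looks_like_tdss(path) else ''}")
    for path in unconfirmed:
        print(f"{'no verdict':22} {'-':26} {path}")
```

A 'live' entry is the one to worry about: a file the follow-up scan flagged that is not in ComboFix's quarantine is still on the running system, whereas everything under C:\Qoobox is inert and goes away when ComboFix is uninstalled.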
Old 12-06-2008, 01:37 PM   #6
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



Quote:
Also, now I am able to navigate normally (or so it appears) on the internet. AVG is still acting a bit funny--resident shield says it is not active, but also says that it is currently running. AVG also acts as if there are still active scans in process (it has thought that since before I first posted to this site).
Malware likes to target/disable the resident scanners. It's probable that AVG got somehow corrupted. It should be fixed by uninstalling > reboot > re-installing the program


------------


Of the stuff Kaspersky found, C:\QooBox\ is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - https://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → https://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • https://www.trillian.cc → Trillian or https://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • https://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • https://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • https://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - https://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
Old 12-06-2008, 01:47 PM   #7
Guest
 
Join Date: Dec 2008
Posts: 7
OS:



It turns out that AVG is now back to normal with simply a reboot (no uninstall or reinstall needed).

I uninstalled ComboFix successfully, but my schedule requires that I shut down the computer and attend to other things at the moment. I will come back tomorrow to finish up. In the meantime, thank you so much for your help!
Mookiee is offline  
 
