TechSpot

please please help with urlcpvfeed!

By 87togo
Jun 21, 2007
  1. This thing is killing me! Please tell me what to do. HJT log attached.
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi 87togo and welcome to techspot. =)

    You are running an outdated version of HijackThis.
    You can obtain the latest version from the link in my signature.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service
    poolsv
    svhost


    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    Viewpoint Manager

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [{00-0B-B4-44-ZN}] C:\windows\system32\mmdsregn.exe CHD003
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qwinnndt.exe CHD003
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\qwinnndt.exe
    O4 - Global Startup: ORiNOCO Client Manager.lnk = ?
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2215bfa02a3988e40d01/netzip/RdxIE601.cab
    O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
    O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\
    C:\WINDOWS\poolsv.exe
    C:\WINDOWS\svhost.exe
    C:\WINDOWS\system32\qwinnndt.exe

    Reboot into normal mode and rehide your protected OS files.

    Please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs; if you do, they will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

    This thread is for the use of 87togo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
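The entries momok picks out above share a few tell-tale traits: components registered but no longer on disk, executables dropped straight into the Windows root, names one character off a genuine system binary (svhost vs svchost, poolsv vs spoolsv), and a DPF entry pulling a bare .exe. As an added example that is not part of the thread or of HijackThis, the script below encodes those checks and runs them over the lines quoted in the post; the list of genuine binary names it compares against is an assumption.

```python
import re

# Constructed sample: the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qwinnndt.exe CHD003
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Assumed list of genuine Windows binaries whose names malware commonly imitates.
LEGIT = ("svchost.exe", "spoolsv.exe", "explorer.exe", "lsass.exe", "services.exe")

def within_one_edit(a, b):
    """True if a and b differ by at most one inserted, deleted or substituted character."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:] if len(a) < len(b) else a[i + 1:] == b[i:]

def assess_line(line):
    """Return (section, reasons) for a HijackThis line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: registered component no longer on disk")
    path = re.search(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))', body, re.I)
    if path:
        full = path.group(1)
        name = full.rsplit("\\", 1)[-1].lower()
        if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", full, re.I):
            reasons.append("executable in the Windows root rather than system32")
        for legit in LEGIT:
            if name != legit and within_one_edit(name, legit):
                reasons.append(f"name imitates {legit}")
    if section == "O16" and re.search(r"https?://\S+\.(?:exe|dll)$", body, re.I):
        reasons.append("O16 DPF pulls a bare executable instead of a signed .cab")
    return section, reasons

def flagged(text):
    """Map every log line that raised at least one flag to its list of reasons."""
    out = {}
    for line in text.splitlines():
        r = assess_line(line)
        if r and r[1]:
            out[line.strip()] = r[1]
    return out
```

The Viewpoint service and the qwinnndt.exe entries raise no flag here, which is the point: name-based heuristics catch the lookalikes but a human still has to recognise known adware and random-name droppers.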
     
  3. 87togo

    87togo TS Rookie Topic Starter

    Working the instructions to the letter. Thanks!

    87togo
     
  4. 87togo

    87togo TS Rookie Topic Starter

    followed all instructions

    momok:

    I followed all the instructions as best I could. I did have to log on and look at a few things on the 'net between running AdAware and AVG Spyware in step 14 of Howard's preliminary removal procedure.

    I have attached the three logs you asked for, and the AVG Antirootkit scan; it found 7 of my music files that had issues. I didn't know how to create a log of that for you.

    I really appreciate your help, and the TS Special Forces!

    87togo
     
  5. 87togo

    87togo TS Rookie Topic Starter

    identity theft

    momok:

    I posted an older hijackthis log to another board (tomcoyote.org) and got the following response. Should I take their advice?

    Thanks,

    87togo

    "Identity Theft

    I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
    The infection is delivered by the W32.Mydoom.I@mm worm.
    It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...

    IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and re-install your operating system and applications.

    We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the internet.

    The decision whether to reformat or not should be based on:
    The use of the computer - this is the primary factor in the decision whether to reformat and re-install, or just disinfect.
    The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a backdoor worm, the worst kind.

    If the computer has been used for any important data, you are strongly advised to do the following, immediately:
    Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
    Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
    If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
    From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
    Take any other steps you think appropriate for an attempted identity theft.

    While you are deciding whether to reformat and re-install, this can be a useful link."
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi

    I definitely agree with the advice given. To help make your judgement easier, please see our thread HERE.

    Let me know which route you intend to take.


    Regards,
    Your friendly momok =)

     
  7. 87togo

    87togo TS Rookie Topic Starter

    Momok:

    I will try to figure out what to do.... meantime, I will start changing passwords (from another computer).

    I use that computer for everything!

    I did make a complete image of this drive a while ago. Is there any way to discover when the MyDoom infection happened? I might be able to reinstall that image.

    Thanks,

    87togo
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I'm afraid I am unable to tell you that as I do not have a combofix log from you before I asked you to fix svhost.exe.

    Judging from your current ComboFix log, the earliest nasty file I see in there was created on 17th June. However, your system may have been infected before that. You'll have to recall when your problems first appeared, and take away a few days before then to be safe.

    Just to check, when and where did you make a complete image of your drive? Are there other drives/partitions on this system?


    Regards,
    Your friendly momok =)

     
  9. 87togo

    87togo TS Rookie Topic Starter

    Could I restore the backup (after formatting my hard drive) and then post a Combofix log of the restored system to see if it is infected?

    Thanks,

    87togo
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I'm not sure how you can do a restore if you completely format your hard drive? In any case, I do hope you have taken the necessary steps to safeguard your sensitive information.

    Regards,
    Your friendly momok =)

     
  11. 87togo

    87togo TS Rookie Topic Starter

    Hi momok,

    I finally restored my system from a backup image. I then downloaded and used HijackThis and ComboFix. The logs are attached. I am wondering if the MyDoom worm is in my machine now that I have done the restore. Hopefully it was not in there when I made the image. Meanwhile, I am going to go through Howard Hopkins' preliminary removal process. Please let me know if MyDoom is present. When I am done with the removal, I will post new logs.

    Many thanks,

    87togo
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    From those 2 logs, I do not see signs of the MyDoom infection. However, that system state is definitely not clean. When you are done with the logs I shall proceed to help you clean, or alternatively you may choose to reformat.

    I suspect the worm was downloaded when your internet security was already compromised by your infections.

    Post your new logs in the next reply, or let me know if you wish to reformat.


    Regards,
    Your friendly momok =)

     
  13. 87togo

    87togo TS Rookie Topic Starter

    Hello again,

    Yes it seems quite infected, so I ran the standard cleaning process. I've attached my new logs. Please let me know what to do next.

    Thanks!

    87togo
     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download the attached "CFScript.txt" (from my attachment) and save it to the same folder as Combofix.

    Boot into safe mode under your normal user name. See how HERE
    Next turn on "Show all files and folders, including hidden and system". See how HERE

    1. Go to start > run and type services.msc. Press the enter key.
      Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

      Viewpoint Manager Service

    2. Go to start > Control Panel > Add and Remove Programs.
      Remove anything related to the following:

      Viewpoint Manager

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

      O4 - Global Startup: ORiNOCO Client Manager.lnk = ?

      O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll

      O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2215bfa02a3988e40d01/netzip/RdxIE601.cab

      O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe

      O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

      Close HJT.

    4. Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to Combofix.exe and release.

      [image: CFScript.txt being dragged onto Combofix.exe]

      This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    5. Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

     
  15. 87togo

    87togo TS Rookie Topic Starter

    Hi,

    Okay, the logs are attached. Please let me know what to do next.

    Many thanks,

    87togo
     
  16. momok

    momok TS Rookie Posts: 2,265

    Well done.

    Have HijackThis fix these entries:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} -
    O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} -

    Apart from that, your logs look clean now.

    1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
      You may also delete the C:\avenger and C:\VundoFix Backups folder and its contents.

    2. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    3. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    4. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend that you read this article.
      This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

     
  17. 87togo

    87togo TS Rookie Topic Starter

    Friendly momok,

    Thank you so much for your help!!!! You and the TS Special Forces are to be commended for your battle against the malicious and invasive species of sub-human hackers/virus writers of the world.

    It has been a great pleasure working with you, even though the circumstances themselves were unpleasant.

    I wish you great success in all of your endeavours,

    87togo
     
  18. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Thank you for the kind comments. Enjoy your clean system!

    Regards,
    Your friendly momok =)
     
Topic Status:
Not open for further replies.
