please please help with urlcpvfeed!

Status
Not open for further replies.
Hi 87togo and welcome to techspot. =)

You are running an outdated version of HijackThis.
You can obtain the latest version from the link in my signature.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double-click each one and click Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Viewpoint Manager Service
poolsv
svhost


Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

Viewpoint Manager

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [{00-0B-B4-44-ZN}] C:\windows\system32\mmdsregn.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qwinnndt.exe CHD003
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\qwinnndt.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = ?
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2215bfa02a3988e40d01/netzip/RdxIE601.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Close HJT.

Navigate in Windows Explorer and delete the following files and folders:

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\
C:\WINDOWS\poolsv.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\qwinnndt.exe

Reboot into normal mode and rehide your protected OS files.

Please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs; if you do, they will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly momok =)

This thread is for the use of 87togo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
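As an added example that is not part of this thread: a small Python script that triages HijackThis log lines against the entries momok listed above, and adds a look-alike check for names such as svhost.exe and poolsv.exe, which are one character away from the legitimate svchost.exe and spoolsv.exe. The sample log lines are constructed from the entries quoted in the thread plus a couple of ordinary XP entries; the indicator sets, the list of imitated system binaries and the "autorun directly in C:\WINDOWS" heuristic are this example's own assumptions, not anything HijackThis does itself.

```python
"""Triage HijackThis log lines against the entries a helper asked to be fixed.

Added example, not part of the forum thread. Indicator sets and the
look-alike heuristic are assumptions made for this example.
"""
import re

# Constructed sample log: entries quoted in the thread plus ordinary XP entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qwinnndt.exe CHD003
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\qwinnndt.exe
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
"""

# Files and CLSIDs the thread's helper listed as "fix if found" (lower-cased paths).
KNOWN_BAD_PATHS = {
    r"c:\windows\poolsv.exe",
    r"c:\windows\svhost.exe",
    r"c:\windows\dh.dll",
    r"c:\windows\system32\qwinnndt.exe",
    r"c:\windows\system32\mmdsregn.exe",
    r"c:\windows\system32\dwdsregt.exe",
    r"c:\program files\viewpoint\common\viewpointservice.exe",
}
KNOWN_BAD_CLSIDS = {
    "{00000000-0000-0000-0000-000000000010}",
    "{7E853D72-626A-48EC-A868-BA8D5E23E045}",
    "{56336BCB-3D8A-11D6-A00B-0050DA18DE71}",
    "{66E79B75-F711-4A88-9C6D-10BCA64F3306}",
    "{FFFFFFFF-CAFE-BABE-BABE-00AA0055595A}",
}
# Legitimate Windows binaries whose names malware commonly imitates (assumed list).
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "explorer.exe", "csrss.exe"}

# A drive-letter path ending in .exe/.dll, quoted or not, with or without spaces.
PATH_RE = re.compile(r'([a-z]:\\.+?\.(?:exe|dll))(?=["\s]|$)', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the system binary `filename` is one edit away from, else None."""
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None
    for legit in sorted(SYSTEM_NAMES):
        if edit_distance(name, legit) == 1:
            return legit
    return None


def triage(log_text):
    """Return one finding per suspicious HJT line: {kind, entry, reasons}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]          # O2, O4, O16, O23, ...
        reasons = []
        if kind == "O2" and ("(no file)" in line or "(file missing)" in line):
            reasons.append("orphaned BHO registration")
        for clsid in CLSID_RE.findall(line):
            if clsid.upper() in KNOWN_BAD_CLSIDS:
                reasons.append(f"CLSID {clsid} listed for removal")
        m = PATH_RE.search(line)
        if m:
            path = m.group(1).lower()
            parent, _, fname = path.rpartition("\\")
            if path in KNOWN_BAD_PATHS:
                reasons.append(f"{path} listed for removal")
            legit = lookalike(fname)
            if legit:
                reasons.append(f"{fname} is one character away from {legit}")
            if kind == "O4" and parent == r"c:\windows":
                reasons.append("autorun binary sitting directly in C:\\WINDOWS")
        if reasons:
            findings.append({"kind": kind, "entry": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["entry"])
        for r in f["reasons"]:
            print("   ->", r)
```

The known-bad sets only reproduce what the helper already decided; the two heuristics are what catch the same kind of entry in a log you have not seen before. Neither replaces a hash or signature check on the file itself, which HJT does not do.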
 
followed all instructions

momok:

I followed all the instructions as best I could. I did have to log on and look at a few things on the 'net between running AdAware and AVG Spyware in step 14 of Howard's preliminary removal procedure.

I have attached the three logs you asked for. The AVG Antirootkit scan found 7 of my music files that had issues. I didn't know how to create a log of that for you.

I really appreciate your help, and the TS Special Forces!

87togo
 
Identity theft

momok:

I posted an older hijackthis log to another board (tomcoyote.org) and got the following response. Should I take their advice?

Thanks,

87togo

"Identity Theft

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by the W32.Mydoom.I@mm worm.
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...

IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and re-install your operating system and applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the internet.

The decision whether to reformat or not should be based on:
The use of the computer - this is the primary factor in the decision whether to reformat and re-install, or just disinfect.
The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a backdoor worm, the worst kind.

If the computer has been used for any important data, you are strongly advised to do the following, immediately:
Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to reformat and re-install, this can be a useful link."
 
Hi

I definitely agree with the advice given. To help make your judgement easier, please see our thread HERE.

Let me know which route you intend to take.


Regards,
Your friendly momok =)

 
Momok:

I will try to figure out what to do.... meantime, I will start changing passwords (from another computer).

I use that computer for everything!

I did make a complete image of this drive a while ago. Is there any way to discover when the MyDoom infection happened? I might be able to reinstall that image.

Thanks,

87togo
 
Hi,

I'm afraid I am unable to tell you that as I do not have a combofix log from you before I asked you to fix svhost.exe.

Judging from your current ComboFix log, the earliest nasty file I see in there was created on 17th June. However, your system may have been infected before that. You'll have to recall when your problems first appeared, and take away a few days before then to be safe.

Just to check, when and where did you make a complete image of your drive? Are there other drives/partitions on this system?


Regards,
Your friendly momok =)

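As an added example, not part of the thread: a small Python script that does what momok describes here with a ComboFix log, scanning the "Files Created" entries, taking the earliest creation time among the files already named as malicious, and subtracting a safety margin to decide whether a backup image is old enough to restore. The line layout, the sample section and its timestamps are constructed for this example (real ComboFix logs vary by version); the suspect paths are the ones named earlier in the thread.

```python
"""Bound the infection window from a ComboFix "Files Created" section.

Added example, not from the thread. The line layout below (date, time, size,
attributes, path) is a simplified assumption; real ComboFix logs vary by
version, so adapt LINE_RE to the log you actually have.
"""
import re
from datetime import date, datetime, timedelta

# Constructed sample section: paths come from the entries named in the thread,
# the timestamps are made up for this example.
SAMPLE_SECTION = r"""
2007-06-02 09:15        1,024   --a------   C:\Documents and Settings\user\My Documents\notes.txt
2007-06-17 20:33       45,056   --a------   C:\WINDOWS\svhost.exe
2007-06-17 20:33       40,960   --a------   C:\WINDOWS\poolsv.exe
2007-06-19 11:02       98,304   --a------   C:\WINDOWS\system32\qwinnndt.exe
2007-06-21 08:40        2,048   --a------   C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Files the helper identified as malicious (lower-cased for comparison).
SUSPECT_PATHS = {
    r"c:\windows\svhost.exe",
    r"c:\windows\poolsv.exe",
    r"c:\windows\system32\qwinnndt.exe",
    r"c:\program files\viewpoint\common\viewpointservice.exe",
}

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$"
)


def parse_section(text):
    """Return (created, size, path) tuples for every line matching LINE_RE."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, clock, size, _attrs, path = m.groups()
        created = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M")
        records.append((created, int(size.replace(",", "")), path))
    return records


def earliest_suspect(records, suspects=SUSPECT_PATHS):
    """Creation time of the oldest file in `suspects`, or None if none appear."""
    hits = [created for created, _size, path in records if path.lower() in suspects]
    return min(hits) if hits else None


def restore_cutoff(earliest, margin_days=3):
    """Date an image must predate to be considered safe to restore.

    The margin follows the thread's advice to "take away a few days to be safe":
    NTFS creation times are only a lower bound on when the compromise began,
    and a dropper can copy or forge timestamps, so the earliest artifact is not
    the exact moment of infection.
    """
    return (earliest - timedelta(days=margin_days)).date()


def image_predates_infection(image_date_iso, cutoff):
    """True if an image taken on `image_date_iso` (YYYY-MM-DD) is older than cutoff."""
    return date.fromisoformat(image_date_iso) < cutoff


if __name__ == "__main__":
    recs = parse_section(SAMPLE_SECTION)
    first = earliest_suspect(recs)
    cut = restore_cutoff(first)
    print(f"earliest suspect file created {first:%Y-%m-%d %H:%M}; "
          f"restore an image from before {cut}")
    for img in ("2007-06-01", "2007-06-15"):
        verdict = "safe" if image_predates_infection(img, cut) else "may already contain the infection"
        print(img, verdict)
```

Note that the benign notes.txt entry, created earlier than any suspect file, does not pull the cutoff back: only files already identified as malicious count, which is why the triage has to come first. Also, a fresh scan of the restored image (as 87togo does later in this thread) is still needed, because an image taken inside the margin can carry a dropper that has not yet written the files the log shows.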
 
Could I restore the backup (after formatting my hard drive) and then post a Combofix log of the restored system to see if it is infected?

Thanks,

87togo
 
Hi,

I'm not sure how you can do a restore if you completely format your hard drive? In any case, I do hope you have taken the necessary steps to safeguard your sensitive information.

Regards,
Your friendly momok =)

 
Hi momok,

I finally restored my system from a backup image. I then downloaded and used HijackThis and ComboFix. The logs are attached. I am wondering if the MyDoom worm is in my machine now that I have done the restore. Hopefully it was not in there when I made the image. Meanwhile, I am going to go through Howard Hopkins' preliminary removal process. Please let me know if MyDoom is present. When I am done with the removal, I will post new logs.

Many thanks,

87togo
 
Hi,

From those 2 logs, I do not see signs of the MyDoom infection. However, that system state is definitely not clean. When you are done with the logs I shall proceed to help you clean, or alternatively you may choose to reformat.

I suspect the worm was downloaded when your internet security was already compromised by your infections.

Post your new logs in the next reply, or let me know if you wish to reformat.


Regards,
Your friendly momok =)

 
Hello again,

Yes it seems quite infected, so I ran the standard cleaning process. I've attached my new logs. Please let me know what to do next.

Thanks!

87togo
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Download the attached "CFScript.txt" (from my attachment) and save it to the same folder as Combofix.

Boot into safe mode under your normal user name. See how HERE
Next turn on "Show all files and folders, including hidden and system". See how HERE

  1. Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double-click each one and click Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    Viewpoint Manager Service

  2. Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    Viewpoint Manager

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - Global Startup: ORiNOCO Client Manager.lnk = ?

    O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2215bfa02a3988e40d01/netzip/RdxIE601.cab

    O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Close HJT.

  4. Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to Combofix.exe and release.

    [image: CFScript.gif]


    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

  5. Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

 
Well done.

Have HijackThis fix these entries:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} -
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} -

Apart from that, your logs look clean now.

  1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
    You may also delete the C:\avenger and C:\VundoFix Backups folders and their contents.

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  4. Often, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

 
Friendly momok,

Thank you so much for your help!!!! You and the TS Special Forces are to be commended for your battle against the malicious and invasive species of sub-human hackers/virus writers of the world.

It has been a great pleasure working with you, even though the circumstances themselves were unpleasant.

I wish you great success in all of your endeavours,

87togo
 
Hi,

Thank you for the kind comments. Enjoy your clean system!

Regards,
Your friendly momok =)
 