
Google Redirect Virus



I started having trouble with my PC (running Windows XP) several days ago. Here are the symptoms I'm seeing:

(1) Google redirects. Often but not always when I click on a link in the results from a Google search, I am redirected to a spammy ad site rather than the correct site associated with the search result.

(2) When I visit google by typing www.google.com in the address bar I get redirected to the preferences page with a warning telling me that my cookies have been disabled and setting preferences will not work until I enable cookies in my browser. It's true that I don't allow cookies for www.google.com (I have it marked as an exception) but this is nothing new and I've never had that problem before. I should also add that if I visit google by creating a new browser window (it's my default site) I don't get this error and am able to search.

(3) I get intermittent errors telling me that this or that exe has encountered a problem and needed to close. The most common one of these exes is MessageCenterPlus.exe. I get errors popping up about that one every hour or so. Also on startup I get similar messages about nhc.exe and SUService.exe.

(4) Every once in a while (maybe a couple of times a day) the focus just randomly switches from Firefox to either some other program entirely or another firefox window.

The second through fourth symptoms may or may not be viruses though I suspect that they are related.

Here's what I've done so far (following the instructions in the tacked 'I'm infected' post):

(1) Ran a Malwarebytes quick scan which identified 12 threats all associated with AdWare.agent (or something very similar) and allowed MWBytes to remove the infected files / keys. After restarting I did another MWBytes quick scan which came up clean. Unfortunately though I still see all of the symptoms listed above. (log file for most recent scan included inline below)

(2) Downloaded Avira Antivirus Personal, updated it and did a complete scan which identified 96 viruses or unwanted programs. Had it quarantine the problematic files and restarted. Still seeing the same symptoms.

(3) Downloaded DeFogger and disabled CD emulation drivers. (Note: contra the instructions on the "I'm infected" page, DeFogger did NOT ask me to reboot after it finished disabling the drivers but I did so anyway)

(4) Downloaded and ran DDS. (DDS.txt included inline below and Attach.txt zipped and attached)

(5) Downloaded and ran GMER. (ark.txt zipped and attached)

Let me know if you need anything else and thanks in advance for any help.

-ts1971

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6897

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/19/2011 2:17:29 PM

mbam-log-2011-06-19 (14-17-29).txt

Scan type: Quick scan

Objects scanned: 145214

Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Run by Administrator at 17:00:10 on 2011-06-19

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2332 [GMT -7:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe

C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\FreePDF_XP\fpassist.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Lenovo\Client Security Solution\password_manager.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

.

============== Pseudo HJT Report ===============

.

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: 90cd0c88: {1123b85b-f2a7-de5f-fdf9-6c8cb1e4d803} - c:\windows\system32\msidntld32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [<NO NAME>]

mRun: [TpShocks] TpShocks.exe

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe

mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent

mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe

mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NotebookHardwareControl] "c:\program files\notebook hardware control\nhc.exe" -quiet

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [FreePDF Assistant] c:\program files\freepdf_xp\fpassist.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\administrator\desktop\PartyPoker.lnk

IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 172.27.35.1

TCP: Interfaces\{EEDD885B-B6EC-4E15-B3BD-665DE4CFC845} : DhcpNameServer = 172.27.35.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll

Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll

AppInit_DLLs: c:\windows\system32\msidntld32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\boiioctq.default\

FF - prefs.js: keyword.URL - hxxp://www.resultbar.com/?tmp=nemo_results_removelink&prt=RstbarPB&keywords=

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Diccionario de Espa

ark.zip

attach.zip


Hi ts1971


Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hi Kenny. Thanks in advance for all of your help. I ran ComboFix but don't see the ComboFix.txt log file anywhere. There may have been a problem; I'm not sure. I just (after allowing it to install Windows Recovery Console) kicked it off and walked away and when I came back 10 minutes later I had a logon screen. I do notice a ComboFix 'symlink' (I don't know the Windows terminology) to the root of my filesystem - C:/ComboFix. Should I run it again?

Thanks.

-ts1971


Hi,

The ComboFix log resides in your C: drive. Look in C:\ for the most current log, ComboFix.txt.

If you can't find it, then run ComboFix again and post the log please.

Okay, I have the log this time. It also didn't reboot my system this time so I have no idea what happened the last time through. It may have been that the reboot was necessary to install Recovery Console. In any event, here is this log:

ComboFix 11-06-19.0r1 - Administrator 06/20/2011 11:53:14.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2429 [GMT -7:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Application Data\AD ON Multimedia

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\extensions\{dc614c40-c64f-4311-b106-49b60146cb77}

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\extensions\{dc614c40-c64f-4311-b106-49b60146cb77}\chrome.manifest

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\extensions\{dc614c40-c64f-4311-b106-49b60146cb77}\chrome\xulcache.jar

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\extensions\{dc614c40-c64f-4311-b106-49b60146cb77}\defaults\preferences\xulcache.js

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\extensions\{dc614c40-c64f-4311-b106-49b60146cb77}\install.rdf

c:\documents and settings\All Users\Application Data\Tarma Installer

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico

.

.

((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))

.

.

2011-06-20 15:32 . 2011-06-20 15:32 -------- d-----w- c:\windows\LastGood

2011-06-19 21:35 . 2011-06-19 23:38 -------- d-----w- c:\windows\system32\NtmsData

2011-06-19 21:34 . 2011-06-19 21:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira

2011-06-19 21:27 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-19 21:27 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-19 21:27 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-19 21:27 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-19 21:27 . 2011-06-19 21:27 -------- d-----w- c:\program files\Avira

2011-06-19 21:27 . 2011-06-19 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-06-17 06:49 . 2011-06-17 06:49 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2011-06-13 04:04 . 2011-06-13 04:04 0 ---ha-w- c:\documents and settings\Administrator\djopfpjzvg.tmp

2011-06-12 20:05 . 2011-06-12 20:05 175616 ----a-w- c:\windows\system32\msidntld32.dll

2011-06-12 08:27 . 2011-06-12 08:27 -------- d-----w- c:\program files\gs

2011-06-12 08:15 . 2011-06-19 21:08 -------- d-----w- c:\program files\Yontoo Layers

2011-06-12 08:12 . 2011-06-16 18:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FreePDF_XP

2011-06-12 08:11 . 2011-06-12 08:55 -------- d-----w- c:\program files\FreePDF_XP

2011-06-12 08:11 . 2011-06-12 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\FreePDF

2011-06-12 08:11 . 2010-06-18 04:56 45056 ----a-w- c:\windows\system32\unredmon.exe

2011-06-12 08:11 . 2010-06-18 04:56 116224 ----a-w- c:\windows\system32\redmonnt.dll

2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-20 15:35 . 2011-01-03 17:07 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys

2011-06-12 08:31 . 2011-05-14 05:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-29 16:11 . 2011-05-14 04:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11 . 2011-05-14 04:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-10-16 01:18 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

.

[-] 2008-10-16 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1123B85B-F2A7-DE5F-FDF9-6C8CB1E4D803}]

2011-06-12 20:05 175616 ----a-w- c:\windows\system32\msidntld32.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]

"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-20 487424]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-24 331776]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-24 208896]

"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]

"TpShocks"="TpShocks.exe" [2008-06-06 181536]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-08 165208]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-08 124248]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-13 3073336]

"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-12 423200]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-30 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-30 178712]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-30 150040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"NotebookHardwareControl"="c:\program files\Notebook Hardware Control\nhc.exe" [2007-05-04 2629632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]

"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2010-06-18 370176]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

"_nltide_3"="advpack.dll" [2009-03-08 128512]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1954-2-14 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 12:07 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2008-08-08 14:44 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\msidntld32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 4:51 AM 19496]

R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/8/2008 6:20 PM 46144]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/19/2011 2:27 PM 136360]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [12/23/2008 12:13 AM 94208]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 4:55 AM 520192]

R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/8/2008 6:20 PM 253952]

R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [12/23/2008 12:24 AM 72448]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [9/19/2008 4:59 AM 243856]

R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [6/7/2007 10:06 PM 81280]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 4:24 AM 37312]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-10-31 18:14]

.

2011-06-20 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-12-23 21:17]

.

2011-06-20 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 05:18]

.

.

------- Supplementary Scan -------

.

TCP: DhcpNameServer = 172.27.35.1

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\

FF - prefs.js: keyword.URL - hxxp://www.resultbar.com/?tmp=nemo_results_removelink&prt=RstbarPB&keywords=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Diccionario de Espa


The search redirections should have stopped now. Have they? Also, your PC is missing some files. We'll use Dial-A-Fix to replace them.

  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors; just ignore them and click OK to continue.
  • Press the green double checkmark box.
  • UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section.
  • Click on Go
  • Wait for Dial-A-Fix to finish (all the check marks will be gone)
  • Close Dial-A-Fix

Next

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt onto the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply. Also, let me know how your PC is doing.

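To show what a helper is reading for in the Pseudo HJT Report and Reg Loading Points sections above, here is an added triage script (my example, not code from DDS, ComboFix or this forum) that flags the indicators in this thread: the AppInit_DLLs entry, the hex-named BHO pointing at the same DLL, the Firefox keyword.URL hijack, and the Security Center override and firewall values that the CFScript reverts. The sample lines are constructed to mimic the log format; the paths, CLSIDs and values are the ones that appear in the posted logs.

```python
"""Triage helper for DDS "Pseudo HJT Report" and ComboFix "Reg Loading Points"
lines.  Added example for this thread; not part of DDS, ComboFix or the forum."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the two log formats shown in the thread.  The paths,
# CLSIDs and registry values are the ones that appear in the posted logs.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: 90cd0c88: {1123b85b-f2a7-de5f-fdf9-6c8cb1e4d803} - c:\windows\system32\msidntld32.dll
AppInit_DLLs: c:\windows\system32\msidntld32.dll
FF - prefs.js: keyword.URL - hxxp://www.resultbar.com/?tmp=nemo_results_removelink&prt=RstbarPB&keywords=
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

BHO_RE = re.compile(r"^BHO: (?P<name>.*?): (?P<clsid>\{[0-9a-f-]+\}) - (?P<path>.+)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<path>.+)$", re.I)
FFPREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.+)$")
REGKEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches numeric REGEDIT4 values ("x"=dword:00000001) and ComboFix's
# "x"= 0 (0x0) form; string values (quoted paths) deliberately do not match.
REGVAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:)?(?P<value>[0-9a-fx]+)', re.I)
# Heuristic: a BHO whose display name is just a run of hex digits.
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)


def parse_log(text: str) -> Dict[str, object]:
    """Pull BHOs, AppInit_DLLs, Firefox prefs and numeric registry values out of the log."""
    bhos: List[Tuple[str, str, str]] = []
    appinit: List[str] = []
    ff_prefs: Dict[str, str] = {}
    reg: Dict[Tuple[str, str], int] = {}
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := BHO_RE.match(line)):
            bhos.append((m["name"], m["clsid"].lower(), m["path"].lower()))
        elif (m := APPINIT_RE.match(line)):
            # AppInit_DLLs may list several DLLs separated by commas.
            appinit.extend(p.strip().lower() for p in m["path"].split(",") if p.strip())
        elif (m := FFPREF_RE.match(line)):
            ff_prefs[m["key"]] = m["value"]
        elif (m := REGKEY_RE.match(line)):
            current_key = m["key"].lower()
        elif current_key and (m := REGVAL_RE.match(line)):
            reg[(current_key, m["name"].lower())] = int(m["value"], 16)
    return {"bhos": bhos, "appinit": appinit, "ff_prefs": ff_prefs, "reg": reg}


def triage(text: str) -> List[Dict[str, str]]:
    """Return the findings a helper would call out, each with a severity and detail."""
    parsed = parse_log(text)
    findings: List[Dict[str, str]] = []

    def add(severity: str, indicator: str, detail: str) -> None:
        findings.append({"severity": severity, "indicator": indicator, "detail": detail})

    bho_paths = {path for _, _, path in parsed["bhos"]}
    for dll in parsed["appinit"]:
        # AppInit_DLLs is loaded into every process that links user32.dll;
        # a DLL that is also a BHO is the classic redirect-hijacker layout.
        note = "loaded into every user32-linked process"
        if dll in bho_paths:
            note += "; same DLL also registered as a BHO"
        add("high", "AppInit_DLLs", f"{dll} {note}")
    for name, clsid, path in parsed["bhos"]:
        if RANDOM_NAME_RE.match(name):
            add("medium", "BHO", f"{path} registered under meaningless name {name!r} ({clsid})")
    # keyword.URL only shows up in prefs.js when changed from the built-in default,
    # so any value here means address-bar searches have been re-pointed.
    url = parsed["ff_prefs"].get("keyword.URL", "")
    if url:
        add("medium", "keyword.URL", f"Firefox address-bar searches go to {url}")
    sc = "hkey_local_machine\\software\\microsoft\\security center"
    for val in ("antivirusoverride", "firewalloverride"):
        if parsed["reg"].get((sc, val)) == 1:
            add("medium", val, "Security Center alerting for this component is suppressed")
    fw = "hklm\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
    if parsed["reg"].get((fw, "enablefirewall")) == 0:
        add("medium", "EnableFirewall", "Windows Firewall standard profile is disabled")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['indicator']}: {f['detail']}")
```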

Hi Again,

First a status: things are looking better. I believe that the google redirects have stopped. I can't say that with absolute certainty though as it wasn't something that happened every time. The issue with getting the cookies error when I'd access google via the URL bar has been resolved. I still do see the 'exe has encountered an error and has to shut down' errors for nhc.exe and SUService.exe though those may not be virus related. I dunno.

Anyway, I ran Dial-A-Fix to completion, though I did get a lot (>10) of errors complaining that this or that dll was corrupted and couldn't be registered. I then ran ComboFix again (it asked me to restart afterwards, which I did). Thanks again and here is the log:

ComboFix 11-06-19.0r1 - Administrator 06/20/2011 12:46:54.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2514 [GMT -7:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))

.

.

2011-06-20 19:38 . 2011-06-20 19:53 -------- d-----w- c:\windows\system32\CatRoot2

2011-06-19 21:35 . 2011-06-19 23:38 -------- d-----w- c:\windows\system32\NtmsData

2011-06-19 21:34 . 2011-06-19 21:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira

2011-06-19 21:27 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-19 21:27 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-19 21:27 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-19 21:27 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-19 21:27 . 2011-06-19 21:27 -------- d-----w- c:\program files\Avira

2011-06-19 21:27 . 2011-06-19 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-06-17 06:49 . 2011-06-17 06:49 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2011-06-13 04:04 . 2011-06-13 04:04 0 ---ha-w- c:\documents and settings\Administrator\djopfpjzvg.tmp

2011-06-12 20:05 . 2011-06-12 20:05 175616 ----a-w- c:\windows\system32\msidntld32.dll

2011-06-12 08:27 . 2011-06-12 08:27 -------- d-----w- c:\program files\gs

2011-06-12 08:15 . 2011-06-19 21:08 -------- d-----w- c:\program files\Yontoo Layers

2011-06-12 08:12 . 2011-06-16 18:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FreePDF_XP

2011-06-12 08:11 . 2011-06-12 08:55 -------- d-----w- c:\program files\FreePDF_XP

2011-06-12 08:11 . 2011-06-12 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\FreePDF

2011-06-12 08:11 . 2010-06-18 04:56 45056 ----a-w- c:\windows\system32\unredmon.exe

2011-06-12 08:11 . 2010-06-18 04:56 116224 ----a-w- c:\windows\system32\redmonnt.dll

2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-20 19:54 . 2011-01-03 17:07 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys

2011-06-12 08:31 . 2011-05-14 05:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-29 16:11 . 2011-05-14 04:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11 . 2011-05-14 04:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-10-16 01:18 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

.

[-] 2008-10-16 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-06-20_18.56.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-06-20 19:54 . 2011-06-20 19:54 16384 c:\windows\temp\Perflib_Perfdata_854.dat

+ 2011-06-20 19:52 . 2011-06-20 19:52 16384 c:\windows\temp\Perflib_Perfdata_7d4.dat

+ 2004-08-04 11:00 . 2011-06-20 19:23 67714 c:\windows\system32\perfc009.dat

- 2004-08-04 11:00 . 2011-06-20 15:35 67714 c:\windows\system32\perfc009.dat

+ 2004-08-04 11:00 . 2011-06-20 19:23 432924 c:\windows\system32\perfh009.dat

- 2004-08-04 11:00 . 2011-06-20 15:35 432924 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1123B85B-F2A7-DE5F-FDF9-6C8CB1E4D803}]

2011-06-12 20:05 175616 ----a-w- c:\windows\system32\msidntld32.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]

"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-20 487424]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-24 331776]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-24 208896]

"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]

"TpShocks"="TpShocks.exe" [2008-06-06 181536]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-08 165208]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-08 124248]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-13 3073336]

"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-12 423200]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-30 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-30 178712]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-30 150040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"NotebookHardwareControl"="c:\program files\Notebook Hardware Control\nhc.exe" [2007-05-04 2629632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]

"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2010-06-18 370176]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

"_nltide_3"="advpack.dll" [2009-03-08 128512]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1954-2-14 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 12:07 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2008-08-08 14:44 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\msidntld32.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 4:51 AM 19496]

R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/8/2008 6:20 PM 46144]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/19/2011 2:27 PM 136360]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 11:19 AM 50704]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [12/23/2008 12:13 AM 94208]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 4:55 AM 520192]

R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/8/2008 6:20 PM 253952]

R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [12/23/2008 12:24 AM 72448]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [9/19/2008 4:59 AM 243856]

R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [6/7/2007 10:06 PM 81280]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 4:24 AM 37312]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-10-31 18:14]

.

2011-06-20 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-12-23 21:17]

.

2011-06-20 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 05:18]

.

.

------- Supplementary Scan -------

.

TCP: DhcpNameServer = 172.27.35.1

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\

FF - prefs.js: keyword.URL - hxxp://www.resultbar.com/?tmp=nemo_results_removelink&prt=RstbarPB&keywords=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Diccionario de Espa


Those errors are related to ThinkPad. Do you use the ThinkPad 11a/b/g/n Wireless LAN Mini-PCI Express Adapter? Or any of the ThinkPad products?

Please run this online scan to help look for remnants.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Hmmm. I do use the wireless when I travel so I guess I must use that adapter. I don't use any of the other utilities though. I'm not sure why they would have started misbehaving all of a sudden. Once I get the virus stuff all straightened out maybe I'll look into updating them ...

Here's the ESET log:

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=b81f5bdb7da34e409fb23460fd89f73c

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-06-20 09:59:15

# local_time=2011-06-20 02:59:15 (-0700, US Mountain Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 16775141 100 93 0 45017259 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=122179

# found=10

# cleaned=0

# scan_time=4045

C:\JasonsDownloads\BandooV3.exe probably a variant of Win32/Adware.Bandoo.AA application (unable to clean) 00000000000000000000000000000000 I

C:\JasonsDownloads\SmitfraudFix.zip multiple threats (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\extensions\{dc614c40-c64f-4311-b106-49b60146cb77}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\boiioctq.default\extensions\{dc614c40-c64f-4311-b106-49b60146cb77}\chrome\xulcache.jar.vir JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{83816A0C-1213-4539-A553-0BFB3462DC43}\RP852\A0015847.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{83816A0C-1213-4539-A553-0BFB3462DC43}\RP857\A0017108.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{83816A0C-1213-4539-A553-0BFB3462DC43}\RP857\A0017110.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I

C:\WINDOWS\system32\msidntld32.dll Win32/TrojanDownloader.Agent.PDY trojan (unable to clean) 00000000000000000000000000000000 I

${Memory} Win32/TrojanDownloader.Agent.PDY trojan 00000000000000000000000000000000 I


The other entities are in System Restore and Qoobox is part of ComboFix. We'll remove them in the next post. Let's remove these two files and do some house cleaning as well.

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes

    :Services

    :Reg

    :Files
    C:\JasonsDownloads\BandooV3.exe
    C:\JasonsDownloads\SmitfraudFix.zip
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]


  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


I was asked to reboot and after reboot, here is the log:

All processes killed

========== PROCESSES ==========

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\JasonsDownloads\BandooV3.exe moved successfully.

C:\JasonsDownloads\SmitfraudFix.zip moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 39021 bytes

->Temporary Internet Files folder emptied: 490853 bytes

->Java cache emptied: 446680 bytes

->FireFox cache emptied: 57025354 bytes

->Flash cache emptied: 282801 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2483228 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 16384 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 58.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.18.0 log created on 06202011_153106

Files moved on Reboot...

Registry entries deleted on Reboot...


Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

It's a good idea to Flush your System Restore after removing malware and create a new restore point.

To SET A NEW RESTORE POINT:

1. Go to Start > Programs > Accessories > System Tools and click "System Restore".

2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

3. Then go to Start > Run and type: Cleanmgr

4. Click "OK".

5. Click the "More Options" Tab.

6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.

How to Create a Restore Point.

How to use Cleanmgr.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, Firefox and Opera, both of which are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Tips for Speeding Up Your PC

Visit My Blog for Malware and Spyware Tips

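As an added example that is not part of this thread or of any tool used in it, the following PowerShell script checks the same six Internet-zone settings the post above changes through the IE GUI by reading them from the registry, and applies the recommended values when run with -Fix. It assumes the documented IE zone action IDs (0 = Enable, 1 = Prompt, 3 = Disable) and the per-user zone key.

```powershell
# Added example (not from the thread): audit, and optionally apply, the Internet-zone
# hardening the post recommends. Assumptions: the documented IE zone action IDs and
# value meanings (0 = Enable, 1 = Prompt, 3 = Disable), and the per-user zone key.
# Caveat: if the Security_HKLM_only policy is set, IE reads the HKLM copy of this key
# instead, so a per-user audit is not authoritative on such a machine.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet

# Action ID -> description (as worded in the post) and the value the post recommends.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction {
    param([string]$Id)
    # Returns the stored DWORD, or $null when the value is absent
    # (IE then falls back to the zone template default).
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties[$Id]) { return $null }
    return [int]$props.$Id
}

function Test-InternetZoneHardening {
    param([switch]$Fix)
    $results = @()
    foreach ($id in $Recommended.Keys) {
        $entry = $Recommended[$id]
        $have  = Get-ZoneAction -Id $id
        $ok    = ($have -eq $entry.Want)
        if (-not $ok -and $Fix) {
            # Same change the "Custom Level" dialog makes; IE stores these as DWORDs.
            Set-ItemProperty -Path $ZoneKey -Name $id -Value $entry.Want -Type DWord
            $have = $entry.Want
            $ok   = $true
        }
        $haveLabel = if ($null -eq $have) { 'not set (default)' } else { $Label[$have] }
        $status    = if ($ok) { 'OK' } else { 'CHANGE' }
        $results  += [pscustomobject]@{
            Action  = $id
            Setting = $entry.Name
            Current = $haveLabel
            Wanted  = $Label[$entry.Want]
            Status  = $status
        }
    }
    return $results
}

# Report only; run Test-InternetZoneHardening -Fix to apply the recommended values.
Test-InternetZoneHardening | Format-Table -AutoSize
```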

Hi Kenny,

I've updated / cleaned up just about everything I can find to clean up so I think that I'm all set. I really appreciate your help with this and I'll definitely be hitting your PayPal button (though not until tomorrow, I'm tirrreeeedddddd at the moment).

One last question: I have either updated or uninstalled everything that OSI complained about except for one instance of IE which is located at:

C:\WINDOWS\ERDNT\cache\iexplore.exe

I have no idea what this is but I did a little googling and it looks like ERDNT is some kind of registry backup. Is that file safe? Or if not, can I just delete the ERDNT directory?

Thanks again.

-ts1971


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
