TechSpot

Google redirect, AV & IE damage

Solved
By tatterjack
Oct 13, 2011
  1. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    OK. I'll post again tomorrow.
  2. Broni

    Broni Malware Annihilator Posts: 46,719   +254

    OK.................
  3. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    I'll have a think about it over the weekend.
  4. Broni

    Broni Malware Annihilator Posts: 46,719   +254

    No problem :)
  5. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Possibly Resolved

    Hi Broni,

    Apologies for not posting yesterday. I decided I would go for a clean reinstall but since I had nothing to lose would give disinfecting one more try. Over the weekend I went over all the tool reports and prepared a list of all the registry entries, files and folders they deleted and also our actions round about the points we thought we had made headway. It's in a spreadsheet and I'd be happy to attach it if you would find it useful.

    Here's the list of what I did. I've retained all the logs and can post these as well. All the tools were downloaded on a good machine and copied via a USB stick which was always reformatted after being in the infected machine.

    1) Completely removed McAfee using the MCPR tool
    2) Uninstalled Adobe Reader 8 via add/remove pgms
    3) Followed these instructions to completely remove any remnants of Adobe Reader 8
    4) Found and deleted AcroRd32Infomgr.exe in c:\program files\adobe...\reader\. It had the quill and inkwell icon used by the virus.
    5) Uninstalled Adobe Flash
    6) Backed up the registry
    7) Followed the instructions Here to restore the Safe Mode registry keys. This did not apparently work. The safeboot key was still empty.
    8) Booted into OTLPE and used the remote registry tool and the file tool to remove the list of entries I made earlier
    9) Compared acpi.sys to a copy from a good XP SP3 system. It was identical.
    10) Searched for and deleted any remaining copies of lmllhkfv.exe
    11) Emptied all temp and temp internet folders
    12) Ran OTLPE quick scan which looked clean
    13) Put copies of any tools I thought I would need on C:\ and the desktop
    14) Rebooted normally
    15) Ran FixTDSS: "Tidserv has not been found"
    16) Ran TDSSKiller. 0 threats.
    17) Ran ComboFix: "Expired. Reduced functionality". Only stage 49 apparently, but at least 3 reg keys and one module of the virus had returned.

    Oh hubris

    18) Redownloaded ComboFix and ran again (NB: no NirCmd message)
    19) Unticked all startups and non-Microsoft services in msconfig
    20) Booted into OTLPE and removed all the reg keys and modules again
    21) Rebooted normally
    22) Ran new ComboFix. Apparently clean.
    23) Checked safeboot key. It was fully populated!
    24) Ran Kaspersky scan with the Prompt action in case I lost the reports again. It found about 700 infections over two runs, most of which I chose to disinfect. They were dll's belonging to many different programs, some of which I can uninstall, some of which I need, so we will see.

    That's where I am now

    Things I still have to do:

    1) Uninstall the programs I don't need that were disinfected: Chrome, Belkin wireless, Virtual Clone, HP Printer
    2) Install a free AV, Java, Flash, Adobe Reader
    3) Test IE/Google
    4) Test the programs I need
    5) Virus check and replace if necessary remaining modules on the startup lists.
    6) Clean out System Restore
    7) Test Safe Mode
    8) Take a DriveImage

    Please also accept my apologies for not involving you in this but with the California/UK time difference and the slowness of communicating via TechSpot it was just going to take too long.
    I'll understand if you want to wash your hands of it but if you do have any advice I would be very grateful to receive it. I couldn't have done this without your assistance.
  6. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Problem Resolved

    I think the computer is now completely free of the virus and working normally. Here's a list of the remaining things I did.

    1) Uninstalled Chrome, Google Toolbar, Belkin 54G Network Adapter, Freecom Media Suite, Virtual Clone, Yahoo Toolbar, WD Diags
    2) Corrected time
    3) Installed the following from standalone installers: AVG Free, Adobe Reader 10 (still had to restore pdf file associations), Flash 11, Java
    4) Checked safemode worked OK
    5) Checked sound worked OK
    6) Checked all the programs stopped in Msconfig that I planned to keep at virustotal.com

    smax4pnp.exe
    hptlpxfx.exe
    cvpnd.exe
    idrivert.exe
    mdm.exe
    ose.exe

    All passed 0/43 except idrivert.exe which got 1/43.
    I also checked them against the Kaspersky disinfected list. Only idrivert.exe and smax4pnp.exe were in it.
    Decided none of them were essential so deleted them all from HKLM\Software\Microsoft\Shared Tools\Msconfig... and left the services disabled.
    7) Ran HijackThis and deleted SACORE (McAfee) and a couple of File Missing entries
    8) Turned system Restore off then on to remove all previous checkpoints
    9) Took a checkpoint and also created a Driveimage backup
    10) Restarted, checked the registry entries and file locations the virus had used were all OK again
    11) Removed Google entries from Task Scheduler
    12) Went online and tested IE, Google etc. All OK.
    13) Uninstalled ComboFix
    14) Removed all the tools and output from C:\ and the desktop

    Phew, I have a working, virus free computer and only a few points, most unessential, I would like to resolve:

    a) how to be confident the mdm (Machine Debug Manager) and ose (Office Source Engine) services are safe to start again.
    b) ditto the Analog services file smax4pnp.exe and the HP file hptlpxfx.exe, although I can always reinstall the sound and the printer.
    c) and the idrivert.exe called by the Install Driver Table Manager service, though I'm not convinced it's required.
    d) the only ones that really need fixing are the two entries for Cisco VPN. One is the service cvpnd.exe, the other is an entry in the common Startup which points to an installer. I suspect a reinstall is the best idea here too.
    e) I also need to check all my other programs still work, especially where Kaspersky disinfected dll's.

    Any further advice gratefully accepted.
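    The checks in step 9 of the earlier post (comparing acpi.sys with a copy from a clean machine) and step 6 above (vetting the kept startup executables) can be made repeatable by hashing the binaries and diffing them against a manifest taken from a known-good system. This is an added example, not code from the thread: the file names come from the posts, and the file contents, hashes and the temporary directory standing in for the system folder are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large system binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_against_baseline(directory, baseline):
    """Compare the files in `directory` with a baseline of {name: sha256 from a known-good system}.
    Returns lists of files that match, differ, are missing, or are not in the baseline at all."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = {n for n in os.listdir(directory) if os.path.isfile(os.path.join(directory, n))}
    for name, good_hash in baseline.items():
        if name not in present:
            result["missing"].append(name)
        elif sha256_file(os.path.join(directory, name)) == good_hash:
            result["ok"].append(name)
        else:
            result["modified"].append(name)   # same name, different bytes: inspect before trusting
    result["unexpected"] = sorted(present - set(baseline))   # e.g. a dropped file nobody installed
    return result

def demo():
    """Constructed scenario: baseline from a clean machine, suspect directory with three problems."""
    good = {"smax4pnp.exe": b"GOOD-SMAX", "cvpnd.exe": b"GOOD-CVPND", "mdm.exe": b"GOOD-MDM"}
    baseline = {n: hashlib.sha256(c).hexdigest() for n, c in good.items()}
    suspect = {
        "smax4pnp.exe": b"GOOD-SMAX",   # untouched
        "cvpnd.exe": b"PATCHED",        # same name, altered contents
        "lmllhkfv.exe": b"DROPPED",     # file the baseline has never heard of
    }                                   # mdm.exe deliberately absent
    with tempfile.TemporaryDirectory() as d:
        for name, content in suspect.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return verify_against_baseline(d, baseline)

if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10s} {', '.join(names) or '-'}")
```

    A real baseline would be built by running sha256_file over the same directory on the clean reference machine and saving the result; anything in "modified" or "unexpected" is what the manual VirusTotal check above was hunting for.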
  7. Broni

    Broni Malware Annihilator Posts: 46,719   +254

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  8. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    ESET result

    Eset result:

    No threats found.

    There was no List of found threats or Export to text file button so I took a screenshot if required.

    Since I last posted I also ran an AVG scan which found no threats either.

    I've also now tested all my applications and they all work with the exception of the Cisco VPN Client which fails with Reason 435: Firewall Policy Mismatch. I've found links suggesting missing zonealarm files are the problem so I'm hunting for those now. I think also one of the deletions was a Zonealarm service so I'll check that too. I'm on more familiar ground with this but if you have any suggestions I'll be happy to hear them.
  9. Broni

    Broni Malware Annihilator Posts: 46,719   +254

    That would be a subject for a different forum.
  10. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Indeed. Thanks again for all your help.

    If I were interested in helping out in the forum what would I do?
  11. Broni

    Broni Malware Annihilator Posts: 46,719   +254

     
  12. tatterjack

    tatterjack TS Rookie Topic Starter Posts: 75

    Thanks Broni. I'm happy for the thread to be closed now.
  13. Broni

    Broni Malware Annihilator Posts: 46,719   +254

    Good luck!
