Solved Google redirect, AV & IE damage

Possibly Resolved

Hi Broni,

Apologies for not posting yesterday. I decided I would go for a clean reinstall but, since I had nothing to lose, would give disinfecting one more try. Over the weekend I went over all the tool reports and prepared a list of all the registry entries, files and folders they deleted, and also our actions around the points we thought we had made headway. It's in a spreadsheet and I'd be happy to attach it if you would find it useful.

Here's the list of what I did. I've retained all the logs and can post these as well. All the tools were downloaded on a good machine and copied via a USB stick which was always reformatted after being in the infected machine.

1) Completely remove McAfee using the MCPR tool
2) Uninstalled Adobe Reader 8 via Add/Remove Programs
3) Followed these instructions to completely remove any remnants of Adobe Reader 8
4) Found and deleted AcroRd32Infomgr.exe in c:\program files\adobe...\reader\ It had the quill and inkwell icon used by the virus
5) Uninstalled Adobe Flash
6) Backed up the registry
7) Followed the instructions Here to restore the Safe Mode registry keys. This did not apparently work. The safeboot key was still empty.
8) Booted into OTLPE and used the remote registry tool and the file tool to remove the list of entries I made earlier
9) Compared acpi.sys to a copy from a good XP SP3 system. It was identical.
10) Searched for and deleted any remaining copies of lmllhkfv.exe
11) Emptied all temp and temp internet folders
12) Ran OTLPE quick scan which looked clean
13) Put copies of any tools I thought I would need on C:\ and the desktop
14) Rebooted normally
15) Ran Fixtdss "Tidserv has not been found"
16) Ran TDSSKiller. 0 threats.
17) Ran ComboFix: "Expired. Reduced functionality". Only stage 49 apparently, but at least 3 reg keys and one module of the virus had returned.

Oh hubris

18) Redownloaded ComboFix and ran again (NB: no Nirkmd message)
19) Unticked all startups and non-microsoft services in msconfig
20) Booted into OTLPE and removed all the reg keys and modules again
21) Rebooted normally
22) Ran new ComboFix. Apparently clean
23) Checked safeboot key. It was fully populated!
24) Ran Kaspersky scan with the Prompt action in case I lost the reports again. It found about 700 infections over two runs, most of which I chose to disinfect. They were DLLs belonging to many different programs, some of which I can uninstall, some of which I need, so we will see.

That's where I am now

Things I still have to do:

1) Uninstall the programs I don't need that were disinfected: Chrome, Belkin wireless, Virtual clone, HP Printer
2) Install a free AV, Java, flash, Adobe Reader
3) Test IE/Google
4) Test the programs I need
5) Virus check and replace if necessary remaining modules on the startup lists.
6) Clean out system Restore
7) Test safe Mode
8) Take a DriveImage

Please also accept my apologies for not involving you in this but with the California/UK time difference and the slowness of communicating via TechSpot it was just going to take too long.
I'll understand if you want to wash your hands of it but if you do have any advice I would be very grateful to receive it. I couldn't have done this without your assistance.
 
Problem Resolved

I think the computer is now completely free of the virus and working normally. Here's a list of the remaining things I did

1) Uninstalled Chrome, Google Toolbar, Belkin 54G Network Adapter, Freecom Media Suite, Virtual Clone, Yahoo Toolbar, WD Diags
2) Corrected time
3) Installed the following from standalone installers: AVG Free, Adobe Reader 10 (still had to restore PDF file associations), Flash 11, Java
4) Checked safemode worked OK
5) Checked sound worked OK
6) Checked at virustotal.com all the programs stopped in Msconfig that I planned to keep:

smax4pnp.exe
hptlpxfx.exe
cvpnd.exe
idrivert.exe
mdm.exe
ose.exe

All passed 0/43 except idrivert.exe, which got 1/43.
I also checked them against the Kaspersky disinfected list. Only idrivert.exe and smax4pnp.exe were in it.
Decided none of them were essential, so deleted them all from HKLM\Software\Microsoft\Shared Tools\Msconfig... and left the services disabled
7) Ran HijackThis and deleted SACORE (McAfee) and a couple of File Missing entries
8) Turned system Restore off then on to remove all previous checkpoints
9) Took a checkpoint and also created a Driveimage backup
10) Restarted, checked the registry entries and file locations the virus had used were all OK again
11) removed Google entries from Task Scheduler
12) Went online and tested IE, google etc. All OK.
13) uninstalled combofix
14) removed all the tools and output from C:\ and the desktop

Phew, I have a working, virus-free computer and only a few points, most inessential, I would like to resolve:

a) how to be confident the mdm (Machine Debug Manager) and ose (Office Source Engine) services are safe to start again.
b) ditto the Analog Devices file smax4pnp.exe and the HP file hptlpxfx.exe, although I can always reinstall the sound and the printer.
c) and the idrivert.exe called by the Install Driver Table Manager service, though I'm not convinced it's required.
d) the only ones that really need fixing are the two entries for Cisco VPN. One is the service cvpnd.exe, the other is an entry in the common Startup which points to an installer. I suspect a reinstall is the best idea here too.
e) I also need to check all my other programs still work, especially where Kaspersky disinfected DLLs.

Any further advice gratefully accepted.
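Step 6 of the post above (checking the items MSConfig has unticked at virustotal.com) was done by hand, one file at a time. The script below is an added example, not code from the thread or from any of the tools it mentions: it walks the same HKLM\Software\Microsoft\Shared Tools\MSConfig key, resolves each disabled startup entry and service to the executable it launches, and prints the file's SHA-256 plus its Authenticode status, so the hashes can be looked up on VirusTotal without uploading anything. It assumes Windows XP/7 with PowerShell 2.0 (hence .NET hashing rather than Get-FileHash, which arrived in PowerShell 4), and it assumes the usual MSConfig layout: `startupreg` and `startupfolder` subkeys each holding a `command` value per item, and a `services` key whose value names are the disabled services. Those value names are assumptions about the layout and are marked as such in the code.

```powershell
# Added example (not from the thread): hash every startup item and service that
# MSConfig has disabled, for manual lookup at virustotal.com.
# Assumes PowerShell 2.0 on XP/7 and the MSConfig key layout described below.

$base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'

function Get-Sha256([string]$Path) {
    # .NET hashing works on PowerShell 2.0; Get-FileHash does not exist there.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Pull the executable out of a command line such as
#   "C:\Program Files\Analog Devices\Core\smax4pnp.exe" /silent
#   %SystemRoot%\system32\svchost.exe -k netsvcs
#   \??\C:\WINDOWS\system32\drivers\foo.sys
function Resolve-ExePath([string]$CommandLine) {
    if ([string]::IsNullOrEmpty($CommandLine)) { return $null }
    $cmd = [System.Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('\??\')) { $cmd = $cmd.Substring(4) }   # NT object path prefix used by some drivers
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path with spaces: extend token by token until something exists on disk.
    $tokens = $cmd -split ' '
    for ($i = 0; $i -lt $tokens.Length; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Report-Item([string]$Source, [string]$Name, [string]$CommandLine) {
    $exe = Resolve-ExePath $CommandLine
    if (-not $exe) {
        # A disabled entry whose target is gone is itself worth a look: the
        # file may have been deleted by a scanner or never existed.
        return ("{0,-14} {1,-22} UNRESOLVED  {2}" -f $Source, $Name, $CommandLine)
    }
    $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
    "{0,-14} {1,-22} {2}  sig={3}  {4}" -f $Source, $Name, (Get-Sha256 $exe), $sig, $exe
}

# Run-key entries MSConfig has unticked (assumed: one subkey per item, 'command' value).
Get-ChildItem -Path "$base\startupreg" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    Report-Item 'startupreg' $_.PSChildName $p.command
}

# Startup-folder shortcuts MSConfig has unticked (assumed: same 'command' value).
Get-ChildItem -Path "$base\startupfolder" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    Report-Item 'startupfolder' $_.PSChildName $p.command
}

# Services MSConfig has unticked (assumed: value names under 'services' are the
# service names). The binary comes from the service's own ImagePath.
$svcKey = Get-ItemProperty -Path "$base\services" -ErrorAction SilentlyContinue
if ($svcKey) {
    $svcKey.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" -ErrorAction SilentlyContinue
            Report-Item 'service' $_.Name $svc.ImagePath
        }
}
```

Two caveats when reading the output. A hash that VirusTotal has never seen is "not found", not "clean", and a file that a scanner has disinfected is a patched binary whose hash will no longer match the vendor's original, so for the smax4pnp.exe and idrivert.exe cases the useful comparison is against a fresh copy from the sound-driver or vendor installer rather than against VirusTotal alone. A valid Authenticode signature (sig=Valid) on the current file is stronger evidence than a 0/43 on an unknown hash, because a disinfected or tampered binary no longer verifies.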
 
Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
ESET result

ESET result:

No threats found.

There was no List of found threats or Export to text file button so I took a screenshot if required.

Since I last posted I also ran an AVG scan which found no threats either.

I've also now tested all my applications and they all work, with the exception of the Cisco VPN Client, which fails with Reason 435: Firewall Policy Mismatch. I've found links suggesting missing ZoneAlarm files are the problem, so I'm hunting for those now. I think also one of the deletions was a ZoneAlarm service, so I'll check that too. I'm on more familiar ground with this but if you have any suggestions I'll be happy to hear them.
 