TechSpot

Google search results are getting redirected

By Ronian30
Apr 22, 2008
Topic Status:
Not open for further replies.
  1. Last week I got infected with some type of virus that was changing my wallpaper to a blue screen with a link saying something along the lines of "your computer is infected with spyware". I was also receiving false virus warnings, and Task Manager wouldn't open. From reading posts, I downloaded and ran ComboFix, and that seemed to fix all the problems I was having with that. The blue wallpaper and false warnings went away and I was able to access Task Manager again. The only thing I see wrong with my PC now is that whenever I go to a search site like Google, my result links keep getting redirected. If you look under the back arrow on the IE toolbar you can even see the words "redirect" and "jump". I ran Windows Defender and it found a couple of spyware files, which it deleted. But I just searched Google again and got redirected. Just wondering if you had any ideas on how to clean this spyware, or whatever it is, out of my PC.
     
  2. kritius

    kritius TS Guru Posts: 2,087

    Don't run ComboFix unless directed to.

    Post the logs from it here.
     
  3. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    I have to break it into two parts. Part 1


    ComboFix 08-04-13.1 - Owner 2008-04-13 15:30:17.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.135 [GMT -4:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Program Files\Common Files\ssembl~1
    C:\WINDOWS\123messenger.per
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\asferror32.dll
    C:\WINDOWS\asycfilt32.dll
    C:\WINDOWS\athprxy32.dll
    C:\WINDOWS\ati2dvaa32.dll
    C:\WINDOWS\ati2dvag32.dll
    C:\WINDOWS\audiosrv32.dll
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\avifile32.dll
    C:\WINDOWS\avisynthex32.dll
    C:\WINDOWS\aviwrap32.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\browserad.dll
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\conf.inf
    C:\WINDOWS\default.htm
    C:\WINDOWS\didduid.ini
    C:\WINDOWS\ky.sxc
    C:\WINDOWS\licencia.txt
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\mscon.sio
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\PerfInfo
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\000080.exe
    C:\WINDOWS\system32\000090.exe
    C:\WINDOWS\system32\awtsTNEv.dll
    C:\WINDOWS\system32\efcBussq.dll
    C:\WINDOWS\system32\enkubncr.dll
    C:\WINDOWS\system32\fhtbxrow.dll
    C:\WINDOWS\system32\lxdatlwu.ini
    C:\WINDOWS\system32\uninstall.exe
    C:\WINDOWS\system32\uwltadxl.dll
    C:\WINDOWS\system32\vENTstwa.ini
    C:\WINDOWS\system32\vENTstwa.ini2
    C:\WINDOWS\system32\wmsdkns.exe
    C:\WINDOWS\telefonos.txt
    C:\WINDOWS\textos.txt
    C:\WINDOWS\voiceip.dll
    C:\WINDOWS\winsb.dll
    D:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://80.93.48.74
    .
    ((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
    .

    2008-04-13 15:11 . 2008-04-13 15:21 101,136 --a------ C:\WINDOWS\BM935feef2.xml
    2008-04-13 15:11 . 2008-04-13 15:11 3,648 --a------ C:\WINDOWS\system32\jboarmsi.dll
    2008-04-13 03:05 . 2008-04-13 03:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
    2008-04-13 03:04 . 2008-04-13 03:04 196,096 --a------ C:\WINDOWS\yvqjqrqd.dll
    2008-04-13 03:04 . 2008-04-13 03:04 70,144 --a------ C:\WINDOWS\tqdavkpk.dll
    2008-04-13 03:04 . 2008-04-13 03:04 70,144 --a------ C:\Documents and Settings\All Users\Application Data\notcrcfm.dll
    2008-03-17 18:58 . 2008-03-17 18:58 2,359,350 --a------ C:\WINDOWS\Manny2.bmp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-13 19:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-03-25 01:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio
    2008-03-18 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
    2008-03-18 20:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\1ClickDVDCopy
    2008-03-17 19:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
    2008-03-12 20:21 --------- d-----w C:\Program Files\Java
    2008-03-10 20:51 18,816 ----a-w C:\WINDOWS\system32\drivers\dvd43llh.sys
    2008-03-10 20:51 --------- d-----w C:\Program Files\dvd43
    2008-02-25 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
    2008-02-19 20:25 --------- d-----w C:\Program Files\Apple Software Update
    2007-03-13 21:38 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
    2007-03-13 21:38 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
    2003-04-10 10:51 32 --sha-w C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
    2003-11-06 21:43 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    2003-04-10 10:51 32 --sha-w C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
    .
     
  4. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Post 3 so I can add part 2.
     
  5. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Post 4 so I can add part 2.
     
  6. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Post 5 so I can add part 2.
     
  7. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Part 2


    Reg Loading Points
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
    C:\Program Files\Bat\Bat.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db41de82-1dd1-11b2-b7fd-fbaf280c36b9}]
    2008-04-13 03:04 70144 --a------ C:\WINDOWS\tqdavkpk.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="nview.dll" [2003-03-03 19:44 831557 C:\WINDOWS\system32\nview.dll]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [ ]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-10-12 18:13 7086080]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51 118784]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 19:44 4595712]
    "nwiz"="nwiz.exe" [2003-03-03 19:44 323584 C:\WINDOWS\system32\nwiz.exe]
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
    "ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
    "Lwinst Run Profiler"=".\Lwtest.exe" [ ]
    "RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44 65536]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-25 17:54 100056]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55 155648]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-03-01 15:49 826880]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-15 00:43 286720]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56 158208]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "ZyYWSYBlxC"= C:\Documents and Settings\All Users\Application Data\mxsfglgt\alktynyd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
    C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 06:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
    backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
    backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
    backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
    backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    --a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    C:\Program Files\BitTorrent\bittorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\irfk]
    C:\WINDOWS\NITEAIM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
    C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\notcrcfm]
    regsvr32 /u C:\Documents and Settings\All Users\Application Data\notcrcfm.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    --a------ 2002-07-31 22:28 81920 C:\WINDOWS\system32\ps2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
    --a------ 2003-05-13 17:07 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2003-05-22 01:20 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    C:\WINDOWS\mrofinu72.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Manager]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvpbhzdu]
    C:\WINDOWS\system32\ypwxipit.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "24374:TCP"= 24374:TCP:BitComet 24374 TCP
    "24374:UDP"= 24374:UDP:BitComet 24374 UDP

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
    S2 MSSysInterv1;MSSysInterv;C:\WINDOWS\winself.exe service []
    S3 BUSlink;BUSlink MP3 USB Drive;C:\WINDOWS\system32\Drivers\BUSlink.sys [2002-11-01 22:52]
    S3 xlink;XLink Driver (xlink.sys);C:\WINDOWS\system32\Drivers\xlink.sys [2001-01-02 18:53]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-13 19:46:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2008-04-13 16:57:55 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
    - c:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
    .

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-13 15:46:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    .
    DLLs Loaded Under Running Processes
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\Softex\OmniPass\opxpgina.dll
    .
    Other Running Processes .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\Navapsvc.exe
    C:\Program Files\Softex\OmniPass\omniServ.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-13 15:55:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-13 19:54:42
    Pre-Run: 70,238,896,128 bytes free
    Post-Run: 72,035,069,952 bytes free
     
  8. kritius

    kritius TS Guru Posts: 2,087

    In future, post the logs as attachments. I can't really check over it now as I'm at work, but I will look later.
     
  9. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Sorry, here ya go... same one.
     
  10. kritius

    kritius TS Guru Posts: 2,087

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\BM935feef2.xml
      C:\WINDOWS\system32\jboarmsi.dll
      C:\WINDOWS\yvqjqrqd.dll
      C:\WINDOWS\tqdavkpk.dll
      C:\Documents and Settings\All Users\Application Data\notcrcfm.dll
      C:\WINDOWS\mrofinu72.exe
      
      Folder::
      C:\Program Files\Bat
      C:\Documents and Settings\All Users\Application Data\mxsfglgt
      
      Registry::
      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db41de82-1dd1-11b2-b7fd-fbaf280c36b9}]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
      "ZyYWSYBlxC"=-
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\notcrcfm]
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvpbhzdu]
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    P2P Warning!

    • IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

      Frostwire, BitTorrent

      Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
      Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

      I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

      References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
      http://www.techweb.com/wire/160500554
      http://www.internetworldstats.com/articles/art053.htm
      See Clean/Infected P2P Programs here

      I would recommend that you uninstall Frostwire, BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

      If you wish to keep it, please do not use it until your computer is cleaned.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete attach the log into your reply.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button, as its findings are dangerous if misinterpreted.
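
    The CFScript above is plain text in three sections. As an added example, not part of ComboFix or of the helper's instructions, the Python below parses such a script and lints it before it is dragged onto ComboFix.exe: it checks that File:: and Folder:: entries are absolute paths, that a `"name"=-` value deletion (regedit's delete-value syntax) sits under a `[key]` header, and that nothing is listed under both File:: and Folder::. The sample script is constructed from the one posted above; the lint rules are the editor's assumptions about what counts as a typo, and what ComboFix itself does with a bare `[key]` line is not stated on this page, so the parser only records it.

```python
"""Parse and lint a ComboFix CFScript.txt of the kind the helper posts above.

Added example for this thread; it is not part of ComboFix. It recognises the
File::, Folder:: and Registry:: sections and flags mistakes that are easy to make
when typing a script by hand. "name"=- is regedit syntax for deleting a value;
what ComboFix does with a bare [key] header is not spelled out on this page, so
the parser only records it. The lint rules are the editor's assumptions.
"""
import re

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed from the first script the helper posted above.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\BM935feef2.xml
C:\WINDOWS\system32\jboarmsi.dll
C:\Documents and Settings\All Users\Application Data\notcrcfm.dll

Folder::
C:\Program Files\Bat
C:\Documents and Settings\All Users\Application Data\mxsfglgt

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ZyYWSYBlxC"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
"""

def parse_cfscript(text):
    """Return ({'File': [...], 'Folder': [...], 'Registry': [(key, value_or_None), ...]},
    [(line_number, warning), ...]). Line number 0 marks a whole-script warning."""
    sections = {"File": [], "Folder": [], "Registry": []}
    warnings = []
    section = key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        ms = SECTION_RE.match(line)
        if ms:
            section, key = ms.group(1), None
            continue
        mk, mv = KEY_RE.match(line), VALUE_DEL_RE.match(line)
        if section is None:
            warnings.append((lineno, "entry before any File::/Folder::/Registry:: header"))
        elif section in ("File", "Folder"):
            if not ABS_PATH_RE.match(line):
                warnings.append((lineno, "path is not absolute (no drive letter)"))
            if line.endswith("\\"):
                warnings.append((lineno, "trailing backslash"))
            if section == "File" and "." not in line.split("\\")[-1]:
                warnings.append((lineno, "File:: entry has no extension; should it be under Folder::?"))
            sections[section].append(line)
        elif mk:
            key = mk.group(1)
            sections["Registry"].append((key, None))
        elif mv:
            if key is None:
                warnings.append((lineno, "value deletion without a preceding [key] header"))
            else:
                sections["Registry"].append((key, mv.group(1)))
        else:
            warnings.append((lineno, f"unrecognised Registry:: line: {line}"))
    # The same path under both File:: and Folder:: is almost always a typo.
    for p in set(sections["File"]) & set(sections["Folder"]):
        warnings.append((0, f"{p} listed under both File:: and Folder::"))
    return sections, warnings

if __name__ == "__main__":
    parsed, problems = parse_cfscript(SAMPLE_SCRIPT)
    for name, entries in parsed.items():
        print(f"{name}:: {len(entries)} entries")
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```

    The point of the lint is the asymmetry the helper's warnings hint at: ComboFix acts on whatever is in the script, so a relative path, a value line that lost its key header, or a folder pasted into File:: should be caught in Notepad, not discovered after the reboot.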
     
  11. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Here are both posts you needed...
     
     
  12. kritius

    kritius TS Guru Posts: 2,087

    Have you decided to keep the p2p software?

    This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer.

    Go to Start > Run and copy/paste or type: taskmgr
    • Under the Processes tab find the following tasks or processes:
      ViewpointService.exe
      ViewMgr.exe
    • Highlight and click "End Process".
    • Exit Task Manager.
    Click on Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab".
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder


    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll (file missing)
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
      C:\Documents and Settings\All Users\Application Data\notcrcfm.dll
      C:\WINDOWS\mrofinu72.exe
      C:\WINDOWS\system32\ypwxipit.exe
      C:\WINDOWS\winself.exe 
      
      Registry::
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\notcrcfm]
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvpbhzdu]
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.
     
  13. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Here is the latest ComboFix log... and yeah, I'm going to keep the P2P programs for the time being... I don't use them that much, but I sometimes do...
     
  14. kritius

    kritius TS Guru Posts: 2,087

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      Folder::
      C:\Documents and Settings\All Users\Application Data\Viewpoint
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

    • Include the report in your next post.
     
  15. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Here are the 2 logs you needed. Hey, after the last ComboFix run, when the log popped up and I closed it, the PC kind of froze. The log closed but my desktop icons and taskbar didn't come back; I could move the mouse but couldn't do anything. So I just hit Ctrl-Alt-Delete and restarted, and everything came back. Was that OK? Everything seems to be working fine... just wondering because it had not done that in the last 2 or 3 scans...
     


  16. kritius

    kritius TS Guru Posts: 2,087

    C:\Program Files\Norton AntiVirus\Quarantine\<=====Delete the contents of this folder but not the folder itself
    C:\QooBox\Quarantine\<=====Delete the contents of this folder but not the folder itself

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      [kill explorer]
      C:\Program Files\mIRC\mirc.exe
      C:\Program Files\MySearch
      C:\Setup Files\AGSetup0609.exe
      C:\Setup Files\bittorrent-3.4.1.exe
      C:\Setup Files\mirc61.exe
      purity
      [start explorer]
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  17. Ronian30

    Ronian30 TS Rookie Topic Starter Posts: 29

    Sorry it took so long to get back to ya, I hadn't been home for a couple of days... here are the results below.

    Explorer killed successfully
    C:\Program Files\mIRC\mirc.exe moved successfully.
    C:\Program Files\MySearch\bar\History moved successfully.
    C:\Program Files\MySearch\bar\Cache moved successfully.
    C:\Program Files\MySearch\bar\1.bin moved successfully.
    C:\Program Files\MySearch\bar moved successfully.
    C:\Program Files\MySearch moved successfully.
    C:\Setup Files\AGSetup0609.exe moved successfully.
    C:\Setup Files\bittorrent-3.4.1.exe moved successfully.
    C:\Setup Files\mirc61.exe moved successfully.
    < purity >
    Explorer started successfully

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_215531
     