[Resolved] Google Redirects, Cmd.exe crashes explorer.exe, dds will not run
As you can see by the title I am having several problems, but I believe they are all caused by the same malware. First the symptoms: if I click on a Google search result I am redirected away from the actual website to some other website, usually an ad, and I must go back to get the real site. In addition, bleepingcomputer.com is blocked from Firefox (my browser of choice, v3.0.8); it just comes up blank. If I attempt to run Cmd.exe from the Run dialog nothing appears and Explorer crashes (the blue bar at the bottom goes away, which I believe is an indication of this), then when it reloads my tray bar is missing several of its components. Lastly, as I was reading the post to read before posting here, it told me to download DDS. The first mirror link did not work for me because, as I said before, bleepingcomputer is blocked, but I was able to download it from the second mirror. When I run it a black window appears (like the kind that would appear for cmd.exe) but only briefly, for under a second. Nothing else occurs as the instructions said would happen, so I'm pretty sure it didn't work. I have read about similar problems with these combined symptoms in other threads but wanted to try to get personal help just to be sure. Thanks in advance for any advice/suggestions/help!
Please help still having problems need suggestions
So I haven't gotten any responses, so I got HijackThis and ran its scan and have attached the log file. I hope that someone will be able to help me now, as others who have similar problems are having their problems solved with other logs, so here goes.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:15 PM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Sorry to keep posting, but I was able to run a Kaspersky online scan and I have a very short log file, only one entry in fact. I would appreciate it if someone could help me remove this.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, April 6, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, April 06, 2009 00:15:45
Records in database: 2016084
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 138032
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 04:27:47
File name / Threat name / Threats count
C:\WINDOWS\system32\glindofo.dll Infected: Trojan-PSW.Win32.Delf.dmv 1
Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Close ALL open windows (especially Internet Explorer!).
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Thank you very much for the help, and sorry it took me so long to respond; I was traveling the past 2 days. Here are the log files, for OTMoveIt:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\glindofo.dll
C:\WINDOWS\system32\glindofo.dll NOT unregistered.
C:\WINDOWS\system32\glindofo.dll moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V6636DKA\notifier[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1X2PCI9E\notifier[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_c0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04102009_195140
Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V6636DKA\notifier[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1X2PCI9E\notifier[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_c0.dat not found!
Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: http://i204.photobucket.com/albums/b.../regMiekie.png
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.
Now please reboot your computer.
I want to see if we can download this next tool.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
http://i266.photobucket.com/albums/i...oad_rename.gif
--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on Combo-Fix.exe & follow the prompts.
Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.
No Validation is Required.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
** Please Note:
At times ComboFix may appear to stall, please be patient.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Please only run the tool once, ty.
Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.
You may need several replies to post the requested logs, otherwise they might get cut off.
I set up the HijackThis delete on reboot just fine, but then after I created the fix.reg file and saw that it had the correct icon, a double-click results in Explorer restarting and no prompt for merging or success dialog. What should I do now? I think this problem stems from the fact that I cannot run regedit on my machine without renaming it. Thanks
Open HijackThis. Click on Open the Misc Tools Section.
* On the screen, click on "Delete a file on reboot...".
* Copy/paste the following path into the dialog box that popped up, and click 'Open': C:\WINDOWS\epnowu.bvg
* HJT will ask you if you want to reboot, now. Click "NO".
Next, launch Notepad (Start > Run, type in: notepad), then copy and paste just the text in blue below into it (don't forget to copy and paste REGEDIT4).
REGEDIT4
Save this as fix2.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: http://i204.photobucket.com/albums/b.../regMiekie.png
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.
So the computer now seems fine. As far as I can tell all the symptoms I had before have cleared up. No google redirects in five searches, can run cmd.exe with no problems, and my tray icons are back to normal. Here is the new HJT scan log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:09 AM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
Additional info: http://vil.nai.com/vil/content/v_137262.htm A side note about AIM Messenger, AOL users and Viewpoint Manager: Viewpoint is one of the graphic engines that AOL uses and it is bundled with the application.
If you continue to use AIM Messenger, it would likely be reinstalled. Or if you receive some of the AOL E-cards, it may ask you to download and run this program to view and run the graphics in E-cards.
Your call
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
Viewpoint
Viewpoint Manager
Viewpoint Media Player
Your version of Adobe is out of date.
You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
For more information and links to Adobe updates and downloads click here.
NEXT**
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.
The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
(Description: HP software update checker and wizard launcher.)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)
Now please reboot the computer to set the registry.
Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
* Windows Temp
* Current User Temp
* All Users Temp
* Temporary Internet Files
* Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================
NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
(Note: for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post:
Kaspersky log
New HJT log taken after the above scans have run
You may need several replies to post the requested logs, otherwise they might get cut off.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:51 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, April 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, April 11, 2009 18:04:22
Records in database: 2035152
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 128956
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:51:00
File name / Threat name / Threats count
C:\_OTMoveIt\MovedFiles\04102009_195140\WINDOWS\system32\glindofo.dll Infected: Trojan-PSW.Win32.Delf.dmv 1
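As an added example (not from this thread or from any of the tools it mentions), a small Python parser for the Kaspersky Online Scanner 7 report layout posted above: it pulls out the scan statistics and the detection lines, and flags a detection whose path starts with OTMoveIt's C:\_OTMoveIt\MovedFiles folder as already quarantined, which is why the second scan's single find is expected rather than a new infection. The sample report text is constructed; the quarantine prefix is the folder the thread shows.

```python
import re

# Constructed sample in the layout of the Kaspersky Online Scanner 7 reports
# posted in this thread (two detection lines, one of them in quarantine).
SAMPLE_REPORT = r"""Scan statistics:
Files scanned: 128956
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:51:00
File name / Threat name / Threats count
C:\_OTMoveIt\MovedFiles\04102009_195140\WINDOWS\system32\glindofo.dll Infected: Trojan-PSW.Win32.Delf.dmv 1
C:\WINDOWS\system32\example_live.dll Infected: Example.Threat.Name 1
"""

# Folder OTMoveIt3 moves files into (path from the thread); a detection under
# it has already been taken out of its original location.
QUARANTINE_PREFIXES = (r"c:\_otmoveit\movedfiles",)

STAT_RE = re.compile(r"^(Files scanned|Infected objects|Suspicious objects):\s+(\d+)$")
# A path may contain spaces, so match lazily up to the " Infected:" marker.
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

def parse_report(text):
    """Return (statistics dict, list of detection dicts) from the report text."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STAT_RE.match(line):
            stats[m.group(1)] = int(m.group(2))
        elif m := DETECTION_RE.match(line):
            path = m["path"]
            detections.append({
                "path": path,
                "threat": m["threat"],
                "count": int(m["count"]),
                "quarantined": path.lower().startswith(QUARANTINE_PREFIXES),
            })
    return stats, detections

def triage(text):
    """Split finds into live vs. already-quarantined and check that the
    report's own 'Infected objects' count agrees with the lines listed."""
    stats, detections = parse_report(text)
    return {
        "live": [d for d in detections if not d["quarantined"]],
        "quarantined": [d for d in detections if d["quarantined"]],
        "stats_match": stats.get("Infected objects") == len(detections),
    }
```

A report whose "Infected objects" count disagrees with the lines listed usually means the paste was cut off, which is why the thread asks for logs in several replies.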