[metapaco]

Both my Firefox and IE will sometimes reddirect to either an adult google search or adult thumbnail page when I try to access certain domains. I know a bad piece of spyware removal software was installed about the time this started, I removed the program with its uninstaller a while back, and do not remember what it was, sorry.
My Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:59:00 AM, on 7/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\msvcmm32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AT&T Plug&Share 108Mbps Wireless Notebook Adapter\WLANMON.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {2E2F120D-B3C6-7150-FF0E-859DAF86A13B} - BoundRec.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Brong32] NsCplTray.exe
O4 - HKLM\..\Run: [bingo9] msag.exe
O4 - HKCU\..\Run: [clamav] WhatsNewBot.exe
O4 - HKCU\..\Run: [SYSTRAV] DCC_send.exe
O4 - HKCU\..\Run: [borlandg] powerdll.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: AT&T Plug&Share 108Mbps Wireless Notebook Adapter Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{8592A3E6-FA5F-40BF-8AC1-FDB8A6D92A29}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

[Advertisements]

Hi metapaco

Please download FixWareout from one of these sites:

http://www.bleepingc.../Fixwareout.exe
http://downloads.sub.../Fixwareout.exe

• Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
• The fix will begin; follow the prompts.
• You will be asked to reboot your computer; please do so.
• Your system may take longer than usual to load; this is normal.

We'll need to temporarily disable TeaTimer that it won't prevent fixes:

# Run Spybot-S&D in Advanced Mode.
# If it is not already set to do this Go to the Mode menu select "Advanced Mode"
# On the left hand side, Click on Tools
# Then click on the Resident Icon in the List
# Uncheck "Resident TeaTimer" and OK any prompts.
# Restart your computer.

Move HijackThis to own folder, eg. C:\hjt

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: (no name) - {2E2F120D-B3C6-7150-FF0E-859DAF86A13B} - BoundRec.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [Brong32] NsCplTray.exe
O4 - HKLM\..\Run: [bingo9] msag.exe
O4 - HKCU\..\Run: [clamav] WhatsNewBot.exe
O4 - HKCU\..\Run: [SYSTRAV] DCC_send.exe
O4 - HKCU\..\Run: [borlandg] powerdll.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{8592A3E6-FA5F-40BF-8AC1-FDB8A6D92A29}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9

Close all windows including browser and press fix checked.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

• Install Ewido by double clicking the installer.
• Follow the prompts. Make sure that Launch Ewido is checked.
• On the main screen under Your Computer's security.
• Click on Change state next to Resident shield. It should now change to inactive.
• Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
• Wait until you see the Update succesfull message.
  Note: If the Update now option is grayed out, follow the steps below.
• Click on Update on the toolbar.
• Under Manual update, click on the Start Update button.
• Wait until you see the Update succesfull message.

[*]Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
[/list]If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Please download ATF Cleaner by Atribune and save
it to desktop. Don't use it yet.

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

______________________________

Please do a search:
"Run "Start">"Search">"All Files and Folders"> enter NsCplTray.exe in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search". Right click the file and select delete.

Empty Recycle Bin.

NOTE: That file may not exist at all! If it doesn't, just skip the step above.

Repeat step above for these:

msag.exe
WhatsNewBot.exe
DCC_send.exe
powerdll.exe

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.
[/list]Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

• Click on Scanner on the toolbar.
• Click on the Settings tab.
  • Under How to act?
    • Click on Recommended Action and choose Quarantine from the popup menu.
  • Under How to scan?
    • All checkboxes should be ticked.
  • Under Possibly unwanted software:
    • All checkboxes should be ticked.
  • Under Reports:
    • Select Automatically generate report after every scan and uncheck Only if threats were found.
  • Under What to scan?
    • Select Scan every file.
• Click on the Scan tab.
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.
• When the scan has finished, follow the instructions below.
  IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)
    
• When done, click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
• Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.
______________________________

Please post:

• c:\fixwareout\report.txt
• Ewido log
• A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

[Shaba]

Hi metapaco

Please download FixWareout from one of these sites:

http://www.bleepingc.../Fixwareout.exe
http://downloads.sub.../Fixwareout.exe

• Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
• The fix will begin; follow the prompts.
• You will be asked to reboot your computer; please do so.
• Your system may take longer than usual to load; this is normal.

We'll need to temporarily disable TeaTimer that it won't prevent fixes:

# Run Spybot-S&D in Advanced Mode.
# If it is not already set to do this Go to the Mode menu select "Advanced Mode"
# On the left hand side, Click on Tools
# Then click on the Resident Icon in the List
# Uncheck "Resident TeaTimer" and OK any prompts.
# Restart your computer.

Move HijackThis to own folder, eg. C:\hjt

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: (no name) - {2E2F120D-B3C6-7150-FF0E-859DAF86A13B} - BoundRec.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [Brong32] NsCplTray.exe
O4 - HKLM\..\Run: [bingo9] msag.exe
O4 - HKCU\..\Run: [clamav] WhatsNewBot.exe
O4 - HKCU\..\Run: [SYSTRAV] DCC_send.exe
O4 - HKCU\..\Run: [borlandg] powerdll.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{8592A3E6-FA5F-40BF-8AC1-FDB8A6D92A29}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{72DB7013-BF46-4B34-9C74-0FFE3A06C307}: NameServer = 85.255.114.34,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.34 85.255.112.9

Close all windows including browser and press fix checked.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

• Install Ewido by double clicking the installer.
• Follow the prompts. Make sure that Launch Ewido is checked.
• On the main screen under Your Computer's security.
• Click on Change state next to Resident shield. It should now change to inactive.
• Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
• Wait until you see the Update succesfull message.
  Note: If the Update now option is grayed out, follow the steps below.
• Click on Update on the toolbar.
• Under Manual update, click on the Start Update button.
• Wait until you see the Update succesfull message.

[*]Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
[/list]If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Please download ATF Cleaner by Atribune and save
it to desktop. Don't use it yet.

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

______________________________

Please do a search:
"Run "Start">"Search">"All Files and Folders"> enter NsCplTray.exe in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search". Right click the file and select delete.

Empty Recycle Bin.

NOTE: That file may not exist at all! If it doesn't, just skip the step above.

Repeat step above for these:

msag.exe
WhatsNewBot.exe
DCC_send.exe
powerdll.exe

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.
[/list]Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

• Click on Scanner on the toolbar.
• Click on the Settings tab.
  • Under How to act?
    • Click on Recommended Action and choose Quarantine from the popup menu.
  • Under How to scan?
    • All checkboxes should be ticked.
  • Under Possibly unwanted software:
    • All checkboxes should be ticked.
  • Under Reports:
    • Select Automatically generate report after every scan and uncheck Only if threats were found.
  • Under What to scan?
    • Select Scan every file.
• Click on the Scan tab.
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.
• When the scan has finished, follow the instructions below.
  IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)
    
• When done, click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
• Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.
______________________________

Please post:

• c:\fixwareout\report.txt
• Ewido log
• A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

[Shaba]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.