Black internet free web hosting, hijack

Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.

 

The location for the logs from Malware Bytes and SUPERantispyware are as follows, and I need you to attach them into your next response here.

1. You are running combofix from the wrong location.

As specified in the R&R you must put it directly on your desktop.

2. Also delete MGTools.exe from your desktop, this was put in the wrong location as well.

3. Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

4. Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

DirLook::
c:\documents and settings\katy\log
Folder::
C:\Documents and Settings\katy\Local Settings\Application Data\ebwhqfmdr
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

5. Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

7. Let me know the behaviour of the computer now.

 

Do not apologise. No worries.

Not long because it's almost 3am here.

Don't forget to attach the C:\mglogs.zip into your next reply here. I'll drop by again tomorrow. Going to bed now.

 

Nothing to worry about, these are caught in system restore and they will no longer exist once we have toggled SR and followed final steps.

Sadly, sound issues and other non malware related issues can not be discussed here. Your best bet would be the software forum.

Not malware. Not to worry.

Normal.

Did you run TDSSKiller as requested? I suspect not. Please do so and attach the log it creates into your next reply.

 

As stated in a previous message:

Are you still having redirects?

 

Ok. Now please address my questions:

Are you still being redirected or not?

How's the PC running now?

 

Any remaining issues will have to be resolved in the appropriate forum, eg: software/hardware.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Katy45 I apologise, I missed some malware before.

If you have not yet removed ComboFix, then we will use it. If you have, just re-download it and leave it on your desktop.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File:
C:\System Volume Information\Microsoft\services.exe
C:\System Volume Information\Microsoft\smss.exe

Folder::
C:\System Volume Information\Microsoft

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Yes please. Re download MGTools.exe, save it to your C:\ Drive and re run it. Attach the C:\Mglogs.zip into your next reply here.

 

Please turn off system restore. Reboot and then run the ComboFix fix again. Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

 

You can ask questions any time.

Are you sure you turned off system restore? It must be off in order to remove those files. So you need to turn it off and reboot. Then run the fix. Since Combo didnt do it, lets try Avenger.

Download The Avenger by Swandog469, and save it to your Desktop.

* Extract+ avenger.exe from the Zip file and save it to your desktop

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Java is necessary to view some web info. You can download the latest version here:
Java Runtime 6

This should not be a problem. However, both SAS and MBAM will scan additional drives ---> but you have to have MBAM do a deep scan in order to select additional drives.

Not with this infection.

Go to the control panel / user accounts and you should be able to reset a password for the Admin. account.

It should have stayed off once you rebooted. This may be part of the infection process. We have only seen this in one other thread. So we are trying to come up with a procedure to deal with it. So, on that note:

Again disable system recovery first.

You will need to boot to the Recovery Console to remove this infection. That means that you have to go into your bios and set the cd as the first boot option. See the accompanying link.

Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


Then boot back into normal mode.

Now:

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

 

We can try a different track. Download bootkitremover.rar and save it to your desktop.

• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip
• After extracing remover.exe to your Desktop, double-click the remover.exe file to run the program.
• Attach or post inline here, the output from remover.exe

 

Do you have this system set up to dual boot? What is on partition D?

 

Do you have everything you need backed up to the D:\ drive? Do you have your xp cd? I want to cover all bases in case the fix goes wrong. There is that chance, so we want to minimize that.

Also, is this a Dell computer?

 

The problem exists in your MBR. We have two choices. One is to go ahead and do the recovery console fixmbr command. The second is to run the bootkit remover to fix it. That is why I want to know if all your personal data and files are backed up, in case we need to just wipe the C:\ drive and reinstall the OS on it.

This is what we need to do if going with option 2:

Now - please do the following:

* Click Start, Run then copy and paste the below into the Run box and click OK.

"%userprofile%\Desktop\remover.exe" fix \\.\PhysicalDrive0

* Now reboot your PC and after reboot continue with the below instructions.

See if these still exist:
C:\System Volume Information\Microsoft\services.exe
C:\System Volume Information\Microsoft\smss.exe
C:\System Volume Information\Microsoft
Delete them if they do.

* Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
o C:\MGlogs.zip

**Make sure you tell me how things are working now!

 

Is your D:\ drive a slave drive? Not a partition on your main master drive?

 

Sweet....it didnt turn into a brick!! LOL.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!
    
    

 

Yes, turn off system restore, then reboot and re-enable it. There are no doubt restore points that have the infection in them, so we want to flush the system. You will now have a clean restore point if needed in the near future.

 

This is a very new type of infection that is going around. We frankly do not know if it is just intended to screw with windows users or have an alternative intent. I don't believe it was intended to steal any user info, at least not at this point. We deal with a lot of infections that seemingly have no other purpose than to cripple users system.

 

We hope that you will stay and participate in the forums. Do pay attention to the last link for How to Protect Yourself......

And you are most welcome.

 

Katy, I just remembered to ask you why you have your drives formatted as fat32? Is there a particular reason you have not changed them to NTFS?

 

None of our logs found it other than HJT> which doesn't give a date of origin. But during the course of the removal, you could have found the C:\System Volume Information\Microsoft folder and checked its date.

If you wish to start semi-fresh, you may want to reformat the D: drive. I don't think there is any malware on it, but at least then you would be sure. You could save those things that you know are clean.
Some protection software just will not run if they are compromised. That's often the first notice you get that you are in trouble.
Hope the garden is growing!