Browser Redirection - "read me" post steps done

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Goldline, Jan 17, 2010.

  1. Goldline

    Goldline Private E-2

    Hello

It started a week ago when a friend wondered why I had sent him an email about Viagra... I didn't.

Now, randomly, when I open my Firefox I get redirected; almost every time I close the "hacked" webpage, my browser crashes and I have to restart it.

I do have Facebook, and I only use it for my friend list and "Farmville". I have read that malware like "Zango" had been uploaded from their website without consent (found during my scan, see attached log).

Now, when I was doing the "noobie" steps before I could post, I ran into a problem: I cannot disable or uninstall my AVG (version 9), it won't let me. I am going to attach the detailed message it gives me to this message, "avg.txt".

ALSO! I wasn't able to run ComboFix because of the above problem. I can't turn my antivirus off or uninstall it, and it said it was not wise to run ComboFix with the AV running, so I didn't.

I get redirected to websites like "questbooster.com"; I will add more websites as I remember them or see them.

    MSconfig was already set to Normal Startup mode.
    I did the house cleaning (didn't find anything weird, did get rid of a bunch of old programs I don't use though).
    First scan did find something in the registry.


    Thank you in advance for giving me a hand here.
     

    Attached Files:

  2. Goldline

    Goldline Private E-2

That's what I get when I try to uninstall or reinstall AVG:

    Local machine: installation failed
    Installation:
    Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
    Access is denied.
     

    Attached Files:

    • AVG.txt (438 bytes)
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

See these instructions: How to temporarily disable your AV protection

    Please double-click the RootRepeal.exe previously downloaded.

    * Select File then Scan
    * On the Select Drives form select drive C by "ticking" the box for drive C and click OK
* When the scan is complete, highlight each of the following file(s) (one at a time if more than one is listed) by left-clicking it. Then right-click and select the Wipe File option only, for each file.
    c:\windows\temp\a065ee79-586a-459e-9b4a-f7b61457ead2.tmp
    * After Wiping all files, immediately reboot your pc!

    Now run Ccleaner to clean out only temp files and nothing else!

    Make sure these folders are empty:
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Helene\Local Settings\Temp\

    Did you set this:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. Goldline

    Goldline Private E-2

    So far so good it seems stable. Attached is the mglogs.zip you asked for.

    To answer your question I didn't install the "R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html", I don't even know what it is. How do I get rid of that please?
    I am in a routine when it comes to the internet, I stick to a few websites and I stay away from toolbars and such (sometimes though they seem to come closer on their own :-D).

    As for AVG, I was trying to disable it when it appeared "stuck", no icon in the icon tray, can't deinstall it either, I tried reinstalling, same, won't let me. I see its processes running though. Any idea how to fix that?

    Thanks a ton for your time!
     

    Attached Files:

  5. Goldline

    Goldline Private E-2

Latest update:

Darn it... I was browsing a website when another page opened out of the blue, and it crashed my Firefox. I wanted to copy the address of the website it wanted to take me to, but my browser crashed before I could copy it.
     
  6. Goldline

    Goldline Private E-2

I ran ComboFix; here are the ComboFix logs.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Combo caught the system file that was corrupt. You still have items in your temp folders to remove. So let's just let Combo have another run and check all your logs again.

    You should first go to AVG Removal Tools.

    Now:
    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Temp\01431646-6dbe-4caf-ae4b-196fdd2ca677.tmp
    C:\WINDOWS\Temp\01fc085f-9533-4926-a498-5e5a3137b208.tmp
    C:\WINDOWS\Temp\06bc39da-dd95-48bc-b9b6-136a514cf80d.tmp
    C:\WINDOWS\Temp\0ec1ee09-83a1-4115-bf8e-aae72e532943.tmp
    C:\WINDOWS\Temp\1c089919-6ea1-414a-83a6-c404e801589b.tmp
    C:\WINDOWS\Temp\24145c2e-ed7d-4081-a20d-5610569a3908.tmp
    C:\WINDOWS\Temp\29a963b7-a5cc-4356-9ab8-8bbaa820e151.tmp
    C:\WINDOWS\Temp\3922da08-6ab0-4f0e-a941-b35c52d0a5e6.tmp
    C:\WINDOWS\Temp\3e41438f-63af-498e-93da-b4061ab0abf7.tmp
    C:\WINDOWS\Temp\4941c2f7-607c-4fd2-8722-512f842bee6e.tmp
    C:\WINDOWS\Temp\4d0ad1b5-d0de-4353-9ad0-7d3544283704.tmp
    C:\WINDOWS\Temp\5d3af6b3-ddb0-4ffc-ad82-f8a3afd6319b.tmp
    C:\WINDOWS\Temp\6042a74a-1ce4-4894-b4f7-fa7e7c540344.tmp
    C:\WINDOWS\Temp\60903326-6d24-4739-80c8-87b59b842e72.tmp
    C:\WINDOWS\Temp\661daf46-4ebd-4cbc-8492-6663ac05938d.tmp
    C:\WINDOWS\Temp\6723b463-1fbe-4c42-bd73-4d7daa1a55b6.tmp
    C:\WINDOWS\Temp\6ceb9ea4-222b-4982-be74-c27960baed41.tmp
    C:\WINDOWS\Temp\77b338eb-3f6e-4f94-b95a-33a589a2bb2d.tmp
    C:\WINDOWS\Temp\7a2fd310-9059-42dc-8d7f-caf7f36ce926.tmp
    C:\WINDOWS\Temp\88822207-bd5a-46b6-a773-a308b120c474.tmp
    C:\WINDOWS\Temp\960c0dd2-57bc-42e0-84f2-0b4636efd4e8.tmp
    C:\WINDOWS\Temp\ae48d9b6-62c8-43fa-9300-c059f325fedb.tmp
    C:\WINDOWS\Temp\aec412ad-b9ab-4511-8d69-d8b707fc5bb8.tmp
    C:\WINDOWS\Temp\b51db1fd-b1c3-4262-8868-81f803834f78.tmp
    C:\WINDOWS\Temp\b5799247-970f-4f74-96c2-76df82b2c7cc.tmp
    C:\WINDOWS\Temp\c2b5d14f-5302-4296-bfb8-a0da44efa60f.tmp
    C:\WINDOWS\Temp\d244cfbe-b049-42db-92b6-1d5fa94ad711.tmp
    C:\WINDOWS\Temp\d361e4c5-18aa-42bb-82cc-bd6ffdd479fc.tmp
    C:\WINDOWS\Temp\d6af29da-db45-41a1-a8bc-f808fe5b78b1.tmp
    C:\WINDOWS\Temp\e6927b65-661c-4cc5-a214-0fd510a547b1.tmp
    C:\WINDOWS\Temp\eee113cd-6345-42b0-87a9-fcc9c0b57e96.tmp
    C:\WINDOWS\Temp\f412a8c8-af51-4aa7-b324-c7e94feb2207.tmp
    C:\WINDOWS\Temp\f7406dba-8777-43aa-9109-4bf6d409afdd.tmp
    C:\WINDOWS\Temp\f8fe1c64-151c-4948-85b3-eaaf96ebbb11.tmp
    C:\Documents and Settings\Helene\Local Settings\TempIMT22.xml
    C:\Documents and Settings\Helene\Local Settings\IMT23.xml
    C:\Documents and Settings\Helene\Local Settings\IMT24.xml
    C:\Documents and Settings\Helene\Local Settings\PK2D.tmp
    C:\Documents and Settings\Helene\Local Settings\PK2F.tmp
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Then reinstall your AVG program after rebooting and running CCleaner.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
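The two checks TimW asks for in posts 3 and 7 (whether the Internet Explorer search registry values still point at a hijacker URL, and whether the temp folders are actually empty after the wipe) can be verified from an Administrator PowerShell prompt. The script below is an added example for readers of this thread, not part of the thread or of the MajorGeeks tools; it assumes the profile path from the thread (user "Helene" on Windows XP) and treats any search URL that is not `about:blank` or hosted on microsoft.com as worth a second look.

```powershell
# Added example (not from the thread or MajorGeeks): audit the IE search/start
# registry values reported as R0/R1 lines in HijackThis-style logs, then report
# what is left in the temp folders the thread asked to be emptied.
# Assumption: run as Administrator; the profile path below is the thread's.

$checks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Search'; Names = @('SearchAssistant', 'CustomizeSearch') },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Search'; Names = @('SearchAssistant', 'CustomizeSearch') },
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Main';   Names = @('Start Page', 'Search Page', 'Default_Search_URL') },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Names = @('Start Page', 'Search Page') }
)

# A value is considered expected if it is about:blank or served from microsoft.com;
# anything else (e.g. the zpecialoffer.com URL from the thread) is flagged SUSPECT.
function Test-ExpectedSearchUrl {
    param([string]$Url)
    return ($Url -eq 'about:blank') -or ($Url -match '^https?://([^/]+\.)?microsoft\.com(/|$)')
}

foreach ($check in $checks) {
    $props = Get-ItemProperty -Path $check.Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { Write-Output ("{0}: key not present" -f $check.Key); continue }
    foreach ($name in $check.Names) {
        $value = $props.$name
        if ($null -eq $value) { continue }   # value not set in this hive
        $flag = if (Test-ExpectedSearchUrl $value) { 'ok' } else { 'SUSPECT' }
        Write-Output ("{0,-8} {1},{2} = {3}" -f $flag, $check.Key, $name, $value)
    }
}

# Temp folders named in post 3; TimW wants these empty after the wipe and CCleaner run.
$tempFolders = @(
    'C:\WINDOWS\Temp',
    'C:\Documents and Settings\Helene\Local Settings\Temp'
)

foreach ($folder in $tempFolders) {
    if (-not (Test-Path -Path $folder)) { Write-Output ("{0}: not found" -f $folder); continue }
    $leftovers = @(Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue)
    Write-Output ("{0}: {1} item(s) remaining" -f $folder, $leftovers.Count)
    # List GUID-named .tmp files like the ones in the CFScript, newest first, so
    # a file that reappears after reboot stands out as something still dropping them.
    $leftovers |
        Where-Object { $_.Name -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.tmp$' } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object { Write-Output ("    {0}  {1}" -f $_.LastWriteTime, $_.Name) }
}
```

Run it once before and once after the ComboFix/CCleaner steps: a `SUSPECT` line that survives, or a freshly timestamped GUID `.tmp` file that comes back after a reboot, tells the helper that something is still writing those values or files and the cleanup is not finished.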
