What is this "Redirect" "Malware" Spyware?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ladycarr, Oct 8, 2007.

  1. Ladycarr

    Ladycarr Private E-2

    HI! I am confused and need help. I think I have been invaded by a spyware infection trying to sell anti-spyware sanctioned by Microsoft???

    First, I used AVG Free, CCleaner, and Spybot Search & Destroy. They found stuff... asked for it to be corrected... ran the program again... says it's clear.

    I am getting continuous pop up " Windows antivirus Windows has detected spyware infection! It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you Click here to protect you computer from spyware!"

    and "Warning Potential Spyware Operation Your computer is making unauthorized copys of you system and internet files. Run full scan now to prevent any mallisious access to you files Click here to download spyware removal " They seem to be selling AV System Care.


    The pop up is constant.

    What if I used the "restore option" to go back to a couple of days ago?

    Thank you for your help.

    Ladycarr
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Ladycarr

    Ladycarr Private E-2

    Thank you for your help. Working my way through "read & run me first".

    Under "use Add/Remove through Control Panel", I am denied access and asked to contact the administrator.

    Also these links keep popping up: //avsystemcare.com "SpywareRemoval" and //nowayvirus.com. One is definitely on the Add/Remove list.

    Will move forward with read me first and come back to add/remove.
     
  4. Ladycarr

    Ladycarr Private E-2

    Also, as I used Control Panel, Run, MSConfig, General tab, Normal, Apply, ... it gave me the option to restore to a previous date. I chose Sept 15. It tried to do it and said it couldn't be done.

    Also, my Spybot under Start, All programs, .. is highlighted and it keeps sending popups asking me to deny registry changes.

    P.S. Now it won't let me open the link on how to clean out quarantined items. It just will not open.

    This bug is biting me at every turn!


    Ok... I'll just keep going
     
    Last edited: Oct 9, 2007
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to continue on through the steps in the READ ME even if you cannot access Add/Remove Programs. Also only do what we ask you to do. Do not experiment on your own anymore (like using System Restore).
     
  6. Ladycarr

    Ladycarr Private E-2

    Dear Chaslang:

    Thank you for all your help!! I finished the "Run Me First" procedures and right now the computer seems very good.

    The virus must have taken my Control Panel icon... now it is back. It made my computer say that my computer was restricted and I needed to see the system administrator in Add/Remove Programs... now I can access it.

    In AVGfree virus vault there were 64 quarantined files.. virus "host", trojan "general". I saved a copy of the list in case we needed it.

    When I was being infected the web addresses I saw included: http:/ nowayvirus.com and http:/ avsystemcare.com/data/index.......

    Attached please find the log files. I can't seem to get the AVG virus list to attach. The AVG file ends in the extension .csv. Maybe I could save it to a WordPerfect or Microsoft Word file to be able to upload it. Thank you again for all your help.

    Jeanie (Ladycarr)
     


    Last edited: Oct 15, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why didn't you run AVG Antispyware as requested in the READ ME?

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Jeanie\xl10041.exe
    C:\WINDOWS\system32\6260715975.sys
    C:\WINDOWS\system32\7559716062.sys

    Now run Ccleaner

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
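    Added example, not from this thread, MajorGeeks, or HijackThis: a small Python triage script that applies the kind of rules the helper used in the post above (a numeric, random-looking file name in system32, an executable dropped straight into a user profile root, an O9 entry that says "(no file)", a ShellNext value holding a URL) to HJT-style log lines and to the safe-mode delete list from that post. The O4 line for xl10041.exe and the O23 AVG service line in the sample are constructed for contrast; the other lines are quoted from the post. Rule names, the digit-ratio threshold and the helper names are my own choices, not anything HijackThis defines.

```python
"""Triage HijackThis-style log lines and file paths the way a helper reads them.

Added example for this thread; it is not part of the MajorGeeks READ & RUN ME
or of HijackThis. The log entries are the ones quoted in the post above; the
O4 line for xl10041.exe and the O23 AVG line are constructed for contrast.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [xl10041] C:\Documents and Settings\Jeanie\xl10041.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
""".strip()

# The files chaslang had deleted from safe mode (quoted from the post above).
SAFE_MODE_DELETE_LIST = [
    r"C:\Documents and Settings\Jeanie\xl10041.exe",
    r"C:\WINDOWS\system32\6260715975.sys",
    r"C:\WINDOWS\system32\7559716062.sys",
]


@dataclass(frozen=True)
class Finding:
    entry_type: str  # HijackThis section prefix ("O4", "R1", ...) or "FILE"
    target: str      # path, URL or CLSID the rule fired on
    reason: str      # short rule name (names are this example's own)


O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O9_RE = re.compile(r'^O9 - (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$')
R_RE = re.compile(r'^(?P<type>R[013]) - (?P<key>[^=]+?)\s*=\s*(?P<value>.+)$')
# A file sitting directly under a user profile root is rarely a legitimate autorun.
PROFILE_ROOT_RE = re.compile(r'^[A-Za-z]:\\(?:Documents and Settings|Users)\\[^\\]+\\[^\\]+$', re.I)


def image_path(cmd: str) -> Optional[str]:
    """Pull the executable out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = re.match(r'(.*?\.(?:exe|dll|sys|scr|bat|cmd|pif|com))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else None


def random_looking(basename: str) -> bool:
    """Heuristic: a stem of 5+ chars that is at least half digits (6260715975.sys, xl10041.exe)."""
    stem = basename.rsplit('.', 1)[0]
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 5 and digits * 2 >= len(stem)


def check_path(entry_type: str, path: str) -> List[Finding]:
    """Path rules shared by Run-key entries and plain file lists."""
    out: List[Finding] = []
    if PROFILE_ROOT_RE.match(path):
        out.append(Finding(entry_type, path, 'profile-root-drop'))
    if random_looking(path.rsplit('\\', 1)[-1]):
        out.append(Finding(entry_type, path, 'random-looking-name'))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run the rules over HJT log lines; anything not flagged is left alone."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := O4_RE.match(line)):
            path = image_path(m.group('cmd'))
            if path:
                findings.extend(check_path('O4', path))
        elif (m := O9_RE.match(line)):
            # An IE toolbar button whose target no longer exists: orphaned, safe to fix.
            if m.group('file').strip().lower() == '(no file)':
                findings.append(Finding('O9', '{' + m.group('clsid') + '}', 'orphaned-entry'))
        elif (m := R_RE.match(line)):
            # ShellNext is normally empty; a URL here is usually OEM/ISP setup leftover.
            if 'ShellNext' in m.group('key') and m.group('value').lower().startswith(('http://', 'https://')):
                findings.append(Finding(m.group('type'), m.group('value'), 'shellnext-url'))
    return findings


def triage_paths(paths: List[str]) -> List[Finding]:
    """Apply the same path rules to a plain list of files (e.g. a delete list)."""
    return [f for p in paths for f in check_path('FILE', p)]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG) + triage_paths(SAFE_MODE_DELETE_LIST):
        print(f'{f.entry_type:4} {f.reason:20} {f.target}')
```

    Run it as-is and the four entries chaslang asked to have fixed are the only log lines that produce a finding; the QuickTime, Java updater and AVG lines pass silently. The same `check_path` rules, applied to the three safe-mode delete targets, flag all of them, two of them purely on the digits-only name. Heuristics like these are a starting point for reading a log, not a verdict: a real helper still checks the file's signature, publisher and creation time before asking for it to be deleted.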
  8. Ladycarr

    Ladycarr Private E-2

    Hi!

    Thank you for your last post. Why didn't I run AVG Antispyware?.... "Senior Moment". My brain thought AVG Free, thus AVG Antispyware. Sorry.

    Well, I ran AVG Antispyware. The first time it found something in my old hard drive archive.... kill2me, embedded.... So I thought about it and ran it again and deleted it, because I don't use the D: hard drive... it just has old stuff on it from my old computer.

    Uninstalled Java 2.... there is another update Java that I didn't touch.

    Ran HijackThis... which is in MGTools (right?) and checked and "fix" the files you mentioned.

    After figuring out how to do safe mode I went into the Jeanie account and could not find the three files I am to delete. Went into the Administrator account and found just the one, xl10041.exe, which I deleted... it went into the Recycle Bin. I then found CCleaner, using only the default settings on the Windows tab. Maybe AVG Antispyware got the other two????

    Only weird thing is that when I went to search again... just to make sure... only my mouse would work.... not my letter keyboard. It seems to work fine in the Jeanie account.

    Attached please find the files requested. I will use the computer for a little while and then follow "system restore step 8" if it is ok.

    Thank you for all your help.

    Best regards.

    Jeanie (Ladycarr)
     
  9. Ladycarr

    Ladycarr Private E-2

    Another senior moment.... attached please find the files
     


  10. Ladycarr

    Ladycarr Private E-2

    I found another GetRunKey in the folder with ShowNew.... I am using the search in Windows to find the files... Also I did not find a file named HJT... with the exception of something on my old hard drive, an image from 2003. Please disregard; this file is not helpful.

    Thank you.

    Jeanie
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! I did not explain this to you. I had you run a newer version of the READ & RUN ME which is not officially in use yet. While it makes things much easier and faster for everyone to complete the process, the process of getting additional logs after doing fixes needs to be explained more clearly now, since many steps are taken out of your hands during the running of MGtools.exe. Even getting into safe mode (which was in the original READ ME) was not needed while running the new READ & RUN ME.

    MGtools.exe creates a C:\MGtools folder.
    In this folder are a bunch of files. The most frequently used and of importance to you are:
    • GetRunKey.bat - used to get a new runkeys.txt log
    • ShowNew.bat - used to get a new newfiles.txt log
    • analyse.exe - which is a renamed HijackThis.exe file. You can just double click on analyse.exe to get a HijackThis log when requested.
    • GetLogs.bat - will automatically get all of the above logs plus a couple more and will automatically put all the logs into the C:\MGlogs.zip file to make attaching logs easier.
    All of the lines I asked you to fix with HijackThis are still in your current HJT log (in the MGLogs.zip file you attached). Did you forget to do that step or did you forget to click Fix checked after selecting each line? Or did you get the log before you fixed the items? You need to make sure those items were fixed.

    You also did not tell me how things are working.
     
  12. Ladycarr

    Ladycarr Private E-2

    Hi!

    I just ran MGTools again and looked for the lines mentioned. They were not there. I must have attached an old log.

    When trying to attach GetLogs.bat in the MGtools folder it says "upload errors, invalid file". I am getting this error message for all files I am trying to upload (attach) for you.

    I did a search for analyse.exe and found a folder in caps in C:\WINDOWS\Prefetch\ANALYSE.EXE-OD... It also would not upload.

    I did a search for files modified today. Below please find the HJT log... the only one that would upload for me.

    Thank you for all your help. Am I ready to continue with the directions to restore to a past time? How far back should I go? June 2007?


    Sincerely yours,

    Jeanie
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not supposed to be trying to attach GetLogs.bat; also, you did not need to run MGtools.exe again. Running MGtools installs all the programs and also automatically runs the scans and creates the logs, as I stated in my previous message. You just needed to double-click on the C:\MGtools\GetLogs.bat file, which will run the scans and create the MGlogs.zip file, which is what you would attach.

    Again, I'm not sure why you are searching for this or trying to upload it. It is not what was requested. In the C:\MGtools folder you will see an analyse.exe file. This is a copy of the HijackThis.exe file which has been renamed to analyse.exe. We rename it because some forms of malware will hide themselves if they see hijackthis.exe running, but they will not recognize analyse.exe as HijackThis.


    Why do you want to use System Restore? If you restore to an older point you could just bring back any problems and malware that were already removed.

    Your current HijackThis log is clean. Are you still having problems??
     
  14. Ladycarr

    Ladycarr Private E-2

    Hi! No, I don't seem to be having any problems... with the exception that when I turn on the computer the boot is slower than it used to be... and Yahoo Mail is very slow to come up compared to how it used to be. This I can live with.

    Oh... I'm sorry, I thought the MGtools.zip file was the package the HJT programs were in and that they were unzipped from this file and installed on my computer. Sorry I was confused.

    I do not want to use system restore if I don't have to. I had a few problems in July and August and I am not sure that I would not be getting my problems back.

    Is there anything else I need to do? Can I keep AVG Antispyware turned on, and AVG Free? I hope my computer is safe.

    I think I was infected when I was searching for Black & Decker Infrawave toaster ovens... (the one I bought was junk). The blurb said buy one get one free... I clicked on it and whamo, porn everywhere and ads wanting me to buy anti-spyware. :(

    Thank you for all your help.

    Best regards,

    Jeanie
     


  15. Ladycarr

    Ladycarr Private E-2

    Hi!

    Well, I spoke too soon.

    I am now having problems with my Wordperfect E-Mail.

    "Runtime Error. Program: C:\Program Files\WordPerfect Mail\Programs\bin\WPMail.exe This program has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information."

    I used it earlier today, but now I can't check my mail at all.

    Thank you for your help and comments.

    Jeanie Ladycarr
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This does not appear to be malware. I would suggest you rethink the items you have installed and are running at startup. For example, do you really need to use the below:

    Google Toolbar
    Musicmatch Jukebox
    Quickbooks
    Yahoo Search Protection
    Yahoo Toolbar

    Also consider uninstalling Ad-Aware 2007 unless you are going to purchase it. The free version offers no protection but always runs a service that wastes system resources and slows your PC down.

    Do you use InstallShield to automatically get updates or do you get updates on your own?


    Yes that is correct.

    At the end of malware cleaning, we have you toggle system restore off and then back on to flush all old restore points which could be infected. The final steps given below will discuss this.

    AVG Antispyware will only be a scanner after the 15 day trial period is over. At that time it will provide no protection from malware.



    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\newfiles.txt, C:\runkeys.txt, C:\GetUnKey.txt, and C:\MGlogs.zip logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not really a malware issue. If it keeps happening, you could try reinstalling WordPerfect. Otherwise try posting in the Software Forum about this problem.
     
  18. Ladycarr

    Ladycarr Private E-2

    Thank you Chaslang, for all your help. I think the computer is working well now. I tried to get my E-mail program WordPerfect Mail to work.. but it has a runtime error and the Tech Support at Corel basically said that I have probably lost all in my mailbox and that WordPerfect Mail is not a program ready for "prime time".

    To be honest, I am a little worried that I did not finish the last steps like I was supposed to. Wanted E-mail to work first. Will complete now.

    Thank you for all your help. Do you have an E-mail program that you like? I did not like Outlook Express because I could not get the spell check to work.

    Have a great week.

    Best regards,

    Ladycarr Jeanie
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have no real preference here. I use Outlook Express but that is mainly because I need it at work.
     
