Malware Removal; Redirected to random sites when I click links

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by purpandgold, Dec 10, 2010.

  1. purpandgold

    purpandgold Private E-2

    Hi I followed the Malware Removal Guide and at the moment things seem fine. I would click links and they would randomly send me to random spam or search engine sites and from clicking around so far it seems like the issues may have been resolved, but I just want to make sure that they are so I am making a topic.

    I did not run RootRepeal because I have a 64 bit Windows 7 system. Also MGtools didn't seem to work for me because I ran it but it stayed stuck on this for a long time

    Running analyse.exe

    so I just decided to close it.

    Lastly I was wondering if I can configure my laptop to not show file extensions again because they kind of bother me. Will something bad happen if I do that?

    Hope to hear from you guys soon and thank you for the time!
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then try renaming MGTools.exe to magpie.com and perhaps reboot into safe mode to try again.

    If it really does not work then I suggest you run this so that I can give you a more complete fix.

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  3. purpandgold

    purpandgold Private E-2

    After changing MGTools.exe to magpie.com I got it to work.

    I'm not exactly sure if this is the right log file because the instructions confused me a little, but I went into Computer -> MGTools -> file log, so I'm hoping it's the right one.

    Thanks for the help so far!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! The instructions said "Do not look in the MGtools folder". The log is C:\MGlogs.zip
     
  5. purpandgold

    purpandgold Private E-2

    Mm, well that's the thing and the reason why I was confused... I don't have an MGlogs.zip in the C drive... or at least I can't find it...
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If either of those seem to run at all then now look to see if there is a C:\MGlogs.zip file to attach.
     
  7. purpandgold

    purpandgold Private E-2

    After putting in GetRunKey I got these popups

    Unsupported 16-Bit Application
    The program or feature "\??\C:\MGTools\ltime.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

    and also

    The program or feature "??\C:\MGTools\locate.com cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

    After putting in ShowNew I got the same thing

    Unsupported 16-Bit Application
    The program or feature "\??\C:\MGTools\ltime.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

    and also got the second message with the \locate.com in it repeatedly
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, lets try it this way

    Please click Start, All Programs, Accessories and you will see (among other things) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
    • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    SN64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.

    Any luck?

    If not then you should run this:

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  9. purpandgold

    purpandgold Private E-2

    I did Run As Administrator as you told me to, and after putting in GRK64 I got this

    64 bit Windows OS found
    adding: runkeys.txt (160 bytes security)(deflated 83%)

    and I also did get an MGLogs.zip in my C drive! I have attached it accordingly. I exited the command prompt after a while though because I couldn't enter SN64 and it seemed like it was done, so I hope that didn't do anything.

    After putting SN64 it also ran with no error messages and it produced a 'newfiles.txt.'

    I also got a 'runkeys.txt' after running the GRK64 but I closed it on accident so I wasn't able to attach it.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I gave you the wrong batch files to run. I gave you the 32 bit versions because in your first message you attached a ComboFix log and ComboFix previously did not run on 64 bit systems. Looks like it now has added support for x64.

    Let's see if the full scan will work now with MGtools. Please click Start, All Programs, Accessories and you will see (among other things) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
    • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetLogs <-- this will try to run all scans from MGtools. Tell me what error messages, if any, you see.


    If it seems to run, attach the updated C:\MGlogs.zip file.
     
    Last edited by a moderator: Dec 12, 2010
  11. purpandgold

    purpandgold Private E-2

    No problem!

    It seemed to run and here is the attached zip file.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your log, you did not disable UAC as requested, and that may be why you originally had problems running MGtools.exe to get logs. You need to disable UAC now, then reboot and continue with the below.

    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the instructions in my last message and attaching the log from TDSSkiller, immediately continue with the below.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 14

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54727
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\windows\TEMP
    C:\Users\Michael\Local Settings\TEMP

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
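The two HijackThis lines chaslang flags above (a user-level ProxyServer pointing at 127.0.0.1, and a BHO CLSID with "(no file)") are the kind of thing worth checking directly in the registry, both before a fix and afterwards to confirm it stuck. The following PowerShell script is an added example written for this page; it is not part of the thread, MGtools, HijackThis or ComboFix. It assumes Windows 7 or later with PowerShell 2.0 or newer, is run as the affected user, and only reports. The two commented-out lines that clear the proxy are left for you to run by hand once you have confirmed the proxy is not something you set up yourself.

```powershell
# Added example (not from the thread): audit the user-level proxy and the
# Browser Helper Object registrations that the HijackThis R1/O2 lines describe.
# Assumes Windows 7+ and PowerShell 2.0+; run in the context of the affected user.

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue

if ($p -and $p.ProxyEnable -eq 1 -and $p.ProxyServer) {
    Write-Host "Proxy enabled: $($p.ProxyServer)"
    # A proxy on the loopback address means some local process sees (and can
    # rewrite) every HTTP request the browser makes. Unless you installed such
    # a tool deliberately, treat it as suspect.
    if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
        Write-Warning 'Proxy points at the local machine'
    }
} else {
    Write-Host 'No user-level proxy configured'
}

# To clear an unwanted proxy, uncomment these after closing all browsers:
# Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
# Remove-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue

# BHO registrations live under HKLM. On x64 Windows the 32-bit IE (the one
# most BHOs target) reads the Wow6432Node view, so both views are checked.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# The CLSID -> DLL mapping (InprocServer32) can likewise be in either view.
$classRoots = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\Wow6432Node')

foreach ($key in $bhoKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($bho in Get-ChildItem -Path $key) {
        $clsid = $bho.PSChildName
        $dll = $null
        foreach ($root in $classRoots) {
            $srv = Get-ItemProperty -Path "$root\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)') {
                $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)').Trim('"')
                break
            }
        }
        if (-not $dll) {
            # This is the case HijackThis prints as "(no file)": the BHO is still
            # registered but no COM server is mapped to its CLSID.
            Write-Warning "$clsid : no InprocServer32 registered"
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            Write-Warning "$clsid : DLL missing on disk -> $dll"
        } else {
            Write-Host "$clsid : $dll"
        }
    }
}
```

Run it from an elevated PowerShell prompt so both HKLM views are readable; a warning for a CLSID with no server or no DLL on disk corresponds to the O2 line HijackThis shows. The script does not look under HKCU\Software\Classes, where a per-user COM registration could also point a BHO CLSID at a DLL, so a BHO reported here as unregistered could in principle still be resolved from there.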
  14. purpandgold

    purpandgold Private E-2

    Continuing on with the next steps right now
     

    Attached Files:

  15. purpandgold

    purpandgold Private E-2

    When I tried to delete the Local Settings\TEMP folder it said

    Location is not available
    C:\Users\Michael\Local Settings is not accessible.
    Access is denied.

    Besides that I followed all the rest of the steps, and I feel and hope that everything is working correctly so far. Thanks for all the help! I will post again if you guys find I didn't do something right or if something happens again :x
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not ask you to delete this folder. I asked you to delete files and folders in that folder. ;)

    Also you did not run ComboFix properly. You needed to make the CFScript.txt file and drag it on top of ComboFix.exe. You just ran ComboFix by double clicking on it, based on your log. Thus it did not fix what we want it to fix.


    You did not tell me how things are working.
     
  17. purpandgold

    purpandgold Private E-2

    Ahh crap

    Mmm, actually I did drag the CFScript.txt file onto the ComboFix.exe. It's just when I did that and ran it, it said that I had a version of ComboFix that had an error and that I would need to get it again. So I re-downloaded it, but it gave me the same message but it continued to run, so I figured it was ok. Ack. Could you give me the instructions over again?

    And as of now I haven't been redirected to anything yet, but I have been clicking and opening a lot less new tabs and links, so I'm not sure of the situation.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will work around the problem with ComboFix by using another tool.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
