Redirected browser or Pop up

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jrcrook, Apr 4, 2007.

  1. jrcrook

    jrcrook Private E-2

    My work network is my homepage on Explorer. If I am not logged in when I launch I get a pop up or it redirects me to another web site that I don't want to be at.

    I have done everything in the Read me first area.

    Need help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    No, you have not! If you follow the directions, they state that you need to attach the 6 requested logs if you need help after running the READ ME.

    If you try to access a home page that is unavailable, based on what you have set up on your PC it is going to redirect to something other than your Home page since it has no choice. You should be more specific and say where you are being redirected to.
     
  3. jrcrook

    jrcrook Private E-2

    Sorry about that. Here are the first 3. The redirect is Newpics4you.com
     

    Attached Files:

  4. jrcrook

    jrcrook Private E-2

    Here are the next 3.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Were the below Policies created by your work place?
    Now run this WareOut Removal and attach the FixWareOut log when you return.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{06152254-B3D3-4FC4-9588-5E4694DACA75}: NameServer = 85.255.116.138,85.255.112.19
    O17 - HKLM\System\CS1\Services\Tcpip\..\{06152254-B3D3-4FC4-9588-5E4694DACA75}: NameServer = 85.255.116.138,85.255.112.19
    O17 - HKLM\System\CS2\Services\Tcpip\..\{06152254-B3D3-4FC4-9588-5E4694DACA75}: NameServer = 85.255.116.138,85.255.112.19

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete the below if found (FixWareOut may have deleted them already):
    C:\WINNT\SYSTEM32\CSJMA.EXE
    C:\WINNT\SYSTEM32\SEVEN.EXE
    C:\WINNT\SYSTEM32\FAVSET.EXE

    Now run Ccleaner.
    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.
    1. FixWareOut log
    2. GetRunKey
    3. HJT


    Make sure you tell me how things are working now!
     
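    As an added illustration (not part of this thread or any of the tools named in it), the script below parses HijackThis O17 lines like the three quoted above and reports, per interface GUID, which control sets (CCS, CS1, CS2) still carry a public resolver that is not on an allow-list. The sample log, the allow-list address 10.0.0.53 and the fourth benign O17 line are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample: the three O17 lines quoted in this thread plus one
# benign interface (constructed GUID and address) pointing at an internal resolver.
HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{06152254-B3D3-4FC4-9588-5E4694DACA75}: NameServer = 85.255.116.138,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{06152254-B3D3-4FC4-9588-5E4694DACA75}: NameServer = 85.255.116.138,85.255.112.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{06152254-B3D3-4FC4-9588-5E4694DACA75}: NameServer = 85.255.116.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 10.0.0.53
"""

# Hypothetical allow-list: the resolvers the work network is expected to hand out.
APPROVED_RESOLVERS = {"10.0.0.53"}

# One O17 line: control set, interface GUID, comma-separated NameServer list.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[\d.,]+)$"
)


def parse_o17(log_text):
    """Return (control_set, interface_guid, [servers]) for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in m.group("servers").split(",") if s]
            entries.append((m.group("cs"), m.group("guid"), servers))
    return entries


def rogue_nameservers(log_text, approved=APPROVED_RESOLVERS):
    """Map each interface GUID to {control_set: [unapproved public resolvers]}.

    Private/internal addresses are never flagged; a public resolver is flagged
    unless it is on the allow-list. An empty result means every control set is clean,
    which is what a re-run after the HijackThis fix should show.
    """
    findings = {}
    for cs, guid, servers in parse_o17(log_text):
        bad = [s for s in servers if s not in approved and ip_address(s).is_global]
        if bad:
            findings.setdefault(guid, {})[cs] = bad
    return findings


if __name__ == "__main__":
    for guid, per_cs in rogue_nameservers(HJT_LOG).items():
        for cs, servers in sorted(per_cs.items()):
            print(f"{guid} [{cs}]: unapproved NameServer {','.join(servers)}")
```

Running it over a fresh log after the fix shows at a glance whether any control set (such as the CS2 line missed later in this thread) still points at the rogue resolvers.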
  6. jrcrook

    jrcrook Private E-2

    The only thing is I could not get it to boot in safe mode. Tried 7 times and it would lock up at starting Windows. Did everything in normal mode. Tested and everything is back to normal. Thanks so much. Here are the logs you requested.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question about those policies.

    Also you missed one O17 line. Fix the below:
    O17 - HKLM\System\CS2\Services\Tcpip\..\{06152254-B3D3-4FC4-9588-5E4694DACA75}: NameServer = 85.255.116.138,85.255.112.19

    Attach a new HJT log.
     
