Various Issues - Google Redirect, Can't Run .exe files, can't boot in ANY safe mode

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Amarea, Jul 3, 2009.

  1. Amarea

    Amarea Private E-2

    First off, please forgive me. I can only supply my HijackThis and Malware Bytes logs as they are the only programs I had installed prior to this problem.

    It started a week or so ago when I had the stupid Security System Pro problem. I downloaded HijackThis, Malware Bytes and AVG at that time and it took care of it. Or so I thought. After that all of my searches on Google started to be redirected unless I opened the cached version.

    Today I could not open any of my .exe files. It would open the "open with" dialogue box and I would have to go to the C drive, find the program file and click on the program there to get it to open. Basically telling it to open with itself.

    I tried to download ComboFix as it was suggested as well as the other downloads in the thread to read before posting. I cannot open or download any new programs. They won't open period. When I tried to download all the required stuff to post here, I am getting the message "Internet Explorer has encountered a problem and needs to close" and it won't even let me get to the page or it will download but it will pop up with the "Open With" dialogue box.

    I also cannot boot in ANY safe mode. It just restarts over and over when I try to boot in safe mode.

    AVG found and removed (so I thought) Manson\liser.exe but that's the only Trojan it's found other than some tracking cookies.

    Can anyone help? My HijackThis and Malware Bytes logs are below. As I stated earlier in the post, I can't even download the other programs to provide the additional logs.

    Thank you!
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to download the programs to a different computer and transfer via cd. We need to see the logs from running ComboFix and MGTools. There is no reason MGTools will not run.

    Let's do this in the meantime:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run HJT by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may pop up an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now use windows explorer to find and delete:
    C:\WINDOWS\system32\mswwyd.exe
    C:\WINDOWS\system32\msegt.exe

    Now see if you can install and run the other tools.
     
  3. Amarea

    Amarea Private E-2

    I removed those things from HJT as requested and still cannot open ComboFix or MGTools. Even from a CD.

    Message I get for MGTools = Failed to run GetLogs.bat, working dir = \MGtools (check to see if this file is in the EXE)

    Combofix literally opens a hundred "Open With" dialogue boxes.

    Please advise what to do next.
     
  4. Amarea

    Amarea Private E-2

    Also, the AVG I had could not be fully disabled so I had to uninstall it completely. I could only disable certain parts of it but not the Anti Virus portion.

    I did also discover that I cannot access the Add/Remove Programs either. I get an error. I had to use CCleaner to uninstall AVG.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did download MGTools to the C:\ drive? Have you tried renaming it? Have you tried changing it from .exe to .com? Look in the MGTools folder and try double clicking on C:\MGTools\analyse.exe. Try doing that for each of these:
    C:\MGTools\getrunkeys.bat
    C:\MGTools\shownew.bat
     
  6. Amarea

    Amarea Private E-2

    How do I change from a .exe to a .com?
     
  7. Amarea

    Amarea Private E-2

    ETA: never mind... I figured it out.

    I am still running into the same problem. I double click to open, it opens the "Open with" box. I browse and click the program again and it just continues to open new "Open With" boxes. When I finally just close out the boxes, it gives me the same error as before. Changing those file names didn't do anything either.
     
  8. Amarea

    Amarea Private E-2

    Analyse just runs HJT.

    Here is what I am getting when I try to run the other files you suggested:



    Running scan with GetRunKeys.Bat - (c) 01/28/2006 By Chaslang


    NOTE: Ignore any error messages about not finding registry keys!
    Just wait for the program to finish running!!

    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    'swreg' is not recognized as an internal or external command,
    operable program or batch file.
    ** GetRunKey.bat does not exist ** Make sure you have followed directions on
    the download page for MGtools!

    ** locate.com does not exist ** Make sure you have followed directions on
    the download page for MGtools!

    ** grep.exe does not exist ** Make sure you have followed directions on
    the download page for MGtools!

    ** ltime.exe does not exist ** Make sure you have followed directions on
    the download page for MGtools!

    GetRunKey.bat failed to execute because it has not been installed properly.
    Also check possible error messages and fixes on the download page
    for GetRunKey. GetRunKey will terminate now!

    C:\MGTools\temp\header0.txt
    Press any key to continue . . .
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The above explains your problem. You need to answer TimW's question.
    You were supposed to download and save MGtools.exe to the root folder of your C drive and run it from there. Where did you download it to and where are you running it from?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Delete the MGTools folder, MGTools.exe and the MGlog.zip if it exists. Use a different computer to download it and transfer via cd. Make sure you do put the MGTools.exe on the root drive (normally the c drive).

    Then see if it will run.
     
  11. Amarea

    Amarea Private E-2

    Ok, I downloaded directly to my C:\ Drive. Is there a subfolder I should be downloading to?
     
  12. Amarea

    Amarea Private E-2

    Tried it with the disc. "Open With" box opening repeatedly.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NO! You need to put it where the instructions stated and that is the root folder. Thus you should have C:\MGtools.exe

    And after you run it, there will also be a C:\MGtools folder which will contain all of the tools that are part of MGtools. And you will also have a file named C:\MGlogs.zip which will contain results of the various scans.
     
  14. Amarea

    Amarea Private E-2

    Ok, and as I posted above, all it does when I try to run it is open repeated "Open With" dialogue boxes. This is one of my biggest problems. Even saving it as a .com does not allow me to open it.

    I was able to get RootRepeal to run and have attached the log for it.
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How are you trying to run MGtools.exe? Are you running it from a Windows Explorer window by simply clicking on it? How did you get RootRepeal to run if MGtools.exe will not run?

    Can you do the following? Click Start, Run, and enter regedit in the box and click OK. Does the registry editor open?

    Does Malwarebytes still run? If so, run it and first make sure you update it by clicking the update tab. After updating, run a full scan and attach the new log.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis again by double clicking on it (select Do a system scan only) and select the following lines if any still exist (since this is a repeat of what TimW asked you to do) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\mswwyd.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\msegt.exe
    O1 - Hosts: 69.46.228.174 www.mypbadreams.net
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - (no file)
    O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msdqjhjq.exe
    O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
    O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
    O23 - Service: ghe3uydrt57iw54wuaehaamg80 - Unknown owner - C:\WINDOWS\ghe3uydrt57iw54wuaehaamg81.exe (file missing)
    O23 - Service: lgjrt6uiriri4u435846urhess80 - Unknown owner - C:\WINDOWS\lgjrt6uiriri4u435846urhess81.exe (file missing)
    O23 - Service: lich - Unknown owner - C:\WINDOWS\system32\lich.exe (file missing)

    NOTE: HJT may pop up an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    If you were able to run Avenger, attach the C:\avenger.txt log.

    Now see if you can get ComboFix and MGtools to run? If you can, then attach their logs.
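
Added example (not part of the original post and not a MajorGeeks tool): a small Python parser for the HijackThis entries listed in the post above. It shows which section each line belongs to, which entries point at files HijackThis already reported as absent, and the unique file paths left to check by hand after the reboot. The function names are hypothetical; the sample lines are copied from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# HijackThis entries copied verbatim from the post above.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\mswwyd.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msegt.exe
O1 - Hosts: 69.46.228.174 www.mypbadreams.net
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msdqjhjq.exe
O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O23 - Service: ghe3uydrt57iw54wuaehaamg80 - Unknown owner - C:\WINDOWS\ghe3uydrt57iw54wuaehaamg81.exe (file missing)
O23 - Service: lgjrt6uiriri4u435846urhess80 - Unknown owner - C:\WINDOWS\lgjrt6uiriri4u435846urhess81.exe (file missing)
O23 - Service: lich - Unknown owner - C:\WINDOWS\system32\lich.exe (file missing)
"""

# Meaning of the HijackThis section codes that appear in this thread.
SECTIONS = {
    "F3": "win.ini load=/run= value mapped into the registry",
    "O1": "hosts file redirection",
    "O2": "Browser Helper Object",
    "O4": "autostart from a Run key",
    "O20": "AppInit_DLLs value",
    "O23": "Windows service",
}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)")
HOSTS_RE = re.compile(r"Hosts: (?P<ip>\S+) (?P<name>\S+)")


@dataclass
class Entry:
    code: str                        # section code, e.g. "O4"
    meaning: str                     # what that section covers
    detail: str                      # rest of the log line
    path: Optional[str]              # file the entry points at, if any
    orphaned: bool                   # HijackThis reported the target as absent
    host: Optional[Tuple[str, str]]  # (ip, hostname) for O1 lines


def parse_log(text):
    """Turn HijackThis log text into Entry records, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, headers, running-process list
        detail = m["detail"]
        path = PATH_RE.search(detail)
        host = HOSTS_RE.match(detail)
        entries.append(Entry(
            m["code"], SECTIONS.get(m["code"], "other section"), detail,
            path.group(0) if path else None,
            bool(ORPHAN_RE.search(detail)),
            (host["ip"], host["name"]) if host else None))
    return entries


def referenced_files(entries):
    """Unique file paths named by the entries (case-insensitive), in log order."""
    seen, out = set(), []
    for e in entries:
        if e.path and e.path.lower() not in seen:
            seen.add(e.path.lower())
            out.append(e.path)
    return out


def section_counts(entries):
    return Counter(e.code for e in entries)


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.code:<4}{'orphaned' if e.orphaned else 'live':<9}{e.meaning}: {e.path or e.host or e.detail}")
```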
     
  17. Amarea

    Amarea Private E-2

    I am running it by clicking on it. When I do that, it pops up with an "open with" box. With SOME, not ALL, programs, I will click browse, go into my program files on the C:\ drive and choose the program again so in a sense, I am telling it to open by using itself. Some programs it works (like RootRepeal) and others it doesn't (like MGtools and ComboFix).

    Regedit will not work. It only opens an "Open With" box.

    Malwarebytes will still run if I open it the same way I listed above. However I cannot update it. I click updates, it downloads the updates and says that it will now close and install the new updates. When it does that, it again gives me an "open with" box but when I click Malwarebytes, it reopens the same version without the updates.

    I will attach the scan to my next post.

    Thank you for trying to help me!
     
  18. Amarea

    Amarea Private E-2

    Ok, I ran Avenger and got the error: Could not execute registry backup. (error - 2147221003: application not found). I've attached the log.

    Still running Malwarebytes.

    Still cannot run ComboFix or MGtools.
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach a new log from HijackThis.

    Also locate MGtools.exe and right click on it. Select the option that says Open. Does that work?
     
  20. Amarea

    Amarea Private E-2

    Malwarebytes log attached.

    Right click and open gets the "open with" box too.
     

  21. Amarea

    Amarea Private E-2

    New HJT attached
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Last edited: Jul 5, 2009
  23. Amarea

    Amarea Private E-2

    First file I get an error 404: File Not Found

    Second one gives me an error that says

    Script: C:\runMGT.vbs
    Line: 3
    Char: 1
    Error: ActiveX component can't create object
    Code: 800A01AD
    Source: MicrosoftVBScript runtime error
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try it again. I fixed the link.

    If you cannot run an exe after running this fixEXE.bat file, please download the below

    http://forums.majorgeeks.com/chaslang/files/fixEXE.inf


    and save it to your root folder. Then right click on it and select Install. Did that run? Can you run MGtools.exe now?
     
  25. Amarea

    Amarea Private E-2

    Installed both. Got the quick command prompt both times but still can't open MG. Also, Install wasn't an option, just open. So I did that.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Install should be an option. Apparently you have additional Windows problems besides malware.

    Do any of the below files still exist? If yes, see if you can delete them.
    C:\WINDOWS\system32\mswwyd.exe
    C:\WINDOWS\system32\msegt.exe
    C:\WINDOWS\system32\msdqjhjq.exe
    C:\Program Files\Manson\liser.exe
    C:\WINDOWS\ghe3uydrt57iw54wuaehaamg81.exe
    C:\WINDOWS\lgjrt6uiriri4u435846urhess81.exe
    C:\WINDOWS\system32\lich.exe
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also try the below. Right click on MGtools.exe and select Rename. Change the name to MGtools.bat Now try double clicking on MGtools.bat to see if it will run.
     
  28. Amarea

    Amarea Private E-2

    Ok, I got the Install option to show up and installed.

    None of those files are still there.

    Still can't open MG. Getting the error: failed to run GetLogs.bat, working dir = \MGtools (check to see if this file is in the EXE)
     
  29. Amarea

    Amarea Private E-2

    Can't open even with it renamed
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you rebooted your PC since running HijackThis and deleting files previously? If not, please reboot and try again.

    Either way see if you can run the below procedures. The procedures may be a little out of date with actual steps now but they should be similar.

    Using ESET's Online Scanner

    Using BitDefender Online Scan
     
  31. Amarea

    Amarea Private E-2

    Combo and MG are now running.

    I've attached the logs.

    You are awesome :-D
     

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's better.

    Now see if you can update MBAM and run a new scan and get the new log.

    Also run SUPERAntiSpyware and attach the log.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can skip the online scanners too since we have made some progress.
     
  34. Amarea

    Amarea Private E-2

    Logs attached for SAS and MalwareBytes
     

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your MBAM logs always show that you are taking no action. You need to fix things before saving the log. Did you fix these?

    Note: I hope you were not running MBAM and SAS at the same time. If so, never run any scans at the same time.
     
  36. Amarea

    Amarea Private E-2

    Yes I fixed all the MBAM issues.

    And yes, guilty as charged. I did. Which should I run first? I will rerun them if needed.
     
  37. Amarea

    Amarea Private E-2

    I'm heading to bed as I have to be to work in ummm 5 hours LOL...

    Please post your suggestions and I will do them when I get home tomorrow evening.

    Thanks for ALL of your help! You are the best!
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Always run steps as requested and run them one at a time. Never in parallel. ;) You don't need to run them again, but you do need to do the below.

    You ran ComboFix from here: E:\ComboFix.exe

    You need to put it on your Desktop as requested or remaining steps will not work.

    Also note that earlier when I asked you to rename MGtools.exe to MGtools.bat you did not do this properly. You renamed it C:\MGtools.bat.exe which means it was still trying to run as an EXE file rather than a BAT file. You probably had not followed step 1 of the READ & RUN ME properly to show file extensions and were not seeing the EXE extension.

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 5

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
    O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
