Browser Redirection/AV8 (return of previous infections)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mpizzo10, Dec 30, 2010.

  1. mpizzo10

    mpizzo10 Private E-2

    First off, thank you for your help. A few months ago, a friend was having trouble with a PC, so I came here to get it fixed. The PC was really swamped by a false virus protection (Antivirus 8), the browsers were being redirected, and I couldn't access Windows Update.

    Chaslang helped me solve those issues, but it seems some of the problems have resurfaced. The owner of the PC told me that his browsing was being redirected. I came over and ran a MSE and MBAM scan. MSE found two infections located in the folder of AV8 (which I cannot find). MBAM also found 4 infections. After that, I did not have issues with web browsing.
    I posted here (in the old thread) to make sure that my fix wasn't superficial. Chaslang requested I start a new thread and follow the outlined Read & Run Me steps. I started doing that this morning. Last night, after I left the PC owner's house, he noticed AV8 running a "scan".

    I followed the steps today. My web browsing issues returned, but in a weird fashion. After running ComboFix, I could no longer access MajorGeeks or BleepingComputer. FF would tell me that the connection timed out, and IE would tell me that the page could not be displayed.

    I have seen instances where an infection blocks you from PC help sites, but never just two of them. Obviously, I didn't go through every PC help site, but I could access all of the ones off of the top of my head. I am now able to access both sites on IE and FF.

    Technically, I am not encountering any issues, but I have the feeling that AV8 will rear its ugly head again.

    One other thing, the MBAM log I am posting will be the one that found no infections. This log is from the scan I did today in following the steps of the Read & Run ME. The log from the scan that found 4 infections can be found in the original thread, which is now closed.

    Original thread: http://forums.majorgeeks.com/showthread.php?t=227297

    Thank you again.
     

    Attached Files:

  2. mpizzo10

    mpizzo10 Private E-2

    MBAM log.
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, mpizzo10

    Please be patient while I review your logs.

    dr.m
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    *Comment: Giving all users of this PC "Administrator Accounts" is bound to lead to problems.

    Other than the tools our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately, leaving only shortcut links. [ C:\Documents and Settings\Mario Graziano\Desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    Consider updating this version Mozilla Firefox (3.6.12) to the most recent release: Mozilla Firefox 3 3.6.13 Final

    *I see no malware, but we have some leftover files and folders to remove. You also should upgrade your installed RAM for better performance. The minimum we recommend for XP SP3 is 1 GB, but it is highly recommended to have 2 GB.
    Step 1:
    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 2:
    Using Windows Explorer - navigate to and delete:
    • Leftover Files:
      C:\aaw7boot.log
      C:\ViewpointKiller.log
    • Leftover Folders:
      C:\Documents and Settings\LocalService\Local Settings\Application Data\Viewpoint
      C:\Documents and Settings\Mario Graziano\.limewire
      C:\Documents and Settings\Mario Graziano\Application Data\AVG10
      C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
      c:\program files\Lavasoft

    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the new C:\MGlogs.zip file to your next reply.


    *What malware problems are you still experiencing?
    dr.m
     
    Last edited: Dec 31, 2010
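    The comment above about every user on this PC having an Administrator account is the security point most worth checking before declaring the machine clean. The script below is an added example, not part of this thread or of the MGtools procedure: it lists every local account, flags which ones sit in the local Administrators group, and prints the standard `net localgroup` commands that would move the extra admins to the Users group (it changes nothing by itself). It assumes Windows PowerShell running on the PC itself, the default "Administrators" and "Users" group names, and the XP built-in account names noted in the code; the account name used in the usage call is the one visible in the Desktop path above.

```powershell
# Added example (not from the MajorGeeks thread): audit which local accounts
# hold Administrator rights on a shared PC so that it can be reduced to one
# admin account plus standard-user accounts for everyone else.
# Assumptions: run locally in Windows PowerShell; the WinNT ADSI provider and
# the built-in "Administrators" / "Users" group names are the Windows defaults.

function Get-LocalAccountAudit {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Members of the local Administrators group, resolved to plain names.
    $adminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $adminNames = @($adminGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    # Every local user account on the machine, built-in ones included.
    $machine = [ADSI]"WinNT://$ComputerName"
    $users = $machine.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'user' }

    foreach ($user in $users) {
        $name  = $user.psbase.Name
        # UserFlags bit 0x2 (ADS_UF_ACCOUNTDISABLE) marks a disabled account.
        $flags = [int]$user.psbase.Properties['UserFlags'].Value
        New-Object PSObject -Property @{
            Account  = $name
            IsAdmin  = ($adminNames -contains $name)
            Disabled = (($flags -band 2) -ne 0)
        }
    }
}

function Show-AdminReductionPlan {
    param([Parameter(Mandatory = $true)][string]$KeepAdmin)

    # Built-in XP accounts that should be left alone by this plan.
    $builtIn = @('Administrator', 'Guest', 'HelpAssistant', 'SUPPORT_388945a0')
    $audit   = Get-LocalAccountAudit

    $audit | Format-Table Account, IsAdmin, Disabled -AutoSize

    foreach ($entry in $audit) {
        $extraAdmin = $entry.IsAdmin -and -not $entry.Disabled -and
                      $entry.Account -ne $KeepAdmin -and
                      ($builtIn -notcontains $entry.Account)
        if ($extraAdmin) {
            # Print, do not run: review the list, then run these yourself
            # from an elevated prompt. The /add line is harmless if the
            # account is already in Users (net reports it and continues).
            Write-Host ('net localgroup Administrators "{0}" /delete' -f $entry.Account)
            Write-Host ('net localgroup Users "{0}" /add' -f $entry.Account)
        }
    }
}

# Usage: keep one admin account (name taken from the Desktop path in this
# thread) and print the commands for demoting every other enabled admin.
Show-AdminReductionPlan -KeepAdmin 'Mario Graziano'
```

Run it once before the final cleanup steps and once after the group changes; the second run should show exactly one enabled account with IsAdmin set to True besides the built-in Administrator. Keeping the remaining accounts in Users is what stops a rogue "scanner" like AV8 from installing system-wide the next time someone on the PC clicks the wrong thing.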
  5. mpizzo10

    mpizzo10 Private E-2

    Dr. M, thank you for your help. I ran the scans as requested. Few things:

    1) Administrator Privileges/User Accounts: Is there a quick way to combine all user accounts into one? I don't want to have separate accounts anymore (I thought I did when first installing XP). If not, what is the best way to handle the admin privileges.

    2) When removing the files and folders suggested, I could not find "c:\program files\Lavasoft". I had no trouble with the others.

    3) Obviously, one of the scans tells you what I have on my desktop. With the logs attached to this post, are you able to tell if I have removed everything I should from the desktop?

    4) Meant to mention this earlier: When following the Read & Run Me directions, I checked Add/Remove Programs for the software mentioned on that list. I found MyWaySearchAssistant, however there was no option to remove it.

    5) Is Newegg the best place to look for RAM?
    Thank you again for your time.
     

    Attached Files:

  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, mpizzo10

    Answers to your questions
    (1) To change a user's group or account type with Windows XP Pro
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/usercpl_overview.mspx?mfr=true

    *Please start a new thread in our Software Forum for any additional work on your PC's accounts.
    (2) Not a problem if it wasn't found
    (3) "Spyware Doctor" offers no ability to remove anything that is detected, unless you purchase it. Personally, I don't see the need for it - the freeware versions of MBAM & SAS serve me very well.
    (4) Removing unwanted "MyWaySearchAssistant"
    (5) Yes, Newegg has good prices.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Your logs look good! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Safe surfing and "Happy New Year!"

    Support MajorGeeks!
     
