Google Redirect Virus; Certain Sites Blocked; Cannot Open .exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Eeled, Mar 1, 2010.

  1. Eeled

    Eeled Private E-2

    Hi! I would like to thank everyone beforehand for any possible help.
    My computer recently caught some problems, and here are some observations I saw:

    1. Google links redirected to random spam sites.
    2. Certain sites blocked. (Yahoo answers, bleepingcomputer, techforums, etc.)
    3. Cannot open some .exe files (Every time I try to open Spyware Doctor, Spybot, etc. I get a "___ has stopped working. Windows is checking for a solution to the problem." For some others, nothing pops up.)
    4. My computer is not running slowly.
    5. I get random "Internet Explorer has stopped working" (when I wasn't even using it). There's also a "Runll32.exe (<- or something similar to that) has stopped working..." randomly popping up sometimes.
    6. Windows Security is turned off and can't turn back on.

    I tried to follow some guides for people with similar symptoms, but the problem still persists.

    Some problems while trying to follow the Read and Run Me guide:
    1. Computer crashes when trying to install SAS.exe
    2. Successfully installed malwarebytes, but can't run it. (__ has stopped working, etc...)
    3. FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000f8) when trying to run RootRepeal.

    I managed to get a MGTools log. Hopefully I followed the directions correctly!
    Thank you again and sorry for the bother!
     

    Attached Files:

  2. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!


    Try not to restart the computer until one of the tools we use does it for you or tells you to.

    If one of the tools will not run just go on to the next one. Save the logs to post in your next reply.

    1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the next one.

    Vista and Windows 7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * When finished it will create a log.
    * Please post the rkill.log in the next reply.

    * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.


    Once you've gotten one of them to run then try to immediately run the following.


    2) Download and run exeHelper

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Add the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    3) If you already have Malwarebytes be sure to update it before running the scan!

    Download Malwarebytes' Anti-Malware (MBAM)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to the following:

    * Update Malwarebytes' Anti-Malware
    * Launch Malwarebytes' Anti-Malware

    * Then click Finish
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
     
  3. Eeled

    Eeled Private E-2

    Hi! Thanks for replying!

    Attached are the logs for rkill and exehelper. However, when I tried to run Malwarebytes, it still gives me "___ has stopped working. etc etc"


    I reran the exehelper two times in case I did something wrong, but it still can't open. :(
     

    Attached Files:

  4. evilfantasy

    evilfantasy Malware Fighter

    Try this please.

    Download ComboFix from one of the below links. You must rename it before saving it!

    Important! You MUST save ComboFix to your desktop.

    Link #1
    Link #2

    Rename ComboFix to Combo-Fix before saving it to the desktop.


    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click on Combo-Fix.exe & follow the prompts.

    Vista and Windows 7 users: right-click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    When the scan completes it will open a text window.

    Post the contents of that log in your next reply.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
     
  5. Eeled

    Eeled Private E-2

    When trying to run ComboFix, it seems Norton and Spyware Doctor were actually still running in the background.

    (According to Read&Run, there should only be one av, so I decided to just uninstall Norton.)

    However, I cannot temporarily disable Spyware Doctor. (I can't access the controls with the .exe blockage problem)

    I didn't think it was a good idea to run ComboFix with SD still in the background, or should I...?
     
  6. evilfantasy

    evilfantasy Malware Fighter

    Is it the free version of Spyware Doctor? If so just uninstall it to run CF.
     
  7. Eeled

    Eeled Private E-2

    Hi! Thanks a lot, I believe ComboFix did the trick!

    No more redirecting, and I can access my blocked .exe files now!

    I've attached the log. I don't know why, but for some reason, the headings are in Chinese?
     

    Attached Files:

  8. evilfantasy

    evilfantasy Malware Fighter

    Do you know what these are?


    Please go to Jotti's malware scan
    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

    * Copy the file path in the below Code box:
    Code:
    c:\windows\System32\shsvcs.dll
    * At the upload site, click once inside the window next to Browse.
    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    * Next click Submit file
    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    * This will perform a scan across multiple different virus scanning engines.
    * Important: Wait for all of the scanning engines to complete.
    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
     
  9. Eeled

    Eeled Private E-2

    Attached Files:

    • IDB.zip (131 bytes)
    • UDB.zip (1.1 MB)
  10. evilfantasy

    evilfantasy Malware Fighter

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created.
     
  11. Eeled

    Eeled Private E-2

    The MgTools log is attached =)
     

    Attached Files:

  12. evilfantasy

    evilfantasy Malware Fighter

    Disable Spybot's TeaTimer

    While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with any fixes we make. Please disable TeaTimer for now until you are clean.

    1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
    2. Run Spybot S&D
    3. Go to the Mode menu, and make sure Advanced Mode is selected.
    4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt and restart your computer.

    Note:
    If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.




    Go to Add or Remove Programs and uninstall:
    • Viewpoint Media Player



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
    • O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (file missing)
    • O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    • O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (file missing)

    After clicking Fix checked, exit HijackThis.



    Go to Start > Run and type Notepad.exe then click OK.

    Copy and paste the following text within the code box into the new Notepad file.

    Code:
    @ECHO OFF
    REM The service name contains spaces, so it must be quoted;
    REM otherwise sc treats only "Browser" as the service name and fails.
    sc stop "Browser Defender Update Service"
    sc delete "Browser Defender Update Service"
    exit
    In Notepad select File and Save as
    Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

    Next double click fixservice.bat to run it.
    A black box should open and close after a short time, this is normal.
    Do not continue until the black box has closed
    Delete fixservice.bat from the Desktop.



    Now locate and delete these folders (if found):

    C:\Program Files\Spyware Doctor
    C:\Program Files\AVG

    Run CCleaner and then restart the computer.



    You need to install an antivirus. These are all free and work very well. Only install one!

    1) Avast! Home Edition
    2) AVG Free Edition
    3) Avira AntiVir Personal
    4) Microsoft Security Essentials for Windows Vista\Windows 7



    Now you need to update Windows with some Service Packs. Vista is currently at SP2 and you have not even gotten SP1.

    Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)



    How is your computer running now?
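    The four O2/O3 lines selected above are the HijackThis entries whose registered DLL no longer exists on disk (marked "(file missing)" or "(no file)"), which is why they are safe to remove. The following Python script is an added example, not code from the thread or from HijackThis, that parses such lines and reports the orphaned entries. It assumes the line layout shown in the thread ("O2 - BHO: <name> - {CLSID} - <path>"); the first four sample lines are the ones quoted in this post, and the fifth is a constructed healthy entry with a placeholder CLSID and path.

```python
import re

# Layout of HijackThis O2 (BHO) and O3 (Toolbar) lines, as quoted in the thread.
# The CLSID is always 36 characters inside braces.
HJT_LINE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.*)$"
)

# Sample input: the four lines from the thread, plus one constructed healthy
# entry (placeholder CLSID and path, not taken from the thread).
SAMPLE_LINES = """\
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\\Program Files\\Spyware Doctor\\BDT\\PCTBrowserDefender.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\\Program Files\\Spyware Doctor\\BDT\\PCTBrowserDefender.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
"""


def parse_hjt_line(line):
    """Parse one O2/O3 line into a dict, or return None for other line types."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest == "(no file)":
        # Registered CLSID with no InprocServer32 path at all.
        path, missing = None, True
    elif rest.endswith(" (file missing)"):
        # A path is registered but the DLL is gone (e.g. an uninstalled product).
        path, missing = rest[: -len(" (file missing)")], True
    else:
        path, missing = rest, False
    return {
        "section": m.group("section"),
        "kind": m.group("kind"),
        "name": m.group("name"),
        "clsid": m.group("clsid").upper(),
        "path": path,
        "orphaned": missing,
    }


def orphaned_entries(text):
    """Return the parsed O2/O3 entries whose DLL is missing, in input order."""
    entries = [parse_hjt_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in entries if e and e["orphaned"]]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LINES):
        print(f'{e["section"]} {e["kind"]:8} {e["clsid"]}  {e["name"]}  -> {e["path"] or "(no file)"}')
```

An orphaned BHO or toolbar entry loads nothing, so removing it cannot break a working program; that is the same reasoning behind selecting those four lines for Fix checked, while a line whose DLL still exists (like the constructed fifth sample) needs a closer look before it is touched.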
     
  13. Eeled

    Eeled Private E-2

    Sorry for the late reply!
    My computer is running great now. :hyper

    Thank you SO much for the help!
     
  14. evilfantasy

    evilfantasy Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
