Redirection problems and general slower running of PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by x0pticLukeZz, Feb 6, 2012.

  1. x0pticLukeZz

    x0pticLukeZz Private E-2

    Hey all,

    I've been having some redirection problems to various websites, sometimes from Google and sometimes if I type a URL in myself.

    I've followed the steps from the sticky on this subject up to step 4, my TDSSkiller log is attached. Should I continue on to run the MBRCheck?

    Thanks!:)
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    Yes! And then continue on with the READ & RUN ME which is mentioned right after MBRcheck.
     
  3. x0pticLukeZz

    x0pticLukeZz Private E-2

    MBRCheck log is attached
     

    Attached Files:

  4. x0pticLukeZz

    x0pticLukeZz Private E-2

    Attached are logs from SAS, MBAM and MGtools.

    Combofix would not run past the extraction stage; it displayed no blue screen as shown in the instructions.

    RootRepeal is not included since I am using Windows 7 x64.

    Also, MGtools displayed an error message stating that HiJackThis couldn't access the Hosts file for some reason.

    I'm still having redirection problems after performing all the cleanup procedures and scans! I think it started a day or two ago. I'm afraid I'm not sure what I was doing at the time, sorry :s
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go back and re-run TDSSkiller and if the below still appear like last time, cure/delete them ( whichever option is presented ) this time
    Code:
    15:44:25.0608 5620 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    15:44:25.0608 5620 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip 
    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - .DEFAULT User Startup: toap.exe (User 'Default user')

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under this icon.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot, copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. x0pticLukeZz

    x0pticLukeZz Private E-2

    HostsXpert says "Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit."

    I click OK and the same window pops up, press it again and it goes away but the 'Make Writable?' button does nothing.

    The 'Restore MS Hosts file' button also comes up with an error.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running HostsXpert.exe by right clicking on it and selecting Run As Administrator.

    If that does not work, just continue on with the rest of the instructions anyway.
     
  8. x0pticLukeZz

    x0pticLukeZz Private E-2

    HostsXpert.exe still wouldn't work even running as administrator.

    Avenger rebooted my PC but didn't create avenger.txt anywhere nor show me a file on reboot... the closest thing I could find is the attached ozvxqu.txt

    I didn't download ATF Cleaner because it says it's for Windows XP or 2000 and I'm running Windows 7.

    Everything else seemed to go fine, I got the success message from fixme.reg and MGlogs.zip is attached.

    Still getting redirected I'm afraid and browsing still doesn't seem as fast as it should be.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Of course. That's because the fix with Avenger failed. It did not fix anything at all.

    Please try the same procedure again ( ignore ATF Cleaner ) after booting into safe mode. Also whether Avenger works properly or fails again, after the reboot from it, boot into safe mode a second time and see if ComboFix will run.

    Instead of ATF Cleaner, use CCleaner. Download and install CCleaner
    • Now run CCleaner with the default options (that means don’t change anything) to clean out temporary files.
    • Only use the default settings on the Windows Tab and select Run Cleaner. Do not run any other options from other tabs.
     
    Last edited: Feb 8, 2012
  10. x0pticLukeZz

    x0pticLukeZz Private E-2

    Avenger, ComboFix and HostsXpert wouldn't work but I ran CCleaner successfully.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Luke\AppData\Local\Temp\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
    C:\Users\Luke\AppData\Local\Temp\~!#E12E.tmp
    C:\ProgramData\7sS2lmg0.dat
    C:\Windows\TEMP\hki1143.exe
    C:\Windows\TEMP\hki1264.exe
    C:\Windows\System32\drivers\ibif.sys
    C:\Windows\System32\drivers\kpfvc.sys
    C:\Windows\SysWOW64\drivers\ibif.sys
    C:\Windows\SysWOW64\drivers\kpfvc.sys
    C:\Windows\System32\fv08j7LFs.com
    C:\Windows\SysWOW64\fv08j7LFs.com_
    C:\Windows\assembly\temp\@
    C:\Windows\assembly\temp\cfg.ini
    C:\Windows\assembly\temp\oemid
    C:\Windows\assembly\temp\version
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Users\Luke\AppData\Roaming\Microsoft\Windows\Templates\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
    C:\ProgramData\7sS2lmg0.dat
    C:\ProgramData\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
    c:\windows\Tasks\At*.job
    C:\Windows\assembly\temp\U
    C:\Users\Luke\AppData\Local\Temp\{0450AB7E-6644-45F5-BCD3-4BFF4E14B7D7}
    C:\Users\Luke\AppData\Local\Temp\{6C1D6858-40B5-48C5-90DE-DC46042DFBEE}
    C:\Users\Luke\AppData\Local\Temp\{9f11ca77-519a-44ec-9fa3-684e0d51a701}
    C:\Users\Luke\AppData\Local\Temp\{A38D7227-150B-45CD-898D-9C36603054ED}
    C:\Users\Luke\AppData\Local\Temp\{D6D1FF1C-E7BB-4980-B55F-C57955F2FF9F}
    C:\combofix
    C:\Users\Luke\Desktop\avenger.exe
    C:\avenger
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    C:\Windows\SysNative\drivers\etc\hosts
    ipconfig /flushdns /c
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
     
  12. x0pticLukeZz

    x0pticLukeZz Private E-2

    Here are the logs
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that fix removed a bunch of issues but it did not fix everything it said it fixed. There is still an underlying infection from ZeroAccess and your hosts file is still locked. We need to collect some additional info especially since we cannot get ComboFix and Avenger to run properly.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      drivers32 
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      C:\Windows\SysNative\drivers\etc\hosts
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %SYSTEMROOT%\AppPatch\*.exe
      %SYSTEMROOT%\inf\*.exe
      %SYSTEMROOT%\Installer\*.exe
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      %PROGRAMFILES%\*.*
      %APPDATA%\Update\*.*
      %PROGRAMFILES%\Common Files\*.*
      %PROGRAMFILES%\Microsoft\*.*
      %ProgramFiles%\Microsoft Common\*.*
      %USERPROFILE%\My Documents\*.exe
      %USERPROFILE%\*.exe
      dir /b "%systemroot%\system32\*.exe" | find /i " " /c
      dir /b "%systemroot%\*.exe" | find /i " " /c
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      hklm\system\currentcontrolset\control\session manager\subsystems
      hklm\system\controlset001\control\session manager\subsystems
      hklm\system\controlset002\control\session manager\subsystems
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  14. x0pticLukeZz

    x0pticLukeZz Private E-2

    There you go
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shut down any protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    O1 HOSTS File: ([2012/02/02 18:57:26 | 000,001,401 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1       localhost
    O1 - Hosts: ::1             localhost
    O1 - Hosts: 109.163.226.208 www.google-analytics.com.
    O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
    O1 - Hosts: 109.163.226.208 www.statcounter.com.
    O1 - Hosts: 67.215.245.19 www.google-analytics.com.
    O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
    O1 - Hosts: 67.215.245.19 www.statcounter.com.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3666389844-4192593307-1049294338-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
     
    :Files
    C:\32788R22FWJFW
    C:\Users\Luke\Desktop\ComboFix.exe
    C:\Windows\SysNative\dds_trash_log.cmd
    C:\Windows\SysNative\drivers\etc\hosts
    C:\Users\Luke\AppData\Local\db2am60oby25758xy4e00f7d271u4p355010g2o2s7gsn
    C:\Users\Luke\AppData\Local\Wmerazozahu.dat
    C:\Users\Luke\AppData\Local\Mkope.bin
    C:\ozvxqu.txt
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    dir C:\Users\Luke\AppData\Local\{B9C525E4-A8F0-43A7-B75B-817CF53121F5}
    dir C:\Users\Luke\AppData\Local\{AE3ADCAF-2EC2-46B1-8CD5-5758E0E6515C}
    dir C:\Users\Luke\AppData\Local\{69175AF6-B3BD-45FE-9F0D-C658E0702076}
    dir C:\Users\Luke\AppData\Local\{0D4A0BF8-5E12-45FA-B89F-A76922F0CD0A}
    dir C:\Users\Luke\AppData\Local\{2460E979-308D-4290-ACB1-2E1CFC6C625B}
    dir C:\Users\Luke\AppData\Local\{F6510A6D-2EE1-4C62-B4AA-D595BB42E540}
    dir C:\Users\Luke\AppData\Local\{7835F9DD-A555-4387-AA33-AF1ABC52E645}
    dir C:\Users\Luke\AppData\Local\{680F13F5-85F7-4482-B651-990175CDB7B8}
    dir C:\Users\Luke\AppData\Local\{D68218B9-E71B-4771-B6DA-4DB3F0E377BF}
    dir C:\Users\Luke\AppData\Local\{9C7781B4-4A7D-4F6C-828B-74B46B54C544}
    dir C:\Users\Luke\AppData\Local\{2B6CE598-E4E1-4328-9797-FD0FD466A64F}
    dir C:\Users\Luke\AppData\Local\{94BCC2A7-4E48-4839-9401-70C035726F75}
    dir C:\Users\Luke\AppData\Local\{07F79CC6-2A4F-483C-A0CA-6AA53E1AEC65}
    dir C:\Users\Luke\AppData\Local\{15AB81C5-6E28-4766-886F-10C1FB9F411E}
    dir C:\Users\Luke\AppData\Local\{0F4A50D2-7811-43AF-81EB-3568D13545B3}
    dir C:\Users\Luke\AppData\Local\{588B208C-F35A-49FA-81F3-B2DD07417F11}
    dir C:\Users\Luke\AppData\Local\{4E4D25E5-F35F-407E-BB39-0CA3CF71A29E}
    dir C:\Users\Luke\AppData\Local\{6AE6C089-2E10-4FBB-8843-A0E144A5B323}
    dir C:\Users\Luke\AppData\Local\{94CAC925-B8E1-490B-BA2B-BACB0C976E0B}
    dir C:\Users\Luke\AppData\Local\{3F2E92B1-8594-4735-8632-543A08A1DF60}
    dir C:\Users\Luke\AppData\Local\{9174E309-D316-42CB-8C31-72191936C16A}
    dir C:\Users\Luke\AppData\Local\{876083C9-66A5-4659-AE24-4F4FCE4BFEB1}
    dir C:\Users\Luke\AppData\Local\{81BF74B3-9151-48D9-8B0C-B92FCEDA3550}
    dir C:\Users\Luke\AppData\Local\{95B335A5-9FD3-4A18-ABA0-371B8067D626}
    dir C:\Users\Luke\AppData\Local\{645C6725-6836-40E0-8208-29F64411B370}
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00
    [HKEY_LOCAL_MACHINE\system\controlset001\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00
    [HKEY_LOCAL_MACHINE\system\controlset002\control\session manager\subsystems]
    "Windows"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,\
    79,73,74,65,6D,33,32,5C,63,73,72,73,73,2E,65,78,65,20,4F,62,6A,65,63,\
    74,44,69,72,65,63,74,6F,72,79,3D,5C,57,69,6E,64,6F,77,73,20,53,68,61,\
    72,65,64,53,65,63,74,69,6F,6E,3D,31,30,32,34,2C,32,30,34,38,30,2C,37,\
    36,38,20,57,69,6E,64,6F,77,73,3D,4F,6E,20,53,75,62,53,79,73,74,65,6D,\
    54,79,70,65,3D,57,69,6E,64,6F,77,73,20,53,65,72,76,65,72,44,6C,6C,3D,\
    62,61,73,65,73,72,76,2C,31,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,6E,\
    73,72,76,3A,55,73,65,72,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,33,20,53,65,72,76,65,72,44,6C,6C,3D,77,69,\
    6E,73,72,76,3A,43,6F,6E,53,65,72,76,65,72,44,6C,6C,49,6E,69,74,69,61,\
    6C,69,7A,61,74,69,6F,6E,2C,32,20,53,65,72,76,65,72,44,6C,6C,3D,73,78,\
    73,73,72,76,2C,34,20,50,72,6F,66,69,6C,65,43,6F,6E,74,72,6F,6C,3D,4F,\
    66,66,20,4D,61,78,52,65,71,75,65,73,74,54,68,72,65,61,64,73,3D,31,36,\
    00 
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
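Added example (not from this thread or from any MajorGeeks tool): a small Python audit of a hosts file. The sample content is constructed from the O1 - Hosts lines OTL reported above; the audit flags names that resolve somewhere other than the local machine (a hijack pattern worth treating as suspicious until explained) and, on Windows only, reports the R/H/S attributes behind the "system file" message HostsXpert gave.

```python
"""Audit a Windows hosts file for hijack-style entries (added example)."""
import ipaddress
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    ip: str
    name: str


def parse_hosts(text):
    """Split hosts-file text into (line, ip, name) entries, one per hostname."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            # A trailing dot marks an absolute DNS name (as in the OTL output);
            # strip it and lower-case so variants of one name group together.
            entries.append(HostsEntry(n, ip, name.rstrip(".").lower()))
    return entries


def classify(entry):
    """loopback = normal; blackhole = 0.0.0.0-style blocklist; redirect = suspicious."""
    try:
        addr = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "blackhole"
    return "redirect"


def audit(text):
    """Return {hostname: [remote IPs]} for every name sent off the local machine.

    A name pinned to more than one remote address, as in this thread, is a
    typical sign that the file was rewritten more than once.
    """
    redirects = {}
    for e in parse_hosts(text):
        if classify(e) == "redirect":
            redirects.setdefault(e.name, set()).add(e.ip)
    return {name: sorted(ips) for name, ips in sorted(redirects.items())}


def windows_attributes(path):
    """On Windows, return which of R (read-only), H (hidden), S (system) are set.

    OTL showed the infected file as 'RHS-'; the S bit is what made HostsXpert
    refuse to edit it. Returns None on non-Windows platforms.
    """
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    flags = {
        "R": stat.FILE_ATTRIBUTE_READONLY,
        "H": stat.FILE_ATTRIBUTE_HIDDEN,
        "S": stat.FILE_ATTRIBUTE_SYSTEM,
    }
    return "".join(letter for letter, bit in flags.items() if attrs & bit)


# Constructed sample, mirroring the O1 - Hosts lines OTL reported in this thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
109.163.226.208 www.google-analytics.com.
109.163.226.208 ad-emea.doubleclick.net.
109.163.226.208 www.statcounter.com.
67.215.245.19 www.google-analytics.com.
67.215.245.19 ad-emea.doubleclick.net.
67.215.245.19 www.statcounter.com.
"""

if __name__ == "__main__":
    for name, ips in audit(SAMPLE_HOSTS).items():
        print(f"{name} -> {', '.join(ips)}  (redirected off the local machine)")
```

To check a live machine, read C:\Windows\System32\drivers\etc\hosts into audit() and pass the same path to windows_attributes().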
     
  16. x0pticLukeZz

    x0pticLukeZz Private E-2

    OTL pops up with the error "Cannot create file C:\Windows\System32\drivers\etc\Hosts." as soon as I click Run Fix. It then just hangs on the next step of the fix, doesn't go any further.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hold down the Windows logo key and press the 'e' key to bring up Windows Explorer.
    Paste the below into the Address bar ( or navigate to the folder manually ) and press enter

    C:\Windows\System32\drivers\etc

    In the right window pane of Win Explorer, right click on the hosts file and select Properties. Then click the Security tab. What user names do you see in the Group or user names: box?
     
  18. x0pticLukeZz

    x0pticLukeZz Private E-2

    There's only an 'Authenticated Users' group.. seems a bit odd, there are usually a few different ones
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so click on the Authenticated Users group and then in the lower part of the form which has the title Permissions for Authenticated Users what do you see for permissions in the Allow column? That is, which of the below have check marks in the Allow column?

    Full control
    Modify
    Read & execute
    Read
    Write
    Special permissions
     
  20. x0pticLukeZz

    x0pticLukeZz Private E-2

    Read only
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And thus the problem. We need this to be Full control. See if you can get this to change. If you cannot change it, we will likely have to make a change to Ownership permissions.
     
  22. x0pticLukeZz

    x0pticLukeZz Private E-2

    Unable to change it I'm afraid
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Okay then navigate back to the hosts file again and right click on it and select Properties again.
    • Then select the Security tab.
    • Then click the Advanced button at the bottom of the form
    • On the next form click Edit
    • On the next Permissions form click the Add button
    • In the Enter the object name to select box type in Everyone
      • Type it exactly as shown with the capital E
    • Then click the Check Names button which should confirm the name
    • Then click OK to close this page
    • Then click Apply on the next form ( the Advanced Security Settings for hosts ) and then OK to close this form.
    • Now back on the hosts Properties form click the Edit button
    • On the Permissions for hosts form select the Everyone user just added
    • Then on the bottom click the Full control check box in the Allow column and click Apply and OK.
    • Did this work?
     
  24. x0pticLukeZz

    x0pticLukeZz Private E-2

    No it didn't. Got the same Access is Denied message
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did the Everyone user name get added successfully? Were you able to take ownership with it?

    Repeat the same steps for the etc folder itself and see if you can take ownership with the Everyone user name.
     
  26. x0pticLukeZz

    x0pticLukeZz Private E-2

    It won't let me add the Everyone user name on either the hosts file or the etc folder
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the following:
    • please download GrantPerms.zip and save it to your desktop.
    • Unzip the file and run GrantPerms.exe
    • Copy and paste the following into the edit box of GrantPerms:
    Code:
    C:\Windows\System32\drivers
    C:\Windows\System32\drivers\etc
    C:\Windows\System32\drivers\etc\hosts
    
    • Now Click Unlock.
    • When it is done click "OK".
    • Now click List Permissions and attach the Perms.txt file that pops up.
    • A copy of Perms.txt will be saved in the same directory from where the tool is run.
    • Attach the Perms.txt log.
     
  28. x0pticLukeZz

    x0pticLukeZz Private E-2

    Here's the log
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can now right click on the C:\Windows\System32\drivers\etc\hosts file and select Delete
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also no matter whether you were able to delete the hosts file or not, please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.


    Option1: Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Option2: Enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  31. x0pticLukeZz

    x0pticLukeZz Private E-2

    Successfully deleted the hosts file and ran frst64, log attached
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • FixLog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     

    Attached Files:

  33. x0pticLukeZz

    x0pticLukeZz Private E-2

    Done both

    Things seem to be pretty much back to normal now, I haven't had any redirects in a while and browsing isn't slow any more
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  35. x0pticLukeZz

    x0pticLukeZz Private E-2

    I ran into a hitch with uninstalling combofix.. I had installed it to the desktop, but I think the FRST64 fix has moved or deleted it as it says in Fixlog.txt

    I can still see all the hidden files and folders and I don't know if it's left some things behind due to not being uninstalled properly
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never really got it to run properly before, thus it was never really fully installed, which is why I removed it with FRST. You can ignore that step and continue with the rest of the steps.
     
  37. x0pticLukeZz

    x0pticLukeZz Private E-2

    Everything's all cleaned up and the malware's all gone :-D
    Thanks very much for all your help and time!
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
