Help... Downloader/Adware.websearch won't budge

Discussion in 'Malware Help (A Specialist Will Reply)' started by baldee, Jan 16, 2009.

  1. baldee

    baldee Private E-2

    Hi
I have followed the instructions, going through the cleanup process using CCleaner, SAS, Spybot, Malware, ComboFix and MG. I've read various posts too.

But every time I then reboot and run another Norton's scan, it picks up Downloader and Adware.websearch.
Please can anyone point me in the right direction to try anything else? I have the logs and can post them on here too.

Thanks in advance and apologies from a newbie(ish), as sometimes a little info can be dangerous :(
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    That is what you are supposed to do if you still have problems. It was stated in the instructions. ;)
     
  3. baldee

    baldee Private E-2

OK, OK, I was just making sure someone was going to read my plea for help... honest :(

    Hi chaslang,
Thanks for your article/write-up, very informative to someone without a great deal of knowledge but getting there.

I've attached the first 3 logs to this reply; let me know if there are any problems with accessing them.

    Cheers,
    Sy
     

    Attached Files:

  4. baldee

    baldee Private E-2

    Hello again,

    Here is my mglog also.

Like I said, I think I have followed all the steps correctly and produced these logs. I have also deleted a lot of programs too.

So let me know if there are any more steps you need me to do to help you/anyone to help myself, so I don't take up too much time.

    Thanks for your time

    Sy
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

This log is very incomplete. Where did you save the MGtools.exe file to? It needs to be on the same drive where you have Windows running from. This was explained in the instructions. I think you have Windows on drive D but you put MGtools on drive C, which is a no-no. Please correct this and attach a new log.
     
    Last edited: Jan 18, 2009
  6. baldee

    baldee Private E-2

    Hi chaslang,

Here's another MGlog. The first time I downloaded MGtools into my C: drive (boot); this time I deleted it and downloaded it again and placed it into my D: drive (backup). Though either way the MGlogs.zip always saves itself into the D: drive. Is this right? And is the log OK this time? Although this time the Trend Micro agreement came up, and the HijackThis, as per the instructions you listed.

    Thanks again,
    sy
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Drive C is not your boot drive. Drive D is where you have Windows installed and that is your boot drive. The only way MGtools will work 100% properly is by putting it into the root folder of your Windows boot drive as stated in the READ & RUN ME. Now you have this correct.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\RunServices: [] winlog.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    D:\WINDOWS\Temp
    D:\Documents and Settings\patricia sutherland\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 19, 2009
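The HijackThis lines chaslang picked out above share two patterns: O2/O9 entries whose target is "(no file)" (the registry still references a BHO or toolbar button whose DLL has already been removed) and an O4 RunServices entry with an empty value name launching winlog.exe, a name one letter pair away from the real winlogon.exe. The script below is an added example written for this page, not code from the thread, from HijackThis or from MGtools: it parses HJT-style lines and flags exactly those patterns, plus two further autostart heuristics that are this example's own assumptions (a command with no path, and a filename that is a near-miss of a well-known system binary). The five flagged lines are the ones from the post; the sixth, clean-looking O2 line is constructed for contrast.

```python
"""Triage HijackThis-style log lines for orphaned BHOs and suspicious autostarts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "O2 - BHO: <name> - {CLSID} - <path or (no file)>": leading section tag, then payload.
SECTION_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 payload: HKLM\..\RunServices: [value name] command
RUNKEY_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(Run\w*):\s*\[(.*?)\]\s*(.*)$")

# Constructed sample of real system binaries that malware likes to imitate (assumption).
SYSTEM_BINARIES = ("winlogon.exe", "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used for the lookalike heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the system binary that `name` imitates (distance 1..2), or None."""
    n = name.lower()
    for real in SYSTEM_BINARIES:
        if n != real and _edit_distance(n, real) <= 2:
            return real
    return None


@dataclass
class Finding:
    section: str
    line: str
    clsid: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT entry, or None if the line is not an HJT entry."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2).strip()
    f = Finding(section=section, line=line.strip())
    c = CLSID_RE.search(rest)
    if c:
        f.clsid = c.group(0)

    if section in ("O2", "O9") and rest.endswith("(no file)"):
        # Registry still points at a BHO / toolbar button whose file is gone.
        f.reasons.append("orphaned entry: registry points at (no file)")

    if section == "O4":
        rm = RUNKEY_RE.match(rest)
        if rm:
            key, value_name, command = rm.groups()
            if not value_name.strip():
                f.reasons.append(f"{key} autostart with blank value name")
            cmd = command.strip()
            exe = cmd.strip('"').split("\\")[-1].split()[0].strip('"') if cmd else ""
            if exe and "\\" not in cmd and ":" not in cmd:
                f.reasons.append("autostart command has no path")
            real = lookalike_of(exe) if exe else None
            if real:
                f.reasons.append(f"{exe} looks like {real}")
    return f


def triage_log(text: str) -> List[Finding]:
    """Triage every HJT entry in `text`; lines that are not HJT entries are skipped."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f is not None]


# The five lines selected in the post above, plus one constructed clean entry.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\RunServices: [] winlog.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - D:\\Program Files\\Example\\helper.dll
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print("FIX " if finding.suspicious else "keep", finding.line, "|", "; ".join(finding.reasons))
```

Run it as-is to see the five post lines marked FIX and the constructed entry kept. An "(no file)" entry is safe to fix because there is nothing left on disk to lose, whereas the O4 heuristics only raise a flag; a blank value name or a pathless command still needs a human to confirm the file before clicking Fix.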
  8. baldee

    baldee Private E-2

    Hiya,

Here are the two logs as requested; everything seemed to work OK, no stalls etc. But my PC does seem to be the wrong way round, as my boot drive is C: and backup is D:. So if these logs don't make sense I'll change things around by trying to save the programs into other drives.

Let me know if I have missed anything or need to do anything else, or in any other way.

    Thanks again and look forward to the response,
    sy
     

    Attached Files:

  9. baldee

    baldee Private E-2

    Hi Chaslang,

Well, Norton's is still picking up the Adware.websearch and the Downloader. But regedit opens up the proper Windows window now rather than the black 32.com window it was opening up. Plus I can access all folders now rather than getting access denied. Everything else is running as normal and no more tabs seem to be opening up on their own at the moment.

Is there a reason why Norton's still picks these up on the scan? As Norton's cannot remove them; it says "cannot remove from an unsupported file".

    Thanks in advance,
    sy
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I repeat.... not according to your logs. You are booting Windows from drive D as shown in the below running process list that is from your logs:
Every process is shown as running from drive D. So drive D is not just a backup. It is where you are running Windows from, which is what I mean by Windows boot drive, and your logs do show the below indicating that harddisk volume 1 is the boot device. But that is not where you are running Windows from.
    Code:
    Windows Directory D:\WINDOWS 
    System Directory D:\WINDOWS\system32 
    Boot Device \Device\HarddiskVolume1 
     
    Drive C: 
    Description Local Fixed Disk 
    Compressed No 
    File System NTFS 
    Size 37.11 GB (39,851,446,272 bytes) 
    Free Space 34.21 GB (36,733,857,792 bytes) 
    Volume Name BOOT 
    Volume Serial Number 48B26FF0 
     
    Drive D: 
    Description Local Fixed Disk 
    Compressed No 
    File System NTFS 
    Size 33.51 GB (35,977,338,880 bytes) 
    Free Space 16.44 GB (17,649,655,808 bytes) 
    Volume Name BACKUP 
    Volume Serial Number C48E1A16 
     
    Partition Disk #0, Partition #0 
    Partition Size 37.11 GB (39,851,449,344 bytes) 
    Partition Starting Offset 32,256 bytes 
    Partition Disk #0, Partition #1 
    Partition Size 37.41 GB (40,172,267,520 bytes) 
    Partition Starting Offset 39,851,481,600 bytes 
    
    The Volume labels you gave drive C and D are Boot and Backup respectively but a volume label is just a name.

You will need to attach a log from Norton that shows me exactly what it is finding and where. Your logs are clean now! For all I know Norton could just be finding things in a quarantine or System Restore which we have not cleaned up yet. Also we have been scanning drive D not C, so if you have infections on drive C and it is truly a bootable drive then you need to boot from it and run cleaning procedures on it.
     
    Last edited: Jan 22, 2009
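The point of the system-info excerpt above is that "BOOT" and "BACKUP" are labels the user typed, while the Windows Directory field shows where Windows actually runs, and that is the drive whose root MGtools has to sit in. The script below is an added example written for this page, not part of the thread or of MGtools: it parses that report format (the Windows Directory, System Directory and Boot Device fields and the per-drive blocks), derives the Windows drive from the path rather than from any label, and reports labels that suggest a role the drive does not have. The misleading-label heuristic (BOOT/SYSTEM on a non-Windows drive, BACKUP on the Windows drive) is this example's own assumption; the sample report is the one quoted in the post.

```python
"""Derive the real Windows drive from an MGtools/ComboFix-style system info report."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

FIELD_RE = re.compile(r"^\s*(Windows Directory|System Directory|Boot Device)\s+(\S.*?)\s*$")
DRIVE_HDR_RE = re.compile(r"^\s*Drive ([A-Z]):\s*$")
LABEL_RE = re.compile(r"^\s*Volume Name\s+(.*?)\s*$")
SERIAL_RE = re.compile(r"^\s*Volume Serial Number\s+([0-9A-Fa-f]{8})\s*$")


@dataclass
class Volume:
    letter: str
    label: str = ""
    serial: str = ""


@dataclass
class SysInfo:
    windows_dir: str
    boot_device: str   # partition the loader came from; NOT where Windows runs from
    volumes: Dict[str, Volume]

    @property
    def windows_drive(self) -> str:
        """Drive letter taken from the Windows Directory path, e.g. 'D' for D:\\WINDOWS."""
        return self.windows_dir[0].upper()

    def tool_root(self, tool: str = "MGtools") -> str:
        """READ & RUN ME rule as stated in the thread: the tool folder goes in the root of the Windows drive."""
        return f"{self.windows_drive}:\\{tool}"

    def misleading_labels(self) -> Dict[str, str]:
        """Labels that imply a role the drive does not have (heuristic, an assumption of this example)."""
        out: Dict[str, str] = {}
        wd = self.windows_drive
        for letter, vol in self.volumes.items():
            lab = vol.label.upper()
            if letter != wd and ("BOOT" in lab or "SYSTEM" in lab):
                out[letter] = f"label {vol.label!r} but Windows runs from {wd}:"
            if letter == wd and "BACKUP" in lab:
                out[letter] = f"label {vol.label!r} but this is the Windows drive"
        return out


def parse_sysinfo(text: str) -> SysInfo:
    """Parse the field lines and 'Drive X:' blocks; anything else (partition rows etc.) is ignored."""
    fields: Dict[str, str] = {}
    volumes: Dict[str, Volume] = {}
    current: Optional[Volume] = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        m = DRIVE_HDR_RE.match(line)
        if m:
            current = Volume(letter=m.group(1))
            volumes[current.letter] = current
            continue
        if current is None:
            continue
        m = LABEL_RE.match(line)
        if m:
            current.label = m.group(1)
            continue
        m = SERIAL_RE.match(line)
        if m:
            current.serial = m.group(1).upper()
    if "Windows Directory" not in fields:
        raise ValueError("report has no 'Windows Directory' line")
    return SysInfo(fields["Windows Directory"], fields.get("Boot Device", ""), volumes)


# The report quoted in the post above (trailing whitespace trimmed).
SAMPLE_REPORT = """\
Windows Directory D:\\WINDOWS
System Directory D:\\WINDOWS\\system32
Boot Device \\Device\\HarddiskVolume1

Drive C:
Description Local Fixed Disk
File System NTFS
Volume Name BOOT
Volume Serial Number 48B26FF0

Drive D:
Description Local Fixed Disk
File System NTFS
Volume Name BACKUP
Volume Serial Number C48E1A16

Partition Disk #0, Partition #0
Partition Disk #0, Partition #1
"""

if __name__ == "__main__":
    info = parse_sysinfo(SAMPLE_REPORT)
    print("Windows runs from", info.windows_drive + ":", "-> put tools in", info.tool_root())
    for letter, why in info.misleading_labels().items():
        print(f"drive {letter}: {why}")
```

The decision rests on the Windows Directory path alone; the Boot Device and volume labels are parsed only so the mismatch can be reported, which is the confusion the two posters were talking past each other about.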
  11. baldee

    baldee Private E-2

OK, went through the whole instructions again, but this time I saved all of the programmes to C:/program files.

The only problem I encountered was that after doing CCleaner, Windows security wouldn't allow downloads at all and I couldn't figure a way round it whilst on that user's side. So I had to go onto my side to download all the programmes. But I downloaded one at a time, then did the instructions, then downloaded the next. The logs may show this, I'm not sure.

Anyhow, here are the first 3 logs again from all the programmes saved in the C: drive.
     

    Attached Files:

  12. baldee

    baldee Private E-2

    Here is the MGlog.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

This is not going to change anything other than the fact that MGtools will not work, since it needs to be on the drive where Windows runs from (which was stated in the READ & RUN ME) and that is drive D. Your new ComboFix log still shows that Windows is running from drive D.

I'm not sure what you are now trying to accomplish, but there is no malware for us to remove anymore. I asked you to attach a log from Norton but you have not done this, so as far as I'm concerned you're clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
