PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal info

Discussion in 'Malware Help (A Specialist Will Reply)' started by dazedandconfuzed, Feb 4, 2010.

  1. dazedandconfuzed

    dazedandconfuzed Corporal

    Oh my gosh...where do I start? Well, the most pressing issue is on supposedly "secure" sites, I'm being asked for personal info. I went to log into my eBay account, and a window opened asking for very personal info, such as, my SS#, birth date, mother's maiden name, credit card and ATM account numbers and my ATM pin number! I contacted eBay, and they said they would never ask for that info. Then, this morning, I wanted to back-up with Mozy.com. After entering the info they wanted, a new window popped up again, asking for the same info! I called Mozy, they said they also would never ask for such sensitive info, such as my ATM pin number!

    I have been begging for help on another forum, but have not received a response. Please, please...can't somebody please help me??? I am almost in tears here!

    Thank you in advance to anybody that can save me!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Welcome to Major Geeks!

    Your starting point is to run the below procedure and attach the requested logs:

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Oh, thank you, thank you, thank you chaslang! You are an angel! I will do what you say.
     
  4. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Good evening, chaslang. I need to let you know that my 'puter freezes up, and it can take me up to 2 hours to log back onto the 'net. I will be here 14 hours a day...just waiting for your posts. I don't want you to think I'm not concerned about my problem.

    Okay...I got down to the Windows XP cleaning download. But I have a few questions. It says not to save the downloads into a documents folder or a temp folder, but to save it exactly as it is downloaded. It's downloading into a temporary folder! How do I change where it's downloaded to?

    Also, the other says to change the download and save it as "mb.exe". How do I change it and where should I save it?
     
  5. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Hi chaslang. Here are the first 4 logs. Hope I did everything correctly.
     

    Attached Files:

  6. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Here ya go, chaslang. I hope all of the logs will help.

    Anxiously awaiting your reply,

    dazedandconfuzed
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    I'm sorry but you need to attach the correct log. We specifically stated the log from MGtools is C:\MGlogs.zip
     
  8. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    I'm so sorry. Is this attachment what you need?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Yes that is the log that was requested and what you should have attached previously which would have prevented the additional delay in getting your problems fixed.

    You have a serious Master Boot Record infection.


    Please run the below tool from Prevx

    Prevx 3.0 use the button that says Download Prevx 3.0

    After running the Prevx scan, reboot and then continue with the below.


    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 12
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 17
    Java(TM) 6 Update 7
    Viewpoint Media Player <-- should have been uninstalled in step 5 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
    O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; GTB6; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.2scarygames.com/scary-games/33/Hostel_The-Killing-Floor.html"
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Debra\Local Settings\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
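As an added example (not code from the thread, MGtools or HijackThis): a small triage script for the HijackThis line shapes quoted above (O2/O3/O4/O9) that flags the same kinds of entries selected for fixing in this post: registrations whose file is missing, entries with no display name, and a startup command that carries a URL as an argument. The regexes, `Finding`, `triage` and the sample log are this example's own; the sample lines are taken from this page with the user-agent string shortened.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (assumption of this example): the four entries
# selected in post #9 plus two ordinary O4 entries from later in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL (file missing)
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0)" -"http://www.2scarygames.com/scary-games/33/Hostel_The-Killing-Floor.html"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0" (User 'SYSTEM')
"""

# Line shapes as HijackThis prints them (the regexes are this example's own).
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
COM_RE = re.compile(
    r"^(BHO|Toolbar|Extra button): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(
    r"^(HK\w+(?:\\[^\\]+)?)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*?)(?: \(User '[^']*'\))?$")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    label: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Parse one HijackThis line; return a Finding (reasons may be empty) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if section in ("O2", "O3", "O9"):
        cm = COM_RE.match(body)
        if not cm:
            return Finding(section, body, ["unrecognised line shape; inspect by hand"])
        kind, name, clsid, path = cm.groups()
        label = f"{kind} {name} {clsid}"
        if path.endswith(ORPHAN_MARKERS):
            reasons.append("registered component has no file on disk (orphaned registration)")
        if name == "(no name)":
            reasons.append("entry carries no display name")
    elif section == "O4":
        rm = RUN_RE.match(body)
        if not rm:
            return Finding(section, body, ["unrecognised line shape; inspect by hand"])
        hive, key, value_name, command = rm.groups()
        label = f"{hive}\\{key} [{value_name}]"
        if URL_RE.search(command):
            reasons.append("startup command carries a URL as an argument")
    else:
        label = body
    return Finding(section, label, reasons)


def triage(log_text: str) -> list:
    """Return only the lines that earned at least one reason, in log order."""
    out = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f and f.reasons:
            out.append(f)
    return out


def report(log_text: str) -> str:
    """One line per flagged entry, ready to paste into a reply."""
    return "\n".join(f"{f.section} {f.label}: " + "; ".join(f.reasons)
                     for f in triage(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The two ordinary O4 entries produce no finding, which is the point: the script sorts the log, it does not decide what to fix.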
     
  10. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Hi chaslang. I was able to sign in to one of my eBay accounts without that nasty window asking for my personal financial info!:)

    I've attached the requested logs and will be waiting (patiently) for your reply.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Your MGlogs.zip file contains incomplete info. Something must have caused a glitch. Please do the below so we can be sure you are clean.

    • First delete the current C:\MGlogs.zip file that you have.
    • Disconnect your PC from the internet by unplugging your cable
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • Make sure you do not run anything else while GetLogs.bat is running and collecting information.
    Then attach the new C:\MGlogs.zip
     
  12. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    As MGTools was running, I received the following error message 5 times:

    "C:\WINDOWS\system32\cmd.exe
    NTVDM has encountered a system error
    NTVDM has encountered a system error c0h choose 'Close' to terminate the
    application."

    I was given the choice to close or ignore, so I chose ignore.

    A couple of quick questions. Would it cause any problems if I used a SanDisk just to get my pictures and important files? Also, I want to unsubscribe to AOL's Safety & Security. Can I do these now, or do you want me to do nothing until you are finished with me?

    Thanks chaslang...I really appreciate your time and effort!
     

    Attached Files:

  13. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    I got the dreaded blue dump screen. After starting up my pc again, the "Send Error Report" pop-up came on. I don't know if this will help anything, but I copied down the report:

    Technical Information About Error Report:

    Error Signature

    BCCode: 100000c5 BCP1: 00000004 BCP4: 8054BFD2 OSVer: 5_1_2600
    SP: 3_0 Product: 256_1
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Yes this was why I was stressing getting another log from MGtools. I did not think you were clean and the log shows that PrevX failed to remove the root of the MBR infection. You will have to do the below which will require you having your Windows Boot CD.

    Now boot to the Recovery Console and run fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command and boot back to normal mode, continue with the below. Do not waste any time doing the below until you have run the fixmbr command from the Recovery Console.

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
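Added example, not from the thread or any tool named in it: what a Master Boot Record contains and why rewriting only its boot code (which is what fixmbr does) leaves partitions and files alone. The 512-byte MBRs, the boot-code stubs and the baseline workflow are constructed for this example; in practice the baseline would be saved from a known-clean machine.

```python
import hashlib
import struct

# MBR layout fixed by the PC BIOS boot convention.
MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: master boot code, the part fixmbr rewrites
DISK_SIG_OFF = 440       # 4-byte NT disk signature + 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries, then 55 AA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR (assumption of this example): the given boot
    code, a fixed disk signature and one active NTFS-type (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return code + disk_sig + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into the pieces a baseline check cares about."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 55AA missing: not a valid MBR")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": partitions}


def compare_to_baseline(current: bytes, baseline: bytes) -> dict:
    """Report what differs between a saved known-good MBR and the current one.
    Boot code changed while the partition table is intact is the pattern an
    MBR rootkit leaves; a changed partition table points at disk re-layout."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    return {"boot_code_changed": cur["boot_code_sha256"] != base["boot_code_sha256"],
            "partition_table_changed": cur["partitions"] != base["partitions"],
            "disk_signature_changed": cur["disk_signature"] != base["disk_signature"]}


def restore_boot_code(current: bytes, baseline: bytes) -> bytes:
    """Put known-good boot code back and keep everything after it from the
    current sector: the partition table, and so every file, is untouched."""
    parse_mbr(current), parse_mbr(baseline)   # both must be valid MBRs
    return baseline[:BOOT_CODE_LEN] + current[BOOT_CODE_LEN:]


# Constructed boot-code stubs (not real loaders): a "good" one saved as the
# baseline and a "tampered" one standing in for an infected MBR.
GOOD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24
TAMPERED_CODE = b"\xeb\x3e\x90" + b"\xcc" * 30


def demo() -> dict:
    """Baseline vs. infected sector, then the repair, summarised as flags."""
    baseline = build_sample_mbr(GOOD_CODE)
    infected = build_sample_mbr(TAMPERED_CODE)
    verdict = compare_to_baseline(infected, baseline)
    repaired = restore_boot_code(infected, baseline)
    verdict["repaired_matches_baseline"] = parse_mbr(repaired) == parse_mbr(baseline)
    return verdict


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```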
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    You're welcome.

    You can and should do this ASAP.

    Not yet! Don't make any changes other than what we request.
     
  16. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Hi Chaslang.

    I did as you requested in the last quote above during our R&R session, and only ran the Prevx scan. I have been getting a Prevx pop-up screen which shows a threat ($mbr.0 in c\) Rootkit.mbr and has a "Cleanup Now" button I could click on. I haven't done so because I couldn't find anywhere in your previous instructions telling me to do that. Should I try that before going ahead with the Recovery Console thing? That Recovery thing seems very complicated and quite frankly, scares me a little! Will all of my files and folders be deleted?

    Before I do anything I am going to use a SanDisk and some DVD's to copy important files. Then if I do need to do the Recovery thing, I will proceed just as you have instructed.

    Thanks again and anxiously awaiting your reply!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    As stated in one of my last messages, PrevX failed to remove the problem. You need to run the fix I gave in message # 14 with fixmbr.

    It is not complicated. 98% of what is in there has nothing to do with what you are going to do. The link given was mainly to provide additional information.

    You don't need to do the installation part. You just need to boot from your CD and run the Recovery Console. And when the prompt appears you select your Windows partition (normally 1) and then you will run the fixmbr command. Afterwards, you will remove the CD and reboot.

    Yes as stated you should do this.
     
  18. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Oh no, chaslang. I can't find my CD! What in the world will I do now? Am I doomed? I have a drag-to-disk program. Is there any way I can make a CD or DVD to use to reboot?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    I did not notice all of your remarks previously stated about PrevX.
    Run it again and of course let it fix (Cleanup Now) the problem which is why we were running it. ;)

    Then run the Avenger fix again and attach another new log from Avenger and run C:\MGtools\GetLogs.bat and attach the new MGlogs.zip file.
     
  20. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    I still had Prevx installed...so I removed it, rebooted, went through your link in post #9 and attempted to run it. However I got the following error message:

    Error: V911: Cleanup not licensed, please purchase a license from www.prevx.com

    I then did a search on the forums and found this thread which states that Prevx is no longer free. Here is the link to that: http://forums.majorgeeks.com/showthread.php?t=183051&highlight=prevx
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    That's a very old post. For quite awhile at the end of 2009 and the beginning of 2010, Prevx would still fix this infection for free. Their website has multiple pages where they even stated this. Read the bottom of the below direct from their website: http://www.prevx.com/blog/131/MBR-Rootkit-reloaded.html Obviously now not true.

    We used it many times in the last few months successfully. They must have recently decided to not do this for free which means we will no longer be recommending their tool, and thus they shoot themselves in the foot. :( No free advertising..... in fact more bad advertising. ;)

    You will have to find your Windows Boot CD or borrow one so that you can boot to the Recovery Console and run fixmbr.
     
  22. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Hi chaslang. I didn't quite trust the DVD's I made with my pics and docs on them (they are irreplaceable), so I purchased a subscription to Mozy.com. I am in the process of backing up just pics and a few docs, but wow...it takes a lot longer than I imagined. I am on day 3 and about 46% transferred. As soon as the backup with Mozy is complete, I can go to Dell.com and restore my PC back to the way it was when it was shipped to me. I don't need a CD to do this. After the restore, I will do the R & R, then post the logs here for you to examine.

    Thanks so much for your help so far!
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    You should be working on getting a boot CD to help avoid future problems like this. A CD is an absolute must and has been for the last few years due to how malware has progressed and also due to many problems that can occur within the Windows Operating System itself. If you had a CD now, you would not need to do the factory recovery. Even if you borrow one just to do the fixmbr you could avoid this. While I expect that restore to the way it was shipped should overwrite the infected MBR, I'm not positive that it will. That could mean you would still be infected afterwards and would have wasted your time. Also you would have a load of work in front of you in getting your PC back to the way you have it now.
     
  24. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Hi chaslang. Okay...I'm exhausted, frustrated and I have a headache. I'm giving up. I borrowed a CD, but it says that my version of Windows is more recent than the CD version. I checked on Microsoft's website, and to combat that problem is overwhelming. I then went to dell.com to do a PC restore, but alas, part of the instructions state to press certain keys on the Dell "splash screen" when I start up my PC. I don't get a Dell splash screen, and I can't find out anything about it on Dell's support site. I guess I'll just have to live with my PC problems until I can afford to purchase the CD needed.

    Thank you for all your help. I will re-post (or reply to this thread) sometime in the future when I can proceed with your instructions. I'm sorry I have wasted your time and effort, both were greatly appreciated.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Exactly when did you see this? Was it after you got into the Recovery Console and when you tried to run fixmbr?
     
  26. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    After I click on "Install Windows XP" on the Welcome screen. The CD is Windows XP Home Edition, 2002 and I'm running Windows XP Media Center Edition.
    I happened upon this...I started by clicking on Control Panel, what is it?:
    Control panel>System>Advanced>Startup & Recovery>Settings>System Startup>Default Operating System...Windows XP Media Center Edition. There's a drop-down there, and when I click on it I get: "Microsoft Windows Recovery Console"\cmdcoms
    I haven't changed anything.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    You are not following the instructions for Booting to the Recovery console. I do not want you to install the Recovery Console. You should not have Windows running at all. What you need to do is boot up your computer from the CD (this may require changing your BIOS boot order to boot from the CD first). See option # 2 in this link which may help you understand better: http://support.microsoft.com/kb/314058

    I only want you to refer to option 2 in the above just to get you booted to the RC. I do not want you to run the procedures in that link. All we want you to do is get to the RC prompt which will be a DOS like screen saying C:\Windows> and then you need to just type in fixmbr and hit return.

    If you still need help doing this, perhaps the below will help with some screen snapshots:

    How to Enter Recovery Console From the Windows XP CD
     
    Last edited: Feb 25, 2010
  28. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    I was able to change my Bios and use the CD to get to the recovery console. I typed in fixmbr, hit return and waited for it to do its thing. I didn't receive any error messages. I then restarted my PC and re-ran the CCleaner and ran the MGtools\getlogs.bat file as you requested. Now, when I try to upload the MGlogs.zip folder to this post I get the following:

    Manage Attachments
    Upload Errors
    MGlogs.zip:
    Upload of file failed.


    I have tried numerous times to upload it. I've re-started my PC and completely turned it off then back on. I still can't upload the .zip folder.

    What's next?
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    You have to make sure that you are not trying to attach the log as previously attached. Let's make sure it is new by doing the following:
    • delete the current C:\MGlogs.zip file
    • re-run C:\MGtools\GetLogs.bat and make sure you allow it to finish
    • then attach the new C:\MGlogs.zip file. Watch for any specific errors when trying to upload. Like does it say the file is too large or anything else. It is very possible that your log got too large due to what the infection had done by adding the HelpAssistant folder
     
  30. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Trying again and crossing my fingers!

    Geez!!! I got the same...upload of file failed!
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    What is the size of the file?
     
  32. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Wow...it's 2,766 KB! I deleted MGtools completely, then went back to R & R and started the procedure from the beginning. Again, 2,766 KB. I opened the .zip file. Here are the contents:

    avenger.txt
    combo.txt
    ffdata.txt
    GetUnKey.txt
    hijackthis.txt
    newfiles.txt
    procdll.txt
    runkeys.txt
    sysinfo.txt
    sysrest.txt
    User Info.txt
    winfiles.txt
     
  33. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Hey...guess what. Just out of curiosity I clicked on Prevx 3.0...and this time it worked! Evidently it didn't find any problems (I stepped away for a few minutes and when I returned it had finished running and closed.) I ran a scan with Malwarebytes Anti-Malware, and it found no infections. I also noticed that there is a newer version of Ccleaner than the one I installed during R & R. (I didn't download it.)
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    And that is why you cannot attach it. If you read the message being displayed you would see it told you it was too large.

    It is too large due to the infection you had. As stated in my last message, the Help Assistant folder was massive.

    Delete the C:\Avenger folder. Then rerun C:\MGtools\GetLogs.bat. Now you should be able to attach it.
     
  35. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Thanks. Here it is.
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Your MBR infection has been removed. Now we have some miscellaneous cleanup to do before we can get to final instructions.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now uninstall Prevx since you don't need it and we are finished with it.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)

    At your option, fix any of the below since they are unnecessary and waste resource and slow down startup.
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0" (User 'Default user')

    After clicking Fix, exit HJT.

    Now please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
     
    :Services
     
    :Files
      
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    :Commands
    [purity]
    [createrestorepoint]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Debra\Local Settings\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Feb 27, 2010
  37. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Well, I've accomplished everything down to: C:\Documents and Settings\Debra\Local Settings\Temp
    I'm having a bit of a problem there. If I attempt to use the "Select All", then "Delete these files" option, I either get a pop-up that says "such & such file cannot be deleted"...I click OK, then it just returns me to the list of files without deleting any, or I get an error message that says "This program is not responding".

    I can delete them at about 35 at a time, by holding down the control key, clicking on each file, then clicking the "Delete these files" option.

    I will continue to delete them that way until I get a reply. (I hope that reply comes soon, there are a lot of files to delete. :)
     
  38. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Okay...here they are.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Okay your logs are clean. Just do the below and then final instructions.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
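    As an added example (not from this thread or from chaslang), a PowerShell check that lists the HKCU/HKLM Run keys in HijackThis O4 notation, checks the Authenticode signature of each launched executable, and confirms the MSMSGS entry is gone after clicking Fix. The function name Get-O4Entries is my own; run it from an elevated PowerShell on the affected machine.

```powershell
# Added example, not part of the original thread: audit Run keys the way HJT's O4 lines show them.
function Get-O4Entries {
    $hives = @{
        'HKCU' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    }
    foreach ($hive in $hives.Keys) {
        $path = $hives[$hive]
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PS* bookkeeping properties Get-ItemProperty adds to the object
            if ($prop.Name -like 'PS*') { continue }
            $value = [string]$prop.Value
            # Pull the executable path out of the command line: quoted path or first token
            if ($value -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($value -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Hive      = $hive
                Name      = $prop.Name
                Value     = $value
                Exe       = $exe
                Signature = $sig          # Valid, NotSigned, HashMismatch, FileMissing, ...
                O4        = "O4 - $hive\..\Run: [$($prop.Name)] $value"
            }
        }
    }
}

# Show everything HJT would list as O4, with the signature verdict beside it
Get-O4Entries | ForEach-Object { "{0,-12} {1}" -f $_.Signature, $_.O4 }

# Confirm the specific entry from this thread is really gone after the Fix
$target = 'MSMSGS'
$left = Get-O4Entries | Where-Object { $_.Name -eq $target }
if ($left) {
    Write-Warning "Entry '$target' is still present: $($left.Value) (signature: $($left.Signature))"
} else {
    Write-Host "Entry '$target' no longer appears in the Run keys."
}
```

    An entry whose executable reports NotSigned or FileMissing, or whose path is outside Program Files or Windows, is worth a closer look even when its name looks familiar.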
  40. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Well, I'm still having some problems. I can log onto Internet Explorer, but then I may get a pop-up from IE that says "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." "Send the report to Microsoft"
    Here is the "tech info" :

    AppName: iexplore.exe AppVer: 8.0.6001.18702 ModName: mshtml.dll
    ModVer: 8.0.6001.18876 Offset: 0020a1ac
    It says the report is located here: C:\DOCUME~1\DEBRA\LOCALS~1\TEMP\2ece_appcompat.txt


    I did a search for that file so I could send it to you, but the search came up with no results.

    Then after I click "Send the report to Microsoft", I get a screen that states:
    "Webpage has expired".

    Or, it will let me sign in to my Windows Live account and get to my email page. However, if I attempt to write an email the screen goes white and a tab opens which says:

    "This tab has been recovered. A problem with this page has caused IE to close and reopen the tab." Then, another screen with:

    Internet Explorer has stopped trying to restore this website. It appears that the website continues to have a problem.

    Then, my email page comes back, I get another screen which says:

    "We were unable to return you to live.com."

    Then another "Send the report to Microsoft":

    Error Signature
    EventType : visualstudio7x80update P1 : msiexec.exe P2 : 1.0.1622.4946
    P3 : kb953297 P4 : 1033 P5 : 64c P6 : f P7 : install
    P8 : x86 P9 : 5.1.2600.2.3.0.256 P10 : 0

    NDP1.1sp1_KB953297_X86_wrapper.log
    NDP1.1sp1_KB953297_X86_msi.0.log
    version.txt


    It says the report is located here: C:\Documents and Settings\Debra\Local Settings\Application Data\PCHealth\ErrorRep\QSignoff\42A57c3.cab

    I did find C:\Documents and Settings\Debra\Local Settings\Application Data\PCHealth\ERRORREP\QSignoff, but the folder was empty.

    I did follow your instructions, up to "step 6 of the Read Me". I did not disable or enable system restore.

    Should you give me instructions to remedy the problems with IE, may I remove unwanted programs (including AOL's Safety & Security Center) before I do step 6 of Read Me?

    Thanks!
     
  41. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Oh, I also forgot this. A few days ago I had to do a hard shutdown. When I rebooted, I had a screen with this:

    Checking File System on C:
    The type of file is NTSF
    The volume is dirty

    CHKDSK

    (it completed the file verification)
    CHKDSK
    (it verified the indexes)
    CHKDSK
    (it verified the security descriptors)

    It said it corrected a bunch of errors in ??? (flashed on the screen too fast for me to read), then booted into Windows.

    Is any of this a problem?
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    None of these are malware problems. You should post these in the Software Forum for continued help. Your other choice ( since you already did a backup of your data ) would be to reinstall Windows since your currently installed copy could be unpredictable.
     
  43. dazedandconfuzed

    dazedandconfuzed Corporal

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Thanks, I will pack up and move to Software. :-D

    Still wondering about:
    Checking File System on C:
    The type of file is NTSF
    The volume is dirty


    Is that a software issue?
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: PLEASE. I'm BEGGING! Need MAJOR help! Redirect to pages asking for VERY personal

    Yes! Software/Hardware since the problem is with the file system on your hard disk.
     