cannot load google redirect virus fixes

Discussion in 'Malware Help (A Specialist Will Reply)' started by Skysarge, Apr 18, 2010.

  1. Skysarge

    Skysarge First Sergeant

    Computer: PC Clone, OS Win XP Pro Service Pack 3

    Have what seems to be Google Redirect Virus. When trying to access web sites, get involuntarily linked to sundry sites that are sometimes similar, sometimes not.
    Problem is neither Malware Bytes nor Avast scans find any virus. Using only Malware and Avast, no other Malware/Virus fix programs.
    Ran CC Cleaner.
    When trying to access yours or other recommended links, some will not download, or error message "Cannot find" comes up.
    Was able to use Goored Fix which is saved on notebook. Will provide copy if requested.
    Did try to reload OS XP Pro, but program disc damaged or file corrupt and will not load. Prefer not to reinvest in XP or Windows 7 if possible.
    Thank you in advance.
    Skysarge
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. Skysarge

    Skysarge First Sergeant

    Thank you for assisting.
    Scan completed and (I hope) attached,
    Sarge
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download combofix.exe to your desktop.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    TDL::
    C:\WINDOWS\system32\drivers\atapi.sys
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now please follow these instructions and afterward, attach the requested logs:
    READ & RUN ME FIRST. Malware Removal Guide
     
  5. Skysarge

    Skysarge First Sergeant

    With the realization this might come across as somewhat dumb, I want to clarify something.
    You state "Make sure you have shut down all protection software..."
    As I see no off/on switches on these programs, short of uninstalling them how does one shut them down (Avast and Malware)?
    Thank you.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  7. Skysarge

    Skysarge First Sergeant

    Got through the drag txt to combo fix.
    As the program is loading (or whatever the terminology is) I get an error message "Are you trying to run CF Script The name CFScript appears to be incorrectly spelt."
    If I do nothing, it stays there in limbo. If I click on OK, it stops and has to be started again. If I do that it simply does the same thing.
    So, rather than spin my wheels - or in this case the hard drive - accomplishing nothing I will await further recommendations.
    Thank you,
    Skysarge:banghead
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you spell it properly? Is there a file named CFScript.txt on your Desktop?
     
  9. Skysarge

    Skysarge First Sergeant

    I simply used "copy" so that it was exact.
    There is such a file, 57 bytes in size and its icon on desktop.
    Skysarge
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just to be clear, you copied what I posted to you into notepad, saved it as CFScript.txt to your desktop. Is that right?
     
  11. Skysarge

    Skysarge First Sergeant

    I am trying to retrace my steps for accuracy, and hope I am accurate.
    I used "copy" for:
    KILLALL::

    TDL::
    C:\WINDOWS\system32\drivers\atapi.sys

    and then pasted that to notebook and saved to desktop.
    I am pretty sure that is how I did it.

    I have an icon for CF Script.txt and I have an icon for Shortcut to ComboFix.exe and both are on desktop.

    Right now I am getting so confused I'm not sure of much of anything. Getting rid of this virus or bug or whatever is exasperating me. I've been at this for three weeks now.
    Thanks though for working with me on this.
    Skysarge
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot use a shortcut to combofix.exe!!!!! You need to put ComboFix.exe directly on your Desktop as specified in the instructions.
     
  13. Skysarge

    Skysarge First Sergeant

    Some months ago I incorporated a program that scans my downloads for viruses, then downloads them into a folder titled downloads.
    I edit and publish online newsletters for some organizations, and do a great deal of downloading from the net. This has served me pretty well until now.
    When I downloaded Combo Fix and CF Script they too went into the folder. I then took Combo Fix from the folder and sent it to desktop. CF Script could be downloaded and saved directly to desktop.
    When you replied, and explained the problem with "shortcut" - something I was unaware of - I went to delete that download program. However, I do not remember what it is called, and so far have not found the program to delete it or shut it down.
    My apologies, I will continue working on that.
    Thank you for your help.
    Skysarge
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All you have to do is copy the combofix.exe file directly to your Desktop from wherever you downloaded it. CFScript.txt is not something you download. It is a file you create and save yourself. Thus you can save it anywhere, but it needs to be on the Desktop with the combofix.exe file.


    Please run the MGtools scan as instructed in the below so we can see exactly what you have done. Attach the requested MGlogs.zip file when finished.

    Using MGtools
     
  15. Skysarge

    Skysarge First Sergeant

    per your request, attachments
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not create the file we requested on your Desktop. We said to create a file named CFScript.txt

    What you created is the below, which is not correct. You did not capitalize the first 3 letters and you put a space in the file name. If you don't follow our instructions properly, things will not work.

    Code:
     
    "C:\Documents and Settings\Administrator\Desktop\"
    cfscri~1.txt  Apr 21 2010          57  "cf script.txt"
    
     
  17. Skysarge

    Skysarge First Sergeant

    In an earlier posting on this, it was brought to my attention that combofix.exe shortcut on my desktop could not be used, and that combofix.exe should be copied directly to desktop.
    There is a program on my computer that copies downloads to C:\Documents and Settings\Administrator\My Documents\Downloads.
    At the time I installed it the idea was to have a central location for downloads and decide from there what I wanted to do with the downloads or where to put them.
    It will only send or copy from downloads to desktop as shortcut. It does not offer other option for copying combofix.exe to desktop.
    I do not remember what the program is called.
    Sarge
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please just open windows explorer and go to where you have ComboFix.exe stored, then click on it as you drag it to your desktop. That is all you need to do, other than fixing the name of the CFScript.txt and dragging it onto the ComboFix.exe on the desktop!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps you are just referring to how you explicitly setup FireFox under the Tools, Options menu! I suggest you change to be set like in the below snapshot under the Downloads section, so that you can always choose where to save things to and you can also create new folders on the fly to store the downloads in. Double click the thumbnail to expand it.
    ff-main.jpg
     
  20. Skysarge

    Skysarge First Sergeant

    Thank you, went to tools and found what you thought; changed setting.
    This seems to be constantly one glitch after another.
    Now getting warning message Avast is active and could interfere with combofix.exe.
    I could not register Avast, nor could I update it. Scans with it kept giving me results that I have a clean virus free computer.
    I tried uninstalling that program using the change or remove program, kept getting an uninstall error message. It could not uninstall Avast program.
    Used Revo Uninstaller to uninstall.
    Avast is not on my desktop, it does not show up in programs, it is not in the downloads.
    Suggestions appreciated. All I originally wanted to do was rid my system of the Google redirect virus, and all I seem to be doing is finding or compounding problems.
    I will sign back on tomorrow.
    Thanks
    Sarge
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you renamed the CFScript.txt correctly? Did you drag it on top of ComboFix.exe? If so, you need to attach the new ComboFix log (and also a new MGLogs.zip by running the C:\MGtools\GetLogs.bat file) as requested in post # 4.
     
  22. Skysarge

    Skysarge First Sergeant

    Finally got ComboFix to have at it.
    Attached is log (I hope)
     


  23. Skysarge

    Skysarge First Sergeant

    Think one file got lost somewhere, so let me see if this will deliver it.
     


  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did not attach a new MGLogs.zip.

    Please follow these instructions:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    TDL::
    C:\WINDOWS\system32\drivers\atapi.sys
    
    File::
    c:\windows\system32\ztvunrar36.dll
    c:\windows\OkRihFx.dll
    c:\windows\system32\drivers\pIHUnFw.dll
    c:\windows\JEcWPJooN.exe
    c:\windows\system32\uYDtUs.dll
    c:\windows\system32\AeSucN.dll
    c:\windows\MvsvbrhqA.dll
    c:\windows\system32\yvBIQul.exe
    c:\windows\system32\drivers\pNJGckUbd.dll
    c:\windows\system32\NuVMinLKL.exe
    c:\windows\system32\pRxWkqLV.dll
    c:\windows\system32\drivers\YJmLSAAU.dll
    c:\windows\system32\drivers\yNWaxk.exe
    c:\windows\qOqqra.exe
    c:\windows\iwUuTbyc.exe
    c:\windows\system32\MHmgEb.exe
    c:\windows\system32\mxFaF.dll
    c:\windows\system32\ajHRuCYEW.dll
    
    FCopy::
    c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\System32\eventlog.dll
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  25. Skysarge

    Skysarge First Sergeant

    And once again...
    I find a file C:\ComboFix, but no C:\ComboFix.txt. As they may be the same or may not be, I will await your recommendations of that.
    When I try to attach C:\MGlogs.zip, I get error message "You already attached this file in cannot load google redirect virus fixes thread."
    I will sign back on tomorrow, I go to work extremely early.
    Skysarge
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because you did not run C:\MGtools\GetLogs.bat as TimW requested at the end of his last fix. Unless you run a new scan, the log will not change.
     
  27. Skysarge

    Skysarge First Sergeant

    Alright, went back and attached is MGlogs.zip
    I still find no ComboFix.txt - I do find a ComboFix.
     


  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, we have gotten rid of one problem and now you have a new one.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now re-run MBAM

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * MBAM log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  29. Skysarge

    Skysarge First Sergeant

    I thought I read a posting about how to disable Avast, but no success in finding it.
    Last time I simply uninstalled it, then reloaded when ready.
    So, how do I disable Avast temporarily?
    Danka,
    Skysarge
     
  30. Skysarge

    Skysarge First Sergeant

    "Now re-run MBAM"
    Sorry. Do not understand what you want re-run (?)
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  32. Skysarge

    Skysarge First Sergeant

    With some luck, attached are as requested
     


  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I can only assume that when you ran MBAM you had it fix all that it found, because the log you attached indicates no action taken.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  34. Skysarge

    Skysarge First Sergeant

    There has to be a program in my con-puter called "glitch of the hour."
    Even my previous reply to you is off flittering around with Peter Pan.

    The instructions on turning off Malware... There is no Malware icon in the tray, and I find nowhere on the site to disable this. I did with Avast.
    Sarge
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What instructions for "turning off malware"? Are you referring to disabling your AV and AS software?
     
  36. Skysarge

    Skysarge First Sergeant

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):
     
  37. Skysarge

    Skysarge First Sergeant

    Tim,
    Is this the MBAM log you were looking for?

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4076

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/8/2010 3:43:11 PM
    mbam-log-2010-05-08 (15-43-11).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 155959
    Time elapsed: 1 hour(s), 9 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 21
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 9
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\6.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\setups (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\xtxllx88.default\Cache\5606D9C8d01 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\setups\mwsbarSp.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{0ACEE94B-1C3D-4BA3-9869-72D85DBEA9A9}\RP11\A0003074.dll (Rogue.VirusProtector) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{0ACEE94B-1C3D-4BA3-9869-72D85DBEA9A9}\RP15\A0003502.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{0ACEE94B-1C3D-4BA3-9869-72D85DBEA9A9}\RP15\A0003503.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{0ACEE94B-1C3D-4BA3-9869-72D85DBEA9A9}\RP15\A0003504.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{0ACEE94B-1C3D-4BA3-9869-72D85DBEA9A9}\RP15\A0003515.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\6.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\6.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\6.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\Cache\00569587.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Installr\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
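
Added example, not part of the thread or of any participant's post: a Python sketch that triages a Malwarebytes log laid out like the one in post 37. It checks the summary counts against the itemized entries, groups detections by family, and lists entries whose action is not a successful removal (the situation TimW raises in post 33). The sample log is constructed and shortened; the function names and the "No action taken" entry are assumptions of this example.

```python
import re
from collections import Counter

# Constructed, shortened sample in the layout of the log in post 37.
# One entry is deliberately left at "No action taken." (assumed wording)
# so the remediation check has something to report.
SAMPLE_LOG = r"""
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\FunWebProducts\Installr\setups\mwsbarSp.exe (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\Installr\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

# "Files Infected: 15"  -> summary line with the declared count
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Files Infected:"     -> start of an itemized section
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<object> (<family>) -> <action>." ; the greedy object part lets paths
# such as "C:\Program Files (x86)\..." keep their own parentheses.
ITEM_RE = re.compile(
    r"^(?P<object>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return (declared_counts, items) from a Malwarebytes text log."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()  # forum posts often indent pasted logs
        if m := SUMMARY_RE.match(line):
            declared[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, **m.groupdict()})
        # "(No malicious items detected)" and header text fall through.
    return declared, items


def triage(declared, items):
    """Summarize a parsed log for a helper reviewing it."""
    listed = Counter(i["section"] for i in items)
    # A truncated paste shows up as declared != itemized.
    mismatched = {
        s: (n, listed[s]) for s, n in declared.items() if n != listed[s]
    }
    families = Counter(i["family"] for i in items)
    # Assumption: only actions reported as successful count as remediated;
    # anything else needs a follow-up scan or fix.
    pending = [i for i in items if "successfully" not in i["action"].lower()]
    return {"mismatched": mismatched, "families": families, "pending": pending}


if __name__ == "__main__":
    declared, items = parse_mbam_log(SAMPLE_LOG)
    report = triage(declared, items)
    print("count mismatches:", report["mismatched"] or "none")
    for family, n in report["families"].most_common():
        print(f"{n:3d}  {family}")
    for item in report["pending"]:
        print("NOT REMEDIATED:", item["object"], "->", item["action"])
```
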
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try doing this again.

    Copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now please install an AV program from this list: How to Protect yourself from malware!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  39. Skysarge

    Skysarge First Sergeant

    Avast5 already installed.
    Attaching, I hope, MGlogs.zip

    Sarge
     


  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good deal. Your logs are clean. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
