Help needed with following Run&ReadMeFirst thread.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Severus, Sep 23, 2010.

  1. Severus

    Severus Private E-2

    Hi, firstly, if this has been covered on another thread I'm sorry. I've tried looking at all threads which may be relevant but can't find any answer to what I'm hoping will be a simple yes/no.

    My problem (not what my question is about, but I thought I'd mention it in case it is relevant) is that since yesterday whenever I perform a search in Google or Yahoo I'm being redirected to various advertising sites (and also one asking me to verify the characters in a captcha box before clicking the button "further"). There is no other info on this site apart from the webpage, which is titled "help us to identify and protect against click fraud". I'm aware there are various threads about this at the moment, which I will be following.

    As a side note to this, the problem is only affecting IE8 (I tried uninstalling then reinstalling this last night but still have the problem) but Mozilla is working OK. When I booted up this morning I tried again with IE8, still got the problem, and loaded up Mozilla while IE8 was still open; Mozilla then had the same redirects issue. I held my power button in to shut down and after a reboot Mozilla was fine again.

    But right now I'm following the READ & RUN ME to make sure I make no further mistakes (as I scanned with Avira, Malwarebytes and SUPERAntiSpyware last night, and with CCleaner this morning also, but am still getting the same problem).

    Anyway, sorry for the long-winded post. I'm currently at Step 2 of the read me and am unsure how many software firewalls I have. I hope you'll excuse my ignorance, but I'm running Avira (which says guard active) and SpywareGuard, I connect through a Netgear router which I believe has a built-in firewall, and I think I have the Windows one running. Is this OK, and can I move to the next step of the thread?

    Any help would be greatly appreciated. I work from home using my PC, so every day lost is a day I earn no money whatsoever, so I'm willing to stay up and work on this for literally days on end to solve it. Hope someone can help with my question, and if you have any other "idiot proof" suggestions for the steps I should take please do let me know.

    Thank you,
    Sev
     
  2. Severus

    Severus Private E-2

    I'm not sure if my first post was clear or not, so just to clarify:

    What's confusing me is that according to the thread "Setting up a new computer", if you have Windows Firewall on and use a router (which I do) then you're well protected.

    So for the purposes of the READ & RUN ME, do I assume I'm running one? Or do I need to disable the Windows firewall? (I realise now Avira and SpywareGuard aren't firewalls!!)

    Thanks
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Don't worry about your firewall at this time, just run the scans and attach the requested logs.
     
  4. Severus

    Severus Private E-2

    Hi, here are the logs as you requested.

    Had no trouble running any. I noticed ComboFix found a problem with "explorer" and deleted two files. Wondering if that may be it, but I don't want to try running IE until you tell me to, in case this somehow makes matters worse.

    Thank you for taking the time to help with this it means a lot, looking forward to your reply.
     

    Attached Files:

  5. Severus

    Severus Private E-2

    The MG tools log:
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Combo found the main cause of your issues, but we still need to clean up a few things:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\Tcokevoyoxajijo.dat
    c:\windows\Rlaze.bin
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{911C4A8E-0F75-4B83-BEB9-02BDDF29D11E}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. Severus

    Severus Private E-2

    Hi Tim, here are the logs as requested.

    I noticed ComboFix deleted the two files from the c:\windows directory but don't see anything in the report to say it wiped those 5 browser helper objects from the registry. After dragging the CFscript.txt onto the .exe I was asked to update; there's no chance this would've interrupted the removal in any way?

    Looking forward to hearing from you, hopefully to say everything looks fine and I can try IE8!!
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:
     
  9. Severus

    Severus Private E-2

    Tim, I've just done the steps to remove ComboFix and MGtools, and tried out Google on Internet Explorer, and it's working perfectly.

    So a sign of malware being present, when there are Internet Explorer problems, shows up in the O2-BHO and O3-Toolbar sections of HijackThis. You can spot a false entry by the fact it has no name and there is no destination given for it (every entry needing fixing says "no file" in HijackThis).
    Am I correct in this assumption?

    And then what ComboFix is doing is wiping the registry of those browser helper objects? Correct?

    The part I'm unsure about is how you knew to delete the 2 files Tcokevoyoxajijo.dat and Rlaze.bin. I notice they are (were) both in the c:\windows directory, so is it a case of going through the listed files from one of the MGtools logs I uploaded previously and comparing this to a known list of correct entries?

    (I.e. if by any horrendous chance I was struck by IE problems again, is there anywhere I can find a list of what should be in the c:\windows directory, in order to see if I could guess what the problem is myself before calling in pro help if required?)

    I'm no computer expert, but I have a bit of a brain and like to learn, and in the past have always managed to get rid of antivirus myself, so any help you could give pointing me in the right direction to learning some more would be very much appreciated.

    You and the rest of the team here do a truly fantastic job, and i know you must hear it an awful lot but your help is more appreciated than you can imagine.

    Anyway, it would be fantastic if you had a spare minute at some point to answer my questions; if not, it's cool, I understand you all give up your spare time to do this.

    In the event you don't get a chance to answer, all I have left to say is: Thank you so much!
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes and yes.

    Experience. Malware is often easy to spot by the nonsense names of some files, but this is not always the case.
    I don't know of any list, because it will depend on what all is installed on your computer.
    Unfortunately we are too busy to offer training to anyone who is not already a recognized expert. There are a few websites that provide training rooms. The process can take a while to complete, since there is a lot to learn and the people training you are doing it in their free time. Make sure that you are serious about wanting to spend the time to learn and have the time to perform malware removal, because it takes a strong commitment. Check out the below sites:

    BootCamp

    Geek U!

    What the Tech Classroom

    BleepingComputer Malware Removal Training Program
    You are most welcome. Stick around and visit the rest of the forums. Look at our malware threads and the logs that are posted, that may be the best way to learn.

    Safe surfing!! :)
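    Following on from the O2/BHO question in the previous two posts and the CFScript in post 6, here is an added example (not from the thread, TimW, or MajorGeeks) that lists the Browser Helper Objects registered on the machine, resolves each CLSID to its friendly name and server DLL, and flags the entries HijackThis would print as "(no file)". The four CLSIDs and the two file names are copied from the CFScript above and are assumed to be the "should be gone" list; the function names and verdict strings are my own. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not part of the thread): audit the BHOs Internet Explorer will load.

# Registry locations IE reads BHO registrations from (Wow6432Node exists only on 64-bit Windows)
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Where a CLSID is resolved to a friendly name and an InprocServer32 DLL
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
# Assumption: the CLSIDs the CFScript in this thread removed; any still registered is a red flag
$KnownBad = @(
    '{02478D38-C3F9-4efb-9B51-7695ECA05670}',
    '{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}',
    '{5C255C8A-E604-49b4-9D64-90988571CECB}',
    '{911C4A8E-0F75-4B83-BEB9-02BDDF29D11E}'
)

function Resolve-Clsid {
    param([string]$Clsid)
    # Returns the friendly name and the InprocServer32 value for a CLSID; both $null if it is not registered
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        $dll  = $null
        $srv  = Join-Path $key 'InprocServer32'
        if (Test-Path -LiteralPath $srv) {
            $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
        }
        return [pscustomobject]@{ Name = $name; Dll = $dll }
    }
    return [pscustomobject]@{ Name = $null; Dll = $null }
}

function Get-BhoInventory {
    # One row per registered BHO; the Verdict column is what a HijackThis O2 line would show
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $clsid = $sub.PSChildName
            $info  = Resolve-Clsid $clsid
            $path  = $null
            if ($info.Dll) {
                # InprocServer32 values may be quoted or contain %SystemRoot%-style variables
                $path = [Environment]::ExpandEnvironmentVariables($info.Dll.Trim('"'))
            }
            $verdict = 'present'
            if (-not $path) { $verdict = 'no file (CLSID has no InprocServer32)' }
            elseif (-not (Test-Path -LiteralPath $path)) { $verdict = "no file ($path missing on disk)" }
            # -contains is case-insensitive, so mixed-case GUIDs still match
            if ($KnownBad -contains $clsid) { $verdict = 'listed in CFScript but still registered' }
            [pscustomobject]@{
                CLSID   = $clsid
                Name    = $info.Name
                Path    = $path
                Verdict = $verdict
            }
        }
    }
}

# 1. BHO audit: anything other than 'present' deserves a look before IE is started again
Get-BhoInventory | Format-Table -AutoSize

# 2. Confirm the File:: entries from the CFScript are gone (paths copied from the script)
foreach ($f in @("$env:windir\Tcokevoyoxajijo.dat", "$env:windir\Rlaze.bin")) {
    if (Test-Path -LiteralPath $f) { Write-Warning "still present: $f" } else { Write-Output "gone: $f" }
}
```

    A BHO key whose CLSID has no name and no InprocServer32 is exactly the "no name / no file" pattern described above: IE will try to load it, find nothing, and the entry is pure leftover. A registered DLL with a readable name is not automatically safe, though; as TimW says, the nonsense-name heuristic is not always enough, so check the DLL's location and publisher before deciding it belongs there.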
     
  11. Severus

    Severus Private E-2

    Thank you very much for those links! I will definitely be checking them out to see if I can be of any use.

    And yes, I'll lurk in here and the other sections of the forum too and see what I can pick up from watching you experts at work.

    Cheers for the replies and for all the time you spent helping me; like I said, VERY much appreciated, so thank you.

    Bye!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are very welcome. We are always happy to have helped someone remove what nefarious people do to wreck computer systems. :)
     
