AOL hijack, cannot download files, and so on

Discussion in 'Malware Help (A Specialist Will Reply)' started by boogieman, Oct 27, 2012.

  1. boogieman

    boogieman Private E-2

    Hi

    I am helping a friend get her PC working, but it has not gone very well.
    ISSUES:
    - AOL search assistant can NOT be removed (no AOL-related software is listed in "Add/Remove Programs")

    - When starting IE 9 it says that "my search assistant has been manipulated by another piece of software" (something like that, but in Swedish)

    - Cannot access hotmail.com

    - Cannot download files; it says "could not download" (but I can surf the web on most sites, just not Hotmail)

    - Getting an error message from Catalyst Control Center when starting the PC, saying that it could not start

    - Have run the "hijacked browser" part (MBR log in next post)

    - Have run the "read and run me first" part

    - Logs are attached. (It complained about the MBR in the MBR check; see the next post for that log.)

    - Since I could not download software, all downloads and scans have been done in "safe mode", and of course with "run as administrator" and UAC disabled.

    The issues are the same as before running CCleaner and the tools.

    Best regards
    Boogie
     


  2. boogieman

    boogieman Private E-2

    MBR log attached (due to the max of 5 attachments)
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you have issues running them in normal mode then? Elaborate please.

    I am not seeing any malware at all.


    Run this and attach the results.

    Using ESET's Online Scanner
     
  4. boogieman

    boogieman Private E-2

    Hi

    The issue I experience is that I cannot download some files.
    For example, if I want to download: http://forums.majorgeeks.com/chaslang/files/MGtools.exe
    I click the link and get the option "do you want to save... yada yada".
    I choose Save As, and when the download has started IE says "MGTools.exe could not be downloaded."
    This is not ONLY the case for virus programs; it is the same thing for pictures or videos.

    I also cannot visit some web pages, like:
    https://www.avanza.se/
    http://www.hotmail.com/
    I just get "the web page could not be displayed".
    I don't live in a country where they block web pages, and it works on my other PCs.

    While other pages work fine, like
    http://www.google.se/

    Also, my "search provider" in the IE9 settings is locked to AOL. I cannot uninstall it, and if I do address bar searches I am redirected via some sliredirectsearch address to land on, for example,
    http://search.aol.se/aol/search?&query=dator&invocationType=tb50hpcnnbie7-sv-se

    This is an HP Compaq laptop with Win7 x64.

    I ran the virus scan and it was clean except for the one MGTools file mentioned in your post. I chose to save the log, but due to my problems saving files it was not saved. I forgot to go to safe mode.

    Do you have any clue what could be wrong?

    Thank you
    Boogie
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, go into safe mode and see if you ARE able to download files. Let me know.
    Also, does this happen in other browsers or just Internet Explorer?
     
  6. boogieman

    boogieman Private E-2

    In safe mode there is no problem downloading files.
    I downloaded all the files during the virus scan, and I went in once more just now and downloaded MGtools.exe. No problem in safe mode (just the normal "this file is not downloaded often, it might be unsafe" gibberish); it went right onto my desktop :)

    I can also go to avanza.se and hotmail.com in safe mode, but not in normal startup mode.

    Also, no search provider popups in safe mode.

    I haven't tried any other browsers.

    What do you think could be the issue?
    Anything more you would like to know?

    Best regards
    Ola
     
  7. boogieman

    boogieman Private E-2

    Could not edit the post due to the 10 min timeout, so I will post an addition to the last one.
    EDIT: I have installed Comodo Firewall and keep getting a JavaScript that wants to change a bunch of registry keys related to certificates. I have put it in the sandbox for now. See the image in the next post for the popup and the file.
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please do and let me know.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is from the Hewlett Packard software you have installed.

    C:\Program Files (x86)\Hewlett-Packard\QLBCASL
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Normal behavior with IE9. Just use Save As, save it where you want, and cancel the warning as long as you know the file is safe ( like MGtools.exe is ;) )
     
  11. boogieman

    boogieman Private E-2

    It doesn't matter whether it is an unsafe file or not.
    It does not matter what I try to download; it downloads to 99% and then says "the file could not be downloaded".

    And if I cancel the warning on MGTools and download, the same thing: 99% and then "the file could not be downloaded".

    It doesn't matter if I:
    - right click and save as
    - click and save as
    - click and run

    FYI, I am a very experienced Windows user and a programmer (I actually got my first computer when I was 9 years old), just so that you don't take me for the "average Joe who knows just about nothing about computers" :)

    So if you want me to execute cmd scripts or bat files or whatever, don't hesitate. But we really don't have to go through the "right click and save as" part ;)

    I have tried running IE without add-ons; still the same.
    I have tried resetting IE to default settings; still the same.

    But for sure it is something with IE and maybe HP's preinstalled AOL crap. Still, IE is the browser that my friend wants to use, so I don't see the point of flushing Google Chrome, Firefox or any other browser down this already laggy PC's throat. Do you?

    I mean, how can that help get IE9 working, or even track down the problem in IE9 (beyond getting it in black and white that IE9 is the issue, but that is quite apparent already)?

    Best regards
    Ola
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then do the below to see if this removes the AOL search junk ( not malware ).

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    And you need to run scans in Normal Boot mode and attach logs from normal boot, as Safe Boot Mode scans are not too useful. Your problem may not have anything to do with malware.
     
    Last edited: Nov 7, 2012
  13. boogieman

    boogieman Private E-2

    1. The regfix did not work.
    I checked the keys before adding the fix, and the following key was not present at all (the SearchScopes folder does not exist):
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

    Exited regedit and ran the script (no success message, just a cmd prompt executing).
    Restarted the computer to apply the registry changes... just to be sure to have tried it out thoroughly.
    Checked in the registry, and the key above is still missing.
    Also, I still cannot remove AOL search, and the complaint prompt about the search provider is still there.

    2. I will run new scans in normal startup mode... I'll be back in a bit... kind of busy, but don't close the thread... I will come back as soon as I have a hole in the schedule :)

    Thanks for the support
    Boogie
     
  14. boogieman

    boogieman Private E-2

    Ok. I like to take one step at a time, so I did the following with the results described. Prepare to be :confused

    1. Disabled UAC
    2. Restarted the PC for the change to take effect
    - Suddenly I did not get any error message about Catalyst Control Center errors (which I did before)
    3. Opened IE9
    - No error prompt about the default search provider being changed
    4. Went to the default search provider.
    Suddenly I could both set Google as default AND remove AOL from the list
    5. Tried to access Hotmail; it worked (before it did not, but only from this PC; my other PCs work fine)
    6. Tried to download files (MGtools.exe); it worked (now I am really confused)

    7. Turned on UAC again (position 3/4 from the bottom, so the second highest level)
    8. Restarted
    9. When logging in I once again got the Catalyst Control Center error
    10. Opened IE
    - Got the Catalyst Control Center error once more
    - It complained about the default search provider being changed again. Checked: AOL was not present, since I removed it when UAC was off, and Google was the only and standard search provider. Strange? How can it complain when everything looks OK?
    - Tried accessing Hotmail via the browser; did not work: "web page cannot be shown"
    - Tried downloading MGtools; it worked, but the desktop was not shown among the download locations, so I saved it onto the D drive. Could it be disk dependent? Let's find out ---->
    - Tried downloading IE9 to the C drive MGtools folder; did NOT work (as before)

    So there it is:
    - if I turn off UAC everything seems to work
    - if I turn UAC on everything is messed up: desktop not shown among save locations, cannot access Hotmail, Catalyst Control Center error messages, "search provider changed" error message, cannot download files to the C drive.

    What on earth could be the problem?


    PS
    When I ran the regfix below, UAC was on, so that could be the reason for that not working.
    DS

    Thank you
    Boogie
     
  15. boogieman

    boogieman Private E-2

    Tried the same thing as below, but with UAC just one step above OFF.
    Same results as with UAC two steps above OFF = does not work.

    It's quite funny that it says that the search provider has been changed to AOL, but when I look it is still Google.
    If I search in the address bar it also uses Google, so it seems to be some kind of hard-coded error message?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, let me make one comment and only one just to start. While you are working here to attempt to remove any malware problems, UAC should be disabled and should remain disabled until we give you the all clear and also give final instructions which would re-enable it.

    Second, none of what you are mentioning in these last couple messages sounds like malware. I'm sorry but it sounds more like you are having problems dealing with how Windows works.

    Third, you still have never run scans from NORMAL boot mode and attached the new logs. As stated before, safe mode logs are not that helpful and we only want them when it is impossible to get them from normal boot mode.
     
  17. boogieman

    boogieman Private E-2

    Yes, I am aware of that. I don't know how I missed the step in the read and run me, but I did. Getting old and senile, I guess :D
    I know Windows quite well, so that is not the issue, I am afraid :)
    I should not receive error messages about Catalyst Control Center regardless of whether I have UAC enabled or disabled.
    I should also be able to download files, photos and so on regardless of UAC status (it should not stop at 99% saying "file could not be downloaded" when UAC is enabled).
    The same thing goes for accessing internet sites. UAC should not block internet sites that are safe, like Hotmail.
    But as you see from my message, this is what happens.
    Turning off UAC resolves all problems, but the girl that I am helping is not very familiar with PCs, so I believe having UAC on is good for her. I never keep it on for my own PCs since I prefer having full control and fewer popups for everything I want to do.

    The reason I thought it was malware was because it kept changing the search host and the default start page in IE, plus the error messages and not being able to download files.
    Changing start and search pages is quite common when it comes to malware, as you know.
    The logs are coming up - scans are running.


    Thanks for the support so far
    Boogie
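The UAC-dependent behaviour described in the posts above (downloads that fail at the very end, the Desktop missing from the save locations, everything working once UAC is off) is the kind of symptom a practitioner would first check against IE9's Protected Mode rather than malware: Protected Mode only exists while UAC is enabled, it runs the page renderer at Low integrity, and a Low-integrity process can create files only in folders that carry the Low mandatory label (IE stages downloads in its Low temp folder before they are moved to the chosen destination). If those labels have been stripped, Protected Mode IE breaks in exactly the places a UAC-off IE does not. The script below is an added example, not code from this thread or from any of the tools it mentions, and it is not a diagnosis of this particular laptop. It parses the text that `icacls <folder>` prints (the two sample listings are constructed, not taken from the thread's machine) and, on Windows, runs `icacls` against the Low folders IE 7-9 use under %LOCALAPPDATA% (that folder list is an assumption to adjust per IE version). It matches the English ACE names; a Swedish Windows prints localized names, so the regular expression would need the localized strings there.

```python
"""Check IE Protected Mode's low-integrity folders for the Low mandatory label.

Added example, not code from the thread. check_low_label() and
is_protected_mode_ready() parse the text that `icacls <folder>` prints, so they
run anywhere; run_check() is the Windows-only wrapper that actually calls icacls
and reports the relabel command for folders that are wrong.
"""
import os
import re
import subprocess

# Folders under %LOCALAPPDATA% that IE 7-9 on Vista/7 label Low so that the
# Protected Mode renderer can write to them. (Assumed list; adjust per version.)
LOW_DIRS = [
    r"Temp\Low",
    r"Microsoft\Windows\Temporary Internet Files\Low",
    r"Microsoft\Windows\History\Low",
]

# icacls prints the label ACE as  Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
# on English Windows; localized editions print translated names instead.
LABEL_RE = re.compile(r"Mandatory Label\\(Low|Medium|High) Mandatory Level:(\S+)", re.I)

# Constructed sample listing of a correctly labelled folder (not from the thread).
SAMPLE_OK = r"""C:\Users\user\AppData\Local\Temp\Low NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                      BUILTIN\Administrators:(I)(OI)(CI)(F)
                                      LAPTOP\user:(I)(OI)(CI)(F)
                                      Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed listing of the same folder after its label was stripped: no
# Mandatory Label line at all, so it is implicitly Medium and a Low process
# cannot create files in it.
SAMPLE_STRIPPED = r"""C:\Users\user\AppData\Local\Temp\Low NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                      BUILTIN\Administrators:(I)(OI)(CI)(F)
                                      LAPTOP\user:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def check_low_label(icacls_output):
    """Return (level, flags) from one icacls listing, e.g. ("Low", "(OI)(CI)(NW)").
    Returns (None, "") when no explicit label is present (effectively Medium)."""
    m = LABEL_RE.search(icacls_output)
    if not m:
        return None, ""
    return m.group(1).capitalize(), m.group(2)


def is_protected_mode_ready(icacls_output):
    """A Low-integrity IE can create files in the folder only if the label is Low
    and is inherited by new files and subfolders, i.e. carries (OI)(CI)."""
    level, flags = check_low_label(icacls_output)
    return level == "Low" and "(OI)" in flags and "(CI)" in flags


def relabel_command(path):
    """icacls command that puts the inheritable Low label back on a folder."""
    return f'icacls "{path}" /setintegritylevel (OI)(CI)Low'


def run_check(local_appdata=None):
    """Windows only: returns [(path, what_was_found, fix_command)] for each
    expected Low folder that is missing or not labelled Low."""
    base = local_appdata or os.environ.get("LOCALAPPDATA", "")
    problems = []
    for rel in LOW_DIRS:
        path = os.path.join(base, rel)
        if not os.path.isdir(path):
            problems.append((path, "missing", ""))
            continue
        listing = subprocess.run(["icacls", path], capture_output=True, text=True).stdout
        if not is_protected_mode_ready(listing):
            level, _ = check_low_label(listing)
            problems.append((path, level or "no label", relabel_command(path)))
    return problems


if __name__ == "__main__":
    for sample, name in ((SAMPLE_OK, "labelled"), (SAMPLE_STRIPPED, "stripped")):
        print(name, check_low_label(sample), "ready:", is_protected_mode_ready(sample))
    if os.name == "nt":
        for path, found, fix in run_check():
            print(f"{path}: {found}  ->  {fix}")
```

Run it from an elevated prompt on the affected machine with UAC still enabled; a folder reported as "no label" or "Medium" is one Protected Mode IE cannot write into, and the printed `icacls ... /setintegritylevel (OI)(CI)Low` line restores the label. The "Reset File Permissions" option of the Windows Repair tool recommended later in the thread rewrites these labels among other things; this check is the narrower way to see whether they were the problem before running a broad repair.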
     
  18. boogieman

    boogieman Private E-2

    Here are the logs run in normal startup UAC disabled.


    Best regards
    Boogieman
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below is for that was in the RogueKiller log?
    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files 
    C:\ProgramData\AOL
    C:\ProgramData\AVAST Software
    C:\Program Files (x86)\ESET
    C:\Windows\TEMP\HPSF.exe.config
    
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{D158AE31-A3CA-431A-A776-A1B0E92E134C}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{1030021D-CAEA-4B4C-B48D-3FA951E508E0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{E496F463-113A-40C7-974C-3074F54F3B6E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1030021D-CAEA-4B4C-B48D-3FA951E508E0}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C9F46D4F-C324-47E2-8575-874A83A0BB4C}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E496F463-113A-40C7-974C-3074F54F3B6E}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
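The :Reg section of the OTM script above and the regfix in post 12 both work on the same registry structure: each IE search provider is a GUID-named subkey under Software\Microsoft\Internet Explorer\SearchScopes in HKCU (and, for machine-wide providers, HKLM) holding DisplayName and URL values, and the DefaultScope value on the parent key names the GUID IE uses for address-bar searches. Any program can write there, which is why a vendor toolbar or a hijacker can "lock" the provider without showing up in Add/Remove Programs. The script below is an added example, not code from this thread or from OTM. It reads a regedit / `reg export` text export of those keys, lists each provider's search host, flags providers whose host is not on an allow-list you supply, and writes a .reg fragment in the same form as the fix above: `[-KEY]` lines delete the flagged scopes and DefaultScope is pointed at an allowed one. The allow-list, GUIDs and values in the embedded sample are constructed, not taken from the thread's logs.

```python
"""Audit Internet Explorer search providers from a .reg export of SearchScopes.

Added example, not code from the thread or from OTM. parse_reg() reads the
text of a regedit / `reg export` file (REG_SZ values only; dword and binary
values are skipped), audit_search_scopes() reports every provider with the
host its URL points at, and removal_reg() writes the fix in .reg form: a
"[-KEY]" line deletes a scope key, and DefaultScope on the parent key names
the provider IE uses for address-bar searches.
"""
import re
from urllib.parse import urlparse

SCOPES_PARENT = r"Software\Microsoft\Internet Explorer\SearchScopes"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export (GUIDs and values made up, not from the thread's
# PC): the user hive has a foreign default provider plus a vendor one, and the
# machine hive's DefaultScope points at a scope key that does not exist.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{11111111-2222-3333-4444-555555555555}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{11111111-2222-3333-4444-555555555555}]
"DisplayName"="AOL Search"
"URL"="http://search.aol.se/aol/search?&query={searchTerms}&invocationType=tb50hpcnnbie7-sv-se"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{66666666-7777-8888-9999-000000000000}]
"DisplayName"="Google"
"URL"="http://www.google.se/search?q={searchTerms}"
"ShowSearchSuggestions"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{DEADBEEF-0000-0000-0000-000000000000}"
"""


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # "[-KEY]" deletion entries are kept but never audited
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
    return keys


def audit_search_scopes(keys, allowed_hosts):
    """For each hive that has a SearchScopes parent key, list its provider scopes
    and flag any whose search URL host is not (a subdomain of) an allowed host,
    plus a DefaultScope that names a scope key which is not present."""
    report = {"scopes": [], "findings": []}
    for key, values in keys.items():
        hive, _, rest = key.partition("\\")
        if rest.lower() != SCOPES_PARENT.lower():
            continue
        prefix = key + "\\"
        scopes = {k[len(prefix):]: v for k, v in keys.items()
                  if k.lower().startswith(prefix.lower()) and GUID_RE.match(k[len(prefix):])}
        default = values.get("DefaultScope")
        for guid, sv in scopes.items():
            host = urlparse(sv.get("URL", "")).hostname or ""
            allowed = any(host == h or host.endswith("." + h) for h in allowed_hosts)
            report["scopes"].append({"hive": hive, "guid": guid, "name": sv.get("DisplayName", ""),
                                     "host": host, "allowed": allowed, "default": guid == default})
            if not allowed:
                report["findings"].append(
                    f"{hive}: scope {guid} ({sv.get('DisplayName', '?')}) searches {host or 'no URL'}")
        if default and default not in scopes:
            report["findings"].append(f"{hive}: DefaultScope {default} has no matching scope key")
    return report


def removal_reg(report, hive="HKEY_CURRENT_USER"):
    """Build a .reg fragment that deletes the flagged scopes in one hive and makes
    the first allowed scope the default. Returns "" when nothing needs changing."""
    mine = [s for s in report["scopes"] if s["hive"] == hive]
    bad = [s for s in mine if not s["allowed"]]
    good = [s for s in mine if s["allowed"]]
    if not bad and (not good or any(s["default"] for s in good)):
        return ""
    parent = f"{hive}\\{SCOPES_PARENT}"
    out = ["Windows Registry Editor Version 5.00", ""]
    out += [f"[-{parent}\\{s['guid']}]" for s in bad]       # leading '-' deletes the key
    if good:
        out += ["", f"[{parent}]", f'"DefaultScope"="{good[0]["guid"]}"']
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rep = audit_search_scopes(parse_reg(SAMPLE_REG), ["google.se", "google.com", "bing.com"])
    for line in rep["findings"]:
        print("FINDING:", line)
    print(removal_reg(rep), end="")
```

To use it on a real machine, export both hives first (`reg export "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" hkcu.reg` and the HKLM equivalent); the export doubles as the backup to restore from if a scope turns out to be wanted. `reg export` writes UTF-16 with a byte-order mark, so read the file with `open(path, encoding="utf-16")` before passing the text to parse_reg(). A DefaultScope that names a missing scope key, as in the HKLM part of the sample, is worth reporting on its own: it is the situation boogieman describes in post 13, where the value and key are not there but IE still behaves as if the provider were set.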
     
