Virus: Redirection, Adware

Discussion in 'Malware Help (A Specialist Will Reply)' started by 12plm, Aug 24, 2013.

  1. 12plm

    12plm Private E-2

    What this virus is basically doing is redirecting some of the links I click and placing ads all over the browser page.

    I flushed the browser caches, the Java cache, and the DNS cache. I downloaded the TDSSKiller from Kaspersky and it found nothing (probably because I already removed the infected rootkits with MalwareBytes earlier.)

    MRBCheck found something and produced the following log:
     
    Last edited by a moderator: Aug 24, 2013
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi. :) Please refrain from posting inline logs like you have.

    You need to refer to these instructions and ensure that after you have covered everything, that you attach appropriate logs. Thanks.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. 12plm

    12plm Private E-2

    Right, so in addition to what I said in my initial post...

    I ran CCleaner.

    I ran Defogger to prevent emulation.

    I verified that I am currently on a 64-bit OS.

    I attached the MRB logs.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You haven't attached any of the logs asked for from running the R&R... :confused
     
  5. 12plm

    12plm Private E-2

    Alright, I did the R&R.

    I attached the pertinent logs.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thank you, and finally I need to see the MGlogs.zip from running MGTools.exe. :) Then I am able to give you a comprehensive fix with all the right info I require.
     
  7. 12plm

    12plm Private E-2

    Here ya are!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Repeating what Kestrel13! asked for.
     
  9. 12plm

    12plm Private E-2

    MGTools is only giving me the GetUnKey file for logs.
     
    Last edited: Aug 25, 2013
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you see a message about MGlogs.zip failing to be created?
    • If Yes, did you see the notice about MGlogsR.zip ?
    • If no, please do the below so we can debug.
    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    SN64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    getnetinf <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    getmsrv <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.

    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  11. 12plm

    12plm Private E-2

    Alright. GRK64 was unresponsive. No error messages were given. The rest went fine.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure this is an accurate statement. It actually looks like it was running per your logs and that you did not wait for it to finish. It can take a while for it to finish scanning through the registry many times for various things and it has to create almost 100 MB of temporary files to do this. Try again and this time wait for it to finish and for it to return to the command prompt window.

    I'm not seeing any reason why you would have a problem running MGtools unless you did not disable protection software, disable UAC, or did not use Run As Administrator.
     
  13. 12plm

    12plm Private E-2

    Actually, it's working now. Here's the attachment of the MGLogs.zip.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! That is just the first of several dozen files that should be in the log and you should not be missing the ones you last attached from this ZIP file unless you are deleting the MGlogs.zip file. Try the below.
    • Make sure UAC is disabled.
    • Make sure that you shutdown your protection software.
    • Now from the command prompt ( like you opened as administrator a few messages ago)
      • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
      • GetLogs <-- this attempts to run ALL of the scans that are part of MGtools. This can take as little as 3 minutes or as long as 30 minutes depending on your PC speed, how much else is running and how many files on your PC. Just let it run until it tells you it is finished. Watch for error messages.
     
  15. 12plm

    12plm Private E-2

    It worked. You were right.
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.


    Uninstall DefaultTab


    Re run Hitman and have it delete Potential Unwanted Programs.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    • [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\RunOnce : 2EB51696-6901-408A-BF56-3895B8F9C782 (cmd.exe /C start /D "C:\Users\ADMINI~1\AppData\Local\Temp" /B 2EB51696-6901-408A-BF56-3895B8F9C782.exe -postboot [x][-][x]) -> FOUND
    • [SERVICE][ROGUE ST] HKLM\[...]\CCSet\[...]\Services : 28858291 (C:\Windows\system32\28858291.sys [x]) -> FOUND
    • [SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : 28858291 (C:\Windows\system32\28858291.sys [x]) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Delete these if they show:

    • C:\Users\Administrator\AppData\Local\DownloadTerms
    • C:\Windows\system32\28858291.sys
    • C:\Users\ADMINI~1\AppData\Local\Temp" /B 2EB51696-6901-408A-BF56-3895B8F9C782.exe


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
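    The three RogueKiller detections quoted above share two shapes a defender can check for without the tool: a RunOnce value that launches an executable out of a user's Temp folder through a cmd.exe /C start wrapper, and a service whose name and driver file are nothing but digits. The script below is an added example written for this thread, not code from MajorGeeks, RogueKiller or MGTools. It reads the Run/RunOnce keys (including Wow6432Node) and the services key and emits a finding object for each entry that matches; the rule names, digit-length threshold and the GUID-name heuristic are assumptions chosen for illustration. It only reports; it deletes nothing.

```powershell
# Added example (not from the thread or any of the tools it mentions).
# Run from an elevated PowerShell prompt; output is a list of findings to review.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousAutorun {
    # Returns the list of reasons an autorun value looks like the RunOnce entry above
    # (assumed heuristics; an empty list means nothing matched).
    param([string]$Name, [string]$Command)
    $reasons = @()
    # Installers do not leave autoruns pointing into a user's Temp folder.
    if ($Command -match '(?i)\\AppData\\Local\\Temp\b') { $reasons += 'runs from Temp' }
    # cmd.exe /C start ... /B launches the real payload behind a throwaway shell.
    if ($Command -match '(?i)cmd(\.exe)?\s+/c\s+start\b') { $reasons += 'cmd /C start wrapper' }
    # GUID-named values are typical of one-shot post-boot stages dropped by installers.
    if ($Name -match '^\{?[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}?$') { $reasons += 'GUID-named value' }
    return $reasons
}

function Test-SuspiciousService {
    # Flags services/drivers whose name or file is only digits (assumed threshold: 6+ digits).
    param([string]$Name, [string]$ImagePath)
    $reasons = @()
    if ($Name -match '^\d{6,}$') { $reasons += 'all-digit service name' }
    if ($ImagePath -match '(?i)(^|\\)system32\\\d{6,}\.sys$') { $reasons += 'all-digit driver in system32' }
    return $reasons
}

function Get-AutorunFindings {
    # Walk every value under the Run/RunOnce keys on the live system.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $why = Test-SuspiciousAutorun -Name $prop.Name -Command ([string]$prop.Value)
            if ($why) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Value = $prop.Value; Reasons = ($why -join '; ') }
            }
        }
    }
}

function Get-ServiceFindings {
    # Walk every service key and inspect its ImagePath.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $why = Test-SuspiciousService -Name $svc.PSChildName -ImagePath ([string]$img)
        if ($why) {
            [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = $img; Reasons = ($why -join '; ') }
        }
    }
}

# Offline check of the rules against the values quoted in the post above plus one
# benign, constructed entry. Expected: the first two produce reasons, the third none.
$samples = @(
    @{ Name = '2EB51696-6901-408A-BF56-3895B8F9C782'
       Command = 'cmd.exe /C start /D "C:\Users\ADMINI~1\AppData\Local\Temp" /B 2EB51696-6901-408A-BF56-3895B8F9C782.exe -postboot' },
    @{ Name = '28858291'; Image = 'C:\Windows\system32\28858291.sys' },
    @{ Name = 'ExampleUpdater'; Command = '"C:\Program Files\Example\updater.exe" /quiet' }   # constructed, benign
)
Test-SuspiciousAutorun -Name $samples[0].Name -Command $samples[0].Command
Test-SuspiciousService -Name $samples[1].Name -ImagePath $samples[1].Image
Test-SuspiciousAutorun -Name $samples[2].Name -Command $samples[2].Command

# Live system sweep (requires an elevated prompt):
Get-AutorunFindings | Format-Table -AutoSize
Get-ServiceFindings | Format-Table -AutoSize
```

The point of splitting the matching rules (Test-*) from the registry walkers (Get-*) is that the rules can be exercised on pasted log lines, as at the bottom of the script, before anything is trusted against a live machine. Anything the sweep reports still needs a human look before deletion; a legitimate product can occasionally use an odd service name.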
     
  17. 12plm

    12plm Private E-2

    None of the registries RK detected seemed to correspond with the ones you specified, so the attached logs are just of the scan.

    Everything else went fine in terms of execution. All browsers are still afflicted with redirection and adware.
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  19. 12plm

    12plm Private E-2

    I ran JRT. The logs file is attached.

    The browsers are still afflicted with adware and redirection.
     

    Attached Files:

    • JRT.txt
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Which browser(s)?
     
  21. 12plm

    12plm Private E-2

    Oh, actually, Firefox and Internet Explorer are no longer experiencing adware or redirection. Google Chrome still is, though.
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall it then with Revo Uninstaller and then reinstall and let me know how it is behaving. :)
     
  23. 12plm

    12plm Private E-2

    Google Chrome is still experiencing adware and redirection.
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Elaborate please. What adware and where exactly are you being redirected to?
     
  25. 12plm

    12plm Private E-2

    Basically, ads are placing along the pages, as shown at http://i.imgur.com/uGlNniv.png. The redirection is to ad-sites, such as ones claiming a need to download a newer version of Flash Player (falsely claiming so), and basically any other sites that are advertising something in hopes that I will be tricked into downloading harmful files.
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this and attach the results.

    Using ESET's Online Scanner

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    • Uninstall Google Chrome with Revo again.
    • Leave it uninstalled until I say so.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  27. 12plm

    12plm Private E-2

    I forgot to save the results (unless it automatically saves), but what it found were two different Windows starter variants, or at least that's what I recall them being called.
     

    Attached Files:

  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Why is Google Chrome still installed when I asked you to uninstall it and keep it uninstalled until I let you know?
     
  29. 12plm

    12plm Private E-2

    I uninstalled chrome before running GetLogs.bat. Not sure what went wrong.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See file dates in MGlogs.zip. Very few were updated. It either was not run to completion or protection software got in the way, or it was not run as administrator.
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Having read what Chaslang typed, can you re run it and get me a fresh log please.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, to ensure that the embedded issue with Chrome is removed, you need to manually make sure the below two folders are deleted before reinstalling:

    C:\Program Files (x86)\Google\Chrome
    C:\Users\Administrator\AppData\Local\Google\Chrome
     
