Browser Redirecting

ManWarBear · May 31, 2014

Good Morning,

A couple of weeks ago, whenever I downloaded a pic or file from the internet a message would appear when I clicked on the properties of the file or pic. "This file came from another computer and might be blocked to help protect this computer."

This has not been a problem per se though it does annoy me a little. The real problem started last night and I'm not sure if the two are even related. I tried to go on paltalk but it wouldn't load. After a few attempts it finally loaded but then I was abruptly kicked off. It began indicating that it was performing a download/update, so I let it. After it was complete I tried logging back on but again it wouldn't allow me to. I finally thought "Screw it. I'll just watch movies online." but that didn't go so well. My browser kept getting redirected whenever I put a url into the address bar. I then downloaded all the programs indicated in the majorgeeks cleaning process but I didn't begin the clean up until this morning. Rogue Killer looks as though it has detected some root kit activity and there are some registry keys that I don't recognize.

Kestrel13! · May 31, 2014

Hi did you purposely set a restriction to hide your desktop items?

ManWarBear · Jun 1, 2014

No I did not. I take it that that is a bad sign.
I apologize for the late response. I was out yesterday and just got back.
I'm not sure if my desktop items being hidden has anything to do with a group policy editor policy that was recently put onto my system, even though my version of windows doesn't have a group policy editor.

Kestrel13! · Jun 2, 2014

http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2529950924-2413168481-1851909273-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> FOUND

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2529950924-2413168481-1851909273-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2529950924-2413168481-1851909273-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> FOUND

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2529950924-2413168481-1851909273-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> FOUND

Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKU\S-1-5-21-2529950924-2413168481-1851909273-1000\Software\APN PIP]

Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now re run RogueKiller again and attach the new log.

ManWarBear · Jun 2, 2014

The registry merge worked.

Kestrel13! · Jun 2, 2014

How are things running?

ManWarBear · Jun 2, 2014

Things are running fine but all of the things in RogueKiller's antirootkit activity tab have me very worried. Thank you very much for getting rid of that group policy that was on all downloaded files. It's no longer there.

Kestrel13! · Jun 3, 2014

Look yourself on the rootkit tab using RogueKiller. When I scan on my machine it lists a whole bunch, but it does show them coloured in green and says they are legit. What about yours?

ManWarBear · Jun 3, 2014

Mine are all colored red and in previous recent uses of RogueKiller there was never anything listed under the antirootkit tab.

ManWarBear · Jun 3, 2014

Okay, so I just updated RogueKiller and all the stuff that was red in the antirootkit tab is now orange and it appears as though 4 of the previously removed registry listings are now back.

Kestrel13! · Jun 3, 2014

OK, I looked again and I don't think any of those items are a problem at all.

How are things running? Ready for final steps now?

ManWarBear · Jun 3, 2014

Whatever group policy was added to my machine is back. I just want whatever is adding this stuff to be gone.

Kestrel13! · Jun 4, 2014

What group policy are you talking about?

ManWarBear · Jun 4, 2014

On every file that gets downloaded from the internet, when I open the properties of the file it says. "This file came from another computer and might be blocked to help protect this computer."

Kestrel13! · Jun 4, 2014

I suggest you post about that in the software forum. Is your browser redirecting any more or not?

ManWarBear · Jun 4, 2014

Nope. Software Forum, gotcha. Thanks.

Kestrel13! · Jun 4, 2014

No problem.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.

Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.

Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.

If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Log in or Sign up

Browser Redirecting

ManWarBear Private First Class

Attached Files:

RKreport_SCN_05312014_084513.log

mbam-log-2014-05-31 (08-52-00).txt

TDSSKiller.3.0.0.37_31.05.2014_08.59.16_log.txt

HitmanPro_20140531_0914.log

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

ManWarBear Private First Class

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

ManWarBear Private First Class

Attached Files:

RKreport_DEL_06022014_083743.log

RKreport_SCN_06022014_090309.log

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

ManWarBear Private First Class

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

ManWarBear Private First Class

ManWarBear Private First Class

Attached Files:

RKreport_SCN_06032014_054616.log

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

ManWarBear Private First Class

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

ManWarBear Private First Class

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

ManWarBear Private First Class

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member