Google Redirect - Need Help Finalizing Fix

Discussion in 'Malware Help (A Specialist Will Reply)' started by ChunAsperEndao, Apr 12, 2009.

  1. ChunAsperEndao

    ChunAsperEndao Private E-2

    Some time ago, I contracted a number of problems, including a redirect from Google search results in Firefox. I thought that scans had eliminated everything, but the Google redirect has continually come back, occurring not with every click, but seemingly at random. My most recent scans come up clean. I referred to this thread before posting a new one:

    http://forums.majorgeeks.com/showthread.php?t=182030

    Following TimW's advice to the other user, I've located this file:

    C:\Program Files\Mozilla Firefox\extensions\{77694D8F-E70A-4F7C-852B-42BCF5572DEA}\chrome\content\overlay.xul

    I renamed it to overlay.BAD, then started Firefox, and performed several Google searches. I'm no longer seeing the problem. However, I failed to locate C:\Windows\nhtomqef or any similar file. Is there something else I should look for, and can I delete overlay.BAD?

    I'm attaching the logs from my most recent scans, as well.
     

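The file located in post #1 is a chrome overlay inside a GUID-named directory under Firefox's extensions folder. A quick inventory of that folder makes it easier to spot an extension that is worth a second look before renaming or deleting anything. The script below is an added example for this thread, not code from the thread, MajorGeeks or Mozilla. It assumes the 2009-era Firefox layout the thread shows (one directory per extension under `extensions`, metadata in `install.rdf`, overlays under `chrome\content`); the "review" flag is a heuristic chosen for this example (an overlay present but no `install.rdf` describing the extension), and the sample tree it builds is constructed, with the GUID directory name taken from post #1.

```python
"""Inventory a Firefox extensions folder for triage.

Added example for this thread; not code from the thread, MajorGeeks or
Mozilla. Assumes the 2009-era layout: <Firefox>\\extensions\\<id>\\install.rdf
and chrome\\content\\overlay.xul. The "review" flag is a heuristic chosen for
this example, not a verdict, and the sample tree below is constructed.
"""
import re
import tempfile
from pathlib import Path

# Extension ids are either email-style strings or a GUID in braces
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def extension_name(ext_dir):
    """Return the <em:name> from install.rdf, or '' when there is no install.rdf."""
    rdf = ext_dir / "install.rdf"
    if not rdf.is_file():
        return ""
    m = re.search(r"<em:name>(.*?)</em:name>", rdf.read_text(errors="replace"), re.S)
    return m.group(1).strip() if m else ""


def inventory_extensions(extensions_dir):
    """One record per extension directory, sorted by directory name."""
    records = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        overlays = sorted(p.relative_to(ext_dir).as_posix()
                          for p in ext_dir.rglob("overlay.xul"))
        has_rdf = (ext_dir / "install.rdf").is_file()
        records.append({
            "id": ext_dir.name,
            "guid_named": bool(GUID_RE.match(ext_dir.name)),
            "name": extension_name(ext_dir),
            "has_install_rdf": has_rdf,
            "overlays": overlays,
            # Heuristic for this example: an overlay with no install.rdf naming its owner
            "review": bool(overlays) and not has_rdf,
        })
    return records


def build_sample_tree(root):
    """Constructed sample: one ordinary extension plus a GUID-named one with only an overlay."""
    root = Path(root)
    good = root / "sampletoolbar@example.invalid"
    (good / "chrome" / "content").mkdir(parents=True)
    (good / "install.rdf").write_text(
        '<?xml version="1.0"?>\n<RDF><Description>\n'
        "  <em:id>sampletoolbar@example.invalid</em:id>\n"
        "  <em:name>Sample Toolbar</em:name>\n"
        "</Description></RDF>\n")
    (good / "chrome" / "content" / "overlay.xul").write_text("<overlay/>\n")
    # Directory name and overlay path as given in post #1; the missing install.rdf
    # is part of the constructed sample, not something the thread states
    bad = root / "{77694D8F-E70A-4F7C-852B-42BCF5572DEA}"
    (bad / "chrome" / "content").mkdir(parents=True)
    (bad / "chrome" / "content" / "overlay.xul").write_text("<overlay/>\n")
    return root


def run_demo():
    """Build the sample tree, print the inventory, and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        records = inventory_extensions(build_sample_tree(tmp))
        for r in records:
            flag = "REVIEW" if r["review"] else "ok"
            print(f'{flag:6} {r["id"]}  name={r["name"]!r}  overlays={r["overlays"]}')
        return records


if __name__ == "__main__":
    run_demo()
```

On a real system, point `inventory_extensions` at the `extensions` directory of the Firefox install (the path in post #1 shows where it lives) and read the `REVIEW` rows first; the flag only says "look here", so confirm what the overlay does before treating it as malware.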
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why am I not seeing any anti-virus software on this system???

    Yes delete the file you renamed to bad.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now download and install:
    Java Runtime 6

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    Driver::
    
    
    File::
    c:\windows\system32\20fjk348.exe
    c:\windows\system32\g4XLmDe1.exe
    C:\Program Files\Mozilla Firefox\extensions\{77694D8F-E70A-4F7C-852B-42BCF5572DEA}\chrome\content\overlay.xul
    
    AtJob::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now install an AV program!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  3. ChunAsperEndao

    ChunAsperEndao Private E-2

    Looks good.

    Here are the new logs.

    I wasn't aware of my freeware anti-virus options until I referred to that section of the Major Geeks site. I went ahead and installed Avira AntiVir, which I'm sure will still be far from perfect, but better than nothing.
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good job. Now there are just a few things left to do:

    First download a new copy of ComboFix to your desktop ( let it overwrite the old version)

    Then:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\tapmewkw
    C:\WINDOWS\zjpawapx
    
    Folder::
    C:\WINDOWS\tapmewkw
    C:\WINDOWS\zjpawapx
    DirLook::
    C:\WINDOWS\system32\pnUZ
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
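The CFScript boxes in posts #2 and #4 are plain text with a fixed shape: a directive line ending in `::`, followed by the entries that directive applies to. Reading a script back in that structure before dragging it onto ComboFix shows exactly which files, folders and registry values it will touch. The parser below is an added example for this thread, not ComboFix's own code; it assumes only what the two scripts show (directives `KILLALL::`, `Driver::`, `File::`, `Folder::`, `AtJob::`, `DirLook::`, `Registry::`, with the `Registry::` body in `.reg` syntax). Reading `File::` and `Folder::` as removals follows post #2 ("remove a bunch of malware files"); reading `DirLook::` as a directory listing is an assumption from its name. The embedded sample is the script from post #2.

```python
"""Parse a ComboFix CFScript into its directives for review before it runs.

Added example for posts #2 and #4 of this thread; not ComboFix's code and not
from the thread. Assumes: a directive is a line ending in '::', every
non-blank line under it belongs to it until the next directive, and the
Registry:: body uses .reg syntax ([key] then "name"="data"). Treating
DirLook:: as a listing is an assumption from its name.
"""
import re

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# The script from post #2, verbatim (blank lines included, as the post has them)
SAMPLE = r"""
KILLALL::


Driver::


File::
c:\windows\system32\20fjk348.exe
c:\windows\system32\g4XLmDe1.exe
C:\Program Files\Mozilla Firefox\extensions\{77694D8F-E70A-4F7C-852B-42BCF5572DEA}\chrome\content\overlay.xul

AtJob::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
"""


def parse_cfscript(text):
    """Map each directive to the entry lines under it (an empty list when it has none)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_registry_section(lines):
    """Turn the .reg-style Registry:: body into {key: {value_name: data}}."""
    keys, key = {}, None
    for line in lines:
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            keys.setdefault(key, {})
            continue
        vm = REG_VALUE_RE.match(line)
        if not vm or key is None:
            raise ValueError(f"unrecognised registry line: {line!r}")
        name, data = vm.groups()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1]  # "" means the value is set to an empty string
        keys[key][name] = data
    return keys


def summarize(text):
    """Plain-language list of what the script would touch."""
    sections = parse_cfscript(text)
    out = []
    if "KILLALL" in sections:
        out.append("KILLALL: stop running processes first")
    for path in sections.get("File", []):
        out.append(f"remove file:    {path}")
    for path in sections.get("Folder", []):
        out.append(f"remove folder:  {path}")
    for path in sections.get("DirLook", []):
        out.append(f"list folder:    {path}")
    for key, values in parse_registry_section(sections.get("Registry", [])).items():
        for name, data in values.items():
            out.append(f'set registry:   [{key}] "{name}" = {data!r}')
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Paste the contents of any CFScript.txt into `SAMPLE` (or read the file) to see the same summary for it; a `ValueError` means a line sits outside any directive or the `Registry::` block is not in `.reg` form, which is worth fixing before the script is used.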
     
  5. ChunAsperEndao

    ChunAsperEndao Private E-2

    Done. Here are the new logs.

    Why did ComboFix disappear from my desktop after running? Should I be alarmed?
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not sure what you did. Are you saying you redownloaded to your desktop and ran it? Or then used the fix I gave you and dragged and dropped it onto CF, at which point it disappeared?

    Use Windows Explorer to find and delete:
    C:\WINDOWS\tapmewkw
    C:\WINDOWS\zjpawapx

    Did you download it again, as I don't see it on your desktop?
     
  7. ChunAsperEndao

    ChunAsperEndao Private E-2

    It vanished after I redownloaded it and then ran it using the script you gave me. Anyway, I've downloaded another new copy of it, and I've deleted those two files you indicated.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then you need to get me the new log from Combo as well as a new MGLogs.zip so I can be sure that you are clean. :)
     
