Google Redirection Issue Alone did not get fixed after following README post steps

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by heyraam, May 1, 2011.

  1. heyraam

    heyraam Private E-2

    Hi,

    I have a Dell Latitude E6400 laptop and the malware got installed on 04/23/2011 when browsing for some online streaming website. Since then I have been facing many problems, of which the major ones got fixed after following the steps mentioned in your thread Windows XP Malware Removal/Cleaning Procedure.

    Below are the problems solved after following the above post:

    - Windows XP wouldn't restart and gets stuck at different points of the start up, specifically when loading user preference settings after logon.
    - If by luck the system starts, a process called a5fa2Ma3.exe gets started and hogs the CPU. Usually 6 to 8 instances of the same process will be running subsequently.


    Because of this I couldn't use my laptop at all. Now after ComboFix I don't see the above two issues. The following issues are still plaguing my system:

    - Google search results links are getting redirected. Mostly to the following page
    http://www.stopzilla.com/products/stopzilla/antivirus.do?aid=10690&cid=antivirus

    - Google Chrome browser is not working. When I start it a popup comes up to say the tab is busy and that I have the option to wait or kill. But it never gets to a normal state where I can start browsing.

    - Sometimes svchost.exe is taking 60 to 80% cpu power even though there is only one browser application running (apart from task manager to monitor the CPU usage).
     


  2. heyraam

    heyraam Private E-2

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    Adding MGlogs.zip


    Any help with solving this problem is appreciated.

    Thanks.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    Please put ComboFix directly on your desktop, not in a folder as you have it here:
    Running from: c:\documents and settings\rramacha.APPLICATIONS\Desktop\Virus Removal\ComboFix.exe

    It is a bad idea to allow all users to have Admin. privileges.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. heyraam

    heyraam Private E-2

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    Thanks TimW.

    Before I follow the steps you have mentioned, I have the following question.

    Do you want me to move the Combofix.exe to Desktop and run it first before downloading the avenger.exe?
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    Yes move it to the desktop, and before you complete Tim's fix I want you to do this:

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Then run Tim's fix and attach new logs. :)
     
  6. heyraam

    heyraam Private E-2

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    Thanks TimW and Kestrel13!

    I followed your instructions and now I am able to browse using the Chrome browser. But when I originally posted this thread, I thought the only issue was Google redirection. But eventually I started noticing other issues and my McAfee started complaining about some trojan virus as well. It said it removed it but I continue to get issues. These issues started building up one by one slowly in the last 10 days.

    I noted the following issues with my laptop before running the steps you mentioned.

    - While working, some ghost window will open and close and I won't see anything else
    - While typing anything in an editor, the cursor would jump off to some other location in the editor
    - When shutting down it will complain about a running process hello4.exe and even if I end the process the end process window will reappear. I had to switch off the laptop a couple of times as I couldn't shut down
    - Finally, in the last couple of days, during start up a few blank windows will appear with hello4 in the title and would disappear eventually.


    I followed these steps:

    1. Moved ComboFix to Desktop and ran it
    2. Ran TDSSKiller.exe
    3. Ran Avenger.exe (with script provided by TimW)
    4. Ran CCleaner to remove temp files
    5. Ran MGTools/GetLogs.bat

    I have attached all the logs to this thread. Please take a look and let me know if there are any other malware in my system.


    Here is what I noticed after the reboot:

    - I didn't see the blank hello4 window after startup this time
    - Google chrome is working just fine.
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    Java(TM) 6 Update 15 <--- uninstall outdated Java

    Please disable Spybot's TeaTimer.

    How to disable Spybot's TeaTimer

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\documents and settings\rramacha.APPLICATIONS\Application Data\Gozy
    File::
    c:\windows\Wzalijevulasej.bin
    RenV::
    c:\program files\Adobe\Reader 10.0\Reader\Reader_sl .exe
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
    c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
    c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint .exe
    c:\program files\DellTPad\Apoint .exe
    c:\program files\McAfee\Common Framework\udaterui .exe
    c:\program files\McAfee\Host Intrusion Prevention\FireTray .exe
    c:\program files\McAfee\VirusScan Enterprise\SHSTAT .exe
    c:\program files\ScanSoft\PaperPort\IndexSearch .exe
    c:\program files\ScanSoft\PaperPort\pptd40nt .exe
    c:\program files\ScanSoft\PaperPort\Ereg\Ereg .exe
    c:\program files\Spybot - Search & Destroy\TeaTimer .exe
    c:\windows\ime\IMJP8_1\IMJPMIG .exe
    c:\windows\OrclOBI\synctime .exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
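The RenV block in the ComboFix script above renames executables whose file name carries a space before the extension (for example "Apoint .exe") back to their original names. A defender can look for the same pattern independently: a displaced binary of that form sitting next to a file with the original name is the signal those RenV lines are correcting. The script below is an added example written for this thread, not code from ComboFix or from MajorGeeks; it scans a directory tree for that naming pattern and reports whether a same-named sibling exists. The directory layout it builds is constructed sample data that borrows two names from the RenV list purely for illustration.

```python
import os
import re
import tempfile

# A basename such as "Apoint .exe": one or more spaces before a
# executable-style extension. Extension list is an assumption for the demo.
DISPLACED_RE = re.compile(
    r"^(?P<stem>.+?)\s+\.(?P<ext>exe|dll|scr|com)$", re.IGNORECASE
)


def find_displaced_executables(root):
    """Walk `root`; return sorted (displaced_path, replacement_path_or_None).

    replacement_path is the sibling file carrying the original name
    (same stem, no space), i.e. what now occupies the legitimate name.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {n.lower(): n for n in filenames}
        for name in filenames:
            m = DISPLACED_RE.match(name)
            if not m:
                continue
            original = f"{m.group('stem')}.{m.group('ext')}".lower()
            displaced = os.path.join(dirpath, name)
            replacement = (
                os.path.join(dirpath, by_lower[original])
                if original in by_lower
                else None
            )
            findings.append((displaced, replacement))
    return sorted(findings)


def scan(root):
    """Same as find_displaced_executables, but root-relative POSIX paths."""
    def rel(p):
        return None if p is None else os.path.relpath(p, root).replace(os.sep, "/")
    return [(rel(d), rel(r)) for d, r in find_displaced_executables(root)]


def build_sample_tree():
    """Constructed sample tree (not data from the thread's logs).

    Two directories mimic the RenV situation: the displaced original next to
    a file that now holds the original name. One displaced file has no
    sibling, and two clean files show what must NOT be flagged.
    """
    root = tempfile.mkdtemp(prefix="renv_demo_")
    layout = {
        os.path.join("DellTPad", "Apoint .exe"): b"MZ original",
        os.path.join("DellTPad", "Apoint.exe"): b"MZ lookalike",
        os.path.join("ScanSoft", "PaperPort", "pptd40nt .exe"): b"MZ original",
        os.path.join("ScanSoft", "PaperPort", "pptd40nt.exe"): b"MZ lookalike",
        os.path.join("Clean", "orphan .exe"): b"MZ displaced, no sibling",
        os.path.join("Clean", "notepad.exe"): b"MZ clean",
        os.path.join("Clean", "readme .txt"): b"not an executable",
    }
    for relpath, data in layout.items():
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for displaced, replacement in scan(demo_root):
        status = f"sibling present: {replacement}" if replacement else "no sibling"
        print(f"{displaced}  ->  {status}")
```

Run it against a real system root instead of the constructed tree to list candidates for review; the displaced file is the one to preserve and compare against a known-good copy, while the file holding the original name is the one to examine before anything is renamed back.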
  8. heyraam

    heyraam Private E-2

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    When running ComboFix it always complains that "VirusScan Enterprise + AntiSpyware" is active. I just couldn't find a way to disable it. So I went ahead and ran ComboFix anyway.

    I followed the steps you have given and ran ComboFix and I have attached the log ComboFix.txt file. Since running getLogs.bat may old log files in my system, I directly attached the ComboFix.txt.

    Please let me know if you still want me to run getLogs.bat. Also I would like to let you know that in the last couple of weeks the McAfee scanner pops up once in a while and showed that it found certain viruses. I have attached the screen shot with the virus file names.

    Please take a look and let me know if you still see some viruses in my system and any steps to remove them.
     


  9. heyraam

    heyraam Private E-2

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    BTW another problem that continues to exist is the Google redirection. I am having to right-click on the Google result link and open a new window/tab. If I directly click on Google results it mostly opens some search/spam website.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Google Redirection Issue Alone did not get fixed after following README post step

    Does the redirection happen in all browsers? Which browser are you using? Please do run the C:\MGtools\GetLogs.bat and attach the new C:\MGLogs.zip.

    BTW, the screen shot is just showing infected system restore files, which we will remove once you are clean.
     
