Google redirection problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by blackcat1999, Feb 26, 2013.

  1. blackcat1999

    blackcat1999 Private E-2

    Hi, I'm hoping someone can help: I have been having some problems with IE9 and Google redirection.

    I have followed the cleaning procedure outlined in the sticky for Vista and Win 7 Malware Removal/Cleaning Procedure.

    I have completed steps 1-4, and after step 4 I let my computer run for a few days and everything seemed to be fine.

    Yesterday I completed step 5, Enable UAC, and rebooted my computer. Since then IE has not been able to connect to any websites except for google.co.uk.

    I then disabled the UAC and IE is working ok.

    I’m worried there may still be some malware lurking on the computer and don’t want to proceed to step 6.

    I attach the 5 logs.

    Thanks.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [RUN][SUSP PATH] HKLM\[...]\Run : sclpn (rundll32.exe "C:\Users\Alex\AppData\Roaming\sclpn.dll",Init) -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\Run : dredt ("C:\Windows\System32\rundll32.exe" "C:\Users\Alex\AppData\Roaming\dredt.dll",set_packswap) -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\Run : btxpns ("C:\Windows\System32\rundll32.exe" "C:\Users\Alex\AppData\Roaming\btxpns.dll",Malloc) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now run Hitman and have it remove these items:
    C:\Users\Alex\AppData\Roaming\dredt.dll
    C:\Users\David M\AppData\Roaming\bcspt.dll
    C:\Users\David M\AppData\Roaming\sngag.dll

    Reboot and rescan with both RogueKiller and Hitman and attach those new logs as well.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
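    The three RogueKiller detections above share one pattern: a Run key value that uses rundll32.exe to load a DLL sitting in a user's AppData\Roaming folder. The script below is an added example (not part of this thread, and not RogueKiller's or Hitman's code) that enumerates the HKLM and HKCU Run keys and flags entries matching that pattern, so you can see what an autorun scanner is reacting to before anything is deleted. It only reports; the path pattern and the output column names are my own choices, and the DLL-exists check is there because an entry can survive after its DLL is gone.

```powershell
# Added example: report Run-key autoruns that load a DLL via rundll32.exe from a
# user-profile or temp location. Read-only; it deletes nothing.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Locations from which a legitimate Run entry rarely loads a DLL through rundll32
# (assumed heuristic, matching the detections quoted above).
$suspiciousPathPattern = '\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\|\\ProgramData\\|\\Temp\\'

function Get-SuspiciousRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata properties (PSPath, PSParentPath, ...).
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value

            $usesRundll32      = $cmd -match '(?i)rundll32(\.exe)?'
            $loadsFromUserPath = $cmd -match "(?i)$suspiciousPathPattern"

            # Pull out the quoted DLL path, if any, and check it is still on disk;
            # a stale entry whose DLL was already removed still shows up in a scan.
            $dllPath = $null
            $dllExists = $null
            if ($cmd -match '"([^"]+\.dll)"') {
                $dllPath = $Matches[1]
                $dllExists = Test-Path -LiteralPath $dllPath
            }

            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                DllPath    = $dllPath
                DllExists  = $dllExists
                Suspicious = ($usesRundll32 -and $loadsFromUserPath)
            }
        }
    }
}

# Show only the flagged entries; drop the Where-Object to list every autorun.
Get-SuspiciousRunEntry | Where-Object Suspicious | Format-List Key, Name, Command, DllPath, DllExists
```

Run it from an elevated PowerShell prompt so both HKLM hives are readable. An entry with DllExists = False is the situation seen later in this thread, where the registry value is still present but the DLL it points to can no longer be found.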
     
  3. blackcat1999

    blackcat1999 Private E-2

    Thank you for your response Tim.
    I've started the first part of the process and ran RogueKiller.exe.
    After the scan I couldn't locate the files:


    • [RUN][SUSP PATH] HKLM\[...]\Run : sclpn (rundll32.exe "C:\Users\Alex\AppData\Roaming\sclpn.dll",Init) -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\Run : dredt ("C:\Windows\System32\rundll32.exe" "C:\Users\Alex\AppData\Roaming\dredt.dll",set_packswap) -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\Run : btxpns ("C:\Windows\System32\rundll32.exe" "C:\Users\Alex\AppData\Roaming\btxpns.dll",Malloc) -> FOUND
    I ran the scan again but still couldn't find the files.
    I have stopped at that point and attach the latest 2 RogueKiller logs.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You still need to run Hitman and attach a new log.
     
  5. blackcat1999

    blackcat1999 Private E-2

    Hitman log attached.

    Time difference means I won't be able to post for a few hours.
    I will keep the computer running overnight and not shut it down.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You ran it, but you didn't remove what it found as I asked you to do in post #2.
     
  7. blackcat1999

    blackcat1999 Private E-2

    Hi Tim,

    Sorry, I thought, when I couldn't find the files, it was best not to proceed any further.

    Ok. I have carried out the steps in post #2 and attach the logs.

    Computer seems to be running ok, but webpages seem a bit slow to open in IE.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. It may be Outpost that is slowing you down. In any event, we can do our final cleanup.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
       related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  9. blackcat1999

    blackcat1999 Private E-2

    I haven't been able to finish the steps outlined in your last post. So I haven't made any changes since posting the log.
    The computer was used at the weekend, as normal, but then today the computer isn't booting properly.

    When the computer is switched on, it is slow to boot up, then there is the blue screen crash dump, the computer then restarts and reboots into a windows error recovery message, if I leave it to start normally it just repeats the process as above. I can restart in safe mode.

    Any suggestions?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Start up and go into safe mode. Open msconfig and disable all start up items. Try to boot to normal mode. Let me know what happens.
     
  11. blackcat1999

    blackcat1999 Private E-2

    Hi, went in through safe mode to msconfig and disabled all the start up items. Restarted comp into normal mode, took approx 3 mins to reboot, then got a windows error recovery message with different restart options, selected start windows normally and the comp goes into the reboot-blue screen-restart cycle.

    It is very odd as everything was ok on Friday; it is my parents comp and I wasn't able to finish the steps in post #8. They did report that on going to a website it kept saying that the page had expired. I don't know if that's any clue.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, it is not malware related, so I suggest you post in the software forum for additional assistance.
     
