Please help!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Divalish, Jul 9, 2007.

  1. Divalish

    Divalish Private E-2

    Hello there! I've gone through all of the steps of the malware removal guide and some of the alternative options and I still can't log into google.com, do searches, etc. I'm on a laptop that I use for work so I'm in dire need here! Thanks in advance, I know you guys do good work!!!
     

    Attached Files:

  2. Divalish

    Divalish Private E-2

    Here are the rest of the logs for my scans...
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You forgot to attach the log from AVG Antispyware.

    I assume you meant you cannot connect to www.google.com not log into it?

    Are you using www.google.com or are you using google.com?
    Try putting the following into the address bar: http://64.233.161.99
    And then hit return or the Go button.
    What happens?


    Your logs don't really show anything that could be causing this so it could just be something at your end that is blocking it. I do have a few things that you should do.

    First you need to install and rename HijackThis as requested in the READ ME since it will not effectively detect some new malware unless you do this. Please do this now.

    Then I highly recommend that you uninstall and never use Messenger Plus! Live which is the cause of many thousands of PCs being infected with malware. And this latest version is even causing Virtumonde infections. This was mentioned in the uninstall list given in step 0 of the READ ME.

    Is your copy of Spy Sweeper a paid version or a free trial version? If free, you should uninstall it as it will not fix anything for you and will just slow your PC down.

    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
      • It will create a folder named HostsXpert in whatever folder you extract it to.
      • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
      • Click the X to exit the program
    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\ldr1F.tmp

    Also while in safe mode, locate the below file and rename it (right click on it and select Rename) to rspsc32.sys.bak
    C:\WINDOWS\system32\drivers\rspsc32.sys

    Now reboot in normal mode

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
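
The three HijackThis lines selected in the post above can be picked out of a full log mechanically. This is an added example, not part of the original post and not HijackThis code: it parses R0/R1 and O2 lines and flags, for review, start pages whose host is not on an analyst-supplied list and BHO registrations whose file is missing. The names `triage` and `expected_hosts` and the fourth sample line are assumptions made here.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the three lines quoted in the post, plus one BHO line
# with a file present (invented here for contrast).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

# R0/R1: "<section> - <hive>\<key path>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+),(.+?) = (.*)$")
# O2: "O2 - BHO: <name> - {CLSID} - <file path or '(no file)'>"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def triage(log_text, expected_hosts):
    """Return a list of findings worth a human look.

    expected_hosts is the analyst's own set of acceptable start-page hosts
    (an assumption of this example, not something HijackThis provides).
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            hive, value_name, data = m.group(2), m.group(4), m.group(5)
            host = (urlparse(data).hostname or "").lower()
            if value_name == "Start Page" and host not in expected_hosts:
                findings.append(("start-page", hive, host))
            continue
        m = O2_LINE.match(line)
        # A BHO whose DLL is gone is a leftover registration with nothing behind it.
        if m and m.group(3) == "(no file)":
            findings.append(("orphan-bho", m.group(2), m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"www.majorgeeks.com"}):
        print(finding)
```
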
     
  4. Divalish

    Divalish Private E-2

    Hey there, thanks a bunch.

    Not done yet. I have no log to attach for avg antispyware. Even though I selected the option to produce a log after every scan, there are no reports. And I literally can't log into google. I always use www.google.com and when I try to log in to check my mail, IE tells me that the certificate is not valid and not to proceed. Blocked. When I try to search from the site, it gives me a bunch of garbage (invalid search results to various other search sites) and the same thing happened when I used the IP address you gave me.

    But in the meantime, I'll complete the rest of the stuff you suggested. This was just an FYI for clarity's sake.
    Until the next...
     
  5. Divalish

    Divalish Private E-2

    Hello once again.
    I couldn't find the following file:
    I have also attached the files you requested. I also installed IE 7 w/ SP2 and still have the google issue. :cry
    This is a copy of what it says when I try to login:

    There is a problem with this website's security certificate.

    The security certificate presented by this website was not issued by a trusted certificate authority.
    The security certificate presented by this website has expired or is not yet valid.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
    We recommend that you close this webpage and do not continue to this website.
    Click here to close this webpage.
    Continue to this website (not recommended).
    More information


    If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
    When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
    If you choose to ignore this error and continue, do not enter private information into the website.

    For more information, see "Certificate Errors" in Internet Explorer Help.

    Other than this, the scans ran smoothly. Frustrating though it is, I really appreciate your help. Thanks
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run ATF-Cleaner exactly as requested? It does not look like it. I see files from as far back as June 1st in your C:\Documents and Settings\Monumental Records\Local Settings\Temp\ folder, which should have been emptied if you ran ATF-Cleaner.

    I still see Messenger Plus! Live installed! Does this mean that you are not going to uninstall this purveyor of malware?

    My point was about the wording! You say login. Do you mean login or do you mean connect? You don't need to login at www.google.com. It is just a URL to Google's main page and does not require a login so I'm trying to find out exactly what you are talking about.

    If you are talking about logging into email at google then that is something totally different and has nothing to do with being unable to connect to www.google.com.

    So just directly answer the below question:

    Does your browser allow you to connect to www.google.com?


    Certificate problems are more than likely not malware problems. You probably have a corrupted certificate. Perhaps you should read thru the below and see if anything there helps you:

    http://www.us-cert.gov/cas/tips/ST05-010.html


    You could also try doing the below!
    • Check and make sure your clock is correct.
    • In Internet Explorer, on the Tools> Internet Options> Content tab
    • In the next window titled Certificates, notice the left and right little arrow buttons ( < > ) to the right of all the tabs
    • Click the right arrow until you see the Untrusted Publishers tab
    • You should see something like below:
    http://www.askdavetaylor.com/0-blog-pics/internet-explorer-certificates.jpg


    You should see the publisher listed that's causing you such problems (i.e. something from Google). I only have the above in my window. Just delete the entries here from Google by clicking on each one to select it, then clicking "Remove". Quit/Exit ALL browser sessions. Now restart. How are things now?
     
    Last edited: Jul 11, 2007
  7. Divalish

    Divalish Private E-2

    Hi there!
    I ran the ATF Scan exactly as indicated. It was the easiest one since no install, select all and run! There isn't a way to mess that up so I don't know why it didn't pick up on that errant file.

    I just installed msn plus the same day that I posted for help, so I have uninstalled as per your advice. Forgot about that one! The issues are pre-existing.

    I can connect to the google website. I cannot do a search that will return valid google entries. What I get is a results page containing a bunch of links to shop for whatever (i.e. shop for "fix internet explorer", buy "fix internet explorer", etc.). Each time I proceed to the next results page, it adds slashes:
    (i.e. Pg 1 search box on google = fix \"internet explorer"\
    Pg 2 search box on google = fix \\"internet explorer"\\
    Pg 3 search box on google = fix \\\"internet explorer"\\\
    Pg 4 search box on google = fix \\\\"internet explorer"\\\\)
    Also, the results pages look fake (16 color as opposed to the crisp raised lettering)

    When I attempt to log in to google for the purpose of checking my email, that is when I get the error message and I can't log in. This is as much a problem if not more so than the search issues. I can't access my mail on this laptop.

    I followed your advice re: the certificates. I can't find anything at that web site that was in any way helpful. Educational, not helpful. I looked in the Certificates window as you suggested and my untrusted publishers tab is identical to your screenshot.

    Please help meeeee!!! :cry :cry
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure that your problems are due to malware but let's run the below since this infection has been known to cause problems with Google Searches.

    Run this WareOut Removal and attach the log. Let me know if there are any changes.


    Have you tried using another browser like Mozilla Firefox?
     
