Redirect Issue - Followed Stickied Instructions - Logs attached

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by scottfm, Sep 1, 2012.

  1. scottfm

    scottfm Private E-2

    Title says it all. Any help is greatly appreciated.

    Went through your Read-Me first instructions as well as the sticky about re-direct issues. Thanks!

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Then select the Files tab and if the below exist, click the Delete button again.



    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and also Hitman Pro and save the logs as in original instructions and attach the new logs.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:

    • the new Hitman log
    • the new RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
  3. scottfm

    scottfm Private E-2

    These registry entries were detected and removed by RK

    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

    These were not in the scan I completed today.

    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-905103851-1920345335-3012668988-1000\$e4e3ac707a36f8227fc636b4b34da446\n.) -> FOUND


    These files were detected but I'm unfamiliar with this program specifically and couldn't find a way to select them for removal. I highlighted them and hit remove and it said they were "removed."

    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND

    After running the newest version of MGtools I saved to the root folder I rebooted.

    Unfortunately I am still having the same problems. On occasion the malware will spontaneously open a new tab and load a random spammy page.

    Thank you for your quick response. When you get a chance I'd appreciate it if you could take a look at the new logs and let me know what else I should do. I only really use this machine for gaming and multimedia. I don't do any work and there's not any pictures/movies I'll miss if it might just be easier to wipe the hard drive and reinstall Windows.

    Thanks again.

    Attached Files:
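An added example, not part of this thread and not RogueKiller's or MGtools' own code: a read-only PowerShell audit that checks for the same three kinds of indicators listed in the log above (the Task Manager / Registry Tools policy values under HKCU, HKLM and Wow6432Node; a COM InprocServer32 entry registered from a $Recycle.Bin path; and Desktop.ini files in the GAC_32 / GAC_64 directories). It assumes the [...] in the log stands for the standard Policies\System key path; the regex and the report format are my own choices. Run it from an elevated PowerShell prompt; it reports and changes nothing.

```powershell
# Added example (not from the thread). Read-only audit for the indicator
# types in the RogueKiller output above. Requires an elevated prompt for
# full HKLM/HKCR visibility. Assumption: "[...]" in the log is the
# standard ...\CurrentVersion\Policies\System key.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values that lock the user out of Task Manager / regedit.
#    A value of 0 does not enforce the lock, but the value being present
#    at all is what the scanner flagged, so report it either way.
foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyValues) {
        if ($null -ne $props.$name) {
            $findings.Add("[HJPOL] $key : $name ($($props.$name))")
        }
    }
}

# 2. COM in-process servers whose (default) path lives under $Recycle.Bin,
#    the hijack pattern shown in the [HJ INPROC][ZeroAccess] line.
Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $inproc = Join-Path -Path $_.PSPath -ChildPath 'InprocServer32'
        if (Test-Path -Path $inproc) {
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            # Regex (my own): a literal "\$Recycle.Bin\" segment anywhere in the path.
            if ($server -and $server -match '\\\$Recycle\.Bin\\') {
                $findings.Add("[HJ INPROC] $($_.PSChildName)\InprocServer32 : $server")
            }
        }
    }

# 3. Desktop.ini inside the GAC directories, the two files the scanner
#    reported; these are not expected there on a clean install.
$gacFiles = @(
    (Join-Path -Path $env:windir -ChildPath 'Assembly\GAC_32\Desktop.ini'),
    (Join-Path -Path $env:windir -ChildPath 'Assembly\GAC_64\Desktop.ini')
)
foreach ($file in $gacFiles) {
    if (Test-Path -LiteralPath $file) {
        $findings.Add("[FILE] $file")
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Running this before and after a cleanup gives a quick way to confirm whether the entries the scanner deleted have come back after a reboot, which is the question being asked in this post.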

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. It should not be necessary to reinstall.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
