Search re-direct virus hard to kill

Discussion in 'Malware Help (A Specialist Will Reply)' started by Orange Blood, Nov 15, 2010.

  1. Orange Blood

    Orange Blood Private E-2

    The virus puts a text entry box on a new IE tab. If used for a search, it gives questionable results. No other system damage that I can tell, but I want it gone anyway.

    I carefully went through the READ ME FIRST material, and the logs are attached.
     


  2. Orange Blood

    Orange Blood Private E-2

    Attached is the last required log file. And I'm attaching a Windows error message that I get every time I resume from Standby. Windows reports a blue screen of death and says it recovered from that--please see file.

    Thanks for any help you can provide!
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Attach the sas log.
    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Run this and attach the results.

    Using ESET's Online Scanner

    How are things running now?
     
  5. Orange Blood

    Orange Blood Private E-2

    Thanks for the help. I completed all the suggested steps. Sadly, the problem remains. It has the same symptoms: when you click to open a new tab, it presents an alternative / undocumented search engine.

    Attached is the SAS log. I did receive a success message after running the fixme.reg file. Then used ESET online scanner--log file attached. It eliminated 2 threats, but again, the unwanted search engine remains embedded in IE.

    Any ideas on what to try next? Thanks again for your advice!
     

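The thread so far is about an unwanted search engine that keeps coming back in IE. An added example, not from the thread and not one of the tools the helper asked for: a PowerShell audit of where Internet Explorer stores its search providers (the SearchScopes keys, with DefaultScope naming the one in use) and its start/search pages under ...\Internet Explorer\Main, flagging any entry whose host is not on an allow-list. The registry paths are IE's documented ones; the allow-list is an assumption to adjust for your own environment. It needs PowerShell 3.0 or later.

```powershell
# Added example, not part of the thread: audit IE search providers and
# start/search pages and flag anything pointing off an allow-list.
# Registry locations are IE's documented ones; the allow-list is an assumption.

$AllowedHosts = @('www.bing.com', 'www.google.com', 'go.microsoft.com')  # assumption: edit for your site

function Get-UrlHost {
    param([string]$Url)
    if (-not $Url) { return $null }
    try { return ([uri]$Url).Host } catch { return $null }
}

function Get-IESearchScope {
    # Each provider is a GUID-named subkey holding DisplayName and URL;
    # DefaultScope on the parent key names the provider IE actually uses.
    foreach ($root in 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
                      'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes') {
        if (-not (Test-Path $root)) { continue }
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            $h = Get-UrlHost $p.URL
            [pscustomobject]@{
                Root        = $root
                Guid        = $key.PSChildName
                DisplayName = $p.DisplayName
                URL         = $p.URL
                IsDefault   = ($key.PSChildName -eq $default)
                # No parsable host, or a host outside the allow-list, is worth a look.
                Suspicious  = (-not $h) -or ($AllowedHosts -notcontains $h)
            }
        }
    }
}

function Get-IEStartAndSearchPage {
    # Classic hijack targets under ...\Internet Explorer\Main.
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (-not (Test-Path $main)) { return }
    $p = Get-ItemProperty -Path $main
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page', 'Default_Search_URL') {
        $value = $p.$name
        if ($null -eq $value) { continue }
        $h = Get-UrlHost $value
        [pscustomobject]@{
            Value      = $name
            Data       = $value
            # about: pages (about:blank, about:Tabs) are built in; anything else must be allow-listed.
            Suspicious = ($value -notmatch '^about:') -and ((-not $h) -or ($AllowedHosts -notcontains $h))
        }
    }
}

Get-IESearchScope        | Format-Table -AutoSize
Get-IEStartAndSearchPage | Format-Table -AutoSize
```

Run it in the affected user's session (the HKCU keys are per user). A provider that is IsDefault and Suspicious is the one the new-tab search box is using; note its GUID and URL before removing the subkey so the cleanup can be verified afterwards.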

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Does the same thing happen in Safe mode?

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  7. Orange Blood

    Orange Blood Private E-2

    I don't seem to have a safe mode. :( Here are my choices on boot-up.

    1) Microsoft Office Recovery Console
    2) do not select this [debugger enabled]
    3) Windows XP Home Edition

    The registry edit was successful.

    The 2 scan output files are attached.

    Thanks for hanging in there!
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try tapping F8 quite fast and repeatedly during boot up until you see a black screen with white writing, where safe mode will be one of your options. So let me know if it still occurs in safe mode with networking.

    C:\Documents and Settings\Craig Daugherty\Desktop\Shortcut to MGtools.exe.lnk <--- You can delete this, as you should not be running it via the shortcut anyway.

    Tell me the contents of this directory
    We need to run an OTL Fix

    • Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
    • Copy and paste the following code into the textbox (the screenshot is not reproduced here). Do not include the word Code
    Code:
    :otl
    @Alternate Data Stream - 2628 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
    
    :files
    C:\Documents and Settings\All Users\Application Data\Viewpoint
      
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

    In Internet Explorer, go to Tools > Manage Add-ons (as shown in the screenshot) and let me know if you see anything unusual.

    Run this:

    Running Kaspersky Online Scanner

    Is it still happening?
     

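The OTL fix in the post above deletes two alternate data streams and resets the hosts file. As an added example, not from the thread and not part of OTL: a PowerShell script that lists the alternate data streams on the paths that fix names and reports hosts-file entries beyond the loopback defaults, so the same findings can be checked before and after a fix. It needs PowerShell 3.0 or later for the -Stream parameter (Windows XP's PowerShell 2.0 lacks it; Sysinternals streams.exe is the alternative there). The target paths are the ones from the fix above, written with environment variables; replace them with your own.

```powershell
# Added example, not part of the thread: enumerate alternate data streams (ADS)
# on given paths and flag non-loopback hosts-file entries. Target paths come from
# the OTL fix in the post above; PowerShell 3.0+ required for -Stream.

$Targets = @(
    "$env:SystemRoot\System32\OEMLOGO.BMP",
    "$env:ALLUSERSPROFILE\Application Data\TEMP"
)

function Get-AlternateDataStream {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Every NTFS file has the unnamed ':$DATA' stream; any other stream is an ADS.
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $_.FileName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

function Remove-AlternateDataStream {
    # Removes only the named stream; the file's main content is untouched.
    param([string]$File, [string]$Stream)
    Remove-Item -LiteralPath $File -Stream $Stream -ErrorAction Stop
}

function Get-SuspiciousHostsEntry {
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    $loopback = '127.0.0.1', '::1'
    Get-Content -LiteralPath $hosts | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $fields = $_ -split '\s+'
            # Anything other than a loopback mapping for localhost is reported
            # (a hijacker commonly redirects search or AV update hosts here).
            if (-not ($loopback -contains $fields[0] -and $fields[1] -eq 'localhost')) { $_ }
        }
}

Get-AlternateDataStream -Path $Targets | Format-Table -AutoSize
Get-SuspiciousHostsEntry

# After reviewing the output, delete a specific stream by name, for example
# (stream name taken from the fix above):
# Remove-AlternateDataStream -File "$env:SystemRoot\System32\OEMLOGO.BMP" -Stream 'Q30lsldxJoudresxAaaqpcawXc'
```

Listing is read-only; removal is a separate call so that nothing is deleted until the stream name and size have been looked at. A small ADS on a directory such as TEMP is often just a leftover marker and not by itself proof of infection, which is why the listing shows the byte count.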

