TechSpot

Keep getting redirected from Google

By bigdawgright
Jun 1, 2010
  1. I've tried many programs to get rid of malware but have been unsuccessful. I've attached the log from hijack this. Thank you.
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you want us to check for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    We do not 'screen' for malware with HijackThis.

    You are running both McAfee and Avast antivirus programs. Please remove one of them.
     
  3. bigdawgright

    bigdawgright TS Rookie Topic Starter

    Well it took me a while so hopefully i did it right. i've attached all of the requested logs.
     


  4. Bobbye


    Looks like you have a Rootkit.

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ===================================
    When the scan has finished, follow with this:

    Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys

    Folder::
    c:\program files\Hitman Pro 3.5
    c:\docume~1\alluse~1\applic~1\Hitman Pro
    c:\docume~1\alluse~1\applic~1\Alwil Software

    Registry::
    Driver::

    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    You have a driver running that is related to the NForce Platform Drivers & Utilities for MSI motherboard. Do you or did you have a nVidia graphics card and an MSI motherboard?

    I am having you remove Hitman Pro for these reasons:
    Yes, a few. Based on what I read and the cleaning programs I run. Others may think differently. The publisher's description is:
    While the scans with Hitman are free, removal of the malware can only be done within the 30-day trial.

    Hitman Pro (version 1 and 2) automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet:
    The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability.

    Hitman Pro is using other people's knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.

    Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer, however it does offer a free 30-day trial.

    The new version of Hitman Pro, version 3, uses:
    None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.
     
  5. bigdawgright


    I've run combofix twice now and both times it shuts down and my computer reboots. Am I doing something wrong?
     
  6. bigdawgright


    Ran combofix in safe mode and it worked. I've attached both log files.

    Yes, I do have an MSI motherboard. I have an ATI Radeon video card.
     


  7. Bobbye


    Did you realize that you are running both Avast and McAfee? You will need to remove one of them. Multiple antivirus programs actually can make a system more vulnerable as well as slow it down. Use either of the instructions below for the AV program you don't want to keep: Reboot the computer after the uninstall.

    It's possible this was the cause of the problem with Combofix. The top of the logs shows:
    This means that Avast was running and the 'Resident' is likely the McAfee Shield which should be disabled.
    ======================================
    After you have handled the multiple antivirus program problem, go ahead with this:
    Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    d:\ntglm7x.sys
    Folder::

    Registry::
    DDS::
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

    DirLook::
    C:\rei
    FileFind::
    c:\program files\Reimage
    Driver::
    SetupNTGLM7X

    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    From Prevx about SETUPNTGLM7X.SYS
    • Safety Rating: Known Malware, do not run
    • Malware Family: Part of Malware group - Polymorphic File Exploit
    • Determination: Automatically determined using Prevx centralized heuristics
    • Malware Form: EXPLOIT
    Polymorphic is not a good word to hear when it comes to malware!

    I notice this driver is on the D drive. Is that a partition or a flash drive?
    ====================
    Follow with: run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =================================
    Please leave logs with next reply.
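Both CFScripts the helper posts in this thread (the Hitman Pro script earlier and the ntglm7x.sys script just above) use the same "Section::" layout. The following dry-run reader is an added example, not ComboFix's own code and not something from the thread: it parses that layout and lists what each section would ask ComboFix to act on, so a script can be sanity-checked for a stray line outside a section or a malformed FCopy pair before it is dragged onto ComboFix.exe. The section names are the ones that appear in the thread; the sample script, file and service names inside the block are constructed placeholders.

```python
"""Dry-run reader for the CFScript "Section::" format used by ComboFix.

Added example (not ComboFix's code): parses the sections seen in this thread
and reports what each one would act on, without touching the system.
"""
import re
from collections import OrderedDict

# A section header is a bare "Name::" on its own line.
HEADER_RE = re.compile(r"^([A-Za-z]+)::$")

# Sections whose body is one entry per line (paths, service names, DDS log lines).
LINE_SECTIONS = {"File", "Folder", "Registry", "Driver", "DDS", "DirLook", "FileFind"}
# Sections whose body is "source | destination" pairs.
COPY_SECTIONS = {"FCopy"}
# Directives that take no body at all.
FLAG_SECTIONS = {"KillAll"}

# Constructed sample script; the driver, folder and file names are placeholders.
SAMPLE_SCRIPT = r"""
KillAll::
File::
c:\windows\system32\drivers\exampledrv.sys

Folder::
c:\program files\Example Tool
c:\docume~1\alluse~1\applic~1\Example Tool

Registry::
Driver::
exampledrv

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
"""


def parse_cfscript(text):
    """Parse a CFScript into an ordered dict {section: [entries]}.

    Raises ValueError for an entry outside any section, an entry under a
    body-less directive, an unknown section name, or a malformed FCopy pair.
    """
    known = LINE_SECTIONS | COPY_SECTIONS | FLAG_SECTIONS
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines separate sections and carry no meaning
        match = HEADER_RE.match(line)
        if match:
            current = match.group(1)
            if current not in known:
                raise ValueError(f"line {lineno}: unknown section {current}::")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        if current in FLAG_SECTIONS:
            raise ValueError(f"line {lineno}: {current}:: takes no entries")
        if current in COPY_SECTIONS:
            parts = [p.strip() for p in line.split("|")]
            if len(parts) != 2 or not all(parts):
                raise ValueError(f"line {lineno}: FCopy entry must be 'source | destination'")
            sections[current].append((parts[0], parts[1]))
        else:
            sections[current].append(line)
    return sections


def summarize(sections):
    """Return one line per action describing what ComboFix would be asked to do."""
    verbs = {
        "KillAll": "stop running processes before acting",
        "File": "delete file",
        "Folder": "delete folder",
        "Registry": "apply registry change",
        "Driver": "remove driver/service",
        "DDS": "remove log entry",
        "DirLook": "list directory",
        "FileFind": "search for file",
        "FCopy": "copy",
    }
    lines = []
    for name, entries in sections.items():
        if name in FLAG_SECTIONS:
            lines.append(f"{name}: {verbs[name]}")
        elif not entries:
            lines.append(f"{name}: (empty)")
        elif name in COPY_SECTIONS:
            lines.extend(f"{name}: {verbs[name]} {src} -> {dst}" for src, dst in entries)
        else:
            lines.extend(f"{name}: {verbs[name]} {entry}" for entry in entries)
    return lines


if __name__ == "__main__":
    for line in summarize(parse_cfscript(SAMPLE_SCRIPT)):
        print(line)
```

Run it on a script saved as CFScript.txt by reading the file into `parse_cfscript`; an empty `Registry::` or `Driver::` block is reported as such rather than silently dropped, which makes it easy to spot a section whose entries were lost in a copy/paste.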
     
  8. bigdawgright


    I removed avast and i've attached the logs.
     


  9. Bobbye


    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes

      :Services
      :Reg

      :Files
      C:\Program Files\Reimage\Reimage Repair\REI_AxControl.dll
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===============================
    It appears that you attempted to fix your problem by using an online automated 'fix' called Reimage. I don't know where you got the download, but you also got malware. This was on 5/28/2010. Many of the sites that offer this free download are bad sites, including the first 2 in Google search for "Reimage."

    The Directory C:\rei contains such files as:
    AVupdate.exe>> Added by the MERKUR WORM!
    HBEDV.KEY>> key for Avira Suite- AKA pirating

    Many of the entries are just logs, but unidentifiable. I don't know the consequences of what all these programs may have done to your system. But I recommend that all entries be removed, including the Directory. I can do that with script if you'd like.

    The entry you are removing in OTMoveIt above is a specific infected file from the Eset scan.
    C:\rei
    2010-05-28 23:20 . 2010-05-28 23:20 -------- d-----w- c:\program files\Reimage
     
  10. bigdawgright


    I've attached the OTMoveIt3 log. Also, if you could get me the script to remove the ReImage stuff I'd appreciate it. Thank you.
     


  11. Bobbye


    To clear the Java Plug-in cache:

    1. Click Start > Control Panel.
    2. Double-click the Java icon in the control panel. The Java Control Panel appears.
       [image]
    3. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    4. Click Delete Files. The Delete Temporary Files dialog box appears.
       [image]
       There are three options on this window to clear the cache. Check all.
       • Delete Files
       • View Applications
       • View Applets
    5. Click OK on Delete Temporary Files window.
       Note: This deletes all the Downloaded Applications and Applets from the cache.
    6. Click Apply > OK on Temporary Files Settings window.
    Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
    ======================================
    Custom Script

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    C:\Program Files\Reimage\Reimage Repair\REI_AxControl.dll

    Folder::
    C:\rei
    c:\documents and settings\Michael Ayotte\Local Settings\Application Data\dmwagpwle
    c:\program files\Ask.com
    c:\program files\Reimage
    Registry::

    Driver::

    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Follow with Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave both logs in next reply.
     
  12. bigdawgright


    I've attached the latest ComboFix and Eset logs.
     


  13. Bobbye


    Sorry- my mail replies got inverted!

    Someday, you will realize why we recommend removing P2P programs:
    c:\\Program Files\\LimeWire\\LimeWire.exe
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    You never did tell me what problem you were having! So I'll just ask if they have been resolved. If they have, go ahead with the following:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you need more help.
     
  14. bigdawgright


    I've removed Limewire. Thanks for the advice. I knew it was bad but I didn't realize it was that bad.

    My original problem is gone (getting redirected Google searches).

    Thanks for all of your help. I've learned a lot from the process.
     
  15. Bobbye


    You're welcome. Sometimes the file sharing lesson can be a hard one to learn!
     
Topic Status:
Not open for further replies.
