[Pirated OS] System Check malware

Inactive
By Donjohnny
Mar 27, 2012
Topic Status:
Not open for further replies.
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I can't get consistent information on the dot com domain name you gave me. You are not describing a typical redirect. You can reset the browsers.

    Clarifying this:
    If you have a Windows operating system, Internet Explorer is the default browser. If you would rather that Firefox be the default browser, you would do this:

    Launch Firefox> Click on Tools> Options> Advanced> General tab> System Default section> Check "Always check to see if Firefox is my Default browser"> Press "Check Now"> it will say something like "Firefox isn't the default- would you like it to be?"> Check 'Yes.'

    Then open Internet Explorer> Tools> Internet Options (or you can access Internet Options without using IE by going to the Control Panel> Internet Options)> Programs tab> Uncheck "Internet Explorer should check if it's the default browser"> Then click on Apply> Okay.

    Reboot the computer

    Now that you have made Firefox the default browser, any time you click on a link, it will open in Firefox.

    See if that helps. If it does, I have one more step.
  2. Donjohnny

    Donjohnny Newcomer, in training Topic Starter Posts: 37

    I followed your instructions and made Firefox the default browser, then I did some Google searches to test it out.
    I did the same search in Firefox, IE and Chrome. I tried to click on the same links in every search. During each search I clicked on 3 links and below is what they did.


    IE with Google.
    Clicked on a link the address bar said coachleather.com then loaded click.get-answers-fast.com
    Clicked on a link the address bar said coachleather.com then loaded click.expandedsearchanswers.com.
    Clicked on a link the address bar said coachleather.com then loaded the Google link address but failed to load page

    IE Yahoo
    Clicked on a link the address bar said coachleather.com then loaded another page that then redirected me to a third page. I closed out because I was concerned about additional viruses
    The same happened for the second link I clicked on.
    The third link actually loaded what I clicked on.

    Chrome Google
    Clicked on a link the address bar said search.zoyco.com then loaded beesq.net
    Clicked on a link the address bar said search.zoyco.com then loaded indexerq.net
    Clicked on a link the address bar clicks.the special search.com then loaded dsnextgen.com

    Chrome Yahoo
    First link loaded just fine.
    Second link loaded just fine then Chrome crashed.
    Third link the address bar said arb I did not catch the rest then it loaded another page (not the one I clicked on.)

    Firefox Google
    First link address bar said youngestangels.com then started to load the correct link, then it read youngestangels.com then reloaded the Google search.
    Second and third link did the same.

    Firefox Yahoo
    First, second and third link loaded properly.
    As I was typing this on a second computer Firefox crashed.

    When I start up Word I get the notice "The add-in template is not valid. (C:\Program Files\...\$FMaker.dot)"
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    This is caused by a corrupt Office Document Template trying to load either when you start Windows, when you start MS Office, or when a document requests a virus scan and you have Norton installed.

    Click Start> All Programs> point to Startup. If ~$FMaker.dot is present in the Startup folder, right click on it and choose "Delete".

    If you don't find it the above way:

    Navigate to C:\Program Files\Microsoft Office\Office\Startup. Do you see ~$FMaker.dot in that folder? If so, do the right click> Delete

    I don't think this is related to the redirect>>>unless the malware has corrupted something in the browser. I'll help you work on that tomorrow.
  4. Donjohnny

    Donjohnny Newcomer, in training Topic Starter Posts: 37

    I deleted FMaker.dot and now get no warning from Word on start up.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay! That is good news!

    Are you still getting the redirects? All browsers? How often?
  6. Donjohnny

    Donjohnny Newcomer, in training Topic Starter Posts: 37

    A little after starting the following message pops up in a warning box with the Java logo: “Jusched.exe has encountered a problem and needs to close. We are sorry for the inconvenience.”

    I could not get Flash to update; it said that the installer failed.

    About half of my clicks off of search engines were redirected. This happens with all browsers and Bing, Google, and Yahoo. Google Images will not load more than the first set of images, however all other search engines loaded images just fine.
    I have attached an example of a redirect below.

    Edit: Search redirect hyperlinks have been deleted by Bobbye.

    I also get random pop up ads in Internet Explorer even if I am just on TechSpot. This does not happen all the time.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Unless we can get something to run that will remove the malware, your only option will be to do a reformat/reinstall.

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    This tool will is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows is it?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    ================================================
    Download Security Check by screen317 and save to the desktop
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document called checkup.txt should open automatically.
    • Please post the contents of that document.
    ===============================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================

    I see some processes for Daemon running. You were supposed to remove it.
  8. Donjohnny

    Donjohnny Newcomer, in training Topic Starter Posts: 37

    I am not proud to admit this but my system is bootlegged (the computer was a gift from the previous owner's widow). I am unable to get the copy he had. Bootlegged systems are a pain, I will never own one again. Do you have an alternative to the first step?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I had a feeling that the system wasn't legitimate. With all I had you run, if the system had had a legitimate license and been properly validated, it would have been clean.

    I do not support piracy. The fact that you knew this and continued to ask for my help for a month is very disturbing.

    This thread is closed. It will NOT be reopened.