TechSpot

Pop Ups and Redirecting

By GearsPlayer211
Feb 19, 2010
Topic Status:
Not open for further replies.
  1. Hi techspot, All of a sudden now when I visit the normal sites I visit everyday like xbox.com or youtube or any other, a pop up comes up and says congrats you won, or I get redirected. I don't know what to do, so hopefully someone can possibly help me. My Kaspersky isn't finding anything.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you would like us to check the system for malware, please follow the preliminary virus and malware removal steps HERE.

    Be sure to check the lines in Malwarebytes and Superantispyware to remove the entries found.

    Do not remove any entries in the HijackThis log. We will help with that.

    Attach all 3 logs to your next reply for review.
  3. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    Here are The Logs

    Here are the logs; hopefully this will help. Thank you very much.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    We have some work to do!
    Important! While the process is going on, please do not use any other programs unless I instruct you to. Turn off automatic updates. Do not install or uninstall any programs unless instructed.

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run> Copy and Paste the following text into the prompt:

    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
      [image not shown]
    • When its work is over, upon detection of malicious services and files the utility prompts for a reboot to complete the disinfection. Please reboot when prompted
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
      [image not shown]
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).

    Follow the prompts and attach the report to your next reply.
  5. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    What should I do now? When I enter it into the Run prompt, the program says "Utility doesn't support x64 operating system"
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry- I missed the 64 bit. I don't know of a similar program for the 64 bit OS. We can try the following. I'm using the HijackThis log, which also isn't good for the 64 bit OS.

    I'd like to ask a question though: at what point was this system worked on by the Geek Squad? Is this your personal computer or are you working on it for someone else? We offer free help for home computers, but personally, I'm not big on solving problems that others are going to get paid for! What you don't see is that the Geek Squad leaves its tracks:
    O23 - Service: GSRestartSvc - Unknown owner - C:\ProgramData\Geek Squad\Custom\GSRestartSvc.exe (file missing)

    Please reopen HijackThis to 'do system scan only.'. Check the following if present: Note: Don't click on Fix Checked until all the entries have been checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - MRI_DISABLED - (no file)
    O4 - HKCU\..\Run: [fuserepiv] Rundll32.exe "c:\progra~3\jomuhuha\jomuhuha.dll",a
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C2370A83-364F-4105-905A-275EB21DFC24}: Domain = domain.invalid
    -------there are 34 of these entries. They are identical except First has CCS>>>>>>>> Last has CS33----
    -------------------------Check each one---------
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: GSRestartSvc - Unknown owner - C:\ProgramData\Geek Squad\Customizer\GSRestartSvc.exe (file missing)


    Close all Windows except HijackThis and click on "Fix Checked."
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Click on start> Run> type in services.msc> double click on each of the following Services and change the Startup type to Disabled> Stop the Service:
    GameConsoleService
    GSRestartSvc

    Exit Services

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.

      Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install Recovery Console, allow
    • If prompted to update, do so.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Rescan with HJT and leave a new log, along with Combofix report and Eset log
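    As an added illustration, not part of this thread or of HijackThis, ComboFix or the other tools named in it: a small Python triage script that reads HijackThis-style log lines (a constructed sample modelled on the entry types quoted above, not a real scan) and flags the same kinds of items Bobbye asked to check, then counts how many control sets carry the same O17 interface setting. The flagging rules, the sample values and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample log in HijackThis format, modelled on the entry types quoted in
# the thread (not a real scan). Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O4 - HKCU\..\Run: [fuserepiv] Rundll32.exe "c:\progra~3\jomuhuha\jomuhuha.dll",a
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Example AV\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2370A83-364F-4105-905A-275EB21DFC24}: Domain = domain.invalid
O17 - HKLM\System\CS33\Services\Tcpip\..\{C2370A83-364F-4105-905A-275EB21DFC24}: Domain = domain.invalid
O23 - Service: GSRestartSvc - Unknown owner - C:\ProgramData\Geek Squad\Customizer\GSRestartSvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\GameConsoleService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")  # "O4 - ..." / "R1 - ..."
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")      # interface GUID inside an O17 key


def triage(log_text):
    """Return (section, reason, line) for entries a reviewer should look at first.
    Rules mirror what was flagged above: rundll32 loading a DLL from ProgramData at logon
    (progra~3 is the 8.3 short name of ProgramData), per-interface DNS domains, services with no binary."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        if section == "O4" and "rundll32" in low and ("progra~3" in low or "programdata" in low):
            findings.append((section, "rundll32 loading a DLL from ProgramData at logon", line))
        elif section == "O17" and "domain =" in low:
            findings.append((section, "per-interface DNS domain set", line))
        elif section == "O23" and "(file missing)" in low:
            findings.append((section, "service points to a missing binary", line))
    return findings


def o17_by_interface(log_text):
    """Count O17 entries per interface GUID: the same GUID under CCS and CS33 means the
    setting is stored in several control sets, so every copy needs checking, not just the first."""
    counts = Counter()
    for line in log_text.splitlines():
        g = GUID_RE.search(line)
        if line.strip().startswith("O17 - ") and g:
            counts[g.group(0)] += 1
    return dict(counts)
```

Benign lines in the sample (the IPv6 localhost hosts entry, a normal antivirus Run entry, a service whose binary exists) produce no finding, which is the point of keeping the rules narrow.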
  7. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    No this is my personal computer, I used their online chat and asked them questions they never worked on it
  8. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    Combofix Not Working

    I disabled virus protection and Windows Defender and it says Combofix doesn't work for Windows Vista 64 bit system, and I searched the internet for Combofix Vista and they all say Combofix can corrupt CPU. I don't know what to do. I checked the boxes for HijackThis and fixed them and ran in safe mode and disabled those services. Should I go ahead with that next Virus Scanner you provided me with after Combofix?
    Thanks
  9. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    ESET and New Hijack this Logs

    Here are new logs

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    HijackThis just isn't going to work: Let's do this and see what you have. The entry in the Eset log shows a very nasty TrojanClicker. I can try to move it but I'm not sure this works with 64 bit either:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes

      :Services

      :Reg

      :Files
      C:\Users\Owner\AppData\Local\VirtualStore\Windows\SysWOW64\net.net

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    This will work with 64 bit in place of HJT. Hold on Combofix until I can check on it.
    Please download OTS to your Desktop
    • Close all other programs.
    • Double-click on OTS.exe to start the program.
    • Check the box that says Scan All Users
    • Under Additional Scans check the following:
      [o] Reg - Shell Spawning
      [o] File - Lop Check
      [o] File - Purity Scan
      [o] Evnt - EvtViewer (last 10)
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    Attach the report in next reply.
  11. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    Here are those two logs

    Attached Files:

  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Are you still having the same problems as you did originally? If anything is different, please let me know. I'm going to ask Broni to look at your logs and see if he knows what else can be run on the 64bit OS.
  13. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    Things are running a lot better, no more redirecting and pop ups. Just want to make sure nothing else is on here, that's all. Thanks for all your help.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'd still like Broni to check your logs. The Event Viewer isn't working- may be system, not malware.
  15. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    And also I just did a Malware Bytes scan and found TDS Rootkit again
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Under the Standard Registry box change it to All.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  17. GearsPlayer211

    GearsPlayer211 TS Rookie Topic Starter

    Here are those two Logs

    Attached Files:
