TechSpot

Redirected searches (yeah, again)

Inactive
By mikelorus
Feb 6, 2010
  1. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Still getting pop-ups, haven't gotten any redirections yet.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    We may be getting somewhere then :)

    Can you check, if pop-ups happen in IE as well.
    Do pop-ups happen, only, when you actually use Firefox, or even with FF closed?
    Do you have pop-up blocker enabled?

    Close Firefox. Go Start>All Programs>Mozilla Firefox, click on Mozilla Firefox (safe mode). Still pop-ups?
     
  3. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Got a popup in IE

    Pop-ups only occur when firefox is open

    I have a popup blocker enabled, but I don't know if it's doing its job correctly.

    Got a popup in safe mode.

    Is a new tab still considered a popup? They are kind of infrequent but noticeable still.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,156   +264

  5. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    still occasionally getting popups, but I guess it's not really a big deal.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Delete broni.com, download fresh copy of Combofix and give me new log.
     
  7. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Here's a fun new wrinkle, it says it cannot be saved because an unknown error occurred, and that I should try to save it in a different place. I can't save it to my desktop or anywhere.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Rename it to broni.com again BEFORE saving it to your desktop.
    Something is still hiding there.
     
  9. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    I had to run it in safe mode to get it to work
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    c:\documents and settings\Michael\Local Settings\Application Data\iohecvqxg
    
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  11. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    There we go, ran it in safe mode again.
     

    Attached Files:

     
  12. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    What about pop-ups?
     
  13. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Still there >.>
     
  14. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Those pop-ups are present in Firefox only, correct?
    When removing Firefox, are you sure, you completed 100% of all steps listed here: http://kb.mozillazine.org/Uninstalling_Firefox?
    It was important to remove all traces of FF. Simple Add\Remove won't do.

    Update Malwarebytes and run fresh scan.

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

    Download FoxScan from HERE, or HERE
    Double click on FoxScan.exe to start the scan.
    DOS-like window will pop-up.
    Press 2 for English. Press Enter.
    Be patient. It'll take few minutes.
    When the tool is done, it'll display:

    Search completed.
    Press any key to coninue...


    Press any key.
    Notepad window titled Rapport-FS.txt will open.
    Save the file to known location, and attach it to your next reply.
     
  15. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Can't download Foxscan, in the meantime I'll reinstall firefox again.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,156   +264

  17. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Reinstalled firefox again, Foxscan said
     

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    How is redirection?
    I don't understand something.
    Since you just performed clean FF install, how come you have all those add-ons already?
     
  19. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    I used Mozbackup. Was I not supposed to backup addons? I have had all of them for a long time before I started having problems and I haven't gotten any since.
    Redirection seems to be better, popups occasionally though.
     
  20. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    ...and you sure, initially, you removed all FF traces following my link?

    Update Malwarebytes and run new scan.
    This time, run "full scan" instead of "quick scan".
    Post the log.

    Also...

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    Print these instructions out.

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
        o Close browsers before scanning.
        o Scan for tracking cookies.
        o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
        o Click Preferences, then click the Statistics/Logs tab.
        o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
        o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
        o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
     
  21. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Wtf this is getting out of hand. My computer now sometimes starts with internet connection, and sometimes does not. Other computers are still connected, and I have tried everything I know of to restart internet on the infected computer. I know the wire still works. Also, every time I restart the themes are reset. Do you think I have a little bit more than malware on my computer?

    I'll post the HJT and anti spyware results as soon as my computer starts with working internet.
     

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    I still want to see fresh Malwarebytes log.
    Judging from Super log, you got reinfected.
    Is it legit game, or some late torrent download?
     
  23. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Ugh sorry for being such a pain =.= I really appreciate the help and generosity.

    The game is the real game, I've had it since pretty much when the game came out.
     

    Attached Files:

  24. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    All is cool. Don't worry about it :)

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    =======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  25. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    I had to run combofix in safe mode to get it to work (it blue screened otherwise) I hope that's okay.
     

    Attached Files:

Topic Status:
Not open for further replies.

