[Resolved] Ccleaner/ Redirect problem...

Smallz
So I am currently working my way through the 8-step guide for malware removal, and at step 2, regarding the use of CCleaner, I'm unsure what this will actually do. I looked at the summary results and in the Windows Explorer - Recent Documents tab there are about 190 files that it suggests I delete... now, will this delete the actual file? For example, a Word doc that is listed there? There are a few listed that I need to keep, or that belong to the other user of this computer.

Also, I saw another thread that suggested not using CCleaner at all... what's my best option?
 
Also, I may as well add what I have in the way of logs.
I'm not the only user of this computer; my dad is the primary user, as well as my brother, who started using it in the last couple of weeks, and that's when I started noticing problems, more so in the last 2 or 3 days, mostly with Google redirecting and opening up a new window when a search item is clicked.

Also, I have yet to run CCleaner fully, as I am unsure what precautions to take.

Thanks.
 

Attachments
  • hijackthis.log (9.2 KB)
  • SUPERAntiSpyware Scan Log - 03-25-2010 - 05-17-08.log (5.2 KB)
  • mbam-log-2010-03-25 (02-34-30).txt (1.6 KB)
Some of us prefer TFC- Temporary File Cleaner instead of CCleaner. Please run that as you have many temp files:

TFC (Temp File Cleaner)

Download TFC to your desktop.
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

When you have finished with TFC:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double-click on the setup file on the desktop to run it.
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: if the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow it.
  • Click on Yes to continue scanning for malware.
  • When finished, it will produce a log. Please include C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Leave the ComboFix report in your next reply. There is evidence of an autorun infection. I'll check the logs while you do that.
 
I tried to save ComboFix as Combo-Fix(.exe), but after it seemed to be running for a while it stopped and came up with a warning about ComboFix not being affiliated with a couple of sites and asked if I wanted to continue. Then it stated I could not change the name to Combo-Fix(.exe) and to try another name using alphanumeric characters.
 
I ran ComboFix and it rebooted my computer twice. After the second reboot it came up saying it was preparing a log report, but it now seems to have stalled. The window with that message is still up and nothing is happening...
 
Your searches are being hijacked and sent through a site in the Ukraine. It's a DNS Changer malware infection.

Do you want to continue?
 
Yes I do.

Regarding ComboFix: my computer shut down. So I started it back up and Google seems to be running OK now. Also, my antivirus has downloaded its update, which I wasn't able to do before, and Windows Installer is updating now automatically too. I looked for a log report for CF but could not find one.
 
I renamed it when I first installed it, and it stopped running and said it couldn't be renamed. When it stopped I double-clicked the icon again and it ran. It was after the second reboot, after it deleted files and was preparing the log, that everything seemed to freeze.
 
So I tried to download CF again, renaming it as Combo-Fix(.exe) before download, and when I click to start it, it says it cannot be renamed as this and to try renaming it something else using alphanumeric characters, and it changes its name back to ComboFix on the desktop...

Any ideas?
 
You're bumping the thread because I haven't finished you in a day???! I help others also- did you think otherwise?

Uninstall ComboFix and all backups of the files it deleted:
  • Click START > then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.

When finished, attempt the download again.

Run a new HijackThis scan and leave the new log.

Do NOT bump this thread again unless 72 hours have passed with no reply.
 
Yo, I didn't mean anything by bumping the thread. I'm fully aware that you help others on this forum. I don't expect to be helped, finished or anything in a day or less, or a week or more. I'm completely grateful for the help you offer and are giving... it was nothing more than a friendly bump... didn't mean to piss you off in any way. 72 hours it is...
 
Here's my new HijackThis log.

I downloaded ComboFix as instructed, but when I try to run it I get this error message:

"You cannot rename ComboFix as Combo-Fix(.exe)

Please use another name, preferably made up of alphanumeric characters"
 

Attachments
  • hijackthis.txt (8.5 KB)
If your original problems have been resolved, skip ComboFix. The HJT log looks fine. Just run an online AV scan to make sure we haven't missed anything:

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
If log is clean, I'll have you remove the cleaning tools and old restore points.
 
Thank you.

Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Program Files\RegiCleanse System Optimizer\RegiCleanse.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

See if you can get this program to work after you finish with OTM:

Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
Ran OTM, here's the log.

The page for the SDFix download was not available.
 

Attachments
  • 03272010_184934.log (5.5 KB)
Since this is your dad's computer, he may want to handle this:
DNS Changer
You will need to do a DNS flush, then reset your router.
Start > Run > type cmd > Enter > at the C: prompt type ipconfig /flushdns (note the space before the /)

Exit the command prompt when finished and shut the system down.

  1. Shut down your computer, and any other computer connected to your router.
  2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  3. Unplug the router. Wait sixty seconds.
  4. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  5. With the router unplugged, start your computer. Run MBAM again.
  6. Connect to the router again. Then turn the router back on.
  7. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the router configuration page and re-enter your authentication information.
  8. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
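A way to check for yourself, after the flush and router reset, whether the machine is still pointed at resolvers outside your own network. This is an added example and not part of the original thread or any of the tools it names: it parses `ipconfig /all` output (a constructed sample is embedded, using RFC 5737 documentation addresses as stand-ins for whatever a DNS Changer infection might have configured) and reports any DNS server that is not on a private or local range. The function and network list names are this example's own.

```python
"""Flag DNS servers a Windows host is using that are not on the local network.

Added example, not from the original thread.  A DNS Changer infection (or a
rewritten router setting) typically leaves the machine or router pointed at
resolvers on the public internet instead of the home router, so after
cleaning, every configured DNS server that is not on a private range is worth
a look.  A public resolver is not proof of infection by itself (some people
set one on purpose), so the script reports rather than changes anything.
"""
import ipaddress
import re
import subprocess

# Address ranges a home PC's DNS server is normally expected to sit in:
# RFC 1918 private space, loopback, link-local, and their IPv6 equivalents.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample of `ipconfig /all` output.  203.0.113.0/24 is the
# RFC 5737 documentation range, used here purely as a placeholder.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_dns_servers(ipconfig_text):
    """Return every DNS server address listed in `ipconfig /all` text.

    The first server sits on the 'DNS Servers' line; additional servers
    follow on indented continuation lines that carry a bare address and no
    label.  A labelled line (contains more than one token) or a blank line
    ends the list for that adapter.
    """
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if collecting:
            cont = re.match(r"\s+(\S+)\s*$", line)
            if cont:
                servers.append(cont.group(1))
            else:
                collecting = False
    return servers


def suspicious_dns_servers(servers):
    """Return the servers that fall outside LOCAL_NETS (or do not parse)."""
    flagged = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)          # unparsable entry: look at it anyway
            continue
        if not any(ip in net for net in LOCAL_NETS):
            flagged.append(s)
    return flagged


def check_live_host():
    """Run the real `ipconfig /all` (Windows only) and return flagged servers."""
    out = subprocess.run(["ipconfig", "/all"],
                         capture_output=True, text=True).stdout
    return suspicious_dns_servers(parse_dns_servers(out))


if __name__ == "__main__":
    servers = parse_dns_servers(SAMPLE_IPCONFIG)
    print("configured DNS servers:", servers)
    print("not on the local network:", suspicious_dns_servers(servers))
```

On a home PC that gets its DNS from the router, an empty result after the reset is what you want to see; anything flagged should match a resolver you chose deliberately, or the router itself still needs attention (check its own DNS settings on the configuration page, since a DNS Changer can rewrite those as well as the PC's).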
 
OK, that was all fine. Connected back to the net with no problems.

Here's the new MBAM log.
 

Attachments
  • mbam-log-2010-03-27 (19-41-16).txt (879 bytes)
The Google redirect seems to have been fixed; however, the browser still seems to redirect if a URL is typed incorrectly, and the computer seems a little sluggish to start up...
 
If you type a URL incorrectly, you won't get the correct site....

Let's try one more thing and see if it will clear whatever is stopping ComboFix or SDFix from running:

Please download exeHelper to your desktop.

Please Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

(Once we have finished cleaning, I'll have you remove all the cleaning tools and logs they created.)
 