Computer Hope
Software => Computer viruses and spyware => Topic started by: LauraD on April 02, 2009, 03:17:39 PM
-
Two days ago, while trying to search for things on Google and Yahoo, I noticed every link I clicked on led me to an advertising site (lots of free prescription drugs! ::)) The search results page on Yahoo also looked different (the search bar was cut in half) and also lead me to false sites.
Today, whenever I search on Yahoo or Google, I am redirected to a blank page with long scroll bars on both the right side and bottom. I have tried other search engines with the same result! I am able to visit any web page through typing it into the address bar, but god forbid I try to Google search something.
I ran Spybot (no help) and deleted the program. I installed a year of McAfee and although it deleted some malicious trojans, I still have the same problem. Below is my hijack log:
[attachment deleted by admin]
-
Disable Spybot's TeaTimer
While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.
1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.
Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.
----------
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
- F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
- O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
- O1 - Hosts: 195.245.119.131 spyware-protector-2009.com
- O1 - Hosts: 195.245.119.131 www .spyware-protector-2009.com
- O1 - Hosts: 195.245.119.131 secure.spyware-protector-2009.com
- O1 - Hosts: 195.245.119.131 knocker
- O2 - BHO: (no name) - {FF67D7AF-D56B-40A8-8181-C0E26D8ECF61} - c:\windows\system32\hysyfso.dll
- O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
- O20 - Winlogon Notify: wghaoazz - C:\WINDOWS\SYSTEM32\hysyfso.dll
.
Important: Close all windows except for HijackThis and then click Fix checked.
Exit HijackThis.
----------
Download Malwarebytes' Anti-Malware (MBAM) (http://www.besttechie.net/tools/mbam-setup.exe)
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
----------
Download GooredFix from one of the locations below and save it to your Desktop.
Link #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Link #2 (http://downloads.securitycadets.com/GooredFix.exe)
* Double-click GooredFix.exe to run it.
* Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
* A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.
----------
Next post please add the MBAM and GooredFix logs.
-
After fixing what you said from Hijack, I went back to do a Yahoo search and now receive search results, though they are same bad links from a few days ago.
I have tried three times to run MBAM but it will not load. It took several tries to download it, but when I try to open it from the desktop, nothing happens.
Here is my Goored Log:
GooredFix v1.92 by jpshortstuff
Log created at 18:07 on 02/04/2009 running Option #1 (Valued Customer)
Firefox version 3.0.8 (en-US)
=====Suspect Goored Entries=====
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"
-
Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.
Download SDFix by AndyManchesta (http://www.filedropper.com/sdfix_1) and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with Administrative rights
* Now, double-click on the SDFix icon that should now be residing on your desktop. If a Open File - Security Warning box opens, click on the Run button.
* A window will now open showing SDFix being extracted into the C:\SDFix folder.
* Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
* DO NOT use it just yet.
Reboot your computer in Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
When your computer has started in safe mode, and you see the desktop, close all open Windows.
* Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field then click the OK button.
C:\SDFix\RunThis.bat
* SDFix window will open containing some brief info and a disclaimer on the use of the tool.
* Type Y on your keyboard and then press Enter to begin the cleanup process.
* It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).
-
Oh boy.
I began to run the program in safe mode. I left the room and when I came back it was back to the black screen with 'safe mode' in all four corners. It sat this way without any action for some time, tried cntrl-alt-del but to no avail. I rebooted the computer to try the program again, but when I clicked f8, I get a black screen saying "NTLDR is missing. Press cntrl-alt-del to restart."
I've pressed ctrl-alt-del, but it went right back to this screen.
What on earth do I do now :(
-
Will it restart in Normal Mode?
-
When the computer starts up, it shows the same message. It shows the "Dell" page for a second, with F2=Setup and F12= Boot Menu in the upper right corner.
-
What all besides the mouse and keyboard is plugged into the computer by USB?
Try unplugging everything but the mouse and keyboard and see if it starts up normally.
-
I have a laptop and all that is plugged in is the power cord.
-
Can you get back to the safe mode options by tapping F8 during startup?
-
Nope, it goes right back to the black screen.
-
Can you burn a disk with the other computer?
Avira AntiVir Rescue System
* Download the Avira AntiVir Rescue System (http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html)
* Place a blank CD in your burner and double-click on the downloaded file.
* The program will automatically burn the CD for you.
* Place the burned CD into the affected computer and start the computer with the CD in the CD tray.
* On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
* Click on the Configuration button.
- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (Jokes)
- Select Scan for games
- Select Scan for spyware (SPR)
* Click on Virus scanner
* Click on Start scanner at the bottom of the screen
Currently the program does not support saving a log. Please write down the list of items for Records, Suspect files, and Warnings then post them back here.
-
Apparently none of my CD's are writable, so it's off to the computer store tomorrow.
-
Do you have your Windows XP CD? If so start the computer with it in the disk drive and attempt a Repair Install http://www.michaelstevenstech.com/XPrepairinstall.htm#RI