BleepingComputer.com: Help to remove Findgala search redirect

Bump

Hello

I have changed the script see if it will run now

Run OTL Script

• Double-click OTL.exe to start the program.
  
• Copy and Paste the following code into the textbox. Do not include the word Code
  

  :otl
  IE - HKU\S-1-5-21-2605554684-3630929933-3143514118-1000\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
  FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
  FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
  O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
  O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
  O4:64bit: - HKLM..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent File not found
  O4:64bit: - HKLM..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe File not found
  O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found
  O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe File not found
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
  O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
  O18:64bit: - Protocol\Handler\vsharechrome - No CLSID value found
  O18 - Protocol\Handler\vsharechrome - No CLSID value found
  @Alternate Data Stream - 171 bytes -> C:\ProgramData\TEMP:DFC5A2B2   
  O1 - Hosts: 188.119.151.113 www.google-analytics.com.
  O1 - Hosts: 188.119.151.113 ad-emea.doubleclick.net.
  O1 - Hosts: 188.119.151.113 www.statcounter.com.
  O1 - Hosts: 69.72.252.254 www.google-analytics.com.
  O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
  O1 - Hosts: 69.72.252.254 www.statcounter.com.
  :Files
  ipconfig /flushdns /c
  :Commands
  [PURITY]
  [EMPTYTEMP]
  [emptyjava]
  [EMPTYFLASH]
  

  
  
• Then click the Run Fix button at the top.
  
• Click .
  
• OTL may ask to reboot the machine. Please do so if asked.
  
• The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Let me know How things are doing

Gringo

Hi Gringo,

I tried running the updated script you provided in your latest post and I unfortunately got the same alert window error msg as my previous post when I ran the original script you provided in OTL.

Please let me know how you would like me to proceed. Thx.

AJ

Bump

:use HostsXpert:

Please download HostXpert.

• Unzip HostsXpert.zip
  
• Double click on HostsXpert.exe to launch the programme.
  
• Check to see if top button on left hand side says Make Writable ?
  • If it does. click on it then proceed to next instruction.
    
  • If not, just proceed to next instruction
  
  
• Then click on "Restore ms Hosts file" to restore your Hosts file to its default condidtion..
  
• Click on Make Read Only to secure it against further infection.
  
• Close program when complete.

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
  
• do you need more time?
  
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Hi Gringo,

I'm very sorry for the delay in getting back to you. I've been swamped at work, then Valentines, yadi yadi yada...No excuses. Thx for following up.

I followed your instructions but when I run HostsXpert.exe I immed get a Warning message:

Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit.

***HostsXpert will NOT reset these attributes.***


So I go ahead and click "OK" and the message pops up again and I press "OK" once again and the warning goes away.

With the program up and running, it shows what appears to be a "sample HOSTS" file and the "Make Writable?" button has red letter and the lock is "locked". I try clicking that and nothing seems to happen. I then proceeded to click "Restore MS Hosts File". The "Confirm" window pops up and I click "OK" there only to get an "Error" window saying:

ERROR: Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts

I tried to do this all twice and stopped trying fearing that I might make things worse. So that's as detailed an account ok my actions I can give.

Please let me know how to proceed. Also, thank you again for you help and patience with this. Take care.

AJ

Hello


I want you to navigate to C:\Windows\system32\DRIVERS\ETC\hosts right click on the file and select properties and see if it has read only ticked and if it does remove it


gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
  
• do you need more time?
  
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Hi Gringo,

I'm sorry for the delay in getting back to you. I was out of town for the long weekend and just returned home. In any case, after reading your post, I looked for the hosts file and if you can believe it, I couldn't find it?! I have hidden folders visible and I'm sure that I've accessed that file on this computer before, but for whatever reason, I don't have that file in the folder specified (and where I would expect to find it as I have on this and other computers I own).

Is it possible for Windows to run without that file? Could I be missing something? What should I do now? Thx.

AJ

BTW, the only files I see in the "etc" folder are:

lmhosts.sam
networks
protocol
services

So the "etc" folder only contains the 4 files listed above is that helps any. Thx.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\Windows\SysNative\drivers\etc\Hosts

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

Hi Gringo,

I was following the steps you provided and ComboFix seemed to be initiating just fine. A DOS prompt window called "Administrator: ." popped up and then a 2nd window popped up called "Version_12-02-02.02" containing the following msg:

Current date is 2012-02-21. ComboFix has expired
Click 'Yes' to run in REDUCED FUNCTIONALITY mode
Click 'No' to exit

So I clicked 'No' to exit and thought I'd run that msg by you before going ahead with the program in "REDUCED FUNCTIONALITY" mode.

Pls advise on how to move forward. Thx.

AJ

go ahead and let it update - it gets updated 2 or 3 times a day



gringo

Hi Gringo,

I followed your instructions and the same window msg appeared as described in my last post. This time I clicked "Yes" and when I did, the ComboFix icon disappeared from my desktop. I thought that maybe this was simply part of the process, so I left the laptop all day to complete it's process (even though it didn't look like anything was being processed). It's now the end of the day and it doesn't seem as though anything really happened and the ComboFix icon never came back? Is it possible that it uninstalled itself? Should I just reinstall it from the link you provided in earlier posts and try again? Pls advise. Thx.

AJ

Hello


you can download a new one from here

Link 1
Link 2
Link 3

save it to the desktop and then run the script


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\Windows\SysNative\drivers\etc\Hosts

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo