Browser Redirects, Pop-Ups of Odd Websites


This topic is locked
25 replies to this topic

#1 rickmcm

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 PM

Posted 10 June 2010 - 09:07 AM

Hi

I'm running Vista SP1 and have tried updating to SP2 but Windows Update won't complete and returns Error Code 80072EFE

Also I am getting browser redirects to strange sites and using Google or Yahoo Search takes me to even stranger ones, whatever result I click on.

Something weird and nasty has nestled in my PC - can anyone help me?

Thanks! :thumbsup:


#2 golfdude

  • Members
  • 219 posts
  • OFFLINE
  • Gender:Male
  • Location:Ft Wayne, Indiana
  • Local time:07:10 PM

Posted 10 June 2010 - 10:53 AM

Rickmcm,

Do you have Malwarebytes on your pc? If so, update the definitions and post the scan log.

You might try to follow the following instructions (these work for all sorts of nasties):
  • Print out these instructions as we may need to close every window that is open later in the fix.
  • It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
  • Before we can do anything we must first end the processes that belong to Security Master AV so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

    rkill.com Download Link
  • Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Security Master AV and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Master AV when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Master AV. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

    Do not reboot your computer after running rkill as the malware programs will start again.
  • Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes' Anti-Malware Download Link
  • Once downloaded, close all programs and Windows on your computer, including this one.
  • Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
  • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If Malwarebytes prompts you to reboot, please do not do so.
  • MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    [Screenshot]

  • On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Security Master AV related files.
  • MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    [Screenshot]

  • When the scan is finished a message box will appear as shown in the image below.


    [Screenshot]

    You should click on the OK button to close the message box and continue with the Security Master AV removal process.
  • You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
  • A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    [Screenshot]

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
  • When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
  • You can now exit the MBAM program.

Thanks,
Golfdude

America is all about speed. Hot, nasty, badass speed. -Eleanor Roosevelt, 1936
Intel i7-3820, 32 GB DDR3-1600, Intel 330 SSD Boot Drive, WD 3TB Data Drive, Radeon HD7770 GHz Edition, Windows 10 Professional 64 Bit
 


#3 rickmcm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 PM

Posted 10 June 2010 - 07:59 PM

Hi golfdude!

Thanks for your help, I do appreciate it.

I have Malwarebytes. Thankfully, I updated the definitions yesterday, as when I tried to update today, I got the message:

"MBAM_ERROR_UPDATING (12007,0, WinHttpSendRequest)"

I ran Malwarebytes, see log below, but got this message whilst it was running:

"Host Process for Windows Services stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available."

Whilst going online to post this reply, a spurious browser window opened at www.caranddriver.com

I have not yet run rkill but will do that now. In the meantime, here's the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4183

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/10/2010 8:46:23 PM
mbam-log-2010-06-10 (20-46-23).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 342593
Time elapsed: 1 hour(s), 59 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 rickmcm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 PM

Posted 10 June 2010 - 08:04 PM

Hi again

I just ran rkill and got the following message from McAfee:

"McAfee has detected a potentially unauthorized registry change to your computer.

About this Registry Change
SystemGuards: Internet Explorer Restrictions
Location: C:\Users\rick\AppData\Local\Temp\47EA.tmp\pev.rkexe

Spyware, adware, and other potentially unwanted programs can make registry changes to Internet Explorer Restrictions, affecting browser settings and options."

Should I allow or block that change?

Here is rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as rick on 06/10/2010 at 21:01:24.


Processes terminated by Rkill or while it was running:


C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\rick\Desktop\rkill.com


Rkill completed on 06/10/2010 at 21:01:32.


Thanks!

#5 golfdude

  • Members
  • 219 posts
  • OFFLINE
  • Gender:Male
  • Location:Ft Wayne, Indiana
  • Local time:07:10 PM

Posted 11 June 2010 - 07:16 AM

rickmcm,

Your OS- Vista- is not up to date. I believe SP-2 is available and am wondering why your pc didn't automatically download and install this.

Just for the heck of it, try manually checking for updates (Control Panel, either "Windows Update" or "System and Security", "Windows Update" depending on what "view by" is set to). I am wondering if the malware you have is causing Windows Automatic Update not to work.

If you are able to update the OS, do the following:

1. Download TFC.exe and SuperAntiSpyware Free edition and save them to your Desktop.
2. Click on the SuperAntiSpyware Setup program and install the program. Allow it to update the definitions. Don't run the scan yet.
3. Click on TFC.exe and run the Temp File Cleaner.
4. Perform a Quick Scan with SAS. If it requires a Reboot- do that.
5. Post the SAS log. The Log can be found at "Preferences" button, "Statistics/Logs" tab in the program. Not sure why they make these so hard to find....

And for what it is worth- I never had any luck with McAfee back in the day on my own pc's or any of the pc's I have worked on. A real resource eater and a pain in the a$$ to remove.

On the other hand, I have had good success with Avast Free on pc's with teenage users that kept getting re-infected. After installing Avast Free they haven't called me to clean the pc again....

If you decide to replace McAfee with Avast- Download the Avast Setup program to your Desktop and download the McAfee "Removal Tool" (says it all!) to your Desktop. I would unhook from the Internet and run the removal tool, then the Avast install program then rehook up to the Internet.

Thanks,
Golfdude



#6 longshadow71

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:10 PM

Posted 11 June 2010 - 08:43 AM

Odd, but I am having the same problem... Cannot connect to ANY microsoft sites at all... Also getting that funky error code when I try Windows Update. I am getting these odd sites popping up whenever I click from the searchbar, yet if I go to Google.com and search that way, it works. I have tried this with Internet Explorer, Mozilla Firefox as well as Opera.

I scanned with CA AntiVirus several times... I used the Rkill trick.... I did many full scans with Malwarebytes' Anti-Malware as well as Spybot S&D. No viruses nor adware are being detected...

I, however, am running Vista's SP2...

It's more annoying than damaging. Any further options to explore here?

#7 golfdude

  • Members
  • 219 posts
  • OFFLINE
  • Gender:Male
  • Location:Ft Wayne, Indiana
  • Local time:07:10 PM

Posted 11 June 2010 - 08:46 AM

Longshadow71,

Hello and welcome to Bleeping Computer :thumbsup:

However, to get help with your own pc problem- please start your own thread.

Thanks,
Golfdude



#8 rickmcm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 PM

Posted 11 June 2010 - 10:02 AM

Hi golfdude

I can't get Vista to update, see my original post, probably because of the malware, so I can't use TFC and SuperAntiSpyware, correct? What can I try next?

McAfee keeps finding a trojan called New Malware.j which is a heuristic indication.

#9 golfdude

  • Members
  • 219 posts
  • OFFLINE
  • Gender:Male
  • Location:Ft Wayne, Indiana
  • Local time:07:10 PM

Posted 12 June 2010 - 03:03 PM

#1- missed the OS update in your earlier post. Sometimes I get confused :thumbsup:

If you have access to another computer please download RKILL and save it to a flash drive. Transfer this to the infected computer and run it. Run it several times if it works the first time. I have had to run it 3 times to kill some of the baddies.

If this doesn't work, we go to step four.

Thanks,
Golfdude



#10 rickmcm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 PM

Posted 12 June 2010 - 03:53 PM

Hi again

I did try to update Vista again today, but wasn't able to, got the same error number as previously.

I just downloaded rkill on another pc and ran it 5 times on my machine, same results each time:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as rick on 06/12/2010 at 16:49:21.


Processes terminated by Rkill or while it was running:


C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe


Rkill completed on 06/12/2010 at 16:49:27.

And Step 4 would be..?

Thanks

Rick

#11 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:10 PM

Posted 12 June 2010 - 06:26 PM

Hello, the malware probably changed your setting, per the error.

Try this--open control, internet options, connections tab, lan settings, uncheck the box next to "use proxy...."
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
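Boopme's proxy check, done from the command line as an added example (not from the thread): it reads the same Internet Options values the LAN settings dialog shows and, going a step beyond the dialog, also reports the automatic configuration (PAC) script setting and the separate WinHTTP proxy that Windows Update uses. It assumes PowerShell is installed (an optional component on Vista) and changes nothing.

```powershell
# Added example, not from the thread: read-only audit of the proxy settings a
# browser-redirect infection commonly tampers with. Nothing is modified.

# Registry location the "LAN settings" dialog in Internet Options reads and writes.
$ieSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyAudit {
    $p = Get-ItemProperty -Path $ieSettings

    # ProxyEnable = 1 is the ticked "Use a proxy server for your LAN" box.
    # AutoConfigURL is the separate "Use automatic configuration script" box;
    # a PAC file can redirect traffic even when the proxy box is clear.
    $ieProxy = New-Object PSObject -Property @{
        ProxyEnabled  = ($p.ProxyEnable -eq 1)
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }

    # Windows Update and other non-browser components use the WinHTTP proxy,
    # which is configured independently of Internet Options.
    $winHttp = (netsh winhttp show proxy) -join ' '

    New-Object PSObject -Property @{
        IE      = $ieProxy
        WinHTTP = $winHttp
    }
}

$audit = Get-ProxyAudit

'--- Internet Options (current user) proxy ---'
$audit.IE | Format-List
'--- WinHTTP proxy (used by Windows Update) ---'
$audit.WinHTTP

# Findings a cleaner would act on; the GUI step in the thread clears ProxyEnable.
if ($audit.IE.ProxyEnabled -and $audit.IE.ProxyServer) {
    "Proxy is ON and points to '$($audit.IE.ProxyServer)'. If you did not set this yourself, it is the likely redirect source."
}
if ($audit.IE.AutoConfigURL) {
    "A PAC script is configured: $($audit.IE.AutoConfigURL). An unexpected PAC URL is a less visible hijack."
}
if ($audit.WinHTTP -notmatch 'Direct access') {
    'WinHTTP is not set to direct access; an unexpected WinHTTP proxy can break Windows Update and MBAM updates.'
}
if (-not $audit.IE.ProxyEnabled -and -not $audit.IE.AutoConfigURL -and $audit.WinHTTP -match 'Direct access') {
    'No proxy or PAC script is configured at either layer; the redirect is not coming from these settings.'
}
```

If "Use proxy" is already clear, as Rick found, the PAC and WinHTTP lines are the two places this check looks that the dialog's one checkbox does not.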

#12 rickmcm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 PM

Posted 13 June 2010 - 10:48 AM

Hello, the malware probably changed your setting, per the error.

Try this--open control, internet options, connections tab, lan settings, uncheck the box next to "use proxy...."



Hi Boopme

I tried that just now but 'Use Proxy' was already unchecked.

Any suggestions what I try now..?

Thanks

Rick

#13 rickmcm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 PM

Posted 15 June 2010 - 06:10 PM

Hello

I haven't heard from anyone in 2 days. Is there something I can/should be/shouldn't be doing?

#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:10 PM

Posted 15 June 2010 - 07:54 PM

Seems there was no Step 4, only what they copied from our removal guide. I thought they were going to finish and not hang you. Noted:

What antivirus and firewall are running? It may work if you disable one, then the other, trying in between. Only go and get MBAM while disabled.
If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, USB, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware


#15 golfdude

  • Members
  • 219 posts
  • OFFLINE
  • Gender:Male
  • Location:Ft Wayne, Indiana
  • Local time:07:10 PM

Posted 15 June 2010 - 08:53 PM

Rickmcm,

You have a staff member helping you now- and one of the best.

I will bow out now- follow Boopme's instructions.

Take care.

PS Boopme- for some reason I never received an email that rickmcm replied to my last post. Not sure why???

Anyway, please help them out.

Edited by golfdude, 15 June 2010 - 08:57 PM.

Thanks,
Golfdude
