Gala Search Virus


9 replies to this topic

#1 NeedHelp7

NeedHelp7

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:11 PM

Posted 04 June 2011 - 06:50 PM

I have the Gala search virus on my computer. I've read through a couple of the other posts and tried to follow along and remove the virus myself to no avail. My Eset Virus protection could not detect it and neither did the MBam SW from Malwarebytes. I also ran the TFC.exe.

Can someone please help me?

Thanks

Mike


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:11 PM

Posted 04 June 2011 - 07:03 PM

Please run this batch file.

Open Notepad (go to Start > Run and type in Notepad and click OK).
Copy/paste the following text inside the code box into a new notepad document.

@ECHO OFF
REM Export the machine-wide and the per-user IE SearchScopes keys as .reg text
regedit /e look1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
regedit /e look2.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"
REM Join both exports into one log and open it in the default text viewer
Type look*.txt >log.txt
start log.txt
REM Remove the temporary exports and this batch file itself
del look1.txt look2.txt
del %0
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save
  • Close the Notepad.
  • Locate look.bat on the desktop.
  • Double click the icon or Right-click to run it as administrator if you have Vista or Windows 7.
  • A notepad opens, copy and paste the content (log.txt) to your reply.

m0le is a proud member of UNITE

#3 NeedHelp7

NeedHelp7
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:11 PM

Posted 04 June 2011 - 07:45 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"DisplayName"="@ieframe.dll,-12512"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
"FaviconURL"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"ShowSearchSuggestions"=dword:00000001
"SortIndex"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{3AA8E079-594A-4928-A2D7-20FAC3C39236}"
"Version"=dword:00000002
"DownloadUpdates"=dword:00000001
"UpgradeTime"=hex:84,33,c8,55,70,e9,c9,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"SuggestionsURLFallback"="http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
"FaviconURLFallback"="http://www.bing.com/favicon.ico"
"FaviconPath"="C:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"URL"="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
"DisplayName"="Bing"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3AA8E079-594A-4928-A2D7-20FAC3C39236}]
"DisplayName"="Google"
"URL"="http://findgala.com/?&uid=2262&q={searchTerms}"
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconPath"="C:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{3AA8E079-594A-4928-A2D7-20FAC3C39236}.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADBS"
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"
"FaviconPath"="C:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{6A1806CD-94D4-4689-BA73-E35EA1EA9990}.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{94D85E74-C986-4888-8E3B-DFDDDA489DD9}]
"DisplayName"="Yahoo! Search"
"URL"="http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20100834,6686,0,8,0"

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:11 PM

Posted 05 June 2011 - 03:54 AM

Yes, your registry has been hacked. Let me know which operating system you have (e.g., Vista).

#5 NeedHelp7

NeedHelp7
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:11 PM

Posted 05 June 2011 - 11:14 AM

XP

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:11 PM

Posted 05 June 2011 - 11:26 AM

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it to your desktop (click File, Save As) as fixit.reg. In the same open Notepad, in the line below, select Any for File Type.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly. Please also run the batch file from before again and post the log. Finally, tell me if the redirections have stopped.

#7 NeedHelp7

NeedHelp7
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:11 PM

Posted 05 June 2011 - 11:42 AM

The merge worked but the Gala virus is still present. Here is the log file again.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
"FaviconURL"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"ShowSearchSuggestions"=dword:00000001
"SortIndex"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
"Version"=dword:00000002
"DownloadUpdates"=dword:00000001
"UpgradeTime"=hex:84,33,c8,55,70,e9,c9,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3AA8E079-594A-4928-A2D7-20FAC3C39236}]
"DisplayName"="Google"
"URL"="http://findgala.com/?&uid=2262&q={searchTerms}"
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconPath"="C:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{3AA8E079-594A-4928-A2D7-20FAC3C39236}.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADBS"
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"
"FaviconPath"="C:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{6A1806CD-94D4-4689-BA73-E35EA1EA9990}.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{94D85E74-C986-4888-8E3B-DFDDDA489DD9}]
"DisplayName"="Yahoo! Search"
"URL"="http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20100834,6686,0,8,0"

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:11 PM

Posted 05 June 2011 - 11:55 AM

Try this registry fix

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it to your desktop (click File, Save As) as fixit.reg. In the same open Notepad, in the line below, select Any for File Type.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3AA8E079-594A-4928-A2D7-20FAC3C39236}]


NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly and if Gala is still present
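The two steps in this thread, reading the regedit /e export produced by look.bat and then merging a .reg file whose [-KEY] lines delete the hijacked scope, can be automated. The following Python script is an added example, not code from the thread or from m0le: it parses the exported SearchScopes text, flags any scope whose DisplayName claims a provider while its URL sends the query to a different host (the "Google" scope that really points at findgala.com), and writes the same style of removal .reg, resetting DefaultScope to a trusted scope if it pointed at the flagged one. The EXPECTED_HOSTS table and the fallback GUID are assumptions, and the embedded export is constructed to mirror the HKCU log posted above.

```python
"""Detect a hijacked IE search scope in a regedit /e export and build the
removal .reg. Added example for this thread, not m0le's or BleepingComputer's
code; EXPECTED_HOSTS and the fallback GUID are assumptions."""
import re
from urllib.parse import urlparse

SCOPES_ROOT = r"Software\Microsoft\Internet Explorer\SearchScopes"

# Constructed sample: a trimmed copy of the HKCU SearchScopes export in the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{3AA8E079-594A-4928-A2D7-20FAC3C39236}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL"="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
"DisplayName"="Bing"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3AA8E079-594A-4928-A2D7-20FAC3C39236}]
"DisplayName"="Google"
"URL"="http://findgala.com/?&uid=2262&q={searchTerms}"
"FaviconPath"="C:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\x.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&sourceid=ie7"
"""

# Assumption: the domains a scope carrying this DisplayName should send queries to.
EXPECTED_HOSTS = {
    "google": ("google.com",),
    "bing": ("bing.com",),
    "live search": ("live.com", "bing.com"),
    "yahoo! search": ("yahoo.com",),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the string values in a
    regedit /e export; dword/hex values are skipped since only URLs matter here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = STR_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            keys[current][name] = re.sub(r"\\(.)", r"\1", raw)  # undo \\ and \" escapes
    return keys


def host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_hijacked(keys):
    """Return (guid, display_name, url_host) for each scope whose query URL does
    not go to the provider its DisplayName claims, or whose name is unknown."""
    bad = []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if not parent.lower().endswith(SCOPES_ROOT.lower()) or not leaf.startswith("{"):
            continue
        host = urlparse(values.get("URL", "")).hostname or ""
        name = values.get("DisplayName", "")
        expected = EXPECTED_HOSTS.get(name.lower())
        if expected is None or not host_matches(host, expected):
            bad.append((leaf, name, host))
    return bad


def build_fix(keys, bad, fallback_guid):
    """Emit .reg text: a [-KEY] line deletes each flagged scope on merge, and if
    the hive's DefaultScope pointed at one of them it is reset to fallback_guid."""
    bad_guids = {guid for guid, _, _ in bad}
    if fallback_guid in bad_guids:
        raise ValueError("fallback scope is itself flagged")
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        if key.rpartition("\\")[2] in bad_guids:
            lines.append(f"[-{key}]")
    for key, values in keys.items():
        if key.lower().endswith(SCOPES_ROOT.lower()) and values.get("DefaultScope") in bad_guids:
            lines += ["", f"[{key}]", f'"DefaultScope"="{fallback_guid}"']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_EXPORT)
    bad = find_hijacked(keys)
    for guid, name, host in bad:
        print(f"hijacked scope {guid}: DisplayName {name!r} but queries go to {host!r}")
    print(build_fix(keys, bad, "{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"))
```

The script matches scopes by where their URL actually points, not by GUID, so on the export above it flags only {3AA8E079-594A-4928-A2D7-20FAC3C39236} and leaves the Bing and real Google scopes alone. The generated text is merged exactly like the fixit.reg in the posts (double-click, answer Yes), and the ERUNT backup step still applies before merging; re-running look.bat afterwards confirms the key is gone and DefaultScope no longer references it.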

#9 NeedHelp7

NeedHelp7
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:11 PM

Posted 05 June 2011 - 12:00 PM

THANK YOU!!! It merged successfully and the virus appears to be gone.

I am extremely grateful.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:11 PM

Posted 05 June 2011 - 12:03 PM

You're welcome :thumbup2:



