Remove FindGala

Each time that I attempt a search in Internet Explorer, I am redirected to FindGala.  I have run Malwarebytes Anti-Malware in Safe Mode with Networking.  A couple of issues were found and removed; however, I am still redirected to FindGala when I try a search in Internet Explorer.  I have downloaded and run DDS.  DDS.txt and Attach.txt are attached.

 

Thank you in advance for your assistance!

dds.txt

attach.txt


  • Root Admin

You appear to be either heavily infected or at least also having software conflicts. Please run the following steps with your Trend antivirus temporarily disabled and post back the logs.

STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

STEP 03

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed make sure to re-enable your antivirus.

STEP 04

Please download AdwCleaner by Xplode to your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.

STEP 05

Please go here to run the online antivirus scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish.
  • If any threats were found, click the 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Thanks

It is Trend Micro Security Agent which I did not see listed in the link provided.  When I right click on the icon in the system tray, my options are: Client/Server Security Agent Console, Component Versions, Update Now, Notification Settings, Plug-in Manager and Unload Client/Server Security Agent.  If I choose this last item, it prompts me for a password which I do not have.  When I purchased this computer a technician set it up including (supposedly) installing AntiVirus software.  I am no longer able to get in touch with the technician.  What are my options?


I'm self employed so it's a personal computer that I use for work...so I can make any necessary changes.  I followed the instructions that I found for manually removing Trend Micro Security Agent CSA (http://esupport.trendmicro.com/Pages/Manually-uninstalling-the-Security-Server-and-ClientServer-Security-Ag.aspx#CSA) and I purchased and installed the Pro version of Malwarebytes to use as my antivirus. 

 

I have completed Step 1 and Step 2, mbar-log.txt and system-log.txt attached.

 

Moving on to Step 3

mbar-log-2013-06-26 (00-42-23).txt

mbar-log-2013-06-26 (02-08-28).txt

system-log.txt


  • Root Admin

Okay well that is a nasty rootkit so please go ahead and run the MBAR scanner one more time after a reboot.

As for purchasing our product, thank you, but you should never do any type of financial transaction from an infected computer.

We'll do our best to get you cleaned up but also our program is not an antivirus product.

Please see the following.

http://helpdesk.malwarebytes.org/entries/20818081-Does-Malwarebytes-Anti-Malware-replace-antivirus-software-

Then proceed with the ESET scan as well. I'll check back on you again sometime tomorrow.

Thanks


Thanks Ron. I'm letting JRT run now and will complete steps 4 and 5 in the morning and report back. I would also appreciate any recommendations you would have for effective antivirus software that won't slow down my machine too much. Obviously what I had wasn't working very well.


  • Root Admin

We'll see when we get the logs back but often it's due to old exploited code like Java that helps these infections bypass security and get in in the first place.

I'll check back with you again tomorrow sometime. In the meantime you can install Microsoft Security Essentials as a free antivirus until you decide on another one or not.

http://windows.microsoft.com/en-us/windows/security-essentials-download


Steps 3 - 5 complete.  Here is the list of threats found by ESET:

 

C:\MRL Files\Downloaded software\SDFix\SDFix.exe Win32/PrcView application
C:\MRL Files\Downloaded software\Virus Malware Etc\SDFix.exe Win32/PrcView application
Operating memory a variant of Win32/TrojanDownloader.Tracur.AF trojan
 

JRT.txt and AdwCleaner[s1].txt attached.

 

I have downloaded and installed Microsoft Security Essentials.

 

Each time I reboot, I am also getting an error message.  Not sure if it is related to the other issues that I am having.  I have attached a jpeg of the error message.

AdwCleanerS1.txt

JRT.txt



  • Root Admin

No we're not done yet. We still need to run some other tools to see why you're getting this error.

Please visit this webpage for instructions on downloading and running ComboFix: How to use ComboFix

Please make sure you disable your security applications before running ComboFix.

Once Combofix has completed it will produce and open a log file. Please attach that log file to your next reply.

If needed the file can be located here: C:\combofix.txt

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


  • Root Admin

The entry in post 10 with your image was due to a missing driver for Tivo

 

c:\users\MHENLEY\AppData\Local\TiVo\dzvhydec.dll

 

If the functionality of Tivo is impaired you may need to reinstall it if you're using it.

 

The computer should be clean now.  How is the computer running now?  Are you still seeing any signs of an infection?

 

 

Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


 


Thanks Ron.  I'm not seeing any more symptoms and did not get the error message with the last restart.  I'm testing the Tivo software now and it appears to be running without problem.  I'll run the security check next and will post the log.

 

I'm also concerned about my husband's computer that is on the same home network as mine.  His computer doesn't have any specific symptoms of infection like mine did but it is running a bit slower than normal.  I'd like to run DDS on his machine too and have you take a look at DDS.txt and Attach.txt.  Can I post them to this thread or do I need to start a new thread?


  • Root Admin

Normally you would open a new ticket, but once we're done here you can reply with the other one. Please wait till we're done; just a bit more.

 

Please uninstall ALL versions of Java

Please update your Adobe Flash player from Adobe.com

Please update your Adobe Reader from Adobe.com

 

Then go ahead and uninstall combofix.   Click on START and type in COMBOFIX.EXE  /UNINSTALL

 

If all goes well and no further issues then we can start on the other computer. Basically run the same items I asked you to run in my first reply to you.


JAVA uninstalled, updated Adobe Flash and Reader, ComboFix uninstalled.  Everything seems to be running fine.  Thank you so much for your help.

 

I've run through the instructions from your initial post for my husband's computer.  It looks like he doesn't have any problems but I've posted the log files just to get your confirmation that all is OK.  ESET online found no threats so there is no associated log file.

AdwCleanerS1.txt

JRT.txt

mbar-log-2013-06-28 (07-22-41).txt

system-log.txt


  • Root Admin

Yes your other computer appears to mostly be okay.  Please run DDS and Security check on it and post those logs.

 

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop:
dds.scr
dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.

When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file

Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


 


  • Root Admin

You need to update your Adobe Reader.  If you click on Help About there should be a link to check for updates.

 

You also may have some type of networking issue as this entry shows in the Event Logs.  It's possible it's a fluke and may not happen again though.

 

7/2/2013 6:24:05 AM, Error: NetBT [4307]  - Initialization failed because the transport refused to open initial addresses.

 

Aside from that the logs look okay.  Are there any other signs or issues related to malware going on with this other computer?

 


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
