Need help getting rid of findgala

Howdy!
I am helping a friend get his computer back up and running and found issues with both I.E. and Chrome while using their search bars. If I type in a full URL, it will go to that site, but any search or partial URL comes back with “cannot display the page”.
Avast found Win32:Evo-gen [susp] and successfully quarantined it. Next scan was clean.
MBAM found no threats on either quick or full scan.
Downloaded OTL and ran as directed in the “Logs to assist in cleaning malware” thread.
Tried to start this post on the infected computer, and neither I.E. nor Chrome will show the verification window to allow me to attach the txt files or even make the post - from that computer.
I don’t want to drop the files on a USB stick and put them on this computer, for fear of moving the virus over unintentionally.

Thanks!

Under the answer box there is an option called attachments and other options, is that working?

Tried to start this post on the infected computer, and neither I.E. nor Chrome will show the verification window to allow me to attach the txt files or even make the post - from that computer.

If able to, you can zip the logs and upload to a fileshare site and give link here…
Another option is to install MCShield on the clean computer and transfer the files on a USB stick? … anyway essexboy is online so wait for his advice

On the host computer install the following programme to scan and clean (if necessary ) the USB drive

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then you can use the drive to transfer data

I installed McShield on the clean machine, scanned the USB media, copied the txt files that are attached below from the infected computer, and McShield scanned the USB media again when I plugged it in to this computer.
I have attached both the before and after scans from MBAM.

Thanks!

Also attach MCShield log … start > all programs > mcshield > logs > all scans

Essexboy will be back online later…

McShield is currently only installed on the clean computer.
I will still attach the log, but should I also install it on the infected computer, now?

Thanks!

Essexboy may want to clean it before you do…

Have you previously used McAfee / Symantec Norton on that computer? … are they still installed?

It’s a friend’s computer, and I believe that he had subscribed to and installed Norton, but did not renew when the subscription expired. I don’t know about the McAfee. I have not uninstalled anything as of yet.

At some stage you will need to uninstall McAfee and Norton/Symantec as they will be bogging the system down (drivers and services still running)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\SearchScopes\{6E28F9CA-0DBC-459C-9CD7-625F7E0F88A4}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\.DEFAULT\..\SearchScopes\{6E28F9CA-0DBC-459C-9CD7-625F7E0F88A4}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-18\..\SearchScopes\{6E28F9CA-0DBC-459C-9CD7-625F7E0F88A4}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-3005819764-2930746350-104854367-1000\..\SearchScopes\{6980CFA7-6E27-49B1-8C89-46962DE2B5F9}: "URL" = http://findgala.com/?&uid=2363&q={searchTerms}
IE - HKU\S-1-5-21-3005819764-2930746350-104854367-1000\..\SearchScopes\{6E28F9CA-0DBC-459C-9CD7-625F7E0F88A4}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-3005819764-2930746350-104854367-1000\..\SearchScopes\{AA8D6475-50E6-0FAB-D17A-2CE8EC5002F9}: "URL" = http://www.startnow.com/s/?q={searchTerms}&src=defsearch&provider=Bing&provider_code=Z083&partner_id=335&product_id=477&affiliate_id=&channel=US468&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110708&user_guid=A1CE12A26AA8400F86128F94E2EA7A1F&machine_id=6a3340bdea4c3f411a4311c719f0e4be&browser=IE&os=win&os_version=6.0-x86-SP0
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll File not found
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll File not found
O3 - HKLM\..\Toolbar: (IspAssistant Add-on) - {6DA1E850-9F71-4B3C-81A4-D9EEEF6FCD50} - C:\Program Files\IspAssistant Addon\ispassistant.dll ()
O3 - HKU\S-1-5-21-3005819764-2930746350-104854367-1000\..\Toolbar\WebBrowser: (IspAssistant Add-on) - {6DA1E850-9F71-4B3C-81A4-D9EEEF6FCD50} - C:\Program Files\IspAssistant Addon\ispassistant.dll ()
O4 - HKLM..\Run: [] File not found
@Alternate Data Stream - 188 bytes -> C:\Windows\System32\msln.exe:f5f858f1e57372221a7300ea7b6aa5bb

:Files
C:\Program Files\StartNow Toolbar
C:\Program Files\IspAssistant Addon

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

FINALLY

Please download Junkware Removal Tool to your desktop.

[*]Right-mouse click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system
[*]Please be patient as this can take a while to complete depending on your system’s specifications
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.
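For anyone reading this later who wants to check an OTL log for the same kind of search hijack before asking for a fix, here is a small Python triage script. It is an added example, not code from this thread, from OTL, or from essexboy: it parses the “IE - …SearchScopes…” lines and the O2 (BHO) / O3 (Toolbar) lines in the format OTL prints, pulls the search URL host out of each SearchScopes entry, flags any host that is not on a small allowlist of engines the owner actually expects (the allowlist is an assumption for the example), and marks BHO/toolbar registrations whose DLL is gone (“File not found”), which is how orphaned toolbars such as the StartNow entries above show up. The sample lines are constructed from the entries quoted in the fix above (the StartNow query string is shortened).

```python
"""Triage helper for OTL-style log lines (search-scope hijack check).

Added example for this thread; not part of OTL or of the fix posted above.
"""
import re
from urllib.parse import urlparse

# Search engines the machine owner expects to see (assumption for this example).
EXPECTED_SEARCH_HOSTS = {
    "www.google.com", "www.google.ca", "www.bing.com",
    "search.yahoo.com", "ixquick.com", "duckduckgo.com",
}

# IE - <hive>\..\SearchScopes\{CLSID}: "URL" = <url>
SEARCHSCOPE_RE = re.compile(
    r'^IE - (?P<hive>.+?)\\\.\.\\SearchScopes\\(?P<clsid>\{[^}]+\}): "URL" = (?P<url>\S+)$'
)
# O2 - BHO: (<name>) - {CLSID} - <path> [File not found | ()]
# O3 - <hive>\..\Toolbar: (<name>) - {CLSID} - <path> [File not found | ()]
OBJECT_RE = re.compile(
    r'^(?P<kind>O2|O3) - (?P<where>.+?): \((?P<name>[^)]*)\) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$'
)
MISSING = "File not found"

# Constructed sample, taken from the OTL entries quoted in the fix above.
SAMPLE_OTL_LINES = [
    r'IE - HKLM\..\SearchScopes\{6E28F9CA-0DBC-459C-9CD7-625F7E0F88A4}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd',
    r'IE - HKU\.DEFAULT\..\SearchScopes\{6E28F9CA-0DBC-459C-9CD7-625F7E0F88A4}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd',
    r'IE - HKU\S-1-5-18\..\SearchScopes\{6E28F9CA-0DBC-459C-9CD7-625F7E0F88A4}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd',
    r'IE - HKU\S-1-5-21-3005819764-2930746350-104854367-1000\..\SearchScopes\{6980CFA7-6E27-49B1-8C89-46962DE2B5F9}: "URL" = http://findgala.com/?&uid=2363&q={searchTerms}',
    r'IE - HKU\S-1-5-21-3005819764-2930746350-104854367-1000\..\SearchScopes\{6E28F9CA-0DBC-459C-9CD7-625F7E0F88A4}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd',
    # query string shortened for the sample
    r'IE - HKU\S-1-5-21-3005819764-2930746350-104854367-1000\..\SearchScopes\{AA8D6475-50E6-0FAB-D17A-2CE8EC5002F9}: "URL" = http://www.startnow.com/s/?q={searchTerms}&src=defsearch&provider=Bing',
    r'O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll File not found',
    r'O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll File not found',
    r'O3 - HKLM\..\Toolbar: (IspAssistant Add-on) - {6DA1E850-9F71-4B3C-81A4-D9EEEF6FCD50} - C:\Program Files\IspAssistant Addon\ispassistant.dll ()',
    r'O3 - HKU\S-1-5-21-3005819764-2930746350-104854367-1000\..\Toolbar\WebBrowser: (IspAssistant Add-on) - {6DA1E850-9F71-4B3C-81A4-D9EEEF6FCD50} - C:\Program Files\IspAssistant Addon\ispassistant.dll ()',
    r'O4 - HKLM..\Run: [] File not found',   # not a search/BHO/toolbar line; ignored
]


def _clean_path(path):
    """Strip OTL's trailing status text ('File not found' or an empty '()') from a path."""
    for suffix in (MISSING, "()"):
        if path.endswith(suffix):
            path = path[:-len(suffix)].rstrip()
    return path


def parse_otl_lines(lines):
    """Return one finding dict per SearchScopes, BHO or toolbar line; other lines are skipped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SEARCHSCOPE_RE.match(line)
        if m:
            host = (urlparse(m["url"]).hostname or "").lower()
            findings.append({
                "kind": "searchscope", "hive": m["hive"], "clsid": m["clsid"],
                "url": m["url"], "host": host,
                "suspicious": host not in EXPECTED_SEARCH_HOSTS,
            })
            continue
        m = OBJECT_RE.match(line)
        if m:
            findings.append({
                "kind": "bho" if m["kind"] == "O2" else "toolbar",
                "where": m["where"], "name": m["name"], "clsid": m["clsid"],
                "path": _clean_path(m["path"]),
                # registration points at a DLL that no longer exists: leftover to clean up
                "orphaned": m["path"].endswith(MISSING),
            })
    return findings


def flagged_hosts(findings):
    """Sorted list of search hosts that are not on the expected-engine allowlist."""
    return sorted({f["host"] for f in findings
                   if f["kind"] == "searchscope" and f["suspicious"]})


if __name__ == "__main__":
    results = parse_otl_lines(SAMPLE_OTL_LINES)
    for f in results:
        if f["kind"] == "searchscope" and f["suspicious"]:
            print(f"review search scope {f['clsid']} in {f['hive']}: {f['host']}")
        elif f["kind"] != "searchscope" and f["orphaned"]:
            print(f"orphaned {f['kind']} '{f['name']}' -> {f['path']}")
    print("unexpected search hosts:", flagged_hosts(results))
```

To use it on your own log, read the OTL.txt file into a list of lines and pass it to parse_otl_lines instead of the sample; anything it flags is something to show the helper, not something to delete on your own, since the fix script has to be written for the specific machine.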

Downloaded and ran as requested. Files are attached below.

Uninstall McAfee and Norton … when done use the vendors removal tool to clear any leftover files

Tools are found here http://singularlabs.com/uninstallers/security-software/ nr. #22a and #26a

Looks a lot better, how is the computer behaving now ?

I used the tools above to finish removing McAfee and Norton, but I’m still having search issues. I am also getting errors when I try to update Windows, or run MrFixit.

It appears that I’m being blocked from using the yahoo search engine, google search, and google.com. I did try ixquick and was able to complete searches just fine. If I try the same search from the address bar or search box in either Chrome or I.E., I get:

hxxp://www.google.ca/search?q=cast+boolits&oq=cast+boolits&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8
This webpage is not available

-in Chrome

or:
[i]Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

What you can try:
Diagnose Connection Problems

More information[/i]

The hosts file looks like this:

127.0.0.1 localhost
::1 localhost

(all of the italics above were added by me)

Please let me know what to check next!

Thanks!!

OK, first we will look at the net data and then proceed from there.

Please download MiniToolBox, save it to your desktop and run it.

https://dl.dropbox.com/u/73555776/minitoolbox.JPG

Checkmark the following checkboxes:

[*]Flush DNS
[*]Report IE Proxy Settings
[*]Reset IE Proxy Settings
[*]Report FF Proxy Settings
[*]Reset FF Proxy Settings
[*]List content of Hosts
[*]List IP configuration
[*]List Winsock Entries
[*]List last 10 Event Viewer log
[*]List Installed Programs
[*]List Devices
[*]List Users, Partitions and Memory size.
[*]List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using “Reset FF Proxy Settings” option Firefox should be closed.

Done, and results attached!

Thank you for all of your help so far, I really appreciate it!

An error was noted in the TCPIP file, so I would like to investigate that further.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

ComboFix log is attached.
I still cannot get any results from the standard search tools in either I.E. or Chrome. If I type in the full URL in the address bar, it takes me right to the requested page - except www.google.com. That takes me to the “This webpage is not available” screen, in Chrome - or “the address is not valid” in I.E.

OK, let’s reset the network manually. Do any other computers using the same router have a similar problem?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:Files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
netsh advfirewall reset /c

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ran the fix and the log is attached.

Still have the same issues.
I have 2 other computers accessing the router, and neither one has any issues. One is connected via cat5 and the other wirelessly. The one we are working on is connected via cat5.