Need help getting rid of findgala

It is a DNS problem of some sort

Could you set up OpenDNS and see if that resolves it: http://www.opendns.com/home-internet-security/parental-controls/opendns-home/

OpenDNS is installed, but no change in how the searches perform.

Would I be better off to uninstall both Chrome and I.E. - and then re-install them - one at a time?
If so, what tools would you suggest to accomplish that cleanly?

Thanks!

OK, first you will need to update Vista to Service Packs 1 and 2 and then install IE9; this will reset a lot of system files to where they should be.

http://www.microsoft.com/en-gb/download/details.aspx?id=30 SP1
http://www.microsoft.com/en-gb/download/details.aspx?id=16468 SP2
http://windows.microsoft.com/en-gb/internet-explorer/ie-9-worldwide-languages IE9

Whenever I try to update to the next service pack, it ends with an internal error. I tried going to Microsoft's website to figure out what the error was, but they don't list it separately; they just suggest downloading and using their update preparation tool. Tried that, and it got lost "looking for updates". I had to end it through the Task Manager. Rebooted and tried the Service Pack 1 installer again - same error.
Going back through our thread, I realized that I had never run aswMBR. Downloaded the program and ran it. I am attaching a copy of the log to this message.

I believe the unknown is Daemon Tools, but let's check it out.

Download the latest version of TDSSKiller from here and save it to your Desktop.

1. Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

2. Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

3. Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

4. Click the Start Scan button.

5. If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

6. If malicious objects are found, they will show in the Scan results and offer three (3) options.
7. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

8. Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

That seems to have been the cure! I am now able to use the search feature in Chrome and I.E., without being blocked. I can also go directly to google.com with no problem.
TDSSKiller found 1 threat, which I didn't write down, because I thought that a results file would be available after the reboot - my mistake. It did offer the option to cure the threat, and that's what I chose, followed up by a reboot. But I didn't copy the report file before I rebooted, and the report file after the reboot is pasted below. Avast's active shield also caught the threat as soon as TDSSKiller exposed it, and gave me a "no worries, we stopped it" popup from the tray.

Current TDSSKiller report:

07:53:08.0414 0x0a14 TDSS rootkit removing tool 3.0.0.19 Nov 18 2013 09:27:50
07:53:10.0416 0x0a14 ============================================================
07:53:10.0416 0x0a14 Current date / time: 2014/01/21 07:53:10.0416
07:53:10.0416 0x0a14 SystemInfo:
07:53:10.0417 0x0a14
07:53:10.0417 0x0a14 OS Version: 6.0.6000 ServicePack: 0.0
07:53:10.0417 0x0a14 Product type: Workstation
07:53:10.0431 0x0a14 ComputerName: DEADEYE-PC
07:53:10.0446 0x0a14 UserName: Deadeye
07:53:10.0446 0x0a14 Windows directory: C:\Windows
07:53:10.0446 0x0a14 System windows directory: C:\Windows
07:53:10.0446 0x0a14 Processor architecture: Intel x86
07:53:10.0446 0x0a14 Number of processors: 2
07:53:10.0446 0x0a14 Page size: 0x1000
07:53:10.0446 0x0a14 Boot type: Normal boot
07:53:10.0446 0x0a14 ============================================================
07:53:10.0480 0x0a14 BG loaded
07:53:11.0427 0x0a14 System UUID: {194FA38B-265B-4870-C9CD-C74953E85AB9}
07:53:14.0130 0x0a14 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x50C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type ‘K0’, Flags 0x00000050
07:53:14.0237 0x0a14 ============================================================
07:53:14.0238 0x0a14 \Device\Harddisk0\DR0:
07:53:14.0244 0x0a14 MBR partitions:
07:53:14.0244 0x0a14 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x11845D91
07:53:14.0244 0x0a14 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x11845DD0, BlocksNum 0x11D2940
07:53:14.0244 0x0a14 ============================================================
07:53:14.0310 0x0a14 C: ↔ \Device\Harddisk0\DR0\Partition1
07:53:14.0435 0x0a14 D: ↔ \Device\Harddisk0\DR0\Partition2
07:53:14.0435 0x0a14 ============================================================
07:53:14.0435 0x0a14 Initialize success
07:53:14.0435 0x0a14 ============================================================

The report log will be at C:\TDSSKiller (date time) and will be the larger of the reports.

Found it. Attaching to this message.

Thanks!!

OK, it was an infected system file... but, intriguingly, not one I would have suspected. Looks like you had something new. A new area now to keep my eye on.

07:46:42.0825 0x0c84 [ DEA0BF2354EB609C33F5F1BED41FD0E4, F2F1C87E8D2A052F0992B514D17A6ED9C682FB067A9E99CF18918938B6D75651 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
07:46:42.0916 0x0c84 Suspicious file ( Forged ): C:\Windows\system32\drivers\Wdf01000.sys. Real md5: DEA0BF2354EB609C33F5F1BED41FD0E4, sha256: F2F1C87E8D2A052F0992B514D17A6ED9C682FB067A9E99CF18918938B6D75651, fake md5: 7B5F66E4A2219C7D9DAF9E738480E534, fake sha256: ED8D421591D693F2C0DB55B319A05E7E63241A66399CB7CE0C574B14138D8CC0
07:46:42.0922 0x0c84 Wdf01000 - detected Virus.Win32.Rloader.a ( 0 )
07:46:45.0690 0x0c84 Wdf01000 ( Virus.Win32.Rloader.a ) - infected
07:46:45.0690 0x0c84 Force sending object to P2P due to detect: C:\Windows\system32\drivers\Wdf01000.sys
07:46:59.0629 0x0c84 Object send P2P result: true

Any further problems ?
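The "Suspicious file ( Forged )" line above is worth understanding: TDSSKiller prints two hash pairs because the bytes it read for Wdf01000.sys below the file system ("real") differ from the bytes a normal file read returned ("fake"), which is the footprint of a rootkit filtering reads of the file it infected. The following is an added example, not code from the thread or from Kaspersky, showing how a practitioner would triage a Windows box for the same class of problem from PowerShell: verify the Authenticode status of every driver under system32\drivers and, where a known-good copy is available, compare SHA-256 hashes. The reference directory parameter and its path are assumptions for illustration.

```powershell
# Added example (not from the original thread): list kernel drivers whose
# Authenticode signature does not verify, or whose SHA-256 differs from a
# known-good copy. An infected/patched driver like the Wdf01000.sys above
# would no longer verify once its real bytes are read.
# Assumptions: elevated session, PowerShell 3.0+ (Get-FileHash);
# -ReferenceDir (e.g. an offline mount of a clean install) is optional and
# a placeholder for whatever known-good source you actually have.

param(
    [string]$DriverDir    = "$env:SystemRoot\System32\drivers",
    [string]$ReferenceDir = ''
)

$results = foreach ($f in Get-ChildItem -Path $DriverDir -Filter *.sys -File) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash

    # Compare against a known-good copy with the same file name, if one exists.
    $refMismatch = $false
    if ($ReferenceDir) {
        $ref = Join-Path -Path $ReferenceDir -ChildPath $f.Name
        if (Test-Path -Path $ref) {
            $refHash = (Get-FileHash -Path $ref -Algorithm SHA256).Hash
            $refMismatch = ($refHash -ne $hash)
        }
    }

    [pscustomobject]@{
        Driver      = $f.Name
        Status      = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256      = $hash
        RefMismatch = $refMismatch
    }
}

# Anything that is not 'Valid', or that differs from the reference copy, gets a closer look.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' -or $_.RefMismatch }
$suspect | Sort-Object Status, Driver | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, many Microsoft-supplied drivers carry no embedded signature and are signed through catalog files; older PowerShell versions report those as NotSigned, so treat NotSigned as "confirm with another tool" rather than as proof of tampering. Second, and more important here: a rootkit that filters file reads can hand this script the clean bytes, exactly as it handed TDSSKiller the "fake" hash, so the script then reports Valid for an infected driver. The check that can be trusted is the one made from outside the running system (boot media, another machine, or a scanner that reads the disk below the file system as TDSSKiller does).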

I don't seem to be having any further problems in I.E. or Chrome. I'm going to try to update the operating system and I.E. and will report back how that goes.

Thanks

My attempt to install SP1 failed again with the same error as before. After everything that we have run on this system, I'm not sure that it is malware related or caused, but I am including a screen capture to show the error.

Thanks again for the continued help!

OK, could you run chkdsk /r?
Once done, temporarily disable the Avast shields and try to install again.

Chkdsk completed successfully. It did find some errors, but all seemed to be fixed or moved without any problem.
Tried the SP1 install again - same result. :-\

Using a little google-fu, I found several instances where this issue was resolved via regedit, and the removal of
PendingXmlIdentifier
NextQueueEntryIndex and
AdvancedInstallersNeedResolving

My Components registry had just the first and last entries, which I deleted (after making a backup!).
Tried the SP1 install again, and it went much longer (15 minutes or so, compared to 1 minute before) before it errored out referencing #80073712.
Went back in and downloaded the stand-alone installer KB947821, unplugged the ethernet cable, disabled Avast, then ran it. After 15 minutes it was at about 60% according to the progress bar. After 2 hours, it was still at the same point.
I enabled Avast and plugged the ethernet cable back in, and it finished installing in about 5 minutes.
Rebooted and launched the SP1 installer. It took a while, but it finally installed, rebooted, and finished with no drama.
Launched SP2 installer - all went smoothly.
Launched I.E. 9 upgrade and it went smoothly also.

By all appearances, it looks like I’m going to be able to give him back a viable system - thanks to your help!!
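The registry step the poster describes (delete PendingXmlIdentifier, NextQueueEntryIndex and AdvancedInstallersNeedResolving, after backing them up) is the part most people get wrong, usually by skipping the backup. The following is an added example, not from the thread, that does the same thing in PowerShell and records each value's name, type and data before removing it. It assumes the values live under the HKLM\COMPONENTS hive (loaded at boot on Vista; if the path is absent, load it with reg load from %SystemRoot%\System32\config\COMPONENTS first), that the session is elevated, and that the backup file path is a placeholder.

```powershell
# Added example (not from the original thread): back up, then remove, the three
# servicing-stack values the poster deleted by hand. Only values that actually
# exist are touched; the poster's machine had just the first and the last.
# Assumptions: HKLM\COMPONENTS is loaded, session is elevated, $backup is a
# placeholder path you choose.

$key    = 'HKLM:\COMPONENTS'
$names  = 'PendingXmlIdentifier', 'NextQueueEntryIndex', 'AdvancedInstallersNeedResolving'
$backup = "$env:SystemDrive\components-values-backup.txt"

if (-not (Test-Path -Path $key)) {
    throw "$key is not loaded. Run: reg load HKLM\COMPONENTS %SystemRoot%\System32\config\COMPONENTS"
}

$regKey  = Get-Item -Path $key
$present = $regKey.GetValueNames()

foreach ($n in $names) {
    if ($present -notcontains $n) {
        "$n not present, nothing to do"
        continue
    }
    $kind = $regKey.GetValueKind($n)          # e.g. Binary, DWord, String
    $data = $regKey.GetValue($n)
    # REG_BINARY comes back as a byte array; render it as hex so it can be restored.
    $text = if ($data -is [byte[]]) { ($data | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' } else { "$data" }
    "{0}`t{1}`t{2}" -f $n, $kind, $text | Add-Content -Path $backup
    Remove-ItemProperty -Path $key -Name $n
    "Removed $n ($kind); backup appended to $backup"
}
```

To put a value back, read its line from the backup file and re-create it with New-ItemProperty, passing -PropertyType with the recorded kind and, for binary data, converting the hex string back to a byte array. As the poster found, this workaround only gets the installer past the registry check; the servicing stack itself still has to be repaired (the KB947821 System Update Readiness Tool in this thread) before the service pack will install.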

Grand :slight_smile:

Any other problems prior to me tidying up ?

I still have a bothersome little issue, with not being able to change the wallpaper, but I think I can figure it out and I am pretty sure that it isn’t due to any resident malware.
So I guess we are good to go, after a little clean up!

Thank you very much for all of your help. It’s greatly appreciated!!

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run AdwCleaner and select Uninstall

Delete JRT from the desktop

Remove ComboFix
1. Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
2. In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

3. Follow the prompts on the screen.
4. A message should appear confirming that ComboFix was uninstalled.

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right-click Disk Cleanup and select Run as administrator.
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear.
Select the More Options tab.
Press the System Restore and Shadow Copies Cleanup button.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read our little guide "How did I get infected in the first place?"

Keep safe :wave:

Howdy again!

His system seems to be running smoothly, and I can see no more problems.
The wallpaper problem was caused by a setting in “Ease of Access Center”. The “Remove background images” setting, was checked. As soon as I unchecked that, the problem was solved.
Windows has been automatically updating with no additional issues.

Thank you very much for all of your help, it is very greatly appreciated!!!

My pleasure, and thank you for the update

Keep safe :slight_smile: