Nasty suite of malware

By buddhasmash
Apr 18, 2009
  1. My browser is constantly redirecting to ad and fake spyware removal sites. I can't access most anti-spyware application sites, presumably because whatever malware I have is blocking them. I followed the Malware removal instructions on this board, all except steps 4 (can't access the download webpage) and 5 (the installation file won't load). I'll post the logs I have. Someone please help.
  2. buddhasmash (TS Rookie, Topic Starter)

    Why am I getting no responses? Did I do something wrong?
  3. captaincranky (TechSpot Addict, 11,462 posts, +1,760)

    Well, obviously not. But this is Saturday, be patient.

    >> Maybe the anti-malware guys union won't let them work on the weekend! <<
    (Just kidding here)
  4. buddhasmash (TS Rookie, Topic Starter)

    Did another Avira scan. Only three viruses found this time, but I'm still getting redirected and I still can't open most malware removal programs. New log is attached.
  5. touch (TS Rookie, 978 posts)

    The viruses Avira found are a rootkit; you also have a Wareout infection.

    Try Malwarebytes again, slightly differently ->

    Reboot to Safe Mode with Networking.

    Download Malwarebytes

    Save the file as setup.exe

    Run the setup.exe file
    When it gets to the final step of the installation it will seem like it hasn't finished, but it will take anywhere from 15 mins. to an hour to get through that step, so just let it do its thing.

    Go into the Malwarebytes folder in Program Files
    Rename mbam.exe to mab.exe and run it.
    Do a full computer scan
    Check all and remove/fix/delete them.

    Restart your computer and attach the log
  6. buddhasmash (TS Rookie, Topic Starter)

    I followed every single step you gave me, to the letter. I still can't run the (newly renamed) Malwarebytes app. I double-click the icon and nothing happens. I was still in safe mode while trying to run the file. Should I be?

    Edit: There is also a file named mbamgui. Should I rename it to mabgui? It may be worth noting that the installation didn't take long at all.

    Further Edit: Nevermind, got the file to run. Proceeding as instructed.
  7. buddhasmash (TS Rookie, Topic Starter)

    Followed your instructions. Spybot loaded when I started up the computer, but Google links are still redirecting and I can't actually open the Spybot GUI. I'll post the logs.

    Edit: Another item worthy of note - A seemingly new drive has appeared on my PC. It appears in My Computer as "Recovery (D:)". When I double click on the drive an Internet Explorer window pops up containing this warning:

    "Protected by PC Angel
    Recovery Partition
    This area of your hard disk
    (or partition) contains files used
    for your system recovery.
    Do not delete or alter these files.
    Any change to this partition could
    prevent any recovery later."

    When this window opens, Internet Explorer automatically blocks an ActiveX control. Don't know if that's relevant.

    I don't remember ever partitioning my hard drive, and as far as I know Windows System Restore doesn't create a separate partition, so I thought this looked suspicious.
  8. touch (TS Rookie, 978 posts)

    OK. Let's try the next step -

    Right-click here -> << Save as

    Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

    Now, please make sure no other programs are running, close all other windows.

    Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
    Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
    It may take a while to complete scanning and this is normal.

    You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and it will be restored after scanning has completed.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

    NB: It is possible you'll have to do the above from Safe Mode with Networking.
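Added example (not from this thread or from any of its posters): the two renaming tips above, mbam.exe to mab.exe in post 5 and the ComboFix download to 123.exe in post 8, only help when the malware keys its blocking on the executable's file name, and the "can't access the download page" symptom in the first post is often a hosts-file redirect. The thread never says which mechanism this particular infection used, so the two checks below are assumptions about plausible mechanisms: a hosts file that pins security-vendor domains to some address, and Image File Execution Options (IFEO) keys whose "Debugger" value makes Windows launch something else in place of a tool. Both inputs are constructed samples, and the vendor-domain and tool-name lists are illustrative choices, not data from the thread. On a real machine you would feed it the contents of C:\Windows\System32\drivers\etc\hosts and a `reg export` of the IFEO key.

```python
"""Offline checks for two name-based ways malware keeps removal tools from
running or downloading. Constructed sample inputs; mechanisms are assumptions
about what the thread's infection might have done, not facts from the thread."""
import re

# Constructed sample hosts file (NOT from the thread). The first two lines are
# what a clean XP hosts file contains; the rest mimic a redirector's additions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.malwarebytes.org
203.0.113.10    download.cnet.com
127.0.0.1       www.avira.com
"""

# Constructed sample `reg export` of the IFEO key (NOT from the thread).
# iexplore.exe has a legitimate non-Debugger value and must not be flagged.
SAMPLE_IFEO_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\combofix.exe]
"Debugger"="C:\\WINDOWS\\system32\\ntsd.exe -d"
"""

# Illustrative list (assumption): sites a removal guide sends the user to.
VENDOR_DOMAINS = ("malwarebytes.org", "avira.com", "safer-networking.org", "cnet.com")

# Illustrative list (assumption): tool names whose IFEO Debugger a clean
# system essentially never sets.
SECURITY_TOOLS = {"mbam.exe", "mbamgui.exe", "combofix.exe", "avguard.exe",
                  "spybotsd.exe", "hijackthis.exe"}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that pin a vendor domain to ANY address.

    127.0.0.1 is as suspicious as a remote address: pointing a vendor's
    site at loopback is exactly how "the download page won't load" happens.
    """
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name == "localhost":
                continue
            if any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append((ip, name))
    return hits


_KEY_RE = re.compile(r"^\[.*\\Image File Execution Options\\([^\\\]]+)\]\s*$",
                     re.IGNORECASE)
_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)


def ifeo_debugger_hijacks(reg_text):
    """Return {exe_name: debugger_command} for IFEO subkeys with a Debugger value.

    Windows starts the Debugger command instead of the named executable, which
    is why renaming mbam.exe to mab.exe sidesteps this kind of block: the new
    name has no IFEO subkey.
    """
    hijacks = {}
    current = None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # subkey name == target executable
            continue
        m = _DEBUGGER_RE.match(line)
        if m and current:
            # .reg files escape backslashes as "\\"; undo that for display
            hijacks[current] = m.group(1).replace("\\\\", "\\")
    return hijacks


def report(hosts_text, reg_text):
    """Run both checks and single out hijacks aimed at known security tools."""
    hijacks = ifeo_debugger_hijacks(reg_text)
    return {
        "hosts": suspicious_hosts_entries(hosts_text),
        "ifeo": hijacks,
        "blocked_tools": sorted(n for n in hijacks if n in SECURITY_TOOLS),
    }


if __name__ == "__main__":
    r = report(SAMPLE_HOSTS, SAMPLE_IFEO_REG)
    for ip, name in r["hosts"]:
        print(f"hosts: {name} -> {ip}")
    for exe, dbg in r["ifeo"].items():
        print(f"IFEO : launching {exe} actually runs {dbg!r}")
    print("blocked security tools:", r["blocked_tools"])
```

A hosts hit or an IFEO Debugger entry for a tool name is something to remove before re-running the scanner, and it also tells you whether the rename trick is even the right move: an IFEO block is beaten by a new file name, but a hosts redirect has to be cleaned out of the file (or the download fetched from a clean machine).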
  9. buddhasmash (TS Rookie, Topic Starter)

    I think the problem may be resolved. Google isn't redirecting anymore. Attaching the logs. Thanks so much for the help.
  10. touch (TS Rookie, 978 posts)

    P2P software/programs are a major contributor to infections. I see you have uTorrent and LimeWire. Not passing judgment on file-sharing; however, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

    Since we find the nature of P2P programs counter productive to restoring your PC to a healthy state, we ask that you remove P2P file sharing programs prior to our providing you with malware removal assistance.

    c:\program files\LimeWire
    c:\documents and settings\Owner.Zack\Application Data\uTorrent

    Reboot, attach fresh combofix log
  11. captaincranky (TechSpot Addict, 11,462 posts, +1,760)

    If you have an eMachines then the "PC Angel" files should be valid. This is the partition created by the Windows restore discs. I >>>THINK<<< that the original restore discs rebuild this partition on a "full" destructive restore (with reformat). With what is similar to a "repair installation", the restore discs load a fresh copy of Windows from the "D:/" partition. I am not certain which other manufacturers use "PC Angel" to set up their recovery protocols, but these files should be viewed as valid until you can definitely prove otherwise.

    Keep in mind that the "Windows restore discs" provided by manufacturers are not actually "Windows Discs" per se, but rather installers written to lock the OEM copy of the OS to a password protected BIOS. Windows is on the disc for sure, you're just not putting it on another machine without cracking or decompiling it. These discs WILL work between the exact same models of OEM computers. In other words, any Emachine T-5026 restore disc, should restore any other Emachine T-5026.
Topic Status:
Not open for further replies.
