Inactive Another Google redirect virus, MBAM crashes during all scans

Status
Not open for further replies.

bsithil

Hi!

Unfortunately I am also facing a redirect virus/malware issue that seems to be plaguing these boards. Google links will redirect to ads/other sites, but typing sites into the address bar or bookmarked sites load fine.

I have AVG antivirus, Spybot S&D, and Malwarebytes, but none of these programs find any infections. Malwarebytes will crash during any scan, whether it be a quick scan or a full scan.

Any help or advice would be appreciated, thanks in advance!
 
Hi and welcome to TechSpot forums :).

====

Please read the directions given here and when done, post the requested logs.
Please do not attach the logs unless requested, or unless they are too large to paste.
 
Hi Crunchie,

Thank you for helping. I will follow the steps and post the logs by tomorrow.

Note: Malwarebytes still crashes during scans, but I will attempt to try it again while moving through the steps.
 
Here are the logs.

Unfortunately Malwarebytes still crashes, so I couldn't get a log for that.

Thanks again!
 

Attachments

  • DDS.txt (18.2 KB)
  • Attach.txt (9.9 KB)
  • gmer.log (1.9 KB)

Please download JavaRa

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the Direct link download and unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will pop up (JavaRa.log) -- please post the contents of this log.

Next, open JavaRa.exe again, and select Search For Updates.

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 21 (JDK or JRE). On the right, select this one: Download JRE.

In Vista and Windows 7 run the tool as Administrator.

=============

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
I followed the Java steps with no issue, but after running combofix my computer seems to be in a worse situation.

The scan went smoothly until it found an infection and automatically rebooted. I did not do anything as instructed, but upon reboot, I receive a blue screen of death message,

"STOP: c000021a Fatal System Error
The windows logon Process system terminated unexpectedly with a status of 0xc0000005 (0x0000000 0x00000000).
The system has been shut down."

After manual reboots, the computer will load the desktop, then reboot itself and give the same blue screen.


Please advise!
 
Also, forgot to mention that combofix asked me to download/install recovery console. I followed the prompt and it downloaded and installed.

I have the computer off as it will boot up normally then crash after loading.

Currently posting from another computer.
 
When you attempt to boot, go to selective startup and see if it will boot ok from 'Use the last known good configuration.'

If it will not do so, try booting to safe mode and do a system restore.

Report back how you went please.
 
I loaded last known good configuration.

Windows loaded fine, but it gave me a winlogon.exe stop working (probably because it was deleted?). But, no reboots or blue screens.

Also, redirect seems to be gone. Unfortunately there was no log produced from combofix as it was giving me blue screens.

I have attached the JavaRa log as well.

Thanks again crunchie
 

Attachments

  • JavaRa.log (6.5 KB)

Ok so, now the comp won't start up again, having the same issues. After I loaded last known good config it was working fine; after I turned off the comp and turned it on again, it started giving me the same error and would give me a blue screen after loading.

thanks
 
Sorry, I've never performed a system restore, could you guide me as to how to go about doing this?

thanks!
 
Sorry crunchie, disregard that last post.

I figured it out, but this looks like it won't work either: before loading the System Restore box, the comp crashes with the same blue screen error.
 
Go to Start | Run and type in msconfig and hit OK. Select the Launch System Restore button.
The radio button for Restore my computer to an earlier time should be selected then go next.
Select a date that you wish to restore to and select next.
 
Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Here are the bootkit results

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`3ec10000
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
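
What an MBR check like the one reported in the log above can look at, as an added example that is not part of the original posts and is not eSage Lab's code: the 0x55AA signature, a hash of the 440-byte boot-code area, and each partition's byte offset. How Bootkit Remover itself decides "OK" is not stated in the thread, so the allowlist comparison is an assumption; the sample sector, its filler boot code and the hash set are constructed, with the start sector chosen to reproduce the 0x3ec10000 offset from the log.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into signature check, boot-code hash and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):                      # four 16-byte entries at offset 446
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:                           # type 0x00 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "offset": lba * SECTOR, "sectors": count})
    return {"signature_ok": sector[510:512] == b"\x55\xaa",
            "boot_code_md5": hashlib.md5(sector[:440]).hexdigest(),
            "partitions": partitions}

def triage(sector: bytes, known_good: set) -> str:
    """Classify an MBR against an allowlist of boot-code hashes."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: 0x55AA signature missing"
    if info["boot_code_md5"] not in known_good:
        return "unknown boot code"
    return "OK"

def build_sample() -> bytes:
    """Constructed sector: filler boot code plus one active NTFS partition."""
    sector = bytearray(SECTOR)
    sector[:440] = bytes(range(220)) * 2    # constructed filler, not real boot code
    # Start LBA 2056320 * 512 = 0x3ec10000, the volume offset shown in the log.
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2056320, 1000000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    sample = build_sample()
    good = {parse_mbr(sample)["boot_code_md5"]}   # constructed allowlist
    tampered = bytearray(sample)
    tampered[0x20] ^= 0xFF                         # one changed boot-code byte
    print(hex(parse_mbr(sample)["partitions"][0]["offset"]))
    print(triage(sample, good), "|", triage(bytes(tampered), good))
```

On a live system the 512 bytes would come from the first sector of the physical drive, read with administrator rights, instead of build_sample().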
 
That looks ok.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

 
ESET would not run, and Kaspersky required a java framework download, so I am currently running a panda active scan.

Will post results when finished
 
Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt
Please post the contents of that document in your next reply.
 
Please update Adobe Reader.

Download random's system information tool (RSIT) by random/random from >>here<< and save it to your desktop.
  • Double click on RSIT.exe to launch program.
  • Click Continue at the disclaimer screen.
  • Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
  • Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized.
 