Google redirect virus and a series of other problems

[Apples2009]

Hello
I would be really grateful for some help with fixing my computer (I have very limited experience in this area!!)

Okay so I think I started off with the google redirect virus because google searches on firefox suddenly started redirecting to other sites. Then I started getting error messages in the start bar (like around the place where it says the time..) The messages said stuff like files are corrupt, please run chkdsk. I tried to but the computer won't let me. Also it says stuff like waol.exe is a corrupt file.

Then I tried system restore but nothing happens. And then another message kept coming up saying something about a file not being saved and deleted (though that's stopped now).

I then downloaded MBAM and MBAM found a 100 trojan things including a trojan.vundo. I used MBAM to get rid of them and it seemed okay but then the redirecting started happening about 20 minutes later.

I then ran SAS and it found more trojans but the computer closed itself down (blue screen).

So I'm running MBAM again though it hasn't found anything yet. I also used goored but it hasn't really worked, I don't think.

I can't backup because the usb ports do not work (my usb key can't be read and the external hard drive won't start the back up program).

I can't download norton antivirus from the cd either.

I will attach the DDS file and the current goored log.

Sorry that this message is so long - I am feeling a bit helpless with all these problems!

Please tell me if I need to post any other things because I've never done this before so I'm not sure...

Thank you in advance for even reading this message!

xoxo

 

[touch]

Hello Apples2009

You have a large number of infections, I´ll therefore suggest you proceed as follows ->

Please run the steps in this guide:

8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Post attached log´s from:

Malwarebyte
Superantispyware
Hijackthis

In your next reply

 

[Apples2009]

Hi touch

Thanks for the quick reply. I'm still in the process of following those steps. I was just wondering if it is okay to do them even though my system is not backed up. I've done step one and am about to the step 2 but I'm not sure whether this is dangerous given that I have no copy of my files...

Also I've attached the Avira Scan log because it identified 30 viruses and although I pressed repair, I'm not sure it worked... Okay, for some reason I can't attach the log so will post it in a new message.

Anyway sorry that I haven't attached the other stuff and that this is taking me so long and once again thank you very much for the help!

---------------------------------------------------------------------------------------------------------

 

[Apples2009]

Avira Log

Okay - managed to attach it!

 

[Bobbye]

If you are uncomfortable running CCleaner, do a disc cleanup. Empty the Recycle Bin when through.

You are also running both McAfee and Norton in addition to Avira. IF you previously had these AV programs, their uninstall wasn't complete and processes from both are loading

Norton removal Tool: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
McAfee Consumer Product Removal tool (MCPR.exe)
:http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

You have a SmitFraud infection. Follow the steps in the URL gave you first and attach the logs for review. Then if needed, he will have you run the SmitFraud fix.

 

[Apples2009]

Hello

My computer now does not let me log on. Everytime I click on the user name it says logging off. A message came up saying the files are unreadable and corrupt. I have tried in safe mode and in last known good configuration and it still does not work. Before this happened I was trying to remove the Norton files and I had to restart the computer. Also before this, Malware doctor downloaded itself to my computer and started running and popping up and I couldn't stop it.

I'm not sure what to do now and would be really grateful for some advice.

Thanks!

 

[Bobbye]

I did not open the Avira file because you did a copy and paste to Word doc. We do not accept that file format. If you had followed the steps we have set up for Virus and Malware Cleaning, you would have had the logs saved in text, not doc.

It would have been in your best interest to follow the steps instead of running random cleaning programs
If you can get int Safe Mode, download the programs to a flash drive, then install and scan on the problem computer.

Backups needs to be done before there is a problem. you can't use your computer like it is so backup is now moot. Additionally, malware has put the following restrictions on:

Policy changes are in effect, most likely caused by malware:
NoFolderOptions >> Removes the Folder Options menu item from the Tools menu..
NoSetActiveDesktop>> remove the Active Desktop options from Settings on the Start Menu.
NoActiveDesktopChanges>> Prohibit changes.
DisableRegistryTools>> = Prevent access to registry editing tools
DisableTaskMgr >> Remove Task Manager.DWORD value need o be reset to 0 to remove the restrictions

and in order the fix them, you need access to regedit which is prohibited.

You need to do a disc cleanup and remove the temp files as well as the temporary internet files. You don't need CCleaner to do this.

IF you have a flash drive and can get your system into Safe Mode:
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report and attach in your next reply.

Please download HijackThis from here.

Save it to a permanent folder (such as C:\HJT).

Next, open HijackThis, and select Do a system scan and save a logfile.

A Notepad document will open. Please post the contents of that document.

 

[Apples2009]

Hello

I was actually in the process of following the virus and malware cleaning steps when I had to restart the computer and it then wouldn't let me log on. I wasn't just running scans of the computer - the Avira scan is step 1 in the malware removal steps. I was actually uninstalling Norton from my computer (as you suggested) because the Norton files were left from an unsuccessful installation. Sorry if I wasn't clear about this before.

Also, the Avira scan could not be saved as a .txt file. Everytime I tried to save it on the desktop or anywhere else, an error kept coming up. The only way was for me to copy it to word. And I definitely followed the steps on the malware removal page up until step 2. I was just about to perform disk cleaning before it happened.

I have tried logging in in safe mode but it doesn't work. I'm not sure how to proceed with the steps you suggested in the last post. Will I be able to back up my files?

Thanks!

 

[Bobbye]

I have tried logging in in safe mode but it doesn't work. I'm not sure how to proceed with the steps you suggested in the last post. Will I be able to back up my files?

Well, the computer isn't much good to you right now. It's too late to worry about backing up your files. Malware cleaning programs remove malware> malware can be in files and folders

Also, the Avira scan could not be saved as a .txt file. Everytime I tried to save it on the desktop or anywhere else, an error kept coming up

1. I look at Avira logs very day in text format.
2. What is the error you're getting when you try to save the Avira log?

To save the log file, Select open and click OK.
Then type: cp /tmp/avlogfile /mnt/hda1/log.txt
This will copy the log file to C:\log.txt.

 

[Apples2009]

Hello

The error I was getting when I tried to save to the desktop was something like desktop cannot be found and this was the same when I tried my documents etc. I could just save it without specifying a location but then I could not find the folder it saved in so this is why I copied and pasted it.

Also, do you want me to save the log file in .txt format from the attachment that I attached in a message?

And if the files delete, will it be possible to ever recover them from the hard drive?

Also, I have 3 disks that I got with the laptop: an Acer System CD Rev 4.0, and 2 Recovery CDs Rev 1.0. Will these be of any help? And is the system CD the same as a boot disk?

Thanks

 

[Bobbye]

It would be a good idea if you stopped worrying about backups and try to solve the problem at hand. Something to consider is that you might backup files or folders that are infected. So concentrate on getting the system running and cleaned up.

Touch would have been pleased if you had followed the malware cleaning steps on the thread he left for you.

Now it sounds like you can't access the system at all. What happens when you try to boot in to Safe Mode? Are you doing this>

Boot into Safe Mode:
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

 

[Apples2009]

Yes I am doing that. When it boots into safe mode the computer starts up. I then click on a user name and it says loading your personal settings and then says logging off and logs off. This is exactly what happens in normal mode and last known good configuration.

Also, I was following the steps that touch sent me. The steps say that every step must be followed completely. This is why I decided to ask about the CCleaner before performing this step and I waited for a response. After I read your response the first thing I did was follow what you said. The problem was that the computer broke down before I could actually perform a disk clean up. Sorry if I was unclear about this before!

Anyway, thanks for you quick responses. It is very much appreciated!

 

[Bobbye]

Are you or can you sign in under the Administrative account?

 

[Apples2009]

No. I can only get the Administrator option when I go into safe mode and when I click it, it just logs me out immediately.

 

[Bobbye]

If you cannot get in long enough to handle what I'm leaving below, you will have to reformat and reinstall.
You got off to a bad start with the program you ran, then ran others on your own, without benefit of our review of the logs.

The description of "stuff like waol.exe is a corrupt file." isn't of much help. Here's info on that dll file from MS:

When you are running America Online (AOL) version 6.0, you may receive the following error message:
Waol.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you view the data that the error report contains, the following error signature information may be listed:

App name App version Module name Module version Offset
-----------------------------------------------------------
Waol.exe 6.0.0.0 various various various

To resolve this issue, please contact AOL to obtain a version of AOL that is designed to work with Windows XP. Go to keyword "6.0" if you want to obtain the latest version of AOL 6.0, and go to keyword "Upgrade" to obtain the latest version of AOL which (as of March 2002) is version 7.0 or later.

So as far as I know, nothing was done to handle that problem.

DDS shows this entry:
C:\Program Files\Common Files\AOL\1227285625\ee\AOLSoftware.exe
It is described as follows:
Description: Added by the W32/Tilebot-CL worm and IRC backdoor. This infection should not be confused with the legitimate AOL file which can be found here: C:\Program Files\Common Files\AOL\1163204658\ee\AOLSoftware.exe

You are also running this:
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
From MSDN:

HTTP Filter is a Web filter that is installed with ISA Server. It can be configured on a per-rule basis to block HTTP requests based on the following:
* Request payload length.
* URL length.
* HTTP request method, such as the POST, GET, or HEAD request method.
* HTTP request file name extension, such as .exe, .asp, or .dll.
* HTTP request or response header.
* Signature or pattern in the request or response header or body.

There is more information here: http://msdn.microsoft.com/en-us/library/ms812595.aspx[/QUOTE]
I am not experienced in writing code, so I can't advise you.

antimalwareguard.com is in Trusted sites x 2. I can't even load the site as my security blocks it as an Attack Site. You need to remove this and put it in Restricted Sites.
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com (also a Trojan)

They put themselves in the Trusted Zone which means they are bypassed with most security settings you have.