Nasty suite of malware


buddhasmash
My browser is constantly redirecting to ad and fake spyware removal sites. I can't access most anti-spyware application sites, assumably because whatever malware I have is blocking them. I followed the Malware removal instructions on this board, all except steps 4 (can't access the download webpage) and 5 (the installation file won't load). I'll post the logs I have. Someone please help.
 
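A quick check worth running on a machine that shows this symptom (vendor sites unreachable, search links redirected): dump the Windows hosts file (%SystemRoot%\system32\drivers\etc\hosts on XP) and look for security-vendor names mapped to loopback, 0.0.0.0 or a public address. The script below is an added example, not something posted in this thread; the hosts content it scans is constructed to look like a hijack, and the vendor domain list is an assumption you would extend for your own tooling. Nothing on this page identifies the hosts file as the cause here, it is simply the first place a practitioner looks.

```python
"""Flag hosts-file entries that block or redirect security-vendor domains.

Added example for the thread above; the sample hosts text and the watched
domain list are constructed assumptions, not data from the original posts.
"""
import ipaddress
import sys

# Vendor domains that should never appear in a clean hosts file.
# Assumed list for the example; extend it with the vendors you care about.
WATCHED_SUFFIXES = (
    "malwarebytes.org", "malwarebytes.com", "avira.com",
    "safer-networking.org", "download.com", "microsoft.com",
    "symantec.com", "kaspersky.com",
)

# Names a stock Windows hosts file legitimately maps to loopback.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample (not from the thread): a normal header plus a few
# hijack-style lines of the kind seen on infected XP boxes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.com        # user ad-block entry, harmless
192.168.1.10    fileserver             # LAN name, harmless
127.0.0.1       www.malwarebytes.org   # vendor site sinkholed
77.88.21.3      www.avira.com          # vendor site sent elsewhere
77.88.21.3      www.safer-networking.org
0.0.0.0         download.com
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every usable mapping."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; ignore the line
        for host in fields[1:]:
            yield lineno, ip, host.lower()


def is_watched(host):
    """True if host is one of the watched vendor domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return a list of suspicious entries as dicts with line, host, ip, kind.

    kind is "blocked" when a watched domain points at loopback/0.0.0.0 and
    "redirected" when any name points at a public address. Loopback entries
    for non-watched names (typical ad-block lists) are left alone.
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in LEGIT_LOCAL:
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        if is_watched(host):
            kind = "blocked" if sinkhole else "redirected"
        elif not sinkhole and not ip.is_private:
            kind = "redirected"  # public IP for any name deserves a look
        else:
            continue
        findings.append({"line": lineno, "host": host, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    # Pass a path to scan a real hosts file; otherwise scan the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in find_hijacks(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run it against a copy of the hosts file pulled off the infected machine (from a clean boot or a live CD, since a rootkit can lie about the file's contents while it is running). A clean result does not rule out DNS-server tampering or a driver-level redirect, which is why the thread eventually needed a rootkit-capable tool rather than a hosts-file edit.
 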
Well, obviously not. But this is Saturday, be patient.

>> Maybe the anti-malware guys union won't let them work on the weekend! <<
(Just kidding here)
 
Did another Avira scan. Only three viruses found this time, but I'm still getting redirected and I still can't open most malware removal programs. New log is attached.
 
The viruses Avira found are a rootkit; you also have a WareOut infection.

Try Malwarebytes again, slightly differently ->

Reboot to safe mode with network.

Download Malwarebytes
http://www.download.com/Malwarebyte...4-10804572.html?tag=mncol;pop&cdlPid=10878968

Save the file as setup.exe

Run the setup.exe file
When it gets to the final step of the installation it will seem like it froze... it hasn't, but it will take anywhere from 15 mins to an hour to get through that step, so just let it do its thing.

Go into the Malwarebytes folder through Program Files.
Rename mbam.exe to mab.exe and run it.
Do a full computer scan
Check all and remove/fix/delete them.

Restart your computer and attach the log
 
I followed every single step you gave me, to the letter. I still can't run the (newly renamed) Malwarebytes app. I double click the icon, nothing happens. I was still in safe mode while trying to run the file. Should I be?

Edit: There is also a file named mbamgui. Should I rename it to mabgui? It may be worth noting that the installation didn't take long at all.

Further Edit: Nevermind, got the file to run. Proceeding as instructed.
 
Followed your instructions. Spybot loaded when I started up the computer, but Google links are still redirecting and I can't actually open the Spybot GUI. I'll post the logs.

Edit: Another item worthy of note - A seemingly new drive has appeared on my PC. It appears in My Computer as "Recovery (D:)". When I double click on the drive an Internet Explorer window pops up containing this warning:

"Protected by PC Angel
Recovery Partition
Warning!
This area of your hard disk
(or partition) contains files used
for your system recovery.
Do not delete or alter these files.
Any change to this partition could
prevent any recovery later."

When this window opens, Internet Explorer automatically blocks an ActiveX control. Don't know if that's relevant.

I don't remember ever partitioning my hard drive, and as far as I know Windows System Restore doesn't create a separate partition, so I thought this looked suspicious.
 
OK. Let's try the next step -

Right-click here -> https://www.techspot.com/downloads/5587-combofix.html << Save as

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after
scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

NB. It is possible you'll have to do the above from Safe Mode with Networking.
 
I think the problem may be resolved. Google isn't redirecting anymore. Attaching the logs. Thanks so much for the help.
 
P2P software/programs are a major contributor to infections. I see you have uTorrent and LimeWire. Not passing judgment on file-sharing; however, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infection. It may be contributing to your current situation.

Since we find the nature of P2P programs counter productive to restoring your PC to a healthy state, we ask that you remove P2P file sharing programs prior to our providing you with malware removal assistance.


Uninstall:
c:\program files\LimeWire
c:\documents and settings\Owner.Zack\Application Data\uTorrent

Reboot, attach fresh combofix log
 
If you have an eMachines then the "PC Angel" files should be valid. This is the partition created by the Windows restore discs. I >>>THINK<<< that the original restore discs rebuild this partition on a "full" destructive restore (with reformat). With what is similar to a "repair installation", the restore discs load a fresh copy of Windows from the "D:/" partition. I am not certain which other manufacturers use "PC Angel" to set up their recovery protocols, but these files should be viewed as valid until you can definitely prove otherwise.

Keep in mind that the "Windows restore discs" provided by manufacturers are not actually "Windows discs" per se, but rather installers written to lock the OEM copy of the OS to a password-protected BIOS. Windows is on the disc for sure; you're just not putting it on another machine without cracking or decompiling it. These discs WILL work between the exact same models of OEM computers. In other words, any eMachines T-5026 restore disc should restore any other eMachines T-5026.
 