Task manager and other admin stuff blocked, and occasional web site re-direction

Status
Not open for further replies.

watty

Posts: 8   +0
hello all,

I'm new to this, and don't really know what I'm doing, but I am desperate to fix this thing.

A little over a month ago I got a virus called Windows Protection Suite. I surfed around a bit and found Malwarebytes Anti-Malware was recommended and that fixed most of the big problems with that virus. I was using NOD 32 at the time, that expired and I'm now on AVG Free 9.0.

Last few days I've tried several programs to fix this and came across your 8 step program....so....

I still have two really problematic symptoms
1) Certain administrator functions that would seem to be helpful in the removal of this thing are blocked. I don't get a message or anything, I just try to start task manager and it doesn't happen. It seems like it tries to start and gets killed. Other admin problems that I know of include being blocked from editing the hosts list and blocked from initializing Spyware Doctor (although other programs haven't posed this problem). I was also blocked from updating the Superantivirus database, I don't know if that is related. I can change date/time, so I am still the administrator...

2) There's some redirecting when I try to go to sites via Google search results. Most are fine, and it seems random which sites get hijacked, but the AVG knows and doesn't give a green check to those listings. Redirection goes to Gala search engine and other bogus shopping directory type search lists.

I am attaching the Hijack This log and the SuperAntivirus scan log and the most recent Malwarebytes log. The Hijack This log clearly has some issues I need help with. The others are only finding cookies at this point.

Help?!?
And thanks in advance for your time!

PS I put on the COMODO firewall as part of step one and so far it is really annoying with permissions and seems to have really slowed things down...is there a better option?
 
Yes I see you have tried a few tools, all of the following are installed:

Ad-Aware
AVG9
COMODO Internet Security
IObit Security 360
Malwarebytes
Spyware Doctor
SUPERAntiSpyware
Symantec

Your HJT log shows redirect of your Hosts file (O1 entries - all of them)
But any amount of the above programs could be stopping any change to your Hosts file

I would suggest that you run HJT scan only and place a tick against every O1 entry then select fix
Then Restart and start uninstalling the above programs
Note: does your "COMODO Internet Security" also come with Antivirus scanning? If so then you need to uninstall AVG and then run the >> Remover Tool

I think it's just one of your installed programs stopping these changes
I also note that Malwarebytes was not updated. If after removing the above not required programs (the ones you don't want anymore) You can then update Malwarebytes and run a Quick scan only. Removing any found Malwares at the end of the scan

Then restart, and post another HJT log (ie hopefully it's cleaner ;))
 
Thanks for quick reply kimsland,

Well, I got rid of everything that was extra....there shouldn't be any symantec, that was uninstalled years ago. What's left is what was recommended on this site, except I kept the AVG as anti-virus because the COMODO is only the firewall.

I rebooted and I ran CCleaner again after all the removals.

I did get Superantispyware to update, and ran a full scan and it found absolutely nothing.

I can't update Malwarebyte's, I get an error code 732 (0, 0)

And HijackThis can't fix the hosts problem because that's part of the administrator's rights that I'm locked out of...a big part of my infection problem.

So I reran the scan, and am attaching the most recent log...but I don't think there is too much difference. Still have all the same problems.
 
Restart your computer to Safe Mode with Networking
By pressing F8 key, before Windows starts loading, then selecting Safe Mode with Networking
Download Combofix from HERE
Run it, accepting any prompts along the way
Combofix will scan your system for some known Malwares and then remove them for you

Restart back to Normal mode (Combofix may have done this automatically for you)
Then locate and run Combofix again
Save the logfile to be attached to a new reply

You can also download the manual update file for Malwarebytes HERE
Download; Run it; then open Malwarebytes and run a quick scan
Remove all found Malwares at the end of the scan

Uninstall SuperAntispyware from Add/Remove Programs in Control Panel

Run CCleaner once more
Then, still in CCleaner, click on the "Registry" button, and scan/fix all issues (you may need to run this a few times until all issues are fixed - no backup required)

Download and run Startup Control Panel
Unzip and run
Click on each Tab , and deselect any known startups that you don't want starting with Windows
I've mentioned this one, only because you have quite a few automatic startups, I presently have one.

Restart

Run another HJT scan and logfile and attach it to a new reply
I'm hoping things may seem a bit better after this as well (but not finalized yet ;))
 
Finally! some evidence of healing! Task manager is back in business anyways
Thank you!

I'm not sure if that means all my administrator privileges are back, I'm not sure how to test that. Perhaps we'll find out as we try to fix the host file!

So, still have the google results re-direct problem. Ran HJT again and attached the log below. Doesn't look any cleaner to me! Hope it does to you. When HJT runs the scan it suggests that it may not be able to fix the hosts problem and then it suggests deleting the host file...don't know what that means...

Thanks again,
I hope we're almost there!
 
Please disable AVG Watchdog service by clicking Start > Run > Services.msc > ok
Locate: "AVG Free9 Watchdog" service > Double click on it:
> "Stop" it
> Change "Automatic" to "Disable"
> Apply
> Ok
Close Services Window

Open "COMODO Internet Security" and disable the protection in there as well
Note: You may be able to right click on the tray icon to do this.

Right click on AVG icon and select Disable (or close or exit - basically I don't use or like AVG, so a little unsure)

Run Combofix again
Save the log file to be included in your next reply

Restart

Download this > Hosts file
Unzip it
Run "mvps.bat"
click on Start > Run > Services.msc > ok
Locate: "AVG Free9 Watchdog" service > Double click on it:
> Change "Disable" to "Automatic"
> "Start" it
> Apply
> Ok

Still in Services Window:
Locate: "DNS Client" service > Double click on it:
> Change "Automatic" to "Manual"
> Apply
> Ok
Close Services Window

Run a HJT Scan only
Place a tick next to the following entries and select Fix:
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

Restart again

Run a HJT scan and log file
Attach this log file and the Combofix log to a new reply
 
OK...I'm a little freaked out at the moment, cause internet explorer is suddenly getting stalled on opening, considers that last session ended unexpectedly...although I closed it normally...and then goes 'not responsive', needs to be stopped...did I screw something up?

Anyways, following your info, here we are..looks to me like there is still a hosts issue and still a redirect problem in google.
 
Are you running "Systems Management Server"? http://technet.microsoft.com/en-us/library/cc723572.aspx

Within the last 30 days a file was installed: c:\windows\_MSRSTRT.EXE that states you are.
Here's another: c:\windows\system32\deploytk.dll


You have: c:\program files\BitComet installed
This is a P2P file sharing program, that needs to be fully uninstalled

You have Windows Media Player streaming videos installed
You need to install this security update to stop remote code execution: http://support.microsoft.com/kb/974112

You have WiseCustomCalla1. in Windows, looks like to be Malware that should have been picked up by Malwarebytes or your Antivirus

----------

I tell you what, do this:

Go to Add/Remove Programs, and uninstall:

Systems Management Server (you may need to search through the installed list for this)
BitComet (obviously ;))
AVG9 (you can re-install it later if you like, although it hasn't protected you here)

Then before restarting run the AVG Remover: http://www.avg.com/filedir/util/support/avgremover_en.exe

Restart

Download and run Avira free Antivirus: http://www.free-av.com/
Update it and run a full scan
Provide this log file (of Avira) in a new reply
 
I looked everywhere I could to uninstall this SMS thing, it's not in the list, unless it goes by another name. I certainly didn't intentionally install it. A quick google search suggests that some virus is using this name as an alias...? does that make sense?

I did uninstall Bit comet as part of my 8 steps before posting, I swear :confused:
I guess it left some files behind, can I just delete those program files?

I don't seem to know how to get the actual update for media player from that link...do I need to be installing the Microsoft Updater program it refers to? doesn't Microsoft already automatically install its updates?

Anyways, I did my best to remove AVG. To be fair it was Nod 32 that let me down initially here...I just switched it for AVG last week because it was recommended and I liked the way it checks search engine results for safe passage.

Now...I got Avira...but I can't update it either! I'm banging my head against the table as we speak. I'm attaching both the avira scan log and the failed update log in case there's anything there you can see.

Thanks again for your time...I can't believe what a mess I've made of this.
 
The issue is (as you know) the hosts file entries
And what's stopping it from being cleaned

Programs that can stop this are:
Your Comodo Internet Security
Windows Defender
Spybot S&D
Other live protecting software (not Avira though)

What I'd like you to do is uninstall any/all of these programs in Add/Remove Programs (note: we have already tried disable - it didn't work!)

Uninstall Comodo and any others
Restart
Then run HJT scan only
Tick every "O1" entry, and select Fix
Restart

Run HJT Scan only, and they should be removed (I expect)
If so, then update Avira (note the first update is slow and big - just like all other programs that update for the first time)

Please try that
 
Hi Kimsland,

Sorry to butt in.

The problem is not the resident protection, the hosts file is completely corrupt.

Best bet would be to completely remove it, reboot and then install the new one.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:
Files to delete:
C:\windows\System32\drivers\etc\hosts

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

Post a new HijackThis log after.
 
Oh, I knew that we could just delete the file
But I thought that the backup of Hosts file would just come back, or that possibly one of the resident protection programs had secured it somehow

If it's just the easy process of deleting the hosts file, that will be good
Note: I did get the OP to replace and install a new one already with mvps.bat, why didn't that just do it?

kritius, what is this symbol in your post? (in the word: "Avenger s")
After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
 
Only shows up on this forum, everywhere else is fine. (vbforum software, go figure, patchy at best)

This infection is a sticky one, it may well be that it is blocking the hosts file from being changed at all. Key thing is after this to see if the redirects are happening, not just if it is still showing in the logs.
 
I am going to try kritius's avenger thing. This problem with not being able to affect the host file was definitely a key part of this infection, it was there before all these attempts at security and removal began.

Wish me luck.
 
pasting avenger results now...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\windows\System32\drivers\etc\hosts" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



The redirects don't seem to be happening from the google homepage anymore (YAY) but oddly still get sent to awful Gala search engine shopping results when I use the little google search bar the explorer has up beside the address bar!?!
 
don't abandon me now guys!

Don't I need a host file? If I just deleted it do I need to put something back in its place?
 
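As an added illustration of the hosts-file hijack that kimsland and kritius discuss above (HJT's O1 entries, a hosts file that keeps reverting), and of the thread's last question about whether a hosts file is needed at all: the Python script below is an editor's example, not code from anyone in the thread, from HijackThis or from The Avenger. It parses hosts-file text, flags every entry that points a name anywhere other than loopback or the 0.0.0.0 blackhole, and groups the flagged names by destination address, which is how a hijack usually shows up (several unrelated vendor or update sites mapped to one address). The sample hosts content is constructed, with a documentation-range address standing in for the redirect target; the only mapping Windows actually needs is the localhost line, which default_hosts() returns.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed sample hosts file (not from the thread): one legitimate loopback
# entry, a blackhole-style ad-blocking entry, and two entries of the kind a
# hijack leaves behind: security-vendor names pointed at a non-loopback address.
# 198.51.100.0/24 is a documentation range, so the address points at nothing real.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   www.malwarebytes.org
198.51.100.23   www.avira.com       # constructed example of a hijacked entry
0.0.0.0         ads.example.net     # blackhole entry, harmless
::1             localhost
"""

# Destinations that never send traffic anywhere: loopback and the unspecified address.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Parse hosts-file text into one record per (address, hostname) pair.

    Comments (# ...) and blank lines are skipped. Lines whose first field is not
    a valid IP address are kept with valid_ip=False so an auditor still sees them.
    """
    records: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
            valid = True
        except ValueError:
            valid = False
        for name in names:
            records.append({"line": lineno, "ip": address, "name": name, "valid_ip": valid})
    return records


def suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Entries that redirect a hostname somewhere other than loopback/blackhole.

    A stock Windows hosts file contains only loopback entries, so anything else
    deserves a look; malformed addresses are reported as well.
    """
    return [r for r in parse_hosts(text)
            if not r["valid_ip"] or r["ip"] not in BENIGN_TARGETS]


def shared_redirect_targets(text: str) -> Dict[str, List[str]]:
    """Group suspicious hostnames by the address they are redirected to.

    Many unrelated names on one address is the classic shape of a hosts-file
    hijack, e.g. several antivirus update sites all sent to the same IP.
    """
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for r in suspicious_entries(text):
        by_ip[str(r["ip"])].append(str(r["name"]))
    return dict(by_ip)


def default_hosts() -> str:
    """Minimal replacement hosts file: Windows only needs the localhost mapping."""
    return "127.0.0.1       localhost\n"


if __name__ == "__main__":
    # Usage: swap SAMPLE_HOSTS for the text of a copy of
    # C:\Windows\System32\drivers\etc\hosts taken from the machine under review.
    for r in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {r['line']}: {r['name']} -> {r['ip']}")
    print(shared_redirect_targets(SAMPLE_HOSTS))
```

Run it against a copy of the hosts file rather than the live one; a clean file yields no suspicious entries, and a file with many names funnelled to one address is the pattern worth checking against the redirects the user reports, since an entry for a vendor update host on that list is also a plausible reason for the update failures described earlier in the thread.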