Hi, I really need some help - I’m trying to get rid of some kind of malware that causes Google searches to randomly redirect. I am running Avast and have run scans with it and also Malwarebytes and also the Kaspersky virus removal tool and OTL. I see a lot of infections that it says it’s removing, but I don’t seem to be making any headway and assume there is a registry fix that needs to be made, but I don’t know what to look for.
I’ve been working on it for three days, but I’m not making progress, any assistance would be appreciated.
Bill
Ok, I ran into an additional problem - I ran OTL (before posting here so without any custom scan instructions), after the scan it asked for a restart of the computer. Now I can only get Windows to load in safe mode. I just re-ran Malwarebytes, but wasn’t sure I should do OTL again?
I have attached all the scan logs I got from Malwarebytes just now and the ones from OTL before the blue-screen problem cropped up. If I need to re-run OTL again in safe mode, let me know.
Thanks,
Bill
Our corporate server has Symantec enterprise software, but we no longer run the client version on individual desktops.
I overlooked the Kaspersky log…it’s attached.
OTL does not ask to restart the computer after a scan as there is no requirement for that - all it is doing at this stage is analysing.
When you try to restart normally do you get a blue screen with some data on it?
Warning: This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Download the attached Fix.txt
Run OTL
Press the run fix button
In the dialogue that comes up navigate to the fix.txt and select it
Press run fix again
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Yes, I do - a blue screen with data flashes for a second but not quickly enough to read…so I’m stuck in safe mode, which does work.
So I assume I can run this fix in safe mode ok?
Thanks!
Ok, did as instructed - still only comes up in safe mode for now.
Attached is the log file from the OTL scan after the fix.
Also, I looked and there are about 10 minidumps, the latest from August 2011.
Thanks!
Attached are the system event logs, in order, relative to my last attempt to startup Windows normally and then fall back to safe mode. I thought I’d send it in case it shows something that’s causing the problem…
Thanks!
It definitely claimed to be OTL asking to reboot the computer. It was right after I ran the fix. I expected to have to manually reboot it based on your instructions, but it popped up and asked for a restart, so…
Here is the Farbar log: (and THANK YOU so much for helping me with this - I am so grateful)
Farbar Service Scanner Version: 01-03-2012
Ran by billmcclain (administrator) on 07-03-2012 at 17:06:52
Running from “C:\Documents and Settings\billmcclain.FLAGLER\Desktop”
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Nerwork
Internet Services:
Connection Status:
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
Firewall Disabled Policy:
System Restore:
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: “C:\WINDOWS\system32\srsvc.dll”.
sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: “\SystemRoot\system32\DRIVERS\sr.sys”.
System Restore Disabled Policy:
Security Center:
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: “C:\WINDOWS\system32\wuauserv.dll”.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: “C:\WINDOWS\system32\qmgr.dll”.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: “C:\WINDOWS\system32\svchost.exe -k netsvcs”.
The ServiceDll of EventSystem: “C:\WINDOWS\system32\es.dll”.
File Check:
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000090000000600000007000000
IpSec Tag value is correct.
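Added example, not part of the thread or of Farbar's own tooling: a small Python triage helper for Farbar Service Scanner (FSS) output like the log above. It pulls out the three things a responder checks first in such a log: services reported as not running, start types that differ from the OS default (here sr and BITS), and File Check entries whose MD5 was not confirmed. The embedded log is a constructed excerpt in the same format; the final "not legit" line is made up to exercise the mismatch path, and its exact wording is an assumption.

```python
import re
from typing import Dict, List

# Constructed excerpt in FSS format (modelled on the log in the post above).
# The last File Check line is invented so the mismatch branch is exercised.
SAMPLE_LOG = r"""System Restore:
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".
Windows Update:
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
File Check:
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\tcpip.sys => MD5 is not legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\."
)
FILE_CHECK = re.compile(r"^(\S+) => (.+)$")


def triage_fss(log: str) -> Dict[str, List]:
    """Summarise an FSS log: stopped services, start types that differ from the
    default, and system files whose MD5 FSS did not confirm as known-good."""
    out: Dict[str, List] = {"stopped": [], "start_type_changed": [], "file_mismatch": []}
    for raw in log.splitlines():
        line = raw.strip()
        if m := NOT_RUNNING.match(line):
            out["stopped"].append(m.group(1))
        elif m := START_TYPE.match(line):
            # (service, current start type, default start type)
            out["start_type_changed"].append((m.group(1), m.group(2), m.group(3)))
        elif m := FILE_CHECK.match(line):
            path, verdict = m.groups()
            if verdict != "MD5 is legit":   # anything else means the hash was not confirmed
                out["file_mismatch"].append((path, verdict))
    return out


if __name__ == "__main__":
    for key, items in triage_fss(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

A changed start type on a service like System Restore or BITS is worth noting in a removal thread because it is a common side effect of this class of infection and is not restored automatically when the malware files are deleted.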
I ran OTL (before posting here so without any custom scan instructions), after the scan it asked for a restart of the computer. This is the bit I was enquiring after - as a standard scan will never ask for a reboot.
Did you run the AVP tool?
If so and you still have it
Upload the entire zip file to mediafire and post the sharing link please
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
Ok, I found the zip file and I’ve uploaded it to mediafire, but it’s taking a long time to verify. It’s also in my Google docs (public link below). I’ll keep waiting for mediafire to verify, if Google docs doesn’t work for you.
I’ve looked everywhere I can think of to try to figure out what’s wrong with my startup process…perhaps the virus changed some key files? Before closing down for the night, however, I decided to work on capturing the screen message that pops up so quickly when I try to start Windows normally. I used my iPhone to take a movie of the moment and look back frame by frame - here is what the message says:
“A problem has been detected and Windows has been shut down to prevent damage to your computer If this is the first time you’ve seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.
Check with your hardware vendor for any bios updates. Disable bios memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced startup options, and then select safe mode.
Technical information:
***STOP: 0x000000”
Any ideas? Thanks very much for all your help,
Bill
Ok, sorry for the delay. I have the Windows CD and have the machine booting from CD now. Shall I just run the repair program? As I remember, that won’t impact my document files and things…