McAfee sites blocked, redirected websites, help!


15 replies to this topic

#1 wuchdawg

  • Members
  • 8 posts

Posted 04 May 2009 - 10:07 PM

Hi I'm new to this forum (actually new to forums in general) and I'm in need of some help.

I've been fighting a virus/malware/trojan/etc for a few days now and feel like I'm stuck.

System Info:
Windows XP Pro Service Pack 3
Internet Explorer 7

Here are the symptoms:
-Cannot update McAfee Suite (the free version for Comcast subscribers)
-Cannot visit any McAfee website ("The website is unable to display the webpage")
-Occasionally when I click on a link I'm redirected to a random other site (usually businesses)
-When redirected, I've seen web addresses such as "www.abcsearch.com", "redirect.clicksheild.net"
-When typing CMD or REGEDIT into the Run dialog box, the screen flashes and the Windows icons reload, the black command box disappears instantly

Here's what I've done:
-AdAware - updated and ran - found a few things, all removed
-SuperAntiSpyware - installed, updated and ran - found a few things, all removed
-MalwareBytes - installed and ran - could not update ("update failed") - found a few things, all removed
-McAfee - ran - hasn't found anything
-Norton Online Scan - ran - didn't find anything
I've run all the programs multiple times, in Safe Mode and under normal startup

I'm starting to get very frustrated and contemplating a hard drive format unless someone can help me out.

Thank you so much!



#2 Budapest

  • Moderator
  • 23,573 posts

Posted 06 May 2009 - 12:54 AM

Try this scan - you can copy it over from another computer on a CD or pen drive if you need to.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 wuchdawg

Posted 06 May 2009 - 09:22 PM

Thanks so much for replying.

I followed your instructions and Dr Web CureIt found 1 virus. Here is the contents of the DrWeb.csv file:

dqtscd.qtu;C:\WINDOWS;Trojan.DownLoad.36204;Deleted.;

The problems listed above still remain though.

#4 Budapest

Posted 06 May 2009 - 10:15 PM

Run a full-scan with SUPERAntiSpyware in Safe Mode and post the log.

How to start Windows in Safe Mode

#5 wuchdawg

Posted 07 May 2009 - 08:05 PM

Ok I ran SuperAntiSpyware in safe mode and here is the log file. The same thing keeps getting detected.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2009 at 07:27 PM

Application Version : 4.26.1002

Core Rules Database Version : 3875
Trace Rules Database Version: 1823

Scan type : Complete Scan
Total Scan Time : 00:54:27

Memory items scanned : 285
Memory threats detected : 0
Registry items scanned : 5549
Registry threats detected : 8
File items scanned : 78870
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\Dave\Cookies\dave@insightexpressai[2].txt
C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt
C:\Documents and Settings\Dave\Cookies\dave@revsci[2].txt
C:\Documents and Settings\Dave\Cookies\dave@doubleclick[1].txt
C:\Documents and Settings\Dave\Cookies\dave@mediaplex[2].txt
C:\Documents and Settings\Dave\Cookies\dave@apmebf[1].txt

Adware.MyWebSearch/FunWebProducts
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
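
Added example, not part of the original posts: a small Python triage script that normalises the two scanner logs quoted in this thread into one list and counts findings by threat name and object type. The Dr.Web column order is an assumption inferred from the single row posted, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the Dr.Web row and an excerpt of the SUPERAntiSpyware log
# quoted in the posts above (excerpt shortened for this example).
DRWEB_CSV = r"dqtscd.qtu;C:\WINDOWS;Trojan.DownLoad.36204;Deleted.;"
SAS_LOG = r"""Scan type : Complete Scan

Adware.Tracking Cookie
C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt
C:\Documents and Settings\Dave\Cookies\dave@doubleclick[1].txt

Adware.MyWebSearch/FunWebProducts
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
"""

# An item line starts with a drive path or a registry hive abbreviation.
ITEM = re.compile(r"^(?:[A-Za-z]:\\|HK(?:CR|CU|LM|U)\\)")

def parse_drweb(text):
    """Assumed column order (inferred from the one row): object;folder;threat;action;"""
    rows = []
    for line in text.splitlines():
        f = [p.strip() for p in line.split(";")]
        if len(f) >= 4 and f[0]:
            rows.append({"threat": f[2], "item": f[1] + "\\" + f[0],
                         "action": f[3].rstrip(".")})
    return rows

def parse_sas(text):
    """A threat name is the last non-item line before a run of item lines."""
    rows, name = [], None
    for line in map(str.strip, text.splitlines()):
        if ITEM.match(line):
            if name:
                rows.append({"threat": name, "item": line, "action": "listed"})
        elif line:
            name = line  # header lines land here too but never collect items
    return rows

def triage(rows):
    """Count findings per (threat, kind) so low-impact classes stand out."""
    def kind(item):
        if item.upper().startswith("HK"):
            return "registry"
        return "cookie" if "\\Cookies\\" in item else "file"
    return Counter((r["threat"], kind(r["item"])) for r in rows)

if __name__ == "__main__":
    for (threat, kind), n in triage(parse_drweb(DRWEB_CSV) + parse_sas(SAS_LOG)).items():
        print(f"{n:2d}  {kind:8s}  {threat}")
```

Run over the full logs, the second scan yields only tracking cookies and MyWebSearch interface keys, which is consistent with the poster's report that the symptoms persisted after cleaning.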

#6 Budapest

Posted 07 May 2009 - 09:44 PM

Are you now able to update Malwarebytes?

If so, run a quick-scan in normal-mode and post the log.

#7 wuchdawg

Posted 08 May 2009 - 06:32 PM

I still cannot update MalwareBytes. I even made sure my firewall was shut off. I did a scan anyway but it didn't find anything. Here is the log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/8/2009 7:30:57 PM
mbam-log-2009-05-08 (19-30-57).txt

Scan type: Quick Scan
Objects scanned: 103600
Time elapsed: 19 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Budapest

Posted 09 May 2009 - 04:00 PM

Try this scan:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

#9 wuchdawg

Posted 10 May 2009 - 09:27 PM

I tried the SDFix you recommended and I can't get it to work at all. I followed all of the troubleshooting steps but when it is run (in safe mode), the screen flashed and the window that asks you if you want to be in safe mode comes up (just like you first started Windows). When you click yes (for yes to start in safe mode) it returns to Windows.

Appears to me that I am completely locked out of any command screen.

#10 Budapest

Posted 10 May 2009 - 09:50 PM

How is your computer running now? Any more signs of infection?

#11 wuchdawg

Posted 10 May 2009 - 10:03 PM

Yes all of the original symptoms are still there (can't get into McAfee websites, can't use CMD, can't update McAfee, etc).

#12 Budapest

Posted 10 May 2009 - 10:07 PM

Try running RRT (Remove Restrictions Tool):

http://www.majorgeeks.com/RRT_Remove_Restr...Tool_d5635.html

And then try SDFix again.

Edited by Budapest, 10 May 2009 - 10:08 PM.


#13 wuchdawg

Posted 10 May 2009 - 10:15 PM

Just tried it. SDFix still doesn't work. I also still cannot get into regedit or cmd.

#14 Budapest

Posted 10 May 2009 - 10:31 PM

Try the fix at Kelly's Korner.

Lift Restrictions - TM, Regedit and CMD - #275 on the left.

Right click on it and save the .vbs file to your desktop. Then, double click on the file icon (on your desktop) to run the script. You may need to reboot your computer for the changes to take effect.

#15 wuchdawg

Posted 11 May 2009 - 05:20 PM

I ran the program you recommended from Kelly's Korner but I still can't run SDFix or get into CMD or REGEDIT.

I can't wait any longer knowing something is still in here so I will be formatting the whole system and starting from scratch.

I truly appreciate the time you spent trying to help me. Thank you.



