
Antimalware Doctor, Google Hijack and a Strange (and Tragic) relationship with the Internet


5 replies to this topic

#1 jamonit

jamonit

  • Members
  • 3 posts

Posted 13 July 2010 - 01:30 AM

I've been battling with my sister's computer for a couple of days now and I think I need help. It's difficult to remember all the exact steps I've taken to date, but I will try my best.

This is a home computer and I run Windows XP on a Dell Desktop. I was running AVG (but it has since been uninstalled, read below) at the time of the initial problem, and I don't see any evidence that the firewall was compromised (though I'm not positive).

Initially I was hit by a virus that launched several frightening windows, told me how infected I was and to buy some bogus antivirus. I tried to end as many unfamiliar processes as I could and disconnected from the internet.

The symptoms left behind were:
1) Computer was insistent that I was infected (which I believed) and that I should buy Antimalware Doctor (which I didn't believe)
2) Being redirected when I click on a link in Google to an advertising site.
3) Preventing AVG and Spyware Doctor (which I had just downloaded for the purpose) from updating.
4) Preventing Spybot from launching (but it does work in Safe Mode).

Furthermore, I was saddled with programs called "Antimalware Doctor", "Sky Banners Browser Enhancer" and "Street Ads Browser Enhancer", all of which were unfamiliar and suspicious.

I'll do my best to remember exactly what steps I took. I tried following this thread (http://www.bleepingcomputer.com/virus-removal/remove-antimalware-doctor) but found that the only process Rkill would terminate is Rkill itself. I did manage to use MalwareBytes and I believe that it mostly solved the Antimalware Doctor problem. I can post that log (or any of the subsequent 6 logs, some of which found problems.)

But symptoms 2, 3 and 4 were still a problem.

I tried to follow directions other people had taken about Google Hijack viruses, but I was always hampered by my inability to launch certain programs and others unable to access the internet.

I first started by trying to Uninstall then Reinstall AVG. But, when AVG couldn't access the internet, it couldn't reinstall. So, I started scouring the internet for solutions on how to start these things up. I ended up trying to uninstall Sky Banners and Street Ads but of course they would just say they've already been uninstalled. Malwarebytes was pointing to problems in the registry like HKEY_Local_Machine\system\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{eadd9937-214b-40ce-8fb5-e589eabb6a8c} which would keep coming back so I went in and deleted anything that looked like that in there.

So where it stands now is that the computer cannot access the internet at all ("network cable is unplugged" even though it's not), and though I can't confirm this (because I can't access the internet) I'm pretty sure the virus is still on there (because SpyBot will only launch in Safe Mode; otherwise it terminates before it starts to load). I've been all over Microsoft's website and different forums looking for TCP/IP and Winsock fixes, hoping they might be able to get me back on the internet. I've tried various registry fixes that I've found online, but none seem to help at all. Basically I have no idea what I'm doing and need help.

I've tried to be as clear as I can, but I'm aware that I've done a bad job of it. For any logs (Malwarebytes, HijackThis, or anything else) or clarifications that might help find a solution, just ask. I would guess that there's about a million karma points up for grabs on this one.

Edited by Budapest, 13 July 2010 - 01:42 AM.
Moved from XP ~BP



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts

Posted 13 July 2010 - 01:42 AM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 jamonit

jamonit
  • Topic Starter

  • Members
  • 3 posts

Posted 13 July 2010 - 04:19 AM

Hey Budapest, thanks a lot!

I ran TDSSKiller and it did indeed find a TDSS rootkit which it (I think) flushed out. I rebooted the computer and then ran Malwarebytes, which found the same 4 files that it seems to find every time. I fixed them and restarted the computer. I ran TDSSKiller again for good measure and it came out clean.

But the symptoms still persist with no change: Windows won't recognize an internet connection, and SpyBot won't launch.

I went ahead and created GMER and DDS logs which I can post if that'll be helpful. The forum description says to not post DDS logs, so I'll stick to that unless I hear otherwise. I'm not really sure where to go from here though.

Cheers.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts

Posted 13 July 2010 - 04:56 AM

The rootkit might have changed your proxy settings, which would cause this problem. See this:

http://forums.majorgeeks.com/showthread.php?t=207357
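Added here to illustrate the check Budapest suggests; this script is not from the thread, from BleepingComputer, or from any of the tools named in it. It assumes PowerShell 2.0 or later (an optional install on Windows XP SP3, built in on later Windows) and an administrator session, and it only reads settings: the per-user WinINet proxy values (ProxyEnable, ProxyServer and AutoConfigURL), the DNS servers stored under each Tcpip Interfaces key of the kind Malwarebytes was flagging in the first post, and any hosts-file lines beyond the localhost defaults. The registry paths and value names are the standard Windows ones; the report strings are my own.

```powershell
# Added example (not from the thread): read-only audit of the settings a
# browser-redirect rootkit commonly tampers with: the user's proxy/PAC
# configuration, per-interface DNS servers, and the hosts file.
# Assumes PowerShell 2.0+ and an administrator session. Nothing is modified.

$findings = @()

# 1. WinINet (Internet Explorer / system-wide) proxy settings for the current user.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1) {
    $findings += "Proxy enabled for this user: ProxyServer=$($p.ProxyServer)"
}
if ($p.AutoConfigURL) {
    $findings += "Automatic proxy script (PAC) configured: $($p.AutoConfigURL)"
}

# 2. DNS servers on every TCP/IP interface. A DHCP-configured adapter normally has
#    an empty static NameServer; a value pointing at a server you never set is the
#    thing to investigate. The keys are read, never deleted, because they also hold
#    the adapter's IP configuration.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem -Path $ifRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $i = Get-ItemProperty -Path $_.PSPath
    if ($i.NameServer) {
        $findings += "Interface $($_.PSChildName): static DNS NameServer=$($i.NameServer)"
    }
    if ($i.DhcpNameServer) {
        $findings += "Interface $($_.PSChildName): DHCP-assigned DNS=$($i.DhcpNameServer)"
    }
}

# 3. hosts-file entries other than comments and the default localhost lines.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts -ErrorAction SilentlyContinue |
    Where-Object {
        $_ -match '\S' -and
        $_ -notmatch '^\s*#' -and
        $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b'
    } |
    ForEach-Object { $findings += "hosts entry: $_" }

if ($findings.Count -eq 0) {
    'No proxy, custom DNS, or hosts-file overrides found.'
} else {
    $findings
}
```

Run it before changing anything and keep the output: a proxy server or PAC URL you never configured, a static NameServer on an adapter that should be using DHCP, or a hosts line for a site you did not add is what a redirect-style infection leaves behind, and the same script run again after cleanup shows whether those settings are actually gone.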

#5 jamonit

jamonit
  • Topic Starter

  • Members
  • 3 posts

Posted 17 July 2010 - 01:44 AM

Thanks Budapest!

I ended up doing a couple of other things and resolved the problem, but I think that TDSS killer was the turning point. Just thought that I'd make sure to say thanks without running away on you.

And as I promised, here you are: A million karma points. Spend them wisely.

#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts

Posted 17 July 2010 - 02:46 AM

:thumbsup:
