Search Engine Redirecting can't open programs

August 10, 2009 at 14:13:45
Specs: Windows XP SP 2
I have a virus that does not allow me to open certain anti-spyware programs such as Malwarebytes, XoftSpySE, ComboFix. Also, the virus redirects my searches on all search engines to shady-looking sites that try to download things. I have run Ad-Aware and it has gotten rid of some things but has not fixed anything. I have tried running my computer in safe mode and I am still unable to run certain programs. Also, the virus makes my computer run unreasonably slow and sometimes crashes my computer. I have run a few registry cleaners but nothing seems to work. I cannot run a system restore because I stupidly left the delete system restore points box checked and they got deleted. I have thought about running a Windows Repair Install but I am hoping I could find some answers here.

#1
August 10, 2009 at 17:18:08
Follow:
1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, fix anything detected.

2) Run a full scan with SuperAntiSpyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.


#2
August 10, 2009 at 17:30:51
I can't run either of the programs listed. I think somehow the
virus isn't letting me run certain programs.

#3
August 10, 2009 at 18:28:47
Download and run Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool in safe mode:
1) Check below options:

    * Select all the objects/places to be scanned.
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

2) Click Scan
3) Fix what it detects
4) Zip/Rar Scan log/Summary and upload it to rapidshare.com. Post download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.


#4
August 10, 2009 at 19:54:08
When I try to run my computer in safe mode, my internet
doesn't work and the resolution makes everything really big x.x
I'm a complete noob with computers (obviously because I have
a virus) and don't know what to do.

#5
August 10, 2009 at 20:31:10
Yes, that is normal. You can start Safe Mode with Networking for your internet to work in safe mode.

If I'm helping you and I don't reply within 24 hours send me a PM.


#6
August 10, 2009 at 21:35:31
Ohh ok. Thank you.
I will run this scan overnight and hopefully get some results in
the morning.
Thank you for your help :)

#7
August 11, 2009 at 17:30:32
So I ran it overnight and it's at 97%
It's been running for about 22 hours and has only found 1 thing.
.__. I really hope it fixes something.

#8
August 11, 2009 at 17:39:50
What did it find?

If I'm helping you and I don't reply within 24 hours send me a PM.


#9
August 11, 2009 at 17:47:10
Some trojan in my temporary files.

detected: Trojan program Trojan.Win32.TDSS.ambt


if that helps at all.


#10
August 11, 2009 at 19:24:27
Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.


#11
August 12, 2009 at 12:20:05
Well I think I got rid of the redirecting virus in the last scan but
I'll run this one too just to be safe.
I didn't run it last night because my computer is in my room and
I have trouble sleeping with my computer on.

Thank you for all the help!
I'll see what this virus scan finds.


Edit:
Here is the gmer file:
http://rapidshare.com/files/2666843...
and this is the name of the version I downloaded:
o36zh011.exe


#12
August 12, 2009 at 13:59:41
My searches are no longer redirected but my computer still
runs a bit slower and I am still unable to uninstall and run some
programs.

#13
August 12, 2009 at 14:18:24
There are still traces of it. Try to follow: Response Number 1

If I'm helping you and I don't reply within 24 hours send me a PM.


#14
August 12, 2009 at 15:08:25
When I try to run Malwarebytes, it doesn't open.
I've tried re-installing it but it just won't work.
When I try installing SuperAntiSpyware, I get an error and it
won't install.
I tried both of these in safe mode to no avail.

#15
August 12, 2009 at 16:18:48
Follow these steps in order numbered:

1) Open Gmer like before.
2) Click on the >>> tab. This will open up the rest of the tabs for you.
3) Click on the CMD tab and make sure CMD.EXE is selected.
4) Now highlight the contents of the below codebox and copy it to the clipboard by pressing ctrl+c

o36zh011.exe -killall
o36zh011.exe -del service UACd.sys
o36zh011.exe -del reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
o36zh011.exe -del reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys
o36zh011.exe -del reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys
o36zh011.exe -del reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
o36zh011.exe -killfile C:\WINDOWS\system32\drivers\UACndoyqqujvr.sys
o36zh011.exe -del file C:\WINDOWS\system32\drivers\UACndoyqqujvr.sys
o36zh011.exe -del file C:\WINDOWS\system32\UACuiynipulqg.dll
o36zh011.exe -del file C:\WINDOWS\system32\UACovyirtbijn.dll
o36zh011.exe -del file C:\WINDOWS\system32\UACswwyltewpr.dat
o36zh011.exe -del file C:\WINDOWS\system32\UACqlthfafdmt.db
o36zh011.exe -del file C:\WINDOWS\system32\UACnosbjhqhtk.dll
o36zh011.exe -del file C:\WINDOWS\system32\UACbmgcyuprbj.dll
o36zh011.exe -del file C:\WINDOWS\system32\UACikpabfqogb.dll
o36zh011.exe -reboot


5) Now paste the contents into the top black box in GMER by using ctrl+v.
6) Click Run, the script will run and then your PC will be rebooted.
7) After the reboot, rerun GMER like before and attach the new log.

If I'm helping you and I don't reply within 24 hours send me a PM.


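An added example, not part of the original post and not GMER's own code: a Python sketch that parses the cleanup script from the reply above, exposes the tool file name it invokes (every line calls the randomly named GMER download, so the name must match the file actually on disk), and reports which of its file and registry targets are still visible after the reboot. The names `parse`, `key_exists` and `residuals` are illustrative; a rootkit driver that is still loaded can hide its objects from these queries, so an empty result complements the GMER rescan in step 7 rather than replacing it.

```python
import os
import re
# Added example (names are illustrative). SCRIPT is copied verbatim from the reply above.
SCRIPT = r"""o36zh011.exe -killall
o36zh011.exe -del service UACd.sys
o36zh011.exe -del reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
o36zh011.exe -del reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys
o36zh011.exe -del reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys
o36zh011.exe -del reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
o36zh011.exe -killfile C:\WINDOWS\system32\drivers\UACndoyqqujvr.sys
o36zh011.exe -del file C:\WINDOWS\system32\drivers\UACndoyqqujvr.sys
o36zh011.exe -del file C:\WINDOWS\system32\UACuiynipulqg.dll
o36zh011.exe -del file C:\WINDOWS\system32\UACovyirtbijn.dll
o36zh011.exe -del file C:\WINDOWS\system32\UACswwyltewpr.dat
o36zh011.exe -del file C:\WINDOWS\system32\UACqlthfafdmt.db
o36zh011.exe -del file C:\WINDOWS\system32\UACnosbjhqhtk.dll
o36zh011.exe -del file C:\WINDOWS\system32\UACbmgcyuprbj.dll
o36zh011.exe -del file C:\WINDOWS\system32\UACikpabfqogb.dll
o36zh011.exe -reboot"""

LINE = re.compile(r"^(\S+\.exe)\s+-(killall|reboot|killfile|del)"
                  r"(?:\s+(service|reg|file))?(?:\s+(.+))?$", re.I)

def parse(script):
    """Return (tool file names, {kind: [targets]}) named by the script."""
    tools, targets = set(), {"file": [], "reg": [], "service": []}
    for m in filter(None, map(LINE.match, map(str.strip, script.splitlines()))):
        exe, verb, kind, arg = m.groups()
        tools.add(exe.lower())
        kind = "file" if verb.lower() == "killfile" else (kind or "").lower()
        if kind and arg and arg not in targets[kind]:
            targets[kind].append(arg)
    return tools, targets

def key_exists(path):
    import winreg  # stdlib, Windows only; imported lazily so parse() runs anywhere
    try:
        winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path.split("\\", 1)[1]).Close()
    except OSError:
        return False
    return True

def residuals(targets, file_exists=os.path.exists, reg_exists=key_exists):
    """Files and registry keys from the script that are still visible."""
    return ([f for f in targets["file"] if file_exists(f)]
            + [k for k in targets["reg"] if reg_exists(k)])

if __name__ == "__main__":
    print(residuals(parse(SCRIPT)[1]) or "no listed file or key is visible")
```
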

#16
August 12, 2009 at 19:27:54
http://rapidshare.com/files/2667775...

#17
August 12, 2009 at 19:39:47
Can you run Response Number 1 now?

If I'm helping you and I don't reply within 24 hours send me a PM.


#18
August 12, 2009 at 21:26:34
Yes.
I'll run this one tomorrow and post my results.

#19
August 13, 2009 at 14:49:10
Malwarebytes log:
http://rapidshare.com/files/2670824...

SuperAntiSpyware log:
http://rapidshare.com/files/2670824...


#20
August 13, 2009 at 16:45:26
Update the virus database for both Malwarebytes and SuperAntiSpyware and run a full scan again.

If I'm helping you and I don't reply within 24 hours send me a PM.


#21
August 13, 2009 at 23:18:50
Updated Malwarebytes' scan:
http://rapidshare.com/files/2671866...

Updated SuperAntiSpyware scan:
http://rapidshare.com/files/2671866...


#22
August 14, 2009 at 06:09:52
Please post one more gmer log.

If I'm helping you and I don't reply within 24 hours send me a PM.


#23
August 14, 2009 at 20:28:36
I'm unsure of where my original gmer client went so I had to download another one.
This one is version
gpvoyw1t.exe
Hopefully that doesn't change anything.

http://rapidshare.com/files/2675200...


#24
August 14, 2009 at 22:14:43
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

2) Please zip up C:\qoobox\quarantine and upload it to a filehost such as http://rapidshare.com/. Then, Private Message me the download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.


#25
August 14, 2009 at 22:46:47
You should try browser hijacker removal, because it is a browser hijacker infection that hijacks and redirects Google and other search engine results to other sites (possible spam sites). For more information, see http://darfuns.com/remove-google-se...
