Can't run TDSS Fixers

I downloaded both the tdsskiller and FixTDSS onto a flash drive from a public computer, then copied them from the flash drive to the desktop of the infected computer. Neither will run either as Admin or with a double-click. All that happens is a pause (denoted by the blue circle) and then that stops and I'm back to where I was. Nothing opens, nothing appears to run, nothing....

What am I doing wrong? Do I have to be on the Internet for these to work?

Win 7
HP Pavilion dv6

Problem: bts.scour redirect issues

 

I do have the log from MBR Check. Is that helpful yet at this point?

 

I've attached it.

I am on a public computer and some of the download websites you provide links to are blocked. For example, the Rogue Killer(?) download site is blocked for 'malicious content.'

I am attempting to follow all your instructions in the "READ AND RUN ME FIRST" post, and I've completed the first three steps (except I don't have Firefox). I've been foiled at Step 4 and don't know if I should attempt to move forward, because your instructions clearly say not to skip steps.

 

Correction: I clicked the link in the "READ AND RUN ME FIRST" and made it through the first three steps of the "Fixing Google Redirection/hijacking..." instructions.

 

I was fooled by the part of the step that said "See this first" and it sent me to the Google Redirect Problems.

When I got to the final step, "Windows 7 Malware Removal...." things started going haywire starting with Step 3. RogueKiller and MalwareBytes seemed to do as they should, however the TDSSKiller still didn't run. HitmanPro also didn't run as described. When trying to run as Admin, a window popped up that said that the program didn't run as expected, and that Windows applied some changes. It said to try again, When I did, the program opened, and I clicked the Settings button, but got a blank blue window without the tabs that you showed.

It seems I am doomed.

 

Logs are attached. I still could not get the TDSSKiller to run. All I got was the blue circle, but nothing opened. HitmanPro also still didn't have the tabs after I clicked the 'Settings' button.

Win 7 64bit
HP Pavilion

suspect bts.scour, and received the FBI lockout screen

 

Uh oh. That doesn't work. When I select "Repair Computer" I get a black screen. I let it sit for 15 minutes, and it never came off the black screen. It will boot up otherwise.

????

 

....and, I got the FBI lockout again. The only way I know how to get past this is to do a system restore, so I did so to yesterday, at a Windows Defender restore point.

This is just FYI just in case you'll need me to repeat any of the steps I've already completed.

 

Done. At least I was able to complete all those things. Do I attempt to return to the former instructions on System Recovery? I've stopped with only the instructions in your last post.

Also, does this mean I could be clean now? I'm almost afraid of going to the Internet with that computer, except when the public computers don't allow me to go to a site that I have to go to.

 

I do apologize. I had the wrong path.

When I got my laptop home, I found it had rebooted on its own because it was giving me the "shut down improperly" message. It seems I can browse to the website I want only if I know the address. If I type in words that aren't an address, IE invokes Bing (which I normally do not use) to search, and then I get redirected to someplace I didn't ask for. It did this once and when I saw where it was going, I immediately killed IE and tried again, using only my browsing History or known addresses in full.

 

In addition, I am getting a Windows Defencer Alert. It says it has detected Trojan:Win32/Sirefef.AN and wants me to allow it to remove this. I believe it did so by itself once. To my knowledge, I don't have Windows Defender, so I am a bit leary about doing anything with this.

 

Done.

I just noticed you are from NJ. Are you floating in a raft with wireless electricity to be able to post to the forums?

 

Good to hear.

Here is what I've done this session, in order:
0. I previously re-enabled UAC through the Control Panel.
1. Replaced the Java.
2. Downloaded and ran the Defogger.
3. Attempted to uninstall HijackThis via Add/Remove, but it was not there.
4. Ran the EnableUAC from MG Tools (for good measure, I hope).
5. Deleted all the files for the tools we've been using, which were on the Desktop.
6. Ran MGClean.bat.
7. Went to Add/Remove to uninstall what I could find, and uninstalled CCleaner only. All others were not present, except Malwarebytes, which I opted to keep.
8. Flushed the Restore Points, with reboot. Now it has been re-enabled.

I am possibly noticing an uptick in the speed of IE loading webpages. Before all this, it was noticeably slower than typical, and my battery was being heavily taxed. I also hear my fan running a lot, which is not typical. I've not tried using any search engines - I still go only to pages through their full addresses.

Should I be good to go?

 

OOPS! I still have redirect issues. I accidentally typed in an inaccurate address and Bing searched it. I thought I should just try the link to the correct site to see what happens, and I went to a different site. When I look at the browser back button, I see a list of about six redirects between Bing and where I actually went.

 

I did the download, unzip, run, and reboot. Here is what happens:

I put in the IP for yahoo and it first went to a Yahoo page that said that the page could not be found, however after a few seconds I ended up on http://failsafe.fp.yahoo.com/

I put "Google" into the Bing box, and when I clicked on the link, I got to Google. I did this two separate times.

I put "Facebook" into the Bing box, and when I clicked on the link, I went through several redirect pages and ended up on "Daily Freshies." Among the links is bts.scour.com/index.html?3 Another one was mayoclnict.com..... There's more to it, but I didn't catch it all.

 

And yes, this morning Windows Defender found the Sirefef trojan again. I'm still ignoring it until you tell me otherwise.

 

I've opened WD and clicked the first entry. A screenshot is on the attached document, zipped to fit the file size limit. It shows that the problem was removed, however this was done by WD, not me.

UPDATE: While writing this, a new warning showed up, so I clicked on details and took another screenshot. It is on the second page of the attached document.

My computer runs extremely slow, and web pages often time out. When I look at my browsing history, I see pages that I didn't request, such as menshealthbase, womenshealthbase, and if.

 

Downloaded new MGTools, saved to desktop, disabled UAC, ran as Admin, attached zip file.

Notes:
1. When the SteelWerX error came up, it not only said it quit working, but a second window came up that asked me did I want to send info to Microsoft, to which I answered yes. A second window came up asking did I want to send additional info, and I again answered yes. These two additional windows did not come up the last time I ran MGTools.
2. When it was doing the DNS server test with nslookup, I got an error "Ordinal 1108 could not be located in dynamic link library WSOCK32.dll". I had to click OK to allow the script to proceed.

I hope you find my problem in this attachment..... You are the greatest!

 

I believe I ran the MGTools with the wireless turned on, in a public library. I can run it again and assure I have an Internet connection at the time if you need me to.

My recycle bin (from my desktop) has only these files in it at this time:
CCleaner shortcut
CCleaner exe
FixTDSS exe
Malwarebytes shortcut
Malwarebytes exe (mbam-setup-1.65.1.1000.exe)
A pptx that I recently tossed

I have also these other unusual things happening:
1. I cannot eject my flashdrives the usual way. One has the U3 lauchpad that it prefers I use, and the other I eject via the USB link in the tray. In all cases I have to go the Windows Explorer and eject.
2. IE routinely (2-3x/week) says it has stopped working, however none of my windows close. When I would get this message in the past, I'd lose at least one session of IE. Now everything freezes, but if I just leave it alone for a minute or two, I'm ready to go. Nothing ever closed or reopened.

I don't know if these last little tidbits help any, but maybe they are clues for you. I figured (hoped) they'd go away once I am clean.

 

Thanks, I will do that next.

I hate to tell you, but I am still having IE redirect issues. For example, I go to google.com and get Google. I search for "weather" and get expected results. I click on the title of the first one, with address "www.weather.com" which is an expected result. Here is where my browser goes:
1. www.bacotreaent.com/go.php?id=a05a7821fed1fc8027abc939....
2. http://distributorovernight.net/?a=YWZmaWQ9MDU1ODg=

It never actually gets to weather.com. It stopped on a blank page at the address given in #2.

Most of the time, it just times out, which is what happens when I try to go to the download link you provided in your last post. I'll keep trying.

I hope you are staying warm and dry up there in Jersey. Sandy is still getting top billing in the news down here on most days.

 

Glad you asked! I ran it last night, so here is the file..... uh oh. I notice the date on this file is 11/1, and yesterday is 11/3. I don't recall it asking me if I wanted to overwrite or not.... I probably assumed it just would. I do remember that it found 9 things, and most of them were "0Access" and several others were a Trojan. I also remember the "C:\$recycle..." location. I had it fix everything, so if I run it now, it probably won't find anything, right?

And no, sorry, I tested only IE. When I've tried Chrome the computer becomes so slow that everything just times out, but I do have IE open at the same time. I'll close out my IE and test Chrome next.

Sorry I am being such a pain! I wandered out on my own and that was a mistake! I should've waited for your instructions. I was frustrated with the long waits and locked up computer, and I'm in a class, so really need the Internet to just work! So sorry!!

 

Oh, my brain is so fried from studying all day!!! I meant that I ran Malwarebytes last night. I'm downloading the latest MGTools now, and will disable UAC and reboot before running it, then will send results. I'll be sure I have Internet access during the run as well.

BTW, I went to Chrome and first I had to click on the Google Search icon, and when I, I saw in the bottom left 'youtube.com' - I'm not a youtube person, so I'm thinking that is a redirect. I then typed "weather" in the search and it returned the expected results with weather.com on top. I clicked on that and watched the lower left corner. It first went to "click.searchwebresults.com...." and then "adconversation.com...send request..." and then landed on "63.209.69.107...." which shows another set of search results for 'weather' in a very crude format. I dare not click on any of those.....

Will check back in a minute with my MGTools results.....

 

Attached is the lastest MGTools log. I will also attach the Malwarebytes from yesterday for good measure, but have to go back through the forums to get the path correct.

I hope running Malwarebyes doesn't mess up the MGTools results.

 

Here is the Malwarebytes log from yesterday.

Thanks again for your patience with me!!

 

I still get a black screen. I've tried it both with the "Restart" option from the start button and also by turning off the computer and booting it up cold. I get the F8 menu but when I select Repair Computer (which is the default) I get the black screen. I waited about 5 minutes each time.

Sounds like this guy is messed up good, huh? I really haven't had trouble with it up until the initial 'FBI' screen. Once I had it telling me that my hard drive was bad, but the results that whatever tool I was using were conflicting (such as some parameter was too high and too low).... I installed and ran SeaTools, and all has been good. That was over a year ago. That's the only trouble I've had since this thing was new.

 

I do apologize. No, I do not. However, my computer came with a partitioned hard drive. Drive D is labelled 'Recovery' and Drive E is labelled 'HP Tools.' I've screenshot the the file folder tree so you can see what it there. I expanded it as much as possible. Some of the folders I can't expand; they shouldn't be hidden because I've taken off the 'Hide system folders.' Not sure why I can expand it any more than that.

I don't know how to use either of these drives to do anything for me. Let me know if this could be a solution.

 

The Norton that came with the computer does not allow me to uninstall it. I've not used it past the 90-day free term, and have not renewed it, so hopefully it didn't cause any problems with the Combofix.

Before I got your email, my computer became so slow that I couldn't get anything via the Internet. I ran a Malwarebytes scan last night. That will usually speed things up a little bit, and it did. Then I got your response and followed your instructions for Combofix.

Both the Malwarebytes and Combofix logs are attached.

 

The computer is still running slow. This was a well-oiled and quick Internet machine before all this started. Just to bring up the Reply-Manage Attachments box took about 2 minutes.

Google searches in IE still redirect. I did a search for "weather" and got the expected results. I clicked on the first result, 'weather.com' and watched the lower left corner. Here is what I saw (incomplete addresses, sorry):
1. copytech.....
2. bacotreaent.....
3. click.livesearhcnow.com/ads-clicktrack/click/jump2.do?affiliateid.....
4. I end up on the funky-looking search results page I mentioned before, addy: http://63.209.69.107/search/web/weather/a22/47539-525-direc47/v5

I did the same search in Chrome, and got this:
1. protection-searcher.com.....
2. answers.nixxie.com/s.php?k=weather....3. I end up on Nixxie Answers with another funky-looking search results page. addy: http://answers.nixxie.com/s.php?k=w...tection-searcher.com/index.php?search=weather

Oh, woe!

 

When I try to uninstall the factory Norton, I'm doing it via 'Uninstall or change a program' in the Control Panel. I right-click on the program and choose "Uninstall/Change" and then nothing happens. It just returns to where I was. When I uninstalled other programs (Norton Online Backup, for example), it opened a progress box.

I'm still looking for somebody with a Win7 disk, but no luck yet. It seems everybody gets their computers without disks these days, as was the case when I purchased this computer.

I've been using random library Internet connections, so I don't believe it is a router issue. When I am at home, I am tethered to my smartphone for Internet access, but since I am up against my data plan limit, I'm not really using it much lately.

I'm using a library computer to be able to reach you now, and will attach the logs when I get them.

Thanks for your continued patience. Hope you are staying warm and dry up there. It looks devastating by what they show on the news.

 

Update on Hitman Pro. I copied the downloaded file to the desktop, then right-click 'Run as Administrator.' I get a popup that says:

"Windows has detected that this program did not run correctly. To try and fix the problem, Windows has applied compatibility settings to this program. Windows will use these settings the next time you run the program. If you noticed that this program didn't run correctly, try running the program again. Program: HitmanPro 3.6 Publisher: SurfRight B.V. Location C:\Users\Tiger\Des...\HitmanPro36_x64.exe"

This is what happened last time as well. When I close the window (the only option) and try again to Run as Admin, I get the green frontscreen. I click the 'Settings' button and again get the blue window. I tried holding the LEFT CTRL button as instructed. After the second try I get the Force Breach message at the bottom: "HitmanPro terminaged 19 processes." Now I can continue.

I am doing this offline, so I clicked the "I'm an expert...." box on the Advanced tab, as instructed. I then selected EWS, and then "No...one-time scan."

It is running now, so PROGRESS!!! Yeah! I will IGNORE all detections when it is complete.....