google redirects and programs that won't run

physiojim · Oct 8, 2010

my computer became infected about 2 weeks ago. I only noticed that the virus was there when I when to a bookmarked site (streaming radio). have tried adaware and a number of different things, but without success.

I have read and followed the read me first post and followed all of the steps. I have noted the following during the process:

On "step 5" I have noted there is "Antivirus 2010" that I cannot remove with this message attached; "An error occurred while trying to remove Antivirus 2010. You do not have access to \\.\globalroot\systemroot\system32\userinit.exe . You can specify the new uninstall program below."

The scanning software downloaded without issue, but SUPERAntiSpyware, Malwarebytes, ComboFix would not run (I click on the icon then, nothing happens)

I could not access the rootrepeal website as I was redirected.

MGtools seemed to run without issue.

I have only the MGlogs to attach. the are below.

thank you in advance for any help that you can provide.

TimW · Oct 8, 2010

Have you tried running SAS, MBAM and Combo on any of the other user accounts?

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [rundll32] C:\WINDOWS\system32\ntload.exe
O4 - HKCU\..\Run: [rundll32] C:\Documents and Settings\BM\rundll32.exe
O23 - Service: Antivirus 2010 (userinit) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\us?rinit.exe (file missing)
Click to expand...

After clicking Fix, exit HJT.

Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rundll32"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"rundll32"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
"NameServer"=""

[HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
"NameServer"=""

[HKEY_LOCAL_MACHINE\system\controlset003\services\tcpip\parameters]
"NameServer"=""

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{b3385494-2969-48db-af65-f1a288980b50}]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{ec000968-7571-400a-a4a1-ffba02acf712}]

[-HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters\interfaces\{b3385494-2969-48db-af65-f1a288980b50}]

[-HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters\interfaces\{ec000968-7571-400a-a4a1-ffba02acf712}]

[-HKEY_LOCAL_MACHINE\system\controlset003\services\tcpip\parameters\interfaces\{b3385494-2969-48db-af65-f1a288980b50}]

[-HKEY_LOCAL_MACHINE\system\controlset003\services\tcpip\parameters\interfaces\{ec000968-7571-400a-a4a1-ffba02acf712}]

Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now use windows explorer to find and delete:
C:\Documents and Settings\BM\rundll32.exe
C:\WINDOWS\system32\ntload.exe

Now see if you can't run the other scans and attach them to your next reply.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

physiojim · Oct 13, 2010

Sorry for the delay in the response.

I tried to run SAS, etc... in other accounts without success.

I then disabled anti-spyware software, ran MGtools, closed browser and "fixed" the lines that you indicated.

copied the text to the file and double clicked it. there was confirmation that it was added to the registry successfully.

I used "my computer" rather than "windows explorer" to delete the files that you requested.

I attempted to run the scans again. there was no change. no success. before I ran MG tools I noted that my internet connection was down.

I have checked with my isp and everything is fine from their end. my computer says that my ethernet card is working correctly, but there is no way to connect to the internet. (computer connected directly to modem... via cat5 cable. no router)

so I am now unable to connect to the net (hence the long time between request and reply) and am writing you from a friend's computer.

any suggestions?

should I just get a nice fresh start with the system recovery software?

thanks in advance,

Jim

TimW · Oct 13, 2010

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip
Click to expand...

That is what I need.

Log in or Sign up

google redirects and programs that won't run

physiojim Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

physiojim Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member