Search Engines Hijacked, unable to run any antispyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by rccardude04, Feb 15, 2009.

  1. rccardude04

    rccardude04 Private E-2

    This one has got me stumped so bad I don't have any idea what to do... I hope someone can help.

    If I go to Google, I can search for things. But when I try to follow links, they take me to "Shopica.com" or somewhere similar that's just another spam site search engine.

    If I try to go to a local newspaper webpage, kansas.com, I get popups from 555casino popping up only slightly slower than the PC is able to let me close them. I would say probably 1 every second. The only way to make it stop is close all of them out.

    I am completely unable to visit majorgeeks from the infected computer at all. That includes ComboFix and MGTools. ComboFix is a different site, but it won't go there either.

    ComboFix: Page cannot be displayed
    MGtools.exe: Page Cannot Be Displayed

    Because I am unable to visit this site on the infected PC, I had to download all the applications from download.com...
    Also, I could not visit safer-networking.org. All I get are "the page cannot be displayed" errors in both IE and FireFox.

    I can PING from the command prompt ("ping www.safer-networking.org") and I get a good connection. The site itself is being blocked.

    Nothing actually works.

    SuperAntiSpyware installs, but when run, the message "SUPERAntiSpyware Application has encountered a problem and needs to close. We are sorry for the inconvenience. Send error report, etc..." appears.

    SpybotSD.exe *runs* but does not have any kind of interface. It's simply running in "processes" in the task manager. No further use can be achieved. Also, if you double click the program 5 times, it will run 5 times in "processes."
    Tried RE-NAMING to asdf.exe, but with the same effect. Shows up as asdf.exe in "processes" tab of task manager ONLY, and does not have any type of user interface. Not even a visual cue that it's even running. Nothing.

    Malwarebytes also installs (as mb.exe), but with the same effect as Spybot SD. Nothing actually happens. I also can't figure out if it's running in the "Processes" tab. It appears to do absolutely nothing. I had selected to update/run after install, but it did nothing. Just exit to desktop as SpyBot does.

    NONE of them have ANY logs that I can post, or I would.

    Nothing changes at all in Safe Mode. The programs all do the same thing. However, I did notice that Malwarebytes let me send an error report with the internet disconnected. This tells me that it's already hijacked Malwarebytes to the point where its error message is caused by the problem instead of an actual error.

    I have ESET NOD32 antivirus installed as of last night. Until then, the pc had no antivirus.

    I am lost. Normally I can get these issues sorted through with a spybot scan and a free trial from an antivirus software. This is a first.

    ANYTHING would be good. I'm very stuck here.

    Thanks in advance,

    -Eric
     
  2. rccardude04

    rccardude04 Private E-2

    I suppose this will get me moved back a bit, but I actually managed to convince MGTools to run.

    ComboFix won't run, and neither will ANY other spyware tools provided (or from anywhere else for that matter).

    Thanks again in advance. Hopefully this helps.

    -Eric
     


  3. rccardude04

    rccardude04 Private E-2

    Yet another advancement...

    If I get into the Device Manager, I have a AUFADU2D IDE Controller

    I uninstalled it and scanned for hardware changes, and now in place of that, I have an AZWBE28U IDE Controller.

    This mysterious device appears under "SCSI and RAID controllers."

    After uninstalling/re-searching for hardware changes twice, it still finds the same AZWBE28U IDE Controller. Weird?

    -Eric
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\DOCUME~1\MOM\LOCALS~1\Temp\csrssc.exe

    Now reset msconfig to normal startup. Reboot and:

    run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  5. rccardude04

    rccardude04 Private E-2

    Alright! 1 at a time I suppose...

    1. I got a success message from the registry update.

    2. I searched for C:\DOCUME~1\MOM\LOCALS~1\Temp\csrssc.exe

    I'm not familiar with the ~1 notation, I assume that's just shorthand for DOCUMENTS AND SETTINGS? If so, it's not there. I have show hidden files checked, and the other 2 unchecked (known file types and system files or w/e it is). I just don't see it in the temp file. Is this good or bad? Or am I going to the wrong place entirely?

    Log is attached.

    Thanks for the help!

    Also, I didn't try using anything on the computer for fear of it coming back up until I hear back from you.

    -Eric
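    A note added by the editor, not part of Eric's or TimW's posts: the "~1" pieces in that path are Windows 8.3 short aliases, so C:\DOCUME~1\MOM\LOCALS~1\Temp is the same folder as C:\Documents and Settings\MOM\Local Settings\Temp. The Python below models the documented basic rule Windows uses to build such aliases (uppercase, drop spaces and characters not allowed in 8.3 names, keep the first six characters, append ~N, keep a three-character extension) and uses it to confirm that a short-form path from a log names the same file as its long form. It is a model written for this thread, not a call into Windows: without a directory listing it assumes the first alias (~1) for each component, and it does not reproduce the hash-based alias NTFS falls back to after the first few collisions in one directory.

```python
"""Model of the Windows 8.3 short-name ("DOCUME~1") rule.

Added example for this thread; not a MajorGeeks tool.  Assumption: this
reproduces the documented basic NTFS/FAT rule only.  NTFS switches to a
hash-based alias after four collisions in a directory; that fallback is
not modelled here.
"""
from __future__ import annotations

# Characters that are dropped when an 8.3 alias is built (space is the usual one).
_STRIPPED = set(' +,;=[]')


def short_name(long_name: str, siblings: set[str] | None = None) -> str:
    """Return the 8.3 alias Windows would assign to one path component.

    siblings: short names already used in the same directory; when a
    candidate collides the numeric tail is bumped (~1, ~2, ...).
    """
    used = {s.upper() for s in (siblings or ())}
    name = long_name.strip().upper()
    stem, sep, ext = name.rpartition('.')
    if not sep:                      # no period at all: whole name is the stem
        stem, ext = ext, ''
    clean_stem = ''.join(c for c in stem if c not in _STRIPPED and c != '.')
    clean_ext = ''.join(c for c in ext if c not in _STRIPPED)[:3]
    # A name that already satisfies 8.3 gets no alias (e.g. CSRSSC.EXE, MOM).
    if (clean_stem == stem and clean_ext == ext
            and len(stem) <= 8 and len(ext) <= 3):
        return name
    base = clean_stem[:6]
    n = 1
    while True:
        candidate = f"{base}~{n}" + (f".{clean_ext}" if clean_ext else '')
        if candidate not in used:
            return candidate
        n += 1


def same_path(short_path: str, long_path: str) -> bool:
    """True when a short-form path (as printed in logs) names the same file
    as a long-form path, comparing component by component.  A component
    that is already long in the short-form path is accepted as-is."""
    short_parts = short_path.upper().split('\\')
    long_parts = long_path.split('\\')
    if len(short_parts) != len(long_parts):
        return False
    return all(s == short_name(l) or s == l.upper()
               for s, l in zip(short_parts, long_parts))


if __name__ == '__main__':
    # The path TimW asked Eric to delete, in both spellings.
    short = r"C:\DOCUME~1\MOM\LOCALS~1\Temp\csrssc.exe"
    long_ = r"C:\Documents and Settings\MOM\Local Settings\Temp\csrssc.exe"
    print(short_name("Documents and Settings"), short_name("Local Settings"))
    print("same file:", same_path(short, long_))
```

    When a directory already holds PROGRA~1, the next folder starting with "Progra" gets PROGRA~2, which is why the same long path can carry a different short form on two machines; a log entry should therefore be resolved on the machine it came from (dir /x in a command prompt shows the real aliases) rather than assumed from the name alone.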
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet....your logs are clean. Now please reset msconfig to normal startup. If you wish to control your startup programs use one of these:
    Startup Manager

    Startup_CPL

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  7. rccardude04

    rccardude04 Private E-2

    Bad news... I just tried to get on spybot's site. Nothing. Google, still being hijacked.

    Someone at my job suggested it may be a problem with the master boot record? He said something about typing "fix mbr" into the command prompt, but don't want to try anything until I hear from a second source.

    Is there anything else I can do?

    -Eric
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try running GooRedFix.
    • Please download GooredFix and save it to your Desktop.
    • Double-click Goored.exe to run it.
      • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
      • A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
    • Please attach the Goored.txt log to your next reply
    • Note: Do not run Option #2 yet.
     
  9. rccardude04

    rccardude04 Private E-2

    Alright, here's the log

    Thanks again for the help. I hope we can get this thing beaten. LOL

    -Eric
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  11. rccardude04

    rccardude04 Private E-2

    Anything that does not work in normal boot will not run in safe mode. It's all still dysfunctional.

    I did not have TDSServ.sys. I tried that before I posted if I remember right.

    I don't know what this is that's causing my problems, but it's nastier than anything I've ever seen before. I normally do a bit of malware removal for friends of mine, which usually just entails using spybot or a fix online, since I can usually discover the name of the program causing problems. But this one has me completely stumped.

    -Eric
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Starting to draw at straws myself.....are you able to do a system restore?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run the below, after the reboot, try again to run the scans. (SAS, MBAM & ComboFix).

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot. Please attach this log to your next post.
     
  14. rccardude04

    rccardude04 Private E-2

    I can't do a system restore. I get to the last step and click "next" and the button acts like it's been clicked, but NOTHING happens. It just sits there. I can go back and Cancel out of it though...

    bjgarrick, I ran the program, the log is attached.

    I'm not entirely sure what it does, but it certainly didn't get SpyBot working, and the site is still blocked. I didn't try any of the other programs since there's pretty much no chance they'll work either. I might not get to mess with it much tonight, got a bit of studying to do. Tomorrow in the mid-day though, I will have a bit of free time to hopefully get something figured out. I'm about to the point of just reinstalling windows.

    Thanks again for all the help :D

    Edit: I just noticed that log has a "hidden driver UACd.sys" in it. That appears to be causing my problems according to google. I'll not try to remove it until I get a reply from you guys though... I'll probably screw it up.

    -Eric
     


  15. rccardude04

    rccardude04 Private E-2

    Well, being me, I got impatient.

    I found an Avenger Script on Google (some random website that looked at least 80% legitimate... lol)

    safer-networking.org works.

    MalWareBytes is running

    AVG pops up periodically with freshly-found infected files.

    I'm on the right track I think... Will update when available. :)

    -Eric
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try this:

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot.

    Now attach the log and any other logs you are now able to run.
     
  17. rccardude04

    rccardude04 Private E-2

    Just got done running MalwareBytes. I have the log file.

    Spybot was updated, and is running right now.

    I should have a log from Avenger and Malwarebytes.

    I actually ran the script that I showed in my previous post. Didn't get a chance to try the one you posted. I've heard that the last digits after UAC are randomly generated, and appear to update on occasion. Apparently that's how it keeps itself hidden.

    Thanks a bunch. I think we may have actually beat it. I'll have to check tonight for sure, but whatever happens I'll be sure to update.

    Again, thanks a lot. Without you guys, I would have wound up reinstalling windows.

    -Eric
     


  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to run the avenger fix I gave you.....and then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  19. rccardude04

    rccardude04 Private E-2

    I'll have to do it tomorrow. Busy with school crap right now. I'll run it tomorrow morning after my exam.

    I do see the potential issue though. Looks like there may be one file lingering.

    -Eric
     
  20. rccardude04

    rccardude04 Private E-2

    Never mind. Here goes.

    It didn't find the file. I think it got it all already.

    For some reason, I can't attach the log... It's pretty short. Here goes...

    I can't do the zip file from mgtools for some reason. That'll have to wait till tomorrow.

    -Eric
     


    Last edited: Feb 18, 2009
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try to download ComboFix and attach a log.

    Also, let me say, it's not a good idea to follow fixes from other threads as every fix is different just as every infection is different. Running fixes from another person's infection could harm your computer if something is removed that doesn't need to be. Remember, not everyone is a malware expert so you can't know for sure what you're removing unless one of us requests it. :)
     
  22. rccardude04

    rccardude04 Private E-2

    Here's the ComboFix log and the MGTools log.

    Also, I didn't really mean to go behind you guys' backs but the script I found through Google looked like it should do what I needed it to. I should have been more patient but hopefully I didn't break anything. :)

    Thanks again!

    -Eric
     


  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean so I want you to tell me what issues you still have. In the meantime I want you to delete everything in these folders:
    C:\WINDOWS\Temp\
    C:\Documents and Settings\MOM\Local Settings\Temp\

    Run CCleaner and make sure that those folders are empty of everything except temps from today. You need to make sure these are gone:
    C:\WINDOWS\Temp\"
    uac601c.tmp Feb 14 2009 81920 "UAC601c.tmp"
    uaccf08.tmp Feb 14 2009 81920 "UACcf08.tmp"
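    An example added by the editor, not part of TimW's post or any MajorGeeks tool: Eric notes later in the thread that the digits after "UAC" are generated at random, so a sweep of the temp folders should match the naming pattern (UAC, four hex characters, .tmp) rather than the two exact names above. The Python below walks a folder and reports every file matching that pattern with its size. The sample folder is constructed by the script so it runs anywhere; on the machine in this thread the folders to walk would be C:\WINDOWS\Temp and C:\Documents and Settings\MOM\Local Settings\Temp, which is an assumption the script takes from the post rather than detects.

```python
"""Sweep a temp folder for UACxxxx.tmp leftovers.

Added example for this thread, not a MajorGeeks tool.  The naming pattern
and the two example file names come from the thread; the sample directory
is constructed below so the script runs offline.  Assumption: on the real
machine ROOT would be C:\\WINDOWS\\Temp and the user's Local Settings\\Temp.
"""
from __future__ import annotations

import os
import re
import tempfile

# "UAC" + four hex characters + ".tmp", case-insensitive (UAC601c.tmp, UACcf08.tmp).
UAC_TMP = re.compile(r'^uac[0-9a-f]{4}\.tmp$', re.IGNORECASE)


def find_uac_temp_files(root: str) -> list[dict]:
    """Walk root and return one record per file whose name matches UAC_TMP,
    sorted by name so the report is stable from run to run."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if UAC_TMP.match(fname):
                full = os.path.join(dirpath, fname)
                hits.append({'path': full, 'name': fname,
                             'size': os.path.getsize(full)})
    return sorted(hits, key=lambda h: h['name'].lower())


def build_sample_temp() -> str:
    """Constructed stand-in for C:\\WINDOWS\\Temp with a mix of file names."""
    root = tempfile.mkdtemp(prefix='temp_sweep_')
    samples = {
        'UAC601c.tmp': b'\0' * 81920,           # size quoted in the thread
        'UACcf08.tmp': b'\0' * 81920,
        'Perflib_Perfdata_7b8.dat': b'perf',    # benign leftover; must not match
        'uacfrog.tmp': b'x',                    # tail is not hex; must not match
        '~DF1A2B.tmp': b'x',                    # ordinary Office temp; must not match
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), 'wb') as fh:
            fh.write(data)
    return root


if __name__ == '__main__':
    root = build_sample_temp()
    for hit in find_uac_temp_files(root):
        print(f"{hit['name']:<16} {hit['size']:>7} bytes  {hit['path']}")
```

    The script only reports; deleting is left to the person doing the cleanup, and a match on this pattern alone is a prompt to look further (a current rootkit scan, the driver list), not proof of infection, since any program may create a four-character .tmp name.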
     
  24. rccardude04

    rccardude04 Private E-2

    All I have left in those two folders is in the C:\Windows\Temp\Perflib_Perfdata_7b8.dat

    Everything else is gone, and it *seems* to be clean.

    I ran CCleaner and found neither of the two files you mentioned, nor any apparent re-names of those files. Even a search for uac601c.tmp came up empty (including system files and hidden files/folders).

    Everything *seems* to function now. We were having printer issues with IE last night and I haven't quite figured that one out yet. But otherwise it seems to be normal.

    -Eric
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know if you have continuing malware issues .....If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  26. rccardude04

    rccardude04 Private E-2

    Is there anything wrong with leaving all the programs on there... "for next time?" lol

    I uninstalled ComboFix, but everything else will probably stay on there. I'll try to run MalwareBytes on occasion, as well as SpyBot. MalwareBytes is a new one for me, and a good find. Wish I knew about it sooner. :)

    Thanks again for all the help. I really do appreciate it (and so do the less-than-computer-literate people who use the thing on a daily basis). :)

    -Eric
     
    Last edited: Feb 19, 2009
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can keep all of it other than Combo.....but if you ever need to run the MGTools, you will need to download the latest version as this changes often.
     
  28. rccardude04

    rccardude04 Private E-2

    I figure they all change often, but if it comes back and I have no internet, at least I can hopefully run some scans.

    Thanks again! If I have any more issues, I'll be sure to bug y'all again.

    You are very good at what you do.

    Later,

    -Eric
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome....do utilize the programs to do backup scans when you feel that something may be wrong. :)
     
