Win32/Renos problem
Join Date: Oct 2009
Posts: 8
Solved Threads: 0
Hello,
I recently (past 2 days) have become infected from a virus from an online "download" site.
I was looking for a program for my class at school and downloaded a program that apparently housed a virus.
Now the problem:
I can access any website by typing in the exact URL, and the website will work fine - however use of google, yahoo, or any search engine for that matter brings up irrelevant ads, i.e. searching "Hello" on google will bring up thousands of pages, yet if I click on any one of them, I will be redirected to irrelevant ad pages.
Nothing else seems to be crucially wrong except:
I have downloaded Hijackthis, MBAM, and have tried ETES online scanner, as well as several other virus and malicious software removal tools with all of them simply shutting off after about one minute of runtime, with the exception of windows defender - which will run a full scan completely and will find nothing.
After the first use of any virus scanner besides windows defender, the second use will come up with "Windows cannot open the specified path, you may not have privilege" - This has nothing to do with "Run as administrator" - I have tried that, and I am on the admin account of the computer.
Secondly - Windows defender has found Win32/Renos.(string) multiple times, and deleted it multiple times. When I realized it was not going away I found the path of its origin and deleted "B.Exe", "A.Exe", "A.log" And one other program ... I can't remember.
Now the program appears to have stopped interfering with windows defender - I don't get "Trojan found" anymore, yet the ads and the problem with virus scanners still exist.
Note: I CANNOT GET A LOG as of right now. Hijackthis will not stay open long enough to finish a scan and create a log, nor will any others!
If you can help - Thanks.
#2 Oct 17th, 2009
Try this suggestion from the MBA-M forums:
If you already have MBAM installed on your computer.
Please navigate to the MBAM folder located in the Program Files directory.
Locate MBAM.exe and rename it to winlogon.exe
Once renamed double click on the file to open MBAM and select Full Scan.
At the end of the scan allow MBAM to remove what it had found then reboot.
Post the log here. If you cannot do this either then try running MBA-M in Safe Mode. It IS meant to be run in normal mode since it won't load all of its drivers in safe mode but if all else fails then this would be the next best thing to try.
Of course have it remove all if you are able to run it in safe mode.
Then reboot to Normal mode and attempt to run another full scan with it. If it works then of course have it remove all it finds and reboot.
Rename HiJackThis to analyze.exe and run the system scan and save the log. Post back here with both logs.
Judy
#3 Oct 18th, 2009
Hey unfortunate news:
Booting in safe mode, and renaming the file both did nothing. Same problem:
I installed the program, renamed it, and I set all the permissions of the .dll's and the .exe to NOT be able to be read or written. Only "SYSTEM" could read the file, but still could not write it. I allowed however, all users and SYSTEM to execute the file, yet still:
After one use of the program (the program would last ~7 seconds and shut off) the MBAM or HJT icon would turn into a generic windows .exe icon, and trying to open the file a second time results in:
"D:\...\Winlogon.exe path was unable to be found or executed. You may not have enough permission to view the file." Or something along those lines.
So: No logs, no scans yet. Computer seems to be getting slower and slower. Also, now new problem: after a restart, the first bootup in normal mode usually encounters:
Windows has encountered a critical problem and will reboot in one minute, please save everything now.
This luckily only happens once, and after the reboot I am fine.
#5 Oct 18th, 2009
Let's try this:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/comb...o-use-combofix
What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!
Let us know how you fare.
PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
#6 Oct 18th, 2009
Hi, the combofix ran, and unfortunately I had my screensaver set to about 2 minutes. The screensaver turned on (all black), and I decided to press an arrow key to see what was happening with combofix.
All I saw was "Warning: do not attempt to reboot the computer manually"
After the computer rebooted itself, it was a black screen for >2 minutes, I CTRL+ALT+DELETED and logged off, logged back on.
Combofix gave me a log report and said it had deleted an infected file "C:\...syskey?" or maybe it was "32key"
But new problem: No programs will open, the error is new, and it states "Illegal operation attempted on a registry key that has been marked for deletion"
This happens when I try to open ANY file or ANY program.
Note: I cannot access the internet, or any program. I cannot load anything from a thumbdrive either...
I am wondering if I should attempt to reboot the system, or if that will be fatal...
EDIT Combofix had started, and after a few seconds - not even scanning had begun - Combofix had stated "Rootkit activity was detected on your computer, automatic restart in 5 seconds" or something.
That's it for editing.
Thanks.
Last edited by Win32/Renos; Oct 18th, 2009 at 8:30 pm. Reason: Edited - More information
#9 Oct 18th, 2009
It really does - and yes I apparently had it previously - it didn't ask to download it. ... Do you think I should restart?
-- Do you have your Windows OS disk?
-- You should know if recovery console is installed because it will give you that option on reboot. Have you seen that option?