
The problem started with getting redirected when we searched with Google. So we tried other search engines which worked for a little while but now it doesn't matter which search engine we use. If you go back to the original search after you are redirected a time or two you can finally get to the website you want. But now also when we try to go to the Google website it pops up: "Unable to connect: Firefox can't establish a connection to the server at www.google.com. The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web."

I have downloaded and run Malwarebytes Anti-Malware which helped another issue we had with windows opening up whenever you clicked on a link but we still have the redirect virus (or whatever it is) and can't access Google.

Your help would be greatly appreciated!


Thank you so much for your help! I ran RKill and ADWCleaner and then Malwarebytes and it took care of the redirect issue but I still can't access Google. I don't know if this goes along with it or not but I can't get "Automatic Updates" turned on or run the updates manually on the Microsoft website. I click "Check for the latest updates from Windows updates." When I get to the Update window I click "Express" and I get the message "The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem." What should I do now? I appreciate your help!


Could you post those logs from ADWCleaner and MWB? Those should give me a clue as to where next.
Being blocked from Google may be as simple as a malware entry in your Hosts file; you can clear it manually by deleting the Google entry and saving the file. Your hosts file is in system32\drivers\etc; drag it into a notepad to edit. To save you may first need to uncheck the Read Only box in hosts' properties.
As a blind first try to enable autoupdates, you might try this: open a cmd window, and paste in...
net stop wuauserv && regsvr32 %windir%\system32\wups2.dll && net start wuauserv
... and hit Enter. Please post a copy of the screen [rclick, select all, copy with Ctrl-C].

Edited by gerbil
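
The hosts-file check suggested above, as an added example that is not part of the original posts: a Python sketch that lists hosts entries which block or redirect the sites this thread had trouble reaching. The watch list and the sample file are constructed for illustration; run on Windows, it reads the real file under system32\drivers\etc instead.

```python
import ipaddress
import os

# Assumption for this example: a watch list built from the sites the thread could not reach.
WATCHED = ("google.com", "update.microsoft.com", "windowsupdate.com")

# Constructed sample hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Constructed sample
127.0.0.1       localhost
127.0.0.1       www.google.com google.com   # name sunk to loopback
203.0.113.7     www.update.microsoft.com    # TEST-NET-3 documentation address
0.0.0.0         download.windowsupdate.com
10.0.0.5        printer.lan                 # ordinary local entry
not-an-ip       example.invalid
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments and bad lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(name):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return (line_no, hostname, ip, verdict) for every watched name in the file."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        # Loopback or 0.0.0.0 makes the site unreachable; anything else sends
        # the browser to a server of someone else's choosing.
        verdict = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append((line_no, name, str(ip), verdict))
    return findings


if __name__ == "__main__":
    path = os.path.join(os.environ.get("WINDIR", r"C:\WINDOWS"), "system32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS  # fall back to the constructed sample
    for line_no, name, ip, verdict in audit_hosts(text):
        print(f"line {line_no}: {name} -> {ip} ({verdict})")
```

A stock hosts file maps only localhost, so any line this reports deserves a look before it is deleted.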

Here are the logs from MWB and AdwCleaner and the copy of the screen of the cmd window. Thank you for taking the time to help me! 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.29.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Crystal :: CRYSTAL-449506D [administrator]

7/4/2013 9:51:46 AM
mbam-log-2013-07-04 (09-51-46).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 313104
Time elapsed: 2 hour(s), 8 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\CCE_Quarantine\{14DBBA45-5127-493D-B290-350E79141CAA} (PUP.IBryte) -> Quarantined and deleted successfully.
C:\CCE_Quarantine\{B7116049-35B8-4E8C-947A-22296A745FD8} (PUP.IBryte) -> Quarantined and deleted successfully.

(end)


# AdwCleaner v2.304 - Logfile created 07/06/2013 at 11:35:05
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Crystal - CRYSTAL-449506D
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Crystal\My Documents\Downloads\AdwCleaner(2).exe
# Option [Search]


***** [Services] *****

Found : CltMngSvc

***** [Files / Folders] *****

File Found : C:\WINDOWS\Tasks\AmiUpdXp.job
Folder Found : C:\DOCUME~1\Crystal\LOCALS~1\Temp\CT3289847
Folder Found : C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\uj248e5o.default\CT3289847
Folder Found : C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\uj248e5o.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
Folder Found : C:\Documents and Settings\Crystal\Application Data\SearchProtect
Folder Found : C:\Documents and Settings\Crystal\Application Data\SwvUpdater
Folder Found : C:\Documents and Settings\Crystal\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\Crystal\Local Settings\Application Data\getsavin
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\SearchProtect

***** [Registry] *****

Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\ConduitSearchScopes
Key Found : HKCU\Software\SearchProtect
Key Found : HKCU\Software\SmartBar
Key Found : HKLM\Software\AVG Secure Search
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Found : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Found : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Found : HKLM\Software\SearchProtect
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [searchprotect]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com/?ctid=CT3289847&octid=CT3289847&SearchSource=61&CUI=UN21407989616657278&UM=2&UP=SP513CBCA2-991F-4E82-A58C-E0C102DADD23

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\uj248e5o.default\prefs.js

Found : user_pref("CT3289847.FF19Solved", "true");
Found : user_pref("CT3289847.UserID", "UN32251928772634115");
Found : user_pref("CT3289847.browser.search.defaultthis.engineName", "true");
Found : user_pref("CT3289847.fullUserID", "UN32251928772634115.IN.20130706112431");
Found : user_pref("CT3289847.installDate", "06/07/2013 11:24:31");
Found : user_pref("CT3289847.installSessionId", "{A93FDA67-83CC-4624-87BF-A8FE4D8A5077}");
Found : user_pref("CT3289847.installSp", "false");
Found : user_pref("CT3289847.keyword", "true");
Found : user_pref("CT3289847.originalHomepage", "hxxp://www.intellicast.com/Local/Weather.aspx?location=USIN[...]
Found : user_pref("CT3289847.originalSearchAddressUrl", "hxxp://mysearch.avg.com/search?cid={83D8B78E-C46D-4[...]
Found : user_pref("CT3289847.originalSearchEngine", "");
Found : user_pref("CT3289847.searchRevert", "true");
Found : user_pref("CT3289847.searchUserMode", "2");
Found : user_pref("CT3289847.smartbar.homepage", "true");
Found : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN32251928[...]
Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://mysearch.avg.com/search?cid={83D8B78E-C46[...]
Found : user_pref("browser.search.defaultthis.engineName", "WhiteSmoke New Customized Web Search");
Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&CUI[...]
Found : user_pref("browser.search.selectedEngine", "WhiteSmoke New Customized Web Search");
Found : user_pref("extensions.DivXWebPlayer@divx.com.install-event-fired", true);
Found : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7Bdc572301-7619-498c-a57d[...]
Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CU[...]
Found : user_pref("smartbar.addressBarOwnerCTID", "CT3289847");
Found : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3289847&CUI=UN322519287[...]
Found : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]
Found : user_pref("smartbar.defaultSearchOwnerCTID", "CT3289847");
Found : user_pref("smartbar.homePageOwnerCTID", "CT3289847");

*************************

AdwCleaner[R1].txt - [25859 octets] - [04/07/2013 09:43:30]
AdwCleaner[R2].txt - [5444 octets] - [06/07/2013 11:35:05]
AdwCleaner[S1].txt - [26382 octets] - [04/07/2013 09:44:20]

########## EOF - C:\AdwCleaner[R2].txt - [5565 octets] ##########


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Crystal>
C:\Documents and Settings\Crystal>net stop wuauserv && regsvr32 %windir%\system3
2\wups2.dll && net start wuauserv
System error 1060 has occurred.

The specified service does not exist as an installed service.


C:\Documents and Settings\Crystal>

Edited by wmc1956


Hi again.
I think you can safely delete all those adware related issues that ADWCleaner found - run it again, and press Delete button.
The bat command - net stop wuauserv && regsvr32 %windir%\system32\wups2.dll && net start wuauserv - it looks like wuauserv is not installed [the .bat failed on the first part]. M$ have an automated troubleshooter/Fixit at http://go.microsoft.com/?linkid=9830262
You could first check in Services that Automatic Updates [common name wuauserv] exists.
If you paste this URL into IE, does it not offer to repair or install the update service?
http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us


If not, you could just download the installer for your x86 SP3 system:
http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.4.7600.226/WindowsUpdateAgent30-x86.exe
Open the download folder; open a cmd window, and drag the file into the cmd window. Add the parameter /wuforce, so: [below is a copy of my cmd window]; it will self extract, and run the installer. Finally, reattempt to update your system.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Don>D:\Downloads\WindowsUpdateAgent30-x86.exe /wuforce

Edited by gerbil


Here are the things you said to do and the logs, reports, etc.

FIX IT:

"We detected some problems with your system. However we were unable to successfully apply all the fixes. Click Next for other options you can try to troubleshoot the problem. Issues found: Windows update components must be repaired. Fix status: not fixed."


WINDOWS UPDATE AGENT:

http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.4.7600.226/WindowsUpdateAgent30-x86.exe

"install is not need since Windows update agent is already installed"



when I run this http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us I get this: 

"The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem. [Error number: 0x80070424]."


ADWCLEANER: 

# AdwCleaner v2.304 - Logfile created 07/08/2013 at 08:42:47
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Crystal - CRYSTAL-449506D
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Crystal\My Documents\Downloads\AdwCleaner(4).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\uj248e5o.default\prefs.js

Deleted : user_pref("extensions.DivXWebPlayer@divx.com.install-event-fired", true);

*************************

AdwCleaner[R1].txt - [25859 octets] - [04/07/2013 09:43:30]
AdwCleaner[R2].txt - [5634 octets] - [06/07/2013 11:35:05]
AdwCleaner[R3].txt - [5601 octets] - [08/07/2013 08:10:17]
AdwCleaner[R4].txt - [5701 octets] - [08/07/2013 08:29:19]
AdwCleaner[R5].txt - [5820 octets] - [08/07/2013 08:35:16]
AdwCleaner[R6].txt - [1462 octets] - [08/07/2013 08:42:29]
AdwCleaner[S1].txt - [26382 octets] - [04/07/2013 09:44:20]
AdwCleaner[S2].txt - [393 octets] - [08/07/2013 08:16:43]
AdwCleaner[S3].txt - [362 octets] - [08/07/2013 08:33:28]
AdwCleaner[S4].txt - [6031 octets] - [08/07/2013 08:35:33]
AdwCleaner[S5].txt - [1395 octets] - [08/07/2013 08:42:47]

########## EOF - C:\AdwCleaner[S5].txt - [1455 octets] ##########

Cool, you're clear of adwares.
"install is not need since Windows update agent is already installed"
If you used the /wuforce parameter it should have over-ridden that "already installed" condition. Did you use that in the command line, like...
C:\some download folder:\WindowsUpdateAgent30-x86.exe /wuforce <=that /wuforce is necessary!
...and that should have forced it to reinstall. Don't run it from the website, rather download and save it, then run from that folder.
Okay, if trying that again does not work, then try this...
Paste this into the Run box:
%systemdrive%\Windows\inf ..and press OK
Scroll down to au.inf and upon rclick choose Install.
Browse to your \ServicePackFiles\i386 folder below the inf folder, and OK.
After it finishes restart your system and try the updates site again.

Edited by gerbil


I finally figured out to download the update file and drag it into cmd and add /wuforce and it worked wonderfully. I was elated! It downloaded and installed the updates and then it wanted me to shut down the computer, so I did and it installed 22 files. When it restarted it said there was an infection so it started a scan. It found 1 infection and continued scanning. Then after a little while this screen popped up and scared the wits out of me. It showed a window with the background looking like a cmd window and then there was a box on top that had an emblem "United States Court" and said "All activities of this computer has been (grammatical error there) recorded. All your files are encrypted. Don't try to unlock your computer. This computer (Windows XP 32 bit) has been locked for violating the laws of the United States of America." Then it had some more lines of writing but it was hard to read because there was writing on top of writing and in the middle of the screen there was a big barcode. It said to go and buy a MoneyPak and load money onto it and then bring it back and fill in the barcode number and the amount of money. It said it had to be done in 72 hrs or I would be under criminal investigation. It was saying the computer contained images of child pornography. At first I thought it was real and it scared me to death. The more I looked at it however the more I began to suspect it was a virus. The computer wouldn't do anything so I held the power button in to shut it down. Now when you start the computer it starts up Windows and the wallpaper comes up and then it goes to that screen again. When you push the power button to shut it down, you don't have to hold it in. It shuts down on the first click. However, before it shuts down, that screen will go off and you get about a second's glance and desktop is there and Security Center is trying to do a scan. It says there are threats and you can see it scanning. Then it shuts down.
I don't know if it is running a scan all the time in the background or if it just scans for that second or two.

I tried starting the computer in Safe Mode with Networking and it starts up fine although you have to choose if you want "Administrator" or my account. In "Administrator" I tried loading updates again because I don't know how to get it back to that scan and it does the same old thing with not wanting to load updates. So I forced it to run the update with /wuforce. It acts like it's working and then in the end it says "Install failed with error number 0x8007043c." If I start the computer in my account it loads for a second or two then shuts down and the screen is black but the power doesn't shut totally off.

So now I'm really in a pickle! Do you have any ideas of what to do now? I really appreciate your help! This website is my lifeline! Thank you!


:)... it is a bogus threat, and your files are safe. Let's see, because you can boot into safe mode you have a couple of simple choices to start with. First off, see if it launches from your startup folder...
In safe mode, go to C:\Docs n Setts\your account\Start menu\Programs\Startup. Look there, and see if there is a link [shortcut] to a program that you do not recognise; if you see one then rename it with an X in front and try to restart in Normal mode. Post the links here if you wish me to look at them.
In Safe Mode, if you do not see any such link, then Run...
msconfig
Go to Startup tab, and check there for unknown entries, uncheck them, Apply n OK, and restart.
Once you can restart OK, update and run Malwarebytes.
As far as how you actually newly got the trojan [it obviously only just came in], by any chance do you have a torrent program installed and running?

Edited by gerbil


And this... " In "Administrator" I tried loading updates again because I don't know how to get it back to that scan and it does the same old thing with not wanting to load updates. So I forced it to run the update with /wuforce. It acts like it's working and then in the end it says "Install failed with error number 0x8007043c."
Windows update cannot function in Safe Mode [this is quite normal] because some services are not loaded in Safe Mode, hence that error message. Your update service is quite likely ok still in Normal mode.
Looking around, it seems that a simple system restore to a date previous to your infection will stop the threat locking your PC, and allow you to run Malwarebytes, which program is up to date with this particular threat.
Good luck.
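
The error values quoted in this thread can be read directly, shown here as an added example that is not part of the original posts: the update site's 0x80070424 wraps the same Win32 error 1060 that `net stop wuauserv` printed, and 0x8007043c wraps error 1084, the Safe Mode service restriction described above. The function names are this example's own; the error names and values come from winerror.h.

```python
import re

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code

# Win32 error codes seen in this thread (names and values from winerror.h).
WIN32_ERRORS = {
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    1084: "ERROR_NOT_SAFEBOOT_SERVICE (service cannot be started in Safe Mode)",
}

# Error messages copied from the posts above.
MESSAGES = [
    "System error 1060 has occurred.",
    "[Error number: 0x80070424]",
    "Install failed with error number 0x8007043c.",
]


def decode_hresult(value):
    """Split a 32-bit HRESULT into its failure bit, facility and code fields."""
    value &= 0xFFFFFFFF  # tools that print HRESULTs as signed ints give negatives
    return {
        "failure": bool(value >> 31),
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
    }


def win32_from_hresult(value):
    """Return the wrapped Win32 error code, or None if this is not a Win32 failure."""
    fields = decode_hresult(value)
    if fields["failure"] and fields["facility"] == FACILITY_WIN32:
        return fields["code"]
    return None


def explain(message):
    """Return (win32_code, name) for the error named in a message, or None."""
    code = None
    hexmatch = re.search(r"0x([0-9a-fA-F]{8})\b", message)
    decmatch = re.search(r"System error (\d+)", message)
    if hexmatch:
        code = win32_from_hresult(int(hexmatch.group(1), 16))
    elif decmatch:
        code = int(decmatch.group(1))
    if code is None:
        return None
    return code, WIN32_ERRORS.get(code, "not in this example's table")


if __name__ == "__main__":
    for msg in MESSAGES:
        print(f"{msg!r:50} -> {explain(msg)}")
```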


Finally this problem is solved and Windows Update works, the Internet Security virus is gone and Google is back to working correctly. What solved the Update issue was dragging the file into cmd and adding /wuforce. This article http://malwaretips.com/blogs/internet-security-designed-to-protect-removal/ helped solve the virus and Google issue. First, Malwarebytes Chameleon and then Hitman Pro finished off the viruses. Oh yes, and Internet Explorer is not opening windows in the background either!

Thank you all so much for your help! You are the best!

Edited by wmc1956: Forgot to add


I'm not sure you needed to run Chameleon because MBAM itself was running. Typically, the rootkits block MBAM's executable completely. But anyway, you got there.
You picked up all that stuff yourself, via an email or some download you opened. I'm not sure your AV service is performing as well as one could hope. What is it?
