Adware Blocks System Restore

Jim

I have an XP computer that is infected with adware. The adware redirects
search results that are clicked on to ad sites. The adware also blocks
access to computer security web sites (URLs) that are entered into the IE
browser URL box by either blocking them (site cannot be found) or capturing
them and presenting the results as search results, which, when clicked on
bring up ads. For confirmation of this by another person see "Browser
hijack, blocked from security sites" at
http://www.spywareinfoforum.com/lofiversio...hp/t121380.html . The adware
also apparently blocks system restore, even when antivirus is turned off and
system is restarted in safe mode. I can select a date for the restore point
but when I get to the Confirm Restore Point Selection and press "Next"
nothing happens. This problem is confirmed by another user at
http://forums.techarena.in/windows-xp-support/1051204.htm (Thread: System
Restore does not work). Can anything be done short of professional repair,
as responses to that post indicate?

Thanks.
 
Leonard Grey

I always recommend users call a professional for virus removal /unless/
someone understands the inner workings of a computer well enough to
correctly follow technical instructions. There's no shame in calling for
help, especially against today's malware, which can be very sophisticated.
 
nass

Jim said:
I have an XP computer that is infected with adware. The adware redirects
search results that are clicked on to ad sites. The adware also blocks
access to computer security web sites (URLs) that are entered into the IE
browser URL box by either blocking them (site cannot be found) or capturing
them and presenting the results as search results, which, when clicked on
bring up ads. For confirmation of this by another person see "Browser
hijack, blocked from security sites" at
http://www.spywareinfoforum.com/lofiversio...hp/t121380.html . The adware
also apparently blocks system restore, even when antivirus is turned off and
system is restarted in safe mode. I can select a date for the restore point
but when I get to the Confirm Restore Point Selection and press "Next"
nothing happens. This problem is confirmed by another user at
http://forums.techarena.in/windows-xp-support/1051204.htm (Thread: System
Restore does not work). Can anything be done short of professional repair,
as responses to that post indicate?

Thanks.

Hi Jim,
Without knowing what type of Viral Malware you have we can't help you.
You can either try to loosen the grip of the Viral infection on your Machine
by disabling the services running and deleting the folders for it manually!
What Anti-virus did you run to disinfect your machine?
Download Avast Cleaner (offline scanner) and also Avast home anti-virus and
configure a boot scan from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html

If you wish to send me your Hijackthis log I will be happy to help you
further or send to one of many forums on the internet!
Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
my address is : to_you_ross(at remove this and replace with the
obvious)yahoo.co.uk ( _ is underscore)
 
Jim

nass;

Thanks for the offer and help. My system has had Avast home version
installed for some time, with automatic updates, but it did not block this.
When I discovered this problem I ran an Avast home version anti-virus scan,
but that did not fix the problem. However, it was not a boot scan, so I'll
do that. I also was able to install Threatfire and ran a scan with that, but
it did not fix the problem either. Based on your advice I have also
downloaded Avast Cleaner and I'm running that now. (I'm thinking now that
it's probably the same as the Avast home version anti-virus scan, but I'll
let it finish.) I also downloaded Comodo BOClean and I will run that as well.

Yesterday I started a topic at BleepingComputer.com > Security > HijackThis
Logs and Malware Removal under the subject " Antiviral URLs blocked and
Search Results Redirected." I posted a HijackThis log there. I've replied
to my own posting twice to add further info, but I haven't had any offers for
help from others there, so I really appreciate your offer.

As you know, these scans take a long time to run, but when they are finished
I'll send you the logs. Then, when you have time to look into this and to
prevent duplication of people's efforts I suggest you check my post at
BleepingComputer.com to see if anyone else is working on this. I don't want
to waste anyone's time with a duplication of effort.

Thanks again for your offer.
 
Mick Murphy

Jim, try the 2 Programs below.
And scan with them, and Avast in Safe mode, or SM with Networking; whichever
way is appropriate for your problems.

http://www.spybot.info/en/index.html

Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it.
Then SCAN with it.
Update it, and scan your System once a fortnight.

http://www.malwarebytes.org/mbam.php

Malwarebytes is as the name says, a Malware Remover!
For the Free version scroll down their page to either download from
Download.com, or Major Geeks.com

Download, install, and update.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
while in Safe Mode.

If unable to install above Programs in Normal Mode:
Sometimes Trojans, Viruses, Malware, etc stop you installing and/or updating
Programs to remove them.
If that happens, reboot into Safe Mode with Networking, and install, update
and scan from there.
 
Jim

Thanks, Leonard.

ANYONE WITH THIS PROBLEM NEEDS TO PROCEED WITH EXTREME CAUTION.

Your point is underscored by the link at
http://boards.cexx.org/index.php?topic=17973.msg76664 (Topic posted November
28, 2008 : "redirected hosts = anti malware tools offline + nasty scumware
trickery a foot!") This person ended up killing his computer trying to fix
the problem.

My concern is that the person at the above link seems to be very
knowledgeable and was working with a person who seems to be very
knowledgeable. Even with that they destroyed the OS.

I don't know how to find an expert that could reliably be counted on to fix
the problem. This seems to be a fairly new virus, so I'm thinking I'll live
with it for a while and keep checking to see if anyone finds a path to a
solution.
 
nass

Jim,
I can't download the log, because I don't have an account on
BleepingComputer.com!
They seem to me very busy and you can appreciate with the amount of logs
they have.

Can you please send me the log, if you feel comfy with that; if not, then
wait for help from a Bleepingcomputer helper. But don't live with it, as in
your response to "Leo".
Regards,
nass
 
JR

Similar problem: Defender found "Trojan:32/FakeXPA", Mirar and Winweb
Security and removed some of them, but ignored 5 of them. I can't seem to
access many types of help sites. But, not all: I've run Onecare.live and
NoAdware. Cleaners from "bleeping.." won't run. I think I've removed the
malware, but my problems still exist. No defrag or check disc and frequently
redirects from Google. Is "go google" a malware issue? Can't Restore either
of course. I can still access other secure sites etc., but anything to do
with malware problems or some updates are often redirected. Strange. Sorry if
this posts twice
 
Jim

Thanks for the suggestions, Mick Murphy. The problem is that to run spybot
(the one of the two programs that you list that I've already tried) I have to
download the software on another computer because the malware blocks access
to spybot's web site. Then I have to zip the .exe file to e-mail it to the
infected computer. OK so far, but then when I un-zip and run the program, it
immediately wants to update the virus detection software on line - but the
malware also blocks that access. So the program sits there and does nothing
(apparently repeatedly trying to phone home).

I can only use programs like HijackThis that can be ported (e.g., by e-mail
or copying to a CD) to my infected computer and run without needing to update
themselves over the network. In my post on www.bleepingcomputer.com I
indicated that I ran Fixwareout.exe; I could do that because it does not
update over the web. When it ran, it reported, "Successfully flushed the DNS
Resolver Cache." After that, the browser search worked one time, but then
the system reinfected itself. The virus seems to be messing with the DNS
function or the Hosts file or both.

I can run Avast, which is installed and seems to be able to get through the
blockage to update itself, but I'm not totally sure that is happening.

For some reason I was able to port Threatfire to the infected computer and
run it. (Maybe the malware doesn't block access to their web site or maybe
Threatfire runs without updating itself the first time.) In any case,
Threatfire found some viruses that Avast did not, but quarantining them did
not solve this problem.

I will try porting malwarebytes to the infected computer to see if it will
run, but I'm doing some other scans before that. For example, a boot scan
with Avast.

Thanks again for your suggestions. I'll report back in due course.
 
Mick Murphy

Jim, as you are denied web access, do the work in Safe Mode with Networking.
You can save the Programs .exe to a flash Drive, and install them in the
infected computer that way.
Then update them in SM with Networking.
 
thehman

Check your hosts file in the system32 folder.

C:\windows\system32\drivers\etc\hosts
The file has no extension; open it with Notepad. It should only have one
entry after the example, and the entry is 127.0.0.1
If there is anything else change the entry to the one listed above.
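
The hosts-file check suggested above can be run on a copy of the file, for instance when a redirect comes back after the DNS cache is flushed. This is an added example, not part of the original thread: the function name, the sample file contents and the list of security sites (taken from the URLs mentioned in the thread) are constructed for illustration.

```python
# Added example: audit a Windows hosts file for anything beyond the default
# "127.0.0.1 localhost" entry. SAMPLE_HOSTS is constructed, not from a real PC.
import ipaddress

# Security sites named in this thread; used only to label a finding more clearly.
SECURITY_SITES = ("avast.com", "spybot.info", "malwarebytes.org",
                  "bleepingcomputer.com", "comodo.com", "trendsecure.com")
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       www.avast.com   # constructed: blocks a security site
203.0.113.10    www.google.com google.com
not-an-ip       www.spybot.info
"""

def audit_hosts(text):
    """Return a list of (line_no, address, hostname, reason) findings."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # comments are not entries
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "malformed address"))
            continue
        for name in names:                        # one line may map several names
            host = name.lower().rstrip(".")
            if (address, host) in DEFAULT_ENTRIES:
                continue
            if any(host == s or host.endswith("." + s) for s in SECURITY_SITES):
                reason = "security site overridden"
            elif ip.is_loopback or ip.is_unspecified:
                reason = "name sinkholed to local machine"
            else:
                reason = "name redirected to " + address
            findings.append((line_no, address, host, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

To check a real machine, read the file at the path given above into a string and pass it to `audit_hosts`; an empty result means only the default localhost entry is present.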
 
