
Noblesearchsystem.com redirect


  • This topic is locked

#1
not2creative

Ok, I have tried everything I can think of. My computer got infected yesterday. When using ask or google and clicking the link it redirects you to an ad site. At the bottom of the screen I can see it start to redirect and has the name noblesearchsystem. If I click the X to stop the page from loading before it kicks in and then go back to the URL I can get to the website. UGH. This virus will not let me execute any scanning software. After I tried the first time my pc rebooted and my wireless mouse and keyboard no longer worked. I got this message before my pc restarted: you have been infected with rootkit.zeroaccess in the tcp/ip stack

I have both Emsisoft and Malwarebytes installed on this PC. I also have a pocket drive so I downloaded the Malwarebytes to that to attempt to run. When I attempt to run the Malwarebytes I get an error that the google installer has stopped working. The Emsisoft gives this error: A major problem prevents application start. Anti-Malware can't connect to the service application. Please reboot your pc.

Please help! I can't run any of the programs so I don't have any logs to attach.
  • 0



#2
Essexboy

    GeekU Moderator, Retired Staff
Hi, let's start with the heavyweight tool first and then look for remnants after

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#3
not2creative

I downloaded ComboFix to the desktop as requested and ran it. It came up with a message you have been infected with rootkit.zeroaccess and ComboFix needs to restart your computer do not turn off your computer let ComboFix restart (paraphrased). Then I went back to check on the pc and it said your computer was unable to start. I am now letting windows restore my computer to a time when it worked properly. If it restarts I will check to see if the redirect virus is still active and repost.
  • 0

#4
not2creative

My PC will not start. I have accessed it as Administrator and have the options in the second screen shot to start it. Haven't attempted to restart.

Attached Thumbnails

  • 2011-10-16 11.36.21.jpg
  • 2011-10-16 11.36.57.jpg

  • 0

#5
not2creative

I went over to the computer won't boot forum and decided to select system restore. ComboFix had a restore point so I attempted to restore to that. It failed so I selected the only other restore point. It also failed and my computer was looping through attempts to boot dumping a log file, blue screen of death. Read the "Unbootable system tutorial" and created the AVG boot disk. The program is running now and has identified a ton of virus infected files. Interestingly it appears that the virus infected the Emsisoft executable. The virus name is Win32/Katusha.A. That virus appears to have attacked many of the executable files in my computer including GoogleUpdate.exe and HP Health Check.

I sure hope this works. When it is done scanning, I will repost the findings.
  • 0

#6
Essexboy

Hmm that looks like a multiple infection in addition to zero access

Keep me informed of the progress and we will go from there
  • 0

#7
not2creative

The PC is still scanning - over three hours now. Showing a lot of infected files :) I will post again when I have more information. Thanks for your help!
  • 0

#8
Essexboy

Do they all have the same name?
  • 0

#9
not2creative

It just finished scanning so I went back to the previous instructions and I am at the view log... 33 files are infected. At first it said all had the Win32/Katusha.A now I see Trojan horse downloader.zlob and trojan horse Generic18 and trojan horse java/downloader
  • 0

#10
not2creative

OK I followed the instructions and renamed the files. I got a message that there are no more infected files. Then I ejected CD and rebooted using the commands on the screen. Windows can not start up and the restore is not working either. I took a photo of the log as there wasn't a way to download it. There were actually 33 files, this photo only shows the first 28
  • 0



#11
not2creative

Couldn't attach photo to the last post as I used the quick reply feature

Attached Thumbnails

  • 2011-10-16 16.52.45.jpg

  • 0

#12
Essexboy

From the repair my computer section

First select start up repair

If that fails then select command prompt and type in sfc /scannow

On completion then try a reboot
  • 0

#13
not2creative

I tried the repair and it failed. I typed the sfc /scannow and it came back with There is a system repair pending which requires a reboot to complete. Restart windows and run sfc again.

Attempting to restart in safe mode with command prompt - - ended up at the Recovery Manager and selected Microsoft Startup Repair Tool and I am now back to the screen that says windows cannot repair this computer automatically. Trying to get back to a command prompt but stuck in a vicious circle :)

Trying the option of last known good configuration from the advanced boot options menu.

OK THAT WORKED??? Now what? Windows is starting up!
  • 0

#14
not2creative

Hesitantly, I started a browser and the virus appears to have gone. I then decided to uninstall a ton of unused programs as well as the malware programs and plan to reinstall them. I re-installed malwarebytes and I am scanning the system now.

What am I supposed to do with the infected files?
  • 0

#15
not2creative

The scan finished and showed three infected files. I have successfully quarantined and deleted them. Wondering what I am supposed to do with the ones that were renamed.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7962

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

10/16/2011 9:53:00 PM
mbam-log-2011-10-16 (21-53-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 532384
Time elapsed: 1 hour(s), 36 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\common files\Intel\IntelDH\NMS\adpplugins\dqlwinservice.exe_1318783991.arl (Trojan.PatchLoad) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Local\d550f951\U\80000000.@_1318783991.arl (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Roaming\wshark.exe_1318783991.arl (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
  • 0
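
Added example, not part of the thread: a small Python parser for a Malwarebytes log in the layout posted above, which cross-checks each summary count against the entries actually listed (a truncated paste shows up as a mismatch) and recovers the pre-rename path of each detected file. Assumptions: the function names are hypothetical, and the `_<10 digits>.arl` suffix is taken to be the rename applied from the boot disk, with the digits read as a Unix timestamp.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Excerpt of the log posted above; sections with no detections are left out.
SAMPLE_LOG = r"""
Files Infected: 3

Files Infected:
c:\program files\common files\Intel\IntelDH\NMS\adpplugins\dqlwinservice.exe_1318783991.arl (Trojan.PatchLoad) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Local\d550f951\U\80000000.@_1318783991.arl (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Roaming\wshark.exe_1318783991.arl (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# Assumption: "_<10 digits>.arl" is the rename suffix, digits = Unix time.
RENAMED = re.compile(r"^(?P<original>.+)_(?P<epoch>\d{10})\.arl$")


def parse_mbam_log(text):
    """Return (summary counts, detection entries) from a log in this layout."""
    summary, items, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := SUMMARY.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            item = {"section": section, **m.groupdict()}
            if r := RENAMED.match(item["path"]):
                item["original"] = r["original"]
                stamp = datetime.fromtimestamp(int(r["epoch"]), tz=timezone.utc)
                item["renamed_utc"] = stamp.isoformat()
            items.append(item)
    return summary, items


def count_mismatches(summary, items):
    """Sections whose summary count differs from the entries actually listed."""
    found = Counter(item["section"] for item in items)
    return {s: (n, found[s]) for s, n in summary.items() if n != found[s]}


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(summary, items))
    for it in items:
        print(it["name"], "|", it["action"], "|", it.get("original"), "|", it.get("renamed_utc"))
```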





