Author Topic: SERIOUS BUSINESS issues, please help!!!  (Read 15934 times)


wyrmrider

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #15 on: August 23, 2008, 07:58:49 PM »
slow down a little
did the SAS boot time scan find anything- what exactly
avast scan?
still unable to download anything?
do you have a pen drive or a spare hard drive you could download files to at a buddy's?
here is a write up from threat net
http://www.threatexpert.com/report.aspx?uid=92ecfbb6-1a1b-42c5-94ac-da1b72596eab
so a hand removal could be attempted
(at the end see an example on how a hosts file or outbound firewall would have prevented this infection from phoning home)
however (If Polonous or other experts are away for the weekend)

If we do not make any progress here I would suggest that you post over in the Malware Bytes Forum
Jean In Montana is an expert on this infection
http://www.malwarebytes.org/forums/index.php?s=45dddb9fa76cce9f6b2dafdfec641a8d&showforum=7
However if you post there be sure to read all the stickies and do everything exactly- they are busy and tend to not have much patience
post a link to this thread tell Jean "Theolona Ranger says howdy"
please report back how you do
good luck


Spiritsongs

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #16 on: August 23, 2008, 08:12:51 PM »
 :)  Hi :

 There is a very good Chance that IF you could run a fully Updated, "Full Scan"
 of Malwarebytes' Anti-Malware, the problem MAY be resolved. Since you cannot
 download anything, try and use a Friend ( not the Idiot who referred you to that
 Site ) who has an uninfected computer or perhaps a local library to "burn" that
 program onto a CD for future installation into your computer . IF this and/or IF
 an experienced "Malware-Fighter" like "JeaninMontana" cannot help, the only
 recourse seems to be reformatting and reinstallation of your Operating System !?

 By the way, malware is getting so bad that just visiting an infected Site can
 infect a person's computer .

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #17 on: August 23, 2008, 11:54:51 PM »
Way back in reply #3 Jtaylor83 suggested the two programs most likely to resolve the avxp-2008 issue, see below. I can only assume that you didn't run them as a) there was no mention of having run them, b) the topic is still on-going.

I suggest MalwareByte's Anti-Malware or RogueRemover.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

wyrmrider

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #18 on: August 24, 2008, 12:02:12 AM »
DavidR
He can't download anything
he does have SAS installed and Avast
any ideas?

InazumaRaijin
did you get either or both of the SAS and AVAST boot time or safe mode scans to run?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #19 on: August 24, 2008, 12:08:22 AM »
He is going to have to get creative then, use a friend, etc. download the files save to CD/flash drive, etc. and transfer to his system. How is he posting here or is it just downloads that are restricted.

wyrmrider

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #20 on: August 24, 2008, 12:13:27 AM »
hard to tell but see his post 4
clue?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #21 on: August 24, 2008, 12:35:18 AM »
Well although I believe it may have been suggested (haven't read the whole topic) HOSTS file is the usual redirect point.

Even if it isn't using the HOSTS file to do this then it is probably doing the same thing, elsewhere and it is looking for the domain name, so we could try the IP address and see if that bypasses the redirect.

http://72.233.79.2/mbam.php tried that didn't work, probably blocked by malwarebytes.

So it looks like find a friend to download them.

InazumaRaijin

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #22 on: August 24, 2008, 01:07:12 AM »
Not at my home computer right now, at a friend's house, but the avast boot scan did find something, yeah. Said a file was corrupted in a folder called "SoftwareDistribution" or something like that. Didn't run a SAS boot scan yet, I'll do that when my comp boots back up when I get home (doing another avast scan when it boots up though). As it stands right now, yes, I still have no luck accessing the internet, with constant redirects and everything as though nothing has even happened. Have you looked at the links I provided to see what files keep reappearing? I'm pretty sure the issue is somewhere in there but I can't get rid of the stupid things for some reason. I'll update more when I get home and can check things out

wyrmrider

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #23 on: August 24, 2008, 01:13:51 AM »
What DavidR was implying is to look at C:\windows\hosts with wordpad and see if there are
redirects in there for malwarebytes and other AV and Antispyapps

If you have to edit Hosts remember that there is NO suffix, NO .txt or .doc, nothing
if a suffix gets saved rename the file to just plain HOSTS

if you do find some funny redirects just put a # at the beginning of the line turning it into a comment

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #24 on: August 24, 2008, 02:21:38 AM »
There are different locations for the HOSTS file depending on your OS.

HOSTS file redirect - 127.0.0.1 check your HOSTS file using notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts or do a search for HOSTS to find it if not there. http://en.wikipedia.org/wiki/Hosts_file

I have had a look at the images and I really don't know what it is that you were searching for, not to mention with the exception of the prefetch folder, the path is incomplete. For the most part they look like firefox browser cache files for a lot of them. But as I said I don't know what you were looking for in the search as the results don't seem to have a common theme.
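Added example, not from the thread or any of its posters: a small Python checker for the HOSTS-file redirect that wyrmrider (reply #23) and DavidR (reply #24) describe. It parses a Windows-style hosts file, flags any name other than localhost that is pinned to the loopback address (the 127.0.0.1 redirect DavidR mentions) or any security-vendor name pinned to a fixed address, and applies the manual fix from reply #23 by commenting the flagged lines out with a leading #. The sample hosts content and the vendor watchlist below are constructed for the example.

```python
import ipaddress
import sys

# Constructed sample hosts file (not taken from the thread): the normal
# Windows defaults plus a few hijacked entries of the kind discussed above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# constructed examples of hijacked entries follow
127.0.0.1       www.malwarebytes.org
127.0.0.1       malwarebytes.org
127.0.0.1       forum.avast.com
203.0.113.10    www.google.com
127.0.0.1       localhost    # legitimate default, must not be flagged
"""

# Names that legitimately resolve to the loopback address.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watchlist: vendor and update domains a redirect-style infection
# typically blocks. Extend it with whatever sites your users need to reach.
WATCHLIST = ("malwarebytes", "avast", "superantispyware", "google",
             "microsoft", "symantec", "mcafee", "kaspersky")


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every active, well-formed entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address; skip it
        yield lineno, ip, [h.lower() for h in fields[1:]]


def find_redirects(text, watchlist=WATCHLIST):
    """Return suspicious entries as (lineno, ip, hostname, reason) tuples."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if ip.is_loopback and host in LOOPBACK_OK:
                continue                          # the normal localhost lines
            if ip.is_loopback or ip.is_unspecified:
                findings.append((lineno, str(ip), host,
                                 "resolves to loopback/blackhole"))
            elif any(key in host for key in watchlist):
                findings.append((lineno, str(ip), host,
                                 "watched domain pinned to a fixed address"))
    return findings


def neutralise(text, findings):
    """Comment out every flagged line (the fix described in reply #23)."""
    bad = {f[0] for f in findings}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        out.append("# " + raw if lineno in bad else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Pass a path (e.g. C:\WINDOWS\system32\drivers\etc\hosts) to check a real
    # file; with no argument the constructed sample is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    else:
        hosts_text = SAMPLE_HOSTS
    hits = find_redirects(hosts_text)
    for lineno, ip, host, reason in hits:
        print(f"line {lineno}: {ip} -> {host} ({reason})")
    if not hits:
        print("no suspicious entries found")
```

Running it against the sample flags the three vendor names pinned to 127.0.0.1 and the google entry pinned to a fixed address, leaves both localhost lines alone, and a second pass over the output of `neutralise` reports nothing, which is the state you want before trying the downloads again.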

InazumaRaijin

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #25 on: August 24, 2008, 02:52:11 AM »
The reason I put those screenshots up is because most of the files there have one major similarity - a large majority of them were created at the exact point in time that I got this malware issue. When I deleted them, they all came right back when I rebooted, so I figure there's some sort of issue there. Also, if I can't even access any sites really, how are these cache files appearing? Avast is doing another boot scan right now, hoping it re-catches the same file it did last time (since I couldn't help but notice it reappeared when I did my C:/ scan, though I can't remember the exact file name off the top of my head). When it's done, I'll check the HOSTS information and try to take care of any redirects that might be there.

As for how I'm posting this, I'm on my mom's business laptop. The virus is on my desktop PC. Hopefully I can move back to my PC soon haha.

Edit: Did my scan and found a new corrupted file, it's called (can't post the full path, it's got a bunch of random letters/numbers, but I have the file name): igfxrfin.lrc, found in the same Software Distribution folder as the other file was. Is this folder supposed to even be there, or could it all be infected/corrupted?
« Last Edit: August 24, 2008, 03:17:57 AM by InazumaRaijin »

wyrmrider

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #26 on: August 24, 2008, 03:27:07 AM »
DavidR is correct
HOSTS is in a different Place for Different OS

WHAT DID YOU FIND
If it is a simple HOSTS redirect your life will be much simpler

DID MY SCAN??  WHICH SCAN WITH WHAT???   SAS or AVAST?

can you go to virus total and upload the file with the search function?
there IS a legitimate file by that name so we gotta check it out
?whose software distribution folder is this? can you check properties?

InazumaRaijin

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #27 on: August 24, 2008, 03:42:31 AM »
Checked my HOSTS file, it's completely fine, nothing out of the ordinary. As for scan, I did an avast boot scan to find that file. Can't seem to schedule an SAS scan since I use free and not pro. As for the software distribution file, I don't know anything about it. The entire path of the file was:

C:\WINDOWS\SoftwareDistribution\Download\b4cd5479e6b7c7d72dc9d60bcb26917f\BIT39.tmp\igsxrfin.lrc

It says Error 42127 {CAB archive is corrupted.} so something seems to be wrong with that. I asked avast to repair any infected files found, but I don't know if it did anything to this file since it didn't tell me anything else.

A strange update though, pretty sure I still have the malware issue because everything is horribly slow but I find myself able to access some sites right now, and the avxp redirect doesn't seem to be coming up at the moment. Still can't access anything through google and I can't get to sites like forum.avast.com for some reason, I'm guessing the malware is preventing me from accessing known antivirus sites, but I do find myself able to access the internet somewhat (though it doesn't really do much good since I'm afraid to enter in any personal information, lest it be taken, haha).

One last strange thing I'd like to add, my homepage is set to MySpace but for some reason it slows down horribly and basically stops loading the home page when it tries to load the file analitic-checks.google.com. I don't remember ever seeing this in the past, and some of my problems are revolving around google searches right now, could there be something strange with that? I didn't think MySpace would use anything google on their homepage...

Okay, NOW one last strange thing that I forgot to bring up. When I first got this issue, the first thing I noticed is that somehow my Windows Firewall was disabled. Now it seems to be that my firewall is blocking certain things, like SAS or avast when I check for updates. Any chance there could be some sort of infection in my firewall?
« Last Edit: August 24, 2008, 03:46:43 AM by InazumaRaijin »

wyrmrider

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #28 on: August 24, 2008, 05:35:12 AM »
C:\WINDOWS\SoftwareDistribution\Download\b4cd5479e6b7c7d72dc9d60bcb26917f\BIT39.tmp\igsxrfin.lrc

try this SDFix
print the instructions
http://www.bleepingcomputer.com/forums/topic131299.html
you will have to dl and transfer to your machine

no warranty- your mileage may vary

http://download.bleepingcomputer.com/andymanchesta/SDFix_ReadMe.htm
« Last Edit: August 24, 2008, 05:37:59 AM by wyrmrider »

InazumaRaijin

  • Guest
Re: SERIOUS BUSINESS issues, please help!!!
« Reply #29 on: August 24, 2008, 06:01:55 AM »
Running SDFix right now, it says grep: isq: No such file or directory first off, so woohoo it seems to be catching some weird stuff! Anyway, forgot to mention one thing that I saw recently. I went into my temp folder and there was a folder for avast in it, so randomly I went in to check it. Inside was a .txt file, so I tried to open it. The file was empty, and for some reason it said that the file was still in use by another program. Strange indeed... haha, but anyway, yeah, running SDFix right now and praying it works. I miss my computer so much haha