Google redirect & cmd.exe unusable

By lady25
Apr 4, 2009
  1. Hi, a few days ago some Google search results started taking me to pseudo-random sites. I've since tried a bunch of common fixes found on forums, and have run into other problems. Common anti-virus sites are blocked, winamp has stopped working, automatic updates of anti-virus/spyware software does not work, and cmd.exe simply flashes the screen and does not do anything. However, if I rename cmd.exe to something else it works correctly. I have run Fixwareout, and run through the 8 steps outlined in the forum sticky (manually updating the definitions). Attached are the 3 logs requested. Thanks in advance for any help you can give!

  2. mflynn

    Hi Lady

    First boot to Safe Mode networking!

    Open SAS and UPDATE then click Preferences then Repairs then do the following fixes.

    Enable Windows Explorer options
    Internet Zone Security Reset
    Local page Reset
    Remove Explorer Policy Restrictions
    Remove Internet Explorer Policy Restrictions
    Remove WinOldApp policy restrictions
    Repair broken Network Connection (WinSock LSP Chain)
    Reset Desktop Components
    Reset Desktop Policies
    Reset URL PreFixes
    Reset Web Settings
    Reset Winlogon Shell
    Reset ZoneMap Settings
    User Agent Post Platform Reset
    User Agent reset

    See if you can get the below to work

    Go here and download to Desktop:

    Double click Fixer.exe to run it. This will extract a Fixer folder to the desktop.

    Then double-click to enter the Fixer folder.

    To run it, first double-click Daft, then click Scan, check any found items, click Fix, and then exit.

    Next dbl click Fixit.cmd to run it.

    Get back to us.
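    Several of the SAS "Repairs" listed above undo registry policy changes (Explorer and IE policy restrictions, WinOldApp policy, Winlogon Shell, URL prefixes). The script below is an added example, not part of mflynn's post or of SuperAntiSpyware: it reads the registry values behind those repairs and flags anything that differs from the Windows XP defaults assumed here. The key paths and value names are the documented policy locations a reviewer would check first; treating them as the complete list is an assumption.

```powershell
# Added example, not from the thread or from SAS: audit the registry values behind the
# "Repairs" above and flag anything that deviates from the XP defaults assumed here.
function Get-ShellPolicyState {
    $hkcuPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    $hklmPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
    $checks = @(
        # Winlogon: anything other than Explorer.exe / userinit.exe means the shell has been replaced.
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = 'Explorer.exe' }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe," }
        # Explorer / system policies: absent (or 0) is the default; 1 disables the feature.
        @{ Key = "$hkcuPol\System";   Name = 'DisableRegistryTools'; Expected = $null }
        @{ Key = "$hkcuPol\System";   Name = 'DisableTaskMgr';       Expected = $null }
        @{ Key = "$hkcuPol\Explorer"; Name = 'NoFolderOptions';      Expected = $null }
        @{ Key = "$hkcuPol\Explorer"; Name = 'NoRun';                Expected = $null }
        @{ Key = "$hklmPol\Explorer"; Name = 'NoFolderOptions';      Expected = $null }
        # WinOldApp policy (MS-DOS prompt) and the separate DisableCMD policy that blocks cmd.exe.
        @{ Key = "$hkcuPol\WinOldApp"; Name = 'Disabled'; Expected = $null }
        @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Expected = $null }
        # Prefix IE adds when you type a bare host name; default is http://.
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'; Name = '(default)'; Expected = 'http://' }
    )
    foreach ($c in $checks) {
        $props  = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
        $actual = if ($props) { $props.($c.Name) } else { $null }
        # A "null Expected" check passes when the value is missing or zero; otherwise compare as strings.
        $ok = if ($null -eq $c.Expected) { ($null -eq $actual) -or ($actual -eq 0) } else { "$actual" -eq "$($c.Expected)" }
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Actual = $actual; Expected = $c.Expected; OK = $ok }
    }
}

# Show only the values that look tampered with; an empty table means these particular repairs have nothing to do.
Get-ShellPolicyState | Where-Object { -not $_.OK } | Format-Table -AutoSize
```

    Run it before and after the SAS repairs: the "before" output tells you which restrictions the infection actually set, which is worth recording in the thread, and an empty "after" output confirms the repairs took.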

  3. lady25

    Is it normal for SAS to exit after each repair? I wasn't able to run the auto-update on it, also, although I did a manual update last night.

    Ran through the other steps. Daft did not find anything. Rebooted, and still have problems.
  4. mflynn

    No it was not supposed to exit!

    OK just to confirm you did run the fixit.cmd inside the Fixer folder?

    Ok do the below...

    Download ComboFix

    Get it here:
    Or here:

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    Download SDFix to Desktop.

    On the Desktop, run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.


    EDIT: Go here
    Extract zip and run RatsCheddar and Click to enable all!

  5. lady25

    Hi Mike,

    Strangely, after a ton of reboots after I first ran it (I didn't tap F8 at the right time, I guess), fixwareout finally ran something on startup, after which everything seemed to be working. Auto-updates are working again, cmd.exe is working, no more google redirects, etc.

    SDFix did not prompt a reboot (said something about not being able to find files) nor produce a log. I've attached my combofix and hijackthis log in case there's still something lurking.

    Should I run RatsCheddar still?

    Thanks so much for your help!
  6. mflynn

    Will not hurt anything to run it!

    Rename ComboFix.exe to 12cbf34.exe and run it again under that name. It had one finding so we need to be sure it is clean this time.

    Post the log.

    Looks like you are clean but ....

    The below will finish up hopefully.

    Go here Download DrWeb


    Boot to Safe Mode only! Not with Networking and run...

    DrWeb will first do an Express Scan on its own; when it completes, you should do a full scan.

    The first Virus it finds select Cure and it will use this as the default automatically for all the rest. What it can't fix will be Quarantined!

    This will take a while based on CPU and HD speed and size, but is worth it!

  7. lady25

    I ran DrWeb, and it came up with a bunch of entries. A lot of them were combofix and sdfix- should I ignore these? The rest were in C:\System Volume Information\restore{insert long number here}.
  8. mflynn

    Yes, ignore those; some of these tools (ComboFix, SDFix) look like malware to other tools.

    Looks like we are clean but my closing contains a deep Temp cleanup and a gentle Registry cleanup.

    Do the closing then reboot and evaluate the system and report back how it runs and anything remaining.

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by the Firewall. Approve in Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet, to allow all.

    If prompted to Reboot click, Yes.
    OTCleanit will delete itself when finished, If not delete it by yourself.

    Run CCleaner (you should already have this from 8 Steps) (get SLIM at bottom, no Yahoo toolbar).
    Run it twice or more on Cleaner for temps, then on the left click Registry, then Scan for Issues; also repeat till clean.

    Run ATF-Cleaner Temp and Registry, repeatedly until no more found.

    Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
    The issues can be, and likely are, found in System Restore, so do the below:

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point, but it also does one other thing, clearing something that can contain infested files and take a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    Add a redundant Reg backup: get and install ERUNT, let it add itself to startup, and do a backup on install; check all boxes.

    Yes! Even if you use system restore and other backups Registry and Images.

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you, to help you determine whether to approve or not, you can google the prompt with one click.
    Look at

    Run SpyBot occasionally and use the Immunize function.

    I highly recommend Hostman.

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

  9. Bobbye

    I would not have closed this thread yet:

    First, Ad-Watch was running during the scans. Real Time Protection is supposed to be temporarily disabled for the scans, in order to get accurate information:
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    I would also have stopped this and run LSPFix:
    O20 - AppInit_DLLs: WIKI.DLL
    There is no information available online.

    Regarding the reference to "C:\System Volume Information\restore{insert long number here}."
    When this is seen in a malware cleaning log, it means that the malware has gotten into the restore points. The user should be advised NOT to use System Restore because of it. Old restore points are removed at the END of cleaning.

    Update Adobe: Most current version: Adobe Reader 9.1
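    The O20 line Bobbye flags is HijackThis's report of the AppInit_DLLs registry value, which lists DLLs the loader injects into every process that loads user32.dll. The script below is an added example, not from Bobbye's post or from HijackThis: it enumerates that value on the live system and gathers the facts a log reviewer wants before deciding whether an entry like WIKI.DLL stays (where the loader would find the file, whether it exists, and whether it carries a valid Authenticode signature). The directory search order is an assumption covering the locations worth checking first, not the loader's full search algorithm.

```powershell
# Added example, not from the thread or from HijackThis: review the entries behind an
# "O20 - AppInit_DLLs" finding on the live system.
function Resolve-DllPath {
    param([string]$Name)
    # Bare names such as WIKI.DLL are resolved by the loader through the DLL search path;
    # the directories below are an assumption covering the usual suspects.
    if (Test-Path -LiteralPath $Name -PathType Leaf) { return (Resolve-Path -LiteralPath $Name).Path }
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot, (Get-Location).Path)) {
        $candidate = Join-Path $dir $Name
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Get-AppInitDlls {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64 Windows
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Entries are separated by spaces, commas or semicolons; an empty value is the clean default.
        $entries = [string]$props.AppInit_DLLs -split '[ ,;]+' | Where-Object { $_ }
        foreach ($entry in $entries) {
            $resolved = Resolve-DllPath -Name $entry
            [pscustomobject]@{
                Key      = $key
                Entry    = $entry
                Resolved = $resolved
                Signed   = if ($resolved) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'file not found' }
                # Vista and later only honour AppInit_DLLs when LoadAppInit_DLLs is 1; XP has no such switch.
                LoadFlag = $props.LoadAppInit_DLLs
            }
        }
    }
}

Get-AppInitDlls | Format-List
```

    An entry that resolves to nothing is a leftover from something already removed; one that resolves to an unsigned file in the Windows directory with no vendor you can identify is the case where you would pull the file for a second opinion before deleting it.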
  10. mflynn

    Thanks for the help Bobbye

    All of the major cleanups were done in Safe Mode which negates adwatch and other protections.

    Adobe is not malware, so I was not after that! It would be good to update it, or better, uninstall it and install Foxit!

    wiki.dll belongs to CS-Wiki likely unused but legit.

    So comb through it again, because I could have missed something!

  11. nirvana1959

    Thanks a lot MFLYNN!!!

    My symptoms were different (got hit by ROOTKIT) but I followed your steps. Voila! Back to normal now!
  12. mflynn

    You are so welcome!

    But I could not have done it without Bobbye!

  13. Bobbye

    Mike, I always throw the Adobe and Java updates in. They aren't technically part of malware cleaning, although Java is one of the steps. But most of the updates are for security vulnerabilities, so I try to keep them current.

    Cutting down on Startup isn't part of malware cleaning either! But I volunteer the time occasionally.
  14. tastywart

    Google Redirect and CMD.exe broken ,Trojan-PWS.Delf!IK...Here is how I fixed this one

    I had the same problem.... I used ALL of the suggestions listed here and many more but none worked (didn't even find one virus).... mainly because cmd.exe and other programs used by the various antispy/virus programs were "broken". This virus runs in safe mode as well so that didn't help. ...So here is what worked...

    Download Process Monitor from microsoft sys internals

    Download Killbox from

    You may need to download to a thumbdrive from a different computer, as the redirects are relentless, especially for anything antivirus-related, which just comes up with blank pages.

    Find the naughty files... So now run Process Monitor and then do a Google search in your web browser. Back in Process Monitor, scroll to the bottom of the Process Monitor screen and you will see two files that are opened, written, and closed over and over, hundreds of times. Click on one of each and write down the name and location. (You may need to stop Process Monitor from capturing just to have a chance to read.) Mine were c:\windows\system32\sqlsodbc.chm and c:\windows\hpupsuw.uio. These are normal files that have been borrowed and corrupted by the virus. I've also seen references to SYSAUDIO.SYS used in this virus.

    And KILL them!... Now close Process Monitor and your web browser and run Killbox. Select "Replace on Reboot" and "Use Dummy", and click "Multiple Files". Put the path to the first file you found in "Full Path of File to Delete" (mine was c:\windows\system32\sqlsodbc.chm), then click the red circle with the X. A message will say "The file will be replaced on reboot. Reboot now?"; say No, and enter your second file into the path box (mine was c:\windows\hpupsuw.uio). Then make sure Use Dummy is checked and hit the red X again, and this time let it reboot.

    In my case, the virus was then completely disabled: no redirects, and cmd.exe worked. I ran ComboFix, which found 4 numbered DLLs labeled as 161491571.dll and similar; it is called "Trojan-PWS.Delf!IK".

    all other scans afterwards by various products came up clean.

    Hope it works for you... 3days and 15 minutes! for me... what a waste!
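    Reading the hot files off a scrolling Process Monitor display is hard, as the post says. The script below is an added example, not part of tastywart's post or of Process Monitor or Killbox: it takes a Procmon CSV export (File > Save... > CSV) and ranks paths by how many file operations touch them, so the files being opened, written and closed in a loop rise to the top. It assumes Procmon's default CSV columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the sample rows are constructed for illustration, reusing the two file names from the post. The second function checks the PendingFileRenameOperations value, on the assumption that Killbox's "Replace on Reboot" queues its work through the same mechanism Windows uses for MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT.

```powershell
# Added example, not from the thread: find the files a Procmon capture shows being hammered in a loop,
# and confirm a reboot-time deletion/replacement is actually queued before rebooting.
function Get-HotFiles {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # rows from Import-Csv / ConvertFrom-Csv
        [int]$Top = 10,
        [string[]]$FileOps = @('CreateFile', 'ReadFile', 'WriteFile', 'CloseFile', 'SetDispositionInformationFile')
    )
    $Events |
        Where-Object { $FileOps -contains $_.Operation -and $_.Path -match '^[A-Za-z]:\\' } |
        Group-Object -Property Path |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property @{ n = 'Count'; e = { $_.Count } },
            @{ n = 'Writes';    e = { @($_.Group | Where-Object { $_.Operation -eq 'WriteFile' }).Count } },
            @{ n = 'Processes'; e = { @($_.Group | ForEach-Object { $_.'Process Name' } | Select-Object -Unique) -join ',' } },
            @{ n = 'Path';      e = { $_.Name } }
}

function Get-PendingFileRenames {
    # Assumption: Killbox queues its "replace on reboot" job the way MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) does,
    # as (source, destination) pairs in this REG_MULTI_SZ; an empty destination means "delete at next boot".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -LiteralPath $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    for ($i = 0; $i -lt @($ops).Count; $i += 2) {
        [pscustomobject]@{ Source = $ops[$i]; Destination = $ops[$i + 1] }
    }
}

# Constructed sample capture: one open/write/close loop per suspect file, repeated 200 times, plus two unrelated rows.
$header = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"'
$loop = @'
"10:01:02.0000001 AM","iexplore.exe","1234","CreateFile","C:\WINDOWS\system32\sqlsodbc.chm","SUCCESS","Desired Access: Generic Write"
"10:01:02.0000002 AM","iexplore.exe","1234","WriteFile","C:\WINDOWS\system32\sqlsodbc.chm","SUCCESS","Offset: 0, Length: 512"
"10:01:02.0000003 AM","iexplore.exe","1234","CloseFile","C:\WINDOWS\system32\sqlsodbc.chm","SUCCESS",""
"10:01:02.0000004 AM","iexplore.exe","1234","CreateFile","C:\WINDOWS\hpupsuw.uio","SUCCESS","Desired Access: Generic Write"
"10:01:02.0000005 AM","iexplore.exe","1234","WriteFile","C:\WINDOWS\hpupsuw.uio","SUCCESS","Offset: 0, Length: 64"
"10:01:02.0000006 AM","iexplore.exe","1234","CloseFile","C:\WINDOWS\hpupsuw.uio","SUCCESS",""
'@
$noise = @'
"10:01:02.0000007 AM","iexplore.exe","1234","CreateFile","C:\Documents and Settings\user\Cookies\index.dat","SUCCESS","Desired Access: Generic Read"
"10:01:02.0000008 AM","iexplore.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs","SUCCESS","Type: REG_SZ"
'@
$rows = (@($header) + (1..200 | ForEach-Object { $loop }) + $noise) -join "`n" | ConvertFrom-Csv

Get-HotFiles -Events $rows -Top 5 | Format-Table -AutoSize
# Against a real capture:  Get-HotFiles -Events (Import-Csv .\Logfile.CSV) -Top 10
# After scheduling the deletions in Killbox, before rebooting:  Get-PendingFileRenames
```

    In a real capture, filter Procmon to the browser process first so the ranking is not dominated by the browser's own cache files; a file in the Windows directory with an odd extension and hundreds of writes from a browser is the signal the post describes, and a Writes column of zero for a path with a high Count points at a file that is only being read (a cache or library), not one the malware is using as scratch space.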
  15. Bobbye

    tastywart- gad, what a name! We have a virus and malware cleaning process that we use first. Logs are then reviewed and handled as needed; additional programs are run as appropriate. Understand that each infection is specific to the system it's on, and the help we give that person is specific to that person. One thing that is found fairly often is that users run Malwarebytes but don't check for the removal of the entries. So even though the entries were found, if we don't SEE the logs to tell them to go back to remove, they don't get rid of the malware.

    Perhaps that sort of thing is what happened to you.

    No one is advised to run ComboFix unless told to. I will not speak for what was suggested by the other member. But I have a pretty good idea that if you had come here, gone through the steps that we lay out and followed our directions, you might have solved "your" problem in a more timely manner!
  16. jdub1234

    RE: Google Redirect and CMD.exe broken ,Trojan-PWS.Delf!IK...Here is how I fixed this

    Hi all,
    With all due respect for the in-depth removal process posted on this page, I have to say tastywart's info was fantastic. Resolved within 5 min of my user complaining. :)
  17. Bobbye

    Wow and you didn't even post the question!

    FYI: we follow a process here:
    And assistance is provided specifically for the user with the problem on THEIR system.
    We don't do "group" malware cleaning!