TechSpot

Google redirect, spyware/malware problem

By gman123
Jan 29, 2009
  1. Google redirects me to different unwanted pages such as eBay and connectcurrent. This has only started recently. I have attached the logs from Malwarebytes' Anti-Malware, SUPERAntiSpyware and HijackThis. I would appreciate any help or advice. Cheers.
     


  2. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    Has anyone got any ideas? It's pretty annoying, as I think my computer is going slower as well. Cheers.
     
  3. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi gman123

    Sorry you got overlooked. Here you go!

    Run HJT, Scan only, then select and remove the line below:
    O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat

    You ran MBAM but exited without deleting the malware it found, as evidenced by the "No Action taken" in the log.

    So UPDATE MBAM and do a FULL scan; this time remove the found items.

    UPDATE SAS also, run another Quick scan and select and remove the tracking cookies.

    Post both logs.

    Mike
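    The O20 line above is an AppInit_DLLs entry: every file named in that registry value is loaded into every process that links user32.dll, which is why a redirector hides there. The following PowerShell check is an added example, not code from this thread or from HijackThis; it lists what the value currently holds, where each entry resolves, whether the file exists and whether it carries a valid Authenticode signature, and changes nothing. It assumes an elevated PowerShell prompt on the affected machine. Catalog-signed Microsoft files report NotSigned on XP, Vista and 7, so on those systems the path and extension checks are the primary signal.

```powershell
# Added example (not from the thread): enumerate AppInit_DLLs persistence, the
# mechanism behind the "O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat" line
# HijackThis reported. Read-only; run from an elevated PowerShell prompt.

function Get-AppInitDlls {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 64-bit hosts only
    )
    $results = @()
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $raw   = [string]$props.AppInit_DLLs
        # LoadAppInit_DLLs exists from Vista on; XP honours the list unconditionally.
        $load  = if ($null -ne $props.LoadAppInit_DLLs) { [int]$props.LoadAppInit_DLLs } else { 1 }
        # Entries are separated by spaces or commas.
        foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ -ne '' })) {
            # A bare file name resolves against System32, where the loader looks first.
            $path = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $env:SystemRoot "System32\$entry" }
            $exists = Test-Path -LiteralPath $path
            # Catalog-signed Microsoft files show NotSigned on XP/Vista/7 (see lead-in).
            $sig = if ($exists) { [string](Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            # A karna.dat-style entry fails the extension test even when the file exists.
            $suspicious = (-not $exists) -or ($sig -ne 'Valid') -or ($path -notmatch '\.dll$')
            $results += New-Object PSObject -Property @{
                Key        = $key
                Enabled    = ($load -eq 1)
                Entry      = $entry
                ResolvedTo = $path
                Exists     = $exists
                Signature  = $sig
                Suspicious = $suspicious
            }
        }
    }
    $results | Select-Object Key, Enabled, Entry, ResolvedTo, Exists, Signature, Suspicious
}

Get-AppInitDlls | Format-Table -AutoSize
```

    An empty table is the expected state on a clean home machine. If an entry is flagged, clearing it is `Set-ItemProperty -Path $key -Name AppInit_DLLs -Value ''` (the same thing the HJT fix does), followed by a reboot and a second run: a value that reappears means a running component is rewriting it and the file itself still has to be found.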
     
  4. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    Thanks for the reply. I have carried out the updates and searches and enclosed the logs.
     
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, looks good, but do the below!

    Update, then run a SAS Quick scan and put a check to remove the tracking cookies.

    Then

    Click Preferences-Repairs
    Then, counting down from the top, do the following entries:
    Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Reboot, then test for Google redirecting! Let me know!

    Give me a status report on how computer is running

    Mike
     
  6. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    thanks mike.
    I made the repairs and carried out a further scan to which ive added the log. My homepage on the internet has changed to msn and the google redirecting still occuring. For example, if i search for any common internet search the results are described as the page i require but the links send me to BlinkX search and other links.
    cheers for your help
     
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, for the last few days it has taken SDFix and ComboFix to get completely clean, so why should you be an exception?

    They don't take nearly as long to do.

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    Open My Computer, then double-click the C: drive to open it.

    Look for a folder called SDFix. Double-click to enter it.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If the copy of ComboFix you have is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  8. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    cheers mike.
    I ran the SDFix and have enclosed the log. I also ran HijackThis again and enclosed the log. I was not able to install ComboFix, as each time I tried my antivirus software detected a trojan horse and I got a message from Internet Explorer.
     
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Just as I thought! More.

    Right-click and disable the virus scanner to run ComboFix.

    If that doesn't work......

    Boot to Safe Mode and run ComboFix, as it will find more based on what SDFix found.

    Mike
     
  10. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    cheers mike.
    Combofix worked. I have enclosed the log
     


  11. mflynn

    mflynn TS Rookie Posts: 2,655

    OK looks good.

    Get me another fresh HJT log.

    Get me a status report on the original problem and how computer is now running in general.

    Mike
     
  12. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    Same redirecting issues as before. This happens on all search engines. The computer in general is a bit slow but otherwise OK. All of my anti-spyware and antivirus programs were temporarily disabled for the ComboFix scan... shall I enable them again now? I have enclosed the requested HijackThis log.
    Cheers
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    OK

    Boot to Safe Mode and do all below.

    Left-drag the mouse to select, and copy for pasting, all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt. All may not apply, so ignore errors.
    Code:
    @echo off
    cd\
    :: Fix associations (the malware breaks these so that removal tools cannot be run)
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: The above sc commands first stop, then delete, the service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    :: The above reg commands first unload the reg keys, then delete them.
    ::
    attrib -h -s -r tdss*.* /s
    del tdss*.* /f /q /s
    :: The above two lines first clear the protective attributes, then
    :: delete all files on the drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s /q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    :: Paths containing spaces must be quoted or cmd splits them at the space
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del "c:\program files\xwdxqu.txt" /f /q
    del c:\windows\x /f /q
    del c:\windows\SxsCaPendDel /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    :: The service name is gaopdxserv.sys (matches the Services registry key deleted below)
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
    del /f /q "c:\program files\Common Files\System\u_lehj32.dll"
    
    attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    
    del /f /q "C:\WINDOWS\system32\svcprs32.exe"
    del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    :: Remove the service key from the stored control set and from the live one
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    :: /v names the single value to remove; without it reg refuses the command
    :: rather than touching the whole Run key
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations again, in case anything re-broke them while the above ran
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This is a coverall and may give errors as it tries to delete/stop certain malware files etc. that you do not have. This is no problem. The process should run, then exit back to the desktop.

    Reboot and test for the problem.

    Mike
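    The coverall script above deletes blindly, and the only feedback it gives is a stream of "file not found" errors. The PowerShell check below is an added example, not part of the thread: it tests, read-only, for every service, registry key, Run value, file and file-name prefix the script targets, so you can see which parts apply before running it and, more usefully, which survive a reboot afterwards. Every name in it is taken from the script; nothing else is assumed beyond a PowerShell prompt on the affected machine. A user-mode check like this cannot see what a kernel rootkit hides, so an empty result is not proof, but an indicator that comes back after the script ran is a reliable sign that a driver component is still alive.

```powershell
# Added example (not from the thread): read-only presence check for the
# indicators the coverall batch script deletes. Run before the script, and
# again after the reboot that follows it.

$services  = 'TDSSserv.sys', 'gaopdxserv.sys', 'WinSvchostManager', 'ntndis', 'u_lehj'
$regKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata',
    'HKLM:\SOFTWARE\tdss',
    'HKLM:\SOFTWARE\swearware',
    'HKCU:\Software\Wget',
    'HKCU:\Software\75319611769193918898704537500611',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}',
    'HKLM:\SOFTWARE\Classes\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}',
    'HKLM:\SOFTWARE\Classes\gaopdxvx'
)
$runValues = '75319611769193918898704537500611', 'ieupdate'
$files     = @(
    "$env:SystemRoot\system32\ieupdates.exe",
    "$env:SystemRoot\system32\scui.cpl",
    "$env:SystemRoot\system32\winsrc.dll",
    "$env:SystemRoot\system32\svcprs32.exe",
    "$env:SystemRoot\system32\mdmcls32.exe",
    "$env:SystemRoot\system32\drivers\ntndis.sys",
    "$env:SystemRoot\system32\drivers\ntndis.exe",
    "$env:ProgramFiles\Antivirus 2009",
    "$env:ProgramFiles\Common Files\System\u_lehj32.dll",
    "$env:ProgramFiles\xwdxqu.txt",
    "$env:SystemRoot\x",
    "$env:SystemRoot\SxsCaPendDel"
)

function Test-Indicators {
    $hits = @()
    foreach ($svc in $services) {
        # Ask both the service control manager and the registry: a rootkit can
        # hide the service from one while the other still shows it.
        $scm = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $key = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if ($scm -or $key) { $hits += "service  $svc (SCM=$([bool]$scm), registry=$key)" }
    }
    foreach ($k in $regKeys) {
        if (Test-Path $k) { $hits += "regkey   $k" }
    }
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    foreach ($v in $runValues) {
        if ($run -and $run.PSObject.Properties[$v]) { $hits += "runvalue $v = $($run.$v)" }
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $hits += "file     $f" }
    }
    # The script wipes tdss*.* drive-wide, and the gaopdx driver names are
    # random suffixes, so match the prefixes rather than the two names listed.
    foreach ($dir in "$env:SystemRoot\system32", "$env:SystemRoot\system32\drivers") {
        foreach ($pattern in 'tdss*', 'gaopdx*') {
            foreach ($m in (Get-ChildItem -Path $dir -Filter $pattern -Force -ErrorAction SilentlyContinue)) {
                $hits += "pattern  $($m.FullName)"
            }
        }
    }
    return $hits
}

$found = @(Test-Indicators)
if ($found.Count -eq 0) { 'No indicators from the script present (user-mode view).' } else { $found }
```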
     
  14. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    Then paste to the black screen of an open command prompt????
    Sorry, what do you mean by this? Also, will I have to copy and paste the commands to a Word document before I reboot in Safe Mode? Doesn't it stop you using the internet?
     
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    No!

    Copy only the text inside the box!

    Command prompt
    Start-Run
    type
    cmd
    click OK

    Command prompt opens

    Paste at the C: prompt.

    Mike
     
  16. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    I think I have done what you requested. I booted to Safe Mode and copied the text from the box into the command prompt. It didn't exit back onto the desktop when it was done, though. It said, a few lines up from the last lines of text, "the operation completed successfully". Then nothing happened, so I closed the command prompt and rebooted. The redirecting problems are still there, unfortunately.
    Cheers
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok go back to post #5 above and do it again.

    Make sure to Update SAS first.

    I have edited it, and the other things we have run have affected it.

    Mike
     
  18. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    Thanks for your help, and I'm sorry for the hassle. I did post 5 again and rebooted, but I'm still having the redirecting problems.
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, no problem, some of these can be stubborn, but we will get it!

    Left-drag the mouse to select, and copy for pasting, all the text in the box below.
    Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt.
    Code:
    @echo off
    ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.txt"
    :: Saves IP settings (:: is the comment marker cmd accepts at the prompt)
    netsh interface ip delete arpcache
    ipconfig /flushdns
    ipconfig /release *
    ipconfig /renew *
    ipconfig /registerdns
    nbtstat -RR
    netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
    :: saves a log of the current Winsock settings
    netsh winsock reset catalog
    :: resets Winsock
    netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
    :: Winsock after reset, appended to the same log
    netsh int ip reset >"%USERPROFILE%\Desktop\tcpreset.txt"
    :: reset TCP stack
    exit
    exit
    
    Reboot, see the new icons on the desktop, and paste the contents of lsp.txt and tcpreset.txt back to the thread.

    And a new status!
    Mike
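    The script above resets Winsock and the TCP/IP stack without first showing what was there, and a search redirect has three other common homes the reset does not touch: per-interface DNS servers, the hosts file, and the browser proxy/auto-config settings. The PowerShell triage below is an added example, not code from this thread; it reads all four places and prints only what looks wrong, changing nothing. Assumptions: it runs on the affected machine, the `netsh winsock show catalog` output is in English (it parses the "Provider Path:" lines), and, as with all signature checks on XP/Vista/7, catalog-signed Microsoft DLLs show NotSigned, so the path test is the decisive one there. If HostsMan has been used, expect thousands of loopback entries in the hosts file; those are counted, not listed.

```powershell
# Added example (not from the thread): read-only triage of the places a search
# redirect usually lives: DNS settings, hosts file, proxy, Winsock LSPs.

function Get-RedirectSurface {
    $report = @()

    # 1. DNS servers per interface. A static NameServer that differs from what
    #    DHCP handed out (DhcpNameServer) is the classic DNS-changer pattern.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in (Get-ChildItem $ifRoot)) {
        $p = Get-ItemProperty $iface.PSPath
        if ($p.NameServer) {
            $report += "DNS   $($iface.PSChildName): static NameServer=$($p.NameServer) (DHCP gave: $($p.DhcpNameServer))"
        }
    }

    # 2. hosts file. Loopback/null targets are a block list; a name mapped to
    #    any other address is a redirect, whatever the name is.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $blocked = 0
    foreach ($line in (Get-Content $hosts -ErrorAction SilentlyContinue)) {
        if ($line -notmatch '^\s*(\d{1,3}(\.\d{1,3}){3})\s+(\S+)') { continue }
        $addr = $matches[1]; $name = $matches[3]
        if ($addr -match '^(127\.|0\.0\.0\.0)') { $blocked++ } else { $report += "HOSTS $name -> $addr" }
    }
    if ($blocked) { $report += "HOSTS $blocked block-list entries (loopback/null target), not listed" }

    # 3. Proxy settings. A ProxyServer or AutoConfigURL the user never set routes
    #    every browser request through an endpoint the attacker chose.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($ie.ProxyEnable -eq 1 -and $ie.ProxyServer) { $report += "PROXY ProxyServer=$($ie.ProxyServer)" }
    if ($ie.AutoConfigURL) { $report += "PROXY AutoConfigURL=$($ie.AutoConfigURL)" }

    # 4. Winsock LSPs, which is what 'netsh winsock reset catalog' clears. Every
    #    provider DLL should live under System32; a third-party DLL here sees
    #    every socket the browser opens.
    $paths = @()
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match 'Provider Path:\s*(.+)$') {
            $paths += [Environment]::ExpandEnvironmentVariables($matches[1].Trim())
        }
    }
    foreach ($dll in ($paths | Sort-Object -Unique)) {
        # Catalog-signed Microsoft DLLs report NotSigned on XP/Vista/7 (see lead-in).
        $status = if (Test-Path -LiteralPath $dll) { [string](Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }
        if ($dll -notlike "$env:SystemRoot\system32\*" -or $status -ne 'Valid') {
            $report += "LSP   $dll ($status)"
        }
    }
    return $report
}

$r = @(Get-RedirectSurface)
if ($r.Count -eq 0) { 'Nothing unusual in DNS, hosts, proxy or the Winsock catalog.' } else { $r }
```

    Run it once before the reset script and once after the reboot. A DNS or proxy finding that is identical on both runs means the reset was never going to help, because neither `netsh winsock reset` nor `netsh int ip reset` rewrites a static NameServer or the Internet Settings key; those have to be cleared by hand once the component that set them is gone.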
     
  20. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    thanks very much mike,
    lsp and tcpreset attached
    same issues as before
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    Run CCleaner again, twice or more, on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more are found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    -------------------------------------------------------------------------------------
    The issues can be, and likely are, found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "While Cleaning at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure", then OK to run.

    As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears something that can contain infected files and take a huge amount of disk space.

    It clears what are known as Shadow Copies, which are used by specialized backup programs.

    This is if you have the Volume Shadow Copy service running, which is the default.

    Download: HostsMan http://majorgeeks.com/HostsMan_d4592.html

    Download, install and run it, allow it to disable the DNS Client, select all Hosts files, and then Update and install all Hosts files.

    Reboot and test.

    Mike
     
  22. gman123

    gman123 TS Rookie Topic Starter Posts: 26

    Hi mike, cheers for the help and sorry bout the delay since my last post.
    I did everything you asked; however, the redirect issues are still evident. Also, I have noticed that the internet pages expire on secure web pages... I am not sure if this is linked or not.
    Thanks, gman123
     
  23. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Gman

    Update but do not run MBAM and SAS! Then unplug network cable or turn off Modem and router if you have one.

    Now

    Left-drag the mouse to select, and copy for pasting, all the text in the box below.
    Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt.
    Code:
    @echo off
    ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.txt"
    :: Saves IP settings (:: is the comment marker cmd accepts at the prompt)
    netsh interface ip delete arpcache
    ipconfig /flushdns
    ipconfig /release *
    ipconfig /renew *
    ipconfig /registerdns
    nbtstat -RR
    netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
    :: saves a log of the current Winsock settings
    netsh winsock reset catalog
    :: resets Winsock
    netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
    :: Winsock after reset, appended to the same log
    netsh int ip reset >"%USERPROFILE%\Desktop\tcpreset.txt"
    :: reset TCP stack
    exit
    exit
    
    Reboot, see the new icons on the desktop, and paste the contents of lsp.txt and tcpreset.txt back to the thread once we plug the cable back in, but leave it unplugged until the entire post is complete, then replug.

    Once the above is complete do the below.

    Run SAS (done before but not with cable unplugged)
    Click Preferences-Repairs
    Then counting down from top do the following entries

    Numbers 6, 8, 11, 12, 13, 15,18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Then run Quick scan with both MBAM and SAS!

    Plug up and post the last logs run while unplugged.

    In MBAM click logs get me the last one, in SAS Preferences-Statistics/logs. last one.

    Mike
     
  24. scriptordie

    scriptordie TS Rookie

    I haven't seen this mentioned

    Do a search in your %systemroot%\system32 directory for wdmaud.sys if there is one there, delete or rename it. This is a valid file in the %systemroot%\system32\drivers directory, but it shouldn't be in System32. All instances I've found in System32 are the cause of the recent browser redirects in my environment. I had about 4 machines in my network with that problem and deleting that file on the machines in question fixed it.
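    scriptordie's point generalises: a kernel driver belongs in System32\drivers, so a file directly in System32 that reuses a driver's name is either harmless clutter (identical bytes) or a look-alike planted where a search by name will find "the real one". The PowerShell check below is an added example, not from the thread or any vendor; it pairs every .sys in System32 with its namesake in System32\drivers, compares SHA-256 hashes and Authenticode status, and flags the pairs whose bytes differ. It is read-only and assumes a PowerShell prompt on the affected machine. Catalog-signed Microsoft drivers report NotSigned on XP/Vista/7, so the hash comparison, not the signature, is the primary signal there, and a file hidden by a kernel rootkit will not be listed at all.

```powershell
# Added example (not from the thread): find files in System32 that shadow a
# driver name from System32\drivers, the wdmaud.sys pattern described above.

function Find-DriverNameShadows {
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $drivers = Join-Path $sys32 'drivers'
    $sha     = [Security.Cryptography.SHA256]::Create()

    function Get-Sha256([string]$path) {
        $fs = [IO.File]::OpenRead($path)
        try { [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
        finally { $fs.Close() }
    }

    # Index the names that legitimately live in drivers\ (hidden/system files included).
    $known = @{}
    foreach ($d in (Get-ChildItem -Path $drivers -Filter '*.sys' -Force)) { $known[$d.Name.ToLower()] = $d.FullName }

    $findings = @()
    foreach ($f in (Get-ChildItem -Path $sys32 -Filter '*.sys' -Force)) {
        $key = $f.Name.ToLower()
        # win32k.sys and friends live in System32 by design and have no twin; skip them.
        if (-not $known.ContainsKey($key)) { continue }
        $legit = $known[$key]
        $same  = (Get-Sha256 $f.FullName) -eq (Get-Sha256 $legit)
        # Identical bytes: a stray duplicate. Different bytes under a trusted
        # name: the wdmaud.sys case, investigate (and keep a copy before deleting).
        $findings += New-Object PSObject -Property @{
            Name        = $f.Name
            StrayCopy   = $f.FullName
            Legitimate  = $legit
            SameContent = $same
            StraySig    = [string](Get-AuthenticodeSignature $f.FullName).Status
            LegitSig    = [string](Get-AuthenticodeSignature $legit).Status
            Verdict     = $(if ($same) { 'duplicate' } else { 'INVESTIGATE' })
        }
    }
    $findings | Select-Object Name, SameContent, StraySig, LegitSig, Verdict, StrayCopy, Legitimate
}

Find-DriverNameShadows | Format-Table -AutoSize
```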
     
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    Thanks scriptordie excellent!

    I have had it sometime in the past, but for some other reason, and forgot about it.

    Mike
     
Topic Status:
Not open for further replies.
