# Google Redirection, BSODs on some full system scans

Jan 20, 2011
1. Hey there everyone! Boy am I getting tired of these insidious viruses. Remember when virus removal was as simple as running Norton or McAfee? Now it seems like everything you get requires expert help. Fortunately, there are indeed experts, like all of you! Consider this my thanks in advance for whoever can help me get rid of this one.

I've run an AVG antivirus scan, MBAM scan, and an AdAware scan on my machine prior to coming here for help. That cleaned up a lot of sludge - about 18 infections that MBAM found over the past 3 scans - but I'm still having redirection from Google. When I tried to run full system scans, 3 out of 4 times the scan would complete halfway, then result in a BSOD - either "MEMORY_MANAGEMENT" or "IRQL_NOT_LESS_OR_EQUAL". This has occurred in both normal mode and Safe mode. The full MBAM scan was finally completed in safe mode; I have not been able to successfully complete a full AdAware scan, only a quick scan. The AVG scan does not even complete a "Scan specific files or folders" scan, so I do not have an antivirus log. Seems like this little bug will go to some extreme lengths to keep itself from being found.

Anyway, before I post the logs, here's the checklist I followed from the stickied thread - I did have one question to clear up meaning I may have done one of the scans wrong.

1. 1. Antivirus Software - Check!*
2. 2. TFC - Check!
3. 3. MBAM - Check!**
4. 4. GMER - ????
5. 5. DDS - Check!

*I'm using AVG but can switch to Avira or Avast if those are more highly recommended. Cannot complete a scan but have tried in normal and safe modes.
**My log since starting the 8-step process on this forum had nothing in it. However, I had run MBAM previously the last couple of days in order to try to clear this up on my own, so I will attach those logs at the end of this post.
***I disabled protection from AdAware, and followed these instructions to disable AVG: http://www.ehow.com/how_5052104_disable-avg-antivirus.html. However, my log is quite short and references AVG, so I may have done this incorrectly. My apologies if that is the case.

Here are the requested logs.
MBAM:
GMER:
DDS Attach:
DDS:
And as promised, my MBAM logs that actually removed things.

Earlier today:

2. ### AlexG2490TS RookieTopic StarterPosts: 18

And two MBAM logs from yesterday:

Yesterday night:
Yesterday Morning:

3. ### BroniMalware AnnihilatorPosts: 52,895   +344

Welcome aboard

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=======================================================================

• Extract (unzip) its contents to your desktop.
• Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
• If an infected file is detected, the default action will be Cure, click on Continue.
• If a suspicious file is detected, the default action will be Skip, click on Continue.
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

4. ### AlexG2490TS RookieTopic StarterPosts: 18

I did the scan twice. The first time it found an infection but the computer bluescreened when I clicked the "Restart Now" button. This was not an issue the second time. Both logs are below. Google is still redirecting.

EDIT: I meant to ask... your instructions say to avoid running any tools or updates other than those you suggest; does that mean I need to disable automatic Windows Updates for now? Do I need to go a step further still and cease use of my computer until we have it cleaned? Should it be disconnected from the network when not in use?

First Scan

Second Scan:

6. ### BroniMalware AnnihilatorPosts: 52,895   +344

Yes to the 1st question. No to the others.

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop

======================================================================

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

7. ### AlexG2490TS RookieTopic StarterPosts: 18

How long should AppRemover take to kill AVG? I tried to run it before bed the last few nights, but it only ever got to about 10% through the removal. Today I left the machine all day - 12 hours - and it only reached 60%. Tomorrow when I go to work and am not using the machine I will try to let it run for 24 hours if it needs to but geez, that seems like a long time to remove one program. I just wondered if something else was amiss here.

9. ### AlexG2490TS RookieTopic StarterPosts: 18

I had a couple problems with these.

1. MBRCheck froze up the whole system when I tried to use it. If left for a few hours, when I came back the machine had bluescreened. Logs were still created, so I will post what I had.
2. ComboFix - I ran AVG remover successfully and disabled AdWatch live before starting ComboFix. Nonetheless, it said these two were still running, so I clicked OK, believing that the program would quit and I could verify that these were uninstalled. But instead of closing, a second dialog box appeared that again said both services were running, and that I was therefore running ComboFix "at my own risk". If there had been a cancel button on that dialog I would have stopped the process and asked before running it, but I never got the chance to change my mind. Hopefully that didn't hose the scan. Logs are below.

EDIT: Google redirection appears to have stopped. However, I'm still concerned by the bluescreening that happens when I run MBRCheck. I don't know the exact error reported by the bluescreen since my only indication when I return is the dialog that says "Windows recovered from a serious error."

MBRCheck:
ComboFix:
Rkill:

10. ### BroniMalware AnnihilatorPosts: 52,895   +344

You did fine, however MBRCheck log is incomplete.
It may be due to a fact, that your MBR is possibly infected.

Let's double check....

• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
• After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator).
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

11. ### AlexG2490TS RookieTopic StarterPosts: 18

OK, that seems to have completed OK. I did get an error in a dialog box:

Once I clicked OK, however, the scan completed without an issue. Here is the output:

12. ### BroniMalware AnnihilatorPosts: 52,895   +344

MBR looks fine.

If you're planning on reinstalling AVG, you have to uninstall Lavasoft Ad-Watch Live! Anti-Virus.
You can't be running two AV programs.

Combofix log looks good too.

How is redirection?

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Scan All Users checkbox.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

13. ### AlexG2490TS RookieTopic StarterPosts: 18

The redirection appears to have stopped. Here are my OTL and Extras files. Once we have everything cleaned, I want to talk to you about an ideal antivirus/anti-malware solution. I've tried a lot of the "big name" antivirus solutions - Norton, McAfee, AVG - but none of them have ever stopped anything like this latest adventure. They seem to pick up only the most basic viruses... anything with any stopping power gets right through, usually without even triggering the antivirus. I've heard really good things about Nod32 from Leo Laporte's TWiT podcast... does anyone have any experience (good or bad) with that product?

As to installing more than one AV, I know it's not recommended, but I haven't found anything as good as AdAware for getting rid of spyware, adware, and malware, an area that a lot of antivirus programs don't touch. However, I wouldn't trust AdAware as a complete security solution either. Is there a way to run AdAware only when I need, disabling its active scanning component to avoid the conflict? Thanks for any advice you can give me... your help has already been invaluable!

Logs in the next two posts...

Extras:

15. ### AlexG2490TS RookieTopic StarterPosts: 18

Extras Continued from above

OTL:

17. ### AlexG2490TS RookieTopic StarterPosts: 18

OTL Continued from above:

18. ### BroniMalware AnnihilatorPosts: 52,895   +344

Good news

A very simple answer. It doesn't exist
A human at the keyboard creates the biggest danger to the computer.
If the computer's operator habits are bad, nothing will protect you.
At the end of this topic I'll present you with some security hints.

Regarding Ad-aware...forget it. It's a tool of the past.

19. ### BroniMalware AnnihilatorPosts: 52,895   +344

You're free to reinstall your AVG now.

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

====================================================================

Run OTL
• Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
@Alternate Data Stream - 64 bytes -> C:\Users\Alex\Desktop\mypart2.mp3:TOC.WMV
@Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:05EE1EEF
@Alternate Data Stream - 1287 bytes -> C:\ProgramData\Microsoft:RwdTX1KUFp8aKUKOQThggRpKf
@Alternate Data Stream - 1241 bytes -> C:\ProgramData\Microsoft:FepSSYbZS47pD8gU2Vu8Q4tvDno
@Alternate Data Stream - 1181 bytes -> C:\ProgramData\Microsoft:CGIW1c8jY6NsClmT81j23Lm
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:0A8E2C33

:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

=======================================================================

Last scans....

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Please run a free online scan with the ESET Online Scanner

• Click Start
• IMPORTANT! UN-check Remove found threats
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• When the scan completes, push List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

20. ### AlexG2490TS RookieTopic StarterPosts: 18

I need a couple more days to get these scans and updates done. I've been working double shifts running tax forms for shareholders. Yaaaay tax season!

21. ### BroniMalware AnnihilatorPosts: 52,895   +344

No problem.
Thanks for letting me know

22. ### AlexG2490TS RookieTopic StarterPosts: 18

I'll get these done tomorrow during the day, I promise. Thanks for your patience.

23. ### BroniMalware AnnihilatorPosts: 52,895   +344

OK..............

24. ### AlexG2490TS RookieTopic StarterPosts: 18

OK, it's evening, not afternoon, but at least it's still today... for a whole 38 minutes more!

Checkup.txt:
OTL Log:
And ESET is running as I speak.

25. ### BroniMalware AnnihilatorPosts: 52,895   +344

You need to reinstall AVG.

Update Firefox to the latest 3.6.13 version.

Topic Status:
Not open for further replies.