Solved Google redirection, cmd.exe, regedit.exe not working

Status
Not open for further replies.

FlyerPhil

Hi,

Hopefully somebody here will be able to help me sort the problems I'm having on a laptop.
Browsing to google redirects to another IP address (infected hosts file?) and cmd and regedit executables don't run.

I've attached the relevant log files (pasting caused the message to be too long!) as requested in the preliminary removal instructions post.

Thanks for any help you can give me!

Phil
 

Attachments

  • mbam-log-2010-05-05 (14-48-24).txt (114.9 KB)
  • gmer.log (7.6 KB)
  • DDS.txt (10.9 KB)
  • Attach.txt (17.8 KB)
Phil, Both McAfee and Avast are loading in the system. Please remove one of them. Here are tools to help- download only the one for the program you are not going to keep:
Avast Removal
McAfee Removal
=========================
At the top of the DDS log, it shows what security is running and what has been disabled. Your report has the following:
AV: Windows System Suite *On-access scanning enabled* (Updated) {2B9C6ABA-FBC3-45BE-862C-74DD8F5D4A41}
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Windows System Suite *enabled* {EACCD1F1-868E-4E5F-A4A1-7E8110FF165E}


Windows System Suite is a rogue program. Windows System Suite will also hijack the Internet Explorer and Firefox search functions so that instead of searching with your normal search engine, it will instead search using the Search-gala.com site.

You can view the images of this program HERE. Malwarebytes has removed many of the entries for this.
=================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
==================
Download HijackThis HERE and save it.
  • Double-click on the saved file.
  • When it runs it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis.
  • When the installation has finished, HijackThis will automatically launch.
  • When the license agreement appears, select I accept and then click on the Do a system scan only button.
  • When the scan is complete, click on the Save Log button to create a log of your information.
  • Paste the log into your next reply.
=========================
Both Java and Adobe Reader are way out of date. Most of the updates cause vulnerabilities, so download and install the latest updates, then uninstall the older versions in Add/Remove Programs:
  • Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities. Current version is v9.xx. You have both v6.1 and v6.2.
  • Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions. Current is v6u14. You have Java 2 Runtime Environment, SE v1.4.2_03. You should have Java v6u20.
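The three DDS header lines quoted above are what the helper read by eye: two AV products registered at once, one of them disabled and outdated, and the same product name sitting in both the AV and FW slots. The script below is an added example, not part of the thread or of the DDS tool, that parses lines in that exact format and reproduces those checks. The sample header is the thread's own three lines embedded as a string; the KNOWN_ROGUE set is an illustrative list seeded from the thread, and the regex is my reading of the "KIND: name *state* (Updated|Outdated) {GUID}" layout rather than a specification published by the tool's author.

```python
import re

# Constructed sample: the three lines quoted from the poster's DDS header in
# this thread, embedded as a literal so the example runs offline.
SAMPLE_DDS_HEADER = """\
AV: Windows System Suite *On-access scanning enabled* (Updated) {2B9C6ABA-FBC3-45BE-862C-74DD8F5D4A41}
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Windows System Suite *enabled* {EACCD1F1-868E-4E5F-A4A1-7E8110FF165E}
"""

# Product names the thread identifies as rogue. Illustrative only; a real
# triage script would load this from a maintained list.
KNOWN_ROGUE = {"windows system suite"}

# Assumed layout of a DDS security-product line:
#   KIND: Product Name *state text* (Updated|Outdated) {GUID}
# The "(Updated)" part is only present on AV lines.
LINE_RE = re.compile(
    r"^(?P<kind>AV|FW|SP): (?P<name>.+?) "
    r"\*(?P<state>[^*]+)\*"
    r"(?: \((?P<updated>Updated|Outdated)\))? "
    r"(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$"
)


def parse_dds_header(text: str) -> list:
    """Return one dict per AV/FW/SP line; lines that do not match are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            # "On-access scanning disabled" / "disabled" both mean off.
            d["enabled"] = "disabled" not in d["state"].lower()
            entries.append(d)
    return entries


def assess(entries: list) -> list:
    """Triage findings as (code, detail) pairs, mirroring the manual checks."""
    findings = []
    av_names = [e["name"] for e in entries if e["kind"] == "AV"]
    if len(av_names) > 1:
        # Two resident scanners fight over file access; the thread's first
        # instruction was to remove one of them.
        findings.append(("multiple-av", ", ".join(av_names)))
    for e in entries:
        if e["name"].lower() in KNOWN_ROGUE:
            findings.append(("known-rogue", f'{e["kind"]} {e["name"]} {e["guid"]}'))
        if e["kind"] == "AV" and not e["enabled"]:
            findings.append(("av-disabled", e["name"]))
        if e.get("updated") == "Outdated":
            findings.append(("av-outdated", e["name"]))
    return findings


if __name__ == "__main__":
    for code, detail in assess(parse_dds_header(SAMPLE_DDS_HEADER)):
        print(f"{code}: {detail}")
```

The GUIDs are worth keeping in the output: they are the Security Center registrations that the later SecCenter:: script in this thread removes, so a parser that extracts them gives you the exact values to feed into that step.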
 
Hi Bobbye,

I've removed McAfee and run ComboFix and HijackThis as per your instructions (see the attached logfiles).

Thanks for the continued help.

Phil
 

Attachments

  • ComboFix.txt (11.5 KB)
  • hijackthis.log (8.1 KB)
Please disable RegCure- even better, uninstall it. Most of us do not recommend any Registry cleaning programs, and you have it set to run about every 3 days. That means that your system will change every time it runs. It is best I work with a system as stable as possible while trying to find and remove all the malware.
================
Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
C:\Documents and Settings\All Users\Application Data\WSYSSSys\wsyss.cfg
Folder::
C:\Documents and Settings\All Users\Application Data\WSYSSSys
DirLook::
C:\7a439d257b455aea9109ee
C:\ae9eaef4aab727830c2e066264f8ca
C:\95290a549c448f1c8c48ed1207f5
C:\f6fd69f80dc373a71ceb50b3939d73
C:\533b3bb12c9885a5d8bb1b39
C:\60ca9d2f01bdd64eab
C:\16eed420b6ab04fccceaafd768d1cf
C:\0b1b6181454363b7712993f4
C:\14d37985443da0a20f40b09424
C:\abcab659bab348e2f95dad59

Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please reopen HijackThis to 'do system scan only.' Check each of the following entries if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)

Close all Windows except HijackThis and click on "Fix Checked."
=========================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
=====================
Please include all logs with next reply.
 
Hi,

I've uninstalled RegCure, ran the supplied CFscript.txt using ComboFix, ran HijackThis and removed the 5 listed entries and ran the NOD32 online scanner.

The logfiles from ComboFix and NOD32 are attached as requested.

Thanks for your continued help!

Regards

Phil
 

Attachments

  • ComboFix.txt (88.2 KB)
  • log.txt (1.1 KB)
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Folders
    C:\0b1b6181454363b7712993f4
    C:\14d37985443da0a20f40b09424
    C:\16eed420b6ab04fccceaafd768d1cf
    C:\533b3bb12c9885a5d8bb1b39 
    C:\60ca9d2f01bdd64eab
    C:\7a439d257b455aea9109ee
    C:\95290a549c448f1c8c48ed1207f5
    C:\abcab659bab348e2f95dad59
    C:\ae9eaef4aab727830c2e066264f8ca
    C:\f6fd69f80dc373a71ceb50b3939d73
    
    :Services
    
    :Reg
    
    :Files 
    C:\i386\GTDownDE_87.ocx
    C:\WINDOWS\system32\drivers\etcold\hosts
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

I'm not sure I can move all those folders in this program, but give it a try. It will show in the logs it produces. If they don't move, I'll set them up in a different program.

Most of them are folders containing error reporting files from MS Office. The system gathers each error and sends it to Microsoft. But you can disable this so these folders don't build up:

Click on Start> Run> type in services.msc> Double click on Microsoft Application Error Reporting Service> change the Startup type to Disabled> Stop the Service> Close Services
 
Hi Bobbye,

Ran OTMoveIt with your script, here's the log:

-------------------------

All processes killed
========== PROCESSES ==========
Error: Unable to interpret <:Folders> in the current context!
Error: Unable to interpret <C:\0b1b6181454363b7712993f4> in the current context!
Error: Unable to interpret <C:\14d37985443da0a20f40b09424> in the current context!
Error: Unable to interpret <C:\16eed420b6ab04fccceaafd768d1cf> in the current context!
Error: Unable to interpret <C:\533b3bb12c9885a5d8bb1b39 > in the current context!
Error: Unable to interpret <C:\60ca9d2f01bdd64eab> in the current context!
Error: Unable to interpret <C:\7a439d257b455aea9109ee> in the current context!
Error: Unable to interpret <C:\95290a549c448f1c8c48ed1207f5> in the current context!
Error: Unable to interpret <C:\abcab659bab348e2f95dad59> in the current context!
Error: Unable to interpret <C:\ae9eaef4aab727830c2e066264f8ca> in the current context!
Error: Unable to interpret <C:\f6fd69f80dc373a71ceb50b3939d73> in the current context!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\i386\GTDownDE_87.ocx moved successfully.
C:\WINDOWS\system32\drivers\etcold\hosts moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: Jon Jerrard-Dinn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Sally Jerrard-Dinn
->Temp folder emptied: 1230 bytes
->Temporary Internet Files folder emptied: 7988610 bytes
->Java cache emptied: 2027 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 42247 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3227072 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 11.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05082010_164720

Files moved on Reboot...
C:\Documents and Settings\Sally Jerrard-Dinn\Local Settings\Temporary Internet Files\Content.IE5\UVDV5E6W\sh16[1].htm moved successfully.
C:\Documents and Settings\Sally Jerrard-Dinn\Local Settings\Temporary Internet Files\Content.IE5\DFC7OZ83\topic146742[1].htm moved successfully.
C:\Documents and Settings\Sally Jerrard-Dinn\Local Settings\Temporary Internet Files\Content.IE5\9J5HQTMW\ads[1].htm moved successfully.
C:\Documents and Settings\Sally Jerrard-Dinn\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\dd_NET_Framework30_Setup2A92.txt moved successfully.
C:\WINDOWS\temp\dd_wcf_retCA665F.txt moved successfully.

Registry entries deleted on Reboot...

-------------------------

It looks like it didn't like the :Folders section.

I looked for the service "Microsoft Application Error Reporting Service" but it doesn't exist so I couldn't disable it.

Thanks for the continued instructions!

Phil
 
Sorry Phil, I wasn't thinking! The name of the Service is just Error Reporting. That's the one to disable and stop.

To remove the folders:

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\mcafee\siteadvisor\McSACore.exe 
c:\progra~1\mcafee\viruss~1\mcshield.exe 

Folder::
C:\14d37985443da0a20f40b09424
C:\16eed420b6ab04fccceaafd768d1cf
C:\533b3bb12c9885a5d8bb1b39 
C:\7a439d257b455aea9109ee
C:\95290a549c448f1c8c48ed1207f5
Registry::

DDS::
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

Driver::
McAfee SiteAdvisor Service
McShield
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
I left out the folders that have the NET Framework files. As far as I could find, the download has both 64 and 32 bit files, plus ones for different OSes. I don't know how to edit the files to remove the particular ones you don't need, so I'm going to leave them- the others though can be removed and the Service stopped without problems.

How is the system running now? Are there any remaining malware related issues?
 
Hi Bobbye,

I've disabled that service now!

Ran the script with ComboFix. It warned me that "Windows System Suite" was running, so I still think there are some issues. The logfile attached also references "Windows System Suite" at the top.

The good news is that the hosts file hasn't been changed to include rogue entries and I can currently run cmd and regedit ok. I also got some windows update notifications that are over a week old (my other PC had the updates last week), so I think this wasn't working correctly before we started either.

Looks like we're getting there!

Cheers

Phil
 

Attachments

  • ComboFix.txt (41.4 KB)
Phil, I'd like you to run Malwarebytes again, but this time it will be a Full Scan instead of Quick Scan:

You've done the first 5, so pick up with #6
  1. Download Malwarebytes' Anti-Malware and save to your desktop.
  2. Double-click mbam-setup.exe and follow the prompts to install the program.
  3. At the end, be sure a checkmark is placed next to
     • Update Malwarebytes' Anti-Malware
     • Launch Malwarebytes' Anti-Malware
  4. then click Finish.
  5. If an update is found, it will download and install the latest version.
     ===================================
     NOTE: Before you start the new scan: Open the Task Manager (Ctrl/Alt/Del) and look for this entry in Processes: WI345d.exe. If there, highlight and End Task before starting Mbam.
     • Once the program has loaded, select Perform Full scan, then click Scan.
  6. When the scan is complete, click OK, then Show Results to view the results.
     You should be seeing something similar to this:
     [Image: results-page.jpg]
     (Courtesy BleepingComputer)
  7. Be sure that everything is checked, and click Remove Selected.
  8. When completed, a log will open in Notepad, and you may be prompted to Restart. (See Extra Note)
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

IF you do get similar entries and have them removed, rescan with Mbam to make sure they all got found and removed.

Let me see this log please.
 
Hi Bobbye,

I ran mbam and it picked up 1 infected file. I cleaned it as per the instructions and rebooted.

I ran mbam again and it picked up another infected file which I cleaned again and rebooted again.

I've attached both logfiles.

Cheers

Phil

Edit: I ran mbam a third time which was clear. I've also run dds again to see whether "Windows System Suite" is still installed. The logfiles (attached) show that it still is.
 

Attachments

  • mbam-log-2010-05-10 (19-40-14).txt (981 bytes)
  • mbam-log-2010-05-10 (21-39-29).txt (1,021 bytes)
  • DDS.txt (14 KB)
  • Attach.txt (18.8 KB)
About the 2 Mbam scans: one shows files in OTMoveIt. We've handled that. The other shows a file in System Restore. It's off the system. I'll have you remove the old restore points when we finish. In the meantime, don't do a System Restore because it could reinfect the system.

So basically the Mbam logs are clean! And nothing shows other entries associated with this rogue. I'm beginning to wonder if it's really there! I found a removal download, but I'm not familiar with the download- there is a manual instruction but I need to go over it and set it up.

Give me some time- it might be tomorrow AM, okay?
 
Thanks for your patience. I'd rather delay than have you do anything that could harm the system.
 
Broni has helped me out with a feature I wasn't aware of. This should do it:

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::

SecCenter::
{2B9C6ABA-FBC3-45BE-862C-74DD8F5D4A41}
{EACCD1F1-868E-4E5F-A4A1-7E8110FF165E}

Folder::
Registry::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
If this handles it and the original problems have been resolved, I'll have you remove the cleaning tools and old restore points.
 
Hi Bobbye,

Great news, I ran the script supplied (log file attached) rebooted and ran the DDS script again. It no longer warns that Windows System Suite is installed so I think you may have got the laptop clean!

I look forward to your final instructions to remove the cleaning tools and old restore points.

Many thanks for all your hard work on this, it is really appreciated.

Phil
 

Attachments

  • ComboFix.txt (115.5 KB)
Yeah! That is great! There aren't any other problems are there? I owe Broni one for that feature-didn't know I could do that! And you're welcome for the help. You did a nice job following the instructions.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [Image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if you need help in the future.
 
Hi Bobbye,

I've removed all the software used, created a new restore point and deleted all older ones.

A double check on all the problems I was having show that everything is now working as expected.

Many thanks for all your help in sorting out the laptop, it's really appreciated.

Best regards

Phil
 
It was my pleasure Phil. I'll close the thread now but will leave some tips for you:

Please follow these simple steps to keep your computer clean and secure:

1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
5. Use an AntiVirus Software (only one)
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls- both are free and good:
Comodo or Zone Alarm
7. Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar: Get the free Google toolbar to help stop pop up windows.
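Two passages in this thread turn on the same file: the first post's suspicion that an "infected hosts file" was sending google.com to another IP address (the thread later moved a backup of it out of drivers\etcold), and the closing tip above that recommends an MVPS hosts file, which deliberately maps ad domains to 127.0.0.1. Both are hosts-file edits; the difference is whether a name is pinned to loopback (blocked) or to a remote address (redirected), and which names are touched. The auditor below is an added example, not something posted in the thread or shipped with any of the tools mentioned. It parses hosts-file syntax, ignores stock and ad-blocking loopback entries, and flags sinkholed security or update domains and any name redirected to a remote address. The sample hosts text and the WATCHED_SUFFIXES list are constructed for the example; on a live machine you would read C:\WINDOWS\system32\drivers\etc\hosts instead of the string.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file, not copied from the thread's logs. It mixes the
# stock loopback entries, MVPS-style ad sinkholes (benign), a sinkholed security
# vendor domain, redirections of google.com to a remote address (the symptom
# from the first post), a plain internal mapping and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-adserver.test      # MVPS-style block
127.0.0.1       tracker.example-analytics.test
127.0.0.1       www.malwarebytes.org
203.0.113.45    www.google.com
203.0.113.45    google.com
203.0.113.99    update.microsoft.com
198.51.100.7    intranet.corp.test
not-an-address  garbage.line
"""

# Loopback / unspecified addresses: mapping a name here blocks it, which is
# exactly what an ad-blocking hosts file does on purpose.
SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Domains a legitimate hosts file has no business touching. Illustrative list
# chosen for this example; extend it with your own AV and update vendors.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "microsoft.com", "windowsupdate.com",
    "malwarebytes.org", "avast.com", "mcafee.com", "eset.com",
)


@dataclass
class Finding:
    line_no: int
    host: str
    address: str
    reason: str


def _is_watched(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str):
    """Yield (line_no, ip, [hostnames]) for every active mapping line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed; the resolver skips it too
        yield n, ip, fields[1:]


def audit_hosts(text: str) -> list[Finding]:
    """Classify every hosts entry by how suspicious it is."""
    findings: list[Finding] = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if ip in SINKHOLE:
                if name.lower() == "localhost":
                    continue                      # stock entry
                if _is_watched(name):
                    # Blocking an AV or update domain is how rogue software
                    # keeps its victim from downloading a fix.
                    findings.append(Finding(n, name, str(ip), "watched domain sinkholed"))
                # Any other sinkhole (ad/tracker block list) is left alone.
                continue
            # A non-loopback address pins the name to that IP and bypasses
            # DNS, so "google.com" lands on someone else's server.
            reason = ("watched domain redirected to remote address"
                      if _is_watched(name) else "remote mapping (review manually)")
            findings.append(Finding(n, name, str(ip), reason))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.host} -> {f.address}: {f.reason}")
```

A clean MVPS install produces no findings with this logic, because every entry it adds is a loopback sinkhole for an ad or tracker name; the entries that the thread's symptoms describe (search domains sent elsewhere, security sites blocked) are the ones that surface.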
 