Inactive Google redirects, command prompt closes but scans show nothing

[DGW]

Hello,

I noticed that my AVG would not update ("Access is forbidden) and that I was getting google redirects. I am also unable to open command prompt as it closes immediately - even in Safe Mode with Command Prompt.

I've done various scans through Malwarebytes, AVG, SAS, AVG Rescue CD, and made sure to do them in Safe Mode and after running CCleaner and ATF Cleaner. This cleaned out a few trojans and now when I run these scans, nothing shows up, yet I still have problems with google redirects and command prompt.

Going through the 8 steps, gmer gives me the BSOD when run normally, but is ok in safe mode. I am unable to run the dds.scr.

Thanks!

 

[Broni]

Welcome aboard

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[DGW]

When I run ComboFix, a status bar shows up and completes then I get a popup "Freeware implementation of REG.EXE has encountered a problem and needs to close." There are 2 of these messages as well as one for XCACLS.

This is run on normal Windows mode. Should I try it in Safe mode?

 

[Broni]

Delete your Combofix file, download fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

• 
  * Double-click on the Rkill desktop icon to run the tool.
  * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  * If not, delete the file, then download and use the one provided in Link 2.
  * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  * Do not reboot until instructed.
  * If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Now download and run exeHelper.

• 
  * Please download exeHelper from Raktor to your desktop.
  * Double-click on exeHelper.com to run the fix.
  * A black window should pop up, press any key to close once the fix is completed.
  * A log file named log.txt will be created in the directory where you ran exeHelper.com
  * Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Now, run broni.exe

 

[DGW]

I get a few DOS windows popping up and closing immediately and then a message appears.

Rkill.com - "Windows cannot find 'C:\rkill.log'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search"

Same thing happened for Rkill.scr. The link for Rkill.pif does not download properly. Rkill.exe gives the same error message as the first 2 links.

I am using XP.

 

[Broni]

Restart in Safe Mode.
Try all 3 tools again.

 

[DGW]

Same error message from Safe Mode for the rkill applications.

 

[Broni]

Skip rKill.
Will broni.exe run in safe mode?

 

[DGW]

Nope, same error message about the rkill log.

 

[Broni]

No, I said skip rKill.
Restart in safe mode one more time and try to run broni.exe only.

 

[DGW]

Sorry, my mistake.

When I ran broni.exe in safe mode, I get the same error message about REG.EXE and XCACLS.

I never did run exehelper, should I try that?

 

[Broni]

No.
Restart in normal mode and see, if you can run these tools...

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=================================================================

Download TDSSKiller and save it to your desktop.

• Extract (unzip) its contents to your desktop.
• Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
• If an infected file is detected, the default action will be Cure, click on Continue.
• If a suspicious file is detected, the default action will be Skip, click on Continue.
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

 

[DGW]

Attached is the log for MBRCheck.exe.

THe link for TDSSKiller isn't working, so I'm unable to download it and run it.

 

[Broni]

TDSSKiller link works for me, but we'll wait with that, because your MBR is infected.

Rerun MBRCheck.
Enter 'Y' and hit ENTER for more options and select option "2".
When asked for physical disk number, enter 0 (zero).
Next, enter 1 (Windows XP) for MBR code.
Post resulting log.

 

[DGW]

With MBRCheck, when I double click on it, a DOS window flashes open then disappears. After 20 seconds, the log gets produced. Thus, I've never been able to enter anything. Here's the log for the 2nd run.

 

[Broni]

OK. We'll have approach this in a different way.

Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. OK Then reboot.

You should get a black screen with a C:\> prompt. Type with an Enter after each line:

fixmbr

(If it asks you if you are sure then say "Y".)

exit

Reboot computer.

Post fresh MBRCheck log.

 

[DGW]

Attached is the fresh MBRCheck after running the fixmbr in the recovery console. Again, the DOS window disappears immediately after I double click on MBRCheck.exe

 

[Broni]

It looks good now

See, if broni.exe will run now (normal, or safe mode).

 

[DGW]

Same error messages as before - REG.EXE and XCACLS. Both in normal and safe mode

 

[Broni]

OK.

I uploaded TDSSKiller for you here: http://www.filedropper.com/tdsskiller_1

Download it and save it to your desktop.

• Extract (unzip) its contents to your desktop.
• Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
• If an infected file is detected, the default action will be Cure, click on Continue.
• If a suspicious file is detected, the default action will be Skip, click on Continue.
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

 

[DGW]

Found 2 suspicious files that were skipped. Did not need to reboot.

 

[Broni]

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[DGW]

Only OTL.Txt was produced.

The text is too long to copy and paste, so I made it an attachment.

 

[Broni]

Disable your AV program.

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
  O3 - HKLM\..\Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No CLSID value found.
  O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
  O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
  O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
  O4 - HKLM..\Run: [UserFaultCheck] File not found
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
  O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Reg Error: Key error.)
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab (Reg Error: Key error.)
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  O29 - HKLM SecurityProviders - (mcenspc.dll) - File not found
  O33 - MountPoints2\{423c93ca-7d37-11df-8a72-0015000965d9}\Shell - "" = AutoRun
  O33 - MountPoints2\{423c93ca-7d37-11df-8a72-0015000965d9}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{423c93ca-7d37-11df-8a72-0015000965d9}\Shell\AutoRun\command - "" = G:\DTVP_Launcher.exe -- File not found
  O33 - MountPoints2\{d7a37ae2-9e83-11db-90ae-00c09fce0b1e}\Shell\AutoRun\command - "" = Launch.exe
  [2010/07/26 06:33:01 | 000,000,000 | ---D | C] -- C:\AVGTemp
  [2006/08/23 19:01:48 | 000,098,304 | ---- | C] ( ) -- C:\WINDOWS\System32\Uwimm.dll
  [6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
  [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
  [18 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [resethosts]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[DGW]

Here you go.