TechSpot

Machine with virus causing IE links not to work

By mikehartman
Mar 14, 2009
  1. I'm looking at a friend's machine that had a virus and am having issues getting it to work properly. He told me he removed a couple of viruses with AVG 8.5 and now the machine is clean according to AVG, but IE and Firefox are acting flaky. If I do a Google search and click on one of the links, it redirects to windowsclick.com. Attached is a HijackThis log from this machine. Thank you for any direction you can point me in!!!

    Mike
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).
    avg

    Most importantly update MalwareBytes (MBAM) and SuperAntiSpyware (SAS)!

    Before you scan with either MalwareBytes or SuperAntiSpyWare, do the extra configs below; these have become most important lately.

    SuperAntispyware extra config

    After installed double-click the icon on your desktop to run it.

    Update the program definitions.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options, make sure all boxes are checked except #3 (Ignore System Restore).

    MalwareBytes extra config

    After update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and attach their logs.

    Mike
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Mike, be sure to have him update both Java and Adobe Reader; they are both way out of date.
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    10-4

    Mike
     
  5. EndlessDen

    EndlessDen TS Rookie

    I'm having pretty much the same problem, I already had malwarebytes installed and I changed the file name because the virus wouldn't allow me to open it. It won't let me install SAS, gives me an error saying: The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

    How can I get it installed?
     
  6. EndlessDen

    EndlessDen TS Rookie

    My logs

    Had to remove my logs here to put them in my own thread.
     
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Endless

    Download alternate installers (below) for both SAS and MBAM they should install.

    MBAM
    Here http://malwarebytes.gt500.org/mbam-rules.exe
    Or here http://www.malwarebytes.org/mbam/database/mbam-rules.exe

    For SAS
    Try just this first http://www.superantispyware.com/downloads/RUNSAS.EXE
    Then execute Runsas.exe instead of the SAS Icon.

    If it doesn't run, get this http://downloads.superantispyware.com/downloads/SAS_FREE.EXE

    Create your own post and post log files to it. I will see it!

    You likely did not know that jumping into someone else's thread is frowned upon: Thread Hijacking!

    Mike
     
  8. EndlessDen

    EndlessDen TS Rookie

    Sorry, I just thought it would be less clutter since it seems we're having the same issues. My apologies, friends! I'll create my own post.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    FYI EndlessDen: help is specific to the person who begins the thread. Although you think you have the 'same problem', you may not have the same cause. Your problem would then get 'buried' in the thread of the other person.

    Sometimes we forget to do this, but each malware cleaning thread should have this message with the first reply of the helper:

    Mike, let's try to remember to include this message with first reply.
     
  10. mikehartman

    mikehartman TS Rookie Topic Starter

    Virus information

    Attached are the logs from the machine that was having problems with IE redirects. FYI - the machine seems to be operating a heck of a lot better than before.

    Thanks in advance!
     
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    The MBAM log required a reboot to finish. So if you have not, reboot!

    Then do this....

    Left-drag the mouse and copy all text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste it into the black screen of an open command prompt. All may not apply, so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del /f /q /s tdss*.*
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
    del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del /f /q c:\WINDOWS\system32\ieupdates.exe
    del /f /q c:\WINDOWS\system32\scui.cpl
    del /f /q c:\WINDOWS\system32\winsrc.dll
    
    :: Paths containing spaces must be quoted or attrib/del treat them as two arguments
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del /f /q "c:\program files\xwdxqu.txt"
    del /f /q c:\windows\x
    del /f /q c:\windows\SxsCaPendDel
    
    attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
    attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
    attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys
    
    del /f /q c:\windows\system32\drivers\qh3s.sys 
    del /f /q c:\windows\system32\drivers\jsdpp32.sys
    del /f /q c:\windows\system32\drivers\oxauau96.sys
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv (service name matches the Services key deleted further below)
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
    del /f /q "c:\program files\Common Files\System\u_lehj32.dll"
    
    attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    
    del /f /q "C:\WINDOWS\system32\svcprs32.exe"
    del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

    Then do the below..

    Update, then run the MBAM Quick Scan again, as it needs to find more or show us a clean log! Post the log!

    Mike
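After the batch above has been pasted in, it helps to confirm that it actually took. The following PowerShell check is an added example written for this page, not mflynn's script or anything from TechSpot: it reads the same association keys the batch sets with assoc/ftype and looks for the service, registry and driver-file names the batch targets, assuming an elevated PowerShell session on the cleaned machine.

```powershell
# Added post-cleanup check (not the thread's batch script): verifies the associations
# the batch restores and looks for the TDSS/gaopdx artifacts it deletes. Run elevated.
$findings = @()

# 1. Extension -> ProgID mapping, as set by the batch's "assoc" lines
$assoc = @{ '.exe' = 'exefile'; '.bat' = 'batfile'; '.cmd' = 'cmdfile'; '.com' = 'comfile'; '.reg' = 'regfile' }
foreach ($ext in $assoc.Keys) {
    $actual = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ($actual -ne $assoc[$ext]) { $findings += "$ext maps to '$actual', expected '$($assoc[$ext])'" }
}

# 2. The "ftype" lines: a clean open command launches the file itself ("%1" ...);
#    a hijacked one runs some other binary first and passes the file to it
foreach ($progId in 'exefile', 'batfile', 'cmdfile', 'comfile') {
    $cmd = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -notlike '"%1"*') { $findings += "$progId open command is '$cmd' (should start with `"%1`")" }
}

# 3. Services and service keys the batch stops and deletes
foreach ($svc in 'TDSSserv.sys', 'gaopdxserv.sys', 'WinSvchostManager', 'ntndis', 'u_lehj') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { $findings += "service still registered: $svc" }
    if (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") { $findings += "service key still present: $svc" }
}

# 4. Registry keys and Run entries the batch deletes
$keys = 'HKLM:\SOFTWARE\tdss',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata',
        'HKLM:\SOFTWARE\swearware',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}'
foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { $findings += "registry key still present: $k" } }
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($name in 'ieupdate', '75319611769193918898704537500611') {
    if ($run -and $run.PSObject.Properties[$name]) { $findings += "HKCU Run entry still present: $name" }
}

# 5. Driver files matching the names the batch deletes (hidden/system files included)
$drivers = Join-Path $env:SystemRoot 'system32\drivers'
foreach ($pattern in 'tdss*', 'gaopdx*', 'ntndis.*') {
    foreach ($f in @(Get-ChildItem -LiteralPath $drivers -Filter $pattern -Force -ErrorAction SilentlyContinue)) {
        $findings += "driver file still present: $($f.FullName)"
    }
}

if ($findings.Count -eq 0) { Write-Output 'OK: associations intact, no TDSS/gaopdx leftovers found' }
else { $findings | ForEach-Object { Write-Output "WARNING: $_" } }
```

A WARNING line does not by itself prove infection (a non-default but legitimate association would also show up); it points at what to look at in the next MBAM or HijackThis log.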
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    To "Helper" Mike, you might want to consider the following:

    Real Time Protection should be temporarily disabled when scanning:
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    There is one 'left-over' Service running from an earlier version of AVG:
    Consider further checking the system for presence of (Rootkit.TDSS)
    Mike, I don't do the coding, so if any of this is included in what you left, my apology.
     