Machine with virus causing IE links not to work

Status
Not open for further replies.
I'm looking at a friend's machine that had a virus and am having issues getting it to work properly. He told me he removed a couple of viruses with AVG 8.5 and now the machine is clean according to AVG, but IE and Firefox are acting flaky. If I do a Google search and click on one of the links it redirects to windowsclick.com. Attached is a HijackThis log from this machine. Thank you for any direction you can point me in!!!

Mike
 
Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).
avg

Most importantly update MalwareBytes (MBAM) and SuperAntiSpyware (SAS)!

Before you scan with either MalwareBytes or SuperAntiSpyWare do the Extra Configs below; these have become most important lately.

SuperAntispyware extra config

After installed double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3 Ignore System Restore.

MalwareBytes extra config

After update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and attach their logs.

Mike
 
Mike, be sure to have him update both Java and Adobe Reader; they are both way out of date.
 
I'm having pretty much the same problem, I already had malwarebytes installed and I changed the file name because the virus wouldn't allow me to open it. It won't let me install SAS, gives me an error saying: The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

How can I get it installed?
 
Hi Endless

Download alternate installers (below) for both SAS and MBAM; they should install.

MBAM
Here http://malwarebytes.gt500.org/mbam-rules.exe
Or here http://www.malwarebytes.org/mbam/database/mbam-rules.exe

For SAS
Try just this first http://www.superantispyware.com/downloads/RUNSAS.EXE
Then execute Runsas.exe instead of the SAS Icon.

If it doesn't run, get this http://downloads.superantispyware.com/downloads/SAS_FREE.EXE

Create your own post and post log files to it. I will see it!

You likely did not know jumping into someone else's thread is frowned upon, Thread Hijacking!

Mike
 
Sorry, I just thought it would be less clutter since it seems we're having the same issues. My apologies, friends! I'll create my own post.
 
FYI EndlessDen: help is specific to the person who begins the thread. Although you think you have the 'same problem', you may not have the same cause. Your problem would then get 'buried' in the thread of the other person.

Sometimes we forget to do this, but each malware cleaning thread should have this message with the first reply of the helper:

This thread is for the use of (user name) only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.

Mike, let's try to remember to include this message with the first reply.
 
Virus information

Attached are the logs from the machine that was having problems with IE redirects. FYI - the machine seems to be operating a heck of a lot better than before.

Thanks in advance!
 
The MBAM log required a reboot to finish. So if you have not, reboot!

Then do this....

Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del /f /q /s tdss*.*
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del /f /q c:\WINDOWS\system32\ieupdates.exe
del /f /q c:\WINDOWS\system32\scui.cpl
del /f /q c:\WINDOWS\system32\winsrc.dll

attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del /f /q "c:\program files\xwdxqu.txt"
del /f /q c:\windows\x
del /f /q c:\windows\SxsCaPendDel

attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys

del /f /q c:\windows\system32\drivers\qh3s.sys 
del /f /q c:\windows\system32\drivers\jsdpp32.sys
del /f /q c:\windows\system32\drivers\oxauau96.sys

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop gaopdxserv.sys
sc delete gaopdxserv.sys
:: Service name matches the Services registry key deleted further down

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop WinSvchostManager
sc delete WinSvchostManager

sc stop ntndis
sc delete ntndis

attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"

del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del /f /q "c:\program files\Common Files\System\u_lehj32.dll"

attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"

del /f /q "C:\WINDOWS\system32\svcprs32.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
:: /v names the value to remove from the Run key (without it reg would look for a subkey)
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

Then do the below..

Update, then run MBAM Quick Scan again, as it needs to find more or show us a clean log! Post the log!

Mike
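As an added example (not from Mike's post or from TechSpot), here is a read-only PowerShell check of the shell associations that the batch above resets with ftype/assoc. Malware of this family often remaps .exe so that scanners such as MBAM and SAS will not launch (which is why renaming the scanner's file sometimes works); this script shows whether a machine actually has that damage before anything is changed. The expected commands are the ones the batch sets; .lnk is skipped because lnkfile has no open command, and the status labels are my own.

```powershell
# Added example (not from the thread): read-only check of the shell
# associations that the cleanup batch resets. Nothing here writes to the
# registry; it only reports which associations differ from the expected ones.

function Normalize-Command([string]$Command) {
    # Expand %SystemRoot%, drop quotes, squeeze whitespace and lowercase so
    # '"regedit.exe" "%1"' and 'regedit.exe "%1"' compare as equal.
    if (-not $Command) { return '' }
    $s = [Environment]::ExpandEnvironmentVariables($Command) -replace '"', ''
    return (($s -replace '\s+', ' ').Trim().ToLowerInvariant())
}

function Get-AssociationReport {
    # Extension -> ProgId -> open command, as the batch sets them.
    $checks = @(
        @{ Ext = '.exe'; ProgId = 'exefile'; Expected = '"%1" %*' },
        @{ Ext = '.bat'; ProgId = 'batfile'; Expected = '"%1" %*' },
        @{ Ext = '.cmd'; ProgId = 'cmdfile'; Expected = '"%1" %*' },
        @{ Ext = '.com'; ProgId = 'comfile'; Expected = '"%1" %*' },
        @{ Ext = '.scr'; ProgId = 'scrfile'; Expected = '"%1" /S' },
        @{ Ext = '.reg'; ProgId = 'regfile'; Expected = 'regedit.exe "%1"' },
        @{ Ext = '.pif'; ProgId = 'piffile'; Expected = '"%1" %*' },
        @{ Ext = '.inf'; ProgId = 'inffile'; Expected = '%SystemRoot%\System32\NOTEPAD.EXE "%1"' },
        @{ Ext = '.vbs'; ProgId = 'VBSFile'; Expected = '%SystemRoot%\System32\WScript.exe "%1" %*' },
        @{ Ext = '.js';  ProgId = 'JSFile';  Expected = '%SystemRoot%\System32\WScript.exe "%1" %*' }
    )

    foreach ($c in $checks) {
        # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
        # which is what the shell consults when a file is double-clicked.
        $extKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$($c.Ext)" -ErrorAction SilentlyContinue
        $progId = if ($extKey) { $extKey.GetValue('') } else { $null }
        $cmdKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$($c.ProgId)\shell\open\command" -ErrorAction SilentlyContinue
        $command = if ($cmdKey) { $cmdKey.GetValue('') } else { $null }

        if (-not $extKey -or -not $cmdKey) { $status = 'MISSING' }
        elseif ($progId -ne $c.ProgId) { $status = 'EXT-REMAPPED' }
        elseif ((Normalize-Command $command) -ne (Normalize-Command $c.Expected)) { $status = 'CMD-CHANGED' }
        else { $status = 'OK' }

        New-Object PSObject -Property @{
            Extension = $c.Ext
            ProgId    = $progId
            Command   = $command
            Status    = $status
        } | Select-Object Extension, ProgId, Command, Status
    }
}

Get-AssociationReport | Format-Table -AutoSize
```

A CMD-CHANGED row on .exe whose Command points at some program other than "%1" is the classic sign that every launched executable is being routed through a malware loader; EXT-REMAPPED means the extension itself now points at a different ProgId. If HKCR looks clean but executables still will not start, look at HKCU\Software\Classes separately, since a per-user override there wins over the machine-wide entry in the merged view.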
 
To "Helper" Mike, you might want to consider the following:

Real Time Protection should be temporarily disabled when scanning:
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
AD-AWARE AD-WATCH
* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
o Active: This will turn Ad-Watch On\Off without closing it.
o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps but this time check both boxes.)
There is one 'left-over' Service running from an earlier version of AVG:
O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)
Start> Run> services.msc> right click on AvgAgent> Properties> change Startup to Disabled> Stop the Service.
Consider further checking the system for presence of (Rootkit.TDSS)
1. Open up Device Manager (Start> Control Panel> Hardware tab> Device Manager button)
2. Click 'View' and select 'Show Hidden Devices'
3. Expand the 'Non-Plug and Play' Drivers category
4. Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys where xyz.sys are random characters), and/or seneka.sys (any that are present)
5. Restart computer to Safe Mode
6. After restart, go back to Device Manager and right-click 'Uninstall' the above drivers
7. Navigate to 'C:\Windows\System32\Drivers' folder and delete these files if they exist (They will be hidden so show hidden files)***
8. Navigate to the 'C:\Windows\System32' directory, Sort By Date, and remove any recently modified traces of files that resemble clb*.*, td*.*, and seneka*.* or any suspicious looking *.exe's/*.dll's modified in the past 24 hours ***
9. Run SDFIX and Combofix in Safe Mode: consider updating and re-scanning with Ad-Watch off.
10. Reboot to Normal mode, install SAS, update, and run a quick scan
11. Run an ESET (NOD32) online scan: http://www.eset.com/onlinescan/
OR F-Secure online malware scan: http://support.f-secure.com/enu/home/ols.shtml
***NOTE: Path for #7 & #8:
Right click on Start> Explore> Windows > System 32
Mike, I don't do the coding, so if any of this is included in what you left, my apology.
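As an added example (not from Bobbye's post, Mike's batch, or TechSpot), the PowerShell below performs the checks in steps 1-8 above, and looks for the service, file and registry indicators that Mike's batch deletes, as a read-only sweep: it lists driver services whose names match tdss*, clb*, seneka* or gaopdx*, the matching files under System32\drivers, System32 executables modified in the last 24 hours, and whether the registry keys from the batch exist. The name patterns and registry keys come from the thread; the 24-hour cutoff, function names and output layout are my choices. It removes nothing, so it is safe to run before deciding what the batch or manual steps should touch.

```powershell
# Added example (not from the thread): read-only sweep for the rootkit
# indicators named in the thread. Reports only; deletes nothing.
# Run from an elevated PowerShell so HKLM\SYSTEM and System32 are readable.

$Patterns  = @('tdss*', 'clb*', 'seneka*', 'gaopdx*')   # names from the thread
$HoursBack = 24                                          # assumed cutoff (step 8)
$Sys32     = Join-Path $env:SystemRoot 'System32'

function Get-SuspiciousDriverServices {
    # Kernel drivers are registered under Services with Type 1 (kernel) or
    # Type 2 (file system). These are the "Non-Plug and Play Drivers" that
    # Device Manager only shows with "Show Hidden Devices" turned on.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $name = $_.PSChildName
        foreach ($p in $Patterns) {
            if ($name -like $p) {
                $props = Get-ItemProperty -Path $_.PSPath
                New-Object PSObject -Property @{
                    Service   = $name
                    Type      = $props.Type
                    Start     = $props.Start
                    ImagePath = $props.ImagePath
                } | Select-Object Service, Type, Start, ImagePath
                break
            }
        }
    }
}

function Get-SuspiciousDriverFiles {
    # Step 7: the driver files live in System32\drivers and are usually hidden,
    # so -Force is needed to list them.
    $drivers = Join-Path $Sys32 'drivers'
    foreach ($p in $Patterns) {
        Get-ChildItem -Path $drivers -Filter $p -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-RecentlyModifiedSystem32 {
    # Step 8: sort System32 by date and look at executables changed recently.
    $cutoff = (Get-Date).AddHours(-$HoursBack)
    Get-ChildItem -Path $Sys32 -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            @('.exe', '.dll', '.sys') -contains $_.Extension.ToLower() -and
            $_.LastWriteTime -gt $cutoff
        } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime
}

function Get-KnownRegistryKeys {
    # Keys that Mike's batch deletes; report which are actually present.
    $keys = @(
        'HKLM:\SOFTWARE\tdss',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata',
        'HKLM:\SOFTWARE\swearware',
        'HKLM:\SOFTWARE\Classes\gaopdxvx',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}',
        'HKCU:\Software\75319611769193918898704537500611'
    )
    foreach ($k in $keys) {
        New-Object PSObject -Property @{ Key = $k; Present = (Test-Path -Path $k) } |
            Select-Object Key, Present
    }
}

"== Driver services matching $($Patterns -join ', ') =="
Get-SuspiciousDriverServices | Format-Table -AutoSize
"== Matching files in System32\drivers =="
Get-SuspiciousDriverFiles | Format-Table -AutoSize
"== System32 .exe/.dll/.sys modified in the last $HoursBack hours =="
Get-RecentlyModifiedSystem32 | Format-Table -AutoSize
"== Registry keys from the cleanup batch =="
Get-KnownRegistryKeys | Format-Table -AutoSize
```

Treat the output as a worklist to review by hand, not as a verdict: the recent-files list will also include anything Windows Update or a legitimate installer touched in the window, and a short prefix such as clb* can match innocent names. A driver service with a random-looking name, Start = 1 (system start) and an ImagePath in System32\drivers that MBAM or SAS cannot see from a normal boot is the pattern the rootkit steps above are designed to surface, and that is why steps 5 and 6 are done from Safe Mode.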
 