New Thread, Same Old Redirect Problem

[Limnologist]

I have the same problem everyone else is havnig. It started with fake security alerts, progressed to google, then yahoo search redirects (almost always to triplexfeed.com), and now computer is super-slow.

Does this thing have a name yet? I asked Spybot about it and they didn't seem to know.

Have you all come upon one method that works for most people that you could post like you did the 8 steps?

I've updated Windows, Java, Flash, Adobe and some other things as others recommended. I've run AVG, Spybot, some others, and the three you include in 8 Steps, a couple of them several times. Almost all found some problems, fixed them, but nothing has fixed the redirect problem.

Now the computer is super-slow and I'm not sure what the heck is running at any one time.

I haven't run Combofix or the something-flush, as I know nothing about computers and need virtual hand-holding for this. (I'm a computer-fixing virgin so you really have to explain things as basically and completely as possible.)

Thanks in advance . I've attached the three logs you need--hope I did them right. Let me know what else you need.

Carol in Carolina

 

[Limnologist]

Am I supposed to be doing something now? I am afraid to do something else that I've read in the other threads without express direction. Thanks.

 

[Broni]

Which browser is getting redirected?

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[Limnologist]

Its my google search engine and yahoo search engine. I can get to Google and put in search keywords, then get the results, but if I click on results it's redirected. Same with Yahoo. Google News works ok except the photos in results don't show anymore, don't know why. I'm also starting to get pop-ups which haven't been a problem.

 

[Broni]

No, no, I'm asking about browser, Internet Explorer, Firefox, Opera, etc....

 

[Limnologist]

oh, I use Internet Explorer, Firefox REALLY messes everything up so I don't use it.

 

[Broni]

OK. Proceed with Combofix then.

 

[Limnologist]

I don't know if I have script-blocking--how would I find out? I know I have Zone Alarm and AVG--turn off both? Don't know if the Windows firewall is up or not. How do I know what I have? (I know that sounds lame but Others have used the computer on occassion, and I just don't know much)

 

[Broni]

I don't know if I have script-blocking--how would I find out?

In your case, only Spybot is involved:
Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.

I know I have Zone Alarm and AVG--turn off both?

Yes.

Don't know if the Windows firewall is up or not.

To check if the Windows Firewall is turned on or off, go to Start > Run and type: firewall.cpl
press Ok

 

[Limnologist]

I ran Combofix twice. Is it supposed to shut down teh computer when it does it? because it did, which relaunched zone alarm and avg...except now avg isn't showing up in the bottom icon tray, don't know why. And I still have the redirect problem.

 

[Broni]

We'll see about AVG icon later. For now, we have more important things to worry about.

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\drivers\4DW4R3OVqtJAMuGX.sys 
c:\windows\system32\drivers\4DW4R3QkLPMLpQxD.sys 
c:\windows\system32\drivers\4DW4R3qMkqQxLkLb.sys 
c:\windows\system32\drivers\4DW4R3rQHdBcRQbt.sys 
c:\windows\system32\drivers\4DW4R3XtEbOkMVIx.sys 
c:\windows\system32\drivers\4DW4R3OMDeBesYCq.sys 
c:\windows\system32\drivers\4DW4R3BgegiUdrms.sys 
c:\windows\system32\drivers\4DW4R3cnTwpTIvyT.sys 
c:\windows\system32\drivers\4DW4R3DWcWNiEXPP.sys 
c:\windows\system32\drivers\4DW4R3iCreWUHWGb.sys 
c:\windows\system32\drivers\4DW4R3LiJKnslVtt.sys 
c:\windows\system32\drivers\4DW4R3LvDTrcfXVv.sys 
c:\windows\system32\drivers\4DW4R3mnBXqRvuTh.sys 
c:\windows\system32\drivers\4DW4R3MPJqxbuXKI.sys 
c:\windows\system32\drivers\4DW4R3NSuclTeFTj.sys 
c:\windows\system32\4DW4R3c.dll 
c:\windows\system32\4DW4R3CiUGwbCMJg.dll 
c:\windows\system32\4DW4R3fbAuhMqtid.dll 
c:\windows\system32\4DW4R3gUujptEAKQ.dll 
c:\windows\system32\4DW4R3oGwnvBiEeO.dll 
c:\windows\system32\4DW4R3SnxmleqyUa.dll 
c:\windows\system32\4DW4R3sv.dat 
c:\windows\system32\4DW4R3UJNmOxsnxX.dll 
c:\windows\system32\4DW4R3vhAMLcNOAd.dll 
c:\windows\system32\4DW4R3wtMYnASxMl.dll 
c:\windows\system32\4DW4R3XiccYwhybH.dll

Folder::

Driver::

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

 

[Limnologist]

OK, did it...still have problem....

I noticed this in one of the logs--what does it mean--is it fake avg?

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/6/2010 12:08 AM 360584]

 

[Broni]

Let's re-run Combofix with little bit different code...

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

Folder::

Driver::
4DW4R3OVqtJAMuGX
DW4R3QkLPMLpQxD
4DW4R3qMkqQxLkLb
4DW4R3rQHdBcRQbt
4DW4R3XtEbOkMVIx
4DW4R3OMDeBesYCq
4DW4R3BgegiUdrms
4DW4R3cnTwpTIvyT
4DW4R3DWcWNiEXPP
4DW4R3iCreWUHWGb
4DW4R3LiJKnslVtt
4DW4R3LvDTrcfXVv
4DW4R3mnBXqRvuTh
4DW4R3MPJqxbuXKI
4DW4R3NSuclTeFTj

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

 

[Limnologist]

Ok, I did it--but still have the redirect problem. (This time, though I did a search on Google Redirect and found more sites addressing it--can't get to them, but maybe someone--maybe someone from google?-- has developed a specific fix now?

BTW I forgot to disable avg, but Combofix told me it was still connected, so I guess it wasn't the other times.

Thanks for your on-going help.

Patiently Waiting,

Carol

 

[Limnologist]

Broni, you probably have access to way more sites than I do but this one seemed to have some new information, such as the thing about re-infecting through hosts. I have NOT made any of the changes it recommends yet although think I'll look at that SpyBot one.

http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en

 

[Limnologist]

Here are some things I pulled off that other site. Many people said the Hitman program was good, but since those could all be fake comments, I wanted to get the blessing of this board before doing it.

~~~~~~~~
the cause is a TDSS trojan. search google for TDSS killer and download the zip file to your desktop. i found a dns server in my LAN adapter settings and removed it.
~~~~~~~~~
Only Gmer reported a suspicious atapi.sys file in c:\windows\system32\drivers. The other programs found nothing that would solve this problem.
I copied the atapi.sys file to the computer with the Google redirect problem. The file date (on the problem computer) kept changing automatically to today's date (from 04/13/2008) within seconds after I copied the file. So, I ran the "attrib +r atapi.sys" command to make the file read-only on the good networked computer. Then I copied the read-only file again to the problem computer. Since then, the file date has not changed, and I've had NO redirect problems when searching at Google.
~~~~~~~~~~
Many people were having to manually identify and remove the offending file(s) from their systems, as it reached a point where most of the currently available products were not able to keep up with the changes to the malware. The malware can change multiple times a day, making it difficult for security vendors to be able to provide a solution
~~~~~~~~~~~
For those who would like to protect their Hosts file from unauthorized changes, you may want to consider using SpyBot Search and Destroy to lock the Hosts file. This Hosts file option can be found through the Advanced Settings Mode under the [Tools | IE Tweaks | Lock Hosts file read-only as protection against hijackers ] section.
Spybot Search & Destroy http://www.safer-networking.org/en/download/index.html While I do not use the TeaTimer resident protection (I only run manual scans when needed) I do use the immunize feature of SpyBot Search and Destroy to minimize exposure to bad sites, as well as use the option to lock my Hosts file from unauthorized changes. There are probably other ways to do this as well, this is just the one that I have used successfully for years.
~~~~~~~~~~~
viruses sometimes will alter your "hosts" file, which is basically a file that controls the redirecting for your browsers (specifically, this file makes it faster for your computer to convert URLs into the relevant IP addresses by having a shortcut list of IP addresses instead of having to look them up when you type in the URL). Anyway, here's what you need to do to fix: (1) Click START > RUN > and type in "C:\windows\system32\drivers\etc\hosts" (2) When prompted, open the HOSTS file in either Notepad or Wordpad (3) Delete all the lines of IP addresses in the text document except for "127.0.0.1 localhost". If you find several lines of IP numbers other than localhost in your hosts file, then this is almost definitely your problem and will be fixed right away. If not, then this probably isn't the issue, but it's worth a look.
~~~~~~~~~~~~
think atapi.sys file is the culprit while I use XdelScan to remove google redirect virus you can download it here: http://www.xdelbox.com/xdelbox-1-0-beta-release/
~~~~~~~~~~~~~~
The software I use to remove this rootkit is called Hitman Pro 3.5 http://www.hitmanpro.com It scans your PC in just 2-3 minutes and successfully cures the atapi.sys / Google redirect infection.

 

[Limnologist]

The SpyBot Tech told me to run GMER. It shut off the computer twice, so I broke up the scan into pieces, which I'm attaching. When I tried to do D drive it just froze up and I gave up. But it did seem to come up with something, see part two. I don't think that program removes it, though, does it?

Spybot also recommended running RootRepeal http://ad13.geekstogo.com/RootRepeal.zip but that froze up the computer, too and I haven't had any luck running it.

And now, for some weird reason, I have a new Outlook Express Icon on the desktop and lots of popups when I go to news stories...

 

[Broni]

Run GMER one more time.
Right click on:
Service C:\WINDOWS\system32\drivers\4DW4R3jNFoCjjUtI.sys (*** hidden *** )
Click "Delete the service" and answer YES to all questions.
Restart computer, post fresh GMER log, along with new HJT log.

 

[Limnologist]

That GMER really messed up the computer, was hard to get to run at all but for you, Broni, I'll try. : ) Might take awhile.

 

[Broni]

OK ......

 

[Limnologist]

Ran GMER, deleted, but it came right back. Haven't run GMER again yet, or maybe I did and just can't remember....Spybot person had suggested running Killbox to remove that one thing, which I did, and now it says it can't find it on computer--but I STILL have the redirect problem. They also told me to run RootRepeal but the computer just can't do it--freezes up completely each time, even worse than GMER.

I'm losing hope....

What about using that hitman program? is that safe?

 

[Limnologist]

Started GMER. That thing comes up, I delted. Run scan. Right as it was done it crapped out (sorry, don't know the correct term) and computer had to restart. When comes back it says "computer has recovered from a serious error". I've been getting that a lot with all these scans and things. Go to do GMER again, and that thing is BACK. I had not gone to google or on the internet or anything. Tried to run GMER again but computer froze up.

So clearly it's re-infecting, possibly when restarting the computer--which it seems to shut down on its own.

A friend thinks it's time to wipe the harddrive clean but this is a really bad time for that for me (may have a new job that requires THIS computer by Sunday--keep fingers crossed) plus I don't like the thought of the bad guys winning....

 

[Broni]

Please download Sophos Anti-rootkit & save it to your desktop.

IMPORTANT!

• Disconnect from the Internet or physically unplug you Internet cable connection.
• Clean out your temporary files.
• Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
• Temporarily disable your anti-virus and real-time anti-spyware protection.
• After starting the scan, do not use the computer until the scan has completed.
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
• Make sure the following are checked:
  
  • Running processes
  • Windows Registry
  • Local Hard Drives
  
  
• Click Start scan.
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  
  • Files tagged as Removable: No are not marked for removal and cannot be removed.
  • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  
  
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
• A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
• After reboot, a dialog box displays the files you selected for removal and the action taken.
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\

 

[Limnologist]

Hey, I couldn't get back this site yesterday, today I have the flu or something. I'll wait till someone can help me with your last set of instructions, so I don't mess it up....will be back...

 

[Broni]

No problem