Search re-direct completely removed? logs attached

By BuddyBoy
Jun 15, 2009
  1. Prior to finding this forum, I ran MBAM, renamed as 123, as well as Kaspersky to try to clean out a redirect. The redirect was affecting access to YouTube files, redirecting to bogus search sites. I think I picked up the problem when trying to install an add-on to Firefox, which I should have paid closer attention to, as it was probably bogus. I thought I had it cleaned, but a couple of boot ups later, it reappeared.

    At any rate, I've run the 8 steps a couple of times, and the logs are now clean. Firefox is running fine (faster) and YouTube works again. Because this thing has re-infected in the past, I'm worried about doing a backup and saving it permanently. I do have the option of restoring a system backup, with relatively little software re-install, should I have to.

    I'm attaching the logs from MBAM, SASWare, and HijackThis, both from the initial run when stuff was found, as well as from a later "clean" run.

    If someone could verify them and advise on whether this thing is likely removed or dormant I would be very appreciative.

    Thank you.
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Buddy

    You did a great job! Glad you posted the before logs of MBAM and SAS!

    You are well covered with Comodo.

    But because you had tdss do the following....

    Turn off Comodo only while running the below!

    Download ComboFix

    Get it here:
    Or here:

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    Attach log and then do the below!

    Download SDFix to Desktop.

    On Desktop run SDdFix It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click thu all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

  3. BuddyBoy

    BuddyBoy TS Rookie Topic Starter

    First of all, Mike, thanks for your time.

    Ran everything and must say all went smoothly. The only glitch was COMODO and Kaspersky autorunning on the re-boots. Not sure if it messed up Combofix, but it didn't complain and seemed to finish normally.

    Also ran HJT twice, after Combofix and after SDFix.

    Logs attached.
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    As Jed Clampett used to say "Whee doggie!

    Run HJT Scan only and select to Fix the following!
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Games\QTTask.exe" -atboottime
    O23 - Service: 123avp - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\123avp.exe (file missing)
    O23 - Service: 123pva - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\123pva.exe (file missing)
    O23 - Service: avp1 - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp1.exe (file missing)
    O23 - Service: avp123 - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp123.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)


    Update but not run, MBAM and SAS!

    Download DrWeb Curit from here

    Now do the below before booting to Safe Mode with Networking

    Left Drag mouse and Copy for Pasting all text in the box below.
    Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt.
    @echo off
    attrib -h -s -r /s c:\SKYNET*.*
    del /f /q /s c:\SKYNET*.*
    Once in Safe Mode networking do the copy paste operation above again! Then run MBAM Quickscan and post log if not clean. If not clean run MBAM again until clean.

    Then same with SAS!

    Then run Cureit.

    If a reboot is required do not go back to normal but back to Safe Mode!

    Finally rename ComboFix to 1cfix and run 1cfix post that log and a new HJT log!

  5. BuddyBoy

    BuddyBoy TS Rookie Topic Starter

    Hi Mike:

    Managed all of the steps successfully. Inadvertently ran the attrib and del command script twice, prior to booting in safe mode. I didn't realize it was actually executing after the paste, and only saw the attrib command on the screen. By the time I repeated the paste, I realized that the rest of the script comes up as the commands are called. At any rate, also ran it after safe mode boot-up, as per your instructions.

    I logged on as administrator in safe mode. MBAM ran clean the first time. SAS found an adware cookie, then ran clean the second time.

    Cureit ran clean. "No viruses found"

    Combofix ran clean, though it warned about Kspersky running. I couldn't find the Kas icon, so started the .exe, then paused protection. Another Combofix warning message, so exited Kas and OK'd Combofix to continue. Seemed to run OK.

    Logs attached.

    One strange thing. On the Administrator desktop there is a text file named CATCHME, dated yesterday. I haven't done anything other than look at the file properties. Can't remember seeing it get created.

    Thanks again

    PS As Tintin used to say, "Oui, Doggie"
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    All looks good! But Attach the carchme text file!

    How is it running now?

  7. BuddyBoy

    BuddyBoy TS Rookie Topic Starter

    Everything is running fine. Internet sites are much faster, no re-directs of any kind. Comodo picking up all sorts of activity, which is reassuring.

    Are there any tests I should do (surfing specific sites, trying various connections or searches) given whatever I was infected with? Is there something specific I should watch out for?

    I'm still a bit leary about using PayPal, for example.

    Any cleanup steps necessary?

    Attaching the CATCHME.


  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok you may delete the catchme log!

    I feel you are clean but if you are Paranoid then you can do one more scan from another highly rated Scanner.

    If this comes up clean then you can become unparinoid!
    Additionally the protections I advise in my closing will protect you even more!

    So here is my closing, do these steps after the above and you will be well covered. Tho this is my closing get back to me with a final status report!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanit will delete itself when finished, If not delete it by yourself.

    Run CCleaner (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean. You may have this from the 8 Steps.

    Run ATF-Cleaner Temp and Registry, repeatedly until no more found.

    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    The issues can and are likely found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    Add a redundent Reg backup, get and install ERUNT let it add itself to startup and do a backup on install check all boxes.

    Yes! Even if you use system restore and other backups Registry and Images.

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.
    Look at

    Run SpyBot ocassionally and use the Immunize function.

    I highly reccomend Hostman: Hostman

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

  9. BuddyBoy

    BuddyBoy TS Rookie Topic Starter

    Hi Mike:

    I have Kaspersky installed and updated as my main AVP. I downloaded the virus scan from the link you provided anyway. It installed, but would not run, detecting an application still running, according to the error window. I was in safe mode, and could not see any applications running. When i re-booted, is-G7CDE.EXE was still running in the background and had to be terminated. Tried a couple of times (in SAFE mode, Kaspersky doesn't autorun, so shouldn't have been conflicting?). At any rate, I ran my Kas (AVP.EXE) in safe mode and did complete scan. It detected a rootkit, I think the same one we were attacking. I've attached the Kas report, and will await your comment before proceeding.

    Thanks again.
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    If you already had Kaspersky that would do the same.

    So you uninstalled Comodo?

    Uninstall the KAV cleaner I had you to download.

    Ok since you ran the full KAV in Safe Mode run it in Normal Mode again to confirm it detects nothing else and that it did in fact fix the RootKit!

  11. BuddyBoy

    BuddyBoy TS Rookie Topic Starter


    KAV ran clean in normal mode.

    I still have Comodo installed. Am only using the firewall. It is running concurrently with KAV, which I have had all along.

    Have uninstalled the KAV cleaner.

    Will await further instructions before proceeding.

  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok looks good then, post a final HJT log and do my closing in post #8 and get all those steps and let me know the results.

  13. BuddyBoy

    BuddyBoy TS Rookie Topic Starter

    Oops, first snag.

    The OTCleanIt Oldtimer download server at Bleeping Computer cannot be found. I'm getting Error 404 from Firefox browser. Tried it from several other links in other posts with same result.

    Maybe they are down temporarily? Will try later unless you say otherwise.

    Attaching HJT log.

  14. BuddyBoy

    BuddyBoy TS Rookie Topic Starter

    OK. So OTCleanIt is still not accessible. Went ahead with the other steps anyway, after downloading and running TFC from Oldtimer as well.

    All stages clean except for SPYBOT. It detected the TDSS.RTK again in 5 or 6 registry entries. All named GAOPDX*.* Did the remove and saved the log. Oops, it saves as an .XPS.

    Ran HJT afterwards.

    Log attached.

    Still concerned given the SpyBot result.


Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...