  #14  
Old 04-13-2009
Member since: Apr 2009, 1 posts
Google Redirect and CMD.exe broken, Trojan-PWS.Delf!IK... Here is how I fixed this one

I had the same problem... I used ALL of the suggestions listed here and many more, but none worked (didn't even find one virus), mainly because cmd.exe and other programs used by the various antispyware/antivirus programs were "broken". This virus runs in safe mode as well, so that didn't help. So here is what worked...

Download Process Monitor from Microsoft Sysinternals.

Download Killbox from killbox.net.

You may need to download to a thumb drive from a different computer, as the redirects are relentless, especially for antivirus-related sites... bleepingcomputer.com just comes up with blank pages.

Find the naughty files... So now run Process Monitor and then do a Google search in your web browser. Back in Process Monitor, scroll to the bottom of the Process Monitor screen and you will see two files that are opened, written, and closed over and over, hundreds of times. Click on one of each and write down the name and location. (You may need to stop Process Monitor from capturing just to have a chance to read.) Mine were c:\windows\system32\sqlsodbc.chm and c:\windows\hpupsuw.uio. These are normal files that have been borrowed and corrupted by the virus. I've also seen references to SYSAUDIO.SYS used in this virus.

And KILL them!... Now close Process Monitor and your web browser and run Killbox. Select "Replace on Reboot" and "Use Dummy", and click "Multiple Files". Put the path to the first file you found in "Full Path of File to Delete" (mine was c:\windows\system32\sqlsodbc.chm), then click the red circle with the X. A message will say "The file will be replaced on reboot, reboot now?" Say no, and enter your second file into the path box (mine was c:\windows\hpupsuw.uio). Then make sure "Use Dummy" is checked and hit the red X again, and this time let it reboot.

In my case, the virus was then completely disabled: no redirects, and cmd.exe worked. I ran ComboFix, which found 4 numbered DLLs named 161491571.dll and similar; it is called "Trojan-PWS.Delf!IK".

All other scans afterwards by various products came up clean.

Hope it works for you... 3 days and 15 minutes for me... what a waste!
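The Process Monitor step above comes down to spotting which file paths are being opened, written, and closed far more often than anything else on the system. As an added example that is not part of the original post, the following Python script does that counting automatically over a Process Monitor CSV export. The sample log it builds is constructed here to mimic the default Procmon export columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), with a browser process hammering the two file names the poster mentions; the column names, the `count_file_churn`/`suspicious_paths` function names, and the threshold value are all assumptions of this example, not anything from Procmon or the post.

```python
import csv
import io
from collections import Counter

# Assumed header matching Process Monitor's default CSV export columns.
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"'

# File-system operations that count as "churn" on a path (assumption of this example).
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile", "CloseFile"}


def _row(t, proc, pid, op, path, result="SUCCESS", detail=""):
    """Format one constructed Procmon-style CSV row."""
    return f'"{t}","{proc}","{pid}","{op}","{path}","{result}","{detail}"'


def build_sample_log(cycles=50):
    """Constructed sample log: a few ordinary events from other processes, then a
    browser process opening/writing/closing two files in a tight loop."""
    lines = [
        HEADER,
        _row("10:00:00.0000001", "explorer.exe", "812", "CreateFile", r"C:\Users\me\Desktop\notes.txt"),
        _row("10:00:00.0000002", "explorer.exe", "812", "ReadFile", r"C:\Users\me\Desktop\notes.txt"),
        _row("10:00:00.0000003", "explorer.exe", "812", "CloseFile", r"C:\Users\me\Desktop\notes.txt"),
        # Registry operations are not file churn and must be ignored by the counter.
        _row("10:00:00.0000004", "svchost.exe", "1040", "RegQueryValue",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
    ]
    hot_paths = [r"C:\Windows\System32\sqlsodbc.chm", r"C:\Windows\hpupsuw.uio"]
    tick = 5
    for _ in range(cycles):
        for path in hot_paths:
            for op in ("CreateFile", "WriteFile", "CloseFile"):
                lines.append(_row(f"10:00:01.{tick:07d}", "firefox.exe", "1234", op, path))
                tick += 1
    return "\n".join(lines) + "\n"


def count_file_churn(csv_text):
    """Count file operations per path (case-folded, since NTFS paths are
    case-insensitive). Returns a Counter mapping path -> event count."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] in FILE_OPS:
            counts[row["Path"].lower()] += 1
    return counts


def suspicious_paths(csv_text, threshold=100):
    """Paths touched at least `threshold` times, busiest first (ties by name).
    These are the candidates the poster wrote down by hand from the Procmon window."""
    counts = count_file_churn(csv_text)
    hits = [(path, n) for path, n in counts.items() if n >= threshold]
    hits.sort(key=lambda item: (-item[1], item[0]))
    return [path for path, _ in hits]


if __name__ == "__main__":
    log = build_sample_log()
    for path, n in count_file_churn(log).most_common(5):
        print(f"{n:6d}  {path}")
    print("candidates:", suspicious_paths(log))
```

On a real capture you would export from Procmon with File > Save as CSV and pass the file contents to `suspicious_paths`; the threshold is a judgement call, and a path that shows up here should be checked against a known-good copy (file hash, signer, or install media) before it is deleted, since the poster's files were legitimate names that had been overwritten.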