Google redirect & cmd.exe unusable

Status
Not open for further replies.
Hi, a few days ago some Google search results started taking me to pseudo-random sites. I've since tried a bunch of common fixes found on forums, and have run into other problems. Common anti-virus sites are blocked, winamp has stopped working, automatic updates of anti-virus/spyware software does not work, and cmd.exe simply flashes the screen and does not do anything. However, if I rename cmd.exe to something else it works correctly. I have run Fixwareout, and run through the 8 steps outlined in the forum sticky (manually updating the definitions). Attached are the 3 logs requested. Thanks in advance for any help you can give!
 

Attachments

  • hijackthis20090404_1130.log (10.3 KB)
  • mbam-log-2009-04-04 (10-06-48).txt (865 bytes)
  • SUPERAntiSpyware Scan Log - 04-04-2009 - 10-51-20.log (465 bytes)
Hi Lady

First boot to Safe Mode with Networking!

Open SAS and UPDATE, then click Preferences, then Repairs, then do the following fixes.

Enable Windows Explorer options
Internet Zone Security Reset
Local page Reset
Remove Explorer Policy Restrictions
Remove Internet Explorer Policy Restrictions
Remove WinOldApp policy restrictions
Repair broken Network Connection (WinSock LSP Chain)
Reset Desktop Components
Reset Desktop Policies
Reset URL Prefixes
Reset Web Settings
Reset Winlogon Shell
Reset ZoneMap Settings
User Agent Post Platform Reset
User Agent reset


See if you can get the below to work

Go here and download to Desktop: http://www.adrive.com/public/97c4357781f45c7e443061094b8cfaff3836f57446eb242ab2ee0b6cd68a0107.html

Double click Fixer.exe to run it. This will extract a Fixer folder to the desktop.

Then double-click to enter the Fixer folder.

To run it, first double-click Daft, then click Scan, check any found items, click Fix and then Exit.

Next, double-click Fixit.cmd to run it.

Get back to us.

Mike
 
Is it normal for SAS to exit after each repair? I wasn't able to run the auto-update on it, also, although I did a manual update last night.

Ran through the other steps. Daft did not find anything. Rebooted, and still have problems.
 
No it was not supposed to exit!

OK, just to confirm: you did run Fixit.cmd inside the Fixer folder?

Ok do the below...

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.
=========================================

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop, run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop, open My Computer, then double-click the C: drive to open it.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike

EDIT: Go here http://www.4shared.com/get/75127413/a257d490/RatsCheddar.html
Extract zip and run RatsCheddar and Click to enable all!

Mike
 
Hi Mike,

Strangely, after a ton of reboots after I first ran it (I didn't tap F8 at the right time, I guess), Fixwareout finally ran something on startup, after which everything seemed to be working. Auto-updates are working again, cmd.exe is working, no more Google redirects, etc.

SDFix did not prompt a reboot (said something about not being able to find files) nor produce a log. I've attached my combofix and hijackthis log in case there's still something lurking.

Should I run RatsCheddar still?

Thanks so much for your help!
 
Will not hurt anything to run it!

Rename ComboFix.exe to 12cbf34.exe and run it again under that name. It had one finding so we need to be sure it is clean this time.

Post the log.

Looks like you are clean but ....

The below will finish up hopefully.

Go here Download DrWeb https://www.techspot.com/vb/post724044-3.html

Then....

Boot to Safe Mode only! Not with Networking, and run...

DrWeb will first do an Express Scan on its own; when it completes, you should do a full scan.

For the first virus it finds, select Cure, and it will use this as the default automatically for all the rest. What it can't fix will be Quarantined!

This will take a while based on CPU and HD speed and size, but is worth it!

Mike
 
I ran DrWeb, and it came up with a bunch of entries. A lot of them were ComboFix and SDFix; should I ignore these? The rest were in C:\System Volume Information\restore{insert long number here}.
 
Yes, ignore; some of these tools (ComboFix, SDFix) look like malware to other tools.

Looks like we are clean but my closing contains a deep Temp cleanup and a gentle Registry cleanup.

Do the closing then reboot and evaluate the system and report back how it runs and anything remaining.

Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by the Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

If prompted to Reboot, click Yes.
OTCleanIt will delete itself when finished. If not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner (you should already have this from 8 Steps)
http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can be, and likely are, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore, OK to "Are you sure", and then OK to run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Registry backup: get and install ERUNT, let it add itself to startup, and do a backup on install (check all boxes).

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you about a prompt, to help you determine whether to approve or not, you can Google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

Download, install and run it; allow it to disable DNS Client, select all hosts files, then Update and install all hosts files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
 
I would not have closed this thread yet:

First, Ad-Watch was running during the scans. Real Time Protection is supposed to be temporarily disabled for the scans, in order to get accurate information:
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

AD-AWARE AD-WATCH
* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    o Active: This will turn Ad-Watch On/Off without closing it.
    o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps, but this time check both boxes.)
I would also have stopped this and run LSPFix:
O20 - AppInit_DLLs: WIKI.DLL
There is no information available online.

FYI:
Regarding the reference to "C:\System Volume Information\restore{insert long number here}."
When this is seen in a malware cleaning log, it means that the malware has gotten into the restore points. The user should be advised NOT to use System Restore because of it. Old restore points are removed at the END of cleaning.

Update Adobe: Most current version: Adobe Reader 9.1
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version : https://www.techspot.com/downloads/345-adobe-reader.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
 
Thanks for the help Bobbye

All of the major cleanups were done in Safe Mode which negates adwatch and other protections.

Adobe is not malware, so I was not after that! It would be good to update it, or better, uninstall it and install Foxit!

wiki.dll belongs to CS-Wiki, likely unused but legit.

So comb through it again, because I could have missed something!

Mike
 
Amazing!!!!

Thanks a lot MFLYNN!!!

My symptoms were different (got hit by ROOTKIT) but I followed your steps. Voila! Back to normal now!
 
Mike, I always throw the Adobe and Java updates in. They aren't technically part of malware cleaning, although Java is one of the steps. But most of the updates are for security vulnerabilities, so I try to keep them current.

Cutting down on Startup isn't part of malware cleaning either! But I volunteer the time occasionally.
 
Google Redirect and CMD.exe broken ,Trojan-PWS.Delf!IK...Here is how I fixed this one

I had the same problem.... I used ALL of the suggestions listed here and many more but none worked (didn't even find one virus).... mainly because cmd.exe and other programs used by the various antispy/virus programs were "broken". This virus runs in safe mode as well so that didn't help. ...So here is what worked...

Download Process Monitor from Microsoft Sysinternals

Download Killbox from killbox.net

You may need to download to a thumbdrive from a different computer as the redirects are relentless...especially for antivirus related sites...bleepingcomputer.com just comes up with blank pages.

Find the naughty files.......So now run Process Monitor and then do a Google search in your web browser... back in Process Monitor, scroll to the bottom of the Process Monitor screen and you will see two files that are opened, written, closed over and over, hundreds of times.... click on one of each and write down the name and location. (You may need to stop Process Monitor from capturing just to have a chance to read.) Mine were c:\windows\system32\sqlsodbc.chm and c:\windows\hpupsuw.uio. These are normal files that have been borrowed and corrupted by the virus. I've also seen references to SYSAUDIO.SYS used in this virus.

And KILL them!........Now close Process Monitor and your web browser and run Killbox. Select "Replace on reboot" and "Use Dummy", and click "Multiple files". Put the path to the first file you found in "Full path of file to delete" (mine was c:\windows\system32\sqlsodbc.chm), then click the red circle with the X. A message will say "the file will be replaced on reboot, reboot now?"; say No, and enter your second file into the path box (mine was c:\windows\hpupsuw.uio). Then make sure "Use Dummy" is checked and hit the red X again, and this time let it reboot.

In my case, the virus was then completely disabled: no redirects, and cmd.exe worked. I ran ComboFix, which found 4 numbered DLLs named like 161491571.dll, identified as "Trojan-PWS.Delf!IK".

All other scans afterwards by various products came up clean.

Hope it works for you... 3 days and 15 minutes for me... what a waste!
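The Process Monitor step in the post above, turned into a repeatable check; this is an added example, not code from the thread or from Sysinternals. It reads a Procmon CSV export (File > Save, CSV format, whose default column headers are used here) and reports paths that a single process creates, writes and closes in a tight loop. The capture rows, process names and the 100-cycle threshold are constructed for the demo.

```python
"""Flag files rewritten in a tight create/write/close loop in a Process Monitor
CSV export, the symptom described in the post. All sample rows are constructed."""
import csv
import io
from collections import Counter

CYCLE_OPS = ("CreateFile", "WriteFile", "CloseFile")
# Procmon's default CSV export columns.
HEADER = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]


def make_sample_csv(cycles=300):
    """Constructed capture: the two paths named in the post are churned in a loop
    by the browser; a normal profile file sees only a handful of writes."""
    churned = [r"C:\Windows\System32\sqlsodbc.chm", r"C:\Windows\hpupsuw.uio"]
    profile = r"C:\Users\lady\AppData\Roaming\Mozilla\places.sqlite"  # assumed path
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL)
    w.writerow(HEADER)
    t = 0
    for _ in range(cycles):
        for path in churned:
            for op in CYCLE_OPS:
                t += 1
                w.writerow([f"10:00:{t % 60:02d}.{t:07d}", "firefox.exe", "1234", op, path, "SUCCESS", ""])
    for _ in range(8):  # ordinary browser activity, far below the threshold
        for op in CYCLE_OPS:
            t += 1
            w.writerow([f"10:01:{t % 60:02d}.{t:07d}", "firefox.exe", "1234", op, profile, "SUCCESS", ""])
    return buf.getvalue()


def count_cycles(csv_text):
    """Return {(process, path): cycles}; one cycle is one full create/write/close
    round, so the count is the minimum of the three per-operation counts."""
    ops = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] in CYCLE_OPS:
            ops[(row["Process Name"], row["Path"], row["Operation"])] += 1
    pairs = {(proc, path) for (proc, path, _) in ops}
    # Counter returns 0 for a missing key, so a path never written counts as 0 cycles.
    return {(p, f): min(ops[(p, f, op)] for op in CYCLE_OPS) for (p, f) in pairs}


def churned_files(csv_text, min_cycles=100):
    """Paths rewritten at least min_cycles times, most active first."""
    hits = {k: n for k, n in count_cycles(csv_text).items() if n >= min_cycles}
    return sorted(hits.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (proc, path), n in churned_files(make_sample_csv()):
        print(f"{n:5d} create/write/close cycles  {proc}  {path}")
```

On a real capture, feed the saved CSV text to churned_files() and treat any flagged path as something to note down for the next step, exactly as the post does by hand.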
 
tastywart - gad, what a name! We have a virus and malware cleaning process that we use first. Logs are then reviewed and handled as needed. Additional programs are run as appropriate. Understand that each infection is specific to the system it's on, and the help we give that person is specific to that person. One thing that is found fairly often is that users run Malwarebytes but don't check for the removal of the entries. So even though the entries were found, if we don't SEE the logs to tell them to go back to remove, they don't get rid of the malware.

Perhaps that sort of thing is what happened to you.

No one is advised to run ComboFix unless told to. I will not speak for what was suggested by the other member. But I have a pretty good idea that if you had come here, gone through the steps that we lay out and followed our directions, you might have solved "your" problem in a more timely manner!
 
RE: Google Redirect and CMD.exe broken ,Trojan-PWS.Delf!IK...Here is how I fixed this

Hi all,
With all due respect for the in-depth removal process posted on this page, I have to say tastywart's info was fantastic. Resolved within 5 min of my user complaining. :)
 
Hi all,
With all due respect for the in-depth removal process posted on this page, I have to say tastywart's info was fantastic. Resolved within 5 min of my user complaining.

Wow and you didn't even post the question!

FYI: we follow a process here:
Special governing rules for the Virus & Malware removal board
The disclaimer and rules below only apply to the Virus & Malware removal forum.

1) Despite the open nature of the TechSpot forums, the Virus & Malware removal board is different in that it's completely dedicated to tech support, offering members free help to get around their issues related to computer viruses, worms, trojan horses, spyware and other malicious and unwanted software.

Because of the complexity and variety of issues posted by users, we have found the necessity of creating a guide. Read: "8-step Viruses/Spyware/Malware Preliminary Removal Instructions".

2) We request ALL members that want Virus/Malware help to follow these simple steps which will ease the transition from coming to help to actually receiving it.
For other types of support, please choose the appropriate forum (e.g. our BSOD Help & Support forum is another section dedicated to member support).

3) When creating your support thread, please DO NOT copy the entire "8-step Viruses/Spyware/Malware Preliminary Removal Instructions" title, instead make it short and descriptive.

4) Established members who want to participate and help other members, you are more than welcome to do so. HOWEVER, it is mandatory to be knowledgeable in this area and adhere to these guidelines by following the log scan process and offering help based on the 8-step instructions first. Only after these resources have been depleted should you suggest proceeding otherwise.

This should streamline the support process and not confuse the user. Furthermore, this will show good faith on the helping side, by offering valuable information in a single direction to the member in need.

5) New members coming for support will want to know that moderators have their usernames highlighted GREEN, while known malware helpers are highlighted in PURPLE.
__________________
Julio Franco

And assistance is provided specifically for the user with the problem on THEIR system.
We don't do "group" malware cleaning!
 