Spread the love! TechSpot Tech Gift Shortlist 2017

Google Redirect - Fixed

By gmpederson · 34 replies
Nov 27, 2008
  1. I have spent the last two days trying to get rid of the TDSSserv Rootkit that redirects all links to Antivirus websites to the localhost. This completely stopped me from performing most of the 8-Step Removal Instructions. I had to use an uninfected laptop to download the installs for all of the programs listed in 8-Step and then transfer them to the infected computer. No installs worked until I found a thread here to disable TDSSserv.sys using device manager. When I disabled this driver, rebooted, and logged in I was able to briefly access the desired websites but Windows then locked up. I finally had to use safe mode to install Malwarebytes' Anti-Malware program which found some of the problem. Thereafter I was able to launch Windows and carry out each of the 8-Steps.

    I think this board, TechSpot, is fantastic. I would not have been able to get this far without it. Thanks to all of you.

    Now, I would appreciate it if you would review the attached logs to see if there are any remaining problems and thanks in advance.
  2. rf6647

    rf6647 TS Maniac Posts: 829

    Welcome to TS. That’s progress. Your logs show found and removed items. We will proceed along a typical path.

    Update both MBAM & SAS. Rerun them both.

    This effort is complete when logs report NO infections/threats, or reporting something it can not clean.

    Restart the computer. Scan with HJT.

    Posts logs. Report progress & what changes are observed.

    Further discussion
    Thanks for the feedback regarding this post. In that thread, message #3 link to 'fixit download' is being developed as a more comprehensive tool. Your reported difficulty reveals how quickly threats evolve.

    The MBAM version used for the scan is 'ancient' when judged by the multi-updates made daily to that tool.

    Attempt to follow the typical path. In case of difficulties due to resurgence of the infection, then visit message #3.
  3. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    I updated MBAM and SAS and reran them. I've attached the appropriate log files for your review.

    It seems that SAS always finds registry traces of Rootkit TDSSserv so I think it is being reinstalled. Also TDSSserv.sys is still showing up in Device Manager although it is still disabled. Should I uninstall this driver?

    I have a few additional questions that I'd like your advice on:

    1. What Antivirus program would you recommend? I have gone from AVG, to Avast!, and now I'm using Avira AntiVir Personal as my sole antivirus program.
    2. I'm using ZoneAlarm for my firewall. Would you recommend anything else in it's place?
    3. I have Windows Defender and Lavasoft Ad-Aware installed prior to my problems. Should I uninstall them since I'm now using MBAM and SAS?
    4. For your information, I've installed SpywareBlaster, CCleaner, and WinPatrol based on recommendations made on this forum. Not really sure what WinPatrol is doing since I haven't had time to review the documentation yet.

    Again, thanks for your continued help.
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Your SAS log shows it may still be there.

    Do this..


    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    Then update SAS and scan again but with the changes below:

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure all boxes are checked except #3 Ignore System Restore are checked.

  5. rf6647

    rf6647 TS Maniac Posts: 829

    Mflynn – Combofix is a good call on this. It will be a speedy route to a clean computer.

    I believe this case proves the need to develop your instructions into a procedure. The ‘disable tdssserv’ procedure was developed with the belief that installation of another tool could be avoided. However, several cases following your instructions permit MBAM & SAS to run clean. It’s difficult to comprehend how a ‘disabled trojan’ escapes full treatment from MBAM & SAS.

    While I was considering asking gmpederson to conduct an experiment to prove my observation, the effect would have distrupted the flow of the 8-step guide that is preached here.
  6. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Okay....I've run ComboFix and it deleted ODCTOOLS files and folder as well as C:\windows\system32\TDSSitpe.dat. Everything else appears to be clean. Here are the logs you requested.
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    OK but I require a clean Combofix log, just because it shows removed deleted items does not mean it is clean until log says so, so run it again and post new log

    Run HJT Scan only Select and remove the below.

    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    You have evidence that you once had Norton/Symantec. It is not completely gone.

    To remove it do this..

    OK lets see if we can't get rid of norton (Norton/Symantec is extremely hard to eradicate)

    Drag mouse copy for pasting all inside the box below


    @echo off
    attrib  -h -s -r norton*.* /s  /d >"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
    echo ...............................................
    dir /b /s norton*.* >>"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
    echo ................................................
    del /s norton*.* /f /q >>"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
    rd /s /q norton*.*
    attrib  -h -s -r syman*.* /s /d >"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
    echo .................................................
    dir /b /s syman*.* >>"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
    echo ..................................................
    del /s syman*.* /f /q >>"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
    rd /s /q synan*.*
    Then open the command prompt and paste directly to the Black screen.

    Attach the norton and symantec files created on the desktop.

    Then go here do all in this post except the registry editing we will do that differently and deeper.

    Note when you run rnav2003 do all versions but decline to reboot until the last one (no need to reboot 4 times)

    SYMMSICLEANUP.reg ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SYMMSICLEANUP.reg
    Save the file to the Windows desktop.
    If using Firefox. Right-click the following link and then click Save Link As to download the file.

    On the Windows desktop, double-click SYMMSICLEANUP.reg,
    Click Yes when prompted, and then click OK.

    Download RegSeeker http://www.hoverdesk.net/dl/en/RegSeeker.zip

    Unzip install and run.

    Click Find in Registry
    delete all it finds

    do same process with Symantec

    You are finally clean of Norton/Symantec.

    Now post ne HJT log. We may be finished!

  8. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Alright Mike. I tried following your instructions but I did run into problems with the Symantec instructions:

    * When running SYMNRT.exe a message is displayed that the tool has expired and cannot run Norton_removal_tool.exe
    * Received a download error for SYMMSICLEANUP.reg (using FireFox Save Link As): \englis...MSICLEANUP.reg could not be saved, because the source file could not be read. Couldn't run this.
    * Access denied when trying to delete: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine folder.

    I was able to do everything else so here are the files you requested. Let me know what to do next. (BTW I hate Norton and Symantec - I hope I'm rid of it forever).
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok good job, Combofix looks good

    Download the MSICleanup with Internet Explorer and execute it approve all prompts.

    Get the Norton Removal tool from her http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    But don't run.

    Boot to Safe mode and rerun all the Norton processes again and that should do it.

    Boot back to normal mode and send the norto and symantec files from desktop again.

  10. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47


    Where is "Download the MSICleanup". Do I need to use MS IE or can I use Firefox. I tried downloading MSICleanup before and was unsuccessful. I end up at a Symantec FTP site based on your prior link but then I don't know what to do next.

    Forget about this post. I googled it and found the path to the file. I'll run everything and get back to you shortly.

    Well I ran the SYMMSICleanup.reg and rebooted to safe mode to do the Norton removal tool and Windows will no longer start.

    Error message is: "Windows could not start because the following file is missing or corrupt: \Windows\System32\Config\System. You can attempt to repari this file by starting Windows Setup using the original Setup CD-ROM. Select 'r' at the first screen to start repair. "

    What next. I'm tired tonight so let me know if you have any suggestions and I'll review tomorrow night. It looks like I need to reload Windows.
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi GM

    That was a bad link don't know why, had used it before tested when posted.

    I have edited and posted a new address.

    Do not install but lets us do a Repair/Overlay install.

    Boot from your Windows CD and proceed to install. You will get a prompt to Hit R to use Recovery console. Do not chose that one, continue until Windows finds an Existing Installation and offers R to Repair the existing installation. Chose this R. and from there it will look like a normal install.

    The Repair of existing installation will fix only the Windows Folder and keep all your data. Everything should be normal when you get back up.

    A link to follow: https://www.techspot.com/vb/topic8356.html

    Another one for insight: http://pcsupport.about.com/od/operatingsystems/ss/instxprepair1.htm

    The only issue is your HJT log shows you have SP3. You should use the same SP level you have on the HD.

    Did you make a SP3 CD by slipstreaming or install SP3 from downloading the full SP3 or from Windows update.

    I am going to assume you only have the SP1 or 2 disk.

    So here is steps to slipstream, from a working computer with CD burner, this can be done from Vista
    Download Autostreamer http://majorgeeks.com/download4444.html
    Download the full SP3 package: http://www.microsoft.com/downloads/...A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

    Once you have both of the above it is simple.

    With your older XP CD in the CD drive run AutoStreamer and it will ask for the location of the original Windows install CD any version SP1 Sp2

    It will ask for the location of the SP3 file and offer to burn to CD.

  12. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Hi Mike,

    Windows XP Pro came with the HP computer that's in trouble. I have CDs of all programs loaded on the original computer so I'll have to figure out which ones are the OS with my work laptop. I'm pretty sure it will be SP1 or SP2. SP3 was loaded via Windows Update.

    I'll follow your instructions tonight and let you know the results. The OS on my work laptop is XP Pro. The only thing I'm a little confused on is your last statement
    "It will ask for the location of the SP3 file and offer to burn to CD." What do you mean by this? I understand now what is meant. The Autosteaming program will create a new install CD with SP3 on it. So I'll give it a try.

  13. mflynn

    mflynn TS Rookie Posts: 2,655

    Uhh oh sounds like you do not have a Microsoft XP Pro install CD.

    The restore disks that come with some of these have been modified and may not produce a usable Slipstreamed CD.

    Yet some when booted offer to repair windows while retaining your data. If unsure post names of the disks you have.

    Worst case if you can get a successful repair you will need to install SP3 again.

    Don't know what happened, but the repair install can, I say can delete some malware but the process needs to be run again.

    Sorry late getting back but had to travel to a clients office today. I have a busy day tomorrow but will try to check in.

  14. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Well here's the sad story.

    My HP sytem recovery disks consist of 8 CDs. I was able to restore Windows with CD #1. When I checked DM/ System, XP did not have an SP (ii.e. SP=0).

    I tried to use Windows Update but ended up in an endless loop of "Files required to use Windows Update are no loner registered or installed on you computer. To continue:

    ( ) Register or reinstall all the files for me now (Recommended)
    ( ) Let me read about more steps that might be required to solve the problem

    The first choice resumes the loop the second choice is an absolute dead end.

    My computer is almost 7 years old. What do you think about deep sixing this guy and getting an i7 Core CPU based new computer running Vista Home Premium 64 bit (ugh).

    I did download SP3 to my work laptop. Is there any way to use it to update the old beast?

  15. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Gary

    Sorry so long getting back. Had to leave early and work out of town today.

    OK confirm you did a non destructive repair that kept all your data, documents and Email?

    Oh yeah! But what to do till then?
    OK to prep for SP3.

    Do the below:

    Download Dial-A-Fix (DAF)

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When finished click Flush Software Distribution and answer no.

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Reinstall Automatic Updates service
    Reinstall BITS
    Reinstall Windows Firewall
    Repair Permissions
    Reset WMI/WBEM

    Watch for any File not found or other errors and make note as this may lead to the fix!


    Run CCleaner Temp and Registry (both until clean) may get a lot here since we reverted from SP3.

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.


    Do not try Winupdate until after SP3 if possible.

    Now run the SP3 file on your DeskTop. We may need to do a couple more things first but try.

    Your Ball!

  16. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Hi Mike,

    Thanks for the reply. I got to thinking about my predicament last night and remembered that I created a full Acronis backup on 10/2/2008 (also have one in 8/08) to an external USB drive. Since I have Windows somewhat functional again, I think I can just restore that image and then run through the cleaning procedures again. I'm pretty sure I was not having the redirection problems until near the end of Oct. What do you think about that plan?

  17. mflynn

    mflynn TS Rookie Posts: 2,655

    That is good glad you have that backup.

    Restore and bring it forward with the scans in this thread afterwords

    Just get any documents, emails, favorites and address books backed up before the restore.

  18. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Mike....Just an update. I successfully restored the system this morning. I will start Windows update (must be 15 updates since 10/3...insane) and will start the cleaning process tonight. I'll post the logs as soon as I can get everything run. Thanks for hanging in there.

  19. mflynn

    mflynn TS Rookie Posts: 2,655

    Actually you shouldn't install anything until you are clean.

    Malware could cause issues with the updates installing at all or correctly and could get infected as soon as they hit the computer!

  20. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Okay....I'll hold off on Windows Update and just install the 8-Step stuff.

  21. mflynn

    mflynn TS Rookie Posts: 2,655

    OK that will be much safer.

  22. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Hello All -- Especially Mike,

    I've restored the system via a full backup of 10/3/08 or thereabouts. No Google Redirect Detected so my problems started within about 30 days of the backup. I've compeleted the first scan using MBAM and SAS with logs from HJT. Please review the attached logs and advise the next steps.

    Thanks in advance.........Gary
  23. mflynn

    mflynn TS Rookie Posts: 2,655


    All looks good. You picked a time before the infection.

    You have residues of Norton below .

    HJT Scan only and remove these below.

    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    Then do the Norton Cleanup post above again.

    And just to be sure do the Combofix and SDFix posts also.

    If they come up clean then do the updates.

  24. gmpederson

    gmpederson TS Enthusiast Topic Starter Posts: 47

    Okay Mike...Eliminated the HJT items. Just to be sure please issue the Norton removal instructions again. This is where things went deep south before. I want to be sure I understand what is next. Also, not sure what SDFix is,,,can you clarfy?

  25. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Gary

    Sorry late getting back been busy at work and out of office a lot the past 3 days.

    OK reference to SDFix was for another person. So forget that for now.

    After all we have done and after restoring it behooves me to ask that you scan once more to be sure.

    1. Update combofix run and post log.
    2. Update mbam run and post log.
    3. Update SAS run and post log.
    Last new HJT log.

    I think you are OK but lets be sure. Take your time scan when you go to work bed or etc.

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...