Google redirect, spyware/malware problem


gman123

Google redirects me to different unwanted pages such as eBay and connectcurrent. This has only started recently. I have attached the logs from Malwarebytes' Anti-Malware, SuperAntiSpyware and HijackThis. I would appreciate any help or advice. Cheers.
 

Attachments

  • hijackthis log.txt
  • mbam-log-2009-01-26 (20-16-14).txt
Has anyone got any ideas? It's pretty annoying, as I think my computer is going slower as well. Cheers.
 
Hi gman123

Sorry you got overlooked. Here you go!

Run HJT, Scan only, then select and remove the entry below:
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat

You ran MBAM but exited without deleting the malware it found, as evidenced by the "No Action taken" in the log.

So UPDATE MBAM and do a FULL scan; this time remove the found items.

UPDATE SAS also, run another Quick scan, and select and remove the tracking cookies.

Post both logs.

Mike
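Added example, not from this thread and not HijackThis code: a small Python triage script that reads HijackThis-style log lines and flags the entry types that most often carry a search redirector (AppInit_DLLs, unnamed or system32-resident BHOs, driver services with file-name-style names, hosts and DNS overrides). The log text in the script is constructed; only the O20 line is the one quoted in this post, and the other file names and the CLSID come from the cleanup script later in the thread. The placeholder GUIDs, the benign entries and the scoring rules are the example's own assumptions, not anything HijackThis does.

```python
"""Triage HijackThis (HJT) log lines for search-redirect persistence points.

Added example; not part of this thread and not HijackThis code. The log
text is constructed for the example and the scoring rules are this
example's own heuristics.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log. The O20 line is the one quoted in the thread; the
# winsrc.dll BHO, ieupdates.exe and gaopdx service names appear in the
# thread's later cleanup script. Placeholder GUIDs mark the benign entries.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Reader\ActiveX\IEHelper.dll
O2 - BHO: (no name) - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O4 - HKLM\..\Run: [ieupdate] C:\WINDOWS\system32\ieupdates.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 203.0.113.10,203.0.113.11
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O23 - Service: gaopdxserv.sys - Unknown owner - C:\WINDOWS\system32\drivers\gaopdxqfotrruc.sys
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
"""

HJT_ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
SYSTEM32 = "\\system32\\"  # substring test on lower-cased paths


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section code, body) for every 'Onn - ...' line; skip the header."""
    entries = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Score entries; 'high' first, then 'review'. Entries matching no rule are dropped."""
    findings: List[Dict[str, str]] = []

    def flag(severity: str, code: str, body: str, why: str) -> None:
        findings.append({"severity": severity, "code": code, "entry": body, "reason": why})

    for code, body in entries:
        low = body.lower()
        if code == "O1":
            flag("high", code, body, "hosts-file override: a redirector can point search or update domains anywhere")
        elif code == "O2":
            path = low.rsplit(" - ", 1)[-1]
            if "(no name)" in low or SYSTEM32 in path:
                flag("high", code, body, "unnamed or system32-resident BHO: it loads into every IE process and can rewrite result links")
        elif code == "O4":
            target = low.split("]", 1)[-1].strip()
            if SYSTEM32 in target:
                flag("review", code, body, "autorun launching from system32: confirm the file is a known Microsoft binary")
        elif code == "O17":
            flag("high", code, body, "DNS server override: every lookup goes through the attacker's resolver")
        elif code == "O20":
            value = low.partition(":")[2].strip()  # empty AppInit_DLLs is the normal state
            if value:
                flag("high", code, body, "AppInit_DLLs is mapped into every process that loads user32.dll; a classic redirector hook")
        elif code == "O23":
            parts = body[len("Service: "):].split(" - ")
            if len(parts) < 3:
                continue
            name, owner, path = parts[0], parts[1], parts[-1]
            if name.lower().endswith(".sys") or (owner == "Unknown owner" and path.lower().endswith(".sys")):
                flag("high", code, body, "driver service with a file-name-style name or no owner: the TDSS/gaopdx family registers this way")

    rank = {"high": 0, "review": 1}
    findings.sort(key=lambda f: rank[f["severity"]])  # stable sort keeps log order within a tier
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"[{f['severity']:6}] {f['code']:<4} {f['entry']}\n         {f['reason']}")
```

Run it against a real HJT log by replacing SAMPLE_HJT_LOG with the file's contents. The O4 rule is deliberately only "review": plenty of legitimate autoruns live in system32, so that tier is a prompt to check the file, not a verdict.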
 
OK, looks good, but do the below!

Update, then run a SAS Quick scan and put a check to remove the tracking cookies.

Then

Click Preferences-Repairs
Then, counting down from the top, do the following entries:
Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

Reboot, then test for Google redirecting! Let me know!

Give me a status report on how the computer is running.

Mike
 
Thanks Mike.
I made the repairs and carried out a further scan, to which I've added the log. My homepage on the internet has changed to MSN and the Google redirecting is still occurring. For example, if I search for any common internet search, the results are described as the page I require but the links send me to BlinkX search and other links.
Cheers for your help.
 
OK, for the last few days it has taken SDFix and ComboFix to get completely clean, so why should you be an exception?

They don't take nearly as long to do.

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop
Open My Computer, then double-click the C: drive to open it.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click RunThis.bat. Type Y to begin.

SDFix does its job.

When prompted, hit the Enter key to restart the computer.

Your computer will reboot.

On the normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
Cheers Mike.
I ran SDFix and have enclosed the log. I also ran HijackThis again and enclosed the log. I was not able to install ComboFix, as each time I tried my antivirus software detected a trojan horse and I got a message from Internet Explorer.
 
Just as I thought! More.

Right-click and disable the virus scanner to run ComboFix.

If that doesn't work...

Boot to Safe Mode and run ComboFix, as it will find more based on what SDFix found.

Mike
 
OK looks good.

Get me another fresh HJT log.

Get me a status report on the original problem and on how the computer is now running in general.

Mike
 
Same redirecting issues as before. This happens on all search engines. The computer in general is a bit slow but otherwise OK. All of my anti-spyware and antivirus programs were temporarily disabled for the ComboFix scan. Shall I enable them again now? I have enclosed the requested HijackThis log.
Cheers
 
OK

Boot to Safe Mode and do all below.

Left-drag the mouse and copy, for pasting, all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste into the black screen of an open command prompt. All may not apply, so ignore errors.
Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

:: TDSS rootkit: the sc commands first stop, then delete, the service if it exists
sc stop TDSSserv.sys
sc delete TDSSserv.sys
::
:: reg unload only detaches hives attached with "reg load", so these two
:: lines will normally just report an error; that error can be ignored.
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::
:: The next two lines first clear the protective attributes, then delete
:: every file on the drive whose name begins with tdss (recursive from C:\
:: because of the cd\ above)
attrib -h -s -r tdss*.* /s
del tdss*.* /f /q /s

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s /q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

:: Paths containing a space must be quoted or cmd splits them at the space
attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del "c:\program files\xwdxqu.txt" /f /q
del c:\windows\x /f /q
del c:\windows\SxsCaPendDel /f /q

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop WinSvchostManager
sc delete WinSvchostManager

sc stop ntndis
sc delete ntndis

attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"

del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del /f /q "c:\program files\Common Files\System\u_lehj32.dll"

attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"

del /f /q "C:\WINDOWS\system32\svcprs32.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
:: /v names the single value to remove from the Run key; without it reg
:: delete would try to remove the whole Run key
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
exit
exit

This is a cover-all and may give errors as it tries to delete/stop certain malware files etc. that you do not have. This is no problem. The process should run, then exit back to the desktop.

Reboot and test for the problem.

Mike
 
"Then paste to the black screen of an open command prompt"????
Sorry, what do you mean by this? Also, will I have to copy and paste the commands to a Word document before I reboot in Safe Mode? Doesn't it stop you using the internet?
 
No!

Copy only the text inside the box!

Command prompt:
Start-Run
type
cmd
click OK

The command prompt opens.

Paste at the C:\ prompt.

Mike
 
I think I have done what you requested. I booted to Safe Mode and copied the text from the box into the command prompt. It didn't exit back onto the desktop when it was done though. It said, a few lines up from the last lines of text, "the operation completed successfully". Then nothing happened, so I closed the command prompt and rebooted. The redirecting problems are still there, unfortunately.
Cheers
 
OK, go back to post #5 above and do it again.

Make sure to update SAS first.

I have edited it, and the other things we have run have affected it.

Mike
 
Thanks for your help and I'm sorry for the hassle. I did post 5 again and rebooted, but I'm still having the redirecting problems.
 
OK, no problem, some of these can be stubborn but we will get it!

Left-drag the mouse and copy, for pasting, all the text in the box below.
Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
Then paste into the black screen of an open command prompt.
Code:
@echo off
:: Save the current IP settings to the Desktop
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.txt"
netsh interface ip delete arpcache
ipconfig /flushdns
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
nbtstat -RR
:: Save a log of the current Winsock catalog (LSPs) before the reset
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
:: Reset Winsock
netsh winsock reset catalog
:: Append the catalog after the reset to the same log
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
:: Reset the TCP/IP stack; netsh writes its own log to the file named here
:: (on XP the log-file argument is required)
netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"
exit
exit

Reboot, see the new icons on the desktop, and paste the contents of lsp.txt and tcpreset.txt back to the thread.

And a new status!
Mike
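Added example, not from this thread: the lsp.txt that the script above leaves on the desktop holds the Winsock catalog before and after the reset, and the point of the reset is to drop any layered service provider (LSP) a redirector wedged into the TCP/IP chain. This Python script parses that `netsh winsock show catalog` output, flags entries whose provider DLL is not a stock Microsoft one, and reports which providers the reset removed. The catalog text is constructed to resemble XP-era netsh output (the field names are assumed from memory), the allowlist of Microsoft provider DLLs is a starting point rather than an authoritative list, the placeholder GUIDs are made up, and the u_lehj32.dll path is the one the earlier cleanup script deletes.

```python
"""Parse 'netsh winsock show catalog' output and flag third-party LSPs.

Added example; not part of this thread. The catalog text is constructed
to resemble XP-era netsh output (the field names are assumed from memory)
and the provider allowlist is a starting point, not an authoritative list.
"""
import re
from typing import Dict, List, Tuple

# DLLs behind the stock XP/2003 catalog entries (assumption; extend per OS)
KNOWN_MS_PROVIDERS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

# Constructed entries. The u_lehj32.dll path is the one the thread's cleanup
# script deletes; the GUIDs on those entries are placeholders.
MS_TCPIP_ENTRY = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1
"""
LSP_ENTRIES = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        u_lehj32 layered provider
Provider ID:                        {00000000-0000-0000-0000-0000000000AA}
Provider Path:                      C:\Program Files\Common Files\System\u_lehj32.dll
Catalog Entry ID:                   1040
Version:                            2
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        u_lehj32 over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-0000000000AB}
Provider Path:                      C:\Program Files\Common Files\System\u_lehj32.dll
Catalog Entry ID:                   1041
Version:                            2
Protocol Chain Length:              2
Protocol Chain:                     1040 : 1001
"""
BEFORE_RESET = MS_TCPIP_ENTRY + LSP_ENTRIES  # what lsp.txt holds before the reset
AFTER_RESET = MS_TCPIP_ENTRY                 # what a clean catalog looks like afterwards

FIELD = re.compile(r"^([A-Za-z ]+):\s+(.*)$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the netsh dump into one dict of 'Field: value' pairs per entry."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
        elif current is not None:
            m = FIELD.match(line.strip())
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return entries


def normalize(path: str) -> str:
    """Lower-case and expand %SystemRoot% so paths compare reliably."""
    return path.lower().replace("%systemroot%", r"c:\windows")


def suspicious(entry: Dict[str, str]) -> str:
    """Reason the entry deserves a look, or '' if it looks like a stock provider."""
    path = entry.get("Provider Path", "")
    norm = normalize(path)
    dll = norm.rsplit("\\", 1)[-1]
    if dll not in KNOWN_MS_PROVIDERS:
        return f"provider DLL {dll} is not a stock Microsoft provider"
    if "\\windows\\system32\\" not in norm:
        return f"stock provider name but loaded from {path}"
    return ""


def flag_lsps(text: str) -> List[Tuple[str, str, str]]:
    """(Catalog Entry ID, Description, reason) for every suspicious entry."""
    out = []
    for e in parse_catalog(text):
        why = suspicious(e)
        if why:
            out.append((e.get("Catalog Entry ID", "?"), e.get("Description", "?"), why))
    return out


def removed_by_reset(before: str, after: str) -> List[str]:
    """Provider DLL paths present before 'netsh winsock reset catalog' but absent after.
    Keyed on path rather than Catalog Entry ID because the reset renumbers entries."""
    after_paths = {normalize(e.get("Provider Path", "")) for e in parse_catalog(after)}
    removed, seen = [], set()
    for e in parse_catalog(before):
        p = normalize(e.get("Provider Path", ""))
        if p not in after_paths and p not in seen:
            seen.add(p)
            removed.append(p)
    return removed


if __name__ == "__main__":
    for cid, desc, why in flag_lsps(BEFORE_RESET):
        print(f"entry {cid}: {desc} -> {why}")
    print("removed by reset:", removed_by_reset(BEFORE_RESET, AFTER_RESET))
```

To use it on the real lsp.txt, split the file at the point where the second `netsh winsock show catalog` output begins and pass the two halves as before and after. A stock-looking DLL name loaded from outside system32 is flagged separately, since dropping a same-named DLL elsewhere is a common way to hide an LSP.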
 
Run CCleaner again, twice or more, on Cleanup temps; then on the left click Registry, then Scan for issues, and also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more are found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The issues can be, and likely are, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "While Cleaning at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all boxes
Then click More Options
Here click System Restore, OK to "Are you sure", and then OK to run.

As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears an area that can contain infested files and take a huge amount of disk space.

It clears what are known as Shadow Copies, which are used by specialized backup programs.

This is if you have the Volume Shadow Copy service running, which is the default.

Download: HostsMan http://majorgeeks.com/HostsMan_d4592.html

Download, install and run it, allow it to disable the DNS Client, select all hosts files, and then Update and install all hosts files.

Reboot and test.

Mike
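Added example, not from this thread and not HostsMan code: before letting a tool overwrite the hosts file, it is worth reading what is already in it, because a hosts entry is the simplest way to send google.com somewhere else and to blackhole the update and download sites the thread has been using. This Python script parses a Windows hosts file and classifies each mapping as a redirect (a watched name pointed at a remote address), a block (an update or vendor name pointed at a local sink) or a non-local mapping to review. The hosts text is constructed, the 203.0.113.0/24 addresses are a documentation range, and the two domain watch-lists are the example's own assumptions chosen to match the symptoms in the thread.

```python
"""Audit a Windows hosts file for redirect and blackhole entries.

Added example; not part of this thread and not HostsMan code. The hosts
text below is constructed, and the two domain watch-lists are assumptions
chosen to match the symptoms in the thread.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains a search redirector typically points at its own servers (assumed list)
SEARCH_DOMAINS = {"google.com", "www.google.com", "search.yahoo.com", "www.bing.com", "search.live.com"}
# Domains malware blackholes so the victim cannot update or fetch removal tools (assumed list)
UPDATE_DOMAINS = {"windowsupdate.microsoft.com", "update.microsoft.com",
                  "www.malwarebytes.org", "www.superantispyware.com"}
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample. 203.0.113.0/24 is a documentation range, not a real redirector.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.google.com google.com    # two names on one line
203.0.113.7     search.yahoo.com
127.0.0.1       www.malwarebytes.org
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       ad.doubleclick.net            # a HostsMan-style ad block: harmless
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) per line; comments and malformed lines are skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])  # first field must be a literal address
        except ValueError:
            continue
        rows.append((fields[0], [h.lower() for h in fields[1:]]))
    return rows


def audit_hosts(text: str) -> List[Dict[str, str]]:
    """Classify each mapping: redirect (watched name -> remote IP), block (update
    name -> local sink) or nonlocal (any other name -> remote IP, worth a look)."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if ip in LOCAL_SINKS:
                if name in UPDATE_DOMAINS:
                    findings.append({"host": name, "ip": ip, "kind": "block"})
            elif name in SEARCH_DOMAINS or name in UPDATE_DOMAINS:
                findings.append({"host": name, "ip": ip, "kind": "redirect"})
            else:
                findings.append({"host": name, "ip": ip, "kind": "nonlocal"})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['kind']:<9} {f['host']:<30} -> {f['ip']}")
```

On a real machine read `%SystemRoot%\system32\drivers\etc\hosts` into audit_hosts. A long list of 127.0.0.1 entries is what HostsMan itself produces and is not flagged; what matters is any name mapped to a remote address, and any update or vendor name mapped to a local sink.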
 
Hi Mike, cheers for the help and sorry about the delay since my last post.
I did everything you asked; however, the redirect issues are still evident. Also, I have noticed that the internet pages expire on secure web pages. I am not sure if this is linked or not.
Thanks, gman123
 
Hi Gman

Update, but do not run, MBAM and SAS! Then unplug the network cable, or turn off the modem and router if you have one.

Now

Left-drag the mouse and copy, for pasting, all the text in the box below.
Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
Then paste into the black screen of an open command prompt.
Code:
@echo off
:: Save the current IP settings to the Desktop
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.txt"
netsh interface ip delete arpcache
ipconfig /flushdns
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
nbtstat -RR
:: Save a log of the current Winsock catalog (LSPs) before the reset
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
:: Reset Winsock
netsh winsock reset catalog
:: Append the catalog after the reset to the same log
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
:: Reset the TCP/IP stack; netsh writes its own log to the file named here
:: (on XP the log-file argument is required)
netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"
exit
exit

Reboot and see the new icons on the desktop. Paste the contents of lsp.txt and tcpreset.txt back to the thread once the cable is plugged back in, but leave it unplugged until the entire procedure is complete, then replug.

Once the above is complete, do the below.

Run SAS (done before, but not with the cable unplugged).
Click Preferences-Repairs
Then, counting down from the top, do the following entries:

Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

Then run a Quick scan with both MBAM and SAS!

Plug up and post the last logs run while unplugged.

In MBAM click Logs and get me the last one; in SAS, Preferences-Statistics/Logs, the last one.

Mike
 
I haven't seen this mentioned.

Do a search in your %systemroot%\system32 directory for wdmaud.sys. If there is one there, delete or rename it. This is a valid file in the %systemroot%\system32\drivers directory, but it shouldn't be in System32. All instances I've found in System32 are the cause of the recent browser redirects in my environment. I had about 4 machines in my network with that problem and deleting that file on the machines in question fixed it.
 
Thanks scriptordie, excellent!

I have had it sometime in the past, but for some other reason, and forgot about it.

Mike
 