My PC woke up with the "Google Redirect" social disease. Ran 8 steps twice. Now what?

By Rwolf01 · 28 replies
Nov 26, 2009
  1. Happy Thanksgiving, and a sincere thank you for your kind assistance...

    Here are the details of my system:

    Dell Dimension 8300. (3GHz P4, 2.5GB RAM)
    WD1200 SATA system disk and mirrored WD5000 SATA data disks
    XP Home (SP3 w/ latest updates)
    TrendMicro Office Scan. (current)
    IE 8.0.6001.18702

    My Most Recent Cleaning Activity:

    1: Full Scan With Trend Micro Office Scan (nothing new found)
    2: Ccleaner (including prefetch files)
    3: Killed TrendMicro's ntrtscan, ofcpfwsvc, pccntmon & tmlisten processes.
    (Office Scan wants a password I don't have to unload, so this is the next best thing)
    4: Ran MalwareBytes (log attached)
    5: Ran SuperAntiSpyware (log attached)
    6: Reconfirmed Java is current
    7: Ran Hijack This (log attached)

    Note: These scans find nothing new, but earlier runs did remove some suspect items. I have temporarily disabled TrendMicro's OfcDog.exe to avoid nuisance hits in SAS.

    I eagerly await your wise counsel.

    Best Regards,

  2. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Just to be clear, the redirect problem persists even after the standard scans were run.

    I've looked through older logs where Tmagic650, Bobbye, Kritius & others helped similarly afflicted people. To save them time, I plan to run the ESET and Kaspersky Online Scanners (but not ComboFix) and post the logs.

    I've also backed everything up, just in case things get worse...

    Standing by,

    - Rwolf
  3. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Logs from Kaspersky & ESET Online Scanners

    Here are the logs. Looks like some dubious attachments to old emails, but they are very unlikely to ever get opened, so they are probably not active.

    I just reconfirmed that the search link redirect hack is still active.

    Any advice?

    Hope you had a good Thanksgiving.

    - Rwolf
  4. kritius

    kritius TS Guru Posts: 2,084

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.
  5. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Here's what happened.

    Thanks for the prompt reply. I'm documenting from my laptop as I try this...

    random named GMER file downloaded.

    Rebooting directly to safe mode w/o networking. (do it right the 1st time)

    Double clicked on random named file.
    Clicked Run at the security warning.
    GMER window pops up and starts scanning.
    Found a "suspicious modification" of atapi.sys!

    Enabled scanning of my data disk, as well as the system disk, and clicked SCAN.
    10 seconds into the scan I blue screen:

    "A problem has been detected and windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: kxtdrpod.sys. An attempt was made to write to read-only memory.
    Technical information:
    *** STOP: 0x000000BE (0xF747E078, 0X0AB76161, 0XBAFE3B38, 0x0000000B)
    *** kxtdrpod.sys - Address BA6D59DB base at BA6CA000, Datestamp 4b07cc32)"

    I eagerly await further advice. In the meantime, I will attempt to find an appropriate atapi.sys file from another machine and manually replace the modified one.

    - RWOLF
  6. kritius

    kritius TS Guru Posts: 2,084

    Do this in normal mode.

    Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  7. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Sorry for the delay in replying. I got an unmodified atapi.sys, but when I attempted to rename the suspect one, it would succeed, but the unnamed file would reappear before I could copy over the unmolested file!

    Seems like the malware is guarding that file to prevent it from being removed...

    Bounced into command line safemode & I could rename the file. Copied over the unmolested atapi.sys. COMP said they were different. Set the unhacked driver file to be read only.

    Bouncing back into normal mode to check if the good version is still there...
    It lives on, at least for now...

    Killed monitoring programs & network connection.
    Retrying GMER to see if it still bluescreens. Yup, it does.

    Reboot. atapi.sys still the good one.
    Starting ComboFix as instructed:
    monitor SW killed
    combofix started... Accepted disclaimer... Installing Recovery Console... (network reactivated)
    Scanning. Stage 1, stage 2, stage 3, 4, 5, 6, 6A, 7... 33,41,48... preparing log report.
    Note: At this point the entire desktop is black, and only the combofix console window exists.
    Log file appears and the desktop returns.
    Log file will be attached in next posting.
  8. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    ComboFix log file.

    Should be attached.

    Note: Internet Explorer 8 has started doing a funny thing. In some situations it will go berserk and start loading multiple copies, as fast as it can spawn them, until there are dozens of IE windows filling the screen and task bar.

    Not sure if that is related or not. Think I'll rerun the 8 basic steps...
  9. kritius

    kritius TS Guru Posts: 2,084

    OK, let's not try to get ahead of ourselves and potentially mess things up.

    Follow my instructions and we will sort you out.

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under the Custom Scan box paste this in


    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy both of these files with your next reply.
  10. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Aye Aye C'ptn.

    I ran Trend Micro, CCleaner and MWB before I got your message. Nothing unusual found.

    Disabled all real time monitoring.

    OTL download gives me an "Unsafe Download Security Warning". Looks like it's from Windows Security Center. (captured it as a GIF, let me know if you want to see it)

    Took a leap of faith and downloaded anyway.

    OTL starts. Closed all others. Setup as instructed and starting scan.

    Note: Used COMP.EXE from the command line to confirm that the atapi.sys I manually installed is still in place. The molested version of atapi.sys has been renamed to atapi.sys.spooky.

    Scan completes. Will upload files in next post.
  11. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Requested Files

    Standing by for further instructions.

    - Rwolf
  12. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Redirects fixed! Are we done?

    I almost forgot to check, but now that the atapi.sys file has been restored, the redirects seem to have disappeared.

    The symptoms have resolved... does that mean I'm fully cured?

    If not, why not?

    - Rwolf
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Can you please attach your new current Atapi.sys file
    It should be version: 5.1.2600.5512 (For Windows XP)
  14. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Oops. Still redirecting after all.

    I got one or two searches that went through and thought I was cured, but it's still hacked. I rechecked the atapi.sys and it still appears to be the good one, so there is something else going on.

    As requested, I am uploading the currently installed atapi.sys from C:\windows\system32\drivers.

    I am also attaching the suspect file, which I renamed to a harmless extension, in case someone better than me wants to do forensics on it. (it should NOT be installed, unless you plan to wipe your system afterwards!)

    Note: I get an upload error "Invalid File" when I try to attach. I'm guessing driver files are not allowed to be posted. Will zip it and try to upload that.

    That worked. Download and open with care.
    These files are from a hacked system!


  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    The suspect file is not genuine
    The new one is

    No malware found in the suspect one though, but I believe replacing it with the current MS one has fixed it
  16. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    But I'm still getting redirects...

    The atapi.sys problem is now fixed, but something else is still going on....

    My earlier post that the problem was resolved was an overly optimistic interpretation of one or two searches that worked.... once I started using the computer again in earnest I quickly found other searches that were getting hijacked.

    Any advice on how to proceed would be much appreciated...

    At what point does "FORMAT C:" become the right answer? :)
  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,523
    You cannot Format C, as the filesystem is on it
    You must always remove the partition for clean installs (not Format)

    Please wait for kritius support, I have not followed this thread in full
  18. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    It was just a metaphor... I could have just as easily said "rm -rf" but that would be showing my age... :)

    But I'll await captain's orders on whether to forge ahead with salvaging this install or wipe the system disk and rebuild windows. (and all the applications... blerg!)

    Still hoping for a magic bullet!

    - Rwolf
  19. kritius

    kritius TS Guru Posts: 2,084

    Can you attach the screenshot? I would say that atapi.sys is still infected; this infection has a habit of showing virus scanners what they want to see.

    Also, I believe I have what I need to continue.

    Print out these instructions to use while in the Recovery Console:

    1. Restart your computer.
    2. Before Windows loads, you will be prompted to choose which Operating System to start.
    3. Use the up and down arrow key to select Microsoft Windows Recovery Console
    4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
    5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter'(note the spaces):

    cd system32\drivers
    ren atapi.sys atapi.sys.vir
    copy c:\windows\system32\dllcache\atapi.sys c:\windows\system32\drivers

    6. Type y to the prompt and press 'Enter'.

    7. Type exit and press 'Enter'. Your computer should reboot.

    Reboot into Normal mode and run ComboFix and post the log here.
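    An added example (not from this thread or any of the tools it names) that automates the check Rwolf did by hand with COMP.EXE and kimsland did by version number: it hashes atapi.sys against the dllcache copy and reports the file version and Authenticode status. It assumes default XP paths and PowerShell being available; as kritius notes above, an active rootkit can show a clean copy to anything running in normal mode, so treat a "match" from a live boot as weaker evidence than a GMER or Recovery Console check.

```powershell
# Added example, not the thread's own procedure. Verifies the installed atapi.sys
# against the dllcache copy (the source kritius restores from) and reports version
# and signature. Paths assume a default XP layout under $env:SystemRoot.
$SystemRoot   = $env:SystemRoot                        # normally C:\WINDOWS
$Driver       = Join-Path $SystemRoot 'system32\drivers\atapi.sys'
$CacheCopy    = Join-Path $SystemRoot 'system32\dllcache\atapi.sys'
$KnownVersion = '5.1.2600.5512'                        # XP SP3 version quoted by kimsland

function Get-Sha256Hex([string]$Path) {
    # Use .NET directly so this also runs on PowerShell 2.0, which lacks Get-FileHash.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
}

function Test-DriverFile([string]$Path, [string]$Reference, [string]$ExpectedVersion) {
    $result = New-Object PSObject -Property @{
        Path            = $Path
        FileVersion     = (Get-Item $Path).VersionInfo.FileVersion
        MatchesDllcache = $false
        MatchesVersion  = $false
        # XP system drivers are catalog-signed, so a genuine file commonly reports
        # NotSigned here; a 'Valid' result is a bonus, not a requirement.
        Signature       = (Get-AuthenticodeSignature $Path).Status
    }
    # Byte-for-byte comparison by hash: the same test COMP.EXE performs in the thread.
    $result.MatchesDllcache = (Get-Sha256Hex $Path) -eq (Get-Sha256Hex $Reference)
    # FileVersion on XP reads like '5.1.2600.5512 (xpsp.080413-2108)', so prefix-match.
    $result.MatchesVersion  = $result.FileVersion -like "$ExpectedVersion*"
    return $result
}

$check = Test-DriverFile $Driver $CacheCopy $KnownVersion
$check | Format-List Path, FileVersion, MatchesDllcache, MatchesVersion, Signature
if (-not $check.MatchesDllcache) {
    Write-Warning 'atapi.sys differs from the dllcache copy; compare both against a copy taken from a known-clean machine.'
}
```

    A hash match against dllcache only proves the two copies agree with each other; a hash match against a copy from a clean machine, as Rwolf did, is the stronger check, because the cache copy can be replaced by the same malware.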
  20. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Here's the screen shot & ComboFixLog you requested.

    Kimsland said atapi.sys was genuine. I'm inclined to agree, given that CMD COMP.EXE says the file is identical with one I pulled from an uninfected system.

    I will nevertheless follow your instructions to the letter.

    Rerunning combofix:
    monitor programs killed
    combofix is downloading newer version....
    made system restore point & backed up registry

    Logfile is attached.

    You should know that I've installed a new monitor, keyboard and mouse so some driver files will have legitimately changed within the last 48 hours...

    I did 1/2 a dozen google searches after ComboFix finished and did not notice any redirects. Will continue exercising the system before declaring victory.

    Standing by for further instructions....

    Thanks again for your assistance and persistence!

    - Rwolf
  21. kritius

    kritius TS Guru Posts: 2,084

    Run GMER again and post the log.

    Need to check on something.
  22. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    GMERlog from full scan of C: and D:

    I eagerly await your verdict...

    - Rwolf
  23. kritius

    kritius TS Guru Posts: 2,084

    That looks OK; my earlier post about atapi.sys still being infected was in reference to the above post.

    However, GMER showed no more modifications.

    Post a fresh OTL log for me.
  24. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    OTL log attached.

    Fair enough.

    I've done a few more searches now, so my confidence that we've exorcised the daemons is increasing... (pun intended :)

    The OTL log is attached. Absent other instructions I ran it as follows:

    Kill the usual monitoring programs
    close all windows
    Minimal output, +LOP check +Purity Check
    \\ No extras
    Run Scan

    Incidentally, one of the things I googled was OTL. It turns out to be a Korean emoticon for failure and despair. (view it as the side view of a stick figure. He is on hands and knees, hanging his head...)

    Ironic, given that we appear to be close to victory...

    Thanks again for your help!

    - Rwolf
  25. kritius

    kritius TS Guru Posts: 2,084

    Your logs are clean as far as I can see.

    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.
    Upgrading Java:
    • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 16.
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Make sure the C:\Program Files\JAVA folder is removed.
    • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")
Topic Status:
Not open for further replies.