google redirect

Discussion in 'Malware Help (A Specialist Will Reply)' started by renny, Dec 16, 2009.

  1. renny

    renny Private E-2

    Not all, but 1/5 (just a guess) of the links I open in Google are redirected to a website that Avast says is a virus, so it aborts the connection. I've done all the stuff it says to do, tried GooredFix, still no luck. Done Avast, MBAM, SUPERAntiSpyware and Spybot Search and Destroy 3 times each; each says I've found a few viruses, but I'm still getting the problem. I'm not that good with computers, just to let you know.
    As you know ComboFix is down so I can't use that to get a log.

    Thanks in advance.
     


  2. renny

    renny Private E-2

    I've been looking at other posts and I saw a few asking for GooredFix, so here's the log. I don't think it's working right: the command box pops up then closes and a window pops up asking if I want to scan and fix or exit.
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we start:

    Please put this machine into normal start up mode if you haven't done so already by using MSConfig.

    Please ensure that MGTools.exe is indeed sitting right on your c drive and not anywhere else like below:

    C:\Users\Renny\Desktop\MGtools.exe


    1. GMER's MBR.exe
    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Attach this log to your next message.

    Now delete the current mbr.log file and then run the below instructions.
    Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK. You must copy and paste or type in this exactly. The quotes must be exactly as shown and there is a space before the -f
    Code:
    
         "%userprofile%\desktop\mbr.exe" -f
    
    Now double click on the mbr.exe file and attach the new mbr.log


    2.
    • Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive called "TDSSKiller.txt" please attach this log to your next reply.
     
    Last edited: Dec 19, 2009
  4. renny

    renny Private E-2

    Ok, here's the logs you asked for, but I got a bit lost on the MBR logs. You wanted 3, right? log1 is just double clicking it, log2 is from using Run and log3 is after using Run, just double clicking it again.
    I moved MGtools to C:\
    Thanks for the help.
    Sorry for being so late.
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. And how is the machine behaving now?

    2. Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    3. Run the new MGTools.exe and attach the C:\Mglogs.zip into your next reply here.
     
  6. renny

    renny Private E-2

    It's looking good, just did 40 or so links and none got redirected.
    Thanks for the help, here's the log.
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. I see you ran combofix on the 19th of December; the log from this exists on your C drive. I would like to take a look at that if you do not mind. Attach it into your next reply please.

    2. Download the MBR Rootkit Detector to your desktop.

    • Doubleclick mbr.exe and follow prompts.
    • A black DOS window will quickly appear then disappear.
    • When mbr.exe is finished it will create a log on your desktop.
    • Copy and paste contents of that log file to your next reply.

    3. Delete the following folder from the beta version of combofix also on your c drive:

    C:\KittyFix

    4. Now download the current non beta version of combofix

    5. Run it as per the instructions in the below link and attach the log it generates into your next reply here.

    Vista Cleaning Procedure

    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix. And attach the log from running the combofix beta, and the log from MBR Rootkit Detector.

    7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now! :)

    Thanks
    Kes13!
     
  8. renny

    renny Private E-2

    I think you've done it, there aren't any more redirections.
    I'll keep going to random Google links to see if I still have it, but it's looking good :-D
    There's the logs you asked for, but when you said ComboFix is out of beta, the notification pops up saying it's still in beta; just thought I would let you know.
    Thanks again.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi :)

    Did you do my step #2 post #7? If so please attach the log from doing so.
     
  10. renny

    renny Private E-2

    Ahh sorry, I did it, it just didn't upload. I tried just then and it said
    upload errors
    mbr.log:
    You have already attached this file in thread : google redirect

    It's a small log so I'll just put it in code.
    Code:
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
    
    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK 
    
    Thanks again
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Almost there just a little way to go :)

    1. We need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    FCopy::
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=-
    "DisableTaskMgr"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    2. Could you please get this: tsk_atapi.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to Start > Run and paste in the following: be sure to scroll all the way across the code box

    Code:
    %systemdrive%\MGTools\zip "%systemdrive%\collect.zip" c:\windows\system32\drivers\tsk_atapi.sys
    log retrievable @ C:\collect.zip

    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix. and the C:\collect.zip

    4. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    Thanks
    Kes13!
     
  12. renny

    renny Private E-2

    Here you go.
    It seems like you've got rid of the redirection virus; done 100 or so random Google links and none have been redirected, but if you see otherwise let's keep going. Just followed your instructions and all worked easy.
    I just did a Google search of tsk_atapi.sys and it looks like it's part of the redirection virus.
    Thanks again
     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi ya. Let's see what Jotti says about it.

    Please go to Jotti's malware scan

    (If more than one file needs to be scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\system32\drivers\tsk_atapi.sys
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
     
  14. renny

    renny Private E-2

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome :)

    edit: do not use my last CF script that I just deleted from this post. I need to speak to chaslang. Thanks
    If you already ran it let me know.
     
    Last edited: Dec 21, 2009
  16. renny

    renny Private E-2

    Nah, I didn't see it. Thanks for all the help, hope I don't have to come back :)
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I won't keep you waiting long, but I really would rather ask Chas about that file we uploaded to jotti for scanning before I have you do anything with it.
    Thanks for your patience.

    Kes13!
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The file is just something from TDSSKiller :)

    You can safely delete it:
    Your logs are clean!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  19. renny

    renny Private E-2

    Well I deleted C:\Windows\system32\Drivers\tsk_atapi.sys and went to make a new restore point, but now I can't turn my computer on, but I can get to cmd. I don't have any restore points to restore to. Windows Repair says that it's used for boot and says it's corrupt. I can also use some restore with an image but I don't have any images.
    Hope you can help with this.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume you have already uninstalled MGtools? Is the collect.zip file still in your root folder? Also, after deleting the tsk_atapi.sys file, had you emptied the Recycle Bin? If not, perhaps there is a way to copy the file out.
     
  21. renny

    renny Private E-2

    Yeah, I deleted MGtools. tsk_atapi.sys, I think it may still be in the bin. I got rid of collect.zip as well.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From the command prompt enter the below black bold print commands. The purple text is informational and questions

    cd C:\$*

    There is a space after the cd. And yes, that is a slash, dollar sign followed by an asterisk. Does the prompt change to C:\$Recycle.Bin>?
    If yes, do the below.

    dir /s

    Do you see a list of folders and files and does one of them end with a .SYS and is it 21,584 bytes in size? If yes, what is the filename and what folder is it in?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Darn!!! I forgot you had Vista. Vista compresses the files into the Recycle bin so it will not be 21,584 bytes. It will be something like 544 and it will be a random name followed by the .sys and it should have the date from yesterday ( 12/21/2009) when you did the delete.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry!!! It seems that Vista actually creates two files for each one deleted. So one of the .sys files will be 544 bytes and the other will still be 21,584 bytes, which is the one we want.
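    The two files per deletion that chaslang describes are the Vista/7 Recycle Bin layout: a 544-byte $I metadata record (original path, original size, deletion time) sits beside a $R file holding the deleted content. The Python below is an added example, not code from this thread or from any tool mentioned in it; it parses constructed $I records (the $IGTPOEL.sys name, the 21,584-byte size and the deletion date are modelled on chaslang's assumed example, and the $IQ3X7K1.txt orphan is made up) and pairs each with its $R companion, also handling the variable-length version-2 record used by Windows 10.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_RECORD_SIZE = 544  # 8-byte version + 8-byte size + 8-byte FILETIME + 520-byte UTF-16LE path


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10


def parse_dollar_i(data):
    """Decode one $I record. Version 1 (Vista/7) is a fixed 544 bytes; version 2
    (Windows 10) stores a 4-byte character count followed by a variable-length path."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte $I header")
    version, original_size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) != V1_RECORD_SIZE:
            raise ValueError(f"v1 $I record must be {V1_RECORD_SIZE} bytes, got {len(data)}")
        path = data[24:].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("v2 $I record is truncated")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "original_size": original_size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i_v1(original_path, original_size, deleted_at):
    """Build a version-1 $I record; used here only to construct sample input."""
    encoded = original_path.encode("utf-16-le")
    if len(encoded) > 520:
        raise ValueError("path too long for a v1 record")
    header = struct.pack("<QQQ", 1, original_size, datetime_to_filetime(deleted_at))
    return header + encoded.ljust(520, b"\x00")


def pair_recycle_bin_entries(entries):
    """entries: {filename: bytes} for one SID folder under $Recycle.Bin. Returns a row per
    $I record with its $R companion (None if purged) and whether the $R length matches."""
    rows = []
    for name, data in sorted(entries.items()):
        if not name.startswith("$I"):
            continue
        row = parse_dollar_i(data)
        r_name = "$R" + name[2:]  # $IGTPOEL.sys -> $RGTPOEL.sys
        payload = entries.get(r_name)
        row["metadata_file"] = name
        row["payload_file"] = r_name if payload is not None else None
        row["size_matches"] = payload is not None and len(payload) == row["original_size"]
        rows.append(row)
    return rows


# Constructed sample: the deleted driver discussed in this thread plus an orphaned
# $I record whose $R payload is already gone. Names, bytes and times are made up.
SAMPLE_DELETED_AT = datetime(2009, 12, 21, 20, 5, 0, tzinfo=timezone.utc)
SAMPLE_BIN = {
    "$IGTPOEL.sys": build_dollar_i_v1(r"C:\Windows\System32\drivers\tsk_atapi.sys",
                                      21584, SAMPLE_DELETED_AT),
    "$RGTPOEL.sys": b"\x00" * 21584,  # stand-in payload bytes of the recorded length
    "$IQ3X7K1.txt": build_dollar_i_v1(r"C:\Users\Renny\Desktop\notes.txt", 12, SAMPLE_DELETED_AT),
}

if __name__ == "__main__":
    for row in pair_recycle_bin_entries(SAMPLE_BIN):
        print(row)
```

    A row whose payload_file is present and size_matches is true is the $R file a `copy` back to its original_path would restore; a row with payload_file None is metadata left behind after the content was purged.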
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you have not answered for over 30 minutes I will have to assume you have gone offline or you had a problem.
     
  26. renny

    renny Private E-2

    Ok, I just did what you said but

    cd C:\$*
    nothing happens

    dir /s
    lists lots of files
    650 dir(s)
    2500 files
    but will only show 200 lines in cmd and none of those files are .sys
     
  27. renny

    renny Private E-2

    I have to go to my mate's house to reply, so I'm taking a bit.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah!! How far is this?

    Since there are so many files in the Recycle Bin, it would seem likely that you have not emptied it in a while and I would expect the file to be there. There should be folders for each user and the one with the most recent date is where I would expect to find the file. Try the below.

    First get back to the C:\$Recycle.Bin folder if not still at that prompt. Then enter the below command which should show some folder names:

    dir /as

    This should show some folder names like S-1-5-21-xxxxx....etc where the xxxxx is variable. Find the one with the most current date and tell me what the first 8 characters of the xxxxxx area are.

    What you will be trying to do is a cd into this folder and a command like the below would do this. The * allows you to not have to type in the full folder name which is very long. You just need enough xxxxx characters to distinguish the correct folder name from others. Obviously the xxxxx has to be substituted with the correct numbers.

    cd S-1-5-21-xxxxx*

    Once you get into this next level folder, your prompt will now change to show it. Like C:\$Recycle.Bin\S-1-5-21-xxxxx >

    Then you can do the below command to see only sys files:

    dir *.sys


     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And I'm betting that your Recycle bin folder for your user account would be the below

    C:\$Recycle.bin\S-1-5-21-720296051-3918678802-2006979960-1001


    And something else just occurred to me that may work since it is a command prompt! At the C:\$Recycle.bin> prompt. Just type the below.

    dir /s *.sys

    This may show the correct 21,584 byte .sys file
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since it takes you a long time to go back and forth from your house to your friend's, I will try to stay ahead of you and give you what may be the next steps. Also if this does not work out tonight, perhaps it would be easier to just bring your PC to your friend's house to work through steps like this. I could save a bunch of time.

    NEXT POSSIBLE STEPS,

    If my assumptions are correct about your account's Recycle bin folder name and you locate the .sys file then the below copy command should be able to restore the file:

    copy C:\$Recycle.bin\S-1-5-21-720296051-3918678802-2006979960-1001\$RGTPOEL.sys c:\windows\system32\drivers\tsk_atapi.sys

    You should get a 1 file(s) copied message if it gets copied. Note that I just assumed a filename ( the $RGTPOEL.sys ) yours will be different but the file size should be 21,584 bytes and the date should be from when you deleted it.

    Then you need to do the below to verify you really got it copied to the correct folder with the correct file name.

    dir c:\windows\system32\drivers\tsk_atapi.sys

    Does it show up? If yes, then see if you can reboot normally.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will have to continue later since it is heading towards 3 AM my time and I need some sleep.

    See how far you can get with my previous messages.
     
  32. renny

    renny Private E-2

    I think I deleted tsk_atapi.sys and in cmd I can't get to the recycle bin folder.
    I tried some of my own like dir c:\$recycle.bin *.sys but it says it's empty.
    dir c:\windows32\drivers *.sys didn't find tsk_atapi.sys
    dir c:\windows32\drivers tsk_atapi.sys nothing found

    I have an idea: if I plug my hard drive into another computer and download collection.zip off this site and put it in myself. But I don't want to take my comp apart unless I have to. I had a quick look at taking it out; it looks easy, but the power cord goes directly into the PSU.
    Thanks for all the help.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are not the commands I gave which is why they are not showing anything. In fact they are not even valid commands. You have to enter the commands exactly as I gave them. You first have to change directories into the c:\$recycle.bin folder like I previously instructed you using

    cd c:\$recycle.bin

    The prompt would then change to c:\$Recycle.bin> and now you could just do the below command.

    dir /s *.sys

    This would show all .sys files in all folders under the $recycle.bin folder.
    Once you find the correct file name, you can substitute it into the command below which was what I gave in my last message last night:

    copy C:\$Recycle.bin\S-1-5-21-720296051-3918678802-2006979960-1001\$RGTPOEL.sys c:\windows\system32\drivers\tsk_atapi.sys

    Then you would do the below to see if really copied. Notice the exact command!!!!!! There is another \ before the tsk_atapi.sys which you did not enter in your above stated examples.

    dir c:\windows\system32\drivers\tsk_atapi.sys

    You can do this if you wish but it would only be necessary if you cannot find the file. Since you have not run the commands properly yet, we don't know if the file is there or not. Also note that you would have to download the collection.zip file to your friend's computer and then extract the tsk_atapi.sys file from the collection.zip file. Then you would have to copy or move the tsk_atapi.sys file into the x:\windows\system32\drivers folder. I say x: because the drive letter of your hard disk slaved in another computer would not be the C drive. It would be the next available drive letter so it could be anything.
     
  34. renny

    renny Private E-2

    cd c:\$recycle.bin won't change the directories; all that happens is

    so I tried changing the directories to something else. I tried c: as a test and I get
    so I don't know if that's doing anything.
    x:\windows32\system> may not be right but you get the idea.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If x is your drive letter then you need to replace the c with x. Thus, cd x:\$recycle.bin

    But I would expect it to be drive c not x
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just checked back thru your logs. Apparently you are using Windows 7 not Windows Vista. There could be major differences to the file system just like Vista changed from XP. Thus I'm not exactly sure what it calls the Recycle Bin now. However if you first just change to the root ( the highest level folder ) using the below:

    cd \

    The prompt should change to c:\> assuming drive c
    Then run the below command to see system folders

    dir /as

    This should list all the system folders. One of them should be the Recycle Bin so we can see what it is named. In Vista you would see the $Recycle.Bin folder spelled exactly like this. You would see a <DIR> to the left of it. The <DIR> means directory which is the same as a folder.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you still have to go to your friend's house to communicate, you should pack up your PC and take it there or you should try to borrow a PC to use to work this out. It is taking too long for us to communicate this way. And if I don't notice you online, you would be waiting 2 to 3 days in normal queue time just to get one reply from me every time I need to reply.

    The other alternative which could prove faster for you if you can do it, is to remove the hard disk and get the file copied back properly using another PC with your hard disk mounted as a slave.
     
  38. renny

    renny Private E-2

    My drive is c but it says x in the cmd, and yes, I have Windows 7. I'll try post #36; if that doesn't work I think I'll just take my HD out.
    Thanks for all the help.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the command prompt window is really showing x:\windows\system32> for your prompt and not c:\windows\system32> then you need to use x wherever I used c.
     
  40. renny

    renny Private E-2

    Ok, I've got it to work by taking my HD out and putting it in my mate's computer.
    Thanks for all the help.
    Turns out that it is all still in the bin. :cry
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Okay so is your computer booting up okay now?
     
  42. renny

    renny Private E-2

    Yep, I got it to work fine now. Took an hour of fiddling around to get the HD out but got there in the end.
    Works fine now, no sign of the virus as well.
    Thanks for all the help.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
