Google Redirection and Malware Detection Problem

Do the following:

Start > run > inetcpl.cpl
Internet options opens.

Go to Advanced Tab
Click the Reset... button
Press OK to any prompts
http://www.bunkerhollow.com/blogs/matt/ResetIeSettings.PNG
Click Close.

IE working now?

 

Also, what happens if you go into the command prompt (Start > run > cmd)
and type the following:

ipconfig /release
ipconfig /renew

 

It says: An internal error occurred: The request is not supported.
Correct? (when you type those 2 commands)

Lets use systemlook again:

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :filefind
  ipsec.sys
  tcpip.sys
  ipnat.sys
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
  Note: The log be found on your desktop entitled SystemLook.txt

 

I get an error. Screenshot attached.

 

log file attached

 

can you retry the systemlook steps here http://forums.majorgeeks.com/showpost.php?p=1660231&postcount=53

 

Attached

 

You're not copying the Code: word too are you?

This is all that should be in the text-field:

:filefind
ipsec.sys
tcpip.sys
ipnat.sys


Also, please delete any previous Systemlook.txt on your desktop and try again.

 

I am using the exact 4 lines

:filefind
ipsec.sys
tcpip.sys
ipnat.sys

Also, I made sure I deleted the previous log before running it.

 

Let's try to do this another way.
Make sure OTL.exe is on your desktop before doing this:

• Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
• When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  /md5start
  ipsec.sys
  tcpip.sys
  ipnat.sys
  /md5stop
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.

When the scan is complete, a log entitled OTL.txt will be created on your desktop.
Attach this log to your next message. (How to attach items to your post)

 

Attached is the log. Is there any hope for my laptop? Is there still a long way to go?

 

Hi thisisu,
I just happened to open up the SystemLook.txt and OTL.txt that I uploaded earlier. Looks like something happened and they got corrupted when I copied them to my thumb drive. I will try uploading them again once I reach home. I apologize for the inconvinience.

 

Yes, this was the problem. Once you attach readable logs I have a good idea of what needs to be replaced.

 

I again apologize for the inconvenience. I am not sure why this is happening. When I try to copy the files to a USB drive, it gets corrupted. Anyways, I copy pasted the content and saved the files again.

 

It's quite alright

Now we need to make use of OTL by Old Timer

• Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
• When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  :files
  C:\WINDOWS\System32\drivers\ipsec.sys|C:\WINDOWS\ServicePackFiles\i386\ipsec.sys /replace
  :commands
  [purity]
  [createrestorepoint]
  [emptytemp]
  [emptyflash]
  

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• A report will open.
• A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (How to attach items to your post)

Let me know if your Internet connection is restored after doing this.

 

Still does not work. log file attached

 

Can you do the steps outlined here again: http://forums.majorgeeks.com/showpost.php?p=1660290&postcount=60

Also what happens when you go into command prompt and type: ipconfig

 

OTL log and ipconfig screenshot attached.

 

Let's try this again with a few more files included.

• Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
• When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  :files
  C:\WINDOWS\System32\drivers\ipsec.sys|C:\WINDOWS\ServicePackFiles\i386\ipsec.sys /replace
  C:\WINDOWS\system32\drivers\ipnat.sys|C:\WINDOWS\ServicePackFiles\i386\ipnat.sys /replace
  C:\WINDOWS\system32\drivers\tcpip.sys|C:\WINDOWS\system32\dllcache\tcpip.sys /replace
  :commands
  [createrestorepoint]
  [emptytemp]
  [resethosts]
  

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• A report will open.
• A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (How to attach items to your post)

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:

• This will automatically update all the logs inside MGlogs.zip
• Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

Can you also take a screenshot of your Device Manager with Hidden Devices shown again?

Other than your Internet not working, are you experiencing any other problems?

 

Logs and screenshot attached. Apart from the internet not working, I really have not observed anything out of the ordinary

 

At this point, this appears to be a software related issue. Your latest logs are clean, however, having a ComboFix log would help. I'll try to help you restore your Internet, but this may just be due to CA not working / is corrupt. I see a little exclamation point where the CA icon is in the system tray. Why is it requesting your attention?

Let's try the following first:

Back in the Device Manager with Hidden Devices toggled on.
Right mouse click the following from this list and select Uninstall

• IP Network Address Translator
• IPSEC Driver
• TCP/IP Protocol Driver

You should be asked to reboot your PC for these changes to take effect. Please do so now.

Once you have rebooted:

Go back into Device Manager and click the Scan for hardware changes button
http://www.olympus.co.jp/en/support/imsg/digicamera/qa/contents/03b/image/di100003_09.gif

Does the Internet work now?

If not, reboot and test your Internet again.

If the Internet still does not work.

Go into command prompt (Start > run > cmd)
and type the following: sfc /scannow
If it prompts you for your Windows XP CD, please insert it and click Retry

 

If none of the above works, I want you to go back into the Device Manager.

Then uninstall these Network Adapters: (by right-mouse clicking and selecting Uninstall)

• Intel(R) PRO/Wireless 2200BG Network Connection
• Realtek RTL8139/810x Family Fast Ethernet NIC

Once you have done this and they are gone from the list.
>> Press the Scan for hardware changes button.
Note: They should automatically reappear in the Network Adapter list -- This is what we want.

 

I will try this later on today. I tried the rest of the stuff you mentioned in the previous thread and it did not work. When I ran sfc /scannow, it just compelted scanning and did not report anything. Is there a log that gets created somewhere?

 

CBS.log @ c:\windows\Logs\CBS

then most likely it did not find anything that needed to be corrected.

OK

 

It still does not work. Just for your record, the TCP/IP Protocol Driver keeps saying that "This device is not present, not working properly, or does not have all its drivers installed". Could this be the underlying problem? I tried unistalling it and then scan for hardware changes as mentioned in one of your previous posts. After I reboot and check the device manager again with hidden devices, I sse an exclamation mark against this driver and when I click on it, it shows the above message.

Also, the reason CA is screaming for attention is because the virus definition file is old and I had also disabled the personal firewall.

 

Go into the C:\Windows\system32\drivers folder

Tell me whether or not tcpip.sys is present in this folder.
Note: You may not see the .sys part if you have hidden file extensions.

 

Yes, as chaslang mentioned, I see the tcpip.sys in the folder you mentioned

 

• Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
• When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  :files
  C:\WINDOWS\system32\drivers\tcpip.sys|C:\WINDOWS\ServicePackFiles\i386\tcpip.sys /replace
  :commands
  [createrestorepoint]
  [emptytemp]
  [resethosts]
  

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• A report will open.
• A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (How to attach items to your post)

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:

• This will automatically update all the logs inside MGlogs.zip
• Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

After doing this, does Device Manager still show an exclamation point at TCP/IP Protocol Driver?

Does your Internet work now?

If not, redo the steps here: http://forums.majorgeeks.com/showpost.php?p=1660935&postcount=72

Does your Internet work now?

 

After running OTL and MGTools, there is still an exclamation mark in the device manager. I then tried following instructions in post 72, but still have the same issue. Sigh! :cry I have attached the logs

 

I have exerted every effort to restore your connection. Further reading suggests that you have a dead TCP/IP stack. Here are the 3 options I see to finally restore your connection.

1. Repair Windows XP Home using Windows XP Home CD -- Easy -- Recommended
2. Expand tcpip.sys from recovery console or from command prompt -- Intermediate
3. Delete the corrupted registry keys, and then reinstall the TCP/IP protocol. -- Advanced

Alternatively, you can seek help in our Software forum.

Keep me posted on what happens.

 

Thanks so much for your help. I followed your option 3 and the internet seems to be working as of now. What is the next step you want me to do?

 

Excellent news!
Well your OTL and MGlogs are clean. ComboFix has been updated a few days ago to also detect and remove this new globalroot infection you had so I would like to get a log from that and make sure nothing else is detected before I say you are completely clean. However, I realize that uninstalling and reinstalling CA AV might not be something you want to do. So I leave this option up to you.

• How is the PC running now?
• Anything out of the ordinary?
• Is the redirection gone?
• Are you able to open all of your programs without getting the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access". message?

 

The PC seems to be working fine as of now. Nothing seems to be out of ordinary. Also, appears that the google redirection is no longer appearing. I could still try unistalling CA and running Combofix just to make sure.

 

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access". message still seems to persist

 

Is this the message you get when trying to run ComboFix?

• If so, delete ComboFix.exe
• Empty the Recycle Bin
• Download a NEW ComboFix.exe to your desktop.
• Attempt to run this one; Same message?

Note: We may end up having to delete all traces of ComboFix before you able to run it. The infection probably already blocked it in the past. I'll give you a fix for this if the above does not work.

 

Attached is the combofix log. Is there still any infection left?

 

I don't want to get your hopes up but I think we are almost finished.

Please note in the fix below, I am deleting junction and w32diag. The infection you had may have blocked them from running before. I want to try to get new logs from them so you will need to download them again in the upcoming steps.

If something here does not run properly, make a note of it and proceed to the next step.

Now we need to make use of ComboFix by sUBs

• Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
  • If it is not on your desktop, the below will not work.
• Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

KillAll::
File::
C:\junction.exe
C:\Win32kDiag.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"=-
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"=-
Folder::
c:\windows\rnapxs
c:\documents and settings\mkpchandra\Local Settings\Application Data\ApplicationHistory
FileLook::
c:\windows\system32\dllcache\ovca.sys
c:\windows\iwlandrvxpver.dll
c:\windows\system32\wuauclt.exe.vet
c:\program files\WordWeb\wweb32.exe
c:\program files\HPQ\Default Settings\cpqset.exe
c:\program files\wordweb5 (2).exe
c:\windows\QTFont.for
DirLook::
c:\windows\system32\DRVSTORE

• Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
• At this point, you must exit all browsers now before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
• This shall launch ComboFix.
  Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
• Allow ComboFix to update itself if prompted.
• When it finishes, a log will be produced at C:\ComboFix.txt
  Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
• Attach this log to your next message. (How to attach items to your post)

Please download and run Win32kDiag per the below instructions:

• Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log (How to attach items to your post)

C:\win32kdiag.exe -f -r


Now we need to scan the system with this special tool.

• Please download Junction.zip and save it to your root folder (C:\Junction.zip)
• Unzip it and put junction.exe in the root folder (C:\junction.exe)
• Now click Start => Run... => Copy and paste the following command in the run box and click OK:
  
  cmd /c junction -s c:\ >C:\log.txt
  ​
• A command prompt window opens and also a license agreement from SysInternals will appear.
• Accept the license agreement and the scan will begin.
• Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
• NOTE: It scans your whole hard disk so if can take a long time. Be patient and don't do anything else while it is scanning.

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:

• This will automatically update all the logs inside MGlogs.zip
• Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS​

 

I was able to run all the steps you outlined. The computer seems to be working fine (at least the internet connection is up and google redirection does not seem to be occurring). Please find the log files attached

 

Everything looks great!
I'm glad I was able to help you with this infection.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

I really mean it when I say this....Thanks a ton! I had lost all hope at one point. But, you really helped me through the entire process. Thanks for your patience in answering all my silly questions...Hats off to you and your team at majorgeeks! You are the best!

 

You're welcome. That's what we are here for. Surf safely!