Google redirect, windows updates, standy mode problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Snow Bro, Jul 27, 2011.

  1. Snow Bro

    Snow Bro Private E-2

    My PC running Windows XP has had many issues and I had been ignoring some until recently. I have had problems with google redirect, though it seems it has gone away after following the guide on this site. As for updates, Windows Service Pack 3 locks up at atapi.sys. Also, my PC tends to freeze after being put on standby.

    I went through the steps for google redirect issues, but I am currently not able to reset the router to factory settings. Also, another pc I share the network with runs Windows XP without redirect issues. Additionally, I first mistakenly ran TDSS Killer from the Downloads folder.

    I then followed steps 2 to step 7 part 3. I could not run Root Repeal and MGTools stopped midway. The logs are all attached.

    After this, I re-ran TDSS Killer from the Desktop without different results. I am posting the log from that run.
     


  2. Snow Bro

    Snow Bro Private E-2

    More logs
     


  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks! :major

    I will be reviewing your logs. Please be patient as there is a lot of information to review.
     
  4. thisisu

    thisisu Malware Consultant

    Do you have your Windows XP boot CD? Let's try this.

    Then see if you can boot from this CD and get into the Recovery Console. See the second section in the below link where it says "How to use the Recovery Console"

    http://support.microsoft.com/kb/307654

    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.
    http://support.microsoft.com/Library/Images/2399081.png
    When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

    Now type in fixmbr
    It will warn you that replacing the MBR can be dangerous.
    Press Y to proceed
    It should say Operation completed successfully
    When you receive the above message, type in map
    A list of the devices on your computer is displayed
    Take note of which drive letter the CD you inserted is in (It should be either E: or F: since you have 2 CD/DVD-rom devices)
    Note: You can also use the dir command to see which drive letter contains the i386 folder we need
    Note #2: You can type in E: to change the drive letter to E:. or type in F: to change the drive letter to F:
    Use the appropriate drive letter (E: or F: ) when you type in the below command
    Type in what is in the code box below (remember, if necessary, replace E: with F: )
    Code:
    expand E:\i386\atapi.sy_ C:\windows\system32\drivers

    Press Y to overwrite the existing file if prompted
    Note: There is a space AFTER expand and .sy_
    Type exit
    This should restart your computer, if it does not, reboot it yourself please, and this time don't boot off of CD (eject your CD)

    Once back into Windows..

    Go to the below link and follow the instructions for running TDSSKiller by Kaspersky


    Please also download MBRCheck to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)
     
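    An added example, not part of the thread: a Python check in the spirit of MBRCheck's "Found non-standard or infected MBR" result, run over a constructed 512-byte MBR image rather than a live disk. It assumes you read sector 0 separately (with administrator rights) and that the known-good bootstrap hash comes from a trusted copy of the same MBR code.

```python
import hashlib
import struct

BOOT_SIG = b"\x55\xaa"          # bytes 510..511 of a valid MBR
PART_TABLE_OFFSET = 446         # four 16-byte partition entries follow the boot code
PART_ENTRY = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(active_count=1, signature=BOOT_SIG, bootstrap_fill=0x90):
    """Constructed sample image: NOP-filled bootstrap, N active NTFS entries, signature."""
    boot_code = bytes([bootstrap_fill]) * PART_TABLE_OFFSET
    entries = b""
    for i in range(4):
        if i < active_count:
            # status 0x80 = bootable, type 0x07 = NTFS, start LBA 63, 1,000,000 sectors
            entries += struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07,
                                   b"\xfe\xff\xff", 63, 1_000_000)
        else:
            entries += bytes(16)
    return boot_code + entries + signature


def bootstrap_hash(image):
    """SHA-256 of the bootstrap code only; the partition table legitimately differs per PC."""
    return hashlib.sha256(image[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(image, known_good_hash=None):
    """Return a list of findings; an empty list means the MBR looks standard."""
    findings = []
    if len(image) != 512:
        return ["image is %d bytes, expected 512" % len(image)]
    if image[510:512] != BOOT_SIG:
        findings.append("boot signature missing (expected 55 AA at offset 510)")
    active = 0
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY, image[start:start + 16])
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
        if status == 0x80:
            active += 1
        if ptype != 0 and sectors == 0:
            findings.append(f"partition {i}: type 0x{ptype:02x} with zero length")
    if active > 1:
        findings.append(f"{active} partitions flagged active, expected at most 1")
    # Bootkits typically replace the bootstrap code and leave the table intact,
    # so the structural checks above pass; only the hash comparison catches that.
    if known_good_hash is not None and bootstrap_hash(image) != known_good_hash:
        findings.append("bootstrap code does not match the known-good hash")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    print(check_mbr(good, bootstrap_hash(good)))            # []
    print(check_mbr(bytes([0xCC]) * 446 + good[446:], bootstrap_hash(good)))
```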
  5. Snow Bro

    Snow Bro Private E-2

    My PC had Windows XP built in, so I do not have a Windows XP CD. However, the Recovery Console was already built in. I ran the procedure but replaced expand E:\i386\atapi.sy_ C:\windows\system32\drivers with
    expand D:\i386\atapi.sy_ C:\windows\system32\drivers, since D is the location of the atapi.sy_ file.

    I ran TDSS Killer and atapi.sys is still a suspicious file. Attached are the logs for that and MBRCheck.
     


  6. thisisu

    thisisu Malware Consultant

    Please pick only 1 Anti-Virus program to keep and uninstall the other. This was one of the steps in the Read and Run me First - Step 2
    • Authentium AntiVirus SDK - 2
    • Avira AntiVir Personal - Free Antivirus
    Please reboot your computer after uninstalling 1 of the above.

    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  7. Snow Bro

    Snow Bro Private E-2

    I had no idea I had another antivirus program installed:confused. I found the installer for Authentium AntiVirus SDK - 2 and got rid of it. I rebooted and ran the Combo Fix script. I then ran GetLogs.Bat which again was interrupted midway through by an error. Here are the logs.
     


  8. thisisu

    thisisu Malware Consultant

    Thanks for being so patient. I haven't forgotten about you ;)

    There is still a potential problem with your atapi.sys file. I'd like you to do the following:

    Completely uninstall any type of Disk Emulation software such as Daemon Tools then reboot your PC.
    Rerun ComboFix.exe. Let ComboFix update.
    Attach C:\ComboFix.txt (How to attach items to your post)

    Go to the below link and follow the instructions for running TDSSKiller by Kaspersky

    Please also rerun MBRCheck and attach its latest log (How to attach items to your post)
     
  9. Snow Bro

    Snow Bro Private E-2

    I un-installed all disc emulation software that I was aware of before my first post, but then I ran DeFogger in case the software was still around. After re-enabling disc emulation with DeFogger, it seems I still have some mounted dvd drives. I tried uninstalling their drivers, but they reappear when the pc restarts. They do not show up when they are disabled, but they are still not fully uninstalled. I am not sure if there is a leftover program causing this.
     
  10. thisisu

    thisisu Malware Consultant

    I will give you a fix for removing the remnants of Daemon Tools. Follow these steps:

    1. Uninstall any Daemon Tools applications that you can (if you can't find anymore, don't worry about them for now)
    2. Run Defogger.exe , make sure to disable Disk Emulation software again.

    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Go to the below link and follow the instructions for running TDSSKiller by Kaspersky

    Please also rerun MBRCheck and attach its latest log (How to attach items to your post)
     
  11. Snow Bro

    Snow Bro Private E-2

    I ran the CFScript and the other programs. It looks like TDSS Killer no longer detects atapi.sys as suspicious:). Attached are the logs.
     


  12. thisisu

    thisisu Malware Consultant

    Your logs are looking better now. How is the PC running?

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  13. Snow Bro

    Snow Bro Private E-2

    The PC seems to be running better now. Standby mode works well (though hibernate, which had problems before, still causes problems) and google redirect has gone away. MGLogs once again had an error and gave me the message which I am attaching as a picture. The logs are also attached.
     


  14. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the following:

    • Java(TM) 6 Update 26 <-- old

    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now download and install Sun Java Runtime Environment 7
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  15. Snow Bro

    Snow Bro Private E-2

    Sorry for the late reply. I updated Java and ran the Combo Fix script and then GetLogs.bat. GetLogs.bat gave me the same error #5 message. Attached are the logs.
     


  16. thisisu

    thisisu Malware Consultant

    Do you mean message #13?

    What is this file on your desktop? 99.bin
    Also, this file in the root of C: lqlurj.gqe
    If you do not know, go to VirusTotal and upload these files for analysis.
    Let me know the results!

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    C:\abyk
    FileLook::
    c:\lqlurj.gqe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\drivers\atapi.sys
    C:\Documents and Settings\Owner\Desktop\99.bin
    Folder::
    C:\temp
    C:\temp3
    File::
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(3).dll
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(4).dll
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(5).dll
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(6).dll
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET61C.tmp
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET6EB.tmp
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET7BF.tmp
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET8AB.tmp
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
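    An added example, not part of the thread and not ComboFix's own code: a small Python parser for the CFScript format used in the post above, run over the exact script quoted there. The directive meanings in the DIRECTIVES table are my assumption about how ComboFix treats each section; the point is to see at a glance which entries only inspect and which delete before you drag the script onto ComboFix.exe.

```python
# The CFScript from the post above, embedded verbatim as sample input.
CFSCRIPT = r"""KillAll::
DirLook::
C:\abyk
FileLook::
c:\lqlurj.gqe
c:\windows\system32\dllhost.exe
c:\windows\system32\drivers\atapi.sys
C:\Documents and Settings\Owner\Desktop\99.bin
Folder::
C:\temp
C:\temp3
File::
C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(3).dll
C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(4).dll
C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(5).dll
C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(6).dll
C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET61C.tmp
C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET6EB.tmp
C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET7BF.tmp
C:\WINDOWS\PCHealth\HelpCtr\Binaries\SET8AB.tmp
"""

# Assumed meaning of each directive: (description, destructive?).
# This table is my reading of the script, not ComboFix documentation.
DIRECTIVES = {
    "KillAll": ("terminates running processes before the scan", False),
    "DirLook": ("lists the contents of each directory", False),
    "FileLook": ("reports details (size, hashes, dates) of each file", False),
    "Folder": ("deletes each folder", True),
    "File": ("deletes each file", True),
}


def parse_cfscript(text):
    """Group the paths under the directive (a line ending in '::') that precedes them."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"path before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def summarize(sections):
    """Return (unknown directives, {destructive directive: paths}) for review."""
    unknown = [d for d in sections if d not in DIRECTIVES]
    destructive = {d: paths for d, paths in sections.items()
                   if DIRECTIVES.get(d, ("", False))[1]}
    return unknown, destructive


if __name__ == "__main__":
    unknown, destructive = summarize(parse_cfscript(CFSCRIPT))
    for directive, paths in destructive.items():
        print(f"{directive}:: will {DIRECTIVES[directive][0]} ({len(paths)} entries)")
```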
  17. Snow Bro

    Snow Bro Private E-2

    The two messages I got, which were also the same when I ran getlogs.bat this time, are attached. Getlogs.bat was still interrupted. My logs for MGTools and ComboFix are also attached.

    I think 99.bin was some unused file I created with autohotkey. I checked it with Virus Total and only one out of all the scanners considered it suspicious. The file lqlurj.gqe was not considered suspicious by any scanners, but I deleted that file and 99.bin anyway.

    The pc is running ok overall. It runs pretty consistently well, and freezing after standby rarely happens now.
     


  18. thisisu

    thisisu Malware Consultant

    I'm not 100% positive but I think the errors you are getting from MGtools are due to your PC not having the .NET Framework 3.5 or higher installed. I say this because procdll.txt depends on this, and there is no procdll.txt in your logs.

    Your latest logs are clean.
    The standby issue would go away if you simply did not use the standby or hibernate feature by Windows. Some systems just don't like it in my experience. Most of the time, it's perfectly OK, but sometimes, you try to exit out of Standby or hibernation only to realize that the PC has locked up. Then you are forced to improperly shutdown which leads to data corruption. :-D

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  19. Snow Bro

    Snow Bro Private E-2

    This is a belated message, but it looks like everything is fine now. I just want to say that I really appreciate all the help I got. You guys are terrific! :-D
     
  20. thisisu

    thisisu Malware Consultant

    How could I forget that name? :-D

    Hi Snow Bro,

    Glad to hear the PC is still running well.

    Regards,
    thisisu
     
