Google redirect geyekr files seen

Dell / Dimension e521
July 22, 2009 at 19:35:59
Specs: Microsoft Windows XP Home Edition, 1.904 GHz / 3070 MB
I have been seeing the same issues others on this board have reported: Google and other major search engines redirect me to ad sites when I click on search results.

AVG has found nothing.
Adaware has found nothing.
Spybot S&D has found nothing.
Sophos has revealed several files with "geyekr" in start of file name. I did not delete.

I have seen people with similar problems solved. Can someone help me?

Thanks in advance for your help!





#1
July 22, 2009 at 20:32:31


#2
July 23, 2009 at 04:05:35
Thanks for your reply. Sophos would be able to remove some DLLs and some hidden files, but was unable to remove some registry files. I wasn't sure if this was the right thing to do or not; please advise.

http://rapidshare.com/files/2590615... is the sophos log (JPG)

A GMER log is at this link:
http://rapidshare.com/files/2590620...

with prog name = ex1yk1ft.exe
Please advise if i should use SOPHOS to delete what I can or move forward with other methods

-lazybum234



#3
July 23, 2009 at 06:02:14
You can use Sophos to try to delete all of them except sptd.sys. Make sure you rescan to see if it was able to delete them successfully.

If I'm helping you and I don't reply within 24 hours send me a PM.




#4
July 23, 2009 at 07:10:51
Hi,

There are a couple of easy steps that solve less complex problems. Make sure to check these things:
http://www.2-viruses.com/how-to-fix...

Otherwise, your PC is probably infected with a Trojan virus or similar parasite. In that case, scan your computer with Spyware Doctor.



#5
July 23, 2009 at 18:28:15
jdk:

Thank you for your help!!!!

I cleaned the "geyekr" files with sophos. The problem has stopped.

Upon rescan with Sophos, I am finding numerous entries of programs that I do not believe exist or are needed. What should I do from here?

Sophos log link:
http://rapidshare.com/files/2593249...

What other steps do I need to take to ensure my computer is clean of "geyekr" infection and is safe?

ignys- I checked the files in your link, they are fine. thank you for your help.




#7
July 23, 2009 at 18:54:14
Gmer log from 7-23 PM here:
http://rapidshare.com/files/2593308...

prog name was: ex1yk1ft.exe

It said there was root activity and I said "no" to a full system scan.

Thank you for your help. I will be able to respond quickly for a couple hours. Thank you again.



#8
July 23, 2009 at 18:57:23
Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.



#9
July 23, 2009 at 20:50:46
Sorry about previous GMER file. This one was done correctly

http://rapidshare.com/files/2593555...

filename was "bqk6k34l.exe"

Took a while with all the files it went through.

Thank you again!



#10
July 23, 2009 at 20:58:03
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

2) Please zip up C:\qoobox\quarantine and upload it to a filehost such as http://rapidshare.com/. Then Private Message me the download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.



#11
July 23, 2009 at 21:20:38
Combofix log:
http://rapidshare.com/files/2593611...

Quarantine zip:
link sent to your PM

Thank you again for your help



#12
July 23, 2009 at 21:29:21
Follow:

1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log; fix anything detected.

2) Run full Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#13
July 24, 2009 at 04:30:32
Thanks again for the help:

malware file:
http://rapidshare.com/files/2594771...

SuperAntispyware:
http://rapidshare.com/files/2594772...



#14
July 24, 2009 at 04:47:32
Problem seems fixed. Any more problems? Follow:

Uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.

If I'm helping you and I don't reply within 24 hours send me a PM.



#15
July 24, 2009 at 04:52:04
The redirect problem seems to be gone. I will rescan with GMER to see if anything comes up.

In response number 9, I posted my older GMER log and there were some flagged entries related to svchost.exe and several registry entries referring to "yejfie". Is this problem removed as well? Is it a false negative?

Thanks again for your help. If you can provide any tips on what active software I should be running to prevent this in future, any help is appreciated.

Thanks again.



#16
July 24, 2009 at 05:00:56
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode and make sure you are connected to the internet. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.



#17
July 24, 2009 at 05:20:34
AVZ log:
http://rapidshare.com/files/2594912...
DDS log:
http://rapidshare.com/files/2594913...
Attach log:
http://rapidshare.com/files/2594914...

Thank you again. I will not be able to respond until the PM. Meanwhile I will do another GMER scan.



#18
July 24, 2009 at 05:37:55
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
  SetAVZGuardStatus(True);      // enable AVZGuard so running malware cannot interfere
  SearchRootkit(true, true);    // user-mode and kernel-mode rootkit search
  StopService('MEMSWEEP2');
  DeleteService('MEMSWEEP2');
  QuarantineFile('C:\WINDOWS\system32\1.tmp','');          // copy to quarantine before deleting
  QuarantineFile('c:\windows\system32\oegzygyc.dll','');
  DeleteFile('c:\windows\system32\oegzygyc.dll');
  DeleteFile('C:\WINDOWS\system32\1.tmp');
  BC_ImportAll;                 // hand the delete list to BootCleaner for locked files
  ExecuteSysClean;
  BC_Activate;                  // BootCleaner runs at the next boot
  SetAVZPMStatus(true);         // install the AVZPM process monitor driver
  RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
  CreateQurantineArchive('C:\quarantine1.zip');
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and Private message me download link.

3) Redo Response Number 16.

If I'm helping you and I don't reply within 24 hours send me a PM.




#20
July 24, 2009 at 15:33:31
I did things in this order: (step16 redo, cleanup, tuneup)

1) Did AVZ scan/reboot. virusinfo zip
http://rapidshare.com/files/2596726...

2) Did DDS

DDS:
http://rapidshare.com/files/2596728...
Attach:
http://rapidshare.com/files/2596729...

3) Currently doing cleanup and tuneup. Will follow up with you after cleanup and tuneup.



#21
July 24, 2009 at 15:46:23
Did cleanup.

Cleaned a couple of MB of temporary files. "Fixed" 33 registry errors.

Did tuneup.

No defrag necessary, nothing new.

Did Cleanup again.

Cleaned 0MB temporary files. found 1 registry item, but could not clean it.

Thank you for your help. I will reboot now to see if new hardware is still there. Please let me know what scans to run next.

Thanks again.




#22
July 24, 2009 at 15:58:38
Rebooted, still getting "found new hardware" for two devices named "unknown" with the root descriptors I described in a PM. Just seeking to make sure the computer is clean of the previously seen bugs.

Let me know if you need more info and what scan to do.

Thank you.



#23
July 24, 2009 at 16:06:05
Yes, it's clean. I didn't find anything more. I suggest you download ccleaner and run its registry cleaner. Can you give me the info for the new hardware again, the one you private messaged me?

If I'm helping you and I don't reply within 24 hours send me a PM.



#24
July 24, 2009 at 16:26:05
In device manager, I see:

"Other devices" (With yellow question mark)

and under it...

2x "unknown devices"

Info available (in "Details" tab) is as follows:

Device Instance Id =
"ROOT\LEGACY_UTM3NJA5\0000"
and the other one is
"ROOT\LEGACY_UZM3NJA5\0000"

Enumerator for both=
"ROOT"

Devnode Flags=
"DN_ROOT_ENUMERATED
DN_HAS_PROBLEM
DN_DISABLEABLE
DN_NT_ENUMERATOR
DN_NT_DRIVER"

Current Power State=
"D3"

Power Capabilities=
"PDCAP_D0_SUPPORTED
PDCAP_D3_SUPPORTED"

Power State Mappings=
"S0 -> D0
S1 -> D3
S2 -> D3
S3 -> D3
S4 -> D3
S5 -> D3"

All other fields have no value.

I have not tried anything in the realm of disabling them or uninstalling them.



#25
July 24, 2009 at 16:45:03
Try this:

1) Start > run > regedit, navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UTM3NJA5
On the left side right click the "LEGACY_UTM3NJA5" key (looks like a folder) and select export. Give the output file a name. Afterward right click it again and select "permissions", click "everyone" and check full control below (under the allow column). Press ok and attempt to delete the LEGACY_UTM3NJA5 key. To do that click it on the left side and press delete on your keyboard, confirm the prompt and reboot the PC.

2) Start > run > regedit, navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UZM3NJA5
On the left side right click the "LEGACY_UZM3NJA5" key (looks like a folder) and select export. Give the output file a name. Afterward right click it again and select "permissions", click "everyone" and check full control below (under the allow column). Press ok and attempt to delete the LEGACY_UZM3NJA5 key. To do that click it on the left side and press delete on your keyboard, confirm the prompt and reboot the PC.

If I'm helping you and I don't reply within 24 hours send me a PM.



#26
July 24, 2009 at 17:40:38
This worked without any bad effects. Yet.

I have no more symptoms to bring up, so I believe I am in the clear for now.

0) Can I reply if symptoms come back?
1) Can I delete those 2 registry export/backup files?
2) What should I scan with regularly to know what is on my system?
3) Should I "toggle" my system restore?

THANK YOU FOR YOUR HELP!!!



#27
July 24, 2009 at 18:57:41
0) Private message me
1) yes if problem is fixed
2) Buy antivirus kaspersky/norton/eset/bitdefender/avira/mcafee or switch to free avira.
3) yes toggle to purge old restore points.

No problem :)

If I'm helping you and I don't reply within 24 hours send me a PM.



#28
July 26, 2009 at 07:03:45
Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan dialog, check:

    * Drivers
    * Processes
    * SSDT
    * Hidden Services

* Click the OK button
* In the next dialog, select all drives showing
* Click OK to start the scan
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Upload rootrepeal.txt to rapidshare.com and post the download link in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

If I'm helping you and I don't reply within 24 hours send me a PM.



#29
July 26, 2009 at 07:27:43
Root repeal report:
http://rapidshare.com/files/2602472...

Thank you again.



#30
July 26, 2009 at 09:00:49
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
  SetAVZGuardStatus(True);      // enable AVZGuard so running malware cannot interfere
  SearchRootkit(true, true);    // user-mode and kernel-mode rootkit search
  // QuarantineFile only copies the file into the AVZ quarantine for analysis; it does not delete it
  QuarantineFile('C:\WINDOWS\system32\26.tmp','');
  QuarantineFile('c:\windows\system32\svchost.exe','');
  QuarantineFile('c:\windows\system32\oegzygyc.dll','');
  BC_ImportAll;                 // hand any pending operations to BootCleaner
  ExecuteSysClean;
  BC_Activate;                  // BootCleaner runs at the next boot
  RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
  CreateQurantineArchive('C:\quarantine.zip');
end.


A file called quarantine.zip should be created in C:\. Upload that file to rapidshare.com and Private message me download link.

If I'm helping you and I don't reply within 24 hours send me a PM.



#31
July 26, 2009 at 10:59:30
Do you have your windows installation discs?

If I'm helping you and I don't reply within 24 hours send me a PM.



#32
July 26, 2009 at 16:01:29
The machine came pre-loaded (Dell), so I have an OS reinstallation CD, but not original Windows CDs.

Is formatting the only way out?

Is this even a threat or am I being overly picky?

Thanks for the help.



#33
July 26, 2009 at 17:10:13
No need to format; it's just leftover registry stuff, nothing harmful. Follow:
Download: http://www.ccleaner.com/download/bu... and clean your registry and temp files.

If I'm helping you and I don't reply within 24 hours send me a PM.



#34
July 26, 2009 at 17:40:19
So is it OK to go into regedit and delete instances of "yejfie"? I assume that the suspect DLL is gone (is there some way to search deeper or something?)

I'm thinking of deleting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yejfie

When i try to export it it says "The selected branch does not exist. Make sure that the correct path is given"

Ccleaner doesn't seem to find or clean it. (does it make a difference if i use full version vs slim version?)

Thanks



#35
July 26, 2009 at 17:52:42
No it doesn't. You can delete that key. Make sure you back it up.

If I'm helping you and I don't reply within 24 hours send me a PM.



#36
July 26, 2009 at 19:12:28
When I tried to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yejfie

It said "Cannot delete yejfie : error while deleting key"

I did find a Legacy_yejfie key in the same places i found the legacy_U... keys when I was correcting those hardware issues. Backed those up and deleted, will see what happens.

Anyway, I was pretty sure I was fussing over nothing. Thanks for your help in all this!
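The two leftover-key situations in this thread (the ROOT\LEGACY_UTM3NJA5 / LEGACY_UZM3NJA5 phantom devices from posts #24 and #25, and the yejfie service remnants from posts #34 to #36) share one diagnostic: a root-enumerated LEGACY_ device node whose driver service no longer exists. The script below is an added example, not code posted in the thread or shipped with any tool mentioned in it. It checks each named node against its Services key and driver binary, and with -Remove applies post #25's export, permissions, delete sequence only to the orphans. It assumes Windows PowerShell running as Administrator (PowerShell is a separate install on the XP machine in this thread); the default key names are the ones from posts #24 and #36, and the backup folder path is an arbitrary choice.

```powershell
# Added example (not from the thread). Triage the ROOT\LEGACY_* device nodes
# described in post #24 and, with -Remove, apply the export / permissions /
# delete sequence from post #25 to the ones that are orphans. Assumptions:
# Windows PowerShell running as Administrator (on XP, the thread's OS, it has
# to be installed first); the default names are taken from posts #24 and #36.
param(
    [string[]]$Names = @('LEGACY_UTM3NJA5', 'LEGACY_UZM3NJA5', 'LEGACY_YEJFIE'),
    [string]$BackupDir = "$env:USERPROFILE\Desktop\regbackup",
    [switch]$Remove
)

$EnumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # ImagePath comes in several shapes: 'system32\DRIVERS\x.sys',
    # '\SystemRoot\system32\...', '\??\C:\...'. Normalise to a plain file path.
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LegacyDeviceStatus {
    # The kernel creates ROOT\LEGACY_<NAME> for every driver service it has
    # started, so a node should pair with Services\<NAME> and a binary on disk.
    # No service key, or no binary, means the driver was removed (by Sophos,
    # ComboFix or AVZ in this thread) and only the phantom device is left.
    param([string]$LegacyName)
    $node = Join-Path $EnumRoot $LegacyName
    $inst = Get-ItemProperty -Path (Join-Path $node '0000') -ErrorAction SilentlyContinue
    if ($inst -and $inst.Service) { $svc = $inst.Service }
    else { $svc = $LegacyName -replace '^LEGACY_', '' }
    $svcKey = Join-Path $Services $svc
    $img = $null; $onDisk = $false
    if (Test-Path $svcKey) {
        $raw = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        if ($raw) { $img = Resolve-ImagePath $raw; $onDisk = Test-Path $img }
    }
    $exists = Test-Path $node
    New-Object PSObject -Property @{
        Legacy       = $LegacyName
        NodeExists   = $exists
        Service      = $svc
        ServiceKey   = (Test-Path $svcKey)
        ImagePath    = $img
        DriverOnDisk = $onDisk
        Orphan       = ($exists -and -not ((Test-Path $svcKey) -and $onDisk))
    }
}

function Remove-LegacyDeviceKey {
    param([string]$LegacyName, [string]$BackupDir)
    $sub     = "SYSTEM\CurrentControlSet\Enum\Root\$LegacyName"
    $regPath = "HKLM\$sub"
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $backup = Join-Path $BackupDir "$LegacyName.reg"

    # 1) Export first (regedit's "export" step); undo later with: reg import <file>
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "export of $regPath failed, not deleting" }

    # 2) Grant Everyone full control (regedit's "permissions" step). Keys a
    #    rootkit has locked down often carry a DACL that denies Administrators;
    #    this needs WRITE_DAC on the key, which may in turn require taking
    #    ownership first.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if (-not $key) { throw "cannot open $regPath for ACL change" }
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = $key.GetAccessControl()
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()

    # 3) Delete the subtree; reboot afterwards so Device Manager stops
    #    re-enumerating the node.
    & reg.exe delete $regPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "delete of $regPath failed" }
    Write-Output "$regPath removed; backup at $backup"
}

$report = $Names | ForEach-Object { Get-LegacyDeviceStatus $_ }
$report | Format-Table Legacy, NodeExists, Service, ServiceKey, DriverOnDisk, Orphan -AutoSize

if ($Remove) {
    foreach ($r in $report) {
        if ($r.NodeExists -and $r.Orphan) { Remove-LegacyDeviceKey $r.Legacy $BackupDir }
        elseif ($r.NodeExists) { Write-Warning "$($r.Legacy): driver still installed ($($r.ImagePath)); left alone" }
    }
}
```

Run it without -Remove first and read the table: a node whose service key and driver binary both exist is a live driver (the sptd.sys that post #3 says to leave alone would show up this way under LEGACY_SPTD) and the script refuses to delete it. The Services\yejfie key from posts #34 to #36 is reported but not touched; the same export, permissions, delete sequence applies to HKLM\SYSTEM\CurrentControlSet\Services\yejfie, and the symptom there (export reports the branch does not exist while delete reports an error) is typical of a key protected by a restrictive ACL or one regedit cannot address by name, which is exactly why the permissions step comes before the delete.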



#37
July 26, 2009 at 19:22:45
No problem, it's nothing harmful, and it's not necessary to reformat.

If I'm helping you and I don't reply within 24 hours send me a PM.



