Apparently have the TCP / Google redirect virus/ Moved


27 replies to this topic

#1 pizzapie

  • Members
  • 15 posts

Posted 28 February 2009 - 01:07 PM

I have run many virus scanners but none have fixed this problem. Web pages are corrupt or not displayed at all. Bugzilla says when I try to do a google search that it is redirecting to stableclick.com. It seems like the combofix would be appropriate but I saw a warning in one message to not run without direction. So here I am! FYI - this all started with the system locking up hard and having to boot in safe mode. I actually had McAfee running but it didn't stop this. I had to uninstall it to boot at all. Also, this is WinXP, sp2.


#2 Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 01 March 2009 - 02:21 AM

As no logs are posted, I am shifting this topic from the HiJack This forum to the Am I Infected forum. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 01 March 2009 - 02:51 AM

I had the same experience with McAfee when trying to clean a badly infected computer.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#4 pizzapie

Posted 01 March 2009 - 10:46 AM

I was able to run the clean software but then the other one wouldn't execute. So, I hard rebooted. Then it wouldn't boot all the way. So, I restarted but now can't log in even if I hard restart. So now I am trying safe mode with networking. Should this happen? Not sure I should continue in this state with the instructions.

#5 pizzapie

Posted 01 March 2009 - 10:59 AM

It won't execute in safe mode either. Even though the executable didn't look corrupted I redownloaded it (doing the downloading on my laptop and taking it over on a flashdrive since I can't browse to anything). The only thing running in safe mode is PC Tools Spyware w/antivirus which I got in an attempt to fix this problem. It apparently has no way to exit so I haven't tried without it. I would have to uninstall this if you think it is causing the anti-Malware software to not run.

Removed the spyware via the taskmanager but no luck.

Edited by pizzapie, 01 March 2009 - 11:06 AM.


#6 DaChew

Posted 01 March 2009 - 11:05 AM

Trying to install and run MBAM and its failure tells me this is probably a newer very nasty infection.

Your choices are limited

I would recommend a clean install or posting in the HJT forum and waiting for assistance there.

We can try and patch you up a little here and maybe isolate what the infection was.

Even after waiting for the HJT forum, some infections are incurable.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Did McAfee give you any clues as to what was infecting your computer?
Chewy

No. Try not. Do... or do not. There is no try.

#7 pizzapie

Posted 01 March 2009 - 11:08 AM

I posted to the other forum and they sent me over here and said I didn't have logs though the instructions on the site said don't get logs without direction! I'm worried if I back up my data so I can reformat the virus will come with. Please advise.

Re McAfee - they wanted to charge me for getting a virus while their program was running and said it was my fault! I haven't had the time or energy to find a forum where I can get some attention about this problem with them.

Edited by pizzapie, 01 March 2009 - 11:15 AM.


#8 DaChew

Posted 01 March 2009 - 11:28 AM

OK let's try to get you back up to a point where we can at least see what's infecting you

On the clean computer run this file and follow directions for inserting the flash drive

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Redownload MBAM, but this time rename it to something like pizza.com before transferring
Grab the new definitions off the clean computer, I would scan any computer that has seen that usb drive.

Hopefully it will install from normal mode

If it won't run then we need to rename the executable in its program folder and try to start it from there

Edited by DaChew, 01 March 2009 - 11:29 AM.

Chewy

No. Try not. Do... or do not. There is no try.
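
An added example, not part of any post in this thread and not Flash_Disinfector's own code: the note above says a folder named autorun.inf at a drive root keeps an autorun file from being installed there. This Python check reports whether a given root holds that placeholder folder, nothing, or an actual autorun.inf file, and lists the programs such a file would launch. The function names, drive roots and file contents are constructed for the demo.

```python
import os
import tempfile

# Keys in the [autorun] section that make Windows launch a program.
EXEC_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return the launch commands declared in an autorun.inf body."""
    commands, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command entries also start a program
            if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                commands.append(value)
    return commands

def check_drive_root(root):
    """Classify autorun.inf at a drive root: absent, folder, or file."""
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        path = os.path.join(root, name)
        if os.path.isdir(path):
            return ("folder", [])  # placeholder folder occupies the name
        with open(path, "r", errors="replace") as fh:
            return ("file", parse_autorun(fh.read()))
    return ("absent", [])

def demo():
    """Build three constructed drive roots in a temp dir and classify them."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [os.path.join(tmp, letter) for letter in ("E", "F", "G")]
        os.makedirs(os.path.join(roots[0], "autorun.inf"))  # placeholder folder
        os.makedirs(roots[1])
        os.makedirs(roots[2])                               # nothing at the root
        # Constructed sample content, not taken from any real infection
        with open(os.path.join(roots[1], "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\nopen=sample.exe\n"
                     "shell\\open\\command=sample.exe /x\nicon=folder.ico\n")
        return [check_drive_root(r) for r in roots]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A "file" result with launch commands is the case worth examining before the drive is opened on another machine.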

#9 pizzapie

Posted 01 March 2009 - 11:31 AM

On this computer when I tried to download McAfee said it had a trojan and I got a message that it was write-protected and could not be downloaded.

#10 DaChew

Posted 01 March 2009 - 11:34 AM

On this computer


The infected one?

It needs to stay disconnected from the internet
Chewy

No. Try not. Do... or do not. There is no try.

#11 pizzapie

Posted 01 March 2009 - 11:35 AM

That's the message I get on the non-infected one.

#12 DaChew

Posted 01 March 2009 - 11:38 AM

That's the message I get on the non-infected one.


I was afraid of that, it sounds like it's infected also, try to download MBAM again after downloading and running flashdisinfector
Chewy

No. Try not. Do... or do not. There is no try.

#13 pizzapie

Posted 01 March 2009 - 11:41 AM

What if I can't download it? Can you email it to me?

New: I am 80% through a scan on my "clean" laptop and nothing has been found though maybe McAfee wouldn't. There aren't any of the same symptoms as on the other machine though.

Edited by pizzapie, 01 March 2009 - 12:31 PM.


#14 pizzapie

Posted 01 March 2009 - 04:19 PM

Update: ran a Malwarebytes Anti-Malware scan on my laptop and found nothing. I don't know why I can't download the file. I am running Microsoft's Malicious Software Removal Tool on the infected computer since it would run.

I could really use some help to know what to do next. I tried copying over the installed files from Malwarebytes and running it with the same result - nothing. I am running the MS app from the CD instead of copying it over which I hadn't tried with the other. FYI- I'm now transferring files on CD instead of using the flashdrive. Thank you in advance (and for the help so far).

Additional update: the MS scan is still running - going on 4 hours. It hasn't found anything.

Edited by pizzapie, 01 March 2009 - 07:19 PM.


#15 DaChew

Posted 01 March 2009 - 07:19 PM

On the clean? computer download the installer for MBAM, before burning to a cd-r rename it pizza.com

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.
Also grab the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' from the clean computer

You will have to copy it to the same location on the infected computer

See if it will install on the infected computer

If it does go to program folder and rename the executable to pizza.com, right click on it and send to desktop/create shortcut

Edited by DaChew, 01 March 2009 - 07:20 PM.

Chewy

No. Try not. Do... or do not. There is no try.



