
Browser Search Redirect Virus/Malware Issue


1 reply to this topic

#1 Professor235


Posted 29 November 2009 - 08:15 PM

Greetings. I've been having a problem that unfortunately I have been unable to resolve myself.

On Thanksgiving evening, I realized that my computer had been behaving strangely and most likely was infected by a virus. I was using AVG Free 8.5 at the time and it had not updated normally. Long story short - I was infected and after upgrading to AVG Free 9.0 most of the wonky behavior was addressed with the exception of one last extremely annoying problem.

When using IE8 and entering searches into Google.com things look normal but clicking on one of the links leads to unrelated sites and occasionally browser windows open to junk sites. After 18 hours of trying to eradicate this last problem I've run across this site. I hope folks here can help me fix this.

I own an Asus eeePc, am running XP and was using IE8. Some of the sites that I get redirected to are:

hxxp://pataskalaohio.com/search.php

hxxp://online-scanner-free.info/secure1/?id=259b4c25aa08557e7c8892c5d64253db

hxxp://www.thetop10.com/search/

hxxp://kburnsportfolio.com/search.php

hxxp://r9237242.cn/UA63XbXx5o6xHso6240ad7f76ece901b1cf3a71d7bfee3b406g

(This last one is what led me here.)

So far all attempts at anti-virus/anti-malware have not led to successfully removing the redirect problem.

I have tried Spybot, Malwarebytes, AVG Free 9.0, TFC, CCleaner, SuperAntiSpyware, as well as crawling through registry entries to see if anything looked obviously wrong (I have changed nothing manually).

Any help would be greatly appreciated.

--Professor235

EDIT: Disabled links so that people don't accidentally go there.

Edited by Professor235, 29 November 2009 - 09:07 PM.


#2 johnnyzero


Posted 02 December 2009 - 09:54 AM

Professor,

It sure sounds like the same malware I recently had the pleasure of dealing with (TDSS.y Rootkit). I was getting redirected via the same server you mentioned, r9237242.cn. In my case, it turned out to be a single infected driver file, ATAPI.SYS.

(Note: several other users have reported that this rootkit is capable of infecting different low-level storage drivers as well: IASTOR.SYS, NVATA.SYS, etc.)

After trying at least 25 different malware solutions over several hellish days with no success, here's how I finally got rid of it:

* Download Esage Labs' Rootkit.Win32.TDSS remover from here and run it.

* The program should detect the infected ATAPI.SYS file, and will then offer to let you restore the file from the \i386 folder of your original Windows CD.

Unfortunately, when I tried to do this last step, I kept getting a "file version" error - probably because I'm running SP3 and my original CD is SP2. If you're running XP and you encounter the same problem (or you don't have access to your original CD), here's the workaround for that:

1) Your WINDOWS\ServicePackFiles\i386 folder should contain a clean (uninfected) copy of ATAPI.SYS. Copy this clean version of ATAPI.SYS to both \system32\drivers and \system32\dllcache (overwriting the infected ones).

2) Before rebooting, it's probably a good idea to check your Hosts file and clean it out if necessary. It's also probably a good idea to clear your DNS cache.

3) Reboot & you should be good to go: hopefully no more redirects!

Let me know if this works for you.

JohnB
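An added integrity check for the steps above (example code, not part of johnnyzero's post): it hashes each ATAPI.SYS copy in the two locations the post names against the ServicePackFiles\i386 backup, shows the file version string the remover complained about, and lists any hosts file entries beyond the default localhost line. It assumes PowerShell is installed on the machine, that the Service Pack backup exists, and that the hosts file is at the standard system32\drivers\etc\hosts location (not named in the post).

```powershell
# Added example, not from the thread: report each ATAPI.SYS copy's hash and file
# version against the Service Pack backup, and list non-default hosts entries.
$root = $env:SystemRoot
$reference = Join-Path $root 'ServicePackFiles\i386\atapi.sys'   # clean copy named in the post
$copies = @(
    (Join-Path $root 'system32\drivers\atapi.sys'),
    (Join-Path $root 'system32\dllcache\atapi.sys')
)
# Standard hosts file location (assumed, not named in the post)
$hostsFile = Join-Path $root 'system32\drivers\etc\hosts'

function Get-FileSha256 {
    param([string]$Path)
    # .NET hashing so this runs on the older PowerShell versions an XP box could have
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '')
    } finally {
        $stream.Close()
    }
}

if (-not (Test-Path $reference)) {
    Write-Host "No Service Pack backup at $reference; nothing to compare against."
    return
}
$refHash = Get-FileSha256 $reference
$refVersion = (Get-Item $reference).VersionInfo.FileVersion
Write-Host "Reference $reference  version=$refVersion  sha256=$refHash"

foreach ($path in $copies) {
    if (-not (Test-Path $path)) { Write-Host "MISSING  $path"; continue }
    $hash = Get-FileSha256 $path
    $version = (Get-Item $path).VersionInfo.FileVersion
    # A hash mismatch with an identical version string is the pattern the post
    # describes: the driver still reports its normal version but its bytes differ.
    $status = if ($hash -eq $refHash) { 'MATCH   ' } else { 'MISMATCH' }
    Write-Host "$status $path  version=$version  sha256=$hash"
}

# Hosts entries other than comments, blank lines and the default localhost line
Write-Host "Non-default hosts entries in ${hostsFile}:"
Get-Content $hostsFile |
    Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { Write-Host "  $_" }
```

A MATCH only shows the copy agrees with the backup, not that the backup itself is clean; a MISMATCH on a driver that reports the same version as the backup is the signal worth acting on. Clearing the DNS cache in step 2 is `ipconfig /flushdns`.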
