Yet another redirect infection / safe mode BSOD

8 replies to this topic

#1 musicman8

Posted 04 January 2010 - 03:13 AM

Hello
I see on here that a lot of people have this problem also, seems to be a very well hidden virus/malware. Basically every so often my browser (firefox) gets hijacked and redirected to some random websites, usually thewebsitesurevey.com, directv.com or something like that. I'm usually pretty good with computers and finding these buggers but I'm having no luck on this one at all. Here's a list of things I've tried:

Gmer: looks clean to me
Spybot: clean
Malwarebytes: clean
Vundofix: clean
pctools: clean
Xoftspy: clean
Hijackthis: looking clean and lean
SUPERantispyware: clean
Dr.Web: clean
RootRepeal: CRASHES (on 'report', scan, select all, select drive -> bsod)
combofix: done twice
Smithfraudfix: clean
Hsfix: fine
Rkill: fine
Avenger: don't know how to use
ATFcleaner: fine
Also updated to latest Java

I've also loaded up UltimateBootCD and manually cleaned out all local/temp files, any suspicious files etc. and ran some cleaning tools there, also to no avail.

Any help would be greatly appreciated. Thanks!

Edit: also wanted to mention this hijack sometimes maximizes Firefox, which is very annoying. Here are some of the redirect url's, I'll post more as I get them:

http://www.thewebsitesurvey.com/?c=13371&a...701643602176%3F

http://www.local-news-online.com/?t202id=6...ok.com/home.php?

Edited by musicman8, 04 January 2010 - 03:55 PM.

#2 musicman8

Posted 05 January 2010 - 01:02 PM

anyone?

#3 boopme

Posted 05 January 2010 - 02:50 PM

Your Malwarebytes logs were all clean, or are clean now?
Try this:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 musicman8

Posted 05 January 2010 - 06:32 PM

Wow, I can't believe you found something! Here's what happens when I run TDSSKiller: it runs and says 'viamraid lrp handler infected by TDSS rootkit... cured.....'. And then the system freezes completely and I have to hard reboot. I tried this 3 times and it's the same every time, so the rootkit is still there. The log file is just an empty file. Now I can't do Safe Mode, I get a BSOD there too, and I tried running TDSSKiller from UltimateBootCD but it won't work. Any ideas?

Also I have to say I've been getting viamraid BSODs every once in a while for the last 2 years, so this looks like the likely cause. The Firefox redirect problem, however, only started about a week ago, so I'm not sure these two things are related.

Thanks so much for your help!

And yes, Malwarebytes WERE clean.

thx

Edited by musicman8, 05 January 2010 - 06:34 PM.


#5 boopme

Posted 05 January 2010 - 09:58 PM

Ok, this is XP? I would say, based on the Safe Mode issues and the resurrecting, that reformatting is probably the smartest thing.
Your decision as to what action to take should be made by reading and asking yourself the questions presented in "When Should I Format, How Should I Reinstall?" In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action, but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

We can also post an HJT log in that forum for them to review.

#6 musicman8

Posted 05 January 2010 - 10:28 PM

Yes, this is on XP. Formatting is not an option. The Safe Mode BSOD only just occurred when I started using all these different kinds of malware/spyware programs in the last week.

So at this point, all I'm trying to get rid of is the TDSS infection of Viamraid LRP Handler. There has to be a way to do that right? I tried to reinstall/update viamraid.sys but that didn't do it. Is this a service I need to stop? If you could point me in the right direction, that would be great.

I appreciate your help very much! Thank you
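An added defender-side check, not part of this thread and not TDSSKiller's own code: a PowerShell script that lists running kernel drivers whose on-disk file fails signature verification, since a file-infecting rootkit such as TDSS patches a legitimate driver (here viamraid.sys) and breaks that file's signature. It assumes a current Windows with PowerShell 4 or later (not the XP machine in the thread); the driver-name parameter and the output layout are my choices.

```powershell
# Added example, not from the thread or from TDSSKiller: report kernel-mode
# drivers whose on-disk file does not verify. TDSS/TDL3-style rootkits patch a
# legitimate driver file (the thread's viamraid.sys), which invalidates its
# Authenticode/catalog signature. Run from an elevated PowerShell prompt.
# Assumes Windows 8+ with PowerShell 4+ (Get-FileHash, catalog-aware signature
# checks); on Windows 7, catalog-signed drivers show as NotSigned, so treat
# NotSigned there as "verify manually", not as proof of infection.
param(
    [string]$DriverName = 'viamraid'   # driver to highlight, taken from the thread
)

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName comes in several shapes; normalise them.
    $p = $PathName -replace '^\\\?\?\\', ''                 # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

function Get-DriverSignatureReport {
    foreach ($d in (Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName })) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            # A loaded driver with no backing file is itself suspicious.
            [pscustomobject]@{ Name=$d.Name; State=$d.State; Status='FileMissing'; Signer=''; SHA256=''; Path=$path }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name   = $d.Name
            State  = $d.State
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash  # compare with a clean copy
            Path   = $path
        }
    }
}

# Show everything that is not Valid, plus the highlighted driver regardless of
# status. HashMismatch on a vendor driver is the pattern a patched file gives.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Name -like "*$DriverName*" } |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, Signer, SHA256, Path -AutoSize
```

The SHA256 column is there to compare against the same file from clean install media or a known-good machine; a signature that verifies but a hash that differs from the vendor's copy still merits a look.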

#7 boopme

Posted 05 January 2010 - 10:41 PM

Ok, then the safest way, so we do not lose functionality of the PC, is to have the HJT team find it.
You will need to run HJT/DDS.
Please follow this guide and do steps 6 through 8: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#8 musicman8

Posted 07 January 2010 - 02:40 AM

Ok, so I just want to give a quick update as to what happened: the last 24 hrs were a nightmare as I couldn't log in anymore with a persistent 0x00000050, so I figured it must be quite a virus and I'd have to bite the bullet and re-install fresh. As a last hail mary I did want to try a Windows repair installation though, and lo and behold, this fixed everything. The TDSS scan now comes up clean (I assume the infected viamraid got overwritten), Safe Mode is back and most scanners are giving a pretty clean bill of health. So far no Google redirects, but I've only been online a short while, so if it does happen again I will go through the steps you suggested. For now I think the Windows repair has somehow solved this.

Wanna give you a big thank you for your time and help, you guys take donations or anything like that? Let me know, thank you.

#9 boopme

Posted 07 January 2010 - 11:47 AM

Well, let's hope that happened. Usually only a reformat will the malware. Hope for the best. Thanks for letting us know.
