Search Redirects on Windows XP


3 replies to this topic

#1 shriekz

Posted 18 January 2010 - 09:12 AM

Hello,

I need help!!

Search on Google, Bing, etc. redirects to a weird site. I can see that it always seems to be going to a rle822x.cn site from where it goes to many other sites. I also see that many people have reported the same problem but with no response.

Please let me know what information you would need to help me solve this problem.

McAfee is installed and so is a ton of other spyware/anti-malware. All of them report problems and claim to have removed cookies or files, but I suspect the root cause of the problem still remains. RootkitRevealer reveals a ton of files as hidden from the Windows API, but I don't know what needs to be done based on this.

Any help will be appreciated.

Thanks
Shriekz



#2 Orange Blossom

  • Moderator

Posted 18 January 2010 - 06:38 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 shriekz


Posted 18 January 2010 - 06:43 PM

I don't know what the forum change means; hopefully it will help in solving the problem faster.

I definitely do know that I am infected and have all sorts of logs as well. I did not post them since it was recommended not to post them without anyone asking.

#4 shriekz


Posted 19 January 2010 - 08:50 PM

I am finally cured!!!!! For all of you redirect virus affected folks, here is how I did it.

I had done multiple rounds of running all sorts of anti-virus scans; you name it, I would have done it. I had run McAfee Enterprise, Dr.Web, Ad-Aware, MBAM, Microsoft Anti-malware... None of them even reported issues. McAfee would tell me that a cookie virus was there on every page click and would delete the cookie, but not solve the root cause.

RootRepeal and RootkitRevealer showed that some files had been created which were invisible to the API, not on disk (or something like that). This however did not tell me what needed to be done next. I was able to delete/wipe a lot of the files with RootRepeal, but that was still not solving the problem. The next time I browsed in IE, all the issues came back. Strangely, I noticed that sometimes it did not happen and sometimes it happened.

On detailed inspection, what I found was that this was not really associated with Google or any search engine. A click to any page that is hosted outside of the domain seemed to be causing the issue, and given that this was a pattern that occurred when we clicked search results, this was occurring constantly. This was really the clue. Something was definitely not OK with how the DNS was operating. The roundabout way to get over the problem was to add filters in the hosts file, but that does not take the virus out of the machine, and if you are like me, that always gives a vulnerable feeling.

Finally, I used the one and only rootkit detector, ComboFix, and rightfully so it detected the problem to be the DNS DLL (I don't recollect the name; it was something like atapi.dll or something). After fixing it with ComboFix, I booted WinXP in safe mode and ran SAS (another good antivirus that came close to solving it) and that wiped out the remaining files (after two attempts). Since then, I have not found any issues at all.

The guy who created this virus should absolutely be lynched and jailed, and I don't know what sadistic pleasure he gets in doing this.



