
I think I have the "redirect virus"


19 replies to this topic

#1 NightGoat (Members, 11 posts)

Posted 19 August 2010 - 09:36 PM

When I click on search results in Google it often directs me to a random site or strange search engine. This is a new occurrence. Occasionally a new tab will open by itself, and be at Google or sometimes other strange pages, usually search engines. I have tried AVG, MalwareBytes, Ad-Aware and Spybot S&D to no avail.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, Gender: Male, Location: NJ USA)

Posted 19 August 2010 - 11:13 PM

This may just be in your router.
Download and update MBAM (below). Do not run yet.

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.

However, if there are other infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site HERE for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system and reset the router to its default configuration, you can reconnect to the internet and the router.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 NightGoat, Topic Starter (Members, 11 posts)

Posted 20 August 2010 - 06:48 PM

I did exactly as you said. The problem still exists.

#4 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, Gender: Male, Location: NJ USA)

Posted 20 August 2010 - 08:43 PM

If still redirecting>>>
Change your DNS Servers:
  • Go to Start > Run... and in the open box, type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.
If the above commands did not resolve the problem, the next thing to try is to reset your network settings and Configure TCP/IP to use DNS.
  • Go to Start > Control Panel, and choose Network Connections.
  • Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  • Under the General tab, write down any settings in case you should need to change them back.
  • Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
  • Select the button that says "Obtain DNS servers automatically".
  • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually.
-- Vista users can refer to How to Change TCP/IP settings

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.

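A way to do the "unknown DNS servers" check from the post above on captured output rather than by clicking through dialogs, as an added example that is not from the thread or from BleepingComputer: a Python script that parses `ipconfig /all` output and lists, per adapter, every DNS server that is neither on the ISP-supplied list nor the adapter's own default gateway. The sample output, the adapter names and the `TRUSTED_DNS` addresses are constructed; the real resolver addresses come from your ISP, as the caution above says.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed `ipconfig /all` output in the Windows XP layout. The 192.0.2.x and
# 198.51.100.x addresses are documentation ranges, not real resolvers.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : example-pc
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Example PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.13
                                            198.51.100.14

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Resolvers you expect to see: the ones your ISP told you to use (constructed values).
TRUSTED_DNS: Set[str] = {"192.0.2.53", "192.0.2.54"}

ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")                  # unindented "... adapter X:" header
FIELD_RE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z \-]*?)[ .]*:\s*(?P<value>.*)$")
CONT_RE = re.compile(r"^\s{20,}(?P<value>\S+)\s*$")         # extra value on a deeply indented line


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each adapter to its fields; multi-line fields (DNS Servers) become lists."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[str] = None
    last_field: Optional[str] = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_field = None
            continue
        if current is None:          # host-level lines before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group("name").strip()
            adapters[current].setdefault(last_field, []).append(m.group("value").strip())
            continue
        m = CONT_RE.match(line)
        if m and last_field:
            adapters[current][last_field].append(m.group("value"))
    return adapters


def unknown_dns_servers(adapters: Dict[str, Dict[str, List[str]]],
                        trusted: Set[str]) -> Dict[str, List[str]]:
    """Per adapter, the configured DNS servers that are neither trusted nor the adapter's gateway.

    A server equal to the default gateway means the router is the resolver; then the
    router's own upstream DNS setting has to be checked on the router, not here."""
    flagged: Dict[str, List[str]] = {}
    for name, fields in adapters.items():
        gateways = set(fields.get("Default Gateway", []))
        unknown = [s for s in fields.get("DNS Servers", [])
                   if s not in trusted and s not in gateways]
        if unknown:
            flagged[name] = unknown
    return flagged


if __name__ == "__main__":
    # On a real machine: run `ipconfig /all > ipconfig.txt` and read that file instead.
    result = unknown_dns_servers(parse_ipconfig(SAMPLE_IPCONFIG), TRUSTED_DNS)
    for adapter, servers in result.items():
        print(f"{adapter}: unexpected DNS servers {servers}")
    if not result:
        print("All adapters use trusted DNS servers or the gateway.")
```

If an adapter's only DNS server is its gateway the client side is as it should be, but the router still has to be checked: a router whose upstream DNS has been changed, the case the first reply describes, is not visible from `ipconfig` at all.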

#5 NightGoat, Topic Starter (Members, 11 posts)

Posted 21 August 2010 - 04:37 PM

All done. Still no change. I'm sorry for leaving this out but I am running Windows XP and using Firefox as my browser.

#6 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, Gender: Male, Location: NJ USA)

Posted 21 August 2010 - 04:46 PM

OK, one more try here and then we will move if no luck.

Please read and follow all these instructions.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done, click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


This one is LONG. DrWeb-CureIt
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


Please ask any needed questions, post logs and let us know how the PC is running now.

#7 NightGoat, Topic Starter (Members, 11 posts)

Posted 21 August 2010 - 05:21 PM

Thank you, I will do these steps when I get home this evening.
Running Spybot S&D gets me this also:

Spywareinfo.TrafficZ: Bookmark (Firefox: Scott (default)) (Bookmark, fixed)

It seems to come back even after I fix and immunize.
I thought this could be useful info, as I just ran S&D today and it was there again.
I will take the aforementioned steps tonight.

#8 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, Gender: Male, Location: NJ USA)

Posted 21 August 2010 - 07:22 PM

1. Close Spybot and open Firefox
2. In Firefox, open "Bookmarks" and select "Organize Bookmarks"
3. In the right hand panel, right click the narrow bar at the top and make sure "Location" is checked
4. In the left panel, under "Bookmarks Menu" select each bookmark (or folder) one at a time, and check its location for "spywareinfo.com"
5. Each time it shows up, delete it. This is in case you have multiple bookmarks pointing to the offending domain.
6. When you're finished, close Firefox, run a Spybot scan, and hopefully it's a clean scan.
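The same bookmark hunt done against the profile database instead of the Organize Bookmarks window, as an added example that is not from the thread: Firefox 3.x keeps bookmarks in `places.sqlite` inside the profile folder (for this machine that is the `Profiles\lnpalisa.default` directory that appears in the GooredFix log further down; every other path, URL and row here is constructed). The script joins `moz_bookmarks` to `moz_places`, matches on the parsed hostname rather than on a substring of the URL so that look-alike hosts are not deleted by mistake, and runs against an in-memory stand-in for the real database.

```python
import sqlite3
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

BOOKMARK_TYPE = 1  # moz_bookmarks.type: 1 = bookmark, 2 = folder, 3 = separator


def bookmarks_for_domain(conn: sqlite3.Connection, domain: str) -> List[Tuple[int, str, str]]:
    """Return (bookmark id, title, url) for every bookmark whose host is `domain` or a subdomain of it.

    Matching on the parsed hostname (not a substring of the URL) avoids false hits on
    look-alike hosts such as notspywareinfo.com or spywareinfo.com.example.net."""
    domain = domain.lower().strip(".")
    rows = conn.execute(
        "SELECT b.id, b.title, p.url FROM moz_bookmarks AS b "
        "JOIN moz_places AS p ON p.id = b.fk WHERE b.type = ?",
        (BOOKMARK_TYPE,),
    ).fetchall()
    hits = []
    for bid, title, url in rows:
        host = (urlparse(url).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            hits.append((bid, title or "", url))
    return hits


def delete_bookmarks(conn: sqlite3.Connection, ids: Iterable[int]) -> int:
    """Delete the given bookmark rows; returns how many were removed."""
    ids = list(ids)
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))   # only the count is interpolated; values are bound
    cur = conn.execute(f"DELETE FROM moz_bookmarks WHERE id IN ({placeholders})", ids)
    conn.commit()
    return cur.rowcount


def build_sample_places() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite with only the columns the queries use."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
                                    parent INTEGER, title TEXT);
    """)
    places = [
        (1, "https://www.mozilla.org/", "Mozilla"),
        (2, "http://www.spywareinfo.com/", "Search"),                     # should be flagged
        (3, "http://spywareinfo.com/go?x=1", "Free Search"),              # should be flagged
        (4, "http://notspywareinfo.com/", "Look-alike host"),             # must NOT be flagged
        (5, "http://spywareinfo.com.example.net/", "Another look-alike"), # must NOT be flagged
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", places)
    bookmarks = [
        (1, 2, None, 0, "Bookmarks Menu"),  # a folder: no moz_places row behind it
        (2, 1, 1, 1, "Mozilla"),
        (3, 1, 2, 1, "Search"),
        (4, 1, 3, 1, "Free Search"),
        (5, 1, 4, 1, "Look-alike host"),
        (6, 1, 5, 1, "Another look-alike"),
    ]
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?, ?, ?, ?, ?)", bookmarks)
    conn.commit()
    return conn


if __name__ == "__main__":
    # Against a real profile (Firefox closed first, and a copy of the file taken):
    #   conn = sqlite3.connect(r"C:\Documents and Settings\<user>\Application Data\Mozilla\Firefox\Profiles\<profile>\places.sqlite")
    conn = build_sample_places()
    hits = bookmarks_for_domain(conn, "spywareinfo.com")
    for bid, title, url in hits:
        print(f"bookmark {bid}: {title!r} -> {url}")
    print("removed", delete_bookmarks(conn, (bid for bid, _, _ in hits)))
```

Close Firefox before touching the real file, as step 6 of the post assumes, and keep a copy of `places.sqlite`; the Organize Bookmarks route goes through Firefox's own bookmark code, while a direct `DELETE` does not, so the script is most useful for finding every copy of the bookmark before removing them in the browser.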

#9 NightGoat, Topic Starter (Members, 11 posts)

Posted 22 August 2010 - 12:37 AM

Yes, there was an instance of it in my bookmarks. Deleted and Spybot ran clean. Previously mentioned steps to be taken in the a.m.

#10 NightGoat, Topic Starter (Members, 11 posts)

Posted 22 August 2010 - 11:42 AM

First part, GooredFix log:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 12:40 on 22/08/2010 (Scott)
Firefox version 3.6.8 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{53BF2FE4-5EA0-4129-958C-4CC8B2B6653F} -> Success!
Deleting C:\Documents and Settings\Scott\Local Settings\Application Data\{53BF2FE4-5EA0-4129-958C-4CC8B2B6653F} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:49 22/10/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [06:05 24/10/2009]

C:\Documents and Settings\Scott\Application Data\Mozilla\Firefox\Profiles\lnpalisa.default\extensions\
personas@christopher.beard [05:01 14/04/2010]
tineye@ideeinc.com [20:36 02/08/2010]
{20a82645-c095-46ed-80e3-08825760534b} [00:33 29/04/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [16:54 18/08/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [21:55 22/10/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:06 23/10/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [06:05 24/10/2009]

-=E.O.F=-

#11 NightGoat, Topic Starter (Members, 11 posts)

Posted 22 August 2010 - 11:55 AM

MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4462

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/22/2010 12:53:29 PM
mbam-log-2010-08-22 (12-53-29).txt

Scan type: Quick scan
Objects scanned: 132969
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\0.966399228576896.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

#12 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, Gender: Male, Location: NJ USA)

Posted 22 August 2010 - 02:02 PM

OK, let's run FakeAlert Stinger.

Do an online scan with ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.

I think we should have it now.

#13 NightGoat, Topic Starter (Members, 11 posts)

Posted 22 August 2010 - 04:53 PM

Here is the requested DrWeb.csv:
Process in memory: C:\WINDOWS\system32\svchost.exe:804;;BackDoor.Tdss.565;Eradicated.;
dmio.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;

#14 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, Gender: Male, Location: NJ USA)

Posted 22 August 2010 - 05:02 PM

This was a good find. Do run the ESET and see if there are any more issues.
Also, that infection looks to steal passwords, so please change yours, especially if you do financials.

#15 NightGoat, Topic Starter (Members, 11 posts)

Posted 22 August 2010 - 06:54 PM

The ESET scan reported no threats, so it gave me no button for "list of found threats". It appears that I may be clean! However, I ran AVG after that and found this:

"C:\WINDOWS\system32\wuauclt.exe (2760):\memory_001b0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\system32\wuauclt.exe (2760)";"Trojan horse Adload_r.AKC";""
"C:\WINDOWS\System32\svchost.exe (1204):\memory_001a0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\System32\svchost.exe (1204)";"Trojan horse Adload_r.AKC";""
"C:\WINDOWS\system32\csrss.exe (732):\memory_00270000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\system32\csrss.exe (732)";"Trojan horse Adload_r.AKC";""
"C:\WINDOWS\Explorer.EXE (548):\memory_001a0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\Explorer.EXE (548)";"Trojan horse Adload_r.AKC";""

I did notice that Ad-Watch Live (AdAware) was running at the time of the scan, if that means anything.
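To read the two scanner reports in this thread (the DrWeb.csv lines in post #13 and the AVG lines just above) side by side, here is an added example that is not from the thread or from either vendor: a Python parser for both report formats that separates on-disk detections from in-memory ones and lists the running processes a scanner found code in. The sample lines are copied from the posts; the column layout is inferred from those lines and is an assumption beyond what the page states.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed samples that copy the shape (and the values) of the DrWeb.csv and
# AVG excerpts posted in this thread.
DRWEB_SAMPLE = r"""Process in memory: C:\WINDOWS\system32\svchost.exe:804;;BackDoor.Tdss.565;Eradicated.;
dmio.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
"""

AVG_SAMPLE = r'''"C:\WINDOWS\system32\wuauclt.exe (2760):\memory_001b0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\system32\wuauclt.exe (2760)";"Trojan horse Adload_r.AKC";""
"C:\WINDOWS\System32\svchost.exe (1204):\memory_001a0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\System32\svchost.exe (1204)";"Trojan horse Adload_r.AKC";""
"C:\WINDOWS\system32\csrss.exe (732):\memory_00270000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\system32\csrss.exe (732)";"Trojan horse Adload_r.AKC";""
"C:\WINDOWS\Explorer.EXE (548):\memory_001a0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\Explorer.EXE (548)";"Trojan horse Adload_r.AKC";""
'''


@dataclass(frozen=True)
class Finding:
    scanner: str
    path: str             # file path, or the hosting process image for in-memory hits
    pid: Optional[int]    # process id when the hit is inside a running process
    threat: str
    action: str           # what the scanner did or reported about the object
    in_memory: bool       # True when the detection is in process memory rather than on disk


# "Process in memory: <image path>:<pid>" as DrWeb writes it (assumed layout)
_DRWEB_MEM = re.compile(r"^Process in memory: (?P<path>.+):(?P<pid>\d+)$")
# "<image path> (<pid>)" optionally followed by ":\memory_<hex>" as AVG writes it (assumed layout)
_AVG_OBJECT = re.compile(r"^(?P<path>.+?) \((?P<pid>\d+)\)(?::\\memory_(?P<addr>[0-9A-Fa-f]+))?$")


def parse_drweb(text: str) -> List[Finding]:
    """DrWeb.csv rows are '<object>;<directory>;<threat>;<action>;'."""
    findings = []
    for line in text.splitlines():
        fields = line.rstrip(";").split(";")
        if len(fields) < 4:
            continue
        obj, directory, threat, action = (f.strip() for f in fields[:4])
        m = _DRWEB_MEM.match(obj)
        if m:
            findings.append(Finding("drweb", m.group("path"), int(m.group("pid")), threat, action, True))
        else:
            path = f"{directory}\\{obj}" if directory else obj
            findings.append(Finding("drweb", path, None, threat, action, False))
    return findings


def parse_avg(text: str) -> List[Finding]:
    """AVG rows are quoted, semicolon-separated: "<object>";"<threat>";"<note>"."""
    findings = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 2:
            continue
        obj, threat = row[0], row[1]
        note = row[2] if len(row) > 2 else ""
        m = _AVG_OBJECT.match(obj)
        if m:
            findings.append(Finding("avg", m.group("path"), int(m.group("pid")), threat, note,
                                    m.group("addr") is not None))
        else:
            findings.append(Finding("avg", obj, None, threat, note, False))
    return findings


def injected_processes(findings: List[Finding]) -> Set[Tuple[str, int]]:
    """(image name, pid) of every running process a scanner flagged in memory."""
    return {(f.path.rsplit("\\", 1)[-1].lower(), f.pid)
            for f in findings if f.in_memory and f.pid is not None}


if __name__ == "__main__":
    all_findings = parse_drweb(DRWEB_SAMPLE) + parse_avg(AVG_SAMPLE)
    for f in all_findings:
        where = f"pid {f.pid} (memory)" if f.in_memory else "on disk"
        print(f"[{f.scanner}] {f.threat}: {f.path} {where} -> {f.action or 'no action recorded'}")
    print("processes with code flagged in memory:", sorted(injected_processes(all_findings)))
```

What the combined listing makes visible is the pattern the moderator is reacting to: a driver under `system32\drivers` reported as cured, followed by memory-only hits inside svchost, csrss and Explorer that the scanner cannot reach on disk, suggests that something loading early at boot is still putting code into system processes, which is why the thread keeps escalating to further scanners rather than stopping at a clean ESET result.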



