

Redirect/Pop-up Malware


8 replies to this topic

#1 Noahjp

Noahjp

  • Members
  • 29 posts

Posted 19 November 2010 - 02:29 AM

Background Information: I recently got a new job. The computer at my place of business is public access (hotel business center). I was told when I was hired there were many issues with it, and I was confident that I could work them out. I got the job and within a week I was able to fix everything, or so I thought. The first issue was the printer giving back error messages. Every board I looked at told me that if updating drivers didn't work, then scrap the printer. It turned out to be a bad USB cord! The other issue was the screen had a black bar on the left and some of the display was in imagination land off to the right. That was easy, new drivers directly from the NVIDIA site (NOT the auto driver look-up that came with Windows 7 ... useless). The last issue was "Security Tools." Which leads me to the real issue of this post.

My work computer did not have any anti-virus software running when I was hired. I use a combo pack that runs well together (I know "they" say don't have more than one, but this is a good combo). The first thing I did was delete security tools (I have a handy little fix for that, it takes about 2 minutes and no need to go into safe mode or download anything... if anyone is interested). Then I installed Symantec Endpoint (11.0.5002.333) and ran a scan. The first scan found Security Tools in my recycle bin, a trojan (gyovo107_2185[1].exe) and a tracking cookie. Then I installed AdAware only found cookies. Then AVG (for the combo to work, Endpoint needs to be installed first THEN AVG). None of my anti-virus/malware software is detecting this redirect issue.

Symptoms: Visit any search engine and type in search parameters. Normal return for results. Click on a result and either get numerous pop-ups or redirect to "30 second scan" (or similar) or both. I'm thinking this is where Security Tools came from.

Things I've tried: Disable toolbars, enhance security settings, set pop-up blocker to max (requires ctrl+alt and click to open pop up). This last one actually stopped the popups but I still get 50 messages per minute about pop-ups being blocked.
I've searched forums and decided the issue is beyond my skill set. I probably need someone to analyze a report (hijack this or malwarebytes etc.) for me and walk me through the steps.

Interesting Note: If at google, I search and click to find a redirect. If I refresh (F5) the search result page, the redirect issue stops.

Edit: Moved topic from Win 7 to the more appropriate forum. ~ Animal



#2 booterbotter

booterbotter

  • Members
  • 299 posts
  • Gender:Male
  • Location:Pearl of the Orient

Posted 19 November 2010 - 02:53 AM

Hi,
try running the computer in safe mode w/ networking.
download rkill, then after that download mbam (make sure you rename both files, e.g. to eXplorer.exe for rkill and cmd.exe for mbam).

mbam + rkill combo should fix the issue; if not, you can try to see if there is an unusual process running using procexp and autoruns.
Just to add, if it's a rootkit issue, use gmer to scan for rootkits. For links to download those, you can find them all here on bleepingcomputer.

Patience is a true virtue. Never give up, never surrender.


#3 Noahjp

Noahjp
  • Topic Starter

  • Members
  • 29 posts

Posted 24 November 2010 - 12:37 AM

Ok, New information on the Google (and others) Redirect Issue. Since Noobie up there probably made the moderators think I was being helped, I'm probably not going to get any real help. I've been trying my damnedest to figure this one out and I think I'm on to something.

First let me describe the computer I'm working with, this was originally posted in the Windows 7 forum because I didn't understand the issue as I do now, and I'm new to bleeping computer.

Compaq Presario
Windows 7 Home Premium 64bit OS
AMD Sempron LE-1300 2.3GHz
2GB RAM

That should be sufficient. Now the issue:

"Google Redirect" It's really just about any search engine, but that's what people seem to be calling it. When I use the address bar to go to google (i.e. typing in http://www.google.com) all of my search results have an r3.google prefix. If I refresh the search results (F5), the r3.google prefix goes away and I can use the search results as normal. Also, if I use google toolbar to perform my search, the results are legitimate (i.e. no redirect issue with toolbar search). Epoclick and other sites are the most common along with "Security Tools" downloads. These also appear as pop-ups.

Things I've tried:
Running every virus scan I can think of. No luck, it is not visible from normal mode or safe mode. I tried modifying security settings in IE and Firefox (issue appears in both browsers), no results. I set the pop-up blocker settings to their maximum so I need to ctrl+alt+click to open a pop-up, this got rid of the pop-ups (but of course not the redirect issue). Refresh search results page, this worked too; the redirect issue is gone until I use the address bar again to go to google (or other search engine). This last led me to a new idea... Watch for process memory commit when I type a search engine into the address bar. The moment I hit "enter" to go to google, a process lit up!

Csrss.exe is running without a user name, it will not let me go to properties (right click process name --> properties) and it will not let me go to the file path (right click process name --> Open File Location). I find this to be very peculiar behavior. I've done some searches (after refreshing the google search result page) to see what this process is intended to do. Well, according to Process library it is a trojan that steals passwords and things. So I tried to end the process and I got the "access is denied, operation could not be completed" message. But I know I'm on the right path. I'm going to be updating here to let people know what I find. I'm not a bleeping computer expert, but I know how to troubleshoot, I think I can kill it.

p.s. due to the nature of this business computer, I am not authorized to provide detailed reports from hijackthis or other similar tools. If you feel like helping me, it will have to be a more manual assistance. Thanks for your understanding.

#4 Noahjp

Noahjp
  • Topic Starter

  • Members
  • 29 posts

Posted 26 November 2010 - 11:46 PM

Well... maybe not. There are actually a few processes that exhibit the same behavior. I think I read somewhere that Administrator isn't the top level of authority in Windows 7... I think the process issue was a dead end. The process that is actually running this virus is most likely hidden. Ah well, back to the drawing board.
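The two posts above stall on a question a defender can actually answer: is a csrss.exe that refuses "Properties" and "Open File Location" an impostor, or just a protected system process? Task Manager hides the owner and path of SYSTEM processes from a limited account, so those symptoms alone prove nothing. The following PowerShell script is an added example, not something from the thread; it assumes an elevated prompt on Windows 7 or later and compares every running csrss.exe against the signed copy in System32, flagging any that run from another path or fail signature validation.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell.
# The genuine csrss.exe lives in System32, is Microsoft-signed and runs as
# SYSTEM; there is normally one instance per logon session. Anything named
# csrss.exe that runs from elsewhere, or is unsigned, deserves a closer look.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'

function Test-CsrssInstances {
    Get-Process -Name csrss -ErrorAction SilentlyContinue | ForEach-Object {
        # WMI runs as SYSTEM, so it can read path and owner of protected processes
        $wmi   = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.Id)"
        $path  = $wmi.ExecutablePath
        $owner = $wmi.GetOwner()
        $sig   = $null
        if ($path -and (Test-Path $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
        }

        $signer = '(unreadable)'
        $status = '(unreadable)'
        if ($sig -and $sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            $status = $sig.Status
        }

        # Flag when the path is not the expected one or the signature is not valid
        $suspicious = ($path -ne $expected) -or (-not $sig) -or ($sig.Status -ne 'Valid')

        [PSCustomObject]@{
            PID        = $_.Id
            Session    = $_.SessionId
            Path       = $path
            Owner      = "$($owner.Domain)\$($owner.User)"
            Signer     = $signer
            SigStatus  = $status
            Suspicious = $suspicious
        }
    }
}

Test-CsrssInstances | Format-List
```

A legitimate machine shows every instance at the expected path, owned by NT AUTHORITY\SYSTEM, with SigStatus Valid and Suspicious False; the same check generalises to any process name by changing the `-Name` filter and `$expected` path.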

#5 Noahjp

Noahjp
  • Topic Starter

  • Members
  • 29 posts

Posted 27 November 2010 - 01:03 AM

Brighthub.com has a walkthrough for ridding the system of the "Google Redirect" Virus. It did not work. I did a visual check and I don't have a TDSSserv.sys in my "non-plug and play drivers." I went ahead and ran the TDSSKiller too just to be sure, and the results came back clean. So much for that route.

Microsoft offers an online scanner that supposedly will find and fix the issue, but the scan has yet to be made available for Windows 7 64bit (as far as I can tell). So that is useless as well.

E-how has the same directions as Brighthub. I don't have anything on this computer that resembles TDSS. Unless it has a new name (which I think is highly likely) or is hiding in a new spot (which I'm sure is also likely), then my google redirect issue is unrelated to TDSS.

The Symantec Website claims to have a fix for this by manually deleting certain registry values. Those values did not exist on my machine, therefore, my problem persists.

PC Mag has some good information about this, but directed me to Symantec and again, it was no help.

I'm starting to think maybe I have either a very new version of the virus or a very old version of the virus. I'm definitely being redirected to r3.google stuff... I'll continue to search and keep people updated. Also, if you know anything about this, or if a moderator decides it's worth helping me out, I'd really appreciate it.

#6 Noahjp

Noahjp
  • Topic Starter

  • Members
  • 29 posts

Posted 04 December 2010 - 04:48 AM

Well... I just got off-line with HP Live Support. I think those guys are just reading scripts and have limited knowledge of computers. But of course, I have limited knowledge too. :) The final result is a system recovery. Being a public access work computer, it's probably not the worst thing to do, but it will take a few hours. AND, it will completely eradicate all possibility of finding out what's actually going on with my computer thus removing the opportunity to increase the knowledge base regarding this virus and how to properly remove it. At the risk of upsetting the Moderators, I'm going to start a new topic regarding this same issue. Hopefully someone like Nwb doesn't bump that topic too.

#7 Noahjp

Noahjp
  • Topic Starter

  • Members
  • 29 posts

Posted 14 December 2010 - 01:53 AM

OK! I came up with a new idea. Originally I was going to re-install IE Explorer, but because I'm running Windows 7 64 bit, there seems to be no download available. Another reason to dislike Microsoft, they don't even offer support for their newest stuff. In addition, my boss couldn't find the original install disk for the computer. I thought maybe I would be able to do it from the Virtual drive with the recovery data, but that was a dead end. So, since this is a work computer and most people using it are computer illiterate, I deleted the shortcuts from the desktop, unpinned it from the start bar and removed IE explorer from the start menu list! There. No more redirects and no more virus downloads. The guests here will just have to get used to Mozilla (unaffected by this malware). Oh, I also made the folder for IE explorer a hidden folder so they would have to change the view in windows explorer to even see the folder containing the .exe. It's not 100% secure, but it's probably close to 90% secure.

I decided not to make a second post regarding this issue, and this will probably be my last reply to this post. If anyone ever reads this and decides they think they know what the real issue is and how to truly fix it (not just my jury rig), then please let me know. It would be much appreciated. Thanks.

#8 Noahjp

Noahjp
  • Topic Starter

  • Members
  • 29 posts

Posted 15 December 2010 - 12:32 AM

Well it seems people with limited computer knowledge are not familiar with Mozilla Firefox. Even though I called it "Mozilla Firefox - Internet Access", stupid Windows 7 truncated the name and gave it an ellipsis. Unless you actually highlighted it, you couldn't see the full name. AND it seems I left hidden files viewable and people found IE explorer and put the launch icon (for the 32-bit version which crashes on the 64-bit OS) back on the desktop. So, I got trickier. I changed the view settings to hide hidden folders (duh.) and altered the icon for Mozilla Firefox to look like it's IE explorer and renamed the shortcut "Internet." I tried to change the icon that is "pinned" to the start bar, but that doesn't seem possible. I decided to leave it there though. So to summarize: I did not get rid of the virus, but I've hidden the program from people's view. I renamed Internet Explorer to "Exp" ("Exp 64" for the 64-bit version) and changed that icon to look like a globe... that should prevent people from trying to open it (it apparently still shows up if you click "all programs" in the start menu). I changed the icon of Mozilla to look like the E with the halo for IE explorer. If people still try to access IE explorer from this computer, I'll just have to come up with something else.

#9 Noahjp

Noahjp
  • Topic Starter

  • Members
  • 29 posts

Posted 02 January 2011 - 01:04 AM

This is my last post on this topic.

I found a different forum here on bleepingcomputer in which to post regarding this issue. And I was certainly barking up the wrong tree. Gringo helped me out and the problem is solved! I encourage anyone viewing this to read through that posting too. Thank you.
