Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect Virus


  • This topic is locked This topic is locked
12 replies to this topic

#1 Kasper333

Kasper333

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:03 PM

Posted 02 February 2011 - 08:27 PM

I have been infected by the redirect virus. While minding my own business on the internet I all of a sudden get switched to another site. Sometimes it is just a harmless looking site but sometimes it is a very real looking alert saying Windows has detected this list of viruses and to click her right away to fix things. But I am smarter than that!

I am running Norton Security Suite, have run Norton Power Eraser, Malwarebytes, Hitman Pro and have also read other posts from your site and did exactly what it said to remove the Antimalware (which by the way was mysteriously installed on my computer) but nothings has worked. Malwarebytes did detect the Antimalware program and removed it but I am still getting redirected.

Please Help!!!

Edited by Budapest, 02 February 2011 - 08:40 PM.
Moved from AntiVirus, Firewall and Privacy Products and Protection Methods ~BP


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 02 February 2011 - 08:57 PM

Hi please try this and post the logs.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Kasper333

Kasper333
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:03 PM

Posted 04 February 2011 - 12:31 PM

I ran the TDSSKiller and it found nothing.

I updated and reran Malwarebytes and it found nothing. Here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5677

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/4/2011 12:22:35 PM
mbam-log-2011-02-04 (12-22-35).txt

Scan type: Quick scan
Objects scanned: 175367
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And, by the way I got redirected again when trying to reply to your post the first time.

Please offer anymore advise to kill this darn thing. Another note - I think it may have did something to my system restore because I can only restore back about two months and every time I try to run it I get a msg saying it was unable to restore my system to that point. I am really trying to avoid doing a total restore.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 04 February 2011 - 03:12 PM

OK, let's try one more scan here. The malware may be blocking the System Restore. Do not use it yet as it may restore the infections.

Please perform a scan with Eset Online Antiivirus Scanner.
This scan requires Internet Explorer,Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Kasper333

Kasper333
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:03 PM

Posted 04 February 2011 - 07:14 PM

Here is the log. It took a long time and I went out to dinner while it was still running.


C:\Documents and Settings\Guy\Application Data\8B69FF15DDB340A30955B0FA078A12BA\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Documents and Settings\Guy\Application Data\8B69FF15DDB340A30955B0FA078A12BA\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Documents and Settings\Guy\Application Data\Mozilla\Firefox\Profiles\qzdhkoqq.default\prefs.js Win32/Agent.RQD.Gen trojan cleaned by deleting - quarantined

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 04 February 2011 - 07:36 PM

Hi, some are quick and sometimes they are long. Looks like we got it here .. Hpw is it now?

This infection,Win32/Agent.RQD.Gen , allows hackers to remotely control your computer, steal critical system information and download and execute files.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Kasper333

Kasper333
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:03 PM

Posted 04 February 2011 - 07:37 PM

Well I guess that didn't work because I was just checking back here to see if I got any replies and Google opened a new tab to another site! GRRRRRRR!!!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 04 February 2011 - 07:44 PM

Rats!! It must be being protected so we need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 Kasper333

Kasper333
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:03 PM

Posted 04 February 2011 - 08:07 PM

I just read your latest post. Actually, I looked back thru my Norton log and every day lately it has said "Unauthorized Access Logged" and several times it has said "An intrusion atempt was blocked" It is always the same intrusion address. The Attacker URL is bkt2.co.cc/index.php?tp=eb79cfe8ca9316d5. Is there any way I can find out who this is since I have their address? It also says the Risk Name is: HTTP Java Obe Toolkit Activity 1.

I went back thru my Norton log about 6 months and I noticed right around the time all my problems started I had the following High Risk Alerts detected:

Backdoor.Cycbot!gen2
Trojan.Maljava
Backdoor.Trojan
Backdoor.Cycbot
W32.Spybot.Worm
Bloodhound.MaIPE
Trojan.FakeAV
Trojan Horse
Trojan.Gen.2
Packed.Mystic!gen6
Downloader
Trojan.Gen

Not sure if this will help you figure things out.

Edited by Kasper333, 04 February 2011 - 08:59 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 04 February 2011 - 08:49 PM

Hello again. As you have a backdoor bot the 2 options really are post i the new forum and have them get it out or reformat.
I do not know wgere you are but the IP 194.247.58.90 is from England.
http://ip-address-lookup-v4.com/lookup.php?ip=194.247.58.90

These all are info stealers and backdoor or bot infections
Backdoor.Cycbot!gen2
Trojan.Maljava
Backdoor.Trojan
Backdoor.Cycbot
W32.Spybot.Worm
Bloodhound.MaIPE
Trojan.FakeAV
Trojan Horse
Trojan.Gen.2
Packed.Mystic!gen6
Downloader
Trojan.Gen

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Kasper333

Kasper333
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:03 PM

Posted 04 February 2011 - 09:14 PM

I am still working on your previous instructions but from your last post I fear I will have to do a total restore. I was trying to avoid that as I have a lot of programs and data installed but I guess that would be the safest thing. I will go ahead and at least finish doing the last instructions you gave (steps 6-9, etc). Will it be safe to change my passwords, etc from a computer that is remotely connected thru my router? I asked Cisco if this virus could be transported thru my router but they said no because of the firewall.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:03 PM

Posted 04 February 2011 - 09:25 PM

Yes you can change them there. I agree to follow thru and have them see what you actually have in there.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,946 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:03 PM

Posted 06 February 2011 - 03:33 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic377965.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users