
Redirections


20 replies to this topic

#1 yellowcherry

yellowcherry

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:16 PM

Posted 18 August 2011 - 12:14 AM

I have thoroughly read through this thread several times and would like to jump in on the discussion.

I have the search engine redirect trojan/virus as well - which redirects me through 100ksearches or 3dayoftheweek or 4dayoftheweek or 5dayoftheweek.com.

I've tried everything from AVG (which failed to install), Ad-Aware Free, Norton Power Eraser, Malwarebytes, and Spybot Search and Destroy. The latter four all ran but failed to clean up the consrv.dll file which seems to be the offender.

I tried Comodo Anti-virus which found 25 infections and HitmanPro - but I came across the rebooting problem after deleting the files.

So, I've downloaded Kaspersky as Budapest recommended. It detected consrv.dll and deleted it and I was able to restart my machine (but barely...I had to shut off a black screen with just my mouse on it and restart it with my fingers crossed) and I was clear of the file. However, I let it continue scanning and then when I tried to shut the computer down - it froze again. Alas, I had to do a system restore so I have the virus once again.

I also tried the registry edit, but like Breadman, it won't allow the winsrv edit to stick. Any advice on getting it to stay? I did give myself full control permission.

I'm currently allowing the Kaspersky Virus Removal Tool to run one more time in hopes of successfully deleting the file without screwing up my boot.
I'm actually female, but I don't see the 'Change Gender' option. Nevermind, there it is.



#2 yellowcherry


Posted 18 August 2011 - 12:30 AM

I've become aware of a topic below on the search engine redirection problem. Once I have this Kaspersky scan finished (takes forever) I'll be sure to attempt the solutions that Broni has outlined if this fails.

#3 yellowcherry


Posted 18 August 2011 - 12:17 PM

Hours later, I'm running Windows Vista (sucks, I know) without the redirect virus - but I'll have to reboot and see if my computer turns on. Kaspersky has deleted consrv.dll as it is nowhere to be found on my system now and the registry now reflects winsrv instead of consrv. Be back in a few minutes if all is successful - if not, it means my computer failed to reboot and I'll have to deal with it in the evening...

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:16 PM

Posted 18 August 2011 - 09:42 PM

Hello, if you still redirect...

Please follow our Removal Guide here How to remove Google Redirects. You will move to the Automated Removal Instructions

If it finds something make sure Cure is selected
Next click Continue then Reboot now
A log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 yellowcherry


Posted 19 August 2011 - 01:53 AM

Thanks for the reply. Actually, the Kaspersky Virus Removal method seems to have worked with me, though there were some hairy moments when I didn't know if my computer would shut down properly or not. Seems the redirecting has stopped simply after using Kaspersky.

I'm still going to run some other anti-virus/malware programs to continue the computer clean-up. Hopefully I won't end up destroying the whole system.

#6 boopme


Posted 19 August 2011 - 09:52 AM

Ok, thank you!

#7 RDettwyler

RDettwyler

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 23 August 2011 - 12:19 PM

I just took care of this problem. Kaspersky didn't resolve it completely, although it did find many of the files infected by the trojan.

1) Boot into Safe Mode.
2) Find the executable by running taskmgr.exe and see it listed first under processes. In my case, the file was 414628332:1933958408.exe
3) Open registry editor (regedit.exe). Back up your registry. Find and remove all entries, not just keys but the subject folder as well, with that number (you only need to search for the first part - 414628332). If you find WOW with that entry, remove it, as it stands for "World of Warcraft" and is a part of the trojan.
4) Reboot into Safe Mode and run Kaspersky.
5) Reboot into normal mode.
6) Remove file Windows\414628332:1933958408.exe.
7) Sigh a big sigh of relief.

I hope this helps. It worked for me, exactly as I have written.

Rick

#8 SuperFeisty

SuperFeisty

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 29 August 2011 - 11:33 PM

Hey all,

I am still having problems with the 3dayoftheweek virus. I tried using the Kaspersky method, but when I scanned, it found no errors. But, I KNOW there is a problem: every site wants to be routed to 3dayoftheweek.com... I've tried using Rkill and Malwarebytes to remove, but it seems ineffective. Because I'm on the free trial for Malwarebytes, it shows every 1-2 minutes, a little popup saying Malwarebytes has blocked something. Can you guys give me some help?

Thanks so much,
K

#9 yellowcherry


Posted 30 August 2011 - 01:09 AM

What other methods or programs have you tried using? Perhaps you can take a look at the link boopme provided in the reply several posts above.
Also, I believe site moderators want everyone to post a new topic for his or her respective problem, just so no one gets confused.

#10 boopme


Posted 30 August 2011 - 09:02 AM

Hello, are you on a router? Are other machines on it, if so are they redirecting?

Do you use Firefox?

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically, go HERE click the Posted Image button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the prompts in the Fix it wizard.




Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#11 SuperFeisty


Posted 30 August 2011 - 11:21 AM

Below is my checkup.txt

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.2.152.26
Adobe Reader 9.3 MUI
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.20)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Malwarebytes' Anti-Malware mbamgui.exe
Symantec Norton Online Backup NOBuAgent.exe
``````````End of Log````````````



I think fixing the HOSTS file fixed the problem. My question is, will fixing it have any sort of ill effects on my computer? aka will I lose any sort of information I've stored? I apologize if the question appears very dumb, but I'm not especially savvy with computers or virus removal.

Thanks so much for all your help,
K

Edited by SuperFeisty, 30 August 2011 - 11:25 AM.


#12 SuperFeisty


Posted 30 August 2011 - 01:02 PM

Never mind... I thought it was fixed, but now the link is starting to pop up again on select sites :(

#13 boopme


Posted 30 August 2011 - 03:38 PM

Hello, the Hosts file is like the PC's address or phone book. Only the sites (your allowed addresses) are stored there. We cleaned in case a prank caller gets in. We did not change any of your stored info. More info here

http://www.bleepingcomputer.com/forums/tutorial51.html

If still redirecting>>>
Change your DNS Servers:
  • Go to Posted Image > Run... and in the open box, type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.
If the above commands did not resolve the problem, the next thing to try is to reset your network settings and Configure TCP/IP to use DNS.
  • Go to Posted Image > Control Panel, and choose Network Connections.
  • Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  • Under the General tab, write down any settings in case you should need to change them back.
  • Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
  • Select the button that says "Obtain DNS servers automatically".
  • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually.
-- Vista users can refer to How to Change TCP/IP settings

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
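
The HOSTS-file check behind the advice in posts #10 and #13, as an added example that is not part of the original thread: it parses a hosts file and reports every active mapping other than the default localhost entries. The sample file, its addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample, not taken from any machine in this thread.
# 203.0.113.0/24 is a documentation-only address range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
#	127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net    # blocklist entry
203.0.113.10    www.google.com google.com
203.0.113.10    search.yahoo.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each active, well-formed entry."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue  # blank line, comment, or an address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: not a usable entry
        yield line_no, ip, [name.lower() for name in fields[1:]]


def audit_hosts(text):
    """Return (line_no, kind, hostname, ip) for every non-default mapping."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name == "localhost" and ip.is_loopback:
                continue  # the only mapping a default hosts file may carry
            if ip.is_loopback or ip.is_unspecified:
                kind = "sinkhole"  # name blocked locally, often a blocklist
            else:
                kind = "redirect"  # name forced to another machine: review it
            findings.append((line_no, kind, name, str(ip)))
    return findings


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-8s %s -> %s" % finding)
```

A "redirect" finding for a search engine or other well-known site is the kind of entry a hosts reset removes; an empty result means the file matches the default.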

#14 SuperFeisty


Posted 30 August 2011 - 04:16 PM

Argh... Sorry to take your time once again, but when I ran both what you suggested, I now have "connecting to 4dayoftheweek"

#15 boopme


Posted 30 August 2011 - 08:35 PM

SuperFeisty

Are you on a router? Are other machines on it, if so are they redirecting?

Do you use Firefox?


Did you look in the Task manager as RDettwyler mentioned in post for a random numbered .exe file?


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware