I need help with search engine redirect virus

August 1, 2011 at 07:07:35
Specs: Windows 7
I have a search engine redirect virus; it is on both Firefox and IE, and on Google and Yahoo.
I need help fast. Please advise. I do not have much time to be on the computer.
Also, you will have to walk me through it step by step; I am a noob.
Also, I tried TDSSKiller and other tools, but that did not fix it. My hosts file is clean. I think I scanned with ZoneAlarm and with the Windows malicious software tool.




#1
August 1, 2011 at 07:12:36
Sounds like you've got TDL/Sinowal. I'd suggest using Process Hacker and checking the strings in iexplore.exe's stack; look for GLOBALROOT, which is a clear indicator of TDL4.


#2
August 1, 2011 at 07:39:22
Nope, I checked under iexplore.exe and firefox.exe; neither had it.
Here's what happened: I downloaded Process Hacker, then right-clicked and ran it as admin, and my computer froze up. I rebooted and repeated the process;
on the third reboot I was able to actually check. But when I googled something it did not redirect me. I can still tell that the virus is there because of some minute changes that I noticed (I notice all of the changes in Google). So anyway, no, GLOBALROOT was not there.
Please advise.
EDIT: I also noticed some random mouse movements, as if someone was directly controlling my computer and accidentally moved my mouse. It is really strange.


#3
August 1, 2011 at 07:49:12
Can you post a dump of Firefox/IE for me? Also, it might be prudent to download Autoruns (Sysinternals) and post a log file for analysis.

Your symptoms sound like classic TDL; however, it may be something far less nefarious, such as a rogue toolbar, or similar.



#4
August 1, 2011 at 07:50:36
You're going to have to walk me through how to post a dump of Firefox/IE; I have no clue how to do that. I will post the Autoruns log in just a sec.


#5
August 1, 2011 at 07:54:45
OK, here is the Autoruns saved file; I couldn't figure out how to post a log, so this is the closest I could get. Help please.

http://uploading.com/files/m1d22aac...



#6
August 1, 2011 at 08:18:05
%windir%\system32\gathernetworkinfo.vbs - please post the contents (if it's a reasonable size; else upload it again, please).

Other than this, there doesn't appear to be much else going on. Check your proxy settings and upload a dump of IE or FF :)



#7
August 1, 2011 at 08:24:13
OK, I did that and it gave me 2 folders and one file:
http://uploading.com/files/28249fmd...

You keep saying upload a dump of IE or FF. How do I do this, and what do I do?!

I also ran HitmanPro; it didn't find anything.

Checked my proxy settings and they are fine.

Also, it seems like the virus is gone, but I really don't believe it is, because there was nothing that I really changed. I'm sure it will come back.



#8
August 1, 2011 at 08:45:58
My apologies. Within the Process Hacker GUI, when you're analysing a particular thread/process, you can right-click --> Dump to disk; this should create a *.dmp file.

You're quite right: there's nothing in particular we've done besides analyse, so if something untoward was on your machine, it is almost certainly still there. A quick test: Google "Free Antivirus". Do you see AVG/Avast etc. returned as the top results? Do the links look correct? If you follow them through, do you get redirected?


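The check suggested in post #1 (look for GLOBALROOT in the browser's strings) and the *.dmp file described in post #8 can be combined into a small offline scanner. The following is an added example, not code from the thread or from Process Hacker: it extracts printable ASCII and UTF-16LE runs from a dump file and reports any that mention GLOBALROOT, since a path such as `\\?\GLOBALROOT\Device\...` inside a browser process is what the poster was told to look for. The sample dump bytes at the bottom are constructed for the demonstration; the device name in them is a placeholder, not a real TDL4 artefact.

```python
"""Scan a process dump (e.g. the *.dmp Process Hacker writes) for GLOBALROOT
path strings, the TDL4 indicator described in post #1.  Added example."""
import re
import sys

INDICATOR = "GLOBALROOT"          # matched case-insensitively
MIN_LEN = 6                        # shortest printable run worth reporting


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs.

    Both encodings matter: native code usually carries ASCII paths, while
    Win32 API calls from injected modules often use wide (UTF-16LE) strings.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in wide_run.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_globalroot(data: bytes):
    """Return [(offset, encoding, string)] for every string mentioning GLOBALROOT."""
    return [(off, enc, text) for off, enc, text in extract_strings(data)
            if INDICATOR in text.upper()]


def scan_dump(path: str):
    """Read a dump file from disk and return the GLOBALROOT hits in it."""
    with open(path, "rb") as fh:
        return find_globalroot(fh.read())


# Constructed sample "dump": benign padding and module names plus one ASCII
# and one wide-string path that reference a device via the GLOBALROOT alias.
# The device name is a placeholder, not a real TDL4 artefact.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MSHTML.DLL\x00" + b"\x90" * 8
    + b"\\\\?\\globalroot\\Device\\00000001\\sample.dll\x00\x00"
    + "C:\\Windows\\System32\\user32.dll".encode("utf-16le") + b"\x00\x00"
    + "\\\\?\\GLOBALROOT\\Device\\00000001\\sample.dll".encode("utf-16le")
)

if __name__ == "__main__":
    # With a path argument, scan that dump; otherwise scan the built-in sample.
    hits = scan_dump(sys.argv[1]) if len(sys.argv) > 1 else find_globalroot(SAMPLE_DUMP)
    for off, enc, text in hits:
        print(f"0x{off:08x} {enc:8} {text}")
    if not hits:
        print("no GLOBALROOT strings found")
```

Run it as `python scan_dump.py iexplore.dmp` against the file Process Hacker wrote. A hit is only an indicator, as post #1 says: legitimate software rarely opens files through the GLOBALROOT alias, but any match still needs the module that owns the string identified before it is called a rootkit.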

#9
August 1, 2011 at 08:51:52
Yep, it was exactly how you said it should be; also the orangeish ad box at the top was there (it originally wasn't there). The AVG link directed me to:
http://free.avg.com/us-en/homepage
Avast:
http://www.avast.com/free-antivirus...

So yeah, it directed me right.
I will post the dumps, but I might have to manually boot my computer, because last time it froze my computer. Will post now.



#10
August 1, 2011 at 08:54:31
OK, that sounds good. If this doesn't show anything, we can think about using GMER, but it's a bit intense and will take some work.


#11
August 1, 2011 at 09:09:21
Umm, uploading.com says it's taking about half an hour to upload. I need a solution fast. Is there anything I can do in the meantime? I need this resolved quickly.
Thanks.
BTW, I'm still letting uploading.com upload the file.


#12
August 1, 2011 at 09:15:44
Well, we can check your MBR for any suspect code, but I'm becoming less convinced this is a bootkit.

While we're waiting for the upload, dump and upload your MBR using a freeware tool, such as:

http://diy-datarecovery-mbrtool.sof...



#13
August 1, 2011 at 09:21:50
Sorry, I'm going out; I'll do all this when I get back home in 1-2 hours. Please don't forget to check back.
Thanks!


#14
August 1, 2011 at 11:54:17
OK, here are the FF and IE dumps. What is next?


#16
August 2, 2011 at 05:31:08
I'll run them through a debugger and let you know what I find. It may take a few hours.


#17
August 2, 2011 at 07:15:55
They look fine to me. Can you try this:

Launch an elevated command prompt, then run these two commands, one after the other:
ipconfig /flushdns
ipconfig /registerdns

Let these complete, then attempt to recreate the redirects.



#18
August 2, 2011 at 08:35:55
Yeah, I already did that earlier. I guess that might've taken care of it. I'll do some searches and check it out.


#19
August 2, 2011 at 08:44:04
Keep us posted, Josh! :)


#20
August 2, 2011 at 09:32:39
joshneedshelp,

Is your problem not solved?

A duplicate post was made:
http://www.computing.net/answers/se...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#21
August 2, 2011 at 16:50:30
Yeah, I guess my problem was solved.
It wasn't at all clear HOW it got solved.
I ran ComboFix and it found one thing. I don't think that was it, though. It was a "data.dat" in my Users\Joshua\AppData\Roaming folder.
I'll have to do more searching to be sure it is off.


#22
August 2, 2011 at 17:07:28
OK, just wanted to make sure, since I saw the other post. However, the time was earlier...

Have a great week.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#23
August 6, 2011 at 14:32:06
I just had this exact same problem start occurring today. Every Google/Bing search would redirect me to some different advertising site. I cleared the cache and deleted history and temp files. I also verified I had no virus running in the background. I read on another board that this affected IE8, so I upgraded to Firefox 5.0, and even with Firefox I encountered the same search redirect issues.

I saw the suggestion above to flush DNS, and it corrected my problem for both IE 8 and Firefox. I had already rebooted multiple times and even turned off the PC. Now my question is, what exactly did this command do to fix the issue?



#24
August 6, 2011 at 15:32:27
KernelFactory,

To my understanding...

DNS = Domain Name System
It is a database system that translates a computer's domain name into an IP address.
For example, it's easier to remember the domain name www.amazon.com, than it is to remember its corresponding IP address (207.171.166.48).

Malware makers can replace the IP address of a DNS entry with an IP address that is maliciously controlled.

Now, Windows maintains a DNS cache to store the names and IP addresses of systems that you access. If you flush the DNS cache, you’re telling the DNS server to actually check for an updated IP address instead of using the old cache file that may be doing the redirection.

A word of caution, though. Flushing DNS does not always solve redirections. What kind of malware has been installed on the computer, and how it was installed, plays a part.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#25
August 6, 2011 at 18:33:31
DNS poisoning is quite a popular attack vector, but the flush/register commands clear this.

If the redirects are still happening, I'd consider checking, again, for rootkit activity.


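Posts #24 and #25 explain the fix in terms of the cache: on Windows, `ipconfig /flushdns` empties the DNS Client service's local resolver cache, so any cached answer (poisoned or merely stale) is discarded and the next lookup goes back to the configured DNS server. Before flushing, it is worth looking at what the cache actually holds; `ipconfig /displaydns` prints it. The following is an added example, not code from the thread: it parses that output and the hosts file, then reports watched search-engine names whose cached address is not among the addresses a trusted resolver returned, and any watched name pinned in the hosts file. The watch list, the "trusted" answers and the sample output are constructed for the demonstration (addresses are from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24), and the record layout assumed is the Windows 7-era `ipconfig /displaydns` format; on a real machine the trusted answers should come from a resolver that does not go through the suspect machine's own resolver path.

```python
"""Check the Windows resolver cache and hosts file for redirected search-engine
names.  Added example; parses `ipconfig /displaydns` output and a hosts file,
and compares the cached answers against answers from a resolver you trust."""
import re
from collections import defaultdict

# Names whose answers we care about on a "search redirect" machine (constructed).
WATCH = {"www.google.com", "www.bing.com", "search.yahoo.com"}

RECORD_NAME = re.compile(r"Record Name[ .]*: (\S+)")
ADDRESS = re.compile(r"(?:A \(Host\)|AAAA) Record[ .]*: (\S+)")


def parse_displaydns(text: str) -> dict:
    """Return {name: {address, ...}} from `ipconfig /displaydns` output.

    Each cached entry is a block starting with a 'Record Name' line; A and
    AAAA lines that follow belong to that name.  CNAME entries are skipped;
    the canonical name gets its own block in the same output.
    """
    records = defaultdict(set)
    name = None
    for line in text.splitlines():
        line = line.strip()
        m = RECORD_NAME.match(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            continue
        m = ADDRESS.match(line)
        if m and name:
            records[name].add(m.group(1))
    return dict(records)


def parse_hosts(text: str) -> dict:
    """Return {name: {ip, ...}} from a hosts file, ignoring comments."""
    entries = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            entries[n.lower()].add(ip)
    return dict(entries)


def find_poisoned(cached: dict, trusted: dict, watch=WATCH) -> list:
    """Return [(name, [bad addresses])] for watched names whose cached
    answer contains an address the trusted resolver did not return."""
    findings = []
    for name in sorted(watch):
        got, want = cached.get(name, set()), trusted.get(name)
        if not got or want is None:
            continue      # not cached, or no trusted answer to compare with
        bad = sorted(got - want)
        if bad:
            findings.append((name, bad))
    return findings


def find_hosts_overrides(hosts: dict, watch=WATCH) -> list:
    """Return [(name, [ips])] for watched names pinned in the hosts file;
    a clean hosts file should never mention a public search engine."""
    return sorted((n, sorted(ips)) for n, ips in hosts.items() if n in watch)


# --- constructed sample input (not captured from the poster's machine) ---
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    www.google.com
    ----------------------------------------
    Record Name . . . . . : www.google.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 60
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10


    search.yahoo.com
    ----------------------------------------
    Record Name . . . . . : search.yahoo.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7
"""

# What a resolver outside the local resolver path answered (constructed).
TRUSTED = {
    "www.google.com": {"198.51.100.20", "198.51.100.21"},
    "search.yahoo.com": {"198.51.100.7"},
}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
"""

if __name__ == "__main__":
    cache = parse_displaydns(SAMPLE_DISPLAYDNS)
    for name, bad in find_poisoned(cache, TRUSTED):
        print(f"cached answer for {name} not confirmed by trusted resolver: {bad}")
    for name, ips in find_hosts_overrides(parse_hosts(SAMPLE_HOSTS)):
        print(f"hosts file pins {name} to {ips}")
```

On a live machine, save the cache with `ipconfig /displaydns > cache.txt` and read `%SystemRoot%\System32\drivers\etc\hosts`, then feed both to the parsers. A mismatch does not by itself prove poisoning (large sites legitimately answer with different addresses per resolver and per minute), but an address that no trusted resolver ever returns for a search engine is exactly the symptom this thread describes, and it is the entry a flush removes. As post #24 cautions, if the flush helps only briefly, something on the machine is re-poisoning the cache or has changed the resolver itself, which is the rootkit case post #25 points back to.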

#26
October 16, 2011 at 13:30:59
So I had this exact same problem and tried the same solution, but it's not working. ipconfig /flushdns was able to successfully flush the DNS Resolver Cache, but ipconfig /registerdns said "The requested operation requires elevation" and didn't work.

