Search Engine Redirecting Virus

Averatec N3440th1e-1 notebook
June 14, 2010 at 10:06:10
Specs: Windows XP, 1.658 GHz / 479 MB
I am having the same issue as the individual describes in the following thread.

http://www.computing.net/answers/se...

My issue is that this is a sensitive work laptop and I am unable (by contract) to do ANY work on it until the issue is resolved.

I have already downloaded and renamed Malwarebytes' Anti-Malware, installed it and am now running a quick scan.

I would rather get some help than try to copy what has been done with someone else... I can't take the chance that something will get screwed up.

Thank you




#1
June 14, 2010 at 13:36:16
As I suggested with someone else, try changing your DNS servers by doing the following:

How to configure TCP/IP
To configure TCP/IP, follow these steps:

1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
2. Right-click the network connection that you want to configure, and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically.
5. If you want to manually configure DNS server addresses, click Use the following DNS server addresses, and then type the preferred DNS server and alternate DNS server IP addresses in the Preferred DNS server and Alternate DNS server boxes.

For Preferred DNS server, type in "208.67.222.222",
and for Alternative DNS server in "208.67.220.220".

Also, before doing that, if you are running Firefox, please disable JavaScript, as the Google Redirect Virus exploits this.

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#2
June 14, 2010 at 13:45:10
What is changing the DNS information going to do to remedy the situation?


#3
June 14, 2010 at 13:55:26
The virus usually messes with the default DNS settings and redirects your searches, and switching to a static IP (OpenDNS) seemed to have worked before. A user had a similar situation, where not even resetting his router would work, as he was still being redirected.

You could also try running Hitman Pro 3.5: http://download.cnet.com/Hitman-Pro...



#4
June 14, 2010 at 13:58:54
The problem that I am having now is that as soon as I open a browser window I immediately start getting pop-up balloon icons from the icon tray telling me that I have infected programs, and "AV Security Suite" keeps trying to get me to use their package. I can no longer access any web pages.


#5
June 14, 2010 at 14:04:56
Try following these steps here: http://www.bleepingcomputer.com/vir...


#6
June 14, 2010 at 14:13:32
I cannot open malwarebytes. I get the rogue "security notice" that mbam.exe is infected.


#7
June 14, 2010 at 14:22:13
Running Malwarebytes in Safe Mode....


#8
June 14, 2010 at 14:22:49
Were you able to run Rkill?.. and did you follow said steps in Safe Mode?..

Edit: Sorry, didn't see that you said you were running Malware Bytes in safe mode.


#9
June 14, 2010 at 14:25:42
What is Rkill?


Also, Malwarebytes Full Scan or Quickscan?

(Last time I did a full scan (three days ago) it took over 4.5 hours...)



#10
June 14, 2010 at 14:34:47
It's a Rootkit Remover. I'm guessing you didn't see the link to the post on bleepingcomputer.com?..

(This will help you remove the "Antivirus Security Suite" virus): http://www.bleepingcomputer.com/vir...


#11
June 14, 2010 at 14:37:34
<sheepish grin> yea, I just did. Doing that now.



#12
June 14, 2010 at 14:39:35
Lol, *chuckles*, Tis quite alright.


#13
June 14, 2010 at 14:43:55
Still getting "Internet Explorer cannot display selected webpage."

Just downloaded rkill from another PC and about to install.



#14
June 14, 2010 at 14:45:57
Okay, please follow those instructions carefully.

Edit: Rkill is actually a process killer (for malware and viruses)


#15
June 14, 2010 at 14:51:41
message from rkill:

"Run as (My name) on 06/14/2010 at 17:44:31

Processes terminated by rkill or while it was running:

rkill completed on 06/14/2010 at 17:44:34"



#16
June 14, 2010 at 14:57:43
Okay, now Do NOT reboot your computer, just like the instructions tell you not to. Now, please re-run Malware Bytes and do a full scan, then after it's finished, click on "Ok" which should bring up a "Show Results" section, click on "Remove Selected", and if it prompts you to reboot, please do so.


#17
June 14, 2010 at 15:00:10
Ok... I cancelled the quick scan and started the full scan.

Once this is done, then I should (hopefully) be able to deal with the browser redirect issue.

Will you be checking messages this evening?



#18
June 14, 2010 at 15:04:43
Yes sir, I'll be on these forums until Midnight.


#19
June 14, 2010 at 17:24:11
OK... Malwarebytes finished running in safe mode... here are the results.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4198

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/14/2010 8:18:55 PM
mbam-log-2010-06-14 (20-18-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 292944
Time elapsed: 2 hour(s), 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Now what? Am I finished with this matter?

I still have the search engine redirectors to deal with.


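The Malwarebytes log in #19 can be triaged automatically rather than read by eye. The following Python is an added example, not code from the thread or from Malwarebytes; it uses a constructed excerpt in the same log format (summary counts first, then a section per category listing each detection) and checks that the counts and the listed detections agree.

```python
import re

# Constructed excerpt in the Malwarebytes 1.46 log format quoted in the thread
# (summary counts first, then one section per category listing each detection).
SAMPLE_LOG = """\
Scan type: Full scan (C:\\|)
Memory Processes Infected: 0
Registry Keys Infected: 4
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\Software\\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\Software\\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary counts, {section: [(path, threat, action), ...]})."""
    summary, sections, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            current = m["section"]
            sections[current] = []
        elif (m := ITEM_RE.match(line)) and current is not None:
            sections[current].append((m["path"], m["threat"], m["action"]))
    return summary, sections


def count_mismatches(summary, sections):
    """Sections whose summary count disagrees with the detections actually listed."""
    return {s: (n, len(sections.get(s, []))) for s, n in summary.items()
            if n != len(sections.get(s, []))}


def threat_families(sections):
    """Distinct detection names, e.g. to see whether a rogue AV family recurs across scans."""
    return sorted({threat for items in sections.values() for _, threat, _ in items})
```

Comparing `threat_families` across consecutive scans is how you notice the pattern this thread ran into: the same keys reported as removed reappearing after a reboot, which points at something else (here the rootkit) restoring them.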

#20
June 14, 2010 at 17:44:38
Are you still being directed, or can you only not get on the internet?..


#21
June 14, 2010 at 17:46:57
I'm still sitting in safe mode awaiting further instruction.


#22
June 14, 2010 at 18:21:15
I restarted in normal mode and the damn AV Suite is back.



#23
June 14, 2010 at 18:24:45
See if Trojan Remover can get the job done, http://www.simplysup.com/tremover/d...


#24
June 14, 2010 at 18:28:19
from safe mode or normal mode?


#25
June 14, 2010 at 18:36:07
When Trojan Remover is installed, it says that the program is expired, and it cannot reach the server to update itself with the most recent version.


#26
June 14, 2010 at 18:38:24
Try installing the update found here, but make sure the program is closed: http://www.simplysup.com/tremover/u...


#27
June 14, 2010 at 18:44:12
Other threads that I've read have suggested running DDS and GMER. Should I do this as well? And from normal mode or safe mode?

With the Trojan Remover, I keep getting the error message, "Cannot access Download Server."



#28
June 14, 2010 at 18:58:36
Gmer... I'm honestly not that familiar with, and from what I've read, it can carry the same risks as Combo Fix, and since that is a sensitive laptop, and I don't want you to lose any data, I would try this: http://support.kaspersky.com/viruse... (Download the one that says Tdss) and try running it in safe mode, if at all possible.


However, we can try Gmer as a last resort.


#29
June 14, 2010 at 19:15:30
OK. Results of Kaspersky are:

c:\windows\system32\drivers\amdk7.sys was infected by a TDSS rootkit.

I am currently rebooting the system in safemode.

Then what?



#30
June 14, 2010 at 19:27:55
Boot into your normal user account and see if that fixed the problem.


#31
June 14, 2010 at 19:29:49
Do I need to re-scan with malwarebytes for the four rogues that it found previously and seemingly re-installed when I rebooted or will the TDSS killer have taken care of them?


#32
June 14, 2010 at 19:39:24
It SHOULD have taken care of them, but it won't hurt to do another full scan with Malware Bytes in safe mode.


#33
June 14, 2010 at 19:41:33
OK.... let's ASSUME that it took care of them.

Now what about the browser re-directors?



#34
June 14, 2010 at 19:59:43
That TDSS Killer should have taken care of it. But if you're not being redirected yet still can't get on the internet, I would check your Hosts file, and try resetting it back to the default: http://support.microsoft.com/kb/972034

If you're still being redirected, you can try running Combo Fix, found here, please follow the instructions very carefully, as it is a powerful program: http://www.bleepingcomputer.com/com...

Another option to stop the redirects, is to change your DNS Servers, if you haven't done so already.

Also, I would check your proxy server settings in Internet Explorer, by going to Tools > Options > Connections > LAN settings and untick any box that says to use a proxy server.

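The hosts file check suggested in #34 can be done without hand-reading the file. This is an added Python example, not from the thread or from Microsoft; it assumes the standard Windows XP hosts path and works on a constructed sample file, flagging any name that is mapped somewhere other than loopback or a 0.0.0.0 sinkhole and telling you whether the file is already in the default state the KB 972034 reset produces.

```python
import ipaddress

# Default hosts file location on Windows XP (real path); the checks below work on text alone.
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: the stock localhost line plus hijack entries of the kind a redirector
# leaves behind (192.0.2.0/24 is a documentation range, not a real attacker address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com
192.0.2.10      www.malwarebytes.org
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP literal; ignore rather than crash on junk
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_entries(text):
    """Mappings that send a name anywhere other than loopback or the 0.0.0.0 sinkhole."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]


def is_default_hosts(text):
    """True when only localhost -> loopback remains, the state KB 972034's reset restores."""
    entries = list(parse_hosts(text))
    return bool(entries) and all(ip.is_loopback and name == "localhost" for ip, name in entries)


def audit_hosts_file(path=HOSTS_PATH):
    """Read the live file (Windows) and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```

Entries that point search engines or AV/update sites at an outside address are the hosts-file form of the redirect described in this thread; the DNS and proxy settings in #34 are the other two places the same symptom can come from.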

#35
June 14, 2010 at 20:04:18
While I was waiting for your response I quick scanned in safe mode and the four rogues came up again.

I'll delete those and try from there.



#36
June 14, 2010 at 20:09:21
I need a little more in depth help here.

I have been dicking around with this for the past TEN hours.

If you can't help me with the in-depth answers that I am seeing on other threads, then please pass me to someone who can.

I don't want to seem unappreciative, but I'm starting to lose patience.



#37
June 14, 2010 at 20:10:01
Whoops. Didn't see you replied. Anyway, I've pretty much suggested all that I can think of, to be honest. I'm assuming you've tried combo fix, and that hasn't helped. I would try www.bleepingcomputer.com, or sending a private message to Websfty001 (Ian), even though I don't believe he was on today, or Emmit6378. You could also try www.geekstogo.com


#38
June 14, 2010 at 20:45:28
The DNS Servers were already set to obtain DNS server addresses from a DHCP server.

I did uncheck the box that asked to use a proxy server.

IE8 opened without incident, and upon searching for different sites through Google it appears as though the problem has (for now) been fixed.

Is this a temp fix or is there something else I need to do to ensure that this doesn't happen again?



#39
June 14, 2010 at 20:55:16
You should be all set. If you were allowed to, which you probably aren't... You could look into using Virtual Box, which creates a virtual hard drive on your computer and allows you to run an operating system of your choice (Linux would be preferred in this case, because it's immune to Windows viruses, as it's a different type of file system); you could browse the web and check email etc. using that Linux installation, and be virus free.
