I need help getting rid of the redirect virus

October 17, 2011 at 09:57:52
Specs: Windows Vista
Every time I search for something on google, yahoo or bing, I get redirected anytime I try to click on a link. When I try to run anti-virus programs, something always goes wrong with them. I get all sorts of error messages.




#1
October 17, 2011 at 14:31:44
golfpro1982,

In order to help identify the malware issue with your system, please do the following:

Download DDS from one of these locations:
http://download.bleepingcomputer.co...

http://download.bleepingcomputer.co...

Save it to your Desktop

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the programs we are about to run.

If you wish to look at information on how to disable these programs, please refer to the information available through this link:
http://www.bleepingcomputer.com/for...

XP: Double-click the DDS file to run the program
Vista/Windows Seven: Right-click DDS and select: Run as Administrator

When done, DDS opens two logs:
-DDS.txt (Opens on the Desktop)
-Attach.txt (Is minimized - will show on the TaskBar)

Save both reports to your Desktop, and post them in your reply.

However, since these reports can be large, please upload them to Megaupload:
http://www.megaupload.com/

It is very easy to use:
Click: Browse
Select a file to upload
Upload the file
To the right of 'Send', enter a file description:
Click 'Send'
Copy the link provided, and post it in your reply.


Also download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

XP: Double-click the file to run the program
Vista/Windows Seven: Right-click the file and select: Run as Administrator

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.
Note - Please do NOT attempt to fix anything!!

Also post the log produced by 'aswMBR' in your reply.
This is a shorter report, and you do not need to upload it.


You will notice that another file is created on the Desktop.
It is named MBR.dat

Please keep the file on the Desktop, and do not do anything with it.
This is important, just in case we need to have access to the Master Boot Record (MBR) information.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#2
October 17, 2011 at 17:38:46
After posting my first post, I downloaded HitmanPro and it found 4 trojans and 1 malware that it cleaned up. Since then I haven't had the redirect problem, but I was hoping you could still look at the logs and see if there is anything else on my computer.

Here are the urls for the .txt files from dds.

http://www.megaupload.com/?d=H3XZ41A6

http://www.megaupload.com/?d=LQ8YWH3V

and here is my aswMBR.txt log

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-17 18:33:51
-----------------------------
18:33:51.791 OS Version: Windows 6.0.6002 Service Pack 2
18:33:51.791 Number of processors: 2 586 0x6802
18:33:51.792 ComputerName: TARA-PC UserName: Tara
18:33:54.617 Initialize success
18:34:33.917 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
18:34:33.925 Disk 0 Vendor: Hitachi_HTS542525K9SA00 BBFOC32P Size: 238475MB BusType: 3
18:34:35.969 Disk 0 MBR read successfully
18:34:35.989 Disk 0 MBR scan
18:34:36.000 Disk 0 unknown MBR code
18:34:36.030 Disk 0 scanning sectors +488392065
18:34:36.132 Disk 0 scanning C:\Windows\system32\drivers
18:34:48.290 Service scanning
18:34:50.295 Modules scanning
18:35:13.880 Disk 0 trace - called modules:
18:35:13.917 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
18:35:13.922 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d5bac8]
18:35:13.929 3 CLASSPNP.SYS[8a5b18b3] -> nt!IofCallDriver -> [0x854ab3f8]
18:35:13.935 5 acpi.sys[806136bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x8549f030]
18:35:13.944 Scan finished successfully
18:35:36.457 Disk 0 MBR has been saved successfully to "C:\Users\Tara\Desktop\MBR.dat"
18:35:36.466 The log file has been saved successfully to "C:\Users\Tara\Desktop\aswMBR.txt"
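An added example, not code from this thread or from AVAST: a small Python triage script for the aswMBR log format posted above. It pulls out the OS version, whether the MBR was read, whether aswMBR reported "unknown MBR code" (the bootstrap code did not match the boot loaders the tool knows; a prompt to look at the saved MBR.dat, not a verdict), the path the MBR was saved to, and the disk-stack trace. The sample input is an excerpt of the log above, embedded so the script runs offline; the function names and the triage messages are mine.

```python
import re
from typing import Dict, List

# Excerpt of the aswMBR log posted above, embedded as the sample input for this
# example (copied from the post, not produced by running the tool here).
SAMPLE_LOG = r"""aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-17 18:33:51
-----------------------------
18:33:51.791 OS Version: Windows 6.0.6002 Service Pack 2
18:34:35.969 Disk 0 MBR read successfully
18:34:35.989 Disk 0 MBR scan
18:34:36.000 Disk 0 unknown MBR code
18:34:36.030 Disk 0 scanning sectors +488392065
18:35:13.880 Disk 0 trace - called modules:
18:35:13.917 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
18:35:13.922 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d5bac8]
18:35:13.929 3 CLASSPNP.SYS[8a5b18b3] -> nt!IofCallDriver -> [0x854ab3f8]
18:35:13.935 5 acpi.sys[806136bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x8549f030]
18:35:13.944 Scan finished successfully
18:35:36.457 Disk 0 MBR has been saved successfully to "C:\Users\Tara\Desktop\MBR.dat"
"""

# Every event line is "HH:MM:SS.mmm <message>"; the header lines carry no timestamp.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
# Trace hops look like "1 nt!IofCallDriver -> \Device\Harddisk0\DR0[...]".
HOP_RE = re.compile(r"^\d+ .*->")


def parse_aswmbr(text: str) -> Dict[str, object]:
    """Extract the facts a helper looks for first from an aswMBR log."""
    findings: Dict[str, object] = {
        "os_version": None,
        "mbr_read_ok": False,
        "unknown_mbr_code": False,
        "scan_finished": False,
        "mbr_saved_to": None,
        "called_modules": [],
        "trace_hops": [],
    }
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m:
            continue  # version banner, run date, separator
        msg = m.group(2)
        if msg.startswith("OS Version: "):
            findings["os_version"] = msg[len("OS Version: "):]
        elif "MBR read successfully" in msg:
            findings["mbr_read_ok"] = True
        elif "unknown MBR code" in msg:
            findings["unknown_mbr_code"] = True
        elif msg == "Scan finished successfully":
            findings["scan_finished"] = True
        elif "MBR has been saved successfully to" in msg:
            findings["mbr_saved_to"] = msg.split('"')[1]  # path is the quoted part
        elif msg.endswith("trace - called modules:"):
            # the module list is the very next event line
            nxt = LINE_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            if nxt:
                findings["called_modules"] = nxt.group(2).split()
        elif HOP_RE.match(msg):
            findings["trace_hops"].append(msg)
    return findings


def triage(findings: Dict[str, object]) -> List[str]:
    """Turn the parsed log into follow-up items for the helper (flags, not verdicts)."""
    notes: List[str] = []
    if not findings["mbr_read_ok"]:
        notes.append("MBR was not read: the tool may have been blocked")
    if findings["unknown_mbr_code"]:
        notes.append("boot code not recognised: submit the saved MBR.dat for analysis")
    if not findings["scan_finished"]:
        notes.append("scan did not complete")
    return notes


if __name__ == "__main__":
    parsed = parse_aswmbr(SAMPLE_LOG)
    print(parsed["os_version"], "| MBR saved to:", parsed["mbr_saved_to"])
    print("disk stack:", " -> ".join(parsed["called_modules"]))
    for note in triage(parsed):
        print("FOLLOW UP:", note)
```

Run against the excerpt, the only follow-up item is the unrecognised boot code, which is exactly what the next reply in the thread asks about (submitting MBR.dat for analysis).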



#3
October 18, 2011 at 14:30:55
golfpro,

My apologies for the delay. Rather busy these days...

What browser do you normally use, Internet Explorer, Firefox, other...?

When you ran HitmanPro, did it provide a report with the malware found? If so, can you post the results?

Also, when you ran aswMBR, another file was created on the Desktop: MBR.dat

Please submit 'MBR.dat' for analysis to VirusTotal:
http://www.virustotal.com/

Use the 'Browse' button to navigate to the location of the file.

Click on the file

Then, click the 'Open' button.
The file is now displayed in the 'Submit' Box.

Scroll down and click 'Send File', and wait for the results
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'
Once scanned, please provide the link to the results page in your reply.

If you cannot do this from the infected computer, move the MBR.dat file to a USB flash drive, then go to a clean computer and submit it from there.


Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals




#4
October 19, 2011 at 08:51:59
First of all, never apologize for taking a long time when you are a volunteer. I appreciate the fact that you are willing to help people with their computer problems. Without you, I would have to send this to someone who would charge me an arm and a leg......so thank you. I greatly appreciate your help.

I couldn't get the website to scan the file, but I did get it done through e-mail. So I am copying and pasting the results here. Let me know if there is anything else I need to do.

<?xml version="1.0" encoding="iso-8859-1"?>
<_root_>
<_metadata_>
<_filename_>MBR.dat</_filename_>
<_internalname_>MBR.dat</_internalname_>
<_filesize_>512</_filesize_>
<_md5_>4a22a9b7877b270108643096aa91912a</_md5_>
<_sha1_>f2aaf60252cee949336d8595b0b6eafc8bbfd27e</_sha1_>
<_sha256_>087f14f6fb24f08d2af62c5b50eb748c375ca40983cbeff6479c75b286f0b6d9</_sha256_>
<_ssdeep_>12:bkArd1nWME7nQHg7yXxMHLWYQNZuP9hKZlyb2cX2a/BTBm9R:r3WlnQ1XKlIGhKub2choP</_ssdeep_>
<_goodware_>-</_goodware_>
<_pdfid_>-</_pdfid_>
<_date_>10/19/2011 15:02:48 (CET)</_date_>
<_peid_>-</_peid_>
<_peinfo_>-</_peinfo_>
<_sigcheck_>publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
</_sigcheck_>
<_exiftool_>file metadata
Error: Unknown file type
FileSize: 512 bytes
</_exiftool_>
</_metadata_>
<_result_>
<_scan_>
<_engine_>nProtect</_engine_>
<_version_>2011-10-19.02</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>CAT-QuickHeal</_engine_>
<_version_>11.00</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>McAfee</_engine_>
<_version_>5.400.0.1158</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>TheHacker</_engine_>
<_version_>6.7.0.1.325</_version_>
<_date_>20111018</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>K7AntiVirus</_engine_>
<_version_>9.115.5307</_version_>
<_date_>20111018</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>VirusBuster</_engine_>
<_version_>14.1.19.0</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>NOD32</_engine_>
<_version_>6556</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>F-Prot</_engine_>
<_version_>4.6.5.141</_version_>
<_date_>20111018</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Symantec</_engine_>
<_version_>20111.2.0.82</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Norman</_engine_>
<_version_>6.07.11</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>ByteHero</_engine_>
<_version_>1.0.0.1</_version_>
<_date_>20110923</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>TrendMicro-HouseCall</_engine_>
<_version_>9.500.0.1008</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Avast</_engine_>
<_version_>6.0.1289.0</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>eSafe</_engine_>
<_version_>7.0.17.0</_version_>
<_date_>20111017</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>ClamAV</_engine_>
<_version_>0.97.0.0</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Kaspersky</_engine_>
<_version_>9.0.0.837</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>BitDefender</_engine_>
<_version_>7.2</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>SUPERAntiSpyware</_engine_>
<_version_>4.40.0.1006</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Emsisoft</_engine_>
<_version_>5.1.0.11</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Comodo</_engine_>
<_version_>10489</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>F-Secure</_engine_>
<_version_>9.0.16440.0</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>DrWeb</_engine_>
<_version_>5.0.2.03300</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>VIPRE</_engine_>
<_version_>10808</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>AntiVir</_engine_>
<_version_>7.11.16.64</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>TrendMicro</_engine_>
<_version_>9.500.0.1008</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>McAfee-GW-Edition</_engine_>
<_version_>2010.1D</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Sophos</_engine_>
<_version_>4.70.0</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>eTrust-Vet</_engine_>
<_version_>36.1.8627</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Jiangmin</_engine_>
<_version_>13.0.900</_version_>
<_date_>20111018</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Antiy-AVL</_engine_>
<_version_>2.0.3.7</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Microsoft</_engine_>
<_version_>1.7801</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>ViRobot</_engine_>
<_version_>2011.10.19.4727</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Prevx</_engine_>
<_version_>3.0</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>GData</_engine_>
<_version_>22</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Commtouch</_engine_>
<_version_>5.3.2.6</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>AhnLab-V3</_engine_>
<_version_>2011.10.18.00</_version_>
<_date_>20111018</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>PCTools</_engine_>
<_version_>8.0.0.5</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Rising</_engine_>
<_version_>23.80.02.03</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Ikarus</_engine_>
<_version_>T3.1.1.107.0</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Fortinet</_engine_>
<_version_>4.3.370.0</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>AVG</_engine_>
<_version_>10.0.0.1190</_version_>
<_date_>20111018</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
<_scan_>
<_engine_>Panda</_engine_>
<_version_>10.0.3.5</_version_>
<_date_>20111019</_date_>
<_response_>-</_response_>
<_notes_>None</_notes_>
</_scan_>
</_result_>
</_root_>
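An added example, not part of the thread and not VirusTotal's or AVAST's code: Python that does locally what the helper asked VirusTotal to do with MBR.dat, and reads back a report in the XML layout posted above. inspect_mbr checks that a 512-byte image ends in the 0x55AA boot signature, hashes it, and decodes the four partition-table entries; summarize_vt counts the engines and those whose response is anything other than "-" (a "-" response, as in every <_scan_> above, is an engine that reported nothing); hashes_match confirms the report's MD5 is for the file you actually hold. The 512-byte blob and the two-engine report are constructed for this example (the detection name is made up) and have nothing to do with the poster's MBR.dat; all function names are mine.

```python
import hashlib
import struct
import xml.etree.ElementTree as ET
from typing import Dict

# One 16-byte partition entry: status, CHS start, type, CHS end, start LBA, sector count.
PART_ENTRY = "<B3sB3sII"


def build_sample_mbr() -> bytes:
    """Construct a 512-byte MBR-shaped blob for the example (NOT the poster's MBR.dat)."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 436   # 440 bytes of stand-in boot code
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # disk signature + 2 reserved bytes
    # one active partition of type 0x07 (NTFS): start LBA 2048, 1,000,000 sectors
    entry1 = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry1 + b"\x00" * 48                            # three unused entries
    return code + disk_sig + table + b"\x55\xaa"


def inspect_mbr(blob: bytes) -> Dict[str, object]:
    """Sanity-check a saved MBR: size, boot signature, hashes, partition table."""
    if len(blob) != 512:
        raise ValueError("an MBR image is exactly 512 bytes, got %d" % len(blob))
    info: Dict[str, object] = {
        "boot_signature_ok": blob[510:512] == b"\x55\xaa",
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "partitions": [],
    }
    for n in range(4):
        off = 446 + 16 * n
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, blob[off:off + 16])
        if ptype == 0:  # unused entry
            continue
        info["partitions"].append(
            {"bootable": status == 0x80, "type": ptype, "start_lba": lba, "sectors": count}
        )
    return info


def build_sample_report(blob: bytes) -> str:
    """Constructed report in the XML layout posted above: two engines, one (made-up) hit."""
    return f"""<?xml version="1.0" encoding="iso-8859-1"?>
<_root_>
<_metadata_>
<_filename_>MBR.dat</_filename_>
<_filesize_>{len(blob)}</_filesize_>
<_md5_>{hashlib.md5(blob).hexdigest()}</_md5_>
</_metadata_>
<_result_>
<_scan_><_engine_>EngineA</_engine_><_version_>1.0</_version_><_date_>20111019</_date_>
<_response_>-</_response_><_notes_>None</_notes_></_scan_>
<_scan_><_engine_>EngineB</_engine_><_version_>2.0</_version_><_date_>20111019</_date_>
<_response_>Example.Detection.Name</_response_><_notes_>None</_notes_></_scan_>
</_result_>
</_root_>
"""


def summarize_vt(xml_text: str) -> Dict[str, object]:
    """Count engines and detections; a '-' response means that engine reported nothing."""
    root = ET.fromstring(xml_text.encode("iso-8859-1"))  # honour the declared encoding
    meta = root.find("_metadata_")
    scans = root.findall("./_result_/_scan_")
    hits: Dict[str, str] = {}
    for scan in scans:
        response = (scan.findtext("_response_") or "-").strip()
        if response != "-":
            hits[scan.findtext("_engine_")] = response
    return {
        "filename": meta.findtext("_filename_"),
        "md5": meta.findtext("_md5_"),
        "engines": len(scans),
        "detections": len(hits),
        "hits": hits,
    }


def hashes_match(report: Dict[str, object], blob: bytes) -> bool:
    """Confirm the report describes the file you hold, not some other upload."""
    return report["md5"] == hashlib.md5(blob).hexdigest()


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = inspect_mbr(mbr)
    report = summarize_vt(build_sample_report(mbr))
    print("boot signature ok:", info["boot_signature_ok"], "| partitions:", info["partitions"])
    print(f'{report["detections"]}/{report["engines"]} engines flagged; hashes match: {hashes_match(report, mbr)}')
```

On the report actually posted above, summarize_vt would return 43 engines and 0 detections, and comparing its <_md5_> against a local hash of MBR.dat is the quick way to be sure the analysed file is the one aswMBR saved.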



#5
October 23, 2011 at 23:05:58
I was just wondering if you saw anything wrong with the logs, or if my system seems to be clean


#6
October 24, 2011 at 18:54:43
golfpro1982,

HitmanPro has not made it to the big leagues, so, let's press on with the following:

If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version:

http://download.bleepingcomputer.co...


Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:
http://www.bleepingcomputer.com/for...

Vista: Right-click and select: Run as Administrator

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it to Megaupload, as you did previously.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


~~~~
Now, please remove any previous download of TDSSKiller (if used) and download the latest version:
http://support.kaspersky.com/downlo...

Execute the file:
Vista: Right-click and select: Run as Administrator

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.

A Reboot Required prompt may appear after a disinfection. Please reboot.


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please post the TDSSKiller log in your reply, by uploading it also.

Please copy the 'Download link', and provide it in your reply for each of the reports.


Need to see the following uploads in your reply:
**The 'ComboFix' log
**The 'TDSSKiller' log

Also need to know whether 'TDSSKiller' needed a reboot

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#7
October 26, 2011 at 19:19:38
Again, thanks for your help.

Here are the links to the uploads

http://www.megaupload.com/?d=IQ8I6MJL

http://www.megaupload.com/?d=VQZ1W9W0

Also, TDSSKiller did not find anything and did not have to reboot.



#8
October 26, 2011 at 21:25:12
Are the redirections still happening?

When the redirections occur, is it when you are using Internet Explorer, Firefox, something else, or any browser you use?


In any event...

Continue to disable your AntiVirus program and any AntiSpyware programs while performing the scan. It will preclude conflicts, and will speed up scan time.

Since you are using Windows Vista to perform this scan, go to the Start button, look for the browser icon, right-click it and select: 'Run as administrator'.

In the browser address bar, copy and paste the following:

http://www.eset.com/us/online-scanner


Press the 'ESET Online Scanner' download button
-In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
-Allow the ActiveX to download, and click: Install
http://www.eset.com/us/online-scann...

Click: Start
-Make sure that the option 'Remove found threats' is unticked/unchecked.
-Click: 'Scan', and wait for the scan to finish
-If any threats are found, click the 'List of found threats', then click 'Export to text file...'
-Save the file to your Desktop as: 'ESET Scan'.

Please provide the contents of 'ESET Scan' in your reply. Just post it here, unless the report is very large, then, upload it.

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#9
October 27, 2011 at 07:56:55
The browser is not redirecting anymore. I just wanted to make sure that the rest of my system is clean. Did the logs show anything else that needs to be taken care of? My computer is actually running better than I can ever remember.

Thanks for all your help!



#10
October 27, 2011 at 17:20:16
Good!! Glad the PC is doing well!

Do run the ESET Scanner (Post #8).

It will show any leftovers, if you have them.

Make sure that the option 'Remove found threats' is ticked/checked.

Please post its report.


Thanks!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



