AnandTech Forums > Software > Software for Windows
Old 08-22-2012, 12:49 AM   #1
ZippyDan
Golden Member
Join Date: Sep 2001
Posts: 1,996
really annoying infection

I have a Windows 7 computer that is getting infected with spyware/malware/ransomware etc.

I keep cleaning the computer using Malwarebytes AND SuperAntispyware AND Avast Boot Time Scan AND Microsoft Security Essentials, but it keeps getting reinfected after a short time.

I don't think the problem is with a specific infection per se, but with some kind of weird redirection happening with all or almost all the browsers. The user almost exclusively uses Firefox, and every time the infection reappears it is when she launches Firefox (but not EVERY time).

I myself have seen my attempts to go to legitimate websites get redirected to strange URLs like

8.26.70.252
click.gethotresults.com
toolbar.inbox.com

The redirects seem random in two ways: 1. they don't always go to the same place, 2. sometimes there is no redirect at all and the page you really wanted works fine.

I'm sure that whatever is doing this is sometimes redirecting her browser to websites that have malware.

What I can't seem to figure out is what is causing this random redirection. It happens in Firefox 14 and IE 10 and Chrome. I know Firefox has its own proxy settings, but I've checked both Firefox and IE for a proxy setting and there is none. I've also checked my hosts file and there is nothing there. I've also checked all three for extensions/add-ons, removed any non-standard search providers, and set all start pages to default.

What else could it be?
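A check the OP's list leaves out, added here as an example (this is not code from the thread): a PowerShell script for the affected Windows 7 machine that dumps every browser-independent redirect vector in one pass so each can be compared with a known-good value. It covers the hosts file and the proxy settings the OP already looked at, plus the ones not mentioned: the WinHTTP proxy, any PAC file (AutoConfigURL), the DNS servers each adapter is actually using, AppInit_DLLs and the Winsock LSP catalog. The $ExpectedDns value is an assumption; replace it with the resolver the LAN is supposed to use.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on
# the affected Windows 7 machine (PowerShell 2.0 syntax on purpose).
# Assumption: $ExpectedDns holds the resolver(s) the LAN should be handing out.
$ExpectedDns = @('192.168.1.1')

function Get-HostsEntries {
    # Active (non-comment) lines of the hosts file; anything beyond localhost is suspect
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts -ErrorAction SilentlyContinue | Where-Object { $_ -match '^\s*[^#\s]' }
}

function Get-ProxySettings {
    # WinINet (IE, Chrome, and Firefox when set to "use system proxy") plus the WinHTTP proxy
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie  = Get-ItemProperty $key
    New-Object PSObject -Property @{
        ProxyEnable   = $ie.ProxyEnable
        ProxyServer   = $ie.ProxyServer
        AutoConfigURL = $ie.AutoConfigURL          # a PAC file can redirect selectively and intermittently
        WinHttpProxy  = (netsh winhttp show proxy | Out-String).Trim()
    }
}

function Get-AdapterDns {
    # A replaced resolver explains redirects that hit every browser but only some of the time
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | ForEach-Object {
        $adapter = $_.Description
        foreach ($dns in @($_.DNSServerSearchOrder)) {
            if ($dns) {
                New-Object PSObject -Property @{
                    Adapter  = $adapter
                    Dns      = $dns
                    Expected = ($ExpectedDns -contains $dns)
                }
            }
        }
    }
}

function Get-FirefoxProxyPrefs {
    # Firefox keeps its own proxy settings in prefs.js / user.js of each profile
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem $profiles -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer } | ForEach-Object {
        foreach ($name in 'prefs.js', 'user.js') {
            $file = Join-Path $_.FullName $name
            if (Test-Path $file) {
                Select-String -Path $file -Pattern 'network\.proxy\.' | ForEach-Object { "$($_.Filename): $($_.Line)" }
            }
        }
    }
}

function Get-InjectionPoints {
    # AppInit_DLLs is loaded into every process that uses user32.dll, i.e. all three browsers
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $v = (Get-ItemProperty $k).AppInit_DLLs
            if ($v) { "AppInit_DLLs ($k): $v" }
        }
    }
    # Winsock LSPs sit under every TCP connection and can rewrite HTTP for any browser
    netsh winsock show catalog | Select-String 'Description|Provider Path' | ForEach-Object { $_.Line.Trim() }
}

'== hosts file ==';              Get-HostsEntries
'== proxy settings ==';          Get-ProxySettings | Format-List
'== DNS servers per adapter =='; Get-AdapterDns | Format-Table -AutoSize
'== Firefox proxy prefs ==';     Get-FirefoxProxyPrefs
'== injection points ==';        Get-InjectionPoints
```

Redirects that hit every browser, go to different places and sometimes do not happen at all are what a replaced resolver or a PAC file looks like from the desktop, so the DNS and AutoConfigURL rows deserve the closest look. Any entry in the Winsock catalog or AppInit_DLLs that is not a Microsoft or recognised vendor module is worth hashing and looking up before it is removed.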
Old 08-22-2012, 12:57 AM   #2
Bubbaleone
Golden Member
Join Date: Nov 2011
Posts: 1,649

You have a redirect virus that uses rootkit techniques to conceal itself from being detected or removed. Download and run Kaspersky's Anti-rootkit utility: TDSSKiller. And if that doesn't kill it there're bigger guns available. Post back with your results.


Last edited by Bubbaleone; 08-22-2012 at 01:02 AM.
Old 08-22-2012, 01:25 AM   #3
ZippyDan
Golden Member
Join Date: Sep 2001
Posts: 1,996

thanks! will report back
Old 08-22-2012, 01:53 AM   #4
Bubbaleone
Golden Member
Join Date: Nov 2011
Posts: 1,649

I've got to get some shut-eye so I'll leave you with this: Rootkits have become increasingly sophisticated to the point that many are virtually impossible to kill from within the Windows environment (including safe mode) due to their ability to replicate from all the tiny bits of code that they hide in multiple locations. You run your virus/malware scan, your anti-virus or anti-malware product says "I found it, and killed it", then you reboot the computer and it's right back.

The solution is a virus detection and removal tool that can access the infected disk while the disk is unmounted. When the disk is unmounted the rootkit (as well as everything else) is completely deactivated, and any code that it's injected into the MBR, boot sector, system files, and registry can be detected and deleted. It can't replicate.

Here's the "bigger gun": I've tested all of them but the best tool available for killing any rootkit is Kaspersky Rescue Disk 10 which is based on a live Linux disk...and it's free.

On that webpage click on the Knowledge Base tab and read how to use, before you try using it. Also have your internet connection connected, because when you boot from the live CD it will download Kaspersky's latest virus defs to your HDD and use those defs to scan with.

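The reason the unmounted-disk approach described above works can be seen without a vendor tool. As an added example (not from the thread, and not the Kaspersky disk's own code), the following PowerShell script runs from WinPE or a second, clean Windows installation with the infected volume attached but not booted. It loads the offline SYSTEM and SOFTWARE hives with reg.exe and lists kernel/file-system driver entries whose file is missing or lives outside System32\drivers, the Run keys, AppInit_DLLs and the offline hosts file. Nothing on the infected volume executes, so nothing is there to filter the view. The D:\ drive letter is an assumption; pass the real one with -OfflineRoot.

```powershell
# Added example, not from the thread. Run elevated from WinPE or another clean
# Windows boot with the infected system volume attached but NOT running.
# Assumption: that volume is visible at $OfflineRoot.
param([string]$OfflineRoot = 'D:\')

$config = Join-Path $OfflineRoot 'Windows\System32\config'

function Mount-OfflineHive([string]$Name) {
    # reg.exe load maps the on-disk hive file under a temporary key; nothing in it executes
    & reg.exe load "HKLM\Offline_$Name" (Join-Path $config $Name) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $Name" }
}

function Dismount-OfflineHive([string]$Name) {
    [gc]::Collect()                  # drop handles PowerShell may still hold on the hive
    & reg.exe unload "HKLM\Offline_$Name" | Out-Null
}

function Resolve-OfflinePath([string]$ImagePath) {
    # Map service ImagePath forms (\SystemRoot\..., \??\C:\..., system32\...) onto the offline volume
    $p = $ImagePath.Trim('"') -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\[A-Za-z]:\\', '' -replace '^[A-Za-z]:\\', ''
    if ($p -notmatch '^Windows\\') { $p = "Windows\$p" }
    Join-Path $OfflineRoot $p
}

function Get-OfflineDrivers {
    # Drivers (Type 1 kernel, Type 2 file system) registered in the offline SYSTEM hive. A rootkit
    # hides its driver while it runs; in the unmounted hive it is an ordinary entry, often with an odd path.
    Mount-OfflineHive 'SYSTEM'
    try {
        $sys = 'HKLM:\Offline_SYSTEM'
        $current  = (Get-ItemProperty "$sys\Select").Current
        $services = '{0}\ControlSet{1:D3}\Services' -f $sys, $current
        Get-ChildItem $services | ForEach-Object {
            $svc = Get-ItemProperty $_.PSPath
            if (($svc.Type -eq 1 -or $svc.Type -eq 2) -and $svc.ImagePath) {
                $file = Resolve-OfflinePath $svc.ImagePath
                New-Object PSObject -Property @{
                    Service   = $_.PSChildName
                    ImagePath = $svc.ImagePath
                    Exists    = (Test-Path $file)
                    InDrivers = ($file -like (Join-Path $OfflineRoot 'Windows\System32\drivers\*'))
                }
            }
        }
    } finally { Dismount-OfflineHive 'SYSTEM' }
}

function Get-OfflineAutoruns {
    # Run keys and AppInit_DLLs from the offline SOFTWARE hive (native and WOW64 views)
    Mount-OfflineHive 'SOFTWARE'
    try {
        $sw = 'HKLM:\Offline_SOFTWARE'
        foreach ($sub in 'Microsoft', 'Wow6432Node\Microsoft') {
            foreach ($run in 'Run', 'RunOnce') {
                $k = "$sw\$sub\Windows\CurrentVersion\$run"
                if (Test-Path $k) {
                    (Get-ItemProperty $k).PSObject.Properties |
                        Where-Object { $_.Name -notlike 'PS*' } |
                        ForEach-Object { "$k : $($_.Name) = $($_.Value)" }
                }
            }
            $win = "$sw\$sub\Windows NT\CurrentVersion\Windows"
            if (Test-Path $win) {
                $v = (Get-ItemProperty $win).AppInit_DLLs
                if ($v) { "$win : AppInit_DLLs = $v" }
            }
        }
    } finally { Dismount-OfflineHive 'SOFTWARE' }
}

'== drivers missing on disk or outside System32\drivers =='
Get-OfflineDrivers | Where-Object { -not $_.Exists -or -not $_.InDrivers } | Format-Table -AutoSize
'== autoruns =='
Get-OfflineAutoruns
'== offline hosts file (active lines) =='
Get-Content (Join-Path $OfflineRoot 'Windows\System32\drivers\etc\hosts') | Where-Object { $_ -match '^\s*[^#\s]' }
```

Loading a hive this way needs the infected OS to be shut down, not merely logged out, because a mounted hive cannot be loaded a second time; and an antivirus rescue disk should still run over the volume afterwards, since this script only surfaces persistence points, it does not scan file contents or the MBR.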
Old 08-22-2012, 01:57 AM   #5
ZippyDan
Golden Member
Join Date: Sep 2001
Posts: 1,996

yeah my problem now is that the TDSSKiller won't even run (I guess the virus is shutting it down?)

I tried running RKill first and it found a bunch of stuff (including some rootkits) and supposedly shut them down, but TDSSKiller still won't launch.

I'm working remotely via VNC so I can't try safemode nor the Live CD at this time, but I guess next step will be to get some local help.
Old 08-22-2012, 07:35 AM   #6
beginner99
Platinum Member
 
Join Date: Jun 2009
Posts: 2,114

IMHO there is nothing you can do, as with such a degree of infection the attacker could have done so many things, even to OS files, that I would never trust that system again. You can't even be sure that your mp3 files, say, are OK... Still, back up personal files and do a full re-install. This is mostly also a lot faster than any other method and a lot more secure.
Old 08-22-2012, 08:12 AM   #7
MadScientist
Golden Member
Join Date: Jul 2001
Location: TN
Posts: 1,857

Try running Rkill under a different filename since some viruses will not let Rkill run unless it has a certain filename. Variants can be found here: http://www.bleepingcomputer.com/download/rkill/

After you get Rkill to run, download and run Combofix. http://www.bleepingcomputer.com/comb...o-use-combofix Follow instructions on how to uninstall Combofix.

If you have to reboot, then run Rkill again and then run TDSSkiller.
Then follow up by first updating and running Malwarebytes Anti-Malware.
__________________
Asrock Z68 Extreme 4, i5-2500K @4.6 Ghz, 1.340V, Lian Li PC-7A Plus, Corsair A70, Corsair Force Series 3 120GB SSD, Samsung Spinpoint HD103SJ 1TB, 16GB Kingston HyperX DDR3 1600 @1.575V,Seasonic M12II 620W PSU, MSI GeForce GTX 650 Ti, Samsung SH-S223B, Win 7 Ultimate 64bit
Old 08-22-2012, 09:50 AM   #8
mechBgon
Super Moderator
Elite Member
Join Date: Oct 1999
Posts: 30,699

Kaspersky also has a bootable Rescue Disc you can download in .ISO format and make a scanning disc: http://rescuedisk.kaspersky-labs.com..._rescue_10.iso edit: oops, Bubbaleone beat me to it

You can configure it for maximum detection like this:



If it were me, I would save the user's email, contacts, documents/pics/videos, then flatten the drive with DBAN (if it's a HDD) or a secure-erase (if it's SSD) and reinstall Windows. Unless your user has a definite preference for Firefox, switch them to a browser that has working sandbox protection (IE or Chrome), and I have further hardening tips in my signature link.

Also, if the computer's using a wireless connection, ensure that the router is using a password and preferably the strongest encryption it supports. There's malware that will actually inject malicious content into HTTP network traffic on-the-fly, among other shenanigans. Don't leave your wireless access open for just anyone to use.

Last edited by mechBgon; 08-22-2012 at 09:55 AM.
Old 08-26-2012, 05:06 AM   #9
dinker99
Member
Join Date: Feb 2012
Posts: 71

A waste of time trying to get rid of this stuff - re-install. Hopefully you have an image of your OS plus standard applications somewhere safe.
Old 08-29-2012, 06:58 AM   #10
Magellan1
Junior Member
 
Join Date: Aug 2012
Posts: 4

Yes, I agree with dinker99, you need to do a clean install. Once infected it is really difficult to get rid of all traces of the virus/spyware. Antivirus software is useful mostly for prevention, and you need to keep it updated at all times. Also, sometimes there are "zero day" viruses that are not known well enough for antivirus programs to recognize them. So better also be careful about suspicious exe files and websites.
Old 08-29-2012, 07:11 AM   #11
cantholdanymore
Senior Member
Join Date: Mar 2011
Posts: 423

Any updates OP?
I also had a rootkit and the only solution was to fresh install. Bubbaleone gave me the same tip but it was too late for me; did it work for you?
__________________
Fractal Design Define Mini using 2 front fans (fractal) and one rear (noctua), Asus Maximus IV gene-z, Intel 2500k, Noctua NH-D14, G.Skill Ripjaws 16GB, Samsung 840 pro 256Gb SSD, NZXT HALE90 750w, Firepro v4900, Asus BD burner, Seagate Barracude 2T.

Switching between 4.0GHz @ 1.2V and 4.6Ghz @1.30v.

4.9 stable using 1.46
Old 08-29-2012, 08:22 AM   #12
berryracer
Golden Member
Join Date: Oct 2006
Location: Dubai
Posts: 1,872

Your system is FUBAR d00d I can't believe you are trying to fix such a messed up / deeply infected system!


F0rm4+ !!!!!!!!!!
__________________
ALIENWARE 18 Laptop
CPU: Intel Core i7-4800MQ CPU @ 3.7 GHz
Memory: 32 GB Kingston HyperX 1866 MHz DDR3 PC3-14900 RAM
GPU: Dual GeForce GTX 770M SLI 6 GB GDDR5 RAM
Storage: 2x Samsung 840 PRO 512GB SSD + Samsung 840 EVO 1TB mSATA SSD
Old 08-29-2012, 09:33 AM   #13
gitano
Member
Join Date: Aug 2008
Posts: 93

Wipe the disk, it's the only way to be sure. Remember to clean the boot sector also, and if I was you I'd probably re-flash the BIOS too; it's not uncommon lately for those rootkits to have BIOS infections.
__________________
I5-4440| Gigabyte B85M-D3V | Kingston DDR3-1600 8GB (2x4GB) | Radeon R9 270 | Windows 7 Ultimate 64-bit.
Old 10-02-2012, 11:16 AM   #14
ZippyDan
Golden Member
Join Date: Sep 2001
Posts: 1,996

The Kaspersky rescue disk did the trick for me... thanks Bubbaleone for your help

and I'll use the little extra trick, mechBgon... thanks