Old 12-11-2012, 11:14 AM   #1
BlueWeasel
Lifer
 
 
Join Date: Jun 2000
Location: Tupelo
Posts: 15,380
Need help removing browser redirect malware/virus.

I've got a single system here at the office that has been compromised with redirect malware. Not sure exactly which one it is, but most of the redirects point to "The Click Check" site. The browser is Firefox and I'm not sure if the problem exists in IE.

So far, I've done the following:
  • Scanned with Malwarebytes Anti-Malware and SuperAntiSpyware
  • Scanned for virus with AVG and Kaspersky rescue CDs (no virus found)
  • Used RKill, Combofix, and TDSSkiller
  • Checked all proxy, DNS, etc. settings
  • Checked the windows host file for bad entries

Even after all that, the redirects are still occurring. My next step may be to completely remove Firefox, delete the user profile, and reinstall. I don't see any FF add-ons/extensions that could be the cause.

I've had systems loaded with tons of viruses that are easier to clean than this.

Any suggestions?
__________________
Desktop:: 2500K@4.7Ghz/ 7950/16GB RAM/CM690/120GB SSD/3.0TB Storage/Win8.1
Laptop:: Macbook Air (2012)/128GB SSD/8GB RAM
Heatware 158-0-0

Last edited by BlueWeasel; 12-11-2012 at 11:26 AM.
BlueWeasel is online now   Reply With Quote
Old 12-11-2012, 11:19 AM   #2
mikeymikec
Diamond Member
 
 
Join Date: May 2011
Location: UK
Posts: 4,292

What is the product "Anti-Malware"? I've never heard of it I'm afraid. Try MalwareBytes (free, no trial)?

Confirm whether the redirect occurs with IE; then you know whether your efforts regarding a Firefox-specific problem are completely pointless or not.

You could also confirm whether it happens with a different user on the same machine, then you know whether the infection is at the user-level or higher.

Can you take the disk out and scan it connected to another machine externally?

TBH I've tried an AVG Rescue CD (up-to-date of course) several times and it hasn't ever turned up a result.
mikeymikec is offline   Reply With Quote
Old 12-11-2012, 11:27 AM   #3
BlueWeasel
Lifer
 
 
Join Date: Jun 2000
Location: Tupelo
Posts: 15,380

Quote:
Originally Posted by mikeymikec
What is the product "Anti-Malware"? I've never heard of it I'm afraid. Try MalwareBytes (free, no trial)?
Anti-Malware is one and the same.
__________________
Desktop:: 2500K@4.7Ghz/ 7950/16GB RAM/CM690/120GB SSD/3.0TB Storage/Win8.1
Laptop:: Macbook Air (2012)/128GB SSD/8GB RAM
Heatware 158-0-0
BlueWeasel is online now   Reply With Quote
Old 12-12-2012, 05:19 PM   #4
Danimal1209
Senior Member
 
Join Date: Nov 2011
Posts: 345

I would suggest to uninstall, then install to a different directory.
Danimal1209 is online now   Reply With Quote
Old 12-12-2012, 06:34 PM   #5
AdvancedSetup
Junior Member
 
Join Date: Dec 2012
Location: USA
Posts: 9

I'm not sure of the rules for posting links to routines or other websites, so I won't do that for now, but basically there are a few sites that provide dedicated malware detection and removal. Malwarebytes is one of them; there are also Bleepingcomputer and TechSupportForum.

These sites have trained members that can help you to clean your system.
AdvancedSetup is offline   Reply With Quote
Old 12-13-2012, 06:55 PM   #6
MadScientist
Golden Member
 
 
Join Date: Jul 2001
Location: TN
Posts: 1,865

OP,
Looks like you ran almost all the correct av programs.
1. Did you try a System Restore?
2. Did you boot into Safe Mode with Networking and run Rkill first before running any AV program? After each reboot Rkill must be run again.
3. Did you try running Task Manager (Ctrl-Alt-Del) and check under processes for anything suspicious like Click Check running? If you find something suspicious running End the process.

After running Rkill, run TDSSkiller, then MBAM, then HitmanPro, then Combofix. Then run HijackThis and post the log here or copy and paste the log here http://www.hijackthis.de/ and click on Analyze.

If all this does not work you can try manually removing Click Check. Do a search of your local drives for Click Check and delete any files it finds. Run Ccleaner. Backup your registry file. Open your registry file, regedit.exe, under Edit, Find, type in Click Check, Find Next, right click on entries, Delete, hit F3, and repeat until all Click Check entries are deleted.
__________________
Asrock Z68 Extreme 4, i5-2500K @4.6 Ghz, 1.340V, Lian Li PC-7A Plus, Corsair A70, Corsair Force Series 3 120GB SSD, Samsung Spinpoint HD103SJ 1TB, 16GB Kingston HyperX DDR3 1600 @1.575V,Seasonic M12II 620W PSU, MSI GeForce GTX 650 Ti, Samsung SH-S223B, Win 7 Ultimate 64bit
MadScientist is offline   Reply With Quote
Old 12-13-2012, 07:02 PM   #7
KeithP
Diamond Member
 
 
Join Date: Jun 2000
Location: Sacramento
Posts: 4,200

You may want to look around in about:config and check for changed settings, or just reset it altogether.

http://kb.mozillazine.org/Resetting_...n_about:config

-KeithP
__________________
Heat 64-0-0

Hoodies don't have zippers, chili doesn't have beans, the plane won't take off...deal with it.
KeithP is offline   Reply With Quote
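The OP's checklist (proxy, DNS, hosts file), MadScientist's manual steps and KeithP's about:config suggestion all amount to inspecting the same handful of redirect vectors. The script below is an added example written for this thread, not code posted by anyone in it: a read-only pass over those vectors that reports findings and changes nothing. It assumes the default Firefox profile location, and uses "Click Check" from the thread as the string to flag in autostart entries.

```powershell
# Added example for this thread (not code any poster supplied): a read-only pass over
# the redirect vectors discussed -- hosts file, WinINet proxy, DNS servers, Firefox
# prefs, and Run keys. It only reports; nothing is changed or deleted.
param([string]$Marker = 'Click Check')   # string to flag in autostart entries (from the thread)

# 1. Hosts file: any active IPv4 mapping other than the stock localhost line
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { "HOSTS  : $_" }

# 2. WinINet proxy (used by IE, and by Firefox when set to 'Use system proxy settings')
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { "PROXY  : ProxyServer = $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { "PROXY  : AutoConfigURL = $($inet.AutoConfigURL)" }

# 3. DNS servers per enabled adapter; compare with what the office network should hand out
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Where-Object { $_.DNSServerSearchOrder } |
    ForEach-Object { "DNS    : $($_.Description) -> $($_.DNSServerSearchOrder -join ', ')" }

# 4. Firefox prefs.js (default profile location assumed): proxy, homepage and keyword
#    search prefs are the settings a hijacker changes, and the ones about:config exposes
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'network\.proxy\.|browser\.startup\.homepage|keyword\.URL' |
    ForEach-Object { "FIREFOX: $($_.Line.Trim())" }

# 5. Per-user and machine Run keys: list every entry, flag any that mentions the marker
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $entries = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    $entries.PSObject.Properties | Where-Object { $metaProps -notcontains $_.Name } |
        ForEach-Object {
            $flag = if ("$($_.Name) $($_.Value)" -like "*$Marker*") { '  <-- matches marker' } else { '' }
            "RUN    : $key\$($_.Name) = $($_.Value)$flag"
        }
}
```

Run it as the affected user (the HKCU and Firefox checks are per-user, which is also how mikeymikec's "try a different user" test separates a profile-level hijack from a machine-level one); an empty section means that vector looks clean, and anything listed is a candidate to verify before removing.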
Old 12-14-2012, 05:19 AM   #8
AdvancedSetup
Junior Member
 
Join Date: Dec 2012
Location: USA
Posts: 9

Indiscriminately running anti-malware and antivirus tools can actually make it more difficult to clean the computer from an infection. There are also infections for which running the wrong tool will almost guarantee that, without a lot more work, you'll end up needing to format the drive and reinstall Windows.

In most cases these items are simply JavaScript or XML redirect tricks and AdwCleaner or JunkRemovalTool can clear them up.

However, sometimes when these redirects have been on the system for a while, sooner or later you'll hit some site with a drive-by and end up with a real infection.

You should NEVER use a temporary file cleaner until you've ascertained which infection you have. Doing so will cause you to lose data that cannot easily be recovered.

Don't forget you should also have an external backup of all important data. Hardware failure can potentially cause more harm than a serious infection if you end up losing all your data.
AdvancedSetup is offline   Reply With Quote
Old 12-14-2012, 11:02 AM   #9
MadScientist
Golden Member
 
 
Join Date: Jul 2001
Location: TN
Posts: 1,865

Quote:
Originally Posted by AdvancedSetup
Indiscriminately running anti-malware and antivirus tools can actually make it more difficult to clean the computer from an infection. There are also infections for which running the wrong tool will almost guarantee that, without a lot more work, you'll end up needing to format the drive and reinstall Windows.

In most cases these items are simply JavaScript or XML redirect tricks and AdwCleaner or JunkRemovalTool can clear them up.

However, sometimes when these redirects have been on the system for a while, sooner or later you'll hit some site with a drive-by and end up with a real infection.

You should NEVER use a temporary file cleaner until you've ascertained which infection you have. Doing so will cause you to lose data that cannot easily be recovered.

Don't forget you should also have an external backup of all important data. Hardware failure can potentially cause more harm than a serious infection if you end up losing all your data.
I do not agree with your first statement. I have never had an AV/AM program itself do harm to a computer. It's the fallout damage from the viruses they remove that's a PITA; i.e., no Startup Program or desktop shortcuts, empty Administrative Tools folders, cannot turn the Windows Firewall on, or no internet access.

I have never had any data loss after using Ccleaner as a temp file cleaner. I do recommend to run Ccleaner last if you have a virus. Some viruses when removed will delete your shortcuts. Before running Ccleaner check your shortcuts. Running Ccleaner deletes the %Temp%\smtmp folder making it harder to restore the shortcuts.

The Click Check virus may or may not be a simple browser hijacker. I have used AdwCleaner before. It will clean out some adware and leftover toolbar files, but it will also delete your browser homepage. I have not used it on a browser hijacker virus.
__________________
Asrock Z68 Extreme 4, i5-2500K @4.6 Ghz, 1.340V, Lian Li PC-7A Plus, Corsair A70, Corsair Force Series 3 120GB SSD, Samsung Spinpoint HD103SJ 1TB, 16GB Kingston HyperX DDR3 1600 @1.575V,Seasonic M12II 620W PSU, MSI GeForce GTX 650 Ti, Samsung SH-S223B, Win 7 Ultimate 64bit
MadScientist is offline   Reply With Quote
Old 12-14-2012, 09:22 PM   #10
AdvancedSetup
Junior Member
 
Join Date: Dec 2012
Location: USA
Posts: 9

No problem. Everyone is welcome to their own opinions. I'm not here to argue with or upset anyone over it.

Groups authorized to help with HJT logs
AdvancedSetup is offline   Reply With Quote
Old 12-16-2012, 09:34 AM   #11
MadScientist
Golden Member
 
 
Join Date: Jul 2001
Location: TN
Posts: 1,865

Quote:
Originally Posted by AdvancedSetup
No problem. Everyone is welcome to their own opinions. I'm not here to argue with or upset anyone over it.

Groups authorized to help with HJT logs
That's what a tech forum is all about, an exchange of experiences, opinions, and knowledge.
__________________
Asrock Z68 Extreme 4, i5-2500K @4.6 Ghz, 1.340V, Lian Li PC-7A Plus, Corsair A70, Corsair Force Series 3 120GB SSD, Samsung Spinpoint HD103SJ 1TB, 16GB Kingston HyperX DDR3 1600 @1.575V,Seasonic M12II 620W PSU, MSI GeForce GTX 650 Ti, Samsung SH-S223B, Win 7 Ultimate 64bit
MadScientist is offline   Reply With Quote
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.