12-11-2012, 11:14 AM
#1
Lifer
Join Date: Jun 2000
Location: Tupelo
Posts: 15,195
Need help removing browser redirect malware/virus.
I've got a single system here at the office that has been compromised with redirect malware. Not sure exactly which one it is, but most of the redirects point to "The Click Check" site. The browser is Firefox and I'm not sure if the problem exists in IE.
So far, I've done the following:
- Scanned with Malwarebytes Anti-Malware and SuperAntiSpyware
- Scanned for virus with AVG and Kaspersky rescue CDs (no virus found)
- Used RKill, Combofix, and TDSSkiller
- Checked all proxy, DNS, etc. settings
- Checked the windows host file for bad entries
Even after all that, the redirects are still occurring. My next step may be to completely remove Firefox, delete the user profile, and reinstall. I don't see any FF add-ons/extensions that could be the cause.
I've had systems loaded with tons of viruses that are easier to clean than this.
Any suggestions?
__________________
Desktop:: 2500K@4.4Ghz, 7870 OC, 16GB RAM, CM690, 120GB SSD, 2.0TB Storage, Win8x64
Server:: A64 3200+, 2GB RAM, 2.25TB, WHS PP3
Laptop:: Macbook Air (2012), 128GB SSD, 8GB RAM
Heatware 154-0-0
Last edited by BlueWeasel; 12-11-2012 at 11:26 AM.
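The hosts file and proxy settings the post says were checked by hand can be checked mechanically. This is an added example, not code from the thread: it parses a Windows hosts file for names mapped to anything other than loopback, and parses a Firefox prefs.js/user.js for the proxy and homepage preferences a redirect hijacker typically rewrites. The watched preference list and the sample inputs are assumptions constructed for the example.

```python
import re
from ipaddress import ip_address

# Firefox prefs a redirect hijacker commonly rewrites (assumed list, not from the thread).
WATCHED_PREFS = ("network.proxy.type", "network.proxy.autoconfig_url",
                 "network.proxy.http", "browser.startup.homepage", "keyword.URL")
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs mapping a name to a non-loopback address.
    Legitimate entries are almost always 127.0.0.1/::1 (or 0.0.0.0 for ad
    blocking); a hijacker maps popular names to a server it controls."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue                               # malformed line, skip it
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.extend((parts[0], name) for name in parts[1:])
    return findings

def hijacked_prefs(prefs_text):
    """Return {pref: value} for watched prefs present in prefs.js / user.js."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in WATCHED_PREFS:
            found[m.group(1)] = m.group(2).strip('"')
    return found

# Constructed sample inputs (not taken from the affected machine).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.google.com search.yahoo.com   # hijacker-style entry
"""
SAMPLE_PREFS = """user_pref("app.update.lastUpdateTime.background-update-timer", 1355000000);
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://198.51.100.9/proxy.pac");
user_pref("browser.startup.homepage", "http://example.invalid/");
"""

print(suspicious_hosts_entries(SAMPLE_HOSTS))
print(hijacked_prefs(SAMPLE_PREFS))
```

On a real machine, feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts` and the `prefs.js` and `user.js` from the Firefox profile folder; an empty result from both means the redirect is not coming from these two places.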
12-11-2012, 11:19 AM
#2
Golden Member
Join Date: May 2011
Location: UK
Posts: 1,955
What is the product "Anti-Malware"? I've never heard of it I'm afraid. Try MalwareBytes (free, no trial)?
Confirm whether the redirect occurs with IE, then you know whether your efforts regarding a Firefox-specific problem are completely pointless or not.
You could also confirm whether it happens with a different user on the same machine, then you know whether the infection is at the user-level or higher.
Can you take the disk out and scan it connected to another machine externally?
TBH I've tried an AVG Rescue CD (up-to-date of course) several times and it hasn't ever turned up a result.
12-11-2012, 11:27 AM
#3
Lifer
Join Date: Jun 2000
Location: Tupelo
Posts: 15,195
Quote:
Originally Posted by mikeymikec
What is the product "Anti-Malware"? I've never heard of it I'm afraid. Try MalwareBytes (free, no trial)?
Anti-Malware is one and the same.
12-12-2012, 05:19 PM
#4
Senior Member
Join Date: Nov 2011
Posts: 258
I would suggest uninstalling, then installing to a different directory.
12-12-2012, 06:34 PM
#5
Junior Member
Join Date: Dec 2012
Location: USA
Posts: 8
I'm not sure of the rules for posting links to routines or other websites, so I won't do that for now, but basically there are a few sites that provide dedicated malware detection and removal. Malwarebytes is one of them; there is also Bleepingcomputer and TechSupportForum.
These sites have trained members that can help you to clean your system.
12-13-2012, 06:55 PM
#6
Golden Member
Join Date: Jul 2001
Location: TN
Posts: 1,687
OP,
Looks like you ran almost all the correct av programs.
1. Did you try a System Restore?
2. Did you boot into Safe Mode with Networking and run Rkill first before running any AV program? After each reboot Rkill must be run again.
3. Did you try running Task Manager (Ctrl-Alt-Del) and check under processes for anything suspicious like Click Check running? If you find something suspicious running End the process.
After running Rkill, run TDSSkiller, then MBAM, then HitmanPro, then Combofix. Then run HijackThis and post the log here or copy and paste the log here http://www.hijackthis.de/ and click on Analyze.
If all this does not work you can try manually removing Click Check. Do a search of your local drives for Click Check and delete any files it finds. Run Ccleaner. Backup your registry file. Open your registry file, regedit.exe, under Edit, Find, type in Click Check, Find Next, right click on entries, Delete, hit F3, and repeat until all Click Check entries are deleted.
__________________
Asrock Z68 Extreme 4, i5-2500K @4.6 Ghz, 1.340V, Lian Li PC-7A Plus, Corsair A70, Corsair Force Series 3 120GB SSD, Samsung Spinpoint HD103SJ 1TB, 16GB Kingston HyperX DDR3 1600 @1.575V, Seasonic M12II 620W PSU, MSI GeForce GTX 650 Ti, Samsung SH-S223B, Win 7 Ultimate 64bit
12-14-2012, 05:19 AM
#8
Junior Member
Join Date: Dec 2012
Location: USA
Posts: 8
Indiscriminately running anti-malware and antivirus tools can actually make it more difficult to clean the computer from an infection. There are also infections for which running the wrong tool will almost guarantee that, without a lot more work, you'll end up needing to format the drive and reinstall Windows.
In most cases these items are simply JavaScript or XML redirect tricks and AdwCleaner or JunkRemovalTool can clear them up.
However, sometimes when these redirects have been on the system for a while, sooner or later you'll hit some site with a drive-by and end up with a real infection.
You should NEVER use a temporary file cleaner until you've ascertained which infection you have. Doing so will cause you to lose data that cannot easily be recovered.
Don't forget you should also have an external backup of all important data. Hardware failure can potentially cause more harm than a serious infection if you end up losing all your data.
12-14-2012, 11:02 AM
#9
Golden Member
Join Date: Jul 2001
Location: TN
Posts: 1,687
Quote:
Originally Posted by AdvancedSetup
Indiscriminately running anti-malware and antivirus tools can actually make it more difficult to clean the computer from an infection. There are also infections for which running the wrong tool will almost guarantee that, without a lot more work, you'll end up needing to format the drive and reinstall Windows.
In most cases these items are simply JavaScript or XML redirect tricks and AdwCleaner or JunkRemovalTool can clear them up.
However, sometimes when these redirects have been on the system for a while, sooner or later you'll hit some site with a drive-by and end up with a real infection.
You should NEVER use a temporary file cleaner until you've ascertained which infection you have. Doing so will cause you to lose data that cannot easily be recovered.
Don't forget you should also have an external backup of all important data. Hardware failure can potentially cause more harm than a serious infection if you end up losing all your data.
I do not agree with your first statement. I have never had an AV/AM program itself do harm to a computer. It’s the fallout damage from the viruses they remove that’s a PITA; i.e., no Startup Program or desktop shortcuts, empty Administrative Tools folders, cannot turn the Windows Firewall on, or no internet access.
I have never had any data loss after using Ccleaner as a temp file cleaner. I do recommend running Ccleaner last if you have a virus. Some viruses when removed will delete your shortcuts. Before running Ccleaner, check your shortcuts. Running Ccleaner deletes the %Temp%\smtmp folder, making it harder to restore the shortcuts.
The Click Check virus may or may not be a simple browser hijacker. I have used AdwCleaner before. It will clean out some adware and leftover toolbar files, but it will also delete your browser homepage. I have not used it on a browser hijacker virus.
12-14-2012, 09:22 PM
#10
Junior Member
Join Date: Dec 2012
Location: USA
Posts: 8
No problem. Everyone is welcome to their own opinions. I'm not here to argue with or upset anyone over it.
Groups authorized to help with HJT logs
12-16-2012, 09:34 AM
#11
Golden Member
Join Date: Jul 2001
Location: TN
Posts: 1,687
Quote:
Originally Posted by AdvancedSetup
That's what a tech forum is all about, an exchange of experiences, opinions, and knowledge.