Old 08-22-2012, 12:49 AM   #1
Platinum Member
ZippyDan's Avatar
Join Date: Sep 2001
Posts: 2,090
really annoying infection

I have a Windows 7 computer that is getting infected with spyware/malware/ransomware etc.

I keep cleaning the computer using Malwarebytes AND SuperAntispyware AND Avast Boot Time Scan AND Microsoft Security Essentials, but it keeps getting reinfected after a short time.

I don't think the problem is with a specific infection per se, but with some kind of weird redirection happening with all or almost all the browsers. The user almost exclusively uses Firefox, and every time the infection reappears it is when she launches Firefox (but not EVERY time).

I myself have seen my attempts to go to legitimate websites get redirected to strange URLs like

The redirects seem random in two ways: 1. they don't always go to the same place, 2. sometimes there is no redirect at all and the page you really wanted works fine.

I'm sure that whatever is doing this is sometimes redirecting her browser to websites that have malware.

What I can't seem to figure out is what is causing this random redirection. It happens in Firefox 14 and IE 10 and Chrome. I know Firefox has its own proxy settings, but I've checked both Firefox and IE for a proxy setting and there is none. I've also checked my hosts file and there is nothing there. I've also checked all three for extensions/add-ons, removed any non-standard search providers, and set all start pages to default.

What else could it be?
ZippyDan is offline   Reply With Quote
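The OP checked the hosts file and the browser proxy settings by hand. As an added, read-only triage script (not posted in the thread), this gathers the same redirect vectors in one pass and also lists the DNS servers each adapter is actually using and any Firefox per-profile proxy prefs, since those are the remaining places a "sometimes redirects, sometimes not" symptom can be configured. The paths and registry keys are the standard Windows and Firefox locations; it changes nothing on the machine.

```powershell
# Added triage script (not from the thread). Read-only: it lists, it does not fix.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

Write-Host "== hosts file entries (anything here overrides DNS) =="
Get-Content $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object {
        $parts = -split $_
        # Loopback entries are normal; a real hostname pointed anywhere else deserves a look.
        $flag = if (@('127.0.0.1', '::1') -contains $parts[0]) { '' } else { '  <-- review' }
        "{0,-16} {1}{2}" -f $parts[0], ($parts[1..($parts.Count - 1)] -join ' '), $flag
    }

Write-Host "`n== WinINET proxy (used by IE and Chrome, and by Firefox in 'system proxy' mode) =="
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable  : {0}" -f $inet.ProxyEnable
"ProxyServer  : {0}" -f $inet.ProxyServer
# A PAC script can route only some requests, so an empty ProxyServer alone is not conclusive.
"AutoConfigURL: {0}" -f $inet.AutoConfigURL

Write-Host "`n== Firefox per-profile proxy prefs =="
# prefs.js only records values changed from the default, so any network.proxy.* line
# means that profile is not simply following the system settings.
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $profileName = $_.Directory.Name
        Select-String -Path $_.FullName -Pattern 'network\.proxy\.' |
            ForEach-Object { "{0}: {1}" -f $profileName, $_.Line.Trim() }
    }

Write-Host "`n== DNS servers and gateway per active adapter (compare with the router/ISP values) =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        "{0}`n    DNS     : {1}`n    Gateway : {2}" -f $_.Description,
            ($_.DNSServerSearchOrder -join ', '), ($_.DefaultIPGateway -join ', ')
    }
```

Anything unexpected in the DNS or PAC output is worth noting before the offline scan, because a rootkit that survives in-Windows cleaning can simply put those settings back.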
Old 08-22-2012, 12:57 AM   #2
Golden Member
Bubbaleone's Avatar
Join Date: Nov 2011
Posts: 1,763

You have a redirect virus that uses rootkit techniques to conceal itself from being detected or removed. Download and run Kaspersky's anti-rootkit utility, TDSSKiller. And if that doesn't kill it, there are bigger guns available. Post back with your results.


Last edited by Bubbaleone; 08-22-2012 at 01:02 AM.
Bubbaleone is offline   Reply With Quote
Old 08-22-2012, 01:25 AM   #3
Platinum Member
ZippyDan's Avatar
Join Date: Sep 2001
Posts: 2,090

thanks! will report back
ZippyDan is offline   Reply With Quote
Old 08-22-2012, 01:53 AM   #4
Golden Member
Bubbaleone's Avatar
Join Date: Nov 2011
Posts: 1,763

I've got to get some shut-eye so I'll leave you with this: Rootkits have become increasingly sophisticated to the point that many are virtually impossible to kill from within the Windows environment (including safe mode) due to their ability to replicate from all the tiny bits of code that they hide in multiple locations. You run your virus/malware scan, your anti-virus or anti-malware product says "I found it, and killed it", then you reboot the computer and it's right back.

The solution is a virus detection and removal tool that can access the infected disk while the disk is unmounted. When the disk is unmounted the rootkit (as well as everything else) is completely deactivated, and any code that it has injected into the MBR, boot sector, system files, and registry can be detected and deleted. It can't replicate.

Here's the "bigger gun": I've tested all of them, but the best tool available for killing any rootkit is Kaspersky Rescue Disk 10, which is based on a live Linux disk... and it's free.

On that webpage click on the Knowledge Base tab and read how to use it before you try using it. Also have your internet connection connected, because when you boot from the live CD it will download Kaspersky's latest virus defs to your HDD and use those defs to scan with.

Bubbaleone is offline   Reply With Quote
Old 08-22-2012, 01:57 AM   #5
Platinum Member
ZippyDan's Avatar
Join Date: Sep 2001
Posts: 2,090

Yeah, my problem now is that TDSSKiller won't even run (I guess the virus is shutting it down?).

I tried running RKill first and it found a bunch of stuff (including some rootkits) and supposedly shut them down, but TDSSKiller still won't launch.

I'm working remotely via VNC so I can't try safe mode nor the Live CD at this time, but I guess the next step will be to get some local help.
ZippyDan is offline   Reply With Quote
Old 08-22-2012, 07:35 AM   #6
Platinum Member
Join Date: Jun 2009
Posts: 2,718

IMHO there is nothing you can do, as with such a grade of infection the attacker could have done so many things, even to OS files, that I would never trust that system again. You can't even be sure your MP3 files, say, are OK... Still, back up personal files and do a full re-install. This is mostly also a lot faster than any other method and a lot more secure.
beginner99 is online now   Reply With Quote
Old 08-22-2012, 08:12 AM   #7
Golden Member
MadScientist's Avatar
Join Date: Jul 2001
Location: TN
Posts: 1,999

Try running Rkill under a different filename since some viruses will not let Rkill run unless it has a certain filename. Variants can be found here: http://www.bleepingcomputer.com/download/rkill/

After you get Rkill to run, download and run Combofix. http://www.bleepingcomputer.com/comb...o-use-combofix Follow instructions on how to uninstall Combofix.

If you have to reboot, then run Rkill again and then run TDSSKiller.
Then follow up by first updating and then running Malwarebytes Anti-Malware.
MadScientist is offline   Reply With Quote
Old 08-22-2012, 09:50 AM   #8
Super Moderator
Elite Member
mechBgon's Avatar
Join Date: Oct 1999
Posts: 30,699

Kaspersky also has a bootable Rescue Disc you can download in .ISO format and make a scanning disc: http://rescuedisk.kaspersky-labs.com..._rescue_10.iso edit: oops, Bubbaleone beat me to it

You can configure it for maximum detection like this:

If it were me, I would save the user's email, contacts, documents/pics/videos, then flatten the drive with DBAN (if it's a HDD) or a secure-erase (if it's SSD) and reinstall Windows. Unless your user has a definite preference for Firefox, switch them to a browser that has working sandbox protection (IE or Chrome), and I have further hardening tips in my signature link.

Also, if the computer's using a wireless connection, ensure that the router is using a password and preferably the strongest encryption it supports. There's malware that will actually inject malicious content into HTTP network traffic on-the-fly, among other shenanigans. Don't leave your wireless access open for just anyone to use.

Last edited by mechBgon; 08-22-2012 at 09:55 AM.
mechBgon is offline   Reply With Quote
Old 08-26-2012, 05:06 AM   #9
dinker99's Avatar
Join Date: Feb 2012
Posts: 82

A waste of time trying to get rid of this stuff - re-install. Hopefully you have an image of your OS plus standard applications somewhere safe.
dinker99 is offline   Reply With Quote
Old 08-29-2012, 06:58 AM   #10
Junior Member
Join Date: Aug 2012
Posts: 4

Yes, I agree with dinker99, you need to do a clean install. Once infected it is really difficult to get rid of all traces of the virus/spyware. Antivirus software is useful for prevention mostly, and you need to keep it updated at all times. Also, sometimes there are "zero day" viruses that are not known well enough for antivirus programs to recognize them. So better also be careful about suspicious exe files and websites.
Magellan1 is offline   Reply With Quote
Old 08-29-2012, 07:11 AM   #11
Senior Member
cantholdanymore's Avatar
Join Date: Mar 2011
Posts: 447

Any updates OP?
I also had a rootkit and the only solution was to fresh install. Bubbaleone gave me the same tip but it was too late for me; did it work for you?
Fractal Design Define Mini using 2 front fans (fractal) and one rear (noctua), Asus Maximus IV gene-z, Intel 2500k, Noctua NH-D14, G.Skill Ripjaws 16GB, Samsung 840 pro 256Gb SSD, NZXT HALE90 750w, Asus R9 280x, Asus BD burner, Seagate Barracude 2T.

Switching between 4.0GHz @ 1.2V and 4.6Ghz @1.30v.

4.9 stable using 1.46
cantholdanymore is offline   Reply With Quote
Old 08-29-2012, 08:22 AM   #12
Platinum Member
berryracer's Avatar
Join Date: Oct 2006
Location: Dubai
Posts: 2,765

Your system is FUBAR d00d I can't believe you are trying to fix such a messed up / deeply infected system!

F0rm4+ !!!!!!!!!!
EUROCOM Sky X9 Laptop - Intel Skylake i7-6700K Delidded (Silicon Lottery) @ 4.4 GHz | G.SKILL Ripjaws 64GB DDR4 2800 MHz. RAM | GeForce GTX 980 8.0GB GDDR5 | Sound Blaster 3D Audio | 2 x Samsung 950 Pro 512GB M.2 NVMe PCIe x4 SSD + 2x Samsung Spinpoint M9T ST2000LM003 5400 RPM 32MB Cache 2TB HDD | Killer Wireless-AC N1535 ac/a/g/n 2x2 NGFF w/ Bluetooth 4.1 | 17.3" LG LP173WF4-SPF1 IPS FHD Matte Screen (G-SYNC) | 2x330W AC Power Adapters | Windows 10 Pro
berryracer is offline   Reply With Quote
Old 08-29-2012, 09:33 AM   #13
gitano's Avatar
Join Date: Aug 2008
Posts: 93

Wipe the disk, it's the only way to be sure. Remember to clean the boot sector also, and if I was you I'd prolly re-flash the BIOS too; BIOS infections from those rootkits are not uncommon lately.
I5-4440| Gigabyte B85M-D3V | Kingston DDR3-1600 8GB (2x4GB) | Radeon R9 270 | Windows 7 Ultimate 64-bit.
gitano is offline   Reply With Quote
Old 10-02-2012, 11:16 AM   #14
Platinum Member
ZippyDan's Avatar
Join Date: Sep 2001
Posts: 2,090

The Kaspersky Rescue Disk did the trick for me... thanks Bubbaleone for your help.

And I'll use the little extra trick, mechBgon... thanks.
ZippyDan is offline   Reply With Quote