08-22-2012, 12:49 AM | #1 | Golden Member | Join Date: Sep 2001 | Posts: 1,922
really annoying infection
I have a Windows 7 computer that is getting infected with spyware/malware/ransomware etc.
I keep cleaning the computer using Malwarebytes AND SuperAntispyware AND Avast Boot Time Scan AND Microsoft Security Essentials, but it keeps getting reinfected after a short time.
I don't think the problem is with a specific infection per se, but with some kind of weird redirection happening with all or almost all the browsers. The user almost exclusively uses Firefox, and every time the infection reappears it is when she launches Firefox (but not EVERY time).
I myself have seen my attempts to go to legitimate websites get redirected to strange URLs like
8.26.70.252
click.gethotresults.com
toolbar.inbox.com
The redirects seem random in two ways: 1. they don't always go to the same place, 2. sometimes there is no redirect at all and the page you really wanted works fine.
I'm sure that whatever is doing this is sometimes redirecting her browser to websites that have malware.
What I can't seem to figure out is what is causing this random redirection. It happens in Firefox 14 and IE 10 and Chrome. I know Firefox has its own proxy settings, but I've checked both Firefox and IE for a proxy setting and there is none. I've also checked my hosts file and there is nothing there. I've also checked all three for extensions/add-ons, removed any non-standard search providers, and set all start pages to default.
What else could it be?
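The two local checks the OP describes (hosts file overrides and Firefox's own proxy settings) are easy to get wrong by eye, so here is an added example, not from the thread, that parses both and flags the states worth a second look. The hosts and prefs.js contents are constructed samples; on a real machine you would read `C:\Windows\System32\drivers\etc\hosts` and the profile's `prefs.js` instead.

```python
import re
from ipaddress import ip_address

# Constructed sample of a Windows hosts file with one non-loopback override.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed: a legitimate name pointed at an outside address
8.26.70.252     www.example.com
0.0.0.0         ads.example.net
"""

# Constructed sample of a Firefox prefs.js with a manual proxy configured.
SAMPLE_PREFS = """user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.5");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""

def suspicious_hosts_entries(text):
    """Return (ip, hostname) pairs that map a name to something other than
    loopback or 0.0.0.0 (the sinkhole address ad-blocking lists use)."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue                            # malformed line, skip it
        if ip.is_loopback or str(ip) == "0.0.0.0":
            continue
        findings.extend((str(ip), name) for name in parts[1:])
    return findings

PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);')

def firefox_proxy_prefs(text):
    """Collect network.proxy.* prefs from prefs.js text into a dict.
    type 0 = direct, 1 = manual, 2 = PAC URL, 4 = WPAD, 5 = system (default)."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        key, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"'):
            prefs[key] = raw.strip('"')
        else:
            prefs[key] = int(raw)
    return prefs

def proxy_is_overridden(prefs):
    """True when Firefox routes traffic via a manual proxy or a PAC script."""
    return prefs.get("network.proxy.type", 5) in (1, 2)
```

A hosts override of a real site, or a proxy type of 1 or 2 the user never set, is the kind of silent redirect the thread is chasing; both are worth recording before the machine is wiped.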
08-22-2012, 12:57 AM | #2 | Golden Member | Join Date: Nov 2011 | Posts: 1,122
You have a redirect virus that uses rootkit techniques to conceal itself from being detected or removed. Download and run Kaspersky's Anti-rootkit utility: TDSSKiller. And if that doesn't kill it there're bigger guns available. Post back with your results.
Last edited by Bubbaleone; 08-22-2012 at 01:02 AM.
08-22-2012, 01:25 AM | #3 | Golden Member | Join Date: Sep 2001 | Posts: 1,922
Thanks! Will report back.
08-22-2012, 01:53 AM | #4 | Golden Member | Join Date: Nov 2011 | Posts: 1,122
I've got to get some shut-eye so I'll leave you with this: Rootkits have become increasingly sophisticated to the point that many are virtually impossible to kill from within the Windows environment (including safe mode) due to their ability to replicate from all the tiny bits of code that they hide in multiple locations. You run your virus/malware scan, your anti-virus or anti-malware product says "I found it, and killed it", then you reboot the computer and it's right back.
The solution is a virus detection and removal tool that can access the infected disk while the disk is unmounted. When the disk is unmounted the rootkit (as well as everything else) is completely deactivated, and any code that it's injected into the MBR, boot sector, system files, and registry can be detected and deleted. It can't replicate.
Here's the "bigger gun": I've tested all of them but the best tool available for killing any rootkit is Kaspersky Rescue Disk 10 which is based on a live Linux disk...and it's free.
On that webpage click on the Knowledge Base tab and read how to use it before you try using it. Also have your internet connection connected, because when you boot from the live CD it will download Kaspersky's latest virus defs to your HDD and use those defs to scan with.
08-22-2012, 01:57 AM | #5 | Golden Member | Join Date: Sep 2001 | Posts: 1,922
Yeah, my problem now is that TDSSKiller won't even run (I guess the virus is shutting it down?).
I tried running RKill first and it found a bunch of stuff (including some rootkits) and supposedly shut them down, but TDSSKiller still won't launch.
I'm working remotely via VNC so I can't try safe mode nor the Live CD at this time, but I guess the next step will be to get some local help.
08-22-2012, 07:35 AM | #6 | Golden Member | Join Date: Jun 2009 | Posts: 1,551
IMHO there is nothing you can do, as with such a grade of infection the attacker could have done so many things, even to OS files, that I would never trust that system again. You can't even be sure that, say, your mp3 files are OK. Still, back up personal files and do a full re-install. This is usually also a lot faster than any other method and a lot more secure.
08-22-2012, 08:12 AM | #7 | Golden Member | Join Date: Jul 2001 | Location: TN | Posts: 1,687
Try running Rkill under a different filename, since some viruses will not let Rkill run unless it has a certain filename. Variants can be found here: http://www.bleepingcomputer.com/download/rkill/
After you get Rkill to run, download and run Combofix. http://www.bleepingcomputer.com/comb...o-use-combofix Follow the instructions on how to uninstall Combofix.
If you have to reboot, then run Rkill again and then run TDSSKiller.
Then follow up by first updating and then running Malwarebytes Anti-Malware.
__________________
Asrock Z68 Extreme 4, i5-2500K @4.6 Ghz, 1.340V, Lian Li PC-7A Plus, Corsair A70, Corsair Force Series 3 120GB SSD, Samsung Spinpoint HD103SJ 1TB, 16GB Kingston HyperX DDR3 1600 @1.575V,Seasonic M12II 620W PSU, MSI GeForce GTX 650 Ti, Samsung SH-S223B, Win 7 Ultimate 64bit
08-22-2012, 09:50 AM | #8 | Super Moderator Elite Member | Join Date: Oct 1999 | Posts: 30,561
Kaspersky also has a bootable Rescue Disc you can download in .ISO format and make a scanning disc: http://rescuedisk.kaspersky-labs.com..._rescue_10.iso edit: oops, Bubbaleone beat me to it
You can configure it for maximum detection like this:
If it were me, I would save the user's email, contacts, documents/pics/videos, then flatten the drive with DBAN (if it's a HDD) or a secure-erase (if it's SSD) and reinstall Windows. Unless your user has a definite preference for Firefox, switch them to a browser that has working sandbox protection (IE or Chrome), and I have further hardening tips in my signature link.
Also, if the computer's using a wireless connection, ensure that the router is using a password and preferably the strongest encryption it supports. There's malware that will actually inject malicious content into HTTP network traffic on-the-fly, among other shenanigans. Don't leave your wireless access open for just anyone to use.
Last edited by mechBgon; 08-22-2012 at 09:55 AM.
08-26-2012, 05:06 AM | #9 | Member | Join Date: Feb 2012 | Posts: 60
A waste of time trying to get rid of this stuff; re-install. Hopefully you have an image of your OS plus standard applications somewhere safe.
08-29-2012, 06:58 AM | #10 | Junior Member | Join Date: Aug 2012 | Posts: 4
Yes, I agree with dinker99, you need to do a clean install. Once infected it is really difficult to get rid of all traces of the virus/spyware. Antivirus software is useful mostly for prevention, and you need to keep it updated at all times. Also, sometimes there are "zero day" viruses that are not well enough known for antivirus programs to recognize them. So also be careful about suspicious exe files and websites.
08-29-2012, 07:11 AM | #11 | Senior Member | Join Date: Mar 2011 | Posts: 410
Any updates OP?
I also had a rootkit and the only solution was to fresh install. Bubbaleone gave me the same tip but it was too late for me; did it work for you?
__________________
Fractal Design Define Mini using 2 front fans (fractal) and one rear (noctua), Asus Maximus IV gene-z, Intel 2500k, Noctua NH-D14, G.Skill Ripjaws 16GB, Samsung 840 pro 256Gb SSD, NZXT HALE90 750w, Firepro v4900, Asus BD burner, Seagate Barracude 2T.
Switching between 4.0GHz @ 1.2V and 4.6Ghz @1.30v.
4.9 stable using 1.46
08-29-2012, 08:22 AM | #12 | Golden Member | Join Date: Sep 2010 | Location: Dubai, UAE | Posts: 1,054
Your system is FUBAR, d00d. I can't believe you are trying to fix such a messed up / deeply infected system!
F0rm4+ !!!!!!!!!!
__________________
ASUS G75VW-T1086V
CPU: i7-3610QM 2.30 GHz.
Memory: 16 GB DDR3 1600 Mhz. RAM
Storage: 256 GB LiteOn LAT-256M3S SSD + 1 TB Seagate Momentus 5400 RPM HDD
Graphics: GeForce GTX 670M 3 GB GDDR5 RAM
OS: Windows 7 Professional (x64)
08-29-2012, 09:33 AM | #13 | Member | Join Date: Aug 2008 | Posts: 61
Wipe the disk, it's the only way to be sure. Remember to clean the boot sector also, and if I were you I'd probably re-flash the BIOS too; BIOS infections from those rootkits are not uncommon lately.
10-02-2012, 11:16 AM | #14 | Golden Member | Join Date: Sep 2001 | Posts: 1,922
The Kaspersky rescue disk did the trick for me... thanks Bubbaleone for your help.
And I'll use the little extra trick, mechBgon... thanks.