Need help removing browser redirect malware/virus.

Discussion in 'Security' started by BlueWeasel, Dec 11, 2012.

  1. BlueWeasel

    BlueWeasel Lifer

    Joined:
    Jun 2, 2000
    Messages:
    15,628
    Likes Received:
    0
    I've got a single system here at the office that has been compromised with redirect malware. Not sure exactly which one it is, but most of the redirects point to "The Click Check" site. The browser is Firefox and I'm not sure if the problem exists in IE.

    So far, I've done the following:

    • Scanned with Malwarebytes Anti-Malware and SuperAntiSpyware
    • Scanned for virus with AVG and Kaspersky rescue CDs (no virus found)
    • Used RKill, Combofix, and TDSSkiller
    • Checked all proxy, DNS, etc. settings
    • Checked the Windows hosts file for bad entries

    Even after all that, the redirects are still occurring. My next step may be to completely remove Firefox, delete the user profile, and reinstall. I don't see any FF add-ons/extensions that could be the cause.

    I've had systems loaded with tons of viruses that are easier to clean than this. :mad:

    Any suggestions?
     
    #1 BlueWeasel, Dec 11, 2012
    Last edited: Dec 11, 2012
  2. mikeymikec

    mikeymikec Diamond Member

    Joined:
    May 19, 2011
    Messages:
    7,249
    Likes Received:
    3
    What is the product "Anti-Malware"? I've never heard of it I'm afraid. Try MalwareBytes (free, no trial)?

    Confirm whether the redirect occurs with IE, then you know whether your efforts regarding a Firefox-specific problem are completely pointless or not :)

    You could also confirm whether it happens with a different user on the same machine, then you know whether the infection is at the user-level or higher.

    Can you take the disk out and scan it connected to another machine externally?

    TBH I've tried an AVG Rescue CD (up-to-date of course) several times and it hasn't ever turned up a result.
     
  3. BlueWeasel

    BlueWeasel Lifer

    Joined:
    Jun 2, 2000
    Messages:
    15,628
    Likes Received:
    0
    Anti-Malware is one and the same. :)
     
  4. Danimal1209

    Danimal1209 Senior member

    Joined:
    Nov 9, 2011
    Messages:
    355
    Likes Received:
    0
    I would suggest uninstalling, then installing to a different directory.
     
  5. AdvancedSetup

    AdvancedSetup Junior Member

    Joined:
    Dec 12, 2012
    Messages:
    9
    Likes Received:
    0
    I'm not sure of the rules for posting links to routines or other websites, so I won't do that for now, but basically there are a few sites that provide dedicated malware detection and removal. Malwarebytes is one of them; there is also Bleepingcomputer and TechSupportForum.

    These sites have trained members that can help you to clean your system.
     
  6. MadScientist

    MadScientist Platinum Member

    Joined:
    Jul 15, 2001
    Messages:
    2,002
    Likes Received:
    0
    OP,
    Looks like you ran almost all the correct AV programs.
    1. Did you try a System Restore?
    2. Did you boot into Safe Mode with Networking and run Rkill first before running any AV program? After each reboot Rkill must be run again.
    3. Did you try running Task Manager (Ctrl-Alt-Del) and check under processes for anything suspicious like Click Check running? If you find something suspicious running End the process.

    After running Rkill, run TDSSkiller, then MBAM, then HitmanPro, then Combofix. Then run HijackThis and post the log here, or copy and paste the log at http://www.hijackthis.de/ and click on Analyze.

    If all this does not work you can try manually removing Click Check. Do a search of your local drives for Click Check and delete any files it finds. Run CCleaner. Back up your registry file. Open your registry file, regedit.exe; under Edit, Find, type in Click Check, Find Next, right-click on entries, Delete, hit F3, and repeat until all Click Check entries are deleted.
     
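    The checks the original poster lists (hosts file, proxy, DNS, add-ons) and the process and registry search MadScientist describes can be gathered in one read-only pass so that every finding is reviewed before anything is deleted. The script below is an added example, not code from this thread or from any of the tools named in it; it assumes the standard Windows registry paths for WinINET proxy settings and autostart entries, the default Firefox profile location under %APPDATA%, and uses "Click Check" only as the marker string the thread mentions (pass any other string as `-Marker`).

```powershell
# Added example (not from the thread): read-only audit of the places a browser
# redirect is commonly planted. Nothing is modified; the output is for review.
# Run from an elevated PowerShell prompt on the affected machine.
param([string]$Marker = 'Click Check')   # marker string taken from the thread

$findings = New-Object System.Collections.Generic.List[string]

# 1. Hosts file: any mapping that is not loopback deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.|::1\s)' } |
    ForEach-Object { $findings.Add("hosts: $($_.Trim())") }

# 2. WinINET proxy / PAC settings (used by IE, and by Firefox when set to "use system proxy").
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings.Add("proxy: ProxyServer=$($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $findings.Add("proxy: AutoConfigURL=$($inet.AutoConfigURL)") }

# 3. DNS servers on every IP-enabled adapter (WMI class available on XP/7 as well).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $findings.Add("dns [$($_.Description)]: $($_.DNSServerSearchOrder -join ', ')") }

# 4. Autostart registry locations, listed in full; the marker is highlighted at the end.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $findings.Add("autostart [$key]: $($p.Name) = $($p.Value)")
    }
}

# 5. Running processes whose name or image path contains the marker.
Get-WmiObject Win32_Process |
    Where-Object { "$($_.Name) $($_.ExecutablePath)" -like "*$Marker*" } |
    ForEach-Object { $findings.Add("process: $($_.ProcessId) $($_.ExecutablePath)") }

# 6. Firefox profiles: proxy/homepage/keyword prefs, user.js overrides, installed extensions.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem $profileRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $profile = $_.FullName
        foreach ($f in 'prefs.js', 'user.js') {
            $path = Join-Path $profile $f
            if (Test-Path $path) {
                Select-String -Path $path -Pattern 'network\.proxy|browser\.startup\.homepage|keyword\.URL' |
                    ForEach-Object { $findings.Add("firefox [$f]: $($_.Line.Trim())") }
            }
        }
        Get-ChildItem (Join-Path $profile 'extensions') -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("firefox extension: $($_.Name)") }
    }

# Print everything, then repeat only the lines that mention the marker string.
$findings | ForEach-Object { Write-Output $_ }
$hits = @($findings | Where-Object { $_ -like "*$Marker*" })
Write-Output ("--- {0} line(s) mention '{1}' ---" -f $hits.Count, $Marker)
$hits | ForEach-Object { Write-Output $_ }
```

Running this under a second user account as well (as mikeymikec suggests) shows whether the findings are per-user (HKCU, the Firefox profile) or machine-wide (hosts file, HKLM, DNS), which narrows where the persistence actually lives before any manual registry edits are attempted.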
  7. KeithP

    KeithP Diamond Member

    Joined:
    Jun 15, 2000
    Messages:
    5,140
    Likes Received:
    1
  8. AdvancedSetup

    AdvancedSetup Junior Member

    Joined:
    Dec 12, 2012
    Messages:
    9
    Likes Received:
    0
    Indiscriminately running anti-malware and antivirus tools can actually make it more difficult to clean the computer from an infection. There are also infections where running the wrong tool will almost guarantee that, without a lot more work, you'll end up needing to format the drive and reinstall Windows.

    In most cases these items are simply JavaScript or XML redirect tricks and AdwCleaner or JunkRemovalTool can clear them up.

    However, sometimes when these redirects have been on the system for a while, sooner or later you'll hit some site with a drive-by and end up with a real infection.

    You should NEVER use a temporary file cleaner until you've ascertained which infection you have. Doing so will cause you to lose data that cannot easily be recovered.

    Don't forget you should also have an external backup of all important data. Hardware failure can potentially cause more harm than a serious infection if you end up losing all your data.
     
  9. MadScientist

    MadScientist Platinum Member

    Joined:
    Jul 15, 2001
    Messages:
    2,002
    Likes Received:
    0
    I do not agree with your first statement. I have never had an AV/AM program itself do harm to a computer. It’s the fallout damage from the viruses they remove that’s a PITA; i.e., no Startup Program or desktop shortcuts, empty Administrative Tools folders, cannot turn the Windows Firewall on, or no internet access.

    I have never had any data loss after using CCleaner as a temp file cleaner. I do recommend running CCleaner last if you have a virus. Some viruses, when removed, will delete your shortcuts. Before running CCleaner, check your shortcuts. Running CCleaner deletes the %Temp%\smtmp folder, making it harder to restore the shortcuts.

    The Click Check virus may or may not be a simple browser hijacker. I have used AdwCleaner before. It will clean out some adware and leftover toolbar files, but it will also delete your browser homepage. I have not used it on a browser hijacker virus.
     
  10. AdvancedSetup

    AdvancedSetup Junior Member

    Joined:
    Dec 12, 2012
    Messages:
    9
    Likes Received:
    0
  11. MadScientist

    MadScientist Platinum Member

    Joined:
    Jul 15, 2001
    Messages:
    2,002
    Likes Received:
    0
    That's what a tech forum is all about, an exchange of experiences, opinions, and knowledge.