really annoying infection

Discussion in 'Software for Windows' started by ZippyDan, Aug 22, 2012.

  1. ZippyDan

    ZippyDan Platinum Member

    Joined:
    Sep 28, 2001
    Messages:
    2,127
    Likes Received:
    0
    I have a Windows 7 computer that is getting infected with spyware/malware/ransomware etc.

    I keep cleaning the computer using Malwarebytes AND SuperAntispyware AND Avast Boot Time Scan AND Microsoft Security Essentials, but it keeps getting reinfected after a short time.

    I don't think the problem is with a specific infection per se, but with some kind of weird redirection happening with all or almost all the browsers. The user almost exclusively uses Firefox, and every time the infection reappears it is when she launches Firefox (but not EVERY time).

    I myself have seen my attempts to go to legitimate websites get redirected to strange URLs like

    8.26.70.252
    click.gethotresults.com
    toolbar.inbox.com

    The redirects seem random in two ways: 1. they don't always go to the same place, 2. sometimes there is no redirect at all and the page you really wanted works fine.

    I'm sure that whatever is doing this is sometimes redirecting her browser to websites that have malware.

    What I can't seem to figure out is what is causing this random redirection. It happens in Firefox 14 and IE 10 and Chrome. I know Firefox has its own proxy settings, but I've checked both Firefox and IE for a proxy setting and there is none. I've also checked my hosts file and there is nothing there. I've also checked all three for extensions/add-ons, removed any non-standard search providers, and set all start pages to default.

    What else could it be?
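The post above checked proxy settings, the hosts file and browser add-ons by hand. As an added triage script (not from the thread or any of its posters), this dumps the same settings in one go on a Windows 7 machine, plus two things the post does not mention: the WinINET automatic-configuration (PAC) URL and the DNS servers on each adapter, both of which can redirect every browser at once.

```powershell
# Added triage script, not from the thread. Dumps the settings that can
# silently redirect every browser on a Windows 7 box: hosts file, the WinINET
# proxy/PAC settings (IE, Chrome and most apps), per-adapter DNS servers
# (not mentioned in the post) and Firefox's own proxy prefs.
# Run it as the affected user (HKCU is per-user), in an elevated PowerShell.

Write-Host '== hosts file: non-comment entries =='
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

Write-Host "`n== WinINET proxy settings (HKCU) =="
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# AutoConfigURL is the "automatic configuration script" (PAC) box in the IE
# dialog; it is easy to overlook and a PAC file can redirect selectively, per URL.
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride |
    Format-List

Write-Host "`n== DNS servers per IP-enabled adapter =="
# WMI works on Windows 7 / PowerShell 2.0 (Get-DnsClientServerAddress does not).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Select-Object Description, DHCPEnabled,
        @{ Name = 'DNS'; Expression = { $_.DNSServerSearchOrder -join ', ' } } |
    Format-Table -AutoSize

Write-Host "`n== Firefox network.proxy.* prefs, per profile =="
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    # PSIsContainer instead of -Directory so it also works on PowerShell 2.0
    Get-ChildItem $profiles | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            Write-Host "-- $($_.Name)"
            Select-String -Path $prefs -Pattern 'network\.proxy\.' |
                ForEach-Object { $_.Line }
        }
    }
}
```

On a clean machine you expect no hosts entries beyond the defaults, ProxyEnable 0 with an empty AutoConfigURL, DNS servers you recognise (the router or ISP), and no network.proxy entries in prefs.js. Anything else is worth recording before the disk is wiped, since a rootkit can rewrite these values after every scan.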
     

  3. Bubbaleone

    Bubbaleone Golden Member

    Joined:
    Nov 20, 2011
    Messages:
    1,803
    Likes Received:
    4
    You have a redirect virus that uses rootkit techniques to conceal itself from being detected or removed. Download and run Kaspersky's Anti-rootkit utility: TDSSKiller. And if that doesn't kill it there are bigger guns available. Post back with your results.

     
    #2 Bubbaleone, Aug 22, 2012
    Last edited: Aug 22, 2012
  4. ZippyDan

    ZippyDan Platinum Member

    Joined:
    Sep 28, 2001
    Messages:
    2,127
    Likes Received:
    0
    thanks! will report back :)
     
  5. Bubbaleone

    Bubbaleone Golden Member

    Joined:
    Nov 20, 2011
    Messages:
    1,803
    Likes Received:
    4
    I've got to get some shut-eye so I'll leave you with this: Rootkits have become increasingly sophisticated to the point that many are virtually impossible to kill from within the Windows environment (including safe mode) due to their ability to replicate from all the tiny bits of code that they hide in multiple locations. You run your virus/malware scan, your anti-virus or anti-malware product says "I found it, and killed it", then you reboot the computer and it's right back.

    The solution is a virus detection and removal tool that can access the infected disk while the disk is unmounted. When the disk is unmounted the rootkit (as well as everything else) is completely deactivated, and any code that it has injected into the MBR, boot sector, system files, and registry can be detected and deleted. It can't replicate.

    Here's the "bigger gun": I've tested all of them but the best tool available for killing any rootkit is Kaspersky Rescue Disk 10 which is based on a live Linux disk...and it's free.

    On that webpage click on the Knowledge Base tab and read how to use it before you try using it. Also have your internet connection connected, because when you boot from the live CD it will download Kaspersky's latest virus defs to your HDD and use those defs to scan with.

     
  6. ZippyDan

    ZippyDan Platinum Member

    Joined:
    Sep 28, 2001
    Messages:
    2,127
    Likes Received:
    0
    yeah my problem now is that the TDSSKiller won't even run (I guess the virus is shutting it down?)

    I tried running RKill first and it found a bunch of stuff (including some rootkits) and supposedly shut them down, but TDSSKiller still won't launch.

    I'm working remotely via VNC so I can't try safemode nor the Live CD at this time, but I guess next step will be to get some local help.
     
  7. beginner99

    beginner99 Diamond Member

    Joined:
    Jun 2, 2009
    Messages:
    3,479
    Likes Received:
    220
    IMHO there is nothing you can do, as with such a grade of infection the attacker could have done so many things, even to OS files, that I would never trust that system again. You can't even be sure that, say, your mp3 files are OK... Still, back up personal files and do a full re-install. This is also mostly a lot faster than any other method and a lot more secure.
     
  8. MadScientist

    MadScientist Platinum Member

    Joined:
    Jul 15, 2001
    Messages:
    2,015
    Likes Received:
    1
    Try running Rkill under a different filename since some viruses will not let Rkill run unless it has a certain filename. Variants can be found here: http://www.bleepingcomputer.com/download/rkill/

    After you get Rkill to run, download and run Combofix. http://www.bleepingcomputer.com/combofix/how-to-use-combofix Follow the instructions on how to uninstall Combofix.

    If you have to reboot, then run Rkill again and then run TDSSKiller.
    Then follow up by first updating and then running Malwarebytes Anti-Malware.
     
  9. mechBgon

    mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    Kaspersky also has a bootable Rescue Disc you can download in .ISO format and make a scanning disc: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso edit: oops, Bubbaleone beat me to it :)

    You can configure it for maximum detection like this: [screenshot of the scan settings, image not preserved]

    If it were me, I would save the user's email, contacts, documents/pics/videos, then flatten the drive with DBAN (if it's a HDD) or a secure-erase (if it's SSD) and reinstall Windows. Unless your user has a definite preference for Firefox, switch them to a browser that has working sandbox protection (IE or Chrome), and I have further hardening tips in my signature link.

    Also, if the computer's using a wireless connection, ensure that the router is using a password and preferably the strongest encryption it supports. There's malware that will actually inject malicious content into HTTP network traffic on-the-fly, among other shenanigans. Don't leave your wireless access open for just anyone to use.
     
    #8 mechBgon, Aug 22, 2012
    Last edited: Aug 22, 2012
  10. dinker99

    dinker99 Member

    Joined:
    Feb 18, 2012
    Messages:
    82
    Likes Received:
    0
    A waste of time trying to get rid of this stuff - re-install. Hopefully you have an image of your OS plus standard applications somewhere safe.
     
  11. Magellan1

    Magellan1 Junior Member

    Joined:
    Aug 29, 2012
    Messages:
    4
    Likes Received:
    0
    Yes, I agree with dinker99, you need to do a clean install. Once infected it is really difficult to get rid of all traces of the virus/spyware. Antivirus software is useful for prevention mostly, and you need to keep it updated at all times. Also sometimes there are "zero day" viruses that are not known enough for antivirus programs to recognize them. So you'd better also be careful about suspicious exe files and websites.
     
  12. cantholdanymore

    cantholdanymore Senior member

    Joined:
    Mar 20, 2011
    Messages:
    447
    Likes Received:
    0
    Any updates OP?
    I also had a rootkit and the only solution was to fresh install. Bubbaleone gave me the same tip but it was too late for me; did it work for you?
     
  13. berryracer

    berryracer Platinum Member

    Joined:
    Oct 4, 2006
    Messages:
    2,771
    Likes Received:
    1
    Your system is FUBAR d00d I can't believe you are trying to fix such a messed up / deeply infected system!


    F0rm4+ !!!!!!!!!!
     
  14. gitano

    gitano Member

    Joined:
    Aug 4, 2008
    Messages:
    93
    Likes Received:
    0
    Wipe the disk, it's the only way to be sure. Remember to clean the boot sector also, and if I were you I'd prolly re-flash the BIOS too; BIOS infections from those rootkits aren't uncommon lately.
     
  15. ZippyDan

    ZippyDan Platinum Member

    Joined:
    Sep 28, 2001
    Messages:
    2,127
    Likes Received:
    0
    the Kaspersky rescue disk did the trick for me ... thanks Bubbaleone for your help

    and i'll use the little extra trick mechBgon... thanks