Redirect virus hell! :(

NTAC

Senior member
May 21, 2003
391
1
0
I can usually clean out viruses sooner or later, but redirect viruses give me hell for some reason. I think I formatted the last time I had one of these bastards, and I'd rather avoid that if I can, so I'm hoping for some help from you guys :)

OS: Win7 64 bit

The virus is pretty straightforward: occasionally when I click on a site it takes me to some stupid redirect site, and that's about the gist of it.

I don't think it is the TDSS virus or whatever, because I don't see any sign of that in my non-plug and play section in Device Manager.

Things I have tried:
1. Ran the TDSS.exe remover thing that some sites show, but it found no issues
2. Ran a full scan in safe mode with Malwarebytes, but it found nothing
3. Ran a full scan in safe mode with Spybot, but it found nothing
4. Cleaned out startup items in MSCONFIG, I know, a reach, obviously, did nothing.
5. Set my browser proxy setting to NONE (it was not set to none when I first discovered virus, but now I have set it back to none, and it seems to have stuck, but still, no cigar.)

When I get redirected to a site Malwarebytes will mention that it blocked something from Firefox, but, that doesn't really help me much.

Anyway, I'm running out of options... When I get home, if necessary, I can provide a full list of what is in my Device Manager's non-plug and play list. Maybe something in that list needs to be disabled, but I don't know what.

Any help would be greatly appreciated. Thanks!!
 

daveybrat

Elite Member
Super Moderator
Jan 31, 2000
5,817
1,029
126

NTAC

Will do, thanks! I also did some more reading just now and noticed that I didn't use the preferences to add more scanning options to the TDSSKILLER app, so I'll also do that tonight.

I'll report back. Thanks again!
 

Bubbaleone

Golden Member
Nov 20, 2011
1,803
4
76
Daveybrat lists two excellent tools, but if you can't install anything or run a scan in Windows because of redirection, even in safe mode, you need to work at the disk level. IMHO Kaspersky's got the best damn BART CD ever made. In the last year I've used this disk twice to kill two different, very destructive, rootkits. You can download the Kaspersky AntiVirus Rescue 10 ISO (200 MB) from this link:

RescueDisk 10


Download and burn the ISO on a different PC if possible. Have your infected machine connected to the internet because when you boot the RescueDisk, select "update", and it will download and install all the latest virus definitions to a folder it creates on C:\ drive. It then uses those files for scanning so don't be concerned about the 10 March 2011 date.

Take your time, check out ALL the settings so you're familiar, set scan level, and heuristic parameters to max. Set disinfection or deletion to automatic. Depending on the size of your hard drive or partition, an intensive scan will take several hours to complete. Don't interrupt the scan if possible.
 

NTAC

Thanks, I don't think this redirect is that vicious. I was not prevented from running Malwarebytes, Spybot or the TDSSKiller app in normal or safe mode, so at least on the surface it appears that I have the green light to scan my little heart out.

But I'll keep that in mind for the more nasty things out there.
 

cubby1223

Lifer
May 24, 2004
13,518
42
86
I had that virus and all those suggested fixes did not work, had to reformat!

I have yet to see a problem that gets past ComboFix's log file. There is a reason why it presents you with a log file at the end.

The "redirect virus" comes in a multitude of varieties, it is not one single virus and everyone has the same thing.
 

DirkGently1

Senior member
Mar 31, 2011
904
0
0
Having spent hours doing all of the above, how long would it take to do a clean install of Windows, or install an Image Backup that you should have had in the first place?
 

Motorheader

Diamond Member
Sep 3, 2000
3,682
0
0
One more tool for the nasty ones is NPE.EXE - Norton Power Eraser. A relative had a redirect that just wouldn't let go and this was able to get rid of it. His son had downloaded a keygen and it had replaced the TCP/Winsock stack, and this was able to resolve it first time. Similar to what McAfee Stinger used to do years back.
 

NTAC

> Alright, 2 big things you need to run and I can almost assure you this will be fixed.
>
> First: http://support.kaspersky.com/faq/?qid=208283363
>
> Second: http://www.bleepingcomputer.com/download/anti-virus/combofix
>
> TDSSKiller is the best at finding most rootkits. And ComboFix is pretty much the best program at finding all of the nastiest stuff out there.
>
> Make sure to boot your computer into safe mode first and then run these in the order listed above.
>
> :)

Thanks! I think the ComboFix took care of it, I'll keep an eye out but I would have seen it back by now if it was still around :)

> Having spent hours doing all of the above, how long would it take to do a clean install of Windows, or install an Image Backup that you should have had in the first place?

I'm tired of clean installing Windows every time I run into a problem. I did spend a couple of hours trying to remove the virus and now I know that the solution is really just a 15 minute ride.

So yes I wasted 2 hours, but I gained information that will save me time in the future.

I do also have an image, it's a bit older, but it is a clean install + drivers + useful tools image that I can always fall back on if I really get stuck. I just decided that this time I'm going to remove the virus.

What's the point of your post anyway, it certainly has a douche bag type of feel to it, was that what you were going for?

To everyone that has helped me out in this thread, thanks a bunch!!!
 

daveybrat

Glad to help and hopefully you are virus free for now. Have a happy new year!! :)
 

exdeath

Lifer
Jan 29, 2004
13,679
10
81
Double check the DNS settings in your router as well. DNS should be set to automatic to get DNS servers from your ISP via DHCP.

I've seen some malware modify router settings, usually DNS servers, via UPnP such that the redirects still occurred after a complete disk wipe. Very frustrating considering how slow HDDs are and how long such an operation takes, only to be for nothing at all.

The worst part is that the machine you just wiped and reconfigured can get infected again due to the DNS redirects going to malicious pages in and of itself.
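
The checks named in this thread (the browser proxy setting and the DNS servers the PC ends up using), as an added read-only example that is not code from any poster. `$ExpectedDns` and its value are placeholders to replace with your own router and ISP resolver addresses; the function names are made up for this example.

```powershell
# Added example: read-only triage of the proxy and DNS settings named in this thread.
# Uses only cmdlets available in PowerShell 2.0, which ships with Windows 7.
# ASSUMPTION: $ExpectedDns is a placeholder; list your router's and ISP's resolvers.
$ExpectedDns = @('192.168.1.1')

function Get-SystemProxy {
    # Per-user WinINET proxy (Internet Options); also what Firefox follows when
    # it is set to "Use system proxy settings".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $key |
        Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

function Get-FirefoxProxyPrefs {
    # Firefox keeps its own proxy choice in prefs.js; network.proxy.type 0 means
    # "No proxy". No matching lines means the profile is on the default setting.
    $glob = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\prefs.js'
    if (Test-Path $glob) {
        Select-String -Path $glob -Pattern 'user_pref\("network\.proxy\.' |
            ForEach-Object { $_.Line }
    }
}

function Get-DnsServers {
    param([string[]]$Expected)
    # One row per resolver on each IP-enabled adapter. A resolver counts as
    # expected if it is on the list or is the adapter's own default gateway.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            $nic = $_
            foreach ($dns in @($nic.DNSServerSearchOrder)) {
                if (-not $dns) { continue }
                $ok = ($Expected -contains $dns) -or
                      (@($nic.DefaultIPGateway) -contains $dns)
                New-Object PSObject -Property @{
                    Adapter = $nic.Description; DhcpEnabled = $nic.DHCPEnabled
                    DnsServer = $dns; Expected = $ok
                }
            }
        }
}

Get-SystemProxy | Format-List
Get-FirefoxProxyPrefs
Get-DnsServers -Expected $ExpectedDns |
    Select-Object Adapter, DhcpEnabled, DnsServer, Expected | Format-Table -AutoSize
```

If the only resolver listed is the router itself, this check cannot see which upstream servers the router forwards to; that setting still has to be read from the router's own admin page.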
 

NTAC

> Double check the DNS settings in your router as well. DNS should be set to automatic to get DNS servers from your ISP via DHCP.
>
> I've seen some malware modify router settings, usually DNS servers, via UPnP such that the redirects still occurred after a complete disk wipe. Very frustrating considering how slow HDDs are and how long such an operation takes, only to be for nothing at all.
>
> The worst part is that the machine you just wiped and reconfigured can get infected again due to the DNS redirects going to malicious pages in and of itself.

Yeah that would be brutal, I did check those based on some other doc I read and they seem to be OK, but yeah, scary thought.
 

DirkGently1

> Thanks! I think the ComboFix took care of it, I'll keep an eye out but I would have seen it back by now if it was still around :)
>
> I'm tired of clean installing Windows every time I run into a problem. I did spend a couple of hours trying to remove the virus and now I know that the solution is really just a 15 minute ride.
>
> So yes I wasted 2 hours, but I gained information that will save me time in the future.
>
> I do also have an image, it's a bit older, but it is a clean install + drivers + useful tools image that I can always fall back on if I really get stuck. I just decided that this time I'm going to remove the virus.
>
> What's the point of your post anyway, it certainly has a douche bag type of feel to it, was that what you were going for?
>
> To everyone that has helped me out in this thread, thanks a bunch!!!

Sounds like you run into problems a lot, and yet you don't have a good backup procedure in place? Perhaps you just like wasting your own and other people's time?
 

Bubbaleone

> Sounds like you run into problems a lot, and yet you don't have a good backup procedure in place? Perhaps you just like wasting your own and other people's time?

I guess I missed the part where it says: Computer Help is only for erudite senior system administrators. And speak for yourself about wasting anyone's time.
 

Motorheader

Now...Now... we're here to assist each other. We all get irritated from time to time and must remember that everyone has a different level of computer savvy and understanding. Things shouldn't get testy as it doesn't help the overall "cause" of this board.
 

NTAC

> Sounds like you run into problems a lot, and yet you don't have a good backup procedure in place? Perhaps you just like wasting your own and other people's time?

Because I don't have anything on my PC that I can't do without, so I don't need a good backup procedure when I can wipe it clean and re-install without any issues.

I wanted to learn how to clean this redirect, that was the main goal, and that's been accomplished now, no thanks to you.

And whose time am I wasting besides my own, may I ask, and why are you so concerned with how I spend my time?
 

THRiLL KiLL

Senior member
Nov 18, 2010
910
32
91
Ignore the troll.

On a side note, what are you using for an antivirus?

We may be able to suggest a better one for you.
 

NTAC

> Ignore the troll.
>
> On a side note, what are you using for an antivirus?
>
> We may be able to suggest a better one for you.

Right now just running Malwarebytes in the background.

I think I might have had it accidentally turned off for a short period of time without realizing it. I usually turn it off when I play an online Madden game, so probably just forgot to turn it back on.