Free Republic
General/Chat

Help with Computer (Redirects in Search Engine)
7-9-2011 | raybbr

Posted on 07/09/2011 9:03:47 PM PDT by raybbr

My wife's laptop is infected with some sort of redirect virus. I have tried Malwarebytes, ComboFix, F-Secure, Microsoft Security Essentials and nothing has worked.

It happens when I do a search in FF or IE using any search engine. The site returns results but if you click on any of the direct result links you get redirected to a site that is mostly spam with further links.

There are plenty of threads on bleepingcomputer.com. I have tried everything I can think of. Any help will be appreciated.

raybbr


TOPICS: Computers/Internet

1 posted on 07/09/2011 9:03:56 PM PDT by raybbr
[ Post Reply | Private Reply | View Replies]

To: raybbr; ShadowAce

Running XP Pro on an older Lenovo laptop.


2 posted on 07/09/2011 9:04:40 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

I would try to make sure all your browser add-ons are deactivated. I then might just delete and then reinstall your browsers.


3 posted on 07/09/2011 9:08:11 PM PDT by UB355 (Slower traffic keep right)
[ Post Reply | Private Reply | To 2 | View Replies]

To: raybbr

Your hosts file (local DNS) is compromised. Google it from another PC.


4 posted on 07/09/2011 9:09:15 PM PDT by DigitalVideoDude (It's amazing what you can accomplish when you don't care who gets the credit. -Ronald Reagan)
[ Post Reply | Private Reply | To 2 | View Replies]

To: raybbr

Your hosts file (local DNS) is compromised. Google it from another PC.


5 posted on 07/09/2011 9:09:26 PM PDT by DigitalVideoDude (It's amazing what you can accomplish when you don't care who gets the credit. -Ronald Reagan)
[ Post Reply | Private Reply | To 2 | View Replies]

To: raybbr

Try the portable version of Super Anti-Spyware run from a flash drive. www.superantispyware.com


6 posted on 07/09/2011 9:10:49 PM PDT by The Great RJ ("The problem with socialism is that pretty soon you run out of other people's money" M. Thatcher)
[ Post Reply | Private Reply | To 1 | View Replies]

To: DigitalVideoDude
Your hosts file (local DNS) is compromised. Google it from another PC.

Google what?

7 posted on 07/09/2011 9:10:49 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: DigitalVideoDude

Double post. Ungh.


8 posted on 07/09/2011 9:11:35 PM PDT by DigitalVideoDude (It's amazing what you can accomplish when you don't care who gets the credit. -Ronald Reagan)
[ Post Reply | Private Reply | To 5 | View Replies]

To: raybbr

I always give System Restore to a date before the occurrence a try.


9 posted on 07/09/2011 9:13:43 PM PDT by John W (Natural-born US citizen since 1955)
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

Sorry. Google “host file hijack fix” or “host file redirect fix”.


10 posted on 07/09/2011 9:14:59 PM PDT by DigitalVideoDude (It's amazing what you can accomplish when you don't care who gets the credit. -Ronald Reagan)
[ Post Reply | Private Reply | To 7 | View Replies]

To: raybbr
System restore is your best way to start off. It will probably fix it.

http://support.microsoft.com/kb/306084

11 posted on 07/09/2011 9:15:30 PM PDT by E. Pluribus Unum ("A society of sheep must in time beget a government of wolves." - Bertrand de Jouvenel des Ursins)
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

This is what I had to download and run to fix my computer when I had a redirect virus: TDSS Rootkit

http://support.kaspersky.com/faq/?qid=208280684

then go to old timer tools and run Temp File Cleaner

http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/


12 posted on 07/09/2011 9:17:49 PM PDT by lastchance ("Nisi credideritis, non intelligetis" St. Augustine)
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

There is a file with no extension at

C:\WINDOWS\system32\drivers\etc\Hosts

that can be opened and edited using Notepad. It can contain hardcoded paths based on domain names and partial URL addresses, and instead direct anything to a specific IP address rather than looking up the IP address at a public DNS server.

I don’t know if DigitalVideo is right that this is your problem, but it won’t hurt to open the file and delete any lines from the bottom that do not begin with a # symbol.


13 posted on 07/09/2011 9:20:27 PM PDT by Kellis91789 (There's a reason the mascot of the Democratic Party is a jackass.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: lastchance

I agree. You need TDSS Killer.

System restore will NOT work.

My wife had this on her computer, and TDSS Killer was the only thing that worked.

However, it *only* works if you run it from the desktop, for some reason.


14 posted on 07/09/2011 9:22:31 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Kellis91789

Only one listing at “C:\WINDOWS\system32\drivers\etc\Hosts” and it doesn’t have # in front of it.


15 posted on 07/09/2011 9:30:12 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: raybbr

Go to tools,
then add ons,
Look for Yahoo toolbar and click options
on the left you will see some boxes with checkmarks
look for ‘enable 404 assist’. If that box is checked, uncheck it.

I was having the same problem and this fixed it for me. I may have rebooted afterwards. But I stopped getting the redirect after I did this.


16 posted on 07/09/2011 9:31:23 PM PDT by Netizen
[ Post Reply | Private Reply | To 1 | View Replies]

To: Trillian

sound familiar?


17 posted on 07/09/2011 9:33:00 PM PDT by Conservative4Life (Those who don't learn from the past are condemned to repeat it. Elections have consequences.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Netizen

Kind of like my advice. Eliminate all add-ons including extra toolbars.


18 posted on 07/09/2011 9:35:14 PM PDT by UB355 (Slower traffic keep right)
[ Post Reply | Private Reply | To 16 | View Replies]

To: EvilOverlord

Downloaded TDSS and put it on the desktop but it won’t run. Any ideas?


19 posted on 07/09/2011 9:36:25 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: UB355

I like some of my add ons. I just didn’t like Yahoo taking over the search engine.


20 posted on 07/09/2011 9:37:50 PM PDT by Netizen
[ Post Reply | Private Reply | To 18 | View Replies]

To: raybbr

...ask the Freeper who used to consult for Norton and Avast’s rootkit-hunting system. Some of the Freepers were correct, but how they said it was wrong.


21 posted on 07/09/2011 9:40:38 PM PDT by max americana (FUBO NATION 2012 FAK BARAK)
[ Post Reply | Private Reply | To 19 | View Replies]

To: raybbr

No, it worked for me on the desktop. Let me search a bit.

I assume you unzipped it and double-clicked on

Disinfection of an infected system TDSSKiller.exe?

From http://support.kaspersky.com/viruses/solutions?qid=208280684

Download the file TDSSKiller.zip and extract it (use an archiver, for example WinZip) into a folder on the infected (or potentially infected) PC.

Execute the file TDSSKiller.exe.

Wait for the scan and disinfection process to be over. It is necessary to reboot the PC after the disinfection is over.


22 posted on 07/09/2011 9:42:59 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Netizen

don’t have Yahoo toolbar. Won’t ever load it.


23 posted on 07/09/2011 9:43:38 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: EvilOverlord
I assume you unzipped it and doubled-clicked on Disinfection of an infected system TDSSKiller.exe?

Yep, and tried to run it both from the folder and the desktop. It looks like it's starting but I never see anything else.

24 posted on 07/09/2011 9:45:03 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: UB355

I couldn’t delete or disable the yahoo toolbar since my email account is yahoo. I need it. I do have a lot of things I don’t use disabled in there though. I like the AdBlock though. :)


25 posted on 07/09/2011 9:45:34 PM PDT by Netizen
[ Post Reply | Private Reply | To 18 | View Replies]

To: raybbr

From BleepingComputer.com: http://www.bleepingcomputer.com/forums/topic400716.html

Let’s confirm you are running it properly. Is this a 64 bit system? That would be a problem.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky’s website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
•Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.

•If TDSSKiller does not run, try renaming it.

•To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

•Click the Start Scan button.

•Do not use the computer during the scan

•If the scan completes with nothing found, click Close to exit.

•If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

•Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

•A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).


26 posted on 07/09/2011 9:45:36 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 19 | View Replies]

To: EvilOverlord

I am now in Safe mode and it still won’t work.


27 posted on 07/09/2011 9:45:54 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: raybbr

What search engine is taking over?


28 posted on 07/09/2011 9:46:47 PM PDT by Netizen
[ Post Reply | Private Reply | To 23 | View Replies]

To: raybbr
Rename it to something random with extension ".com" (rootkit blocks execution of many programs).

From the manual: 2. Before you can run TDSSKiller, you first need to rename it so that you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now edit the name of the file and should name it a random name with the .com extension. For example, 123.com or 23kjasd123.com.
29 posted on 07/09/2011 9:46:56 PM PDT by alecqss
[ Post Reply | Private Reply | To 19 | View Replies]

To: EvilOverlord

DL’ed the newest exe file and it still won’t run. GRRRRRRR1


30 posted on 07/09/2011 9:56:34 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 26 | View Replies]

To: raybbr

Here’s a Youtube video related to TDSS:

http://www.youtube.com/watch?v=TLVifFbLIso&feature=related


31 posted on 07/09/2011 9:58:30 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 27 | View Replies]

To: raybbr

Here’s a Youtube video related to TDSS:

http://www.youtube.com/watch?v=TLVifFbLIso&feature=related


32 posted on 07/09/2011 9:58:35 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 27 | View Replies]

To: raybbr

Get to system restore with command prompt. Type “rstrui.exe” without the quotation marks. This will let you restore without the virus interfering. I have used this many times. If this doesn’t work, for the whole sequence, google system restore from command prompt. It has worked for the worst bugs I have seen, and I picked up some nasties.


33 posted on 07/09/2011 9:58:56 PM PDT by TStro
[ Post Reply | Private Reply | To 27 | View Replies]

To: raybbr

Go to www.majorgeeks.com and follow the instructions to the tee. It is a nasty bug and it will take some work to cure it.


34 posted on 07/09/2011 10:12:53 PM PDT by usnadad
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

This just happened to me. I’ve tried to get rid of the browser redirects when using Bing search on my WinXP Pro for over a week now. After many tries with Norton, I found that this Microsoft file worked for me. It is a free malware scan done by Microsoft. The file name is msert dot exe and can be downloaded from this Microsoft site:
http://www.microsoft.com/security/scanner/en-us/default.aspx
I selected the 32bit option. I did the quick scan first followed by the full scan and discovered that I had 3 Trojan virus files on my computer. Believe me, I never go to weird sites, so I was shocked to have discovered the url redirect virus on my computer. Norton must have been contacted about their scans not picking it up because my Norton Internet Security now scans for “Security: URL Redirect” ... finally.
Hope this works for you.


35 posted on 07/09/2011 10:13:00 PM PDT by Pali Pass
[ Post Reply | Private Reply | To 1 | View Replies]

ph


36 posted on 07/09/2011 10:31:35 PM PDT by xone
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

The web site spywareinfo (. com) was always a fantastic site for getting guidance, and free also. They helped me several years ago when my computer had a redirect virus.

Took us a while but I followed every step the guy gave me. It worked!

Unfortunately, the last couple of times I tried to get advice on other problems, I never got an answer. I guess they are so overloaded now with requests, it’s hard to get help. But you might give ‘em a try.


37 posted on 07/09/2011 10:32:10 PM PDT by Cedar
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr
You opened the file with Notepad, right? It is not the filename itself that has a # in front of it. It is the lines in the text file. There should be many lines that begin with a #, because those are just comments on how to use the file to block bad websites, etc. When you open the file it should look like the below, and you can see the one line I've left after the # lines which has the effect of blocking access to "delivery.trafficjunky.net" by redirecting it back to the PC itself. Some adware blockers like "SpyBot" will add lines to this section to block known malicious websites, but if the line doesn't begin with 127.0.0.1 you should delete that line.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
#      #PRE
#      #DOM:
#      #INCLUDE
#      #BEGIN_ALTERNATE
#      #END_ALTERNATE
#      \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:" tag will associate the
# entry with the domain specified by . This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE " will force the RFC NetBIOS (NBT)
# software to seek the specified and parse it as if it were
# local. is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
# 102.54.94.102    "appname  \0x14"                    #special app server
# 102.54.94.123    popular            #PRE             #source server
# 102.54.94.117    localsrv           #PRE             #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
127.0.0.1 delivery.trafficjunky.net

38 posted on 07/09/2011 11:10:24 PM PDT by Kellis91789 (There's a reason the mascot of the Democratic Party is a jackass.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: raybbr

If all else fails, erase the entire HD with Eraser and do a clean install of the OS and all programs installed. Hope you had your documents, photos etc. backed up so you can do this. If not, you will lose everything on the computer. The clean install will correct the problem and speed up the computer. The down side is you lose all data and it takes a lot of effort.


39 posted on 07/09/2011 11:51:03 PM PDT by veritas3
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr
Sounds like you've got one of the so called “recovery viruses”. It drove me nuts for days. I finally found a site called Cnet.com that has the best help forums for laymen [me] and they helped me to dig the damned thing out without having to wipe my hard drive again. I'm learning computing the hard and expensive way.
40 posted on 07/10/2011 2:45:20 AM PDT by WePledge (Ich werde fur immer ein Hollenhund werden. Semper Fidelis)
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

pfl


41 posted on 07/10/2011 4:52:21 AM PDT by outofsalt ("If History teaches us anything it's that history rarely teaches us anything")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Kellis91789
You opened the file with Notepad, right ? It is not the filename itself that has a # in front of it. It is the lines in the text file.

Yep. It only has one line "127.0.0.1" in it. No number symbols or anything else.

Ran SuperAntiSpyware and it came up with a couple of things - cleaned - still the same.

Am now running Microsoft Security Scanner. We'll see what that finds.

42 posted on 07/10/2011 5:29:01 AM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 38 | View Replies]

To: raybbr; rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

43 posted on 07/10/2011 6:46:00 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

Open Internet Explorer
Tools
Internet Options
Connections
Lan Settings
Make sure NOTHING is in there (particularly PROXY SERVER)
Check the automatic configuration box
Save settings and restart IE.


44 posted on 07/10/2011 6:53:29 AM PDT by corbe (mystified)
[ Post Reply | Private Reply | To 1 | View Replies]

To: max americana
...ask the Freeper who used to consult for Norton and Avast’s rootkit-hunting system.

Who's that?

45 posted on 07/10/2011 7:45:43 AM PDT by GOPJ (Honk if I’m paying for your car, your mortgage, and your big, fat Greek bailout - mewzilla)
[ Post Reply | Private Reply | To 21 | View Replies]

To: raybbr

I had the same issue. I used Stopzilla. Problem solved.


46 posted on 07/10/2011 8:23:40 AM PDT by Puppage (You may disagree with what I have to say, but I shall defend to your death my right to say it)
[ Post Reply | Private Reply | To 1 | View Replies]

To: lastchance

Yeah, it is a root kit. I cleaned up a similar one on a Laptop at work last month.


47 posted on 07/10/2011 8:43:20 AM PDT by w1andsodidwe (Barrak has now won the contest. He is even worse than Jimmah.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: corbe

right! make sure there is no proxy server checked in LAN settings. rename any desirable anti-rootkit program as “.com” and not “.exe”

HijackThis is great too along with TDSS and Malwarebytes.

you may have to wipe the o/s though. A family member’s pc had this rootkit on it and although that part was cleaned, it would bluescreen on windows updates (Vista 32 bit)


48 posted on 07/10/2011 7:01:21 PM PDT by AbolishCSEU (Percentage of Income in CS is inversely proportionate to Mother's parenting of children)
[ Post Reply | Private Reply | To 44 | View Replies]

To: raybbr

Well, I still don’t see this file as being the problem, although it is odd that it is empty. XP Pro ships with the file’s contents as I put in my post. I’d guess whatever bug you’ve got cleared the file so you couldn’t shortstop it. Or one of the tools you’ve already tried cleared the file as a precaution.

It doesn’t NEED to have anything in it. It exists only to provide shortcuts to URLs so your PC doesn’t need to look up the IP address for a URL on a DNS server somewhere. Putting “wrong” entries in it is useful to prevent popups and other content on webpages from finding the correct address on a DNS — a bad address means that popup or whatever fails to run, which is exactly what you want sometimes.


49 posted on 07/11/2011 10:49:19 PM PDT by Kellis91789 (There's a reason the mascot of the Democratic Party is a jackass.)
[ Post Reply | Private Reply | To 42 | View Replies]
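The rule of thumb Kellis91789 gives in posts 13, 38 and 49 (lines starting with # are comments, entries pointing at 127.0.0.1 are deliberate blocks, anything else deserves a look) can be turned into a quick hosts-file audit. The script below is an added example, not code from any poster or from the tools named in this thread; the hosts-file content in it is constructed, including a made-up hijack entry and the bare "127.0.0.1" line raybbr reported in post 42.

```python
"""Audit a Windows hosts file for redirect-style tampering (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample, not captured from a real machine. Lines 6-7 mimic a
# hijack that sends search-engine names to some other address; line 8 is the
# bare-IP-without-hostname line reported in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       delivery.trafficjunky.net      # added by an ad blocker
0.0.0.0         ads.example                    # another blocking style
203.0.113.45    www.google.com                 # search engine sent elsewhere
203.0.113.45    www.bing.com
127.0.0.1
"""


@dataclass
class HostsEntry:
    line_no: int
    ip: str
    names: list
    verdict: str  # "ok", "blocklist", "suspicious" or "malformed"


def parse_hosts(text):
    """Classify every non-comment line of a hosts file."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue  # blank line or pure comment
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            entries.append(HostsEntry(n, ip, names, "malformed"))
            continue
        if not names:
            # an address with no hostname maps nothing; stock XP never ships this
            entries.append(HostsEntry(n, ip, names, "malformed"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            # 127.0.0.1 localhost is the stock entry; other loopback/0.0.0.0
            # mappings are the "wrong on purpose" blocking entries from post 49
            verdict = "ok" if names == ["localhost"] else "blocklist"
        else:
            # a public name pinned to a real address is the hosts-hijack pattern;
            # a legitimate intranet mapping lands here too, so treat as review item
            verdict = "suspicious"
        entries.append(HostsEntry(n, ip, names, verdict))
    return entries


def suspicious_entries(text):
    """Entries worth deleting or checking, per post 38's heuristic."""
    return [e for e in parse_hosts(text) if e.verdict in ("suspicious", "malformed")]


if __name__ == "__main__":
    for e in parse_hosts(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {e.verdict:10} {e.ip} {' '.join(e.names)}")
```

To audit a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `text` instead of `SAMPLE_HOSTS`; the verdicts are review hints, not an automatic cleaner.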

To: Kellis91789

I finally got TDSS Killer to work. It was the “Volsnap” virus. It’s apparently new and hard to find/get rid of.

Thanks for your advice.


50 posted on 07/12/2011 3:44:55 AM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 49 | View Replies]
