Help with Computer (Redirects in Search Engine)

7-9-2011 | raybbr

[raybbr]

My wife's laptop is infected with some sort of redirect virus. I have tried Malwarebytes, ComboFix, F-Secure, Microsoft Security Essentials and nothing has worked.

It happens when I do a search in FF or IE using any search engine. The site returns results but if you click on any of the direct result links you get re-directed to a site that is mostly spam with further links.

There are plenty of thread on bleepingcomputer.com. I have tried everything I can think of. Any help will be appreciated.

raybbr

[max americana]

..ask the Freeper who used to consult for Norton and Avast’s rootkit-hunting system. Some of the freepers were correct but how they said it were wrong.

[EvilOverlord]

No, it worked for me on the desktop. Let me search a bit.

I assume you unzipped it and doubled-clicked on

Disinfection of an infected system TDSSKiller.exe?

From http://support.kaspersky.com/viruses/solutions?qid=208280684

Download the file TDSSKiller.zip and extract it (use archiver, for example, WInZip) into a folder on the infected (or potentially infected) PC.

Execute the file TDSSKiller.exe.

Wait for the scan and disinfection process to be over. It is necessary to reboot the PC after the disinfection is over.

[raybbr]

don’t have Yahoo toolbar. Won’t ever load it.

[raybbr]

I assume you unzipped it and doubled-clicked on Disinfection of an infected system TDSSKiller.exe?

Yep, and tried to run it both from the folder and the desktop. It looks like it's starting but I never see anything else.

[Netizen]

I couldn’t delete or disable the yahoo toolbar since my email account is yahoo. I need it. I do have a lot of things I don’t use disabled in there though. I like the AdBlock though. :)

[EvilOverlord]

From BleepingComputer.com : http://www.bleepingcomputer.com/forums/topic400716.html

Let’s confirm you are running it properly. Is this a 64 bit system? That would be a problem.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky’s website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
•Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.

•If TDSSKiller does not run, try renaming it.

•To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

•Click the Start Scan button.

•Do not use the computer during the scan

•If the scan completes with nothing found, click Close to exit.

•If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

•Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

•A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).

[raybbr]

I am now in Safe mode and it still won’t work.

[Netizen]

What search engine is taking over?

[alecqss]

Rename it to something random with extension ".com" (rootkit blocks execution of many programs).

From the manual: 2.Before you can run TDSSKiller, you first need to rename it so that you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now edit the name of the file and should name it a random name with the .com extension. For example, 123.com or 23kjasd123.com.

[raybbr]

DL’ed the newest exe file and it still won’t run. GRRRRRRR1

[EvilOverlord]

Here’s a Youtube video related to TDSS:

http://www.youtube.com/watch?v=TLVifFbLIso&feature=related

[EvilOverlord]

Here’s a Youtube video related to TDSS:

http://www.youtube.com/watch?v=TLVifFbLIso&feature=related

[TStro]

Get to system restore with command prompt. Type “rstrui.exe” without the quotation marks. This will let you restore without the virus interfering. I have used this many times. If this doesn’t work, for the whole sequence, google system restore from command prompt. It has worked for the worst bugs I have seen, and I picked up some nasties.

[usnadad]

Go to www.majorgeeks.com and follow the instructions to the tee. It is a nasty bug and it will take some work to cure it.

[Pali Pass]

This just happened to me. I’ve tried to rid the browser redirects when using Bing search on my WinXP Pro for over a week now. After many tries with Norton, I found that this Microsoft file worked for me. It is a free malware scan done by Microsoft. The file name is msert dot exe and can be downloaded from this Microsoft site:
http://www.microsoft.com/security/scanner/en-us/default.aspx
I selected the 32bit option. I did the quick scan first followed by the full scan and discovered that I had 3 Trojan virus files on my computer. Believe me, I never go to weird sites, so I was shocked to have discovered the url redirect virus on my computer. Norton must have been contacted about their scans not picking it up because my Norton Internet Security now scans for “Security: URL Redirect” ... finally.
Hope this works for you.

[xone]

ph

[Cedar]

The web site spywareinfo (. com) was always a fantastic site for getting guidance, and free also. They helped me several years ago when my computer had a redirect virus.

Took us a while but I followed every step the guy gave me. It worked!

Unfortunately, the last couple of times I tried to get advice on other problems, I never got an answer. I guess they are so overloaded now with requests, it’s hard to get help. But you might give ‘em a try.

[Kellis91789]

You opened the file with Notepad, right ? It is not the filename itself that has a # in front of it. It is the lines in the text file. There should be many lines that begin with a #, because those are just comments on how to use the file to block bad websites, etc. When you open the file it should look like the below, and you can see the one line I've left after the # lines which has the effect of blocking access to "delivery.trafficjunky.net" by redirecting it back to the PC itself. Some adware blockers like "SpyBot" will add lines to this section to block known malicious websites, but if the line doesn't begin with 127.0.0.1 you should delete that line. # Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to computernames # (NetBIOS) names. Each entry should be kept on an individual line. # The IP address should be placed in the first column followed by the # corresponding computername. The address and the computername # should be separated by at least one space or tab. The "#" character # is generally used to denote the start of a comment (see the exceptions # below). # # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts # files and offers the following extensions: # # #PRE # #DOM: # #INCLUDE # #BEGIN_ALTERNATE # #END_ALTERNATE # \0xnn (non-printing character support) # # Following any entry in the file with the characters "#PRE" will cause # the entry to be preloaded into the name cache. By default, entries are # not preloaded, but are parsed only after dynamic name resolution fails. # # Following an entry with the "#DOM:" tag will associate the # entry with the domain specified by . This affects how the # browser and logon services behave in TCP/IP environments. To preload # the host name associated with #DOM entry, it is necessary to also add a # #PRE to the line. The is always preloaded although it will not # be shown when the name cache is viewed. # # Specifying "#INCLUDE " will force the RFC NetBIOS (NBT) # software to seek the specified and parse it as if it were # local. is generally a UNC-based name, allowing a # centralized lmhosts file to be maintained on a server. # It is ALWAYS necessary to provide a mapping for the IP address of the # server prior to the #INCLUDE. This mapping must use the #PRE directive. # In addtion the share "public" in the example below must be in the # LanManServer list of "NullSessionShares" in order for client machines to # be able to read the lmhosts file successfully. This key is under # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares # in the registry. Simply add "public" to the list found there. # # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE # statements to be grouped together. Any single successful include # will cause the group to succeed. # # Finally, non-printing characters can be embedded in mappings by # first surrounding the NetBIOS name in quotations, then using the # \0xnn notation to specify a hex value for a non-printing character. # # The following example illustrates all of these extensions: # # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC # 102.54.94.102 "appname \0x14" #special app server # 102.54.94.123 popular #PRE #source server # 102.54.94.117 localsrv #PRE #needed for the include # # #BEGIN_ALTERNATE # #INCLUDE \\localsrv\public\lmhosts # #INCLUDE \\rhino\public\lmhosts # #END_ALTERNATE # # In the above example, the "appname" server contains a special # character in its name, the "popular" and "localsrv" server names are # preloaded, and the "rhino" server name is specified so it can be used # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv" # system is unavailable. # # Note that the whole file is parsed including comments on each lookup, # so keeping the number of comments to a minimum will improve performance. # Therefore it is not advisable to simply add lmhosts file entries onto the # end of this file. 127.0.0.1 delivery.trafficjunky.net

[veritas3]

If all else fails Erase the entire HD with Eraser and do a clean install of the OS and all programs installed. Hope you had your documents, photos etc backed up so you can do this. If not you will lose everything on the computer. The clean install will correct the problem and speed up the computer. The down side is you lose all data and it takes a lot of effort

[WePledge]

Sounds like you've got one of the so called “recovery viruses”. It drove me nuts for days. I finally found a site
called Cnet.com that has the best help forums for laymen
[me]and they helped me to dig the damned thing out without having to wipe my hard drive again. I'm learning computing the hard and expensive way.