IE8, FF, Yahoo

[Sobakh]

Hello all, a new user here looking for inf. on how to fix a problem.

Anyone maybe have some info on redirect virus on search engs.

Every link I click for what I searching for gets redirected

to some possible fraudulent sites or may even legit sites but

the search engs should not do this, multi-redirects.

This program I have just purchased doesn't seem to fix the problem.

I have been attacked and no solution to fix the problem, I have tried

many of the A/V out their, top notch malware programs, but none seem

top fix the problem. They all find virus and cookies and removes them.

But the thing is, these are web mail search engs. not software mail like

M$ Office, So how can this be, here is a log from one I just purchased

because it finds more than any other, I have McAfee and updated the

dats, but doesn't find any viruses. I'm not positive how I have gotten

struck by this.

My only solution now is to reinstall, just done that about two months

ago due to hardware failure (hd) went bad.

Any solutions... yes, no?

Sobakh

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 01/30/2010 at 05:06 AM

Application Version : 4.33.1000

Core Rules Database Version : 4540

Trace Rules Database Version: 2352

Scan type : Quick Scan

Total Scan Time : 00:13:13

Memory items scanned : 543

Memory threats detected : 0

Registry items scanned : 479

Registry threats detected : 0

File items scanned : 8408

File threats detected : 16

Trojan.Agent/Gen-FraudLoad

C:\DOCUMENTS AND SETTINGS\myrealname\OSSIOKE.EXE

C:\WINDOWS\SYSTEM32\RIXXW .EXE

Adware.Tracking Cookie

C:\WINDOWS\system32\config\systemprofile\Cookies\system@247realmedia[1].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.pointroll[1].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@dc.tremormedia[1].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@adserver.adtechus[1].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@realmedia[2].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@content.yieldmanager[1].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@tacoda[2].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@tribalfusion[2].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@at.atwola[2].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@network.realmedia[2].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[2].txt

C:\WINDOWS\system32\config\systemprofile\Cookies\system@pointroll[2].txt

[Stjose]

Hi Sobakh

I'm a newbe here but I'm a tech who deals with this stuff all the time. What you have is a Browser Hijack. One place you could look is in your hosts file. It's located at C:\WINDOWS\system32\drivers\etc\ in there you'll find a file called hosts with no file extension.

Open it with notepad.

This below what it should look like..

If there's anything below "127.0.0.1 localhost" delete it..

Otherwise google "Browser hijack", don't want to break any rules here..

Good luck, they're usually pretty easy to resolve..

-----------------------------------

# Copyright © 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

----------------------------------------

[Sobakh]

Thanks for ur reply,

Already checked the host file, it(s)ok.

Not sure if this is actual called a 'browser hijack', is a search eng. virus

where as u click on a link in a search which redirects to other sites, also now

if u have tabs turned on multi-tabs will start opening.

Tip from an online friend, download RootkitRevealer from M$.

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

See attached file, also ran SUPERAntiSpywarePro again which I just purchased.

Nice little program u have here, but doesn't fix the problem.

Tho, It found more malware and Trojan than any other I have tried.

I think it(s) a decent program but doesn't go deep enough.

Sobakh

RootkitReveal_2.txt

[Stjose]

Humm..

Try CWShredder.. Cool Web is one of those rascles that's kind of hard to get rid of sometimes..

[dk70]

You could try Hitman Pro http://www.surfright.nl/en/hitmanpro - main/only feature is removal.

Or scan with ESET online scanner http://www.eset.com/onlinescan/ and Trends HouseCall http://housecall.trendmicro.com/

Both are almost on-demand scanners with quarantine and all. ESET can save a report of what it finds. Sadly Trends can not.

Disable Mcafee while this run. SAS probably don't matter but also disable/shutdown other security stuff you might have running.

All should be painless to use but take it easy.

May be simple, may be not That very old program you used to scan for rootkit points at couple of few strange files. Does not look right for sure. Should probably try an updated scanner like Gmer, but be careful. Try easy solutions first - later you can check with Gmer.

[Sobakh]

Their no program out their known to man kind will fix this problem,

seems only one thing to do, wipeout.... rebuild.

Sobakh

[dk70]

Well if nothing was found and you still have weird redirections then possible but there are special tools for special infections, like Kasperskys TDSSkiller http://support.kaspersky.com/viruses/solutions?qid=208280684

If you want to scan more you could their Virus Removal Tool http://support.kaspersky.com/viruses/avptool2010?level=2

Next step could be a boot-cd, Kaspersky have one of those too, or you could seek more/better help. Try search these forums for combofix a so called wonder tool but it depends a bit on who use it and how well it is scripted as of today... Can be risky to use without a plan B and perhaps not really on top of Plan A either. Or it will magically fix everything. Make up your own mind by reading this little guide http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Have not seen any dedicated removal section here but they are all over the place. You can post at the site with Combofix. But be sure to read rules and do as you are told basically. They don't do much unless based on log-reading so it is back and forth. Can take some days. Unless you really have something completely unknown there is very good chance it can be removed. Some way or another.

You would not happen to know which download you got infection from? If you still have that zip, rar or whatever you could upload it. Probably not a good idea to do it here but then do drop.io or similar. Then easy to check. Even if gone think about what went wrong, and how you can make sure it does not happen again.

[Sobakh]

Problem solved, no wipe out needed, thanks to the poster for the link

and Kasper

Kasper found the following 'Rootkit.Win32.TDSS.d in system memory, stored

in my windows/system32/drivers/fasttx2k.sys file, this file belongs to my

on-board 'Promise" sata controller, Kasper could not kill or quarantine,

From my laptop, google search the file, it lead me to Kasper forum, they

had knowledge of the rootkit, provided a zipfile to download, unzip to c:

then cmd to execute, killed, reboot, they suggest run malwarebytes after

reboot, malwarebytes found 'Rootkit.Agent.H' in a file called '62845211.sys,

quarantined, deleted, reboot ran both programs again, system clean, went online,

test google search...

Sobakh

[dk70]

Nice. Not much learned from a format c: But as far as I know some of those rootkits can at least until diagnosed be close to a "wipe out" situation.

Damn thing hooks on to stuff computer needs to run so what to do? Also I guess highly risky to offer an automatic solution. 1 point to Kaspersky for offering extra help.

If you feel like uninstalling Mcafee then be my guest but they all fail with certain infections. Why SAS, Malwarebytes, even Spybot&Destroy! Changing AV product every time you experience or hear about problems will make you install/uninstall 24/7 Stick with what you like and can use correctly. You can increase protection without going crazy perhaps. https://forums.superantispyware.com/index.php?/topic/3466-dns-tip/ just one way... If on Vista/7 don't turn UAC off, silent it perhaps but never completely off. Having good backup policy also works, heh.

If active on torrents, use many questonable RS links and so on then you need to adjust habits, at least check better Not saying you are but high risk computing require more than Mcafee, SAS.

[Guest carolpaul]

Nice. Not much learned from a format c: But as far as I know some of those rootkits can at least until diagnosed be close to a "wipe out" situation.

Damn thing hooks on to stuff computer needs to run so what to do? Also I guess highly risky to offer an automatic solution. 1 point to Kaspersky for offering extra help.

If you feel like uninstalling Mcafee then be my guest but they all fail with certain infections. Why SAS, Malwarebytes, even Spybot&Destroy! Changing AV product every time you experience or hear about problems will make you install/uninstall 24/7 Stick with what you like and can use correctly. You can increase protection without going crazy perhaps. https://forums.superantispyware.com/index.php?/topic/3466-dns-tip/ just one way... If on Vista/7 don't turn UAC off, silent it perhaps but never completely off. Having good backup policy also works, heh.

If active on torrents, use many questonable RS links and so on then you need to adjust habits, at least check better Not saying you are but high risk computing require more than Mcafee, SAS.

Thanks

I am a manager mainly on China legal consultation service and you know I mainly help international friends protect their business and rights in China. It is very very lucky that one customer in US tell us the place! Thank you so much,! I like it! I will introduce to my other international customers too!

Thank you so much and God bless you!

Carol

www.wincomchina.com.cn

www.wincomchina.com

[SUPERAntiSpy]

FYI, you were scanning with an old version of SUPERAntiSpyware (4.33) - you should always run the latest version, we likley would have picked up the TDSS component. Glad you resolved your problem.