Sobakh Posted January 30, 2010 Hello all, a new user here looking for info on how to fix a problem. Does anyone have some info on a redirect virus on search engines? Every link I click for what I am searching for gets redirected to possibly fraudulent sites, or maybe even legit sites, but the search engines should not do this: multiple redirects. This program I have just purchased doesn't seem to fix the problem. I have been attacked and have no solution to fix the problem. I have tried many of the A/V products out there, top-notch malware programs, but none seem to fix the problem. They all find viruses and cookies and remove them. But the thing is, these are web-mail search engines, not mail software like M$ Office, so how can this be? Here is a log from one I just purchased, because it finds more than any other. I have McAfee and updated the DATs, but it doesn't find any viruses. I'm not positive how I have gotten struck by this. My only solution now is to reinstall; I just did that about two months ago due to a hardware failure (the HD went bad). Any solutions... yes, no?
Sobakh

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 01/30/2010 at 05:06 AM

Application Version : 4.33.1000

Core Rules Database Version : 4540
Trace Rules Database Version: 2352

Scan type : Quick Scan
Total Scan Time : 00:13:13

Memory items scanned : 543
Memory threats detected : 0
Registry items scanned : 479
Registry threats detected : 0
File items scanned : 8408
File threats detected : 16

Trojan.Agent/Gen-FraudLoad
C:\DOCUMENTS AND SETTINGS\myrealname\OSSIOKE.EXE
C:\WINDOWS\SYSTEM32\RIXXW .EXE

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@247realmedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.pointroll[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@dc.tremormedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adserver.adtechus[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@realmedia[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@content.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@tacoda[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@tribalfusion[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@at.atwola[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@network.realmedia[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@pointroll[2].txt
Stjose Posted January 30, 2010 Hi Sobakh, I'm a newbie here, but I'm a tech who deals with this stuff all the time. What you have is a browser hijack. One place you could look is in your hosts file. It's located at C:\WINDOWS\system32\drivers\etc\; in there you'll find a file called hosts with no file extension. Open it with Notepad. Below is what it should look like. If there's anything below "127.0.0.1 localhost", delete it. Otherwise, Google "browser hijack"; I don't want to break any rules here. Good luck, they're usually pretty easy to resolve.

-----------------------------------
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
----------------------------------------
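The hosts-file check above can be automated instead of eyeballed. The script below is an added example and is not code from the thread or from any of the tools mentioned in it. It parses hosts-file text, ignores comment lines and trailing comments, and reports two hijack patterns: a public hostname mapped to a non-loopback address (traffic silently redirected) and a public hostname pinned to loopback (updates or AV vendor sites black-holed). The sample hosts text, the addresses and the hostnames in it are constructed for illustration; on a real machine you would read C:\WINDOWS\system32\drivers\etc\hosts instead. One caveat a practitioner should keep in mind: a kernel-mode rootkit can present a clean copy of the file to user-mode tools, so a clean hosts file does not by itself rule out an infection.

```python
"""Audit a Windows hosts file for hijack-style entries (added example, not from the thread)."""
import ipaddress

# Constructed sample: the default header plus two entries a hijacker might add.
# The IP 198.51.100.23 is a documentation address, not a real attacker host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com        # search traffic redirected (suspicious)
127.0.0.1       update.microsoft.com  # updates black-holed (suspicious)
"""

# Names that legitimately map to a loopback address in a default hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (lineno, address, [hostnames]) for every active mapping.

    Blank lines, full-line comments and trailing '# ...' comments are ignored,
    as the resolver ignores them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is not a mapping
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit_hosts(text):
    """Return a list of (lineno, address, [hostname], reason) findings.

    Anything other than the default loopback->localhost lines is reported,
    with a reason describing which hijack pattern it matches.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, names, "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue  # expected default entry
            if addr.is_loopback:
                reason = "public name pinned to loopback (site black-holed)"
            else:
                reason = "name mapped to non-loopback address (possible redirect)"
            findings.append((lineno, ip, [name], reason))
    return findings


if __name__ == "__main__":
    for lineno, ip, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {', '.join(names)}: {reason}")
```

Running it on the constructed sample flags lines 6 and 7 and stays silent on the two default localhost lines; to audit a real file, replace SAMPLE_HOSTS with the contents of the hosts path quoted in the post.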
Sobakh Posted January 31, 2010 Thanks for your reply. I already checked the hosts file; it's OK. I'm not sure if this is actually called a 'browser hijack'; it's a search engine virus where, when you click on a link in a search, it redirects to other sites, and now, if you have tabs turned on, multiple tabs will start opening. Tip from an online friend: download RootkitRevealer from M$. http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx See the attached file. I also ran SUPERAntiSpyware Pro again, which I just purchased. Nice little program you have here, but it doesn't fix the problem, though it found more malware and Trojans than any other I have tried. I think it's a decent program but doesn't go deep enough. Sobakh

Attachment: RootkitReveal_2.txt
Stjose Posted January 31, 2010 Hmm... Try CWShredder. CoolWebSearch is one of those rascals that's kind of hard to get rid of sometimes.
dk70 Posted January 31, 2010 You could try Hitman Pro http://www.surfright.nl/en/hitmanpro - its main/only feature is removal. Or scan with the ESET online scanner http://www.eset.com/onlinescan/ and Trend's HouseCall http://housecall.trendmicro.com/ Both are almost on-demand scanners with quarantine and all. ESET can save a report of what it finds. Sadly Trend's cannot. Disable McAfee while these run. SAS probably doesn't matter, but also disable/shut down other security stuff you might have running. All should be painless to use, but take it easy. May be simple, may be not. That very old program you used to scan for rootkits points at a couple of strange files. Does not look right, for sure. You should probably try an updated scanner like GMER, but be careful. Try easy solutions first; later you can check with GMER.
Sobakh Posted January 31, 2010 There's no program out there known to mankind that will fix this problem. Seems there is only one thing to do: wipe out... rebuild. Sobakh
dk70 Posted February 1, 2010 Well, if nothing was found and you still have weird redirections, then possibly, but there are special tools for special infections, like Kaspersky's TDSSKiller http://support.kaspersky.com/viruses/solutions?qid=208280684 If you want to scan more, you could use their Virus Removal Tool http://support.kaspersky.com/viruses/avptool2010?level=2 The next step could be a boot CD; Kaspersky has one of those too, or you could seek more/better help. Try searching these forums for ComboFix, a so-called wonder tool, but it depends a bit on who uses it and how well it is scripted as of today... It can be risky to use without a plan B, and perhaps you are not really on top of plan A either. Or it will magically fix everything. Make up your own mind by reading this little guide http://www.bleepingcomputer.com/combofix/how-to-use-combofix I have not seen any dedicated removal section here, but they are all over the place. You can post at the site with ComboFix. But be sure to read the rules and do as you are told, basically. They don't do much unless it is based on log reading, so it is back and forth. It can take some days. Unless you really have something completely unknown, there is a very good chance it can be removed, some way or another. You would not happen to know which download you got the infection from? If you still have that zip, rar or whatever, you could upload it. Probably not a good idea to do it here, but then use drop.io or similar. Then it is easy to check. Even if it is gone, think about what went wrong, and how you can make sure it does not happen again.
Sobakh Posted February 1, 2010 Problem solved, no wipe-out needed, thanks to the poster for the link and to Kaspersky. Kaspersky found the following: 'Rootkit.Win32.TDSS.d' in system memory, stored in my windows\system32\drivers\fasttx2k.sys file. This file belongs to my on-board 'Promise' SATA controller. Kaspersky could not kill or quarantine it. From my laptop, I Googled the file name; it led me to the Kaspersky forum, where they had knowledge of the rootkit and provided a zip file to download. Unzip to C:, then run it from cmd: killed. Reboot. They suggest running Malwarebytes after the reboot; Malwarebytes found 'Rootkit.Agent.H' in a file called '62845211.sys', quarantined, deleted, reboot. Ran both programs again, system clean, went online, tested Google search... Sobakh
dk70 Posted February 1, 2010 Nice. Not much is learned from a format c: But as far as I know, some of those rootkits can, at least until diagnosed, be close to a "wipe out" situation. The damn thing hooks onto stuff the computer needs to run, so what to do? Also I guess it is highly risky to offer an automatic solution. 1 point to Kaspersky for offering extra help. If you feel like uninstalling McAfee, then be my guest, but they all fail with certain infections. Why SAS, Malwarebytes, even Spybot Search & Destroy! Changing AV product every time you experience or hear about problems will make you install/uninstall 24/7. Stick with what you like and can use correctly. You can increase protection without going crazy, perhaps. https://forums.superantispyware.com/index.php?/topic/3466-dns-tip/ is just one way... If on Vista/7, don't turn UAC off; silence it perhaps, but never turn it completely off. Having a good backup policy also works, heh. If you are active on torrents, use many questionable RS links and so on, then you need to adjust your habits, or at least check better. Not saying you are, but high-risk computing requires more than McAfee and SAS.
Guest carolpaul Posted May 13, 2010 Thanks. I am a manager mainly on a China legal consultation service, and you know I mainly help international friends protect their business and rights in China. It is very, very lucky that one customer in the US told us about this place! Thank you so much! I like it! I will introduce it to my other international customers too! Thank you so much and God bless you! Carol www.wincomchina.com.cn www.wincomchina.com
SUPERAntiSpy Posted May 13, 2010 FYI, you were scanning with an old version of SUPERAntiSpyware (4.33). You should always run the latest version; we likely would have picked up the TDSS component. Glad you resolved your problem.