Free Republic
General/Chat

Help with Computer (Redirects in Search Engine)
7-9-2011 | raybbr

Posted on 07/09/2011 9:03:47 PM PDT by raybbr

My wife's laptop is infected with some sort of redirect virus. I have tried Malwarebytes, ComboFix, F-Secure, Microsoft Security Essentials and nothing has worked.

It happens when I do a search in FF or IE using any search engine. The site returns results but if you click on any of the direct result links you get re-directed to a site that is mostly spam with further links.

There are plenty of threads on bleepingcomputer.com. I have tried everything I can think of. Any help will be appreciated.

raybbr


TOPICS: Computers/Internet
To: raybbr

...ask the Freeper who used to consult for Norton and Avast’s rootkit-hunting system. Some of the Freepers were correct, but how they said it was wrong.


21 posted on 07/09/2011 9:40:38 PM PDT by max americana (FUBO NATION 2012 FAK BARAK)
[ Post Reply | Private Reply | To 19 | View Replies]

To: raybbr

No, it worked for me on the desktop. Let me search a bit.

I assume you unzipped it and double-clicked on

Disinfection of an infected system TDSSKiller.exe?

From http://support.kaspersky.com/viruses/solutions?qid=208280684

Download the file TDSSKiller.zip and extract it (use an archiver, for example WinZip) into a folder on the infected (or potentially infected) PC.

Execute the file TDSSKiller.exe.

Wait for the scan and disinfection process to be over. It is necessary to reboot the PC after the disinfection is over.


22 posted on 07/09/2011 9:42:59 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Netizen

don’t have Yahoo toolbar. Won’t ever load it.


23 posted on 07/09/2011 9:43:38 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: EvilOverlord
I assume you unzipped it and double-clicked on Disinfection of an infected system TDSSKiller.exe?

Yep, and tried to run it both from the folder and the desktop. It looks like it's starting but I never see anything else.

24 posted on 07/09/2011 9:45:03 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: UB355

I couldn’t delete or disable the yahoo toolbar since my email account is yahoo. I need it. I do have a lot of things I don’t use disabled in there though. I like the AdBlock though. :)


25 posted on 07/09/2011 9:45:34 PM PDT by Netizen
[ Post Reply | Private Reply | To 18 | View Replies]

To: raybbr

From BleepingComputer.com : http://www.bleepingcomputer.com/forums/topic400716.html

Let’s confirm you are running it properly. Is this a 64 bit system? That would be a problem.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky’s website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
•Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.

•If TDSSKiller does not run, try renaming it.

•To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

•Click the Start Scan button.

•Do not use the computer during the scan

•If the scan completes with nothing found, click Close to exit.

•If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

•Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

•A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).


26 posted on 07/09/2011 9:45:36 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 19 | View Replies]

To: EvilOverlord

I am now in Safe mode and it still won’t work.


27 posted on 07/09/2011 9:45:54 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: raybbr

What search engine is taking over?


28 posted on 07/09/2011 9:46:47 PM PDT by Netizen
[ Post Reply | Private Reply | To 23 | View Replies]

To: raybbr
Rename it to something random with extension ".com" (rootkit blocks execution of many programs).

From the manual: 2.Before you can run TDSSKiller, you first need to rename it so that you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now edit the name of the file and should name it a random name with the .com extension. For example, 123.com or 23kjasd123.com.
29 posted on 07/09/2011 9:46:56 PM PDT by alecqss
[ Post Reply | Private Reply | To 19 | View Replies]

To: EvilOverlord

DL’ed the newest exe file and it still won’t run. GRRRRRRR!


30 posted on 07/09/2011 9:56:34 PM PDT by raybbr (People who still support Obama are either a Marxist or a moron.)
[ Post Reply | Private Reply | To 26 | View Replies]

To: raybbr

Here’s a Youtube video related to TDSS:

http://www.youtube.com/watch?v=TLVifFbLIso&feature=related


31 posted on 07/09/2011 9:58:30 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 27 | View Replies]

To: raybbr

Here’s a Youtube video related to TDSS:

http://www.youtube.com/watch?v=TLVifFbLIso&feature=related


32 posted on 07/09/2011 9:58:35 PM PDT by EvilOverlord (Socialism makes workers into slaves and couch potatoes into kings)
[ Post Reply | Private Reply | To 27 | View Replies]

To: raybbr

Get to system restore with command prompt. Type “rstrui.exe” without the quotation marks. This will let you restore without the virus interfering. I have used this many times. If this doesn’t work, for the whole sequence, google system restore from command prompt. It has worked for the worst bugs I have seen, and I picked up some nasties.


33 posted on 07/09/2011 9:58:56 PM PDT by TStro
[ Post Reply | Private Reply | To 27 | View Replies]

To: raybbr

Go to www.majorgeeks.com and follow the instructions to the tee. It is a nasty bug and it will take some work to cure it.


34 posted on 07/09/2011 10:12:53 PM PDT by usnadad
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

This just happened to me. I’ve tried to rid the browser redirects when using Bing search on my WinXP Pro for over a week now. After many tries with Norton, I found that this Microsoft file worked for me. It is a free malware scan done by Microsoft. The file name is msert dot exe and can be downloaded from this Microsoft site:
http://www.microsoft.com/security/scanner/en-us/default.aspx
I selected the 32bit option. I did the quick scan first followed by the full scan and discovered that I had 3 Trojan virus files on my computer. Believe me, I never go to weird sites, so I was shocked to have discovered the url redirect virus on my computer. Norton must have been contacted about their scans not picking it up because my Norton Internet Security now scans for “Security: URL Redirect” ... finally.
Hope this works for you.


35 posted on 07/09/2011 10:13:00 PM PDT by Pali Pass
[ Post Reply | Private Reply | To 1 | View Replies]

ph


36 posted on 07/09/2011 10:31:35 PM PDT by xone
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

The web site spywareinfo (. com) was always a fantastic site for getting guidance, and free also. They helped me several years ago when my computer had a redirect virus.

Took us a while but I followed every step the guy gave me. It worked!

Unfortunately, the last couple of times I tried to get advice on other problems, I never got an answer. I guess they are so overloaded now with requests, it’s hard to get help. But you might give ‘em a try.


37 posted on 07/09/2011 10:32:10 PM PDT by Cedar
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr
You opened the file with Notepad, right? It is not the filename itself that has a # in front of it. It is the lines in the text file. There should be many lines that begin with a #, because those are just comments on how to use the file to block bad websites, etc. When you open the file it should look like the below, and you can see the one line I've left after the # lines, which has the effect of blocking access to "delivery.trafficjunky.net" by redirecting it back to the PC itself. Some adware blockers like "SpyBot" will add lines to this section to block known malicious websites, but if the line doesn't begin with 127.0.0.1 you should delete that line.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
#      #PRE
#      #DOM:<domain>
#      #INCLUDE <filename>
#      #BEGIN_ALTERNATE
#      #END_ALTERNATE
#      \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
# 102.54.94.102    "appname  \0x14"                    #special app server
# 102.54.94.123    popular            #PRE             #source server
# 102.54.94.117    localsrv           #PRE             #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.

127.0.0.1 delivery.trafficjunky.net
38 posted on 07/09/2011 11:10:24 PM PDT by Kellis91789 (There's a reason the mascot of the Democratic Party is a jackass.)
[ Post Reply | Private Reply | To 15 | View Replies]
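The hosts-file check described in the post above, as an added example that is not part of the original thread or of any poster's code: a small Python script that parses a hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) and classifies every entry. It generalizes the poster's "must begin with 127.0.0.1" rule: a name mapped to any loopback or unspecified address (127.x, ::1, 0.0.0.0) is only black-holed and cannot be redirected anywhere, a name mapped to any other address is a redirect, and a search engine or security-vendor site is flagged whether it is redirected or black-holed, because blocking a vendor's site is how malware keeps cleanup tools from running or updating. It also reports each entry's line number and how many blank lines precede it, since hijack entries are sometimes parked far below the comment header so they scroll out of view in Notepad. The sample hosts file, the high-value domain list, the 50-blank-line threshold and the 203.0.113.7 address are all constructed for this example.

```python
"""Audit a hosts file for search-redirect tampering (example code, constructed here)."""
import ipaddress
from dataclasses import dataclass, field

# Names worth a high-severity alert when redirected or blocked. Constructed for the
# example; a real list would cover all search engines, AV vendors and OS-update hosts.
HIGH_VALUE_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "kaspersky.com", "malwarebytes.org", "bleepingcomputer.com",
)
# Ranges in which a static mapping is plausibly something the user added on purpose.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]
HIDDEN_PADDING = 50          # blank lines before an entry that we treat as deliberate hiding
SEVERITY_RANK = {"info": 0, "warn": 1, "high": 2}


@dataclass
class Finding:
    line_no: int
    severity: str
    raw: str
    reasons: list = field(default_factory=list)


def is_high_value(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in HIGH_VALUE_SUFFIXES)


def audit_hosts(text):
    """Return one Finding per noteworthy entry, in file order; stock localhost lines are silent."""
    findings = []
    blank_run = 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            blank_run += 1
            continue
        padding, blank_run = blank_run, 0
        body = line.split("#", 1)[0].strip()          # drop a trailing comment
        if not body:
            continue                                   # comment-only line
        fields = body.split()
        addr, names = fields[0], fields[1:]
        notes = []                                     # (severity, reason)
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
            notes.append(("warn", f"first field {addr!r} is not an IP address"))
        if ip is not None and not names:
            notes.append(("warn", "address with no hostname"))
        elif ip is not None and (ip.is_loopback or ip.is_unspecified):
            # Black-hole entries: harmless ad blocking, unless the target is a security site.
            for n in names:
                if n.lower() == "localhost":
                    continue                           # the stock mapping
                if is_high_value(n):
                    notes.append(("high", f"black-holes security/update site {n} (blocks cleanup)"))
                else:
                    notes.append(("info", f"black-holes {n}"))
        elif ip is not None:
            on_lan = any(ip in net for net in LAN_NETS)
            for n in names:
                if is_high_value(n):
                    notes.append(("high", f"redirects {n} to {ip}"))
                elif on_lan:
                    notes.append(("info", f"static LAN mapping {n} -> {ip}"))
                else:
                    notes.append(("warn", f"redirects {n} to external address {ip}"))
        if padding >= HIDDEN_PADDING:
            notes.append(("high", f"entry hidden below {padding} blank lines"))
        if notes:
            severity = max((lvl for lvl, _ in notes), key=SEVERITY_RANK.__getitem__)
            findings.append(Finding(line_no, severity, line, [why for _, why in notes]))
    return findings


def flagged_names(text):
    """Hostnames on high-severity lines: what the hijacker redirected or blocked."""
    out = set()
    for f in audit_hosts(text):
        if f.severity == "high":
            out.update(n.lower() for n in f.raw.split("#", 1)[0].split()[1:])
    return out


# Constructed sample, not a real capture: stock header, a user's ad block, a LAN mapping,
# then 120 blank lines hiding a search-engine hijack and a block on an AV vendor's site.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "127.0.0.1       delivery.trafficjunky.net   # ad server black-holed by the user\n"
    "192.168.1.10    nas.local\n"
    + "\n" * 120 +
    "203.0.113.7     www.google.com\n"
    "203.0.113.7     www.bing.com search.yahoo.com\n"
    "127.0.0.1       www.malwarebytes.org\n"
    "not-an-ip       foo\n"
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f.line_no:>4} [{f.severity}] {'; '.join(f.reasons)}")
```

Run it with the path to the hosts file as its only argument; with no argument it audits the embedded sample and reports the two hidden lines at 128 and 130 as high. A clean result only rules out this one mechanism: a rootkit that intercepts traffic in the kernel, as the TDSS family this thread is chasing does, leaves the hosts file untouched.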

To: raybbr

If all else fails, erase the entire HD with Eraser and do a clean install of the OS and all programs installed. Hope you had your documents, photos etc. backed up so you can do this. If not you will lose everything on the computer. The clean install will correct the problem and speed up the computer. The down side is you lose all data and it takes a lot of effort.


39 posted on 07/09/2011 11:51:03 PM PDT by veritas3
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr
Sounds like you've got one of the so-called “recovery viruses”. It drove me nuts for days. I finally found a site called Cnet.com that has the best help forums for laymen [me] and they helped me to dig the damned thing out without having to wipe my hard drive again. I'm learning computing the hard and expensive way.
40 posted on 07/10/2011 2:45:20 AM PDT by WePledge (Ich werde fur immer ein Hollenhund werden. Semper Fidelis)
[ Post Reply | Private Reply | To 1 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson