I could use a little tech help with some malware

Jeff-God-of-Biscuits
01/06/2014 at 22:21 • Filed to: None

If anyone has an inclination.

I have run AVG 2014, along with Malwarebytes, and I have not been able to get rid of it. Whenever I do a Google search, it redirects the first link I click to a different site. From then on, the rest of the searches on that page behave as normal. I have gotten trojan warnings from AVG, but it tells me that the threat was removed, only to have it resurface later. I have run both programs from safe mode, let them run full scans multiple times, and I am not having any luck. Any recommendations?

Some Alfas for your trouble.


DISCUSSION (34)


Zipppy, Mazdurp builder, Probeski owner and former ricerboy > Jeff-God-of-Biscuits
01/06/2014 at 22:24

Do your scan while the PC is in safe mode; it's worked most of the time in my case.

EDIT: never mind.


Velocity- Peuguette Connoisseur > Jeff-God-of-Biscuits
01/06/2014 at 22:25

Go to the program editor thing and delete it manually. Control Panel > Programs and Features. Look for stuff that you don't recognize, Google them, and if they are malware, delete them by right-clicking their name.


JGrabowMSt > Jeff-God-of-Biscuits
01/06/2014 at 22:25

Check all of your browsers for extensions, and disable them all.

You can right click on a link and use the "open in new tab" for some moderate success in not getting re-directed.

Find yourself Windows Defender Offline, and burn it to a CD or put it on a flash drive, boot from it, and let it take care of you. After you've done that, post the results, and we'll go from there.

Don't bother with running a "full system diagnostic" because I don't feel like reading the specs of your machine; that's where to start. Also, from now on, don't bother with AVG or Avast, or Malwarebytes, or anything else; just use Microsoft Security Essentials. Nothing else. Also, go into your Internet Options dialog, go all the way to the last tab on the right, and reset all settings to default.

Alfas are nice, I can handle that in return.


StoneCold > Jeff-God-of-Biscuits
01/06/2014 at 22:25

What operating system?

How long has this been occurring?

What site is it directing you to?

Edit: If you're on Windows, use JGrabowMSt's suggestion.


Jeff-God-of-Biscuits > StoneCold
01/06/2014 at 22:29

Vista (yes, I know the hate. But it's been stable for me.)

'Bout a week.

The sites are random, and I have yet to see a pattern.

I am using Firefox; all extensions are up to date.


Jeff-God-of-Biscuits > JGrabowMSt
01/06/2014 at 22:29

I will give that a go.


The Opponaut formerly known as MattP123 > Jeff-God-of-Biscuits
01/06/2014 at 22:33

I use Firefox with a few ad blockers and a redirect cleaner. Also run Spybot Search and Destroy, Malwarebytes, and TDSSKiller. TDSSKiller is great for finding stuff that bogs you down but slips under the radar of most other anti-malware programs.


DoctorDick > Jeff-God-of-Biscuits
01/06/2014 at 22:35

If the malware is bad enough, sometimes removing the problem from a Linux live CD with Malwarebytes gets it. But that could be potentially risky if you're not sure what you're doing.


StoneCold > Jeff-God-of-Biscuits
01/06/2014 at 22:39

Hmmm, I don't know if you caught the edit, but what JGrabow suggests is the correct (if exhaustive) way to go about this. Microsoft Security Essentials has caught a bunch for my clients (I do residential IT on the side), but the way I do it is I throw their hard drive into one of these: http://www.newegg.com/Product/Produc… , connect it to my "virus only" computer and do a custom scan, as well as tracing the plugin/extension/executable to its source with Task Manager.

So TL;DR = go with MSE, and you're probably going to have to trace it too.


StoneCold > The Opponaut formerly known as MattP123
01/06/2014 at 22:42

Didn't know about TDSSKiller; giving it a try now, thanks!


MountainCommand > Jeff-God-of-Biscuits
01/06/2014 at 22:47

The link is not necessarily your problem, but the tools they link to are worth a shot. I recently dabbled in a bit of a problematic situation involving some torrents, and running all of these saved me. Avast didn't even know I had a problem. http://malwaretips.com/blogs/pup-opti…

AdwCleaner

JRT (Junkware Removal Tool)

Malwarebytes Anti-Malware

HitmanPro

Order doesn't really matter, but do HitmanPro last.

EDIT:

Also, get rid of any torrent programs you use. uTorrent was actually the root of one of my problems. They sneak in a download of this program (I missed it...) and it installs something called Spigot. (Check your 'uninstall programs' folder and you will see it if it's there.) Now that I read your post again, this sounds similar. It hijacked the startup of my browser to some random Yahoo search and changed my default search.

Also, I'd recommend getting PeerBlock. It will block any potentially dangerous inbound IP connections and not let you connect to them. I think of it as damage control.


The Opponaut formerly known as MattP123 > StoneCold
01/06/2014 at 22:48

It doesn't always find stuff. You're probably safe with the shorter scan of the two options. But it doesn't hurt to try the full scan. Just make sure the stuff it wants to get rid of is legit junk.


StoneCold > MountainCommand
01/06/2014 at 23:06

It goes to something like 'Conduit' or something, right?

I've had problems with the uTorrent programs with clients, and it was a PITA to fully get off.


Jeff-God-of-Biscuits > Jeff-God-of-Biscuits
01/06/2014 at 23:07

Well, the quick scan came up clean. It is currently about 25% through the C drive scan; not long after start I got the warning that meanie software might be installed. I will post updates as it goes along.


Jeff-God-of-Biscuits > Velocity- Peuguette Connoisseur
01/06/2014 at 23:08

Yeah, that's one of the first places I hit. Nothing there this time, though.


Jeff-God-of-Biscuits > DoctorDick
01/06/2014 at 23:09

Have no fear, Capt Stupid is here!


Jeff-God-of-Biscuits > The Opponaut formerly known as MattP123
01/06/2014 at 23:10

Yeah, usually Malwarebytes catches everything, so I was surprised when it first happened.


MountainCommand > StoneCold
01/06/2014 at 23:15

I'm not sure. I had PeerBlock running, and whenever I launched Firefox it wouldn't load my homepage; rather, it redirected to a Yahoo link. That Yahoo link was blocked by PeerBlock, so I assume it's a bum Yahoo, and not the real thing. Also, it changed my search bar preference without me doing anything.

Supposedly, it's that new update from uTorrent that did it, because when you install it, there is a tiny little blurb about some Yahoo toolbar. I think it's one of those bugs that tries to stat-pad their hit count. Try and make a bigger impression than what they actually are.

Yeah, it was a PITA. I did everything and it still didn't work. But ultimately I had to totally get rid of uTorrent, and it solved the issue.


Jeff-God-of-Biscuits > Jeff-God-of-Biscuits
01/06/2014 at 23:51

Well, it found some trojans and cleaned them. Fired everything back up and did a quick search, only to be directed to an antivirus site, oddly enough. I was looking for ducktail spoilers on eBay, so I think I still have the problem. I am going to do another restart and run a full scan on the entire machine.


Jeff-God-of-Biscuits > The Opponaut formerly known as MattP123
01/06/2014 at 23:53

TDSS didn't catch anything, but I think the problem is still there. Going to run MS Defender again on the full system and see if that does it. Thank you, though, for the links.


The Opponaut formerly known as MattP123 > Jeff-God-of-Biscuits
01/07/2014 at 00:10

No problem. Good luck tracking it down.


DoctorDick > Jeff-God-of-Biscuits
01/07/2014 at 00:24

Huh?


JGrabowMSt > Jeff-God-of-Biscuits
01/07/2014 at 00:45

Always run the full scan. The quick scan doesn't help diddly squat.

You're likely going to need to also do a Winsock reset, if things are starting to look ugly. Most importantly, though, do a full offline scan. When the operating system is running, you will not be able to check for everything. You're likely looking at a TDSS-based virus, which means you're going to need to download the Kaspersky TDSSKiller. It's probably the only thing Kaspersky did that works great. Symantec also has their own version, probably the best piece of software Symantec ever made too; Norton isn't worth a couple of rolls of toilet paper (or one, for that matter). When you run the Kaspersky app (it's a portable exe) you need to check the advanced features and have it detect the TDSS file system, otherwise you may as well not even run it. Symantec will automatically do that, but requires a full restart. In the event you're dealing with the more advanced form of it (sometimes known as Alureon), well, you're going to want to use the Symantec version. MSE will not be able to really clean a boot sector while the OS is running (another reason to use WDO).

I'm off to sleep for the night; I'll check this again in the morning to see how far you've gotten. I strongly suggest you use Firefox/Opera/Chrome if you're not already, and use an ad-blocker add-on. The infection you've contracted is almost always gotten through an ad on a webpage, whether you click on it or not. Always bring a minigun to a knife fight.

EDIT: Also, you're going to want to crack open the MSCONFIG prompt and check the startup options. If you see any entries that are random character strings or run out of the PROGRAM DATA directory, uncheck them. Nothing should run out of Program Data. It's a hidden directory for files that don't run, that you don't need to interact with unless there's a problem. MSCONFIG is not a fix, though; it's a band-aid. Use it when you have to, not because someone heard from their girlfriend's brother that it helped their computer run faster. It doesn't really address the issue. Don't just wildly disable everything either, and don't uncheck things because you don't know what they are. There are plenty of legit entries that have strange names, but there's a fine line between a strange name and a character string. In the past 4 years, I've only come across a single case where I had to resort to a Linux live CD in order to stop an infection. If you can still boot and get onto the internet, you don't have that kind of problem.
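The two checks in the post above (MSCONFIG startup entries that are random character strings or run out of Program Data) and StoneCold's earlier "trace the executable to its source with Task Manager" step, as an added PowerShell example. This is not code from the thread or from any of the posters; the folder list, the random-name heuristic and the function names are my own assumptions. It only reports, so the "don't wildly disable everything" caution above still applies to whoever reads its output. Written for PowerShell 2.0 and up so it fits a Vista-era machine; run it from an elevated prompt.

```powershell
# Added example (not from the thread): read-only audit of Windows autostart
# entries and running processes for two warning signs: a launch path under
# ProgramData (or Temp/AppData) and a name that looks like a random string.
# The heuristics below are assumptions of mine; every hit still needs a human look.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Locations a legitimate product rarely launches from at boot (assumed list).
$suspiciousRoots = @($env:ProgramData, $env:TEMP, $env:APPDATA, "$env:LOCALAPPDATA\Temp") |
    Where-Object { $_ }

function Test-RandomName {
    param([string]$Name)
    # Heuristic: eight or more alphanumerics with no vowel at all, or a long
    # hex-looking string. Odd but real names (ColorMunki, svchost) keep vowels.
    try { $bare = [IO.Path]::GetFileNameWithoutExtension($Name) } catch { return $false }
    if ($bare.Length -lt 8) { return $false }
    if ($bare -match '^[a-z0-9]+$' -and $bare -notmatch '[aeiou]') { return $true }
    if ($bare -match '^[0-9a-f]{16,}$') { return $true }
    return $false
}

function Get-ExePath {
    param([string]$CommandLine)
    # Run values are command lines: "C:\path\x.exe" /args  or  C:\path\x.exe /args
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-SuspiciousPath {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $suspiciousRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function New-Finding($Source, $Name, $Path, $Reasons) {
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Path = $Path; Reason = ($Reasons -join '; ')
    }
}

$findings = @()

# 1. Registry Run/RunOnce keys: what MSCONFIG's Startup tab lists on Vista/7.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $exe = Get-ExePath ([string]$p.Value)
        $reasons = @()
        if (Test-SuspiciousPath $exe) { $reasons += 'runs from ProgramData/Temp/AppData' }
        if (Test-RandomName $p.Name)  { $reasons += 'random-looking entry name' }
        if (Test-RandomName $exe)     { $reasons += 'random-looking file name' }
        if ($reasons) { $findings += New-Finding $key $p.Name $exe $reasons }
    }
}

# 2. Startup folders (per-user and all-users).
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in (Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer })) {
        if (Test-RandomName $file.Name) {
            $findings += New-Finding $dir $file.Name $file.FullName @('random-looking file name')
        }
    }
}

# 3. Running processes: image path plus Authenticode status, i.e. the
#    "trace it to its source with Task Manager" step, scripted.
foreach ($proc in Get-Process) {
    try { $path = $proc.Path } catch { continue }   # protected processes may refuse access
    if (-not $path) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $reasons = @()
    if (Test-SuspiciousPath $path)  { $reasons += 'runs from ProgramData/Temp/AppData' }
    if ($sig.Status -ne 'Valid')    { $reasons += "signature: $($sig.Status)" }
    if (Test-RandomName $proc.Name) { $reasons += 'random-looking process name' }
    if ($reasons) { $findings += New-Finding 'process' $proc.Name $path $reasons }
}

$findings | Sort-Object Source, Name | Format-Table Source, Name, Path, Reason -AutoSize -Wrap
```

Treat the signature column as a prompt to look, not a verdict: many Windows components are catalog-signed rather than carrying an embedded signature, so on older PowerShell versions they report NotSigned even though they are Microsoft's. The ColorMunki case mentioned later in the thread is exactly why the script lists a reason next to each hit instead of deciding for you.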


Jeff-God-of-Biscuits > DoctorDick
01/07/2014 at 07:35

I played with Linux once a long time ago, but I might as well have been trying to install it on a dead badger. That would make me the Capt.


Tstanisch > Jeff-God-of-Biscuits
01/07/2014 at 08:41

AVG is your problem. Install ESET Antivirus, get CCleaner and get rid of all temp files. Check your list of programs and uninstall anything that looks like it doesn't belong there.


Jeff-God-of-Biscuits > JGrabowMSt
01/07/2014 at 09:02

Strangely enough, I do have two legit programs that run out of Program Data. I have a ColorMunki from X-Rite, and their calibration software seems to run from there. Full computer scan found nothing, after finding the ones from the C drive alone. Off to try the next ones...

I have been running Firefox, though I have not had an ad blocker. I'm gonna try the Kaspersky here in a bit; I can only take a little bit at a time during the day since they decided to close schools because it was cold. Grrrrrrr. Gee, thanks, Fairfax.


DoctorDick > Jeff-God-of-Biscuits
01/07/2014 at 14:22

Oh, ok, I thought you were calling me the captain. Actually, you wouldn't have to install anything; I believe there is a Malwarebytes live CD. You simply plug it into your USB port, then boot into it. In some cases running Malwarebytes outside of the Windows system can be more effective.

But if you really don't want to run that method... I would try editing your msconfig so that only necessary programs come up, then run Malwarebytes. Sometimes the nasty sort of programs can run apps in the background from boot that make sure you can't remove the infection.

That's what I suggest from experience (have worked on computers for money as a side thing for a few years).


JGrabowMSt > Jeff-God-of-Biscuits
01/07/2014 at 17:16

How's that machine doing? I work in a computer shop, so I'm curious to know how well it's going at this point.

Long way away from Fairfax, but same time zone at least. If you're stuck, make sure you reply to something I posted, and I'll get back to you. I'm usually lurking on oppo for several hours in the evenings.


Jeff-God-of-Biscuits > JGrabowMSt
01/08/2014 at 01:00

Well, it's still doing the redirects in Firefox. I have run WD off a USB stick; I have run AVG Rescue off a USB stick; I have run Malwarebytes, and I have also run TDSS from Kaspersky. I have also run them in safe mode. I am kinda stumped, although I am somewhat amused that the redirects are aiming me towards antivirus program sites! The irony is not lost, but the amusement is wearing thin. So far, it seems only to redirect the first result I click from a Google search, regardless of its order in the results. After that, I look at the link, and it's still blue, indicating unvisited, and on the second attempt it takes me to the correct page. Other links on the same search will also take me to the correct page, but if I go to another search, it will reload the redirect. So, that's where I stand at the moment, and as you know, it's almost 1, which means I am off to bed. Good news is that I tracked down the intermittent USB problems I was having: bad connection on the back of the machine! Anyway, I will persevere and, eventually, triumph. Right now, it's more like a TR-7 with Lucas electrics, but that's beside the point.


JGrabowMSt > Jeff-God-of-Biscuits
01/08/2014 at 09:12

Have you done a full reset in Internet Options in the Advanced tab?
Time to look into the Winsock reset. There is a specific one for Vista; I will try and get you a direct link today.
Are all browser add-ons disabled?
If you boot into Safe Mode with Networking, does it still happen?
Have you found/run the Symantec TDSS fix?
Also try reinstalling Firefox, and installing another browser to check with that as well.


Jeff-God-of-Biscuits > JGrabowMSt
01/08/2014 at 10:31

Have you done a full reset in Internet Options in the Advanced tab?
I didn't see that as a menu choice. I looked through all the different tabs, but never found it. Firefox 26.0.

Time to look into the WinSock reset. There is a specific one for Vista, I will try and get you a direct link today.
I will also look myself and see if I can find it.

Are all browser addons disabled?
Yep.

If you boot into Safe Mode with Networking, does it still happen?
I have yet to try that, good idea! I did notice that it seemed to go into remission while I was running Malwarebytes. I attempted to make it occur while running a scan and could not duplicate it.

Have you found/run the Symantec TDSS fix?
I have not done the Symantec version, but I will.

Also try reinstalling Firefox, and installing another browser to check with
I have a scan running at the moment, and I could not duplicate it in either Firefox or IE 9. I am going to re-attempt once the scan wraps up. Thanks again for taking all the time to help. This one seems pretty well dug in, and if it is aware, then kinda neat! (Well, and scary too.)


JGrabowMSt > Jeff-God-of-Biscuits
01/08/2014 at 11:50

Internet Options in the Control Panel, not Firefox. It will affect all browsers if something isn't configured correctly.
I wouldn't consider a virus to be a program that's aware, but there are some that will consistently replicate files to prevent them from being removed. Those typically need to have the drive removed and scanned through another machine to fix.
Skynet is a few more years away.
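The point made above, that Internet Options is a machine-wide setting every browser honours, plus the Winsock reset suggested earlier in the thread, as an added PowerShell example. It is not code from the thread or from any poster; it reads the WinINET proxy values, the per-adapter DNS servers and the Winsock provider catalog, and the rule for flagging a provider ("outside %SystemRoot%") is my own assumption. Read-only; PowerShell 2.0+, elevated prompt.

```powershell
# Added example (not from the thread): show the system-wide network settings
# that can redirect every browser on a machine, before anyone reaches for a
# reset. Nothing here changes a setting; the flagging rules are assumptions.

# 1. WinINET proxy (Internet Options > Connections > LAN settings). A rogue
#    proxy or auto-config (PAC) URL here steers all browsers that use it.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
New-Object PSObject -Property @{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
} | Format-List ProxyEnable, ProxyServer, AutoConfigURL
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning 'A proxy or PAC script is configured; confirm you set it yourself.'
}

# 2. DNS servers actually in use per adapter. An unfamiliar resolver is another
#    way search results get steered without touching the browser at all.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPEnabled, @{ n = 'DNS'; e = { $_.DNSServerSearchOrder -join ', ' } } |
    Format-Table -AutoSize -Wrap

# 3. Winsock catalog: the provider DLLs a "netsh winsock reset" rebuilds.
#    Parses the "Provider Path:" lines of the netsh listing and flags any DLL
#    that lives outside %SystemRoot% or no longer exists on disk.
$systemRoot = $env:SystemRoot
$providers = netsh winsock show catalog | ForEach-Object {
    if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') {
        [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
} | Sort-Object -Unique
foreach ($dll in $providers) {
    $outside = -not $dll.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
    $exists  = Test-Path $dll
    $flag = if ($outside) { 'OUTSIDE SystemRoot' } elseif (-not $exists) { 'MISSING file' } else { 'ok' }
    '{0,-20} {1}' -f $flag, $dll
}
```

If the proxy section or the catalog shows something you did not configure, that is the moment the Internet Options reset and `netsh winsock reset` from earlier in the thread make sense, because you now know what they will be undoing; running the script again afterwards confirms the change stuck.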


JGrabowMSt > Jeff-God-of-Biscuits
01/09/2014 at 17:09

Do yourself a favor, and find and run ComboFix, from Bleeping Computer. I nearly forgot about this because I have a laundry list of other things that I use before I resort to that.

Watch out on the Bleeping Computer website, it's got a ton of ads. That might be able to help you out with what you're having trouble with, if you're still having problems.


Jeff-God-of-Biscuits > JGrabowMSt
01/09/2014 at 23:34

I will give it a try. Right now it is in remission or gone... Not sure which. I still need to keep going until I see proof that it is gone before I will be comfortable though. Thanks again for all the help. I will let you know what I find out, if anything.