Redirect Issue

Status
Not open for further replies.

DeathsDesign

I am having issues when I search for something. A lot of the time it will attempt to redirect me. Now that I have ZoneAlarm installed it will not go to the site at all, but I can still see it is trying to go to a site starting with poiskin.ru. Before the ZA install the redirect would take me to the areaconnect.com site.

I have followed the 8 steps and am attaching my logs. TIA for any help you can give me.



Noticed that now it does not redirect me just goes back to the same search results page, but if I click on the link again, then it goes to the correct website. I am very confused. TIA.
 

Attachments

  • mbam-log-2009-04-19 (09-51-02).txt
    841 bytes · Views: 6
  • hijackthis.log
    4.3 KB · Views: 6
Looks like that took care of it!! thanks a million :)

So my HJT log looks ok then, right? (I did not see anything suspicious on it either.)
 
Hint...
use edit, rather than making multiple consecutive posts... keeps things cleaner.

I am not an expert on HJT... and I am out of time for tonight.
I'll look more closely tomorrow, but maybe someone else can look it over in the meanwhile?

Glad you had good results with the fix...
Did you use the TechSpot information, or Major Geeks, or both, or...?

HJT exam...
Other than some possible performance tweaks,
the only thing I see to check in your HJT report is to make sure Java is up to date.
Should be version 6, update 13.
https://www.techspot.com/downloads/6463-java-se.html

Hmmm... I see that Touch is giving you help... looks like you are in good hands.
G'luck!
 
They both were pretty much the same thing and it seemed to have worked.



That was the last remnant of the dang Virut virus. Spent two and a half days cleaning that sucker off my system, and that Goored rascal was the last bit of it. Thanks!!
 
Hijackthis log looks clean ;)


So I am safe in assuming my 2 1/2 days of toiling over this virut.56 virus was successful? Is there anything else I can do to make sure I am completely free of this nasty nasty virus?


Let's see, I have run Malwarebytes--now clean.. SAS--now clean-- Kaspersky and eowid(sp?) caught a couple of backdoors and processes running on explorer.exe near the end of the cleaning. Had to replace user32.dll. DrWeb found tons of stuff and cured them. Avast says I am clean. I am just asking because it seems the majority vote is that with the virut.56 virus it's best to format and forget it all; I was not willing to do that until absolutely necessary, so I want to make sure I am good to go.

Thanks again everyone. I love hunting down and killing virii, and if you give me a clean bill of health I am going to rank this up with my 'biggest game' ever kill ;-)



Almost forgot, when I was waiting for an initial reply to this thread, I saw some others that suggested ComboFix. I tried that (renaming combofix), disabled on-access protection with Avast, disabled Diskeeper Pro, disabled Probe II, disabled SixEngine (Asus MB tool), and yet when I ran ComboFix it stayed on the screen stating 'scanning for infected files this could take ten minutes but a more infected machine could take twice as long'. That ran for almost 8 hours with no change, still that prompt with the cursor blinking two lines down. I did not click on the screen or touch the computer in any way, yet I did not see that it did anything, so I stopped it. (I have a TB HD with about 500GB used.)

Thanks again y'all.
 
You haven't mentioned the virut.56 virus before; that's why I assumed the computer was clean, which it apparently is not.

I'll therefore suggest you run this scan tool ->


Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr)
or here (http://www.forospyware.com/sUBs/dds)

And then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Attach DDS.txt back to your topic.
 
Ok, I tried running that, and when I did the window popped open and I got the message "'sort' is not a recognized as an internal or external command" and then "sort.exe is not a recognized internal or external command or operable batch file", then it just sits there. Is there something else I need to do?

Sorry, kind of slow this morning. There was no sort.exe in my windows/system32 folder; copied the one from servicepackfile/i386, gonna run the .scr now.


Ok, here ya go
 

Attachments

  • DDS.txt
    14.1 KB · Views: 6
Yes, it looks like explorer.exe is infected. I'll therefore suggest you run the F-Secure online scanner.

Please run F-Secure online scanner Here:
http://support.f-secure.com/enu/home/ols.shtml

Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and attach the entire report in your next reply.
 
Unfortunately no :(

Reboot to safe mode, and see if ComboFix will run properly there. If it will, please attach the log (C:\combofix.txt) in your next reply.
 
It will work. The missing sort.exe was preventing it from running as well.

brb

Here ya go

I am going to run Stinger and the DrWeb live CD and post those results, and will await your reply tomorrow. Thanks again.

Stinger found nothing. DrWeb LiveCD found one exe that was in a quarantine folder, and another file located in Application Data\firefox\profiles. It was a '*.default' file, and it was deleted.

Did another F-Secure online scan this morning. Now it shows all clean. virustotal.com still says explorer.exe is infected with the same two virii. No other scanner, online or otherwise, is picking them up though. False positive maybe?
 
Ok. Then I'll suggest you run a System File Check ->

To do this simply go to the Run box on the Start Menu and type in:

sfc /scannow

Note the space between the c and the /

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

Reboot, and have explorer.exe checked again at VirusTotal.
 
Ok, ran sfc, rebooted, uploaded explorer.exe to virustotal.com... same results. Hope ya have some more tricks up your sleeve. I have an idea, but I am waiting till we exhaust every other option, as I am not sure if it will work.
 
I'm always open for ideas ;)


Start the computer from the Windows XP CD-ROM.
Press ENTER at the "Setup Notification" screen. Press R to repair a Windows XP installation, and then press C to use the Recovery Console. The Recovery Console then prompts you for the administrator password. Hit Enter.

From the command prompt you can expand the file. Type:

expand E:\I386\explorer.ex_ %systemroot%\explorer.exe

Reboot, and tell me how things go.

This assumes E is your CD drive; otherwise, use the correct letter.
 
Pffft, fine. LOL, that is what I was going to do, with one minor addition. Before replacing the explorer.exe I was going to re-download XP SP3, and then after replacing explorer.exe I was going to boot into safe mode and reinstall SP3, since the explorer I have on CD is SP2. What do you think? I'll wait for your reply. Thanks again.
 
Hmmm, ok, very odd. When I expanded explorer.exe from my CD and then booted into safe mode and ran SP3 and then booted and uploaded the explorer.exe to virustotal.com, it gave me the same dang results with the same two 'infections'. So I expanded again (deleting explorer.exe within the Recovery Console first), then booted without reinstalling SP3 and uploaded the file, and everything is now great. No infections.


Why would installing SP3 make those two infections come back again?



Don't suppose anyone else with SP3 can upload explorer.exe to virustotal.com and see what results they get?
 
You're right, it sounds odd. I've scanned my "own" explorer.exe; all the scanners said -
Found nothing

It sounds like your computer is clean now?
 
Yeah, I guess it is... I did run Ultimate Boot CD and ran Avira off there, and it found a couple more backdoors/trojans... but I think/hope I'm good now.. thanks....


Do you only do the virus thread? I have a question in the 'other software' section, but it does not look like many people are on it very much.
 
Is it the ZoneAlarm messages you mean?


It is time for the clean-up procedure ->

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.


Please download OTCleanIt and save it to your desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.

Please note: it will NOT remove MBAM, CCleaner and SUPERAntiSpyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place
 
Yes, the ZoneAlarm messages. I will follow the steps and run the OTCleanIt.


Odd... Add/Remove Programs shows no programs at all, but they do show up with CCleaner, so no worries.
 