Help with stubborn malware redirect.
June 22, 2012 1:42 PM

Help removing a particularly stubborn piece of malware. It appears to be a rootkit that causes a Firefox redirect. (details inside)

So, I have this computer that appears to have some nasty malware. The best way to reproduce it is to open Firefox and search Google for Malware removal. It will show the right link titles for Mbam, SaS, etc. but all of the links redirect to an IP address that takes you to a paid spam site with fake removal tools. So far I've run the following in Safe Mode and I'm trying to report the results:

TrendMicro Housecall: nothing
Hijack This!: nothing obvious
Mbam: reported TDSSkiller as a rootkit (?) and found cookies
Super Anti-spyware: nothing
TDSSkiller: nothing
rkill: nothing
ComboFix: nothing
Rootkit Revealer: won't run with 64bit
RootkitRemover (McAfee): nothing

This is a 64-bit laptop running Windows 7 home. Any suggestions? I'm thinking I need a liveCD or something but not sure how to proceed. Thanks in advance!
posted by Raichle to Computers & Internet (17 answers total) 1 user marked this as a favorite
 
The go-to place for advice on this is Deezil's profile.
posted by Chocolate Pickle at 1:45 PM on June 22, 2012 [1 favorite]


It may have set up a proxy server on your machine that's doing the redirecting. Check your internet properties. But follow deezil's advice.
posted by DarkForest at 1:55 PM on June 22, 2012 [1 favorite]


Seconding Deezil's Profile. When using TDSSKiller, make sure you go under "Change Parameteres" and check for unsigned drivers and the TDSS FS. Also try GMER and Autoruns to help identify any odd runtime injections.

You may be best off creating that live CD you're already considering. My suggestion would be to use another computer to create a Kaspersky AV Rescue CD or a Hiren's Boot CD, both of which are available online for free.
posted by samsara at 1:57 PM on June 22, 2012


*Parameters rather
posted by samsara at 1:57 PM on June 22, 2012


Response by poster: Okay, although I've worked through most of the stuff on his profile (in a different order), I'll try going through the steps again with the additional ones. Thanks!
posted by Raichle at 2:00 PM on June 22, 2012


Have you tried running CCleaner (make sure to select ALL the Firefox and Internet Explorer cleaning options)? Often these nasty browser redirect things are hiding in temp folders somewhere.
posted by Wavelet at 2:01 PM on June 22, 2012


Response by poster: Yes, I usually do that before starting any removal process. Very good for people who don't know, it will speed things up considerably!
posted by Raichle at 2:13 PM on June 22, 2012


Have you installed any toolbars on your browser? Or downloaded any "free" applications?
posted by Obscure Reference at 2:19 PM on June 22, 2012


Go to

C:\windows\system32\drivers\etc\

And post the contents of the file "hosts" in here. Open it up in Notepad.
posted by I-baLL at 2:22 PM on June 22, 2012


Response by poster: It's not mine, just fixing for a friend. Nothing obvious beyond WildTangent stuff. Doesn't matter much *how* he got it at this point, just what tool can nuke it ;)
posted by Raichle at 2:22 PM on June 22, 2012


Format the drive and start over. You can probably have it backed up and completely re-installed in three or four hours. Less if your friend doesn't use a ton of apps. The laptop will run faster too. When you've got an infection that bad, there's no way to be sure it's really, really gone and you'll spend two or three times as long trying to clean it as you would just reformatting it.
posted by cnc at 3:00 PM on June 22, 2012 [1 favorite]


Response by poster: I will reformat *only* when all other options have been exhausted.
Hosts file looks normal. Local Host followed by all of the entries that a Spybot Immunization puts in. Working through the deezil page now, but not seeing much success.
posted by Raichle at 3:10 PM on June 22, 2012


I forgot to ask. Is this only happening with Firefox? Are you able to reproduce the issue in IE? If it's just Firefox then I would focus your efforts on the Firefox installation, its add-ons, and any configuration files associated with it (prefs.js, etc).
posted by samsara at 3:32 PM on June 22, 2012
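The hosts-file check suggested earlier and the prefs.js suggestion here can be done with one small triage script. This is an added example, not code from the thread; the hosts file and prefs.js contents are constructed samples (203.0.113.x is a documentation address range), and REDIRECT_PREFS is a hand-picked list of Firefox settings that proxy and search hijacks commonly plant values in.

```python
import re

# Constructed sample inputs (not from the thread). 203.0.113.x is a documentation range.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.malwaredomain.example   # Spybot-style immunization entry (benign)
203.0.113.5  www.malwarebytes.org
203.0.113.5  www.superantispyware.com
"""

SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.mozilla.org");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://203.0.113.5/proxy.pac");
user_pref("keyword.URL", "http://203.0.113.5/search?q=");
"""

# Sinkhole addresses: immunization tools map bad domains here, which is harmless.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def suspicious_hosts_entries(text):
    """Return (ip, hostname) pairs that point a name somewhere other than loopback.
    Those are the entries that silently send traffic for a real site elsewhere."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            continue
        hits.extend((ip, name) for name in names)
    return hits

# Prefs that control proxying and address-bar search; a hijack plants values here.
# network.proxy.type: 0 = direct, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = system (default).
REDIRECT_PREFS = {"network.proxy.type", "network.proxy.http", "network.proxy.ssl",
                  "network.proxy.autoconfig_url", "keyword.URL", "browser.search.defaulturl"}
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+)\);')

def suspicious_prefs(text):
    """Return {pref: value} for redirect-related prefs present in a prefs.js."""
    found = {}
    for m in PREF_RE.finditer(text):
        name, value = m.group(1), m.group(2).strip().strip('"')
        if name in REDIRECT_PREFS:
            found[name] = value
    return found
```

On a real machine, feed the functions the contents of C:\Windows\System32\drivers\etc\hosts and of prefs.js in the Firefox profile folder; a non-loopback hosts entry for a security vendor's site, or a PAC URL or keyword.URL pointing at a bare IP, is the kind of thing that produces exactly the redirect described in the question.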


Response by poster: Interesting - When I run the SmitFraudFix file (renamed to something random), I see a line saying something about not being able to find C:\Windows\System32\drivers\etc (which exists) followed by a bunch of lines saying "access denied". Then it says something about a VAC and then explorer quits. The only way to do anything is to restart at this point. Has anybody encountered this?
posted by Raichle at 3:33 PM on June 22, 2012


Response by poster: I've only been able to reproduce this in Firefox, but the owner of the laptop says it happened in IE too.
posted by Raichle at 3:34 PM on June 22, 2012


Response by poster: Okay, removing Firefox and all of its data and profiles seems to have fixed the problem. Still makes me nervous since I never figured out exactly where/what *it* is. I guess I'll advise he wipe/re-install but it's probably okay now.
posted by Raichle at 3:53 PM on June 22, 2012


The SmitFraudFix error is probably OK... you may want to try it again by right-clicking it and running as Administrator (or CTRL+SHIFT+DBLCLICK). The error was likely caused by Windows 7's UAC (User Account Control).

My best guess is that what you encountered was something similar to this hijack of XUL Runner. Hope that helps!
posted by samsara at 4:35 PM on June 22, 2012

