
I seem to have gotten a redirect trojan...

Status
Not open for further replies.

Wilsongt

Member
Jul 17, 2007
Any advice, GAF? I am running Malwarebytes right now, and it caught something earlier and appeared to delete it, but it didn't seem to work.

Thanks in advance.
 

clav

Member
Apr 22, 2006
For prevention:

1. Make sure your third party browser add-ons like Flash and Java are updated. If you don't need Java, uninstall it. If you want to be worry-free, uninstall all Java and Flash instances and only use Chrome. Chrome keeps Flash updated automatically without any add-ons required.

2. Set up OpenDNS on your router with Malware Bot protection: http://www.opendns.com/

3. Keep your OS + Software updated.
 
Apr 27, 2009
Had to be porn. It would help if you knew the name of the particular trojan because there could be a removal tool out for it.
 

NoRéN

Member
Jul 6, 2009
elrechazao said:
It isn't necessarily porn. My wife got one on my comp a few weeks ago on a coupon blog of all things.
Heck, the other day Chrome warned me off a Yahoo sports page. That was surprising.
 
Jan 12, 2007
StylusX said:
I got something similar and Hitman Pro worked for me.

Yep.

Wilsongt said:
It actually showed up when I was on damnlol.com Thank you, Facebook friends... =/

What the fuck is damnlol.com :/

That said, what does it redirect you to? Does it redirect during a Google search, when you click any link, or when you enter something in the address bar and it sends you elsewhere?

Regardless of the problem, download the trial version of Hitman Pro; it should deal with it.
 

clav

Member
Apr 22, 2006
Wilsongt said:
It actually showed up when I was on damnlol.com Thank you, Facebook friends... =/
Combofix found some culprits and deleted accordingly. Just look at the "Other Deletions" part.

Run Hitman Pro or a full scan with an updated Malwarebytes to see if the malware is now crippled and detectable.
 

jamesinclair

Banned
May 13, 2005
I had a really nasty one a few weeks ago.

Would redirect my google search results.

None of the major malware programs would remove it (adaware, spybot, etc).

Took some time, but it's gone now.

TDSSKiller was one of the programs that helped get it out, followed by Combofix.
 

Wilsongt

Member
Jul 17, 2007
It's a Google Redirect. If I were to search for the actual Trojan name, I get redirected.

I ran Malwarebytes again... Log

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7520

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

8/20/2011 4:40:35 PM
mbam-log-2011-08-20 (16-40-35).txt

Scan type: Quick scan
Objects scanned: 174119
Time elapsed: 6 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\020000002efe26081406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000002efe26081406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000002efe26081406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000002efe26081406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

Antivirus keeps saying I am being attacked...
 

clav

Member
Apr 22, 2006
OP uses: Windows XP Home

Norton Security Software (do not approve)
Nvidia Active Armor Firewall (do not approve)

When you've tackled your malware problem, you need to do some cleanup.
 

clav

Member
Apr 22, 2006
Try the other programs that people have suggested.

You're also way behind on system updates (XP should be on SP3, IE8, etc.), but deal with that later.

Fix the malware first before attempting system updates.

I'll throw in another suggestion:

http://www.microsoft.com/download/en/details.aspx?id=16

Run the Microsoft Malicious Software Removal Tool, which is updated monthly.
 

Trumpet909

Member
Oct 30, 2007
Check your hosts file:

1. Find and open the hosts file.
- Go to c:/windows/system32/drivers/etc
You will see a hosts file with no extension. Right-click on it and press Open; a prompt will ask you what program to open it with. Select Notepad.


It normally looks like this:

__________________________________________________________________
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
_______________________________________________________________

When I had this issue, mine looked like:

____________________________________________________________________
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
64.86.17.32 google.ae
64.86.17.32 google.as
64.86.17.32 google.at
64.86.17.32 google.az
64.86.17.32 google.ba
64.86.17.32 google.be
64.86.17.32 google.bg
64.86.17.32 google.bs
64.86.17.32 google.ca
64.86.17.32 google.cd
64.86.17.32 google.com.gh
64.86.17.32 google.com.hk
64.86.17.32 google.com.jm
64.86.17.32 google.com.mx
64.86.17.32 google.com.my
64.86.17.32 google.com.na
64.86.17.32 google.com.nf
64.86.17.32 google.com.ng

Replacing my host file with a clean one fixed my issue.
 

D4Danger

Unconfirmed Member
Dec 5, 2008
See if it changed anything in your host file

go to: %SystemRoot%\system32\drivers\etc\

open the file "hosts" in a text editor like notepad

ignore any line that starts with a # and delete everything else

(make a backup first just in case)


edit: damn you, Trumpet909
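The check Trumpet909 and D4Danger describe above (look for active hosts-file mappings that are not the normal localhost entry, then keep only the comment lines) can be automated. The script below is an added example, not code from any poster in the thread. It parses hosts-file text, groups every non-loopback mapping by target IP so a mass hijack like the google.* block stands out, and produces the cleaned file. The sample input is constructed for the example, adapted from the infected file posted above and trimmed to a few entries; the function names are my own.

```python
"""Audit a Windows hosts file for the redirect hijack described in the thread.

Added example (not from the original posts). Flags every active mapping that
is not a loopback entry for a localhost-style name, grouped by target IP, and
builds the cleaned file: comments kept, everything else dropped, loopback
entries restored.
"""
import ipaddress
from collections import defaultdict

# Names that legitimately map to a loopback address in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample, adapted from the infected file posted in the thread
# and trimmed to a handful of entries.
SAMPLE_INFECTED = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost

74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
64.86.17.32 google.ca
64.86.17.32 google.com.mx
64.86.17.32 google.com.hk # trailing comment after the mapping
"""


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every active mapping in the file.

    A line may list several hostnames after the IP and end in a '#' comment.
    Lines whose first token is not an IP address are skipped, not trusted.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, full-line or trailing
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; ignore rather than guess
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def is_benign(ip, name):
    """A loopback (or unspecified) address for a localhost-style name is normal."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_unspecified) and name in LOOPBACK_NAMES


def suspicious_entries(text):
    """Map target IP -> [hostnames] for every entry that is not a benign loopback one.

    Anything here deserves a look: a real IP in front of google.* or a
    security vendor's domain is the hosts-file redirect the thread describes.
    """
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_benign(ip, name):
            by_ip[ip].append(name)
    return dict(by_ip)


def clean_hosts(text):
    """Keep only comment lines, then restore the standard loopback mappings."""
    kept = [line for line in text.splitlines() if line.lstrip().startswith("#")]
    kept += ["", "127.0.0.1 localhost", "::1 localhost", ""]
    return "\n".join(kept)


if __name__ == "__main__":
    # On a real machine read the file from %SystemRoot%\System32\drivers\etc\hosts.
    for ip, names in suspicious_entries(SAMPLE_INFECTED).items():
        print(f"{ip} -> {', '.join(names)}")
```

Everything that is not a loopback entry for localhost is flagged, including hand-added ad-blocking entries, so review the list before overwriting the file, and back the original up as D4Danger says. A clean hosts file does not prove the machine is clean: the TDSS family that TDSSKiller targets intercepts traffic below the hosts file, and MNC's point about a planted proxy setting applies as well, so check those separately.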
 

Wilsongt

Member
Jul 17, 2007
I will try those after I run the microsoft thing... I think this is incentive, though, to finally back up my important files and do a clean wipe + Upgrade to Windows 7.
 

Enco

Member
Dec 27, 2009
spindashing said:
Porn site, right?

I just did a System Restore to a date before the infection and that helped on my old computer.

Edit: Do try out Combofix though. That usually fixes everything.
What else?

Hijackthis, Hijackthis Analyser and Malwarebytes. That should be enough. You can also run a virus scanner and if nothing works, go back to a restore point.
 

MNC

Member
Mar 4, 2008
Also: Afterwards, your internet most likely 'will not be working.' These things usually enable a proxy so after cleaning the PC, go into your browser settings and disable it again.
 

Morn

Banned
Jan 29, 2010
After you get something to clean it, and BEFORE you try cleaning it, disconnect your PC from the internet. Pull out the Ethernet cable or unplug your wireless router if you have to.
 