Believe I have a redirect virus. Need help/advice


  1. Posts : 56
    Windows 7 64 bit
       #1



    Two days ago I noticed that while going to some websites like Stubhub it would open the website; however, it would also open up another Firefox window with a similar website that was not Stubhub, and the actual Stubhub website would not work properly. I did some research and it seems to most closely match a redirect virus, which sounds pretty awful. I image my computer every day with Macrium and restored twice, from the 11/17 and 11/4 images; however, the problem still exists. From what I have read this virus digs itself into the MBR, which is why my restore points might not be effective.

    Can anyone tell me if this sounds like a redirect virus and also an effective way to remove it? I really would rather not re-image my whole computer and start from scratch. Any help would be greatly appreciated.


  2. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #2

    Well jet, you can try these for starters:

    http://www.superantispyware.com/

    http://www.malwarebytes.org/products/malwarebytes_free/

    http://www.bleepingcomputer.com/download/adwcleaner/

    download from Bleeping Computer,
    then this one:

    Free Malware Removal Tools

    Scroll down to the TDSS Killer and run it; delete any rubbish the scans come up with.


  3. whs
    Posts : 26,210
    Vista, Windows7, Mint Mate, Zorin, Windows 8
       #3

    I have never heard of a virus sitting in the MBR - but that does not mean that it is not possible. You can try the bootable CD of Partition Wizard to rebuild the MBR. It is the last box on this website. The .iso you have to burn to CD and boot from the CD.

    Free download Magic Partition Manager Software, partition magic alternative, free partition magic, partition magic Windows 7 and server partition software - Partition Wizard Online


  4. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #4

    Yes, I must agree with you WHS, but when things like BIOS, RAM and gear like that can get infected, as you say, it is not out of the realms of possibility; after all, it is sitting on the HDD, eh?


  5. whs
    Posts : 26,210
    Vista, Windows7, Mint Mate, Zorin, Windows 8
       #5

    Although there was talk about possible infections of the BIOS, there was never proof of that. And a virus in RAM would not survive very long. On the next reboot it would disappear.


  6. Posts : 56
    Windows 7 64 bit
    Thread Starter
       #6

    Thanks all for the replies. I am not that confident in my ability to rebuild the MBR. After hearing most of you say it is unlikely that the virus is in the MBR, I will try to get rid of it with some virus removal tools. Does anyone have anything to add to ICit2lol's tools? Which ones may be best?


  7. Posts : 2,167
    Windows 7 Home Premium 64-bit
       #7

    Hello jetblack,

    In addition, you might try this tool, as well.

    Download Junkware Removal Tool to your Desktop.
    • Close your security software to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
    • The tool will open and start scanning your system.
    • Be patient as this can take a while to complete, depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
    • Please post the contents of JRT.txt into your reply.
    Hope this helps,
    John


  8. Posts : 56
    Windows 7 64 bit
    Thread Starter
       #8

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.0.8 (11.05.2013:1)
    OS: Windows 7 Professional x64
    Ran by Joe on Fri 11/22/2013 at 20:31:15.08
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services

    Successfully stopped: [Service] updater service for startnow toolbar
    Successfully deleted: [Service] updater service for startnow toolbar



    ~~~ Registry Values

    Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\startnow search protect
    Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
    Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440}



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\dnu.exe
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\secman.dll
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\toolbar.dll
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\toolbarbroker.exe
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\zugo
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\bittorrentbar
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\competeinc
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\freeze.com
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\startnow toolbar
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\conduit.engine
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdate
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloaduibrowser
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloaduibrowser.1
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloadupdcontroller
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloadupdcontroller.1
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.bandobject
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.bandobject.1
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.toolbarhelperobject
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.toolbarhelperobject.1
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\zgclnt.mngr
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\zgclnt.mngr.1
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\facemoods_rasapi32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\facemoods_rasmancs
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\startnow toolbar
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2790392
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASMANCS
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASMANCS
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASMANCS
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASMANCS
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A59C167F-298F-30E1-8F0D-B7ED3F450647}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}



    ~~~ Files

    Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnu.dll"
    Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnu.xpt"
    Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnupdater2.dll"
    Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnupdater2.xpt"



    ~~~ Folders

    Successfully deleted: [Folder] "C:\Users\Joe\AppData\Roaming\startnow toolbar"
    Successfully deleted: [Folder] "C:\Program Files (x86)\startnow toolbar"
    Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\software update utility"
    Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{361B6B03-D7D0-4E3E-95AD-3206DDE60FA9}
    Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{39204002-CAD3-4162-AE56-13D09F1AF457}
    Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{5791ECBC-4A35-4C18-8CEB-EFB0C9049589}
    Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{8FAA609B-C26C-4412-8848-3C9CEDBD8395}
    Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{A04FFBDD-D62D-473A-A804-E0693B1A7D25}
    Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{D99BBEA0-56C0-473D-9E23-D42EE6A718F8}



    ~~~ FireFox

    Failed to delete: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
    Successfully deleted: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
    Successfully deleted: [File] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\user.js
    Successfully deleted: [File] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\searchplugins\bing-zugo.xml
    Failed to delete: [Folder] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\extensions\{5911488e-9d1e-40ec-8cbb-06b231cc153f}
    Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\superfish@superfish.com
    Successfully deleted the following from C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\prefs.js

    user_pref("keyword.URL", "hxxp://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DP GL15&toolbar_id=200&too
    user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.install_folder", "C:\\Program Files (x86)\\StartNow Toolbar");
    user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.name", "StartNow Toolbar");
    user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.startpage", "www.startnow.com");
    user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.update_url", "hxxp://tbupdate.zugo.com/ztb/update?partner_id={partner_id}&product_id={product_id}&affiliate_id={affiliate_id}
    Emptied folder: C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\minidumps [173 files]



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Fri 11/22/2013 at 20:35:47.17
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
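    The log above shows every persistence point the StartNow/Zugo toolbar used (a service, a Run key, a BHO, Firefox plugins and prefs), and it also records one folder JRT could not remove. As an added example that is not from the thread or from JRT itself, the Python script below parses a JRT log, flags what the tool failed to delete (the items to re-check after a reboot), and pulls out the Firefox prefs (keyword.URL, startpage, update_url) that explain the redirected address bar; the sample log is a constructed excerpt of the one posted.

```python
# Added example (not from the thread or from JRT): triage a JRT log by section,
# flag what JRT could NOT remove, and pull out the Firefox prefs behind the redirect.
import re
from collections import defaultdict

# Constructed excerpt of the JRT log posted above (paths and GUIDs as in the thread).
SAMPLE_LOG = r"""
~~~ Services
Successfully stopped: [Service] updater service for startnow toolbar
Successfully deleted: [Service] updater service for startnow toolbar
~~~ Registry Values
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\startnow search protect
~~~ FireFox
Failed to delete: [Folder] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\extensions\{5911488e-9d1e-40ec-8cbb-06b231cc153f}
Successfully deleted the following from C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\prefs.js
user_pref("keyword.URL", "hxxp://www.startnow.com/s/?src=addrbar&provider=Bing");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.startpage", "www.startnow.com");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.update_url", "hxxp://tbupdate.zugo.com/ztb/update");
"""
SECTION_RE = re.compile(r"^~~~ (.+)$")                                   # "~~~ Services"
ACTION_RE = re.compile(r"^(Successfully \w+|Failed to \w+): \[(.+?)\] (.+)$")  # status: [kind] target
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"(.*)"\);?$')          # prefs.js lines JRT quoted

def parse_jrt_log(text):
    """Return ({section: [{'status','kind','target'}, ...]}, {pref_name: value})."""
    entries, prefs, section = defaultdict(list), {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := ACTION_RE.match(line):
            status, kind, target = m.groups()
            entries[section].append({"status": status, "kind": kind, "target": target})
        elif m := PREF_RE.match(line):
            prefs[m.group(1)] = m.group(2)
    return dict(entries), prefs

def leftovers(entries):
    """Everything JRT reported as 'Failed to ...': these need a manual check after reboot."""
    return [e["target"] for items in entries.values() for e in items if e["status"].startswith("Failed")]

def hijack_prefs(prefs):
    """Prefs that redirect the address bar / start page or phone home for toolbar updates."""
    return {k: v for k, v in prefs.items()
            if k == "keyword.URL" or k.endswith((".startpage", ".update_url"))}

if __name__ == "__main__":
    entries, prefs = parse_jrt_log(SAMPLE_LOG)
    print("still present:", leftovers(entries))
    print("redirect prefs:", hijack_prefs(prefs))
```

Point it at the real JRT.txt (open the file and pass its contents to parse_jrt_log) to get the same summary for a full log.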


  9. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #9

    whs said:
    Although there was talk about possible infections of the BIOS, there was never proof of that. And a virus in RAM would not survive very long. On the next reboot it would disappear.
    Yep mate, but generally speaking where there is smoke there is always the chance of fire. I was just putting it up as a possible :)


  10. Posts : 461
    Win 10 Pro x64, Win 7 Pro x64
       #10

    Personally...


    jetablack4 said:
    ...I will try to get rid of it with some virus removal tools. Does anyone have anything to add to ICit2lol's tools? Which ones may be best?
    I would run Kaspersky's TDSSKiller first, then run Bleepingcomputer's RKill followed by Malwarebytes Anti-Malware (update its database version first). If you choose to do so, post back the results (logs) of each--the TDSS log may be a little long...just post the last 50 or so lines. SUPERAntiSpyware & AdwCleaner are also good tools, as ICit2lol has noted. Ditto Junkware Removal Tool.
    Last edited by Urthboundmisfit; 22 Nov 2013 at 23:44. Reason: add title

