Windows 7 Forums


Windows 7: Believe I have a redirect virus. Need help/advice

22 Nov 2013   #1

Windows 7 64 bit
Believe I have a redirect virus. Need help/advice

Two days ago I noticed, while going to some websites like Stubhub, that it would open the website; however, it would also open up another Firefox window with a similar website that was not Stubhub, and the actual Stubhub website would not work properly. I did some research and it seems to most closely match a redirect virus, which sounds pretty awful. I image my computer every day with Macrium and restored twice, from the 11/17 and 11/4 images; however, the problem still exists. From what I have read this virus digs itself into the MBR, which is why my restore points might not be effective.

Can anyone tell me if this sounds like a redirect virus and also an effective way to remove it? I really would rather not re-image my whole computer and start from scratch. Any help would be greatly appreciated.

22 Nov 2013   #2

Desk1 7 Home Prem / Desk2 7 Home Prem / Main lap Asus ROG 7 Pro 2 laptop Toshiba 7 Pro

Well jet, you can try these for starters:

download from bleeping computer
then this one

Free Malware Removal Tools

Scroll down to TDSSKiller and run it; delete any rubbish the scans come up with.
22 Nov 2013   #3
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8

I have never heard of a virus sitting in the MBR, but that does not mean that it is not possible. You can try the bootable CD of Partition Wizard to rebuild the MBR. It is the last box on this website. The .iso you have to burn to CD and boot from the CD.

Free download Magic Partition Manager Software, partition magic alternative, free partition magic, partition magic Windows 7 and server partition software - Partition Wizard Online
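Post #3 suggests rebuilding the MBR. Before overwriting the sector it is worth looking at what is actually in it, so here is an added example (not code from the thread, and not Partition Wizard's) that parses a 512-byte MBR image, checks the 0x55AA boot signature and the four partition entries, and hashes the 440-byte boot-code region for comparison with a known-good baseline. The sample MBR bytes, the partition layout, the disk signature and the baseline hash are all constructed for the example; on a real machine the baseline would come from a clean install of the same Windows version.

```python
"""Parse a 512-byte MBR image, check its boot signature and partition table,
and compare the boot code against a known-good hash. Added example with a
constructed sample image; not code from the thread or from Partition Wizard."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439 hold the boot code
DISK_SIG_OFF = 440             # 4-byte disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def parse_mbr(mbr: bytes) -> dict:
    """Return the fields a boot-sector check cares about."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * 16)
        if ptype != 0:                      # type 0 = empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Findings that would justify rebuilding the MBR; empty means it matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    # overlapping entries are a sign the table has been edited by hand or by malware
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("partition entries overlap")
            break
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a toy MBR for the example (not a real Windows boot sector)."""
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_SIG_OFF, 0x1234ABCD)   # constructed disk signature
    # one bootable NTFS (type 0x07) partition starting at LBA 2048
    struct.pack_into(PART_ENTRY_FMT, img, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    img[510:512] = BOOT_SIGNATURE
    return bytes(img)


# Baseline: hash of the boot code from a known-clean MBR. Here it is the constructed
# image; in practice capture it from a clean machine of the same Windows version.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 64)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# The same image with its first bytes patched, as boot-code tampering would look.
PATCHED_MBR = b"\xe9\x00\x01" + CLEAN_MBR[3:]

if __name__ == "__main__":
    # On a live system read the sector itself (administrator/root required):
    #   with open(r"\\.\PhysicalDrive0", "rb") as f: mbr = f.read(512)   # Windows
    #   with open("/dev/sda", "rb") as f: mbr = f.read(512)              # Linux
    print("clean:  ", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("patched:", check_mbr(PATCHED_MBR, BASELINE_HASH))
```

A matching hash only says the MBR sector itself is unchanged; boot code can also be placed in the partition's own boot sector (VBR) or in unpartitioned sectors, so this check rules the MBR in or out rather than clearing the disk.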

22 Nov 2013   #4

Desk1 7 Home Prem / Desk2 7 Home Prem / Main lap Asus ROG 7 Pro 2 laptop Toshiba 7 Pro

Yes, I must agree with you WHS, but when things like BIOS, RAM and gear like that can get infected, as you say it is not out of the realms of possibility; after all, it is sitting on the HDD, eh?
22 Nov 2013   #5
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8

Although there was talk about possible infections of the BIOS, there was never proof of that. And a virus in RAM would not survive very long. On the next reboot it would disappear.
22 Nov 2013   #6

Windows 7 64 bit

Thanks all for the replies. I am not that confident in my ability to rebuild the MBR. After hearing most of you say it is unlikely that the virus is in the MBR, I will try to get rid of it with some virus removal tools. Does anyone have anything to add to ICit2lol's tools? Which ones may be best?
22 Nov 2013   #7

Windows 7 Home Premium 64-bit

Hello jetblack,

In addition, you might try this tool, as well.

Download Junkware Removal Tool to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Hope this helps,
22 Nov 2013   #8

Windows 7 64 bit

Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Professional x64
Ran by Joe on Fri 11/22/2013 at 20:31:15.08

~~~ Services

Successfully stopped: [Service] updater service for startnow toolbar
Successfully deleted: [Service] updater service for startnow toolbar

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\startnow search protect
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\dnu.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\secman.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\toolbar.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\toolbarbroker.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\zugo
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\bittorrentbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\competeinc
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\startnow toolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\conduit.engine
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdate
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloaduibrowser
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloaduibrowser.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloadupdcontroller
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloadupdcontroller.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.bandobject
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.bandobject.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.toolbarhelperobject
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.toolbarhelperobject.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\zgclnt.mngr
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\zgclnt.mngr.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\facemoods_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\facemoods_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\startnow toolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2790392
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A59C167F-298F-30E1-8F0D-B7ED3F450647}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}

~~~ Files

Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnu.dll"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnu.xpt"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnupdater2.dll"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnupdater2.xpt"

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Joe\AppData\Roaming\startnow toolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\startnow toolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\software update utility"
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{361B6B03-D7D0-4E3E-95AD-3206DDE60FA9}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{39204002-CAD3-4162-AE56-13D09F1AF457}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{5791ECBC-4A35-4C18-8CEB-EFB0C9049589}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{8FAA609B-C26C-4412-8848-3C9CEDBD8395}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{A04FFBDD-D62D-473A-A804-E0693B1A7D25}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{D99BBEA0-56C0-473D-9E23-D42EE6A718F8}

~~~ FireFox

Failed to delete: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
Successfully deleted: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
Successfully deleted: [File] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\user.js
Successfully deleted: [File] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\searchplugins\bing-zugo.xml
Failed to delete: [Folder] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\extensions\{5911488e-9d1e-40ec-8cbb-06b231cc153f}
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\
Successfully deleted the following from C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\prefs.js

user_pref("keyword.URL", "hxxp:// GL15&toolbar_id=200&too
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.install_folder", "C:\\Program Files (x86)\\StartNow Toolbar");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.name", "StartNow Toolbar");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.startpage", "");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.update_url", "hxxp://{partner_id}&product_id={product_id}&affiliate_id={affiliate_id}
Emptied folder: C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\minidumps [173 files]

~~~ Event Viewer Logs were cleared

Scan was completed on Fri 11/22/2013 at 20:35:47.17
End of JRT log
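The JRT log above shows where this kind of adware lives in a Firefox profile: a user.js file, a toolbar search plugin, and prefs.js entries such as keyword.URL and preferences namespaced by the toolbar's extension GUID. The following is an added example (not JRT's code and not from the thread) that parses user_pref lines from a profile and flags the same indicators: URL-valued prefs pointing at an unexpected host, a default search engine that is not a built-in one, and GUID-namespaced prefs. The sample prefs.js text, the allowed host and engine lists, and the search.example-toolbar.test host are constructed for the example.

```python
"""Flag search/homepage hijack indicators in Firefox user.js / prefs.js,
the kind of entries the JRT log above removed. Added example with a
constructed sample profile; not JRT's code."""
import re
from urllib.parse import urlparse

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
GUID_PREF_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}\.")

# URL-valued prefs that toolbars rewrite to send searches and the start page elsewhere
URL_PREFS = {"keyword.URL", "browser.startup.homepage", "browser.newtab.url"}
# engine-name prefs; a clean profile names a built-in engine
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
# what this user expects to see (assumption for the example)
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
ALLOWED_ENGINES = {"Google", "Bing", "Yahoo"}


def parse_prefs(text: str) -> dict:
    """Parse user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def find_hijacks(prefs: dict) -> list:
    """Return (pref name, reason) pairs worth a closer look."""
    findings = []
    for name, value in prefs.items():
        if name in URL_PREFS and isinstance(value, str) and "://" in value:
            host = urlparse(value).hostname
            if host not in ALLOWED_HOSTS:
                findings.append((name, f"points at unexpected host {host}"))
        elif name in ENGINE_PREFS and value not in ALLOWED_ENGINES:
            findings.append((name, f"default engine is {value!r}"))
        elif GUID_PREF_RE.match(name):
            # toolbars keep their own settings under their extension GUID
            findings.append((name, "preference namespaced by an extension GUID"))
    return findings


# Constructed sample profile, modelled on the entries in the log above.
# search.example-toolbar.test is a placeholder host, not a real one.
SAMPLE_PREFS_JS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.sessionstore.interval", 15000);
user_pref("keyword.URL", "http://search.example-toolbar.test/?q=");
user_pref("browser.search.defaultenginename", "Bing-zugo");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.install_folder", "C:\\Program Files (x86)\\StartNow Toolbar");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.name", "StartNow Toolbar");
'''

if __name__ == "__main__":
    for name, reason in find_hijacks(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{name}: {reason}")
```

Run it against both prefs.js and user.js in the profile folder shown in the log (C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<id>.default): Firefox re-applies user.js on every start, so a prefs.js that looks clean will be rewritten again if a user.js dropped by the toolbar is still present, which is why the tool deleted that file.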
22 Nov 2013   #9

Desk1 7 Home Prem / Desk2 7 Home Prem / Main lap Asus ROG 7 Pro 2 laptop Toshiba 7 Pro

Quote: Originally Posted by whs
Although there was talk about possible infections of the BIOS, there was never proof of that. And a virus in RAM would not survive very long. On the next reboot it would disappear.
Yep mate, but generally speaking where there is smoke there is always the chance of fire. I was just putting it up as a possibility.
22 Nov 2013   #10


Quote: Originally Posted by jetablack4
...I will try to get rid of it with some virus removal tools. Does anyone have to add to ICit2lol's tools? Which ones may be best?
I would run Kaspersky's TDSSKiller first, then run Bleepingcomputer's RKill followed by Malwarebytes Anti-Malware (update its database first). If you choose to do so, post back the results (logs) of each; the TDSS log may be a little long, so just post the last 50 or so lines. SUPERAntiSpyware and AdwCleaner are also good tools, as ICit2lol has noted. Ditto Junkware Removal Tool.
