Windows 7: Believe I have a redirect virus. Need help/advice


22 Nov 2013   #1
jetablack4

Windows 7 64 bit
 
 
Believe I have a redirect virus. Need help/advice

Two days ago I noticed while going to some websites like Stubhub that it would open the website, however, it would also open up another Firefox window with a similar website that was not Stubhub, and the actual Stubhub website would not work properly. I did some research and it seems to most closely match a redirect virus, which sounds pretty awful. I image my computer every day with Macrium and restored twice, from the 11/17 and 11/4 images, however, the problem still exists. From what I have read this virus digs itself into the MBR, which is why my restore points might not be effective.

Can anyone tell me if this sounds like a redirect virus and also an effective way to remove it? I really would rather not re-image my whole computer and start from scratch. Any help would be greatly appreciated.


22 Nov 2013   #2
ICit2lol

Desk1 8 Pro / Desk2 7 Home Prem / Laptop 8.1 Pro all 64bit
 
 

Well jet, you can try these for starters:

http://www.superantispyware.com/

http://www.malwarebytes.org/products/malwarebytes_free/

http://www.bleepingcomputer.com/download/adwcleaner/

Download from Bleeping Computer, then this one:

Free Malware Removal Tools

Scroll down to the TDSS Killer and run it; delete any rubbish the scans come up with.
22 Nov 2013   #3
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

I have never heard of a virus sitting in the MBR - but that does not mean that it is not possible. You can try the bootable CD of Partition Wizard to rebuild the MBR. It is the last box on this website. The .iso you have to burn to CD and boot from the CD.

Free download Magic Partition Manager Software, partition magic alternative, free partition magic, partition magic Windows 7 and server partition software - Partition Wizard Online
22 Nov 2013   #4
ICit2lol

Desk1 8 Pro / Desk2 7 Home Prem / Laptop 8.1 Pro all 64bit
 
 

Yes I must agree with you WHS, but when things like BIOS, RAM and gear like that can get infected, as you say it is not out of the realms of possibility; after all it is sitting on the HDD, eh?
22 Nov 2013   #5
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

Although there was talk about possible infections of the BIOS, there was never proof of that. And a virus in RAM would not survive very long. On the next reboot it would disappear.
22 Nov 2013   #6
jetablack4

Windows 7 64 bit
 
 

Thanks all for the replies. I am not that confident in my ability to rebuild the MBR. After hearing most of you say it is unlikely that the virus is in the MBR, I will try to get rid of it with some virus removal tools. Does anyone have anything to add to ICit2lol's tools? Which ones may be best?
22 Nov 2013   #7
johnsmith45jock

Windows 7 Home Premium 64-bit
 
 

Hello jetblack,

In addition, you might try this tool, as well.

Download Junkware Removal Tool to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Hope this helps,
John
22 Nov 2013   #8
jetablack4

Windows 7 64 bit
 
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Professional x64
Ran by Joe on Fri 11/22/2013 at 20:31:15.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

Successfully stopped: [Service] updater service for startnow toolbar
Successfully deleted: [Service] updater service for startnow toolbar

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\startnow search protect
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\dnu.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\secman.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\toolbar.dll
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\toolbarbroker.exe
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\zugo
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\bittorrentbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\competeinc
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\freeze.com
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\startnow toolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\conduit.engine
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdate
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloaduibrowser
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloaduibrowser.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloadupdcontroller
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\dnupdater.downloadupdcontroller.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.bandobject
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.bandobject.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.toolbarhelperobject
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolbar.toolbarhelperobject.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\zgclnt.mngr
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\zgclnt.mngr.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\facemoods_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\facemoods_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\startnow toolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2790392
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskSLib_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskSLib_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A59C167F-298F-30E1-8F0D-B7ED3F450647}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}

~~~ Files

Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnu.dll"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnu.xpt"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnupdater2.dll"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npdnupdater2.xpt"

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Joe\AppData\Roaming\startnow toolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\startnow toolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\software update utility"
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{361B6B03-D7D0-4E3E-95AD-3206DDE60FA9}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{39204002-CAD3-4162-AE56-13D09F1AF457}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{5791ECBC-4A35-4C18-8CEB-EFB0C9049589}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{8FAA609B-C26C-4412-8848-3C9CEDBD8395}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{A04FFBDD-D62D-473A-A804-E0693B1A7D25}
Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{D99BBEA0-56C0-473D-9E23-D42EE6A718F8}

~~~ FireFox

Failed to delete: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
Successfully deleted: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml.old"
Successfully deleted: [File] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\user.js
Successfully deleted: [File] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\searchplugins\bing-zugo.xml
Failed to delete: [Folder] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\extensions\{5911488e-9d1e-40ec-8cbb-06b231cc153f}
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\superfish@superfish.com
Successfully deleted the following from C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\prefs.js

user_pref("keyword.URL", "hxxp://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DP GL15&toolbar_id=200&too
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.install_folder", "C:\\Program Files (x86)\\StartNow Toolbar");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.name", "StartNow Toolbar");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.startpage", "www.startnow.com");
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.update_url", "hxxp://tbupdate.zugo.com/ztb/update?partner_id={partner_id}&product_id={product_id}&affiliate_id={affiliate_id}
Emptied folder: C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\minidumps [173 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 11/22/2013 at 20:35:47.17
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
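To triage a JRT log like the one posted above, here is an added Python example (not part of the thread and not code from the JRT tool) that parses the "Successfully deleted" / "Failed to delete" action lines, pairs each with the reboot-surviving persistence mechanism it used (service, Run value, BHO, Firefox extension, keyword.URL search hijack) so each can be re-checked after a reboot, and lists what JRT could not remove. The embedded log excerpt is constructed to match the format of the posted log; the rule table and function names are my own.

```python
import re
# Constructed excerpt in the JRT.txt layout posted above (not the full log).
SAMPLE_LOG = r"""
Successfully stopped: [Service] updater service for startnow toolbar
Successfully deleted: [Service] updater service for startnow toolbar
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\startnow search protect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Failed to delete: [Folder] C:\Users\Joe\AppData\Roaming\mozilla\firefox\profiles\pg7qdowq.default\extensions\{5911488e-9d1e-40ec-8cbb-06b231cc153f}
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\superfish@superfish.com
user_pref("keyword.URL", "hxxp://www.startnow.com/s/?src=addrbar");
"""

ENTRY_RE = re.compile(r'^(Successfully \w+|Failed to \w+): \[([^\]]+)\] (.+)$')
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"([^"]*)"')

# (kind or None, lower-cased substring of the target) -> reboot-surviving mechanism it indicates.
PERSISTENCE_RULES = (
    ('Service', '', 'Windows service'),
    ('Pref', 'keyword.url=', 'Firefox address-bar search hijack'),
    (None, '\\currentversion\\run\\', 'autostart Run value'),
    (None, 'browser helper objects', 'IE Browser Helper Object'),
    (None, '\\mozilla\\firefox\\extensions', 'Firefox extension registered in the registry'),
    (None, '\\extensions\\', 'Firefox profile extension'),
)

def parse_jrt_log(text):
    """Return one (status, kind, target) tuple per action line; banners and section headers are skipped."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            entries.append((m[1], m[2], m[3]))
        elif p := PREF_RE.match(line.strip()):  # deleted prefs are echoed as user_pref(...) lines
            entries.append(('Successfully deleted', 'Pref', f'{p[1]}={p[2]}'))
    return entries

def persistence_findings(entries):
    """Pair each entry with the persistence mechanism it used, so each can be re-checked after a reboot."""
    findings = []
    for status, kind, target in entries:
        low = target.lower()
        for rule_kind, needle, mechanism in PERSISTENCE_RULES:
            if (rule_kind is None or rule_kind == kind) and needle in low:
                findings.append((mechanism, target))
                break
    return findings

def unresolved(entries):
    """Targets JRT reported it could not remove; these need manual follow-up."""
    return [target for status, _, target in entries if status.startswith('Failed')]
```

Running `persistence_findings(parse_jrt_log(SAMPLE_LOG))` on the excerpt yields seven findings, and `unresolved` returns the one Firefox profile extension folder that JRT failed to delete.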
22 Nov 2013   #9
ICit2lol

Desk1 8 Pro / Desk2 7 Home Prem / Laptop 8.1 Pro all 64bit
 
 

Quote: Originally Posted by whs
Although there was talk about possible infections of the BIOS, there was never proof of that. And a virus in RAM would not survive very long. On the next reboot it would disappear.
Yep mate, but generally speaking where there is smoke there is always the chance of fire. I was just putting it up as a possible.
22 Nov 2013   #10
Urthboundmisfit

7 Pro x64 SP1, XP SP3 VM
 
 
Personally...

Quote: Originally Posted by jetablack4
...I will try to get rid of it with some virus removal tools. Does anyone have to add to ICit2lol's tools? Which ones may be best?
I would run Kaspersky's TDSSKiller first, then run Bleepingcomputer's RKill followed by Malwarebytes Anti Malware (update its database version first). If you choose to do so, post back the results (logs) of each--the TDSS log may be a little long...just post the last 50 or so lines. SUPERAntiSpyware & AdwCleaner are also good tools as ICit2lol has noted. Ditto Junkware Removal Tool.