What to do about a virus-like problem?

[9strick9]

An infection is causing my system to redirect me to various commercial sites, many of which are scams. I have scanned my C: drive with two different anti-virus programs, an anti-spyware program and an anti-malware program. None of them could find any problems. I can't reinstall Windows because I don't have a disc.

Any suggestions on what to do?

Thanks

 

[baarod]

An infection is causing my system to redirect me to various commercial sites, many of which are scams. I have scanned my C: drive with two different anti-virus programs, an anti-spyware program and an anti-malware program. None of them could find any problems. I can't reinstall Windows because I don't have a disc.

Any suggestions on what to do?

Thanks

Internet Explorer is just running an add-on that you were tricked into installing. Reset IE to defaults. Start, type "inetcpl.cpl" and press enter. Click Reset... from the Advanced tab.

 

[Lemur]

Also reboot into safe mode and run malwarebytes with full scan...

 

[9strick9]

I followed the suggestions below as best I could but the problem remains. I reset the IE to its defaults and scanned with malwarebytes in safe mode. I use Firfox for my browser so I deactivated all of the addons that I had installed. None of this solved the problem. I then reinstalled Firefox but that didn't help either.

Any suggestions on what to do now?

Thank you.

 

[ZORG]

All right pal

Let´s start from the beginning. Download spybot search and destroy, install and run it. For a start, it may help you to get rid of the problem if it is a virus or a spyware. If it doesn´t ´we can try another one as super antispyware.

zorg

 

[mborner]

Take a look at you host file. Navigate to C:\Windows\system32\drivers\etc. There, you will see a file called "hosts". Open the hosts file in notepad.

 

[Jacee]

Clear your DNS cache and restore MS's Hosts file

Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click to run as Administrator. Your computer will reboot itself.

Now, download Malwarebytes' Anti-Malware to your desktop
|MG| Malwarebytes Anti-Malware 1.50 Download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

 

[9strick9]

The "hosts" file looks ok.

127.0.0.1 localhost
::1 localhost
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost


I'm not sure how the clear the DNS cache and restore MS's Hosts file. Is this what the code you present does?

 

[Corrine]

Hi, 9strick9.

Please take another look at Jacee's instructions. You need to copy that code in Notepad and "Save as" flush.bat to your desktop. Then, just right-click to run flush.bat as Administrator.

 

[9strick9]

Got it! I did this and here are the results.


Malwarebytes' Anti-Malware 1.50
Malwarebytes

Database version: 5275

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/8/2010 9:07:49 PM
mbam-log-2010-12-08 (21-07-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 340734
Time elapsed: 1 hour(s), 10 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It didn't find any problems. What next?

 

[Jacee]

What two anti-virus programs did you scan with?

 

[9strick9]

avast! Free and Norton Internet Security 2010

 

[Jaxryley]

Could relate to a rootkit?

Try a scan with TDSSKiller.

 

[9strick9]

I tried the TDSSKiller and it seems to have worked. I say "seems" because the problem occurred periodically and I don't know what triggered it.

TDSSKiller found Rootkit.Win32.TDSS.tdl4 and removed it. The problem hasn't occurred since the rootkit was removed and that was about three days ago. Prior to that, the problem occurred two or three times a day.

I believe the problem is solved and I really appreciate your help. I don't know what I would have done witout it.