Virus removed but internet hyperlinks are on the fritz
A friend of mine got yet another virus that asks him to input his credit card. During a visit to a website a bunch of windows or messages came up and a fake "Security Center" program installed. In addition to the fake scanning program itself and making a blue screen that would restart the computer every 5 minutes or so, it disabled Task Manager and MBAM and seems to have messed with internet browser or DNS settings (or whatever?).
I ran MBAM in Safe Mode, which detected many things, and they were deleted. After that MBAM could run again in normal Windows mode. A full Avast scan came up with a few additional bad files, which were deleted. I looked up how to remove the registry key that was disabling Task Manager and that was easy. But I really need help now...
Google Chrome basically still would not work at all; it just kept loading and wouldn't connect to any site. I actually uninstalled it since he says he doesn't use it. Firefox works, and when he types in web addresses manually it works fine, but when he clicks on hyperlinks he gets redirected to some places he doesn't expect. Otherwise his computer seems to run fine.
At this point I know he really friggin needs a reformat, but on his prebuilt HP that won't be easy (in addition to him having to buy an external hard drive for backup, if he has to get another Windows license I don't think he can afford it right now). What can I do in the meantime to attack this internet problem?
Shouldn't having a prebuilt HP make it easier to reformat? Most prebuilt computers come with a system restore partition, so he might not even need the disk. And he definitely won't need another Windows license.
My advice is for you to burn a Ubuntu LiveCD for him. He can boot off the CD directly, and use that to get all his important files off, and use the internet and stuff safely in the meantime.
Are these major destinations (like Facebook, Twitter, Digg, or whatever)? They can be targeted in the hosts file sometimes, though it's not terribly common.
That virus breaks IE (it won't connect to any site at all) by changing the connection settings to use a proxy server. I realize you are using different browsers, but this could be the same root cause.
Okay, while I will look at how to reformat the HP, which does have a system restore partition, I'm going to look into the hosts file or proxy settings. Are these the only possible causes? He says it happens on any website, not just major ones.
Maybe I can borrow an external hard drive from someone to backup his data.
This is really bugging me now. Casually talking to a neighbor about her computer it seems the exact same thing is going on for her. She had a virus/trojan stuff removed by a repair shop months ago but this search result redirect thing happens 50-90% of the time.
I'm gonna try about:config in Firefox to see about his keyword search settings, and after that I've run out of ideas. It's not the hosts file, not proxy settings, no weird modem or IP settings, can't find anything suspicious running in tasks. Typing in websites works fine. But only from using search results do the redirects happen.
Okay i got the exact same fucking thing a while back when my girlfriend thought it was a good idea to go browsing the internet on my laptop using internet explorer instead of a browser a toddler couldn't infect. Here's what you want to do.
Go download ComboFix on another machine, rename the .exe to something else, restart the computer in safe mode and then follow the instructions in that link.
After you've done that start it up in safe mode again, give it a second run through with MBAM, again use the rename exe trick.
After that give it a run through with your standard anti-virus and Ad-Aware and that should be that.
You have a rootkit. Security Center is a really nasty piece of work that installs itself like a fake device driver, making MBAM not see it. I was fixing it about 8 times a day before my bosses finished the prerequisite 8 week AT&T Retardation correspondence course and I was set free from that hellish nightmare.
You can thank Sony for this shit, btw. They popularized the idea of rootkits in modern computers. Without that stupid DRM fiasco, the idea might not have ever reached the Russian script kiddies' heads.
You need to run ComboFix in safe mode. Save ComboFix as something like c1f2.exe and run it off a flash drive in Safe Mode (not safe mode with networking). You might even have to rename it something like c1f2.COM, as I believe Security Center is one that installs itself as a handler for EXE files -- i.e., whenever you run a program, Security Center runs itself.
You can get around that, if it's happening, by opening a command prompt first and running the EXE files in DOS. Sometimes.
After running CF and letting it do everything it wants, THEN install MBAM (into a different folder, like say C:\m1b\) and rename mbam.exe inside the MBAM folder to like, 1.exe.
Then run that, and it will find a shitload more stuff.
THEN you will be fixed. Maybe.
Make sure you update Adobe Acrobat Reader, Adobe Flash, and Sun Java, as those 3 things are where these shitty Malware Worms are getting in through.
I'd say "This isn't common", but I regularly saw IE 6 and Adobe like, 6.2 in my helldesk job for AT&T, so...
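The two posts above name the usual places a click redirect or a blocked cleaner gets configured on a Windows box: the hosts file and the IE proxy settings (the first reply), and the EXE file handler that makes every program launch run the malware instead, which is why the cleaner is renamed to .COM or launched from a command prompt (the post just above). The script below is an added example, not something posted in this thread or shipped by ComboFix or MBAM; it only reads those locations and prints what it finds, so it is safe to run before deciding on ComboFix. It assumes a stock Windows install (default hosts path, registry layout of XP/Vista/7), an elevated PowerShell prompt, and PowerShell 2.0 or later (built into Windows 7; XP needs it installed). It also lists the IFEO "Debugger" keys, the other common way a program with a known name like mbam.exe is prevented from starting while a renamed copy runs fine.

```powershell
# Added example, not code from the thread. Read-only triage of the settings the
# posters name: hosts file, WinINET proxy, the .exe handler, IFEO debuggers and
# the system DNS servers. Assumes default paths; run from an elevated prompt.
$findings = @()

# 1. hosts file. A stock file only maps localhost; every other name is worth a
#    look, including security-vendor sites pointed at 127.0.0.1 to block updates.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in Get-Content $hostsPath) {
    $line = ($raw -split '#')[0].Trim()        # drop comments and blank lines
    if (-not $line) { continue }
    $fields = $line -split '\s+'               # "<ip> <name> [<name>...]"
    if ($fields[1] -ne 'localhost') { $findings += "hosts: $line" }
}

# 2. WinINET proxy (used by IE, and by Chrome unless told otherwise; Firefox
#    keeps its own settings but can be set to follow these).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings += "proxy server set: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { $findings += "proxy auto-config script: $($inet.AutoConfigURL)" }

# 3. .exe file handler. The stock value is  "%1" %*  and anything else gets
#    launched every time any .exe is started. A per-user copy under HKCU wins
#    over the machine-wide one, so check both hives.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Classes\exefile\shell\open\command"
    if (Test-Path $key) {
        $cmd = (Get-ItemProperty $key).'(default)'
        if ($cmd -ne '"%1" %*') { $findings += "$hive exefile handler: $cmd" }
    }
}

# 4. Image File Execution Options. A Debugger value under a program's file name
#    substitutes another executable for it: mbam.exe never starts, 1.exe does.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem $ifeo) {
    $dbg = (Get-ItemProperty $sub.PSPath).Debugger
    if ($dbg) { $findings += "IFEO $($sub.PSChildName) -> $dbg" }
}

# 5. Resolver. Both browsers use the system DNS servers; compare the addresses
#    against the router or ISP. Listed for review rather than flagged.
"DNS servers in use (compare with the router/ISP addresses):"
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "  $($_.Description): $($_.DNSServerSearchOrder -join ', ')" }

if ($findings.Count -eq 0) {
    'Nothing unusual in hosts, proxy, exe handler or IFEO.'
} else {
    'Suspicious settings:'
    $findings | ForEach-Object { "  $_" }
}
```

If item 3 reports anything other than `"%1" %*`, that is exactly the hijack the post above describes, and renaming the cleaner to .COM or starting it from cmd.exe is how you get around it until the handler is restored. If everything comes back clean and the redirects continue, that is consistent with the rootkit the same post talks about: a kernel driver can rewrite traffic without touching any of these user-visible settings, which is what the original poster saw before ComboFix found it.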
Yep, there's no DNS hijacking. Tried Super Antispyware and nothing, tried Avast boot scan and nothing. Multiple runs of Avast and MBAM came up empty (after successfully removing the main components of the virus/trojan mind you, but the internet search problem remains).
Is the renaming because whatever leftover rootkit will block it from seeing it or working correctly? I thought you only had to rename the malware programs if a virus was stopping you from opening it.
In any case I'll look at TDSSKiller, and I know ComboFix is powerful and haven't done it yet due to concerns over them not having files backed up.
Well, thanks to you guys I have some more options. I saw this post about a certain .sys, .dll and .exe being created, which I'll check quickly, but I'd think one of the programs would have caught that. Then trying to reset the settings for Internet Explorer and Firefox, but he reinstalled Firefox completely and it still happens, so it's probably not this either.
One of them is thinking of going to the computer repair store one more time (already spent $200 on getting two viruses fixed) and talking about switching to a Mac soon, and I don't want her to have to waste money. I think it's fine that she wants to start using a Mac in the future, but the PC she bought can be reformatted if nothing else and then will work like new; there's no reason to completely disregard it. Plus figuring it out will let me fix the other person's same problem, who is begging me to get it fixed or running the browser
Thanks KiTA for the extra explanation. You helped me big time last time too.
BTW, what really sucks is one of them is keeping really up to date and it happened. Firefox, Adobe Reader, and Flash are all being automatically updated. He has Adblock Plus. He doesn't even have Java on the machine. Reader has JavaScript disabled. Next step would be NoScript for Firefox. I've grown concerned that maybe his Qwest modem router sucks or something, though I don't know much about them, but NAT routers are supposed to be more secure? I looked at the modem configuration and it's all pretty standard, but I saw an option to increase the "safety level" which could reduce "productivity" level or something.
I had a similar virus that I was able to remove with the Microsoft antivirus program. I wasn't able to clean the linking problems with Malwarebytes alone. MB was able to get rid of the secondary infection, but the Microsoft program did a swell job on the initial virus.
even without java, you have microsoft's built in Java, but we all know how vigilant Microsoft is about securi... yeah. haha, can't finish that.
Install the latest Sun Java, if only to overwrite Microsoft's piece o' junk.
shiii didn't know. Installed that.
I've got him setup with MSE + MBAM now instead of Avast + MBAM.
I couldn't run ComboFix in safe mode; it gave an access denied permission error. But in Windows it was able to run, found a rootkit and rebooted to do its full scan. His computer now looks to be completely cleared. FIXED!!
For the other person, my neighbor who wants to switch to a Mac, she is having a couple of other problems with her computer that greatly complicate the issue now, and I can only get into safe mode. She has the same type of rootkit, and if I can't run ComboFix in safe mode I can't clear it off, but moot point since the machine blue screens at the Windows user login screen.
The blue screen seems suspicious to me, but it only intermittently happened in previous months, as in she says it could happen once a day or once every 2 weeks. Additionally her internet connection is acting very slow. Using the modem and wireless router, her laptop has the same slow connection, or the connection gives up, so it wouldn't seem to be due to another virus issue. I looked at ipconfig on both machines and the DNS server (listed once) was the same as her router IP address. It's not like she can't connect to the internet, but that looked dumb to me. Yet I think the problem is a wireless card she's using is causing a conflict or something and possibly causing the blue screen? She thinks it started happening after it was installed.