Strange search Virus
moonpeach
05-08-10, 01:32 AM
Hiya guys
Recently I had an attack from a virus, well viruses, which I have managed to get rid of, but there is 1 which I just cannot. Basically I'm using Firefox and whenever I go to a search engine such as Google and type in something, I'll click on a result and instead of it taking me to that result page it will take me to another site (spam site of some description) and I click back and click the link again, and it does it 3-4 times then lets me go to the site I wanted to go to.
This also happens after I searched something or just randomly pops up. I could be on this forum and it will open a new tab by itself and go to some random site which I've never heard of or try and take me to this 'fantastic new windows 2010 antivirus' (I know that's a virus). I'm just unsure how to clear this virus. I've used Comodo to search for it and found nothing, I've used PCTools and couldn't find it, CCleaner and did nothing, Trend Micro house doctor and it found nothing.
Thanks
petteyg359
05-08-10, 03:01 AM
See this: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
MalwareBytes (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe) should be able to remove it.
arcanise
05-08-10, 03:19 AM
Sounds like a virus similar to Conficker, it changes your DNS server settings to a private one that resolves the link names to spam site IPs
moonpeach
05-08-10, 06:14 AM
See this: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
MalwareBytes (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe) should be able to remove it.
I'm sure I don't have antivirus 2010, I had it on my PC but followed a guide to remove it, I'm just scanning using Malwarebytes though
Sounds like a virus similar to Conficker, it changes your DNS server settings to a private one that resolves the link names to spam site IPs
How can I change that back?
moonpeach
05-08-10, 07:55 AM
OK, I just did a Malwarebytes scan and fixed 2 viruses and that still hasn't fixed it, how do I change my DNS back, arcanise?
MooMasster716
05-08-10, 09:12 AM
I had Road Runner do the same to me for Firefox. Look in the config and see if it's been changed.
Link (http://www.firefoxfacts.com/2008/01/13/change-default-search-in-firefox/)
moonpeach
05-08-10, 09:36 AM
I had Road Runner do the same to me for Firefox. Look in the config and see if it's been changed.
Link (http://www.firefoxfacts.com/2008/01/13/change-default-search-in-firefox/)
What do you mean roadrunner, btw I don't need that link :P even if it's not just on Google, I could be on lockerz or something and a tab will just open up and go to a random site. I'm just doing another scan on Malwarebytes and will paste the results here soon.
arcanise
05-08-10, 10:53 AM
in command prompt type ipconfig /all and tell me what your DNS server is
moonpeach
05-08-10, 11:34 AM
192.168.0.1
I.M.O.G.
05-08-10, 11:41 AM
Run a HJT scan and provide the results: http://free.antivirus.com/hijackthis/
Also, the IP address provided indicates you are relying on your router for DNS. If you know how to check your DNS settings on your router, tell us what DNS server your router is using. If you don't know how to do that, tell us the make and model of your router.
moonpeach
05-08-10, 11:58 AM
Netgear DG834G
I'll download HJT and give you the log shortly
arcanise
05-08-10, 12:03 PM
In your web browser type that IP 192.168.0.1, log in as required and find in the settings or tool tab what your DNS server is
moonpeach
05-08-10, 12:04 PM
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:03:16, on 08/05/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'Default user')
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 3503 bytes
Edit: Arcanise, I don't have access to the router, my mum does and I don't have access to it
I.M.O.G.
05-08-10, 12:06 PM
Can you screenshot this page of your router settings?
http://www.farina1.com/DG834G/basic-settings.jpg
You can view your router settings by going to the address 192.168.0.1 in an internet explorer window. If you, your mom, or someone else hasn't configured your own username and password for this, the username is admin and the password is password.
In HJT, you need to clean up these:
O4 - HKUS\S-1-5-18\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'Default user')
Cleaning these, and rebooting, will resolve the core of your issue. It may also solve the symptom you are seeing, although additional steps may be required to fix whatever those executable files were doing.
thideras
05-08-10, 12:07 PM
O4 - HKUS\S-1-5-18\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'Default user')
That is definitely not legit. Reboot in safe mode and delete the following folder:
C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai
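The triage done by eye on the log above (spotting the two `panwnlxi` autoruns among the legitimate ones), written out as an added example that is not part of the original thread. The function names, the three heuristics and the two-reason threshold are assumptions of this sketch, not HijackThis behaviour.

```python
import re

# O4 autorun lines copied from the first HijackThis log in this thread,
# with the forum's wrap spaces ("AppData\L ocal") repaired.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'Default user')
"""

# "O4 - <hive>\..\Run: [<value name>] <command> (User '<name>')"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
# Executable path: either the quoted part, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)
SERVICE_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT"}


def looks_random(name):
    """Crude check (assumption): long all-lowercase name with few vowels."""
    if not (name.isalpha() and name.islower() and len(name) >= 6):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3


def parse_o4(line):
    """Return hive, value name and executable path of one O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m["cmd"])
    path = (exe.group(1) or exe.group(2)) if exe else m["cmd"]
    return {"hive": m["hive"], "name": m["name"], "path": path}


def triage(entry):
    """List the reasons an autorun entry deserves a closer look."""
    reasons = []
    if entry["hive"] in SERVICE_HIVES:
        reasons.append("autorun registered under the SYSTEM/.DEFAULT hive")
    if "\\appdata\\" in entry["path"].lower():
        reasons.append("executable lives under AppData")
    if looks_random(entry["name"]):
        reasons.append("value name looks randomly generated")
    return reasons


def suspicious_entries(log_text, threshold=2):
    """Entries with at least `threshold` reasons; one weak signal is not enough."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = triage(entry)
            if len(reasons) >= threshold:
                hits.append((entry, reasons))
    return hits


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(SAMPLE_LOG):
        print(entry["hive"], entry["name"], entry["path"])
        for reason in reasons:
            print("   -", reason)
```

The `msnmsgr` entry trips the name heuristic on its own but stays below the threshold, which is why the sketch requires two independent reasons before flagging an entry.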
moonpeach
05-08-10, 12:14 PM
Can you screenshot this page of your router settings?
http://www.farina1.com/DG834G/basic-settings.jpg
You can view your router settings by going to the address 192.168.0.1 in an internet explorer window. If you, your mom, or someone else hasn't configured your own username and password for this, the username is admin and the password is password.
In HJT, you need to clean up these:
O4 - HKUS\S-1-5-18\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [panwnlxi] C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai\ekbnkibtssd.exe (User 'Default user')
Cleaning these, and rebooting, will resolve the core of your issue. It may also solve the symptom you are seeing, although additional steps may be required to fix whatever those executable files were doing.
Thanks, Yep logged in with default:
http://img687.imageshack.us/i/searchw.jpg/
That is definitely not legit. Reboot in safe mode and delete the following folder:
C:\Windows\system32\config\systemprofile\AppData\Local\wofrtdtai
Thanks will do that now
I.M.O.G.
05-08-10, 12:17 PM
Also, clean the reg entries with HJT, as well as delete that folder.
And thanks for the screenshot, that confirms you are obtaining legitimate DNS information from your ISP.
moonpeach
05-08-10, 12:30 PM
Just logged into safe mode and deleted that folder, now I'm in normal mode and did a test and it's not popping up or redirecting, YET ;)
moonpeach
05-08-10, 03:38 PM
After a few hours I've noticed it's still happening >.<
thideras
05-08-10, 03:40 PM
Run HiJackThis and post the log here again.
petteyg359
05-08-10, 04:13 PM
Just logged into safe mode and deleted that folder, now I'm in normal mode and did a test and it's not popping up or redirecting, YET ;)
You have to delete registry entries, also, or they'll just re-appear.
I.M.O.G.
05-08-10, 04:33 PM
It depends petteyg359...
Something has to spawn a process. Deleting the registry entries, or deleting the files should kill that portion of the worm - the reg entries won't do anything if the files are missing, and the files won't do anything if the registry entry is missing and no call gets made to the files.
That's the main difference between malware and viruses. A virus is self replicating and doesn't require user interaction to flourish. Malware is clever but nasty programming which typically hides registry entries or hooks into other application calls to activate itself.
If the registry entries are back, there are a couple of possibilities.
1. You are running an infected file. This could be a downloaded/cracked application with a malware exploit (adobe cs4).
2. It could also be some sort of browser hook that gets spawned from temporary internet files, a bad plugin, or other similar trigger.
3. A system file has been replaced with a similar but malicious version that contains malware code. This could be a driver file or something similar. System file checker was designed to counter these sorts of problems.
In any case, any one of these could repair the malware after you delete pieces and parts. Your best bet is to remove any browser add-ins, delete all temp files with something like ccleaner, then run malwarebytes and hjt, and ensure you delete everything that doesn't belong.
If you are visiting cracks, warez, or porn sites, you should increase your browser security settings to keep from getting reinfected. Or even better, run sandboxie and run your browser in a sandbox where things can't screw up the rest of your system.
And if you have any cracked or warezd apps, you should start by removing those. Something got you infected, so you need to consider what you've been doing on the pc that you shouldn't have been doing.
I will put my input when I had a virus like this and it kept coming back for weeks. Updated Malwarebytes and got Spybot Search and Destroy and scanned in safe mode. Then used Ad-Aware as a third scan. Took about 3-4 reboots of it finding something for it to be 100% cleared. Microsoft Security Essentials is good at taking care of it also if you don't mind removing your old virus scanner and putting this one in. I hear though that this virus can get deep enough to require a format though.
moonpeach
05-09-10, 01:42 AM
Run HiJackThis and post the log here again.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 07:42:26, on 09/05/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 3078 bytes
I.M.O.G.
05-09-10, 06:38 PM
Hjt log is clean. Are you still getting misdirected on search result pages?
moonpeach
05-10-10, 01:14 AM
Hjt log is clean. Are you still getting misdirected on search result pages?
Yep. And it sometimes pops up too on a new tab. It's only Firefox that it's happening to.
petteyg359
05-10-10, 08:21 AM
Where did you download Firefox from? If it was anywhere other than mozilla.com, uninstall it and re-download from the official source.
EDIT: If you're by any chance using OpenDNS, I recommend avoiding them like the plague.
I.M.O.G.
05-10-10, 08:25 AM
Have you cleared temp files at all? Disabled browser add-ons?
Joeteck
05-10-10, 09:31 AM
Take a look in your hosts file... You may have a redirect there...
Located in C:\WINDOWS\SYSTEM32\Drivers\etc\
Hosts file has no extension. Edit it with notepad
by default, will have one entry
127.0.0.1 LOCAL HOST
I.M.O.G.
05-10-10, 09:40 AM
Not if his observations are true, it's a firefox only issue. Host file is system wide so it couldn't be a problem with that.
Joeteck
05-10-10, 09:42 AM
Not if his observations are true, it's a firefox only issue. Host file is system wide so it couldn't be a problem with that.
Wouldn't hurt to take a look...
Wait.... Fix your winsock (http://support.microsoft.com/kb/299357#FixItForMe)...
then reboot..
I.M.O.G.
05-10-10, 09:59 AM
It wouldn't hurt no, but it would be a waste of his time unless his observations are wrong - he'd be seeing the same behavior in other browsers if it is a host file issue.
Also, please link to the actual Microsoft page for things like that fixit file - linking directly to MSIs or EXEs is dangerous, people should be directed to the source so they can verify the authenticity of what they are running. Not that you would give someone a bad file, we know you, but it's still good to provide the source and set a good example for others. ;)
Joeteck
05-10-10, 10:07 AM
Link Fixed, just helping the guy out, so he did not have to "find" the file.
moonpeach
05-10-10, 01:10 PM
I've just done what you gave the link to, Joeteck, just about to restart PC. I downloaded Firefox from their site, I only download it from there. I am officially beta testing for Firefox so I get emails from the beta manager @ mozilla with the direct link to the Mozilla Firefox site to the latest beta.
Edit: restarted and still having issues, I don't really wanna reinstall Windows as I have 1TB of stuff >.<
Joeteck
05-10-10, 01:39 PM
Does not look like that beta is all that good... :shock:
arcanise
05-10-10, 01:52 PM
Sounds like your "beta" provider is giving you an infected Mozilla
petteyg359
05-10-10, 02:13 PM
Firefox beta downloads are obtained easily from the official site (http://www.mozilla.com/en-US/firefox/all-beta.html). There's absolutely no good reason to be downloading from a link somebody emailed to you.
Any chance the person emailing you the link is giving you a Comcast pre-hijacked version (http://www.mozilla.com/en-US/firefox/all-beta.html)? Many other ISPs seem to offer the same hindrance as a "value-added service".
moonpeach
05-10-10, 02:21 PM
Sounds like your "beta" provider is giving you an infected Mozilla
from Marcia Knous <marcia@mozilla.org>
to betatesters@mozilla.org,
macqa@mozilla.org,
vistaqa@mozilla.org,
communityqateam@mozilla.org
Comes from them which is Mozilla , I can easily unsubscribe each month they let me know.
I.M.O.G.
05-10-10, 03:01 PM
There's nothing wrong with your Beta. It's a firefox only issue though, and since you've ensured the OS is clean, you need to do a few more things...
1. Delete all temp files with ccleaner, to remove any infected files you have in your browser's cache or OS cache
2. Disable any 3rd party plugins you have for firefox
I don't know why you are talking about reinstalling windows, it's clearly not a windows problem if Firefox is the only application with a problem.
Personally, I'd do this:
1. delete all temp files with ccleaner
2. Uninstall firefox
3. Delete firefox application data/profile folder
4. Reinstall firefox downloading directly from http://www.mozilla.com/en-US/firefox/all-beta.html
If you skip or ignore any of those steps, you'll probably still have your problem
moonpeach
05-10-10, 03:50 PM
Hiya guys. Just uninstalled Firefox and did a CCleaner and deleted temp etc. Just came onto IE to check next step here and a popup came up and it's that search virus thing. So it's not just on FF
I.M.O.G.
05-10-10, 04:04 PM
If you follow the removal guides for antivirus 2010 and it doesn't work, you could waste a lot more time messing around and hoping to get lucky, or you could just do a fresh install.
I'd recommend fresh install at this point.
Assuming you won't like that answer, your best bet may be here:
http://forums.malwarebytes.org/index.php?showtopic=9573
Joeteck
05-10-10, 04:23 PM
Dr web is also very good...
I will put my input when I had a virus like this and it kept coming back for weeks. Updated Malwarebytes and got Spybot Search and Destroy or SUPERAntiSpyware and scanned in safe mode. Then used Ad-Aware as a third scan. Took about 3-4 reboots of it finding something for it to be 100% cleared. Microsoft Security Essentials is good at taking care of it also if you don't mind removing your old virus scanner and putting this one in. I hear though that this virus can get deep enough to require a format though.
Hiya guys. Just uninstalled Firefox and did a CCleaner and deleted temp etc. Just came onto IE to check next step here and a popup came up and it's that search virus thing. So it's not just on FF
Did you try what I posted? I had the identical virus as you and got rid of it. Logs reported clean but still had pop ups and I had to do multiple scans in safe mode for it to fully clear.
Also please go to Internet Explorer, then Tools, Internet Options, Connections and then click on LAN settings and make sure the box "use a proxy server for your LAN" is unchecked as this helps the virus as well. Also if you go to Documents and Settings, then find the account name you are on and click on it, then go to Application Data, if you see file names that are just random letters, for example: xacaxfsaretgre or anything that is not an actual word, please post it here. That was a file that my scanner could not detect and deleting it fully cleared the virus.
When I got the virus and I got redirected to search engines and I had to take about 100 different steps to get rid of it.
There may be folders like this c:\Program Files\AV2010
If you are not afraid to go into your registry these keys may show up also:
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Windows Gamma Display”
HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
You could also try a system restore to a point before the symptoms were happening if you decide to reformat your computer.
moonpeach
05-11-10, 12:33 PM
I'm just storing things atm then gonna do a reinstall. Luckily Windows 7 doesn't take too long to install
petteyg359
05-11-10, 12:48 PM
Download and install MSE before you start restoring any backups, just in case one of those files is infected.
moonpeach
05-11-10, 02:38 PM
Only files I backed up were Flight Sim X and GTA, oh and my music.