Avast WEBforum

Other => Viruses and worms => Topic started by: jaxter9000 on June 01, 2010, 12:46:53 PM

Title: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 01, 2010, 12:46:53 PM

Hello,

Yesterday night (May 31, 2010), I searched Google for Hyundai. I clicked on the Wikipedia link, and was redirected to a website that caused Avast to pop up with the warning siren that says "Caution: A virus has been detected."

I tried this with several other searches with the same result.

I did not click on any "sponsored links" either. These links were the normal ones.

I even tried a different search engine, Bing, and the same thing still occurs.

Thankfully unlike my previous virus troubles, my computer isn't 99% crippled by this one. :P

What program(s) should I download and what log(s) should I post and how would I go about finding them?  :) (Please remember that I cannot use any search engines due to the nature of my problem)

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: Lisandro on June 01, 2010, 01:20:37 PM

What exactly do you want? Get your computer clean?
Are you experiencing trouble in any search you perform?

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 01, 2010, 01:23:02 PM

Yes, I am experiencing trouble in every search I perform.

And yes, I would like to get my computer clean please. I think a virus might be causing this problem.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: Lisandro on June 01, 2010, 01:30:32 PM

I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete them.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan (http://www.abelhadigital.com) tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
9. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).

Step 6 seems to be essential.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: Jtaylor83 on June 01, 2010, 05:02:34 PM

Please follow Essexboy's instructions (http://forum.avast.com/index.php?topic=53253.0).

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 02, 2010, 02:06:56 AM

I have attached the MBAM log and the OTL log to this post. Due to the file size restriction, I must most the OTL extra file in the next post.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 02, 2010, 02:07:26 AM

I have attached the OTL extra file to this post.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: essexboy on June 02, 2010, 10:31:51 PM

Those look clear - are your still getting re-directed ?

(http://www.geekstogo.com/misc/guide_icons/gmer.png) GMER Rootkit Scanner - Download (http://www.gmer.net/gmer.zip) - Homepage (http://www.gmer.net/)

• Download GMER
• Extract the contents of the zipped file to desktop.
• Double click GMER.exe.

(http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif)

• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
  (http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
  Click the image to enlarge it
  

• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  
• Save the log where you can easily find it, such as your desktop.

**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 03, 2010, 02:14:11 AM

I'm not being redirected anymore, but should I still do the GMER thing to make sure I got everything off?

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: essexboy on June 03, 2010, 09:09:01 PM

Yes please

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 04, 2010, 06:03:56 AM

Hey essexboy, sorry about this, but the problem returned before I got around to doing the GMER scan. I ran another MBAM and OTL scan. I've attached the files to this post. I don't know if this will change anything, so I will wait for further instructions to proceed with anything.

Sorry about this complication  :-[

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: essexboy on June 04, 2010, 08:46:30 PM

Hi I will need the GMER log as that will show me which file has been patched

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 05, 2010, 04:55:34 AM

The GMER log is attached to this post.

I don't know what is happening to my computer at this point; it got so slow that I had to restart it because it froze multiple times while I was scanning with GMER. After the GMER scan finally finished (took roughly 3 hours), I had to restart my computer again because my internet wouldn't load.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: essexboy on June 05, 2010, 12:53:45 PM

OK me sees it

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.

• Extract the file and run it.
• Once completed it will create a log in your C:\ drive
  
• Reboot your computer
• Please post the contents of that log

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 05, 2010, 06:35:28 PM

Quote from: essexboy on June 05, 2010, 12:53:45 PM

OK me sees it

Haha that made my day  ;D

The scan produced two logs, so I'm posting both. :)

Edit: I think the first file was older, but was updated by the restart, I was looking at the dates that the files were last updated when I posted them.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: essexboy on June 05, 2010, 07:07:29 PM

The redirects should now have ceased

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 05, 2010, 08:12:26 PM

The log is attached to this post.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: essexboy on June 05, 2010, 08:22:14 PM

What problems do you have now ?

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: jaxter9000 on June 05, 2010, 08:28:11 PM

None that I can see as of now. I will keep you updated if anything comes up.

Title: Re: Search Engine Links Lead me to Virus-Detected Sites
Post by: essexboy on June 05, 2010, 08:34:01 PM

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
  
• Click Yes to confirm.
• Click OK.

SPRING CLEAN
 
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
  
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here (http://www.xs4all.nl/~fstaal01/flushflash-us.html) and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

• SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
  (http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://"http://www.malwarebytes.org/mbam-download.php").  Run weekly to keep your system clean
  

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update (http://windowsupdate.microsoft.com)
  

To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Keep safe  :wave: