Nasty Redirect Virus

RunningMan

Inactive
Did I say nasty? Whoa...

I have removed other minor redirect viruses, but this one was much worse. Never saw it before and it was a bear to get rid of. Whenever I did a Google or Yahoo search it would redirect and "back" did not work at all.

I used HitmanPro and found some trojans. Grr... but still there. Then used Kaspersky RootKit TDSS removal. Found Pharsic.C (or something). Great, but no help. Then I got Malwarebytes and found Aureleon (various). Still not it. My problem is male ego, as I kept clicking to see if it worked on a search engine and kept downloading more. They didn't.
Safe mode, and used Microsoft Removal Tool Full Scan (overnight, not connected). MRG.gen. Then got Microsoft Security Essentials and got rid of it.

STILL NOT GONE. Same trojans came back! Could not even search for a good geek or tech forum...kept redirecting. Why it mostly went to Norton products I don't know.

Finally went straight to www.techspot.com. Tried everything in their rundown to a product called RogueKiller. No charge, easy to run. Did the full scan and found a trojan called "ZERO ACCESS" which actually loaded from my DRO partition every time I started up, which loaded other trojans. I did not say that it actually turned off my firewall, I believe by loading a fake firewall to override it.

So I went through the products one after the other while in network disconnect.

RogueKiller
CC Cleaner (used to clear locked cookies)
MalwareBytes
Kaspersky TDSS Killer
Microsoft Security Essentials
HitmanPro 3.6 (the only one I actually had to purchase) - had to hook in to get to the cloud

Cleared the various trojans one by one. Took hours with required reboots.

Gone. Finally. Or at least until the daughter uses the computer again....

What I don't understand is why each product surfaced a different virus.

AMEND TO ADD DETAILS:
1. I had to go to a previous restore point to limit the number of trojans. The ZERO ACCESS virus still loaded from the DRO partition onto the restored registry.
2. After I got rid of all (see above), the firewall still would not work, so I had to go to Microsoft and find Windows XP Service Pack 3 (SP3) and found the tech version and downloaded, hoping that it would not destroy my machine. It didn't. It did replace old files and replace missing/broken ones without interference to the many upgrades since the first SP3 download.
3. Then I could use Microsoft fixit to repair the firewall.

Long way back and I don't want to have to do that often.

geoffs

Veteran Member
Thanks for great info Running. I'm having the same problem all week! I'll do what you did, I'm not too technical. Thanks again.

AlaskaSue

North to the Future
Wow, that is something. I have it too and it makes me nuts. Right click on 'Back' takes me to the google page or whatever where I started, then it does not redirect when I go on (for each individual search). I just ran my Kaspersky and CC cleaner, looks like I have a lot more to get rid of this one. Nasty indeed; thanks for the pointers!

RunningMan

Inactive
I found RogueKiller on http://www.techspot.com/community/topics/system-check-removal.176723/page-9

This forum has great advice and free downloads. These tech geeks LOVE this stuff. For me, I just want my computer to go where I want it to go without distractions. Usually here to TB2K. :-)

They say that ComboFix will work on the ZERO ACCESS virus. I don't know, because I screwed up a computer once before with ComboFix so I try to stay away from it.

Good luck. If I can point you where to go, let me know.

ontheright

TROPIC LIGHTNING GO 25th

Dosadi

Brown Coat
Ran Emsisoft first and killed all but the rootkit, then TDSS and got the rootkit. (Did some manual clean up after that.)

This one was pretty fun "/joking" to get rid of. (I use a crappy old laptop for web browsing and I suspect one of the kids got this one for me.)

Worst thing is some of it was hiding in various jpeg / other picture formats.

Also something hiding in a pic of natzi pigolosi.

Yep, pretty fun.

ETA: Emsisoft had a pretty good rundown on cleaning this up. Be sure you get rid of all the restore points after you are done. (I had to turn off restore to prevent it from getting infected, fix it, then turn restore back on.)

Shinmen Takezo

Membership Revoked
There is a program (freeware) called "combofix" that will fix it all in one pass.

Had the same problem a few months ago--this scrubbed all that Russian crap off of it.

Google it and download it.