Search redirect viruses/malware

ThreadKiller (Junior Executive)
Joined: 04 Oct 2008
Location: Harrisburg, PA
Posted: 23 Oct 2012 at 3:48am
My work PC is a laptop, which I'm encouraged to tote home so I can "stay caught up" on things like email, reports, and performance reviews. I do some of that while watching TV, but I also do a bit of surfing to news sites, sports forums, and here (of course!). I don't visit sites that are known as risky for infection. 

The laptop has McAfee antivirus installed, which I'm now convinced is a worthless piece of crap. It's allowed search redirect viruses in three times in the past six months, with nary a peep of warning. For those of you who haven't had the pleasure, when your PC is infected with one of these, anytime you do a Google, Bing, etc. search, then click a link, the virus redirects you to one of its own result pages, usually with several shopping links that are somewhat related to your original search. 

These things alter your registry and browser settings to implement the redirect, and are not easy to get rid of. The best free antivirus/malware programs haven't touched it the last two times. 

Anyone else get these? How did/do you deal with them? They're incredibly frustrating when you depend on searching to get your work done. 
Hundreds of threads killed.
Thor (Revolutionary)
Joined: 16 Apr 2008
Location: Rockaway, NJ
Posted: 23 Oct 2012 at 5:14am

Now that you mention it, I haven't been redirected to one of those sites in a long time...possibly ever since Comcast switched my security software from McAfee to Norton.

zerocool (Junior Executive)
Joined: 24 Nov 2011
Posted: 23 Oct 2012 at 7:17am
As a general rule, I tell people to run SuperAntiSpyware and MalwareBytes' Anti-Malware. These are malware removal tools only. They are not designed to replace an anti-virus program.

Anyway, McAfee and Norton are awful. I personally use Microsoft Security Essentials on my home computer. At the very least, it's usually honest about the stuff it can't get rid of and still tells you about it. No problems here and it's free.

You could also remove the damn things manually. The basics of it are as follows.

1) Click on Start -> Run and type regedit

2) There are a few keys you want to navigate to and check out (these are the most common):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

3) Note any programs named something random, e.g. ef328ecs.exe, and/or that are running from locations that look suspicious like C:\Windows\system32 or C:\users\(username)\AppData\...

4) Delete the registry entries and the associated programs or dll files. You may need to make hidden folders or system files visible. I use a program called Killbox for the stubborn ones that don't delete. If they don't delete simply because they're "currently in use", check the task manager for rundll32.exe or the name of the exe in the list. Close those processes.

5) Occasionally, these programs hijack all .exe files and maybe some other filetypes to run the malware program itself. This is called file-association hijacking. I boot from a CD called "Ultimate Boot CD for Windows". It's what's known as a "Pre-installed Environment" a.k.a "PE" CD. It's basically Windows XP on a CD with a bunch of tools ready to go. You can also put it on a USB drive (waaayyyy faster). ISOs of it are floating around out there for free, but I won't say any more. Hiren's Boot CD is an alternative to UBCD. Anyway, what you're looking for is the "remote registry editor" tool. It lets you run regedit.exe without invoking that malware (you're booted from another copy of Windows, remember?).

6) From the remote regedit, look at this key:
HKEY_CLASSES_ROOT\.exe

The "(Default)" value should be "exefile". If it's named anything else, you need to change it back to "exefile". You can do this by double clicking the value and typing "exefile" in.

In addition to ".exe", you can look at any file type in HKEY_CLASSES_ROOT and make sure none are hijacked. This is really rare, and really obvious when it happens, so usually if exe is fine, the rest are too. Some notable ones I've seen are .doc, .lnk (shortcuts), .txt, folder, directory, and drive. The asterisk key "*" is a wildcard. In other words, it's the default settings unless otherwise specified in the other keys.

Anyway, this is pretty much what Malwarebytes and Superantispyware do automatically, but it never hurts to double check the work the right way. Take a look at the logs too.

Special note
Some other things to do about the redirects:
- Run a tool called LSPFix if you're running Windows XP. It's rare, but it'll show any "invalid" (read: malware) objects in the Winsock2 LSP stack.
- "HijackThis!" and Autoruns are good ones to look at too. Too much info to cover on using those here, but it's pretty straightforward. Google what you don't know and always back up the registry before making changes.
- I've also been noticing that sometimes these pieces of malware come with bundled rootkits to ensure the problem keeps coming back. A rootkit is a type of malware that creates its own little file system and everything on your hard drive and acts as a middleman between BIOS and Windows on startup. In other words, it gets loaded into memory before Windows, meaning it's difficult to detect and get rid of. A tool that works great for these is called TDSSKiller by Kaspersky. It's actively updated and free.
- Reset your settings to default if you're in Internet Explorer. I'd recommend Firefox or Chrome, though, if you are on IE. At the very least, you get your settings back from the cloud instead of defaults, and they're not as heavily targeted as IE. They all have flaws, but IE is the most exploited.

And, that's pretty much the whole trick to that particular kind of malware you got. They're really common. I used to do tech work for a certain blue and yellow logo store years ago. I still do it for my family and friends, though so this info is still relevant.

In case you're wondering, it's true. The vast majority of the employees from that chain of stores are retarded wannabe technicians (who the hell aspires to be a technician anyway? pathetic). Working in retail stores is depressing. At least I have a much better job now that I'm out of college. I work with embedded electronics and write client software and firmware for industrial control systems. In my line of work, security is a pretty big deal. We can't have malware like Flame or Stuxnet threatening to take down the infrastructure we build now, can we?

EDIT: I didn't realize that the message I may be sending is that this is somehow a part of security when it comes to embedded systems. It's not. It may be a problem if your IT department is run by sh*t-chucking apes that can't get it together and those infected workstations are running your client software, though.

Oh well, the workstations are low security anyway.

That's why we prefer to write code at the lowest level and as close to the machine as possible. Ever wonder why industrial programs look so ugly? It's because the graphics are made from extended ASCII characters and/or handmade pixel maps, because we'd rather not use someone else's code (some pretty graphics library) that could have some obscure security vulnerability and be used as an attack vector. These machines are usually not running Windows, though.
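As an added example (my own code, not from zerocool's post or any tool named in the thread), here is a PowerShell script that automates the manual checks from steps 2 through 6 above: it lists every entry in the three Run keys, flags the warning signs the post describes, and verifies the .exe file association. The "random-looking name" pattern, the folder list and the signature check are my assumptions about what is worth flagging.

```powershell
# Added example, not from the post: audit the three Run keys and the .exe file
# association that the steps above walk through by hand. Heuristics and names
# here are my assumptions; treat flags as leads to check, not verdicts.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath([string]$Command) {
    # Strip arguments: a quoted path first, otherwise everything up to the first space.
    $path = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutorunFlags([string]$Name, [string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return @('empty command') }
    $flags = @()
    # Random-looking names such as ef328ecs: 8+ chars with letters and digits mixed.
    foreach ($n in @($Name, [IO.Path]::GetFileNameWithoutExtension($Path))) {
        if ($n -match '^[a-z0-9]{8,}$' -and $n -match '\d' -and $n -match '[a-z]') {
            $flags += "random-looking name '$n'"; break
        }
    }
    # Per-user and temp folders are the usual hiding place; system32 hosts many
    # legitimate entries, so it only stands out when the signature check also fails.
    if ($Path -match '\\AppData\\|\\Temp\\|\\ProgramData\\') { $flags += 'runs from AppData/Temp/ProgramData' }
    if (-not (Test-Path -LiteralPath $Path)) {
        $flags += 'target file not found (hidden, or already removed)'
    } elseif ((Get-AuthenticodeSignature -FilePath $Path).Status -ne 'Valid') {
        $flags += 'no valid Authenticode signature'
    }
    return $flags
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # provider metadata, not autoruns
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $p.Value
            Flags   = (Get-AutorunFlags $p.Name (Get-CommandPath ([string]$p.Value))) -join '; '
        }
    }
}
$report | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap   # flagged rows first

# Step 6 check: the (Default) value of .exe must be "exefile". HKEY_CLASSES_ROOT is a
# merged view and a per-user override in HKCU\Software\Classes wins, so look at both.
foreach ($k in 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
               'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe') {
    if (-not (Test-Path $k)) { continue }
    $default = (Get-Item $k).GetValue('')
    if ($default -ne 'exefile') { Write-Warning "$k (Default) is '$default', expected 'exefile'" }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and the files under system32 are readable; a flagged row is a starting point for the manual inspection the post describes, not proof of infection.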
Thor (Revolutionary)
Joined: 16 Apr 2008
Location: Rockaway, NJ
Posted: 23 Oct 2012 at 2:44pm
Thanks for the info, zerocool.  But if it requires going deep into regedit and changing codes, I'd rather go deep into my address list and contact my computer guy to come out and take a look.
 
He's better and cheaper than Geek Squad, and operates out of his house.  The first time I used him, I had lost my entire operating system (and had no disc for it).  He came to my house, checked it out, took it to his home, reinstalled the OS, cleaned it up, brought it back to my house in a few days, hooked it up, did some fine tuning---and charged me a total of $125.  I lost not one file.
 
I had previously asked Geek Squad about this.  Their solution (buy new computer and have them do a data transfer) would've cost me about $700.
 
 
zerocool (Junior Executive)
Joined: 24 Nov 2011
Posted: 23 Oct 2012 at 10:04pm
Originally posted by Thor:

Thanks for the info, zerocool.  But if it requires going deep into regedit and changing codes, I'd rather go deep into my address list and contact my computer guy to come out and take a look.
 
He's better and cheaper than Geek Squad, and operates out of his house.  The first time I used him, I had lost my entire operating system (and had no disc for it).  He came to my house, checked it out, took it to his home, reinstalled the OS, cleaned it up, brought it back to my house in a few days, hooked it up, did some fine tuning---and charged me a total of $125.  I lost not one file.
 
I had previously asked Geek Squad about this.  Their solution (buy new computer and have them do a data transfer) would've cost me about $700.
 


Yep. Sounds about right. LOL

Repair services are severely misunderstood by all retail chains I've ever seen doing them. In my experience, it's just another path to selling you a new computer or charging you obscene amounts of money by replacing things that don't need replacing and brute-forcing problems. It's very rare that you actually need to reinstall Windows, but it is way easier and quicker. Backing up before re-install is fairly easy too. You can just copy the folder from the C:\Users directory and any other folders you may have stuff stored in. Some further investigation may also be required as to where some programs stored the info the customer doesn't want to lose. It's not always all inside My Documents. That's why they usually have you fill out that form before they take your computer. It asks stuff like "which programs do you use the most?" and "what do you use this computer for?". The technician is supposed to spend a few minutes explaining what those questions mean. They're vague because the people writing the forms are idiots.

I lost track of the amount of times I was told I wasn't being a "team player" for actually fixing a computer instead of just selling them a new one or sending it off-site (for god knows how long). They say the profit is minimal without getting the customer to buy attachments or a warranty, but I always highly doubted that. I guess it makes sense from a business perspective. In one shift I could have either sold about 7-10 computers or fixed 2-3. The repairs are almost pure profit, but if I were to guess I'd say the profit on the machine sales alone wins out.

Anyway, yeah you've got it right. It's kind of sad that the people working from home are the ones who do a more professional job, but it's the truth.
Tiz (Revolutionary)
Joined: 15 Apr 2008
Location: Virginia
Posted: 23 Oct 2012 at 10:17pm
^^ Any opinion on both the free and paid CCleaner registry cleaner? I use the free version plus Malwarebytes along with a paid McAfee suite.
JimAyzing (Junior Executive)
Joined: 07 Jun 2008
Location: Ohio
Posted: 24 Oct 2012 at 1:56am
I have used all kinds, but I just use Microsoft Security Essentials. I also use Zappit and CCleaner.
ThreadKiller (Junior Executive)
Joined: 04 Oct 2008
Location: Harrisburg, PA
Posted: 24 Oct 2012 at 4:31am
Originally posted by zerocool:

As a general rule, I tell people to run SuperAntiSpyware and MalwareBytes' Anti-Malware. These are malware removal tools only. They are not designed to replace an anti-virus program.

Anyway, McAfee and Norton are awful. I personally use Microsoft Security Essentials on my home computer. At the very least, it's usually honest about the stuff it can't get rid of and still tells you about it. No problems here and it's free. Thumbs Up
(...followed by lots of really great stuff, and then...)
 
It may be a problem if your IT department is run by sh*t-chucking apes that can't get it together and those infected workstations are running your client software, though. AngryAngryAngryAngry

(...and then some more stuff...)

 
 
Zerocool, many thanks for your response. I expected only some general "yeah that sucks, happened to me too" commiseration, and here you come providing real, detailed, meaningful help. I'm so giddy I don't even care if my non-techie fellow CIHers are bored to tears by this thread! LOL
 
Your removal instructions have been copied (to several places for safekeeping) and I'll give them a shot. I sometimes visit one of the volunteer tech-support forums where you post the HJT and Malwarebytes logs, and some very competent volunteers guide you through the removal based on what they're seeing.
 
Last time though, they were so busy they didn't get to me for a week, and by then my hard drive had crashed--don't know if because of the virus or some other reason. I should add, our laptops are "protected" by Safeboot drive encryption, which basically means if you lose your disk, you are protected from being able to recover anything from it. LOL On startup one morning, I saw "invalid partition table" after the Safeboot login, but before the Windows startup. I have the super-techies in our central IT skunk works working on it, so I might get the files back someday.
 
I'm a big fan of Malwarebytes Anti-Malware, and also got rid of the first infection with TDSSKiller by Kaspersky. But this latest time, nothing touched this sucker. I'll let you know how I make out with your instructions.
 
I strongly recommend Avast antivirus. Their free version is good, but I got the multilicense version of their full Internet protection (includes firewall, etc.) for our home PCs. I swear by it because my wife surfs a lot, shopping sites, coupon sites, forums, etc., and opens anything that lands in her email inbox. I was running scans and removing viruses from her PC on a weekly basis until I installed Avast over a year ago. Since then, nada. Avast just works.
 
Me, I work in state government IT, on the last laps of a 35-year career. Most of the time I was a database developer and app development manager. Then through a manager rotation I wound up on the infrastructure side--managing the network, server, telecomm, and support techies. All of them have more IT knowledge in their pinky than I have in my entire body, but I like to think I won their respect by listening, trying to learn the basics, and not being too proud to crawl under desks and in wiring closets helping them hook stuff up. Basically, trying hard not to be the Dilbert pointy-haired boss.
 
Our central IT has a multiyear contract with McAfee so we're not losing that junk anytime soon. I'd remove McAfee and install Avast on my laptop in a heartbeat, but of course the next time I connected to our network with my laptop, the mother ship would detect the change, toast my Avast install and reinstall McAfee. Those central IT folks are indeed the "sh*t-chucking apes that can't get it together" of whom you speak. I will share that with my team tomorrow...they'll love it.
 
Again, many thanks...I'll be in touch.
 
Hundreds of threads killed.