Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
3239 Views 2 Replies Latest reply: Nov 8, 2010 5:05 AM by paullotion RSS
frustratedredraider Newcomer 1 posts since
Nov 5, 2010
Currently Being Moderated

Nov 5, 2010 10:15 PM

Twist on redirect virus?

I have been reading threads here and following links to try to figure what to do.  A few weeks ago I picked up this epoclick virus somewhere.  McAfee would not update, I couldn't log into antivirus help sites or download programs or anything.  Luckily I still had a CD copy of my Webroot Spy Sweeper I had purchased for my previous computer when it got swamped by a virus and had a three computer license that had not expired.

 

I installed it and called their tech service, getting a hold of someone who was able to help me get to a point to be able to log in to their online tech service where they tried to help me.  They had me download GMER, Wlogs,regbak, Sophos, and Combofix and run the programs and send logs and so forth.

 

It seemed to work for all of a day.  No sooner had I told them things were running better did my (what i thought) internet start freezing randomly.  It would lock up completely sometimes, sometimes let the mouse scroll, sometimes let task manager come up but nothing could be clicked on.  I also started getting blue screens of death implying problems with drivers.  I emailed them back and they told me they didn't work with hardware issues.  Then I had the computer completely lockup with no internet windows open, so I started digging.  This is when I realized that my webpages were taking forever to load (on a DSL) and  discovered the search engine redirect.  I started searching for help sites, and I saw that my searches were being redirected.  This was using Bing and Yahoo.  I did find out two things though.  If you clicked on the cached page, it worked.  I also discovered if you went back to the search page using the back button, the site names still showed but the websites below the description were for screwy websites (probably the redirects) and the cached pages were gone.  I started using new tabs with the cached pages to save the original search page and cached results.

 

I downloaded Malwarebytes, SuperAntiSpyware, and a registry fixer called Frontline Registry Cleaner (which I am not sure of and I had to buy to actually clean the registry which was not quite implied when I looked into it).  I scanned with Malwarebytes and SAS and the blue screens and lockups have slowed but not stopped.  Its every few days instead of every few hours.  But the search engines still redirect, and none of the scanning programs detect anything now, even in safe mode.    McAfee and the others all seem to be updating ok as well.

 

Another thing I noticed, and this is what makes it potentially very dangerous in my opinion, is that it also redirects from certain secure sites.  My online banking has dual entry screens, id, then password on new screen, and if it doesn't recognize you at first, it has an intermediary screen that asks one of a number of security questions.  I wanted to test this so I logged my id into the main screen.  Instead of going to either of those screens, I got new screen that said the site does not recognize your computer and to please enter specific account info into the following boxes.  I didn't do that.  I backed up and found that trying the demo also led to the same screen.  I have checked my account from a safe computer since and it is fine.  But people should be aware it tries to trick you at some secure websites with a redirect.

 

I am about to try a couple of more attempts with ideas from these threads.  However, in one of the threads a link to google redirect remover at review-buddy provided some manual fixes.  There is no TDSSserv.sys in my hidden non-plug-and-play devices (and this is the second website I found saying to look for this), nothing in my host program in the etc subfolder of Systems32, and Obtain DNS server automatically is already checked.  Another potential bad program in my System32 folders is not there either.  

 

I will try the tdsskiller, another spyware scanner, and am downloading an assistance program from my ISP with supposedly live tech support.  I need to get this fixed quickly because I have to get into my bank account and I need to get some presents on Amazon, and I need to feel secure with my remote access to my work computer so I can work from home.

 

I know this was lengthy, but I hope someone can help because I am running out of options.

 

Thank you .

  • Hayton Volunteer Moderator 4,599 posts since
    Sep 27, 2010
    Currently Being Moderated
    1. Nov 6, 2010 4:40 AM (in response to frustratedredraider)
    Re: Twist on redirect virus?

    You're doing everything right, as far as I can see. This redirect Trojan is indeed 'terrorising the internet'. It may be related to a previously-known Trojan but there seem to be some added nasty refinements this time round. I'm not a real expert so don't take my word for it, but I would have thought that by now the majors would have put out a fix if it had been easy to do.

     

    I'm posting stuff up as fast as I come across it. It's being talked about everywhere, and some of the contributors to other forums occasionally either come up with a piece of new information or confirm that a hoped-for fix doesn't work for everybody. That's the best I can do; I'm not a malware expert. I just try to let everyone know what's going on elsewhere.

     

    I wasn't aware that this thing redirects you from secure sites. That's bad. If you're using Firefox at all I think there's an add-on to prevent redirects. It might be worth trying.

     

    As for the file TDSSserv.sys, keep an eye open for it just in case, and also on the 'Obtain DNS server automatically' setting. And a Hosts file *can* be a good thing if you know in advance the name of some of the suspect sites that you might get redirected to, because if you put the name(s) into the file with 127.0.0.1 beside them the redirect is foiled, and your browser just gets pointed back to your own PC. At least, that's my understanding of it - any techies out there who disagree will no doubt shoot me down if I'm wrong, and if they do I won't mind. I want to learn, and techies are good to learn from.

     

    Let us all know what results you get from tdsskiller. I haven't tried most of these suggested fixes, but then I haven't been hit by the redirect Trojan (touch wood). I wonder why - I mean, what have I been doing right? I'll have to give that some thought.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • paullotion Apprentice 8,078 posts since
    Apr 13, 2006
    Currently Being Moderated
    2. Nov 8, 2010 5:10 AM (in response to frustratedredraider)
    Re: Twist on redirect virus?

    Hello,

     

    It looks like you may have been infected with a Tdl rootkit, most likely version 3 or 4. These rootkits are a nasty piece of work and i am afriad at this time there is no automactic fix around. If you are infected with a Tdl variant, they can also infect your MBR(Master Boot Recorder), again no easy fix for this either.

    http://www.drweb.com/static/BackDoor.Tdss.565_%28aka%20TDL3%29_en.pdf

    http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf

     

    You`ll need to visit one of the security forums, they are able to remove the rootkit(you may need your Windows CD/DVD), and also restore the MBR. Do not try any other fixes you see on the internet, if your MBR goes south you`ll lose everything.

    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/305963 -new-instructions-read-before-posting-malware-removal-help.html

    http://www.bleepingcomputer.com/forums/topic34773.html

     

    Also, Webroot should not be asking you to run Combofix, i doubt if they asked the tools creator for permission.

     

     

    on 08/11/10 11:10:12 GMT

    The Black Bear

    *Important News for BT/TalkTalk customers*

    BT/TalkTalk dump Phorm spyware, for more information see this article Here , also visit the NODPI website for much more information relating to DPI.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points