5 Replies Latest reply on Nov 1, 2010 7:27 PM by Hayton

    redirect virus

I find that I have some kind of "redirect" virus.  When I use search engines on my McAfee-"protected" computer (so far I've seen this with both Google and Yahoo search engines), I am redirected to some other, unwanted site.  The history drop-down list (Firefox) shows the original search page and "redirect," and I can get back to my original search using that.  I can copy the REAL web site addresses from the search page, then open a new tab and paste them in, so I can use the search engines, I'm assuming, safely, but this is NOT how I want my computer to work.  I can hover over the links and see the redirect address, and can post a sample if that is helpful.


My main question right now, however, is, why did the McAfee that I am paying for to guard against this kind of thing totally fail to detect or block this, and why is it unable to find it now?  I do a full scan and it says everything is fine.  I have seen several others posting here about similar problems, and McAfee also seems not to have helped them.


      My McAfee is coming up for renewal in a couple of weeks.  This is by far the worst malware experience I have had in decades of computer/Internet use (when I first went on the Internet, it was black screen, all white text, Unix, and the WorldWideWeb was all text with highlighted words, only a demo at the time).  I have been to no "shady" web sites that I know of, and always keep antivirus, spyware, and firewall software running and up to date.


      Does anyone have a recommendation to renew/not to renew?  Or, of course, a way to get this redirect thing to go away?


      Thanks for any help anyone can offer.


      Mary

        • 1. Re: redirect virus
          Hayton

          Funnily enough, I've just dealt with a possible case of browser hijacking on my PC. I ran Malwarebytes Anti-Malware and it found two sets of 3 registry entries which it said were a browser hijack. So I quarantined them. Like you, I wondered why McAfee didn't detect that they were inserted into my browser, so I went to Malwarebytes' own user forums and found that someone had posted, a few hours earlier, about the same thing. I added my voice to that person's, and since then several others have joined in saying they have had the same items detected.


          I'm wondering whether you've got the same piece of mini-malware. As far as I know, no-one's reported major problems from it, and Malwarebytes clears it very efficiently. No-one's sure yet where it comes from, or indeed what exactly it is. If you don't have Malwarebytes it's a useful free program to have - run it and see what it says.


          As to why McAfee doesn't detect it or remove it, it may be that it's not a serious threat - on a par with cookies perhaps. Intrusive, unwanted, but not dangerous. Maybe. I'll wait and see what they say.


          Malwarebytes : http://www.malwarebytes.org/mbam.php

          • 2. Re: redirect virus

            I think I may be back to normal now, although I'd still like to know how I got this thing.  Hayton, I appreciate your information very much.


I did run Malwarebytes, and Sophos Rootkit, and SuperantiSpyware, and AdAware.  I think each of them found stuff; several were described as Trojans, and all of them removed or otherwise dealt with what they found, but I still had the search engine situation I described in my earlier post.


I think the thing that did the trick for me, following the removal of all that stuff by the programs above (still burned that McAfee seemed completely oblivious to all of them AND my continuing problem), which I hope means it won't come back, was to remove the 127.0.0.1 that had been put into my Proxy Settings, and then to remove the hosts file from C:\Windows\System32\Drivers\etc.  I also opened several of the other files there and edited out any "127.0.0.1" in them, or, if the computer wouldn't let me resave them as txt files (I realize now I could get around that if I wanted/needed to), deleted them.  (I saved them elsewhere with .txt extensions in case they seem to be needed later, but they looked as if they were just informational.)  I found directions about this when I was on a computer at another location, and printed a hard copy to take home.  Sorry I can't give its URL right now, but I'll try to find it if anyone would like a look at it.


            Anyway, after I cleaned up the hosts file I restarted, and currently my searches are working normally (and I'm sending this from the formerly - I hope - infected computer).


            If this has truly worked, it wasn't difficult to fix, but it surely was a big hassle and very distressing to find out WHAT to do.


            Again, thank you, Hayton.


            Mary

            • 3. Re: redirect virus
              Hayton

              My pleasure. Glad I could help, even if only in a small way.


              I was interested in what you had to say about the hosts file, since I installed one on my PC over the weekend using one of the options in Spybot. I've been waiting to see what problems there might be in using a hosts file, and you've just highlighted one potential problem I shall watch out for. Could you get the URL you mentioned and post it here, or send it to me by Private Message?

              • 4. Re: redirect virus

                I don't actually understand a lot of this stuff, including exactly what the hosts file is for (I just checked, and I currently have NONE on the computer being discussed - it didn't come back and the machine still seems to be working normally).  The web site that told me about hosts is at Symantec, http://www.symantec.com/connect/forums/search-engine-redirect-virus.  Also, this site: http://www.brighthub.com/internet/security-privacy/articles/73919.aspx appears to have a very similar discussion.


                I expect that the host business was a leftover effect caused by the original virus or Trojan or whatever, which I hope was one of those items that was dealt with in my all-day, run-every-free-checking-programmy-thing-you-can-find session.


                I will keep an eye on any future funny behavior from this computer, don't want to find out that there's any remaining sinister stuff lurking and waiting...

                • 5. Re: redirect virus
                  Hayton

                  Well, this is new to me as well. I've seen a lot of discussion about hosts files, but never seen one until two days ago. I think it works like this ... It's basically a list of web addresses - URLs - that you might want to block. Of course, in there could be some addresses that you *don't* want to block, which is a pain. Each address has an IP address of 127.0.0.1 beside it, so it's just a giant look-up table. When your browser gets a URL address it looks in the hosts file first and if it finds the address there it just gets redirected back to your own machine, so you never get to a blocked website at all.


                  The hosts file should be a read-only file, so that malware can't get in and tamper with the contents. Still doesn't explain how Spybot can do just that, but that's not for me to worry about.


                  Thanks for providing the URLs; at the moment if anything isn't working right with the hosts file my only option is to get rid of it. I'd like to keep it, but learn how to use it.


And your experience is useful to us all: every anti-malware program that is any good will find stuff that the others don't or can't detect. I guess it's down to a decision by the software providers to concentrate on certain areas and investigate those areas in depth, while providing a lesser degree of coverage for other areas where perhaps they don't have as much expertise. Which is why there's endless argument in all the forums as to which one of these malware fixers is "best".
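A small audit script, added here as an example and not posted by anyone in the thread: it parses a hosts file the way Hayton's post describes (a hostname-to-IP table, with 127.0.0.1 or 0.0.0.0 entries acting as blocks) and flags the pattern Mary cleaned out by hand, search-engine or anti-malware domains that have been sinkholed to loopback or pointed at a remote address. The sample file and the watch list of domains are constructed for the example; ordinary blocklist entries are left alone.

```python
import ipaddress

# Constructed sample hosts file (not from the thread): stock localhost lines,
# blocklist-style entries sinkholed to loopback, and three suspicious lines.
SAMPLE_HOSTS = """# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
# blocklist-style entries (the Spybot use of a hosts file)
127.0.0.1  ads.example-tracker.test
0.0.0.0    banner.example-tracker.test
# suspicious: search engines and an anti-malware vendor
127.0.0.1  www.google.com  google.com
198.51.100.23   search.yahoo.com
127.0.0.1  www.malwarebytes.org
"""

# Domains a user never wants sinkholed or redirected (assumed watch list).
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com",
                    "malwarebytes.org", "mcafee.com", "microsoft.com")
LOOPBACK_LIKE = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and bad IPs are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a usable mapping
        entries.extend((ip, name.lower()) for name in names)
    return entries

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Flag watched domains that are sinkholed or sent to a remote address."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost" or not is_watched(host):
            continue  # plain blocklist entries are left alone
        if ip in LOOPBACK_LIKE:
            findings.append((host, ip, "sinkholed to loopback"))
        else:
            findings.append((host, ip, "redirected to remote address"))
    return findings
```

On a real machine you would read the text from C:\Windows\System32\Drivers\etc\hosts and pass it to audit_hosts(); an empty result means no watched domain is being blocked or redirected by that file.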