Argh Virus?

[Munkey]

The missus has been downloading from torrents again, and now something odd has popped up.

Everytime she searches from google, the links come back and all of them go to sites such as ebay, moxiemovie etc. No matter what the search is, the results come back linking to these sites.

Yahoo is unaffected. I've run about 10 different spyware programs, done anti-virus search etc. but nothing is returned.

Anyone know what the hell hijacks google searches? I'm at my wits end.

 

[Kryten]

Try going to some AV sites - i.e symantec.com and the likes. Do they get redirected?

Tried malwarebytes?

 

[Jupitus]

Same shit as affected Edmond... read that thread tbh :/

 

[Munkey]

Ran MalwareBytes, no luck.

If its any clue, a file called "MSN Optimzier" keeps popping up in folders over and over again, which really shouldn't be on the computer.

I had a look at Edmond's thread, but sounds dissimilar.

Gonna have to re-format her laptop.

*sigh*

 

[Wazzerphuk]

Try Ad-Aware? I had this a couple of times recently and got rid of it with a simple scan.

 

[Munkey]

No luck with ad-aware either, really, really odd. Tried another program as well, but the name escapes me.

Either way, have just decided to admit defeat and do a full system wipe and install. There goes my Monday night!

 

[nath]

Spyware Search & Destroy?

 

[Suicidal Tart]

Hey Munkey,

I've had a similar problem recently on my laptop. It was re directing to different sites though.

Everything i used to try and remove it failed, except Nod32.

Dont know if you've tried that one already but none of the other scanners picked it up apart from that!

Its not free so you'd have to get it from the usual places.. and make sure you update it too.

Hope that helps

Cheers

 

[Wazzerphuk]

Got this back again after shaking it. Annoying.

What annoys me is it redirects sometimes, and other times not.

Will attempt to find Nod32 now (whatever that is )

 

[MYstIC G]

Free NOD32 Antivirus Download from ESET International

 

[Insane]

What annoys me is it redirects sometimes, and other times not.

Will attempt to find Nod32 now (whatever that is )

ftp://193.110.109.53/anti-virus/tools/beta/

Its some of the F-Secure Malware removal tools (in particular the Conficker removal tool) which might help
and because its an ip address, there is no chance of the proggy blocking you from accessing it
(yes, I'm utterly paranoid regarding Conficker now... I blame GovCert )

 

[MYstIC G]

Unless it modifies your hosts file?

 

[Kryten]

If anyone is unable to get hold of appropriate download tools because of Conficker modifying the DNS/hosts exceptions in that manner feel free to post a request in here, I and many others will no doubt be happy to send them via email/over IRC etc.

 

[Wazzerphuk]

Nod32 did nothing, gonna try those tools Insane linked me to and hope it doesn't break anything

 

[smurkin]

ftp://193.110.109.53/anti-virus/tools/beta/

Its some of the F-Secure Malware removal tools (in particular the Conficker removal tool) which might help
and because its an ip address, there is no chance of the proggy blocking you from accessing it
(yes, I'm utterly paranoid regarding Conficker now... I blame GovCert )

I had confiker at work last week - the little shit of a worm wouldn't have been so bad if 1) our IT hadn't denied its existance hence promoting its propagation 2) Macaffee had detected it 3) The idiots in our IT actually allowed us to remove the damn thing instead of insisting their policy states a full HD wipe and install.

 

[Kryten]

Smurfin, they're not actually far wrong with the policy tbh. With a conficker infection, you can have absolutely no symptoms other than things like AV updates not working, security sites not working. I count myself lucky if I see a site with the ol' AV360/AV XP come up as I know there's an infection

In a couple of the school sites we've had with infection, I shut down the entire network, pulled the switches and manually worked through each machine disinfecting. It only takes one machine to get onto the network to propogate, even with very harsh security restrictions. It doesn't help when too many sites use silly dictionary passwords, and even more so when up to date AV software doesn't detect - mcafee and symantec included.

 

[Bahumat]

Right, my little bro seems to have this (search results going crazy)(if you google the link you want, then open in new tab it works).
He got it from msn and it seems to attach itself to messages to other people (thats how he got it). May have been a file called hahaphoto?

So far I've found some names in msconfig which may be the cause of this?

wscns c:\uhaa.exe
wscs c:\awa.exe

Malwarebytes found 8 files, one was a trojan bot, one was something called fxinstaller i think. I will try that Nod32 program along with what Insane linked.


He is also getting BSOD after enter your password on the Vista logon screen

 

[smurkin]

Smurfin, they're not actually far wrong with the policy tbh. With a conficker infection, you can have absolutely no symptoms other than things like AV updates not working, security sites not working. I count myself lucky if I see a site with the ol' AV360/AV XP come up as I know there's an infection

In a couple of the school sites we've had with infection, I shut down the entire network, pulled the switches and manually worked through each machine disinfecting. It only takes one machine to get onto the network to propogate, even with very harsh security restrictions. It doesn't help when too many sites use silly dictionary passwords, and even more so when up to date AV software doesn't detect - mcafee and symantec included.

Aye, but there is a tool to remove it. And it seemed nasty to me - it lay dormant until the 1st Feb - then pc rebooted every 5 mins, even when no user was logged on - and not a nice reboot - some script that forced instant reboot without any saving of settings. And the internet was fubared as they had to stop external access due to zombie activity connecting with the outside.

 

[Wazzerphuk]

Aye, but there is a tool to remove it.

Got a link?

 

[Kryten]

Have a quick google around, Sophos, Kaspersky, Symantec all have removers, an as discussed before malwarebytes also removes as does the MS removal tool (MSRT)

 

[Bahumat]

lol my brothers pc gives a bluescreen of death just as the profile select screen appears on vista.
gonna have to piss around with this and try to fix it with those tools above.

 

[smurkin]

Got a link?

Soz, No. I read about it on an email. I'm still suffering. When they rebuilt my os, they neglected to restore site wireless certificates, my encryption keys )so I can't digitally sign anything), and my wireless keys

 

[Kryten]

Bahumat : don't suppose it's just a "STOP" bluescreen, error code "0x0c000008 something something somethin" is it?
Had another one of those today, torn between a hardware error and viral infection - was infected with zlob and conficker (linked) anyway but cleaned and it was still at that. Didn't get time to format and rebuild but that's a job for next week.

 

[Wazzerphuk]

Symantec's cleaner found nothing.

SUPERAntiSpyware (which is free btw) picked up a few things, cleaned them, but I still have the google thing. Gonna try another more thorough scan with it.

It seems most of the auto-cleaners are highly ineffective and don't really work: most reports I see on the net are people having to manually clean (can't be arsed with this yet, hoping I can auto-nuke the fucker somehow).

 

[Wazzerphuk]

So SUPERAntiSpyware is no longer detecting the DNS changer but it's still happening. :<

 

[Kryten]

So many variants of this damned thing it's hard to narrow it down. Plus of course conficker itself doesn't do a huge amount of damage, but the plethora of nasties it allows through/is distributed with causes the main problem. Grab as many removal tools as possible.
I had to manually solve a few infections where the yellow warning bar was coming up in IE by deleting the plugins folder (or locating the exact plugin/BHO name) from IE - but stumbled across an app, ToolbarCop (shit name) that soon sorted that:
Using ToolbarCop to remove the unwanted Toolband, Toolbar Icons and BHO

 

[Sar]

I've had three BSOD's over the past couple of days, which is odd as they're the first I've had in years.

MWB picked nada up, and neither has Kaspersky.

 

[Kryten]

Sar: what are the BSOD's saying?

 

[Sar]

IRQ_NOT_LESS_OR_EQUAL yadda yadda

Stop messages 0, 1e, a and 8Efsomethingorother.

So I defragged every partition I've got, ran a full malware scan, full virus scan and removed a couple of programs I'd installed recently that I don't really need, and all seems well so far.

I can boot into Vista again (which I couldn't do recently) and XP seems to be running ok.

Might've just been in need of a tune up tbh.

 

[Kryten]

Ah, thats an easy one. Either a hardware fault or more likely, driver issue, so time to start upgrading (or downgrading) some drivers to see what the cause is. That is almost certainly not an infection.