Got a bad virus

[Lighty]

Got one of these fuckin annoying rootkit/webroot viruses I think, my lad was on the PC and has admitted to downloading something that I think was an .exe and installing it! Anyway ive usually been able to sort this sort of thing but I have tried everything, Malware bytes, spybot search and destroy, combofix etc etc, tried them all in safe mode and offline but still im getting redirected to spam websites all the time. I could really do without the hassle of reformatting and installing windows as I have got so much stuff on my C drive that I dont want to lose etc..
Its not a real problem what its doing its just an annoyance that every other google link I click on keeps taking me to this gringoheat.com site WTF is that all about??

[Roach-Rampino]

There's a good prog. called "Rkill" that will stop the virus so that you can then remove it. I am out at the park with my kids right now but will send you the file when I get home later.

[evilsatan]

Rkill.exe is here.

Note: Rkill will automatically close known bad processes, you should run this in admin mode before running malwarebytes full scan. After running Rkill.exe you cannot restart until you have completed your malwarebytes scan and removed the uninfected files or else the bad processes will start again.

Rkill and malwarebytes will not be able to remove some rootkits. I have only had two clients so far with hardware so badly infected it required a reformat, one of those two was this week and the infection seems to have altered/spread to the actual boot sectors on the HDD so I had to nuke the HDD sectors with DBAN before the new XP installation would start.

If you know you have a rootkit it would be sensible to backup your files and reformat, they are a lot more stubborn than most malware. The browser hijacking appears to be the hardest component to remove.

[Fon]

May be worth while also checking your proxy settings,

Fon

[Lighty]

OK thanks for all replys will give it a go now see how I get on.
Cheers

[Lighty]

just ran the rkill and i got the log at the end, im not sure it actually killed anything or not but doesnt look like it did?

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 27/03/2011 at 15:43:52.
Operating System: Windows 7 Enterprise


Processes terminated by Rkill or while it was running:



Rkill completed on 27/03/2011 at 15:43:56.

Followed up with malware scan and got this

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6176

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

27/03/2011 15:48:01
mbam-log-2011-03-27 (15-48-01).txt

Scan type: Quick scan
Objects scanned: 183982
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[prezzy]

what is the problem just redirecting web pages? what is it redirecting to? What browser are you using?

[Lighty]

firefox browser, sometimes its to this gringoheat site that just shows some advertising shit and sometimes to a facebook page, it seems very random to be honest

[evilsatan]

Rkill found no bad processes and malwarebytes found no malware. Sounds just like the couple of jobs I had to reformat, I would hazard a guess that you experience the redirecting in IE, firefox and chrome because the hijacker seems to operate in a core process somewhere. I checked proxies, HOST files, add-ons etc and still pages were being hijacked.

Redirects appear totally random, I have seen eBay, Facebook and small random sites.

[prezzy]

try typing - about:config in fierfox accept the caution thing then search for keyword.URL
See what the value is - should be google or similar
worth a try fixed one last week after getting all the shit off the pc it was still redirecting web pages cos that had changed

[Lighty]

shit shit shit, this is not hte answer I wanted
Im positive there must be a way to fix it, there always is usually, I know its sometimes easier to reformat but I really dont want to, so im gonna have to figure it out. It only happens in google, so say I search for something in google if I click on the link for the page I want it will sometimes take me to the site I want but more often than not it will say "JUMP" or "Re-Direct" in the tab at teh top of firefox then take me to some random site, I can get around it by clicking the links with the middle mouse wheel which opens the site in a new tab, that way I never get redirected. Not tried another browser yet so will give that a go.

[Lighty]

hmmmm just installed google chrome, never used it before properly looked at it once when it first came out but didnt think much of it, I have to say im quite liking it for speed and on screen simplicity, very clean looking. Also so far I dont seem to be having any redirection problems.??

[Possy_99]

if you really can't lose this stuff then why are you risking losing it? You've got popups leading to god knows where.. it only takes one redirect and a driveby download and your fu©ked again.. take the oppertunity / count your blessings you have a chance and get your important files off the os drive asap



p.s - google 'over the top / repair install' - may help.

[Lighty]

ive got network attached backups of all drives mirrored, I just meant I dont want to have to go through all the setup of my current windows installations, I have a massive amount of software installed like the size of my cuebase db alone is about 78GB so I dont want to have to install all those samples/loops again etc etc. But it seems OK now, like I said originally it wasnt me who put this thing on here I am very well protected in all areas but I cant help it if someone like my son installs something without realising.

[Possy_99]

limited user accounts

[evilsatan]

If only one browser is affected then look into what prezzy suggested and disable all extensions. I'm not sure if there is a 'safe mode' firefox like with IE. IMO chrome is the best browser out there so if it's working ok uninstall firefox.

[ilscuro]

Started using google chrome as well, was sick to death of firefox crashing

[greens117]

Stupid question, have you done system restore?

[DejaVu]

Firefox or Google Chrome, reinstall them.
Uninstall Internet Explorer 8 - Update to Internet Explorer 9.

If it's just a web surfing issue, dont reinstall your computer, just your browser.
If you ran Malwarebytes all the way through (up to date) and it found nothing - it's nothing major!

Install Safari and see if that gets affected. If it does - check you hosts file has not been tampered with (which is highly inlikely!)

[cewiii]

I had something simular the other day- (xp system)

Switch off system restor, restart in safe mode then ran virus check (AVG free) and then addaware.

Repinted ie 8 to my mates start page (which had been changed) and it worked like new.

Also ran this GREAT BIT OF KIT - Eusing Free Registry Cleaner.

http://www.eusing.com/free_registry_...ry_cleaner.htm


Eusing Free Registry Cleaner is a free registry repair software that allows you to safely clean and repair registry problems with a few simple mouse clicks. The Windows Registry is a crucial part of your PC's operation system.