New Virus?

I seem to have been infected with a malware file or site that redirects my
search engine inquiries to "r3953724.cn" which sends my inquiries to various
advertisers.
I tried several methods of removing this malware to no avail. Is this a new
threat and how do I get rid of it?
--
nobluesman

nobluesman wrote:

> I seem to have been infected with a malware file or site that redirects my
> search engine inquiries to "r3953724.cn" which sends my inquiries to
> various advertisers.
> I tried several methods of removing this malware to no avail. Is this a
> new threat and how do I get rid of it?

There are always new threats. The only links I found referencing your
particular redirect location (aside from yours) were on BleepingComputer's
HijackThis forums in threads getting guided help. That's probably what you
should do next.

Here is a list of numerous links to specialty forums where you can get that
guided help, including BleepingComputer's forum:

http://www.elephantboycomputers.com/...html#HJT-links

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
http://www.elephantboycomputers.com/#FAQ

From: "nobluesman" <(E-Mail Removed)>

| I seem to have been infected with a malware file or site that redirects my
| search engine inquiries to "r3953724.cn" which sends my inquiries to various
| advertisers.
| I tried several methods of removing this malware to no avail. Is this a new
| threat and how do I get rid of it?
| --
| nobluesman

Malware - Yes.
Virus -- probably not.

Perform a scan using Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Which AV product are you using? Which browser?

--



"nobluesman" <(E-Mail Removed)> wrote in message
news:83838157-6FCE-4C2D-9475-(E-Mail Removed)...
>
> I seem to have been infected with a malware file or site that redirects my
> search engine inquiries to "r3953724.cn" which sends my inquiries to
> various
> advertisers.
> I tried several methods of removing this malware to no avail. Is this a
> new
> threat and how do I get rid of it?
> --
> nobluesman

I have the same thing, it appears to be a remnant rootkit of Smitfraud
malware.

Clean installs of Malwarebytes, SuperAntiSpyware, adaware, spybot, and
ATF cleaner finally got everything removed but for the redirect
rootkit. Still looking for information on how to get rid of this.

From: "Arik" <(E-Mail Removed)>

| I have the same thing, it appears to be a remnant rootkit of Smitfraud
| malware.

| Clean installs of Malwarebytes, SuperAntiSpyware, adaware, spybot, and
| ATF cleaner finally got everything removed but for the redirect
| rootkit. Still looking for information on how to get rid of this.

If it is a RootKit, Gmer
http://www.gmer.net/#files

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

did not work. still getting redirected.

It is going to h**p://r3953724.cn followed by hundreds of characters
in a script and then redirecting to some ad sites.

"Arik" <(E-Mail Removed)> wrote in message
news:05fde4a4-c0c1-4e5c-a1c9-(E-Mail Removed)...
>I have the same thing, it appears to be a remnant rootkit of Smitfraud
> malware.
>
> Clean installs of Malwarebytes, SuperAntiSpyware, adaware, spybot, and
> ATF cleaner finally got everything removed but for the redirect
> rootkit. Still looking for information on how to get rid of this.

What is a "rootkit"?

Have you checked your "hosts" file or your ISP's DNS settings?

Do you get your connectivity through a router, and is it "locked down"?

From: "Arik" <(E-Mail Removed)>



| did not work. still getting redirected.

| It is going to h**p://r3953724.cn followed by hundreds of characters
| in a script and then redirecting to some ad sites.



Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en...HJTInstall.exe

Then post the contents of the HJT log in your post with a full explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/i...hp?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/...p?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

"FromTheRafters" <erratic @nomail.afraid.org> wrote in message
news:(E-Mail Removed)...
> "Arik" <(E-Mail Removed)> wrote in message
> news:05fde4a4-c0c1-4e5c-a1c9-(E-Mail Removed)...
>>I have the same thing, it appears to be a remnant rootkit of Smitfraud
>> malware.
>>
>> Clean installs of Malwarebytes, SuperAntiSpyware, adaware, spybot, and
>> ATF cleaner finally got everything removed but for the redirect
>> rootkit. Still looking for information on how to get rid of this.
>
> What is a "rootkit"?

Are you serious???

"A rootkit is a software system that consists of one or more programs
designed to obscure the fact that a system has been compromised."

Check wikipedia!!! WTF!

DUH...

> Have you checked your "hosts" file or your ISP's DNS settings?

Oh yeah that is it... Double DUH.

> Do you get your connectivity through a router, and is it "locked down"?

Score again... Triple DUH.

--