New Virus?

Discussion in 'Virus Information' started by nobluesman, Oct 26, 2009.

  1. nobluesman Guest

    I seem to have been infected with a malware file or site that redirects my
    search engine inquiries to "r3953724.cn" which sends my inquiries to various
    advertisers.
    I tried several methods of removing this malware to no avail. Is this a new
    threat and how do I get rid of it?
     
    nobluesman, Oct 26, 2009
    #1

  2. Malke Guest

    There are always new threats. The only links I found referencing your
    particular redirect location (aside from yours) were on BleepingComputer's
    HijackThis forums in threads getting guided help. That's probably what you
    should do next.

    Here is a list of numerous links to specialty forums where you can get that
    guided help, including BleepingComputer's forum:

    http://www.elephantboycomputers.com/page2.html#HJT-links

    Malke
     
    Malke, Oct 26, 2009
    #2

  3. From: "nobluesman" <>

    | I seem to have been infected with a malware file or site that redirects my
    | search engine inquiries to "r3953724.cn" which sends my inquiries to various
    | advertisers.
    | I tried several methods of removing this malware to no avail. Is this a new
    | threat and how do I get rid of it?
    | --
    | nobluesman

    Malware - Yes.
    Virus -- probably not.

    Perform a scan using Malwarebytes' Anti-Malware
    http://www.malwarebytes.org/mbam/program/mbam-setup.exe
     
    David H. Lipman, Oct 26, 2009
    #3
  4. Which AV product are you using? Which browser?
     
    The Central Scrutinizer, Oct 26, 2009
    #4
  5. Arik Guest

    I have the same thing, it appears to be a remnant rootkit of Smitfraud
    malware.

    Clean installs of Malwarebytes, SuperAntiSpyware, adaware, spybot, and
    ATF cleaner finally got everything removed but for the redirect
    rootkit. Still looking for information on how to get rid of this.
     
    Arik, Oct 26, 2009
    #5
  6. From: "Arik" <>

    | I have the same thing, it appears to be a remnant rootkit of Smitfraud
    | malware.

    | Clean installs of Malwarebytes, SuperAntiSpyware, adaware, spybot, and
    | ATF cleaner finally got everything removed but for the redirect
    | rootkit. Still looking for information on how to get rid of this.

    If it is a RootKit, Gmer
    http://www.gmer.net/#files
     
    David H. Lipman, Oct 26, 2009
    #6
  7. Arik Guest

    Did not work. :( Still getting redirected.

    It is going to h**p://r3953724.cn followed by hundreds of characters
    in a script and then redirecting to some ad sites.
     
    Arik, Oct 27, 2009
    #7
  8. What is a "rootkit"?

    Have you checked your "hosts" file or your ISP's DNS settings?

    Do you get your connectivity through a router, and is it "locked down"?
     
    FromTheRafters, Oct 27, 2009
    #8
  9. From: "Arik" <>

    | did not work. :( still getting redirected.

    | It is going to h**p://r3953724.cn followed by hundreds of characters
    | in a script and then redirecting to some ad sites.

    Download and execute HiJack This! (HJT)
    http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

    Then post the contents of the HJT log in your post with a full explanation of your problem
    and what you have done to date in one of the below expert forums...

    { Please - Do NOT post the HJT Log here ! }

    Forums where you can get expert advice for HiJack This! (HJT) Logs.

    NOTE: Registration is REQUIRED in any of the below before posting a log

    Suggested primary:
    http://www.thespykiller.co.uk/index.php?board=3.0

    Suggested secondary:
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.malwarebytes.org/forums/index.php?showforum=7

    Suggested tertiary:
    http://www.dslreports.com/forum/cleanup
    http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
    http://www.atribune.org/forums/index.php?showforum=9
    http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
    http://gladiator-antivirus.com/forum/index.php?showforum=170
    http://forum.networktechs.com/forumdisplay.php?f=130
    http://forums.maddoktor2.com/index.php?showforum=17
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.spywareinfo.com/index.php?showforum=18
    http://forums.techguy.org/f54-s.html
    http://forums.tomcoyote.org/index.php?showforum=27
    http://forums.subratam.org/index.php?showforum=7
    http://www.5starsupport.com/ipboard/index.php?showforum=18
    http://aumha.net/viewforum.php?f=30
    http://makephpbb.com/phpbb/viewforum.php?f=2
    http://forums.techguy.org/54-security/
    http://forums.security-central.us/forumdisplay.php?f=13
     
    David H. Lipman, Oct 27, 2009
    #9
  10. Are you serious???

    "A rootkit is a software system that consists of one or more programs
    designed to obscure the fact that a system has been compromised."

    Check wikipedia!!! WTF!

    DUH...
    Oh yeah that is it... Double DUH.
    Score again... Triple DUH.

    --
     
    The Central Scrutinizer, Oct 28, 2009
    #10
  11. Yes, but I wasn't asking *you*. Just because someone's IP address lookup
    returns a substitute address, doesn't mean it is happening on *your*
    computer and it being protected by a rootkit. See DNS poisoning and DNS
    changer malware for more information.
    Don't be such an ass.
     
    FromTheRafters, Oct 28, 2009
    #11
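    The checks FromTheRafters raises in #8 and #11 (hosts file, resolver settings, DNS changer behaviour) and the redirect URL Arik describes in #7 can be audited with a small script rather than by eye. The following is an added example and not code from anyone in this thread: the hosts file and proxy log lines are constructed samples, the resolver addresses are placeholders to be replaced with the output of ipconfig /all, and the only value taken from the thread is the redirect domain r3953724.cn, used here purely as a watchlist entry.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample hosts file. The non-loopback entries for search engines and
# the loopback entry for a security vendor are the kind of lines a hosts-file
# hijack would plant; the outside address is a documentation-range placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com       # constructed: search engine pinned to an outside address
203.0.113.45    search.yahoo.com
127.0.0.1       www.malwarebytes.org # constructed: vendor site nulled so the tool cannot be fetched
"""

# Constructed proxy/web log lines in the shape "timestamp client method url status".
SAMPLE_LOG = """\
2009-10-27T09:14:02 10.0.0.12 GET http://www.google.com/search?q=rootkit 302
2009-10-27T09:14:02 10.0.0.12 GET http://r3953724.cn/in.cgi?s=1&q=rootkit 302
2009-10-27T09:14:03 10.0.0.12 GET http://ads.example.net/landing 200
"""

SEARCH_ENGINES = {"google.com", "www.google.com", "search.yahoo.com", "www.bing.com", "bing.com"}
SECURITY_VENDORS = {"malwarebytes.org", "www.malwarebytes.org", "gmer.net", "www.gmer.net",
                    "bleepingcomputer.com", "www.bleepingcomputer.com"}
# Redirect domain named in the thread; extend with anything else you want watched.
REDIRECT_WATCHLIST = {"r3953724.cn"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a full audit would report it rather than skip it
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def suspicious_hosts_entries(text):
    """Return (line, hostname, address, reason) for entries a redirect infection would add."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # loopback mapping of localhost is normal
        if name in SEARCH_ENGINES:
            findings.append((lineno, name, str(addr), "search engine pinned to a fixed address"))
        elif name in SECURITY_VENDORS:
            findings.append((lineno, name, str(addr), "security vendor site blocked or redirected"))
    return findings


def unexpected_resolvers(configured, expected):
    """Resolver addresses in use that are not among the ones you expect (router or ISP)."""
    return sorted(set(configured) - set(expected))


def requests_to_watchlist(log_text, watchlist=REDIRECT_WATCHLIST):
    """Return (timestamp, client, url) for log lines whose host is on the watchlist."""
    hits = []
    for raw in log_text.splitlines():
        fields = raw.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        host = (urlsplit(url).hostname or "").lower()
        if any(host == w or host.endswith("." + w) for w in watchlist):
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts file:", finding)
    # Placeholder resolver values; substitute the servers shown by ipconfig /all.
    print("unexpected resolvers:",
          unexpected_resolvers(["192.168.1.1", "203.0.113.9"], ["192.168.1.1"]))
    for hit in requests_to_watchlist(SAMPLE_LOG):
        print("redirect request:", hit)
```

    On a real machine, read the hosts file from its actual location (on Windows, %SystemRoot%\System32\drivers\etc\hosts) and feed it to suspicious_hosts_entries; a clean hosts file with a clean resolver list and no watchlist hits supports FromTheRafters' point that the redirect may not be happening on the local computer at all, and the next place to look is the router's DNS settings.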
  12. How does throwing advertisements in the user's face attain this goal?
     
    FromTheRafters, Oct 28, 2009
    #12
  13. Peter Foldes Guest

    Ignore a troll in the making.
     
    Peter Foldes, Oct 28, 2009
    #13
  14. ....and not very bright at that. :eek:)

     
    FromTheRafters, Oct 28, 2009
    #14
  15. :)
     
    The Central Scrutinizer, Oct 28, 2009
    #15
  16. I successfully cleaned this infection a few days ago. It’s a rootkit in
    atapi.sys. Use the newest version of ComboFix to detect and clean it.
    Disable your A/V before running ComboFix and make sure you allow it to:
    1) update itself to the newest version
    2) install the recovery console if it’s not already present

    Good luck!
     
    Propeller Head, Oct 30, 2009
    #16
  17. Arik Guest

    THANKS!!

    Anyone know how to disable Symantec corporate so I can run combofix?
     
    Arik, Oct 30, 2009
    #17
  18. Arik Guest

    So many thanks! Had to disable Symantec in services, but combofix found
    and removed this nasty rootkit!
     
    Arik, Oct 30, 2009
    #18
  19. You're very welcome Arik - glad I could help! 8^)
     
    Propeller Head, Oct 30, 2009
    #19