#1 |
Confirmed User
Industry Role:
Join Date: Dec 2002
Location: SeATtle
Posts: 6,033
|
redirect virus
I am having just a total fit with this redirect virus. I've had it before, and usually combofix.exe fixes it..but this time around, no luck with combo, malwarez, hitmanpro.exe, superantispyware, supersplybot, etc etc..and it still redirects..google, yahoo and bing.. Has anyone come across a DIFFERENT program that actually works..or knows how to MANUALLY remove it? Many thanks in advance!
#2 |
Confirmed User
Join Date: Jul 2008
Posts: 850
|
Try anti-rootkit software, and a proper virus scanner as well.
#3 |
Arthur Flegenheimer
Industry Role:
Join Date: Jul 2006
Location: New York City
Posts: 11,056
|
Use Malwarebytes, free trial download. It usually is pretty good with shit like that.
#4 |
Confirmed User
Industry Role:
Join Date: Aug 2007
Posts: 6,697
|
Realize that each time you get these things your entire security is severely at risk. You have to do something (even if it means switching Operating Systems) to stop yourself from getting them in the first place or eventually the results will be disastrous. Playing cleanup just isn't enough. As a webmaster, if the wrong thing gets in your system and you update your sites it could potentially mean infecting thousands of users or worse.
I'd probably reinstall to be safe. But if you don't want to do that make sure you are running those programs in safe mode. And are you sure the problem isn't an infected router? Don't forget to check to make sure it didn't set a proxy somewhere either. Sometimes these utilities will leave the errant proxy in place within the settings. |
#5 |
Confirmed User
Industry Role:
Join Date: Dec 2002
Location: SeATtle
Posts: 6,033
|
did and do..no luck
#6 | |
Confirmed User
Industry Role:
Join Date: Dec 2002
Location: SeATtle
Posts: 6,033
|
Quote:
Should probably mention I run windows xp pro
#7 |
Registered User
Industry Role:
Join Date: Sep 2010
Posts: 20
|
Run msconfig and go to the startup tab. Uncheck everything and restart. If the redirect is gone, it means that one of the items in your startup is doing it. Enable one item and restart - do this one item at a time until you find the one that is doing the redirect. Look carefully at the line that is causing the redirect to determine the actual program and its registry entry - then remove them.
#8 |
Doing the grind since 99
Industry Role:
Join Date: Oct 2003
Location: Buffalo NY
Posts: 16,881
|
Did you check your host file? Combofix should get rid of the redirect virus on an XP pro machine. Check to be sure your host file isn't modified.
#9 |
Confirmed User
Industry Role:
Join Date: Dec 2002
Location: SeATtle
Posts: 6,033
|
I did check that early on and it was infected..so I got rid of everything except the line for local host that should be there. I just ran combofix a 2nd time and it said the same things as hitman pro said..that explorer.exe in windows.0 was infected and restored it..and that winlogon.exe in windows.0 was also infected, but was NOT able to restore it for some reason. So that's the latest thing I am working on.
#10 | |
Confirmed User
Industry Role:
Join Date: Dec 2002
Location: SeATtle
Posts: 6,033
|
Quote:
#11 |
Confirmed User
Industry Role:
Join Date: Dec 2002
Location: SeATtle
Posts: 6,033
|
For what it is worth (and this applies to those who use winxp pro btw)
I did manage to get rid of the virus..turns out the explorer.exe and winlogon.exe file in windows.0 was infected. Deleting them and restoring them off of your installation disk did that for me. BUT..also check your host file..c:\windows\system32\drivers\etc look at that file..and there should be only ONE entry in the first file..and that is the local host ip address. Anything else should be deleted out. Thanks for everyone's input too!
#12 |
Confirmed User
Join Date: Aug 2002
Location: Sydney, Australia
Posts: 6,103
|
Bump for you. I have something on my system too and followed all the info above along with about 15 different spyware killers and virus programs and I still have it.
What happens is when I go to google images and it will display the first 3 lines then I will not be able to use anything connected to google for another 10 minutes. It does this with other sites too like gfy and cnn. I have no idea what it is but nothing I do is working. Is that like yours?
#13 | |
Confirmed User
Industry Role:
Join Date: Dec 2002
Location: SeATtle
Posts: 6,033
|
Quote:
Don't know if you are running xp, vista, or win7..but the BEST program I could find that finally narrowed down the culprits in my case (explore.exe and winlogon.exe in windows.0 being infected and having to be deleted and re-installed), was hitmanpro..so would suggest getting that proggie and trying it and see what you come up with . Combofix.exe found the same problem but for some reason could re-install the new files..but could do that with hitmanpro.exe
#14 |
Confirmed User
Industry Role:
Join Date: May 2005
Posts: 1,835
|
Safest way to run a PC online is to run inside VMware.

Partition your drive into 4:
1- windows
2- saved local data/trusted data
3- email
4- saved internet files

Or learn to use Linux and use VMware to run Windows applications.

You can try the following, as it's not always something in your root system; sometimes it's just a cache issue. Run ipconfig /flushdns in a command prompt to fix it.

You can also do the following. To edit your local DNS lookup file, explore this folder: C:\Windows\System32\Drivers\etc. The file name is hosts. Search for anything you feel is not needed. If you've never edited your HOSTS file before, this is what it should look like:

```
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
```
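Added example, not part of any post in this thread: a small Python audit of a hosts file that reports every entry other than the loopback `localhost` line several posters say should be the only one left. The sample file, its addresses (documentation range 192.0.2.0/24) and hostnames are constructed, and the verdict names are this example's own labels.

```python
import ipaddress

# Search engines the original poster saw redirected; matched as a hostname label.
WATCHED = ("google", "yahoo", "bing")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: a tampered hosts file (addresses are documentation-only).
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # constructed entry
192.0.2.10      search.yahoo.com
192.0.2.11      www.bing.com
127.0.0.1       update.av-vendor.example
not-an-ip       example.test
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for each suspicious entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        ip_text, *names = entry.split()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((line_no, ip_text, " ".join(names), "malformed"))
            continue
        for name in names:  # one line may map several names to the same address
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES and ip.is_loopback:
                continue  # the one entry a clean XP hosts file contains
            if ip.is_loopback or ip.is_unspecified:
                verdict = "sinkhole"  # name blackholed, e.g. an update server
            elif any(w in host.split(".") for w in WATCHED):
                verdict = "search-redirect"
            else:
                verdict = "override"
            findings.append((line_no, ip_text, host, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

To check a real machine, pass the contents of C:\Windows\System32\Drivers\etc\hosts to `audit_hosts` instead of `SAMPLE`.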