
All, I seem to have the same issue. Malwarebytes' Anti-Malware is detecting the svchost process attempting IP connections to 91.212.226.6 when Firefox is not running, and to other IPs when Firefox is running.

Also, when I search in the Bing search textbox or Firefox's Google search textbox (in Internet Explorer or Firefox, respectively) and click on a search result, it goes to sites other than the original link. I checked the Network tool in Firefox 4, and it shows the routes in the following log.

Malwarebytes' Anti-Malware did not detect it with version ~6879 today, nor did it detect anything when I tried a few days ago. I just updated to 6885 and am trying again. A few days ago I tried running ComboFix, but it only deleted things in archive zip files and a Java scheduler.

May you please help me too? Should I open a new topic?

Malwarebytes' Anti-Malware log

09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55264, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55265, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55266, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55267, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55268, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55269, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55270, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55271, Process: firefox.exe)
09:59:03 Diane IP-BLOCK 91.213.29.63 (Type: outgoing, Port: 55399, Process: firefox.exe)
09:59:03 Diane IP-BLOCK 188.95.52.161 (Type: outgoing, Port: 55400, Process: firefox.exe)
10:02:07 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55422, Process: svchost.exe)
10:32:33 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55591, Process: svchost.exe)
10:42:33 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55602, Process: svchost.exe)
12:54:20 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55735, Process: svchost.exe)
13:24:45 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55765, Process: svchost.exe)
13:34:45 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55777, Process: svchost.exe)

Clicking on the TextPad download search result, when I had "textpad download" in the search toolbar, spawns these HTTP requests:

PLEASE DON'T go to these URLs! This is just for informative purposes about the virus.

[01:25:03.941] GET http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fwww.textpad.com%2Fdownload%2F&rct=j&q=textpad%20download&ei=Wjb8Td-uDYTx0gHqmrjMAw&usg=AFQjCNENIlIsriJbDbX7pwA4aFqrwF1lWQ&sig2=kGnhU6eU4bvJl-Qxrz0aJg [HTTP/1.1 200 OK 34ms]
[01:25:03.994] GET http://www.textpad.com/download/ [HTTP/1.1 200 OK 135ms]
[01:25:04.166] GET http://ajrentals.com/default.pk?tsearch=textpad+download&search_button.x=0&search_button.y=0 [HTTP/1.1 200 OK 446ms]
[01:25:04.643] GET http://195.3.145.184/6Vm3c4LL7t5ytoc915399c4acfcba3b08dbfb662cfba8ca937h [undefined 11ms]

Request URL: http://www.textpad.com/download/
Request Method: GET
Status Code: HTTP/1.1 200 OK

Request Headers (01:25:04.018)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Host: www.textpad.com
Keep-Alive: 115
Referer: http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fwww.textpad.com%2Fdownload%2F&rct=j&q=textpad%20download&ei=Wjb8Td-uDYTx0gHqmrjMAw&usg=AFQjCNENIlIsriJbDbX7pwA4aFqrwF1lWQ&sig2=kGnhU6eU4bvJl-Qxrz0aJg
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Sent Cookie
__utnc: 1

Response Headers (135ms)
Cache-Control: no-cache, no-store, must-revalidate
Connection: close
Content-Length: 143
Content-Type: text/html
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Set-Cookie: __utnc=1; expires=Sat, 18-Jun-2011 05:55:04 GMT

Response Body (0ms)
<iframe src='http://ajrentals.com/default.pk?tsearch=textpad+download&search_button.x=0&search_button.y=0' style='visibility:hidden;'></iframe>

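The IP-BLOCK entries in the post above carry the indicator a responder would look for first: a system process (svchost.exe, not the browser) contacting the same blocked address over and over, including while the browser is closed, with two of the gaps exactly 600 seconds apart. Here is an added example (not part of the original post, and not a Malwarebytes tool) that parses lines in that format and reports repeated non-browser connections with the intervals between them. The BROWSERS set and the min_hits threshold are assumptions chosen for this example; the sample log is constructed from the entries quoted above plus one junk line.

```python
import re
from collections import defaultdict

# Regex for the one-line IP-BLOCK format quoted in the post above.
IP_BLOCK_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>\w+),\s*"
    r"Port:\s*(?P<port>\d+),\s*Process:\s*(?P<process>[^)]+)\)\s*$"
)

# Processes for which outbound connections to arbitrary web hosts are expected.
# Assumption for this example; extend it to whatever browsers are installed.
BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe", "opera.exe"}

# Constructed sample: entries copied from the post, plus one non-matching line
# to show that anything that is not an IP-BLOCK entry is skipped.
SAMPLE_LOG = """\
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55264, Process: firefox.exe)
09:50:03 Diane IP-BLOCK 199.238.181.201 (Type: outgoing, Port: 55265, Process: firefox.exe)
09:59:03 Diane IP-BLOCK 91.213.29.63 (Type: outgoing, Port: 55399, Process: firefox.exe)
09:59:03 Diane IP-BLOCK 188.95.52.161 (Type: outgoing, Port: 55400, Process: firefox.exe)
10:02:07 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55422, Process: svchost.exe)
10:32:33 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55591, Process: svchost.exe)
10:42:33 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55602, Process: svchost.exe)
12:54:20 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55735, Process: svchost.exe)
13:24:45 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55765, Process: svchost.exe)
13:34:45 Diane IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55777, Process: svchost.exe)
this line is not an IP-BLOCK entry and is ignored
"""


def parse_ip_blocks(text):
    """Return one dict per IP-BLOCK line; everything else is skipped."""
    events = []
    for line in text.splitlines():
        m = IP_BLOCK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        e["process"] = e["process"].strip().lower()
        e["direction"] = e["direction"].lower()
        events.append(e)
    return events


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def find_beacons(events, min_hits=3):
    """Group outgoing blocks by (process, ip) and report non-browser processes
    that hit the same blocked address at least min_hits times, with the gaps
    between hits in seconds so a fixed check-in interval stands out."""
    by_key = defaultdict(list)
    for e in events:
        if e["direction"] == "outgoing" and e["process"] not in BROWSERS:
            by_key[(e["process"], e["ip"])].append(_seconds(e["time"]))
    findings = []
    for (proc, ip), times in sorted(by_key.items()):
        if len(times) >= min_hits:
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            findings.append({"process": proc, "ip": ip, "hits": len(times), "gaps_s": gaps})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_ip_blocks(SAMPLE_LOG)):
        print(f"{f['process']} -> {f['ip']}: {f['hits']} hits, gaps {f['gaps_s']}")
```

On the sample this reports a single finding, svchost.exe to 91.212.226.6 with six hits and gaps of 1826, 600, 7907, 1825 and 600 seconds. The log only names the host image, so it cannot tell which service or injected module inside svchost.exe made the connection; that is exactly why a repeating non-browser pattern like this warrants a rootkit scan rather than a search for a bad browser add-on.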
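The captured response above is the other tell: Content-Length is 143, and the quoted iframe tag is exactly 143 bytes, so the "textpad.com" reply contained no page at all, only a hidden iframe pointing at ajrentals.com, which in turn fetched a raw-IP URL. The following added example (not from the original post) checks a response body for that pattern: hidden or zero-sized iframes, an off-site destination, and no visible content. The CLEAN_BODY sample and the expected host parameter are constructed for the example; CAPTURED_BODY is the body quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that hide an element outright; width/height 0 is handled separately.
HIDDEN_STYLE_RE = re.compile(r"(?:visibility\s*:\s*hidden|display\s*:\s*none)", re.I)

# Constructed samples. CAPTURED_BODY is the 143-byte body quoted in the post;
# CLEAN_BODY is a made-up ordinary page with a visible iframe, for contrast.
CAPTURED_BODY = ("<iframe src='http://ajrentals.com/default.pk?tsearch=textpad+download"
                 "&search_button.x=0&search_button.y=0' style='visibility:hidden;'></iframe>")
CLEAN_BODY = ("<html><body><h1>Download TextPad</h1><p>Choose a build below.</p>"
              "<iframe src='http://www.textpad.com/ads/' width='300' height='250'></iframe>"
              "</body></html>")


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for width/height attributes like '0' or '0px'."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


def hidden_iframes(html):
    """Return the src of every iframe that is hidden by style or zero-sized."""
    p = _IframeCollector()
    p.feed(html)
    out = []
    for a in p.iframes:
        if (HIDDEN_STYLE_RE.search(a.get("style", ""))
                or _is_zero(a.get("width")) or _is_zero(a.get("height"))):
            out.append(a.get("src", ""))
    return out


def triage_response(body, expected_host):
    """Judge one response body for the redirect pattern seen in the post:
    hidden iframes pointing off the expected host, and no visible content."""
    hosts = [urlparse(src).netloc.lower() for src in hidden_iframes(body)]
    offsite = [h for h in hosts if h and h != expected_host.lower()]
    visible_text = re.sub(r"<[^>]+>", "", body).strip()
    return {
        "hidden_iframes": len(hosts),
        "offsite_hosts": offsite,
        "no_visible_content": visible_text == "",
        "verdict": "suspicious" if offsite and visible_text == "" else "ok",
    }


if __name__ == "__main__":
    print(triage_response(CAPTURED_BODY, "www.textpad.com"))
    print(triage_response(CLEAN_BODY, "www.textpad.com"))
```

A hidden iframe on its own is not proof of compromise (ad and analytics frames are often hidden), which is why the verdict also requires that the page carry no visible content and that the frame leave the expected host. When the check fires on a site you trust, the browser-side capture cannot say whether the content was altered on the wire, at a proxy, or on the host itself; the rest of this thread is what narrowed it down to the host.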

I fixed this virus by researching it and finding a legitimate solution here.

Anyone with the symptoms I describe above: you probably have this Google search redirect virus. It is known as the TDSS virus.

The cure solution is explained in this article.

It refers to a trusted TDSSKiller.zip that removes this known rootkit virus TDSSKiller. It was found on my OEM partition, not the C drive or registry files.

The cure solution TDSSKiller.zip should detect this TDSS virus. Once executed, it shows the detected virus, with the option to "Cure". Click the Cure button to safely cure the virus. The article says not to delete or quarantine because it might be in valid Windows files.

Users, best of luck!

Malwarebytes reps - you probably could put the same type of removal procedure for this rootkit TDSS virus in your ComboFix software. That would be the best of both worlds, right?

-Diane


We do not recommend users run these tools without supervision.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Same for TDSSKiller.

Note: if the Cure option is not there, please select 'Skip'.

The developers of Combofix and TDSSKiller are different parties.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
