
Fix my housemate's laptop

Started by Jathys, November 02, 2011, 09:25:11 PM


Jathys

She had a virus/trojan/malware that pretends to be security software. I undid most of the harmful things it caused, except for two things (that I notice):

  • iexplore.exe runs at startup in the background. I can kill it, but a few minutes later it returns.
  • Search results from Google are redirected to nonsense sites. Bringing down the "Back" list, you can verify that your site was opened, then immediately hijacked. Going to the site directly allows it to open. Opening in a new tab allows it to open. May be other internet quirks, but I haven't noticed them. Other web searches appear to be fine.
BTW- the Google redirect happens in all browsers.

Here's what I've done so far (in this order, there and back again several times, minus the first step which was done only the once):

  • System Restore to get files and settings retrieved
  • Searches with -> Malwarebytes, Spybot S&D, Avast, Ad-Aware, and SuperAntispyware
  • Brute force to fix random shit -> ComboFix
  • System Restore disabled/cleared (to keep from accidentally restoring to bad state)
  • Cleared all internet history, cookies, etc...
  • Disabled all add-ons
  • Reset the router (though this computer isn't experiencing any issues)
  • Cleared DNS cache -> ipconfig /flushdns
Still having issues with the Google redirect and the iexplore.exe running even when it hasn't been started by the user.

[spoiler]PS- I'm posting on the boards because the laptop is really starting to piss me off and I'm done thinking about solutions for the time being.[/spoiler]

Qactis

Her iexplore.exe is corrupted. I'd say go into Windows Components and uninstall Internet Explorer there, then run ComboFix again which will get rid of any rogue iexplores. Internet Explorer is definitely the most targeted browser for malware and trojans, I recommend completely getting rid of it altogether.

Jathys

Done and done, but...

ComboFix freezes now. Gets to the screen telling you it'll take about 10 minutes (or twice as long on bad systems). 6 hours later, it's on the same screen. Had to forcibly reboot. Did so without any major complications, but...

Security software updates are being rejected again. All scans claim the system is clean, but clearly not the case. Attempted the recovery console that ComboFix installs (if you need it) just for giggles. It fails after less than a second. So...

Laptop is heading on a road trip with my housemate (which is good, because I'm about to throw it into a wall). Ideas welcome while it's away. In the meantime, trying to figure out whether or not a PC installation CD can be forced to work on a laptop.

Quietus

A lot of times, problems with redirection come hand-in-hand with an infected hosts file.  Check here to see where your hosts file will be (different for each version of Windows).  If you notice anything odd, you can normally just remove the dodgy lines.  I believe the only mandatory one is the 127.0.0.1 localhost.

Check the Microsoft page for instructions on automatically or manually removing things.

Good luck. :^_^:
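
The hosts-file check Quietus describes above, as an added example that is not part of the original post: a Python sketch that lists every entry other than the loopback `localhost` mapping so it can be reviewed by hand. The sample file contents, host names and addresses are constructed for illustration.

```python
import ipaddress
import sys

# Names a clean hosts file normally maps to loopback; anything else is reported.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample (documentation-range address, .example names).
SAMPLE_HOSTS = """\
# Constructed sample, not taken from the laptop in this thread
127.0.0.1       localhost
::1             localhost
203.0.113.25    www.search.example search.example   # pinned elsewhere
127.0.0.1       updates.av-vendor.example
"""

def audit_hosts(text):
    """Return (line_no, ip, name, reason) for each hosts entry worth reviewing."""
    findings = []
    text = text.lstrip("\ufeff")  # some editors save the file with a BOM
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "unparseable address"))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in BENIGN_NAMES and ip.is_loopback:
                continue
            if ip.is_loopback or ip.is_unspecified:
                # Typical of malware blocking security-update servers.
                reason = "name sinkholed to this machine"
            else:
                # Typical of redirection: the name bypasses DNS entirely.
                reason = "name pinned to a fixed address"
            findings.append((line_no, str(ip), name, reason))
    return findings

if __name__ == "__main__":
    # Pass the path of a hosts file to audit it; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            content = f.read()
    else:
        content = SAMPLE_HOSTS
    for line_no, ip, name, reason in audit_hosts(content):
        print(f"line {line_no}: {ip} {name} -> {reason}")
```

A flagged line is not proof of infection, since ad-blocking hosts files sinkhole names on purpose; the list only narrows down which lines to inspect before deleting anything.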

Qactis

Must be some recently buffed rootkit virus. ComboFix isn't God, and I can't comment on how often it is updated, as it might not even have anything on your virus. I hope hostsman's replacement hosts file fixes any possible bad hosts connections your computer might be making :/

Corruptor

I've dealt with viruses like these before. If you can't find the problem starter for Internet Explorer, you could find some way for your friend to download Mozilla Firefox (FTW), as it is one of the best search sites I've ever used or seen. Your best option, it would seem, would be to delete Internet Explorer and reinstall it. You can also check the file location and look around for the redirection files, and delete them. If you can't delete those files on your first try, rename them, restart the laptop or computer, and try to delete them again. Right-click Internet Explorer to get to and click file location (in case you didn't know). I have no other idea on how to help, considering the options you've already used.

Quietus

Quote from: Corruptor on April 02, 2012, 04:59:11 PM
Firefox...  ...as it is one of the best search sites I've ever used or seen.
:O_o:

Smiley

Mega-bump and mega-fail at the same time! :^_^:

Corruptor

Quote from: Quietus on April 02, 2012, 05:21:10 PM
Quote from: Corruptor on April 02, 2012, 04:59:11 PM
Firefox...  ...as it is one of the best search sites I've ever used or seen.
:O_o:
What? What's wrong with Firefox? T.T  :stern:

Mon732

Not only did you necro bump a 3-month-old thread but you misunderstood what the :O_o: was about.

Firefox is a "web browser" not a "search site". :razz:

EDIT: Apologies Corruptor that wasn't supposed to come out like that.

Corruptor

My mistake... :mad: and this is a thread that nobody cares about, right? Well, I'm just responding to all the posts to me or something like that. And, should you not care, which is obviously not true because you bothered to post, just like I did.
Edit: Sorry if I sound angry or mad, 'cause I don't want to sound like a jerk. I probably did, though. And I am sorry.

Zhs2

Aw, yeah, necrobumps, woo!

No seriously, getting mad about necrobumping or people pointing out necrobumping is silly, just like the people pointing out necrobumping. Calm yourself.