Help With Virus Or Malware?

[colchar]

Lately, when searching for something on Google and clicking on the links that appear, I am being directed away from the page I am trying to access and end up getting the message that the page google.ad.sgdoubleclick.net cannot be reached. I am assuming this is the result of a virus, or maybe just malware, but I cannot seem to get rid of it.

I have tried various spyware programs and my antivirus software isn't detecting anything either. Does anyone here know what is causing this and are there any recommendations for a free program that will get rid of this problem? If not, I guess I can wipe my laptop and reinstall Windows but that is a pain in the arse so I would prefer not to have to do that if it can be avoided.

Thanks in advance.

[CameronBornAndBred]

Lately, when searching for something on Google and clicking on the links that appear, I am being directed away from the page I am trying to access and end up getting the message that the page google.ad.sgdoubleclick.net cannot be reached. I am assuming this is the result of a virus, or maybe just malware, but I cannot seem to get rid of it.

I have tried various spyware programs and my antivirus software isn't detecting anything either. Does anyone here know what is causing this and are there any recommendations for a free program that will get rid of this problem? If not, I guess I can wipe my laptop and reinstall Windows but that is a pain in the arse so I would prefer not to have to do that if it can be avoided.

Thanks in advance.

You have a rootkit virus, that is one of the symptoms of the nasty one that's out now. Download combofix http://www.forospyware.com/sUBs/ComboFix.exe
to your desktop then run it. Once it's finished (probably after a couple of reboots) run it again. If when you run it the second time it still reports a rootkit virus, then post back. It's written into your Master Boot Record and is harder to make go away.
If it doesn't find it on the second run, then also download MalwareBytes Anti-Malware (from download.com) and run that one. You should be ok then.

As far as googling goes, you can get around the misdirection by coping the linked URL you get and then pasting it into your browser address bar.

[colchar]

Thanks. I'll try that shortly and will report back.

[colchar]

BTW, should I run that program in safe mode or just when the laptop is running normally?

[colchar]

I can't run Combofix because I am on a 64 bit Windows 7 machine. I am trying my antivirus in safe mode now and will try a few other detection tools as well. If they don't solve it then I guess I'll have no choice other than to reinstall Windows.

[CameronBornAndBred]

I can't run Combofix because I am on a 64 bit Windows 7 machine. I am trying my antivirus in safe mode now and will try a few other detection tools as well. If they don't solve it then I guess I'll have no choice other than to reinstall Windows.

You don't have to do that..but you DO want to back up before you fix it. Once you are backed up, follow the directions on this page to repair your master boot record, which should also remove the rootkit virus.

http://www.ehow.com/how_4836283_repair-mbr-windows.html

[colchar]

I can't run Combofix because I am on a 64 bit Windows 7 machine. I am trying my antivirus in safe mode now and will try a few other detection tools as well. If they don't solve it then I guess I'll have no choice other than to reinstall Windows.

You don't have to do that..but you DO want to back up before you fix it. Once you are backed up, follow the directions on this page to repair your master boot record, which should also remove the rootkit virus.

http://www.ehow.com/how_4836283_repair-mbr-windows.html

Awesome, thank you. I've got a bunch of stuff to do this afternoon and evening but I'll have some time to back up and to go through that procedure later tonight. I'll report back then, hopefully with good news.

[colchar]

I was just on one of the guitar boards I frequent and saw the following message:
"As a precaution everyone should scan their computers to insure that no trojans were inserted into your system from visiting ****.com over the past 3 days.

A hacker did breach our security and install a piece of malware that would have attempted to install itself on your computer from simply visiting the home page of the site.

We suggest Malwarebytes as a good option for scanning your computer. You can download a free copy at Malwarebytes

Thanks for your understanding.
****.com"


So it looks like that was how my laptop was infected

[CameronBornAndBred]

I was just on one of the guitar boards I frequent and saw the following message:
"As a precaution everyone should scan their computers to insure that no trojans were inserted into your system from visiting ****.com over the past 3 days.

A hacker did breach our security and install a piece of malware that would have attempted to install itself on your computer from simply visiting the home page of the site.

We suggest Malwarebytes as a good option for scanning your computer. You can download a free copy at Malwarebytes

Thanks for your understanding.
****.com"


So it looks like that was how my laptop was infected

That sucks..and what also sucks is that malwarebytes won't get rid of the infection. (Not a knock against MWB, that program kicks ass, it's just this virus burys itself deep.) This virus and others are most often delivered through hacked sites now..gone are the days where you were safe as long as you stayed away from porn. Bright side, you can go back to viewing porn.

[colchar]

I was just on one of the guitar boards I frequent and saw the following message:
"As a precaution everyone should scan their computers to insure that no trojans were inserted into your system from visiting ****.com over the past 3 days.

A hacker did breach our security and install a piece of malware that would have attempted to install itself on your computer from simply visiting the home page of the site.

We suggest Malwarebytes as a good option for scanning your computer. You can download a free copy at Malwarebytes

Thanks for your understanding.
****.com"


So it looks like that was how my laptop was infected

That sucks..and what also sucks is that malwarebytes won't get rid of the infection. (Not a knock against MWB, that program kicks ass, it's just this virus burys itself deep.) This virus and others are most often delivered through hacked sites now..gone are the days where you were safe as long as you stayed away from porn. Bright side, you can go back to viewing porn.

'Go back to' presupposes that I ever stopped ;)

[colchar]

I'm trying to repair my MBR and am a little confused. I have booted from the CD and gone into the command prompt. The directions in the link you provided say to "You're now presented with 3 choices. Click on "Repair Your Computer" to gain access to the System Recovery window. Now choose "Command Prompt" in order to run the desired utility which is called "bootsect.exe". Bootsect is located inside the boot folder so change your directory to boot. Now run "bootsect /nt60 C:\" if you had Win 7 initially installed in the C partition. Alternatively, you can run "bootsect /nt60 SYS" or "bootsect /nt60 ALL" to repair the system partition or all partitions. Eject the DVD, and restart computer. Your computer should now boot Win 7 again.


As I said, I am in the command prompt but I do not understand what it means when it says "Bootsect is located inside the boot folder so change your directory to boot." How do I change my directory?

Care to offer a 'for computer illiterate morons' version of the step-by-step instructions from this point on?

[colchar]

I checked Microsoft's website and found the following:

Bootrec.exe options
The Bootrec.exe tool supports the following options. Use the option that is appropriate for your situation.

Note If rebuilding the BCD does not resolve the startup issue, you can export and delete the BCD, and then run this option again. By doing this, you make sure that the BCD is completely rebuilt. To do this, type the following commands at the Windows RE command prompt:

* bcdedit /export C:\BCD_Backup
* c:
* cd boot
* attrib bcd -s -h -r
* ren c:\boot\bcd bcd.old
* bootrec /RebuildBcd

/FixMbr
The /FixMbr option writes a Windows 7 or Windows Vista-compatible MBR to the system partition. This option does not overwrite the existing partition table. Use this option when you must resolve MBR corruption issues, or when you have to remove non-standard code from the MBR.

/FixBoot
The /FixBoot option writes a new boot sector to the system partition by using a boot sector that is compatible with Windows Vista or Windows 7. Use this option if one of the following conditions is true:

* The boot sector has been replaced with a non-standard Windows Vista or Windows 7 boot sector.
* The boot sector is damaged.
* An earlier Windows operating system has been installed after Windows Vista or Windows 7 was installed. In this scenario, the computer starts by using Windows NT Loader (NTLDR) instead of Windows Boot Manager (Bootmgr.exe).

/ScanOs
The /ScanOs option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, this option displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.

/RebuildBcd
The /RebuildBcd option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, this option lets you select the installations that you want to add to the BCD store. Use this option when you must completely rebuild the BCD.



I am assuming that I have to use the /FixMbr command but don't want to do anything until you confirm that this is the right thing to do.

[CameronBornAndBred]

Yes, you will use the FIXMBR. As far as the post above, when it says change to your boot directory, you would use the command "CD C:\".
That will then put you in the c:\ directory, your cursor prompt should also change to C:\

[colchar]

When I typed in CD C:\ I got a message saying ' \ ' is not recognized as an internal or external command, operable program, or batch file.

I then tried CD C:/ and all I got was the X:\Sources> prompt back again.

I also tried typing in Bootrec.exe which gave me the message about how this repairs critical disk structures which also included the info I posted above from Microsoft's website. I tried typing in /FixMbr and simply got a message stating '/FixMbr' is not recognized as an internal or external command, operable program or batch file.


Once again:

[CameronBornAndBred]

Try leaving off the slash ... CD C:

[CameronBornAndBred]

I looked at the MS instructions, and I like those better. (I've never done and MBR repair in windows 7, so this is new to me.)
Looking at what you found, this is what you want to do...

* bcdedit /export C:\BCD_Backup
* c:
* cd boot
* attrib bcd -s -h -r
* ren c:\boot\bcd bcd.old
* bootrec /FIXMBR

In fact, that last line is all you need to enter. bootrec /fixmbr

[colchar]

Thanks. I did so and got the message 'the operation completed successfully' which is great but it appeared almost instantly. Should it really happen that fast?


ETA: Even if it did work, after I rebooted I am still getting redirected when clicking on links after Google searches.

[CameronBornAndBred]

yup...it's a quick job.

[CameronBornAndBred]

ETA: Even if it did work, after I rebooted I am still getting redirected when clicking on links after Google searches.

Google rootkit removal tool.
Try this site and what it offers. http://www.pchell.com/support/rootkitremovaltools.shtml
Try some of the tools there and see if you have luck. The tech I work with told me about one he found last week that worked great, but I can't remember the name, I'll post it tomorrow.

Rootkits are nasty fuckers, and can be really hard to toast. If you are still being redirected, either the MBR fix didn't work, or it wasn't done right. (I'm sure you did it right though.)

[colchar]

I tried a bunch of those tools but none of then found anything. I also tried several other programs but none of them found anything either. The only one that found anything was Stopzilla but I am hesitant about believing that as nothing else found anything and Stopzilla immediately asks for payment so I am wondering if its finds were legit.

I'm at a loss and think I might have no choice but to reload Windows.