Help, virus has hijacked my browser.

hank

Since last night I have had a problem with a hijacker-type trojan that is redirecting links from Google search pages. I suspect the culprit may be RTKT_STITCH.D but I am unable to do a search for a solution. My antivirus website is also being blocked (Trend Micro) so I am unable to contact the support techies.

My antivirus software is locking up at the cleaning stage.

I have tried to do a system restore but this is also blocked.

Any help in eradicating this menace gratefully received.

Hank :beer::beer::beer:
 
Hello Hank,

You'll need to give us a bit more to go on.

What do you mean you're being redirected from Google search pages?
Sounds like you can reach Google OK. You type some search term. What happens when you hit 'Google Search'?
Do you get a bunch of results back? If not what page is loaded?
Or do you get search results back and when you click on one you're taken to an unexpected page?
What makes you think you have RTKT_STITCH.D?
What's the operating system? Windows XP?
There is a file called lmhosts that usually lives in
C:\WINDOWS\system32\drivers\etc
or
C:\WINNT\system32\drivers\etc

Does that have any lines in it which don't start with a #?

And what's stopping you doing a system restore? What message are you seeing?

Cheers
 
I am running on XP


When I click a link on the Google search results a new tab opens and takes me to a totally unrelated website.

When I tried to roll back the system to a recent checkpoint I get as far as "press next to restore"; when I press the button nothing happens. No error messages.



Here is a copy of the virus scan log.

"Virus Scan Logs" "Sep 15, 2008" ""
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"08:00" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"08:00" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Fail" ""
"09:47" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\system32\tdsslog.dll" "Quarantined Success" ""
"09:47" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"09:47" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\system32\tdsslog.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Success" ""


Hope this gives a better picture of my problems

Thanks for helping.

Hank :beer::beer::beer:
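As an added example (not from any poster in this thread): a small Python script that reads a scan log in the format Hank pasted and pulls out the two things a responder looks for first, files whose quarantine failed and files that keep coming back in later scans. The log text inside the script is a constructed copy of the one above.

```python
"""Triage a Trend Micro style "Virus Scan Logs" export.

Two signals matter: a 'Quarantined Fail' action (the scanner could not remove
the file, typical of a rootkit component holding itself open) and the same
path detected again in a later scan (something re-drops it after a
'Quarantined Success', so the cleaning is not sticking).
"""
import csv
import io
from collections import defaultdict

# Constructed sample, shaped like the log pasted in the thread above.
SAMPLE_LOG = r'''"Virus Scan Logs" "Sep 15, 2008" ""
"Time" "Detected by" "Source Type" "Threat Name" "Infected File" "First Action" "Second Action"
"08:00" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"08:00" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Fail" ""
"09:47" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\system32\tdsslog.dll" "Quarantined Success" ""
"09:47" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"09:47" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "TROJ_FAKEAVAL.AE" "C:\WINDOWS\system32\tdsslog.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "TROJ_FAKEAVAL.AI" "C:\WINDOWS\system32\tdssmain.dll" "Quarantined Success" ""
"11:12" "Manual Scan" "File" "RTKT_STITCH.D" "C:\WINDOWS\system32\tdssserf.dll" "Quarantined Success" ""
'''


def parse_scan_log(text):
    """Return one dict per detection row, keyed by the column names in the log."""
    rows = list(csv.reader(io.StringIO(text), delimiter=" ", quotechar='"'))
    # The first row is a title (name, date); the real column names start at "Time".
    header_at = next(i for i, row in enumerate(rows) if row and row[0] == "Time")
    columns = rows[header_at]
    return [dict(zip(columns, row)) for row in rows[header_at + 1:] if len(row) == len(columns)]


def triage(entries):
    """Group detections by file and flag failed quarantines and recurring files."""
    failed = sorted({e["Infected File"] for e in entries if "Fail" in e["First Action"]})
    scan_times = defaultdict(set)
    for e in entries:
        scan_times[e["Infected File"]].add(e["Time"])
    recurring = sorted(path for path, times in scan_times.items() if len(times) > 1)
    return {"quarantine_failed": failed, "recurring": recurring}


if __name__ == "__main__":
    for key, paths in triage(parse_scan_log(SAMPLE_LOG)).items():
        print(key)
        for path in paths:
            print("   ", path)
```

Every file in this log is detected in all three scans, which is the pattern that makes a clean reinstall the sensible call rather than more rounds of quarantine.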
 
Hank, if that were my machine I would burn all my docs, photos and anything else I wanted to save onto disc.
Then I would format the drive and re-install XP from scratch:thumb2
 
Yup - had exactly the same problem with the same virus t'other day. The latest update from McAfee sorted mine - is your virus definition file up-to-date?

If all else fails, go to the various files identified by your scanner and delete them; they're in c:\windows\system32 and c:\windows\system32\drivers

To get Google to work, you have to type the link address from the search results manually into the address bar.

HTH
 
These files are malware but they don't look like they're piggy-backed on Windows system DLLs. So you could just delete them. But your virus scanner has already done that. That's why they're marked as quarantined.

It sounds like there's some other stuff going on too. I guess you're using Internet Explorer. Try downloading and installing Firefox (http://www.mozilla.com/en-US/firefox/) and see whether you still get redirected.
When you get redirected is it always to the same page? Is it one you'd rather the missus didn't know about? :augie:

Don't forget what I said about LMHOSTS. This file allows you to define redirects. Have a quick look at it. If there's anything you don't understand, post its contents here (only the lines that don't start with #).

There's a decent bit of information here:

http://www.microsoft.com/communitie...e6f-b9f4-c199b934c707&lang=en&cr=US&sloc=&p=1

about cleaning malware and rootkits. It might help you.

You might want to have a look here:

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/print.html

to get wise as to how not to get infected again.

HTH
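The LMHOSTS check suggested twice above, as an added example that is not part of any post in this thread: a Python script that lists the active lines of a hosts-style file and flags entries pinning a vendor or update domain to an address. The domain list and the sample file are my own assumptions; on Windows the file that affects web-site lookups is hosts, in the same folder as lmhosts, so the script checks both when run on the machine.

```python
"""List the active (non-comment) lines of a Windows hosts/LMHOSTS file and flag
any that pin a vendor or update domain to an address, which is one way an
antivirus web site ends up "blocked" on an infected machine."""
import os
from pathlib import Path

# Assumption: domains worth watching, taken from what this thread says the
# machine needs to reach (vendor, updates, the browser download) plus Google.
WATCH_DOMAINS = ("trendmicro.com", "microsoft.com", "windowsupdate.com",
                 "malwarebytes.org", "mozilla.com", "google.com")

# Constructed sample file; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """# Sample HOSTS file, comments start with #
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com      # sends the vendor site to this machine
203.0.113.45    update.microsoft.com
"""


def active_lines(text):
    """Yield (line_number, text) for lines that are not blank or pure comments,
    with any trailing '# ...' comment stripped off."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield number, line


def parse_entries(text):
    """Return (line_number, ip, hostname) for every name on every active line."""
    entries = []
    for number, line in active_lines(text):
        parts = line.split()
        if len(parts) >= 2:
            entries.extend((number, parts[0], name.lower()) for name in parts[1:])
    return entries


def flag_hijacks(text, watch=WATCH_DOMAINS):
    """Entries that map a watched domain (or any subdomain of one) to anything at all."""
    return [(number, ip, name) for number, ip, name in parse_entries(text)
            if any(name == d or name.endswith("." + d) for d in watch)]


def check_windows_files():
    """Check the real hosts and lmhosts files when this runs on Windows."""
    etc = Path(os.environ.get("SystemRoot", r"C:\WINDOWS")) / "system32" / "drivers" / "etc"
    return {name: flag_hijacks((etc / name).read_text(errors="replace"))
            for name in ("hosts", "lmhosts") if (etc / name).is_file()}


if __name__ == "__main__":
    for hit in flag_hijacks(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % hit)
```

A hit on any of these domains is worth posting here; a home PC's hosts file normally contains nothing beyond the localhost line.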
 
Thanks for all the help.

I am going to reinstall windows and start again, so I may be a bit quiet for a while.

Am all set with a pile of DVDs ready to make backups of pics and essential docs, will keep you updated on my progress.

Thanks again

Hank :beer::beer::beer:
 
Maybe a bit late but maybe not... if you are going to do a reinstall and have some extra time it should be noted that if you format the drive beforehand all the info is still there; a format does not remove the data.

I always think it's good practice to erase the drive and then do a clean install - look for a programme called kill disc - it will write zeros to the drive so it is in effect a "clean new" drive when you install XP.
 
Not sure if this is any help but you never know.

Looking at your virus scan there's a file that wasn't quarantined called TDSSSERF.DLL

Here's a description.

TDSSSERF.DLL description and detail of TDSSSERF.DLL:

The filename TDSSSERF.DLL was last seen on 08.27.2008, and it is considered unsafe.
Threat name: Win32.X
Filename: [System32Root]\tdssserf.dll
Filesize: Unknown
Last seen: 08.27.2008
Status: Known to RemoveIT Pro as unsafe.
This file can perform the following behaviour:
- Usually created by an unsafe process.
- Registered as a Dynamic Link Library file.
- Usually has a random filename and refers to many versions of a dynamic link library.
- Can be injected into/attached to a legitimate Windows process such as explorer.exe or others.

Here's the removal process:

TDSSSERF.DLL remove instruction

1. Temporarily disable System Restore, then reboot the computer in Safe Mode;

2. Locate the TDSSSERF.DLL virus files and uninstall the TDSSSERF.DLL program. Follow the step-by-step on-screen instructions to complete the uninstallation of TDSSSERF.DLL;

3. Delete/modify any values added to the registry related to TDSSSERF.DLL, exit the registry editor and restart the computer;

4. Clean/delete all TDSSSERF.DLL-infected file(s): TDSSSERF.DLL and related, or rename the TDSSSERF.DLL virus files;

5. Delete all your IE temp files containing TDSSSERF.DLL manually, then run a whole scan with your antivirus program;
 
I recently had similar problems that trend micro couldn't fix with my web browser. I downloaded a malware removal tool from 'malwarebytes' and ran it and it found several trojans and removed them. Not had a problem since. It worked a treat and was free, though I believe you have to buy it if you want to keep using it.

http://www.malwarebytes.org/

Worth a try ??
 
If you want to keep your browser safe use Firefox and install the 'Add on' called 'NO SCRIPT'. It takes a little while to get used to its foibles but it protects your browser and your privacy by stopping all ActiveX and JavaScript from loading when you visit a site for the first time.
At first a web page may appear a bit bare, or the site you are visiting will warn you that 'Java' must be enabled to view or use the site; using the NoScript menu you can then authorise the individual elements of the website.

You will be surprised at just how much crap is being put on your machine without your knowledge.

Dick
 
My antivirus software claims to have quarantined the trojans but they are still active. I have run a system recovery from my hard drive, but that failed to get rid of the problem.
I am running out of time on this due to working long hours and am considering replacing the hard drive and installing a fresh copy of Windows.
Would this eradicate my problem or could it still show up on the new drive?

Thanks again.

Hank. :beer::beer::beer:
 
No need to replace the drive. If you have a copy of XP, boot up from it and follow the installation procedure until you are presented with the choice of which partition you wish to install it on; you should then also have a choice to 'DELETE' the existing partition(s). Delete the partition and reboot, then carry on the installation from the beginning again:thumb2
 
Unfortunately I don't have a copy of XP. I bought my system from PC World and the disc I thought was the Win XP disc turns out to be a copy of MS Works, which I have never installed as I have a licenced copy of MS Office. The cheapskates did however put a restore version on a partition of the hard drive. I performed a non-destructive reinstall from this as advised by the destruction book. I have some time off tomorrow so I might rescue some of the programmes that I use from the original install and then go for full destruction and rebuild.

I have tried to locate the rogue files in order to delete them but they are hiding some where deep in the bilges.

Thanks all.

Hank ( The computer destroyer ) :beer::beer::beer:
 
Hank, if you were subscribed people could PM you and offer further assistance; 12 quid is a lot cheaper than a copy of XP:augie
 