How do I remove the JS Ill redirect trojan?

Hi:

I just joined this board for I’m looking for an idea on how to remove a JS Ill redirect trojan from my laptop.

Avast seems to be stopping the Trojan for now and is identifying the offending object as coming from http://ads.updatecar.com/www.delivery/afr.php?zoneid=779&CB=insertrandom_number_here>gzip

ideas?

are you saying that avast is detecting it but cannot remove it?
Try boot scan http://spgscott.wordpress.com/tutorials/avast-boot-time-scan/

This often works on redirects
Kaspersky TDSSKiller http://support.kaspersky.com/viruses/solutions?qid=208280684

also check your computer for malware with
Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
always update before scanning so you have latest database
click the remove selected button to quarantine anything found
you may post the scan log here

Thanks a lot for the Malwarebytes site, for I got 20 small hits and deleted the offending files :smiley:

Don’t know if I’m okay now. Avast has been keeping the offending file from installing, for I was getting a constant threat alert from Avast from IE. Got nothing from the other scans that you recommended.

Here is the log from Malwarebytes:

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5491

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

1/9/2011 6:56:30 PM
mbam-log-2011-01-09 (18-56-30).txt

Scan type: Quick scan
Objects scanned: 159990
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\ohdezijfryqakddsg.dll (Trojan.Agent) → Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\psrvmcgsrnhjhqov (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxbionrvtae (Trojan.Agent) → Value: hxbionrvtae → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\clickpotatolitesa (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\Users\Norm\AppData\Roaming\clickpotatolite (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.624.0 (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.624.0\firefox (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.624.0\firefox\extensions (Adware.ClickPotato) → Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\psrvmcgsrnhjhqov.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Windows\SysWOW64\psrvmcgsrnhjhqov.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Users\Norm\downloads\xvidsetup.exe (Adware.HotBar) → Quarantined and deleted successfully.
c:\Windows\System32\ohdezijfryqakddsg.dll (Trojan.Agent) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesa.dat (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaabout.mht (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaau.dat (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesaeula.mht (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\programdata\clickpotatolitesa\clickpotatolitesa_kyf.dat (Adware.ClickPotato) → Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.624.0\firefox\extensions\install.rdf (Adware.ClickPotato) → Quarantined and deleted successfully.
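Added example, not from the thread or from Malwarebytes: a small Python parser for the MBAM 1.50 log layout posted above. It pulls out the items MBAM could only schedule for "Delete on reboot" (the ones worth re-checking after a restart), the Run-key autostart entry that relaunched the trojan, and a per-family tally; the log excerpt is constructed from the paths in the posted log, not the full log.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes 1.50 log layout from the thread;
# paths come from the posted log, the remaining sections are omitted.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5491

Memory Modules Infected:
c:\Windows\System32\ohdezijfryqakddsg.dll (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxbionrvtae (Trojan.Agent) -> Value: hxbionrvtae -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\psrvmcgsrnhjhqov.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files (x86)\clickpotatolite\bin\10.0.624.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(.+) Infected:$")
# "<item> (<Family>) -> [Value: x ->] <action>"; MBAM writes "->", web pastes often show "→"
ITEM_RE = re.compile(r"^(.*?) \(([^()]+)\) (?:->|→) (.*)$")

def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        hit = ITEM_RE.match(line)
        if hit and section:
            item, family, tail = hit.groups()
            # registry-value lines carry "Value: name -> action"; keep only the action
            action = re.split(r" (?:->|→) ", tail)[-1].rstrip(".")
            findings.append({"section": section, "item": item,
                             "family": family, "action": action})
    return findings

def pending_reboot(findings):
    """Items MBAM could not remove live; verify they are gone after the restart."""
    return [f["item"] for f in findings if f["action"].startswith("Delete on reboot")]

def run_key_persistence(findings):
    """Autostart values under ...\\CurrentVersion\\Run, the persistence seen in this log."""
    return [f["item"] for f in findings
            if "\\currentversion\\run\\" in f["item"].lower()]

def family_counts(findings):
    """Detections per family, separating the bundled adware from the Trojan.Agent files."""
    return Counter(f["family"] for f in findings)
```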

Given that avast was stopping you getting to what would appear to be ad sites (the ads. bit at the front of the URL), and given what was removed by MBAM (adware.clickpotato and adware.hotbar), those may have been responsible for the redirections. Both of which are potentially self-inflicted: allowing the click potato firefox extension and the HotBar, probably a toolbar, either allowed or bundled with other software.

The other trojan.agents could also have had something to do with it. Then hopefully you shouldn’t see any more redirections.

Monitor your system and should the redirections start to come back (come back to this topic and report), it may well be something deeper that requires other tools to find and clear it out.