rdsrv/www.reimageplus.com pop-up/virus



Hello,

 

I don't know what to call it but it's infecting my computer. It won't let me open links and just opens some rdsrv page or reimageplus or one of those. It's an annoying pop-up or maybe even a virus and I don't know how to get rid of it. I've tried doing a full scan on my computer and even getting the routers in the house reset.

 

What else can be done?

 

Thanks,
Crazysah

Link to comment
Share on other sites

Does this actually work? I've tried something similar before with no results.

 

It should; however, be prepared that it can't be fixed. Generally, it can be with time and effort. I do suggest, in advance, backing up your data, the critical files. Like photos, make a list of programs you have installed, etc. Bookmarks I'd avoid, in case this malware plays with them too.

Link to comment
Share on other sites

No luck. Still bloody happening. It still keeps opening the damn page. I've blocked the page but it keeps saying, "pop-up blocked" or "malicious page detected".

 

Anything can be done to completely remove it? Reformatting the system?

Link to comment
Share on other sites

Did you remove all of it from your browsers too? Formatting will remove it, but it'll nuke all your stuff :(

Link to comment
Share on other sites

If you followed the directions to the letter, you shouldn't have issues. Each profile will probably need to be touched, as it sits in the individual profiles.

Link to comment
Share on other sites

So you have been dealing with this for 3 days now? Why have you not nuked it already? I would have nuked it day 1.

Link to comment
Share on other sites

Nuked it?

 

But I've followed all those directions to the tee. I still keep getting notifications about this website or that being blocked, so I know it's still somewhere on the system/router. I've reset the router multiple times. Is my last resort, formatting the computer?

Link to comment
Share on other sites

Did you boot a live CD to validate it's on the machine vs the router?

Yes -- why would anyone deal with an infection for more than a couple of hours? Just nuke the thing and be done with it. Takes all of what, an hour, to reinstall the OS.

Link to comment
Share on other sites

Agreed.

@ Crazysah - Do you happen to have multiple hard drives? I've run across a few x-wares that like to hide on multiple drives. Also, how can you be sure it's embedded in your router? I've never seen a router get jacked like that, but according to BudMan I'm still a n00b. :( Nuke all your drives.

If you need a place to store data, hit me up, or BudMan might be able to help. He's a 1337 H@ckz0r ;)

Link to comment
Share on other sites

I doubt your router is hacked. More than likely you have a nasty virus. I would reimage.

I've actually seen malware that can survive a reimage too! It hid in the partition tables so a full format did not fix it! That one needed an fdisk with the MBR and a full disk partition deletion.

In the future:

1. Go into your BIOS and turn on secure boot or Windows EFI mode

2. For heaven's sake, install an ad blocker and also a flash blocker where you need to click on each flash object.

3. Try not to use IE as it does not have a flash blocking add-on

4. Google Norton DNS and add them to your router's DNS, which will block domains

5. Create a new user account for admin. One for user. On my machine I have one for Tim. One called super user locked with a password for both

6. Get a new AV package. Yours failed and my guess is MSE? ;-)

That one lost its certification and those that swear by it keep getting 0wned.

Do these 6 steps and the odds of being 0wned go down dramatically!

Link to comment
Share on other sites

One last tip: if you need Java, PLEASE disable it on your browsers. It's 2015 and the relic of the new millennium is an ancient pile of insecure dodo today. Even Minecraft no longer uses it.

Link to comment
Share on other sites

By default Chrome & Firefox disable Java. You have to force it to be enabled, and even that doesn't always work.

@ sinetheo: Your remark at Microsoft Security Essentials is hilarious. I have it running, and I've never had issues with it. It wasn't until I went to AVG, Norton or Kaspersky that I had problems. Frankly, most issues can be avoided by using an Anti-Script in your browser. I use NoScript on Firefox, and it wasn't until recently that I had to nuke my drives. Why? My brother and his friends decided to play on my PC.

DNS? Norton? Please don't make me laugh, my balls hurt enough. I use Google's DNS 8.8.8.8 & 8.8.4.4, I never have any issues with them. Step 5 seems way too paranoid. I bet you BudMan doesn't do that sort of thing, and I've never done it.

What this boils down to is actually common sense, something that's lacking in this world these days. If someone tells you to click on a link, copy it, go to Google, and google it. See what it pulls up with, don't click unknown links, etc.

My biggest concern: don't use IE. It's like a Walkman, it's way out of date, and has zero use for it. Google did a funny survey at one point, they looked at people's browsers and search requests. They found that 90% of users using IE Googled for Mozilla Firefox or Google Chrome download. The other 10% were generic companies using IE for internal stuff.

Anyways, Firefox + NoScript = heaven.

Link to comment
Share on other sites

So basically I should verify if it is on any other machine and if it isn't, just re-install the whole operating system?

And if it is also on another system, then?

 

I also just downloaded Norton and it found nothing. I have Malwarebytes that keeps blocking links. It's like every time I go to sites like Reddit and things, I can't click on any links because it just keeps blocking the pop-up.

 

Also, it doesn't happen outside of my house. I'm going to test it in office again today and see. But since it doesn't happen outside the house, I think it's a router problem?

 

Thanks,

Crazysah

Link to comment
Share on other sites

Honestly, if there was a virus out there that jacked into your router, it'd be all over the tech news. I can almost promise you, that it isn't your router. 99% of it will be on your PC.

Link to comment
Share on other sites

Dude it has been all over the news.. I have not heard of any new variant or anything but router hijacking or dns poisoning/spoofing is a valid attack.

 

Did you see my links to examples?

http://www.computerworld.com/article/2876292/dns-hijacking-flaw-affects-d-link-dsl-router-possibly-other-devices.html

http://arstechnica.com/security/2014/03/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/

 

If it doesn't happen at the office on the same machine, happens if he boots from a live CD and on multiple machines in the house, it's most likely not something on his machine.

Have also seen DNS poisoning/spoofing as another method of having problems, where you query the wrong thing and it can return data that says, btw, hey, use this IP as the NS for domainx or TLD .com, etc. Even though you didn't even ask for that. Now every time you do a query for www.domainx.tld or anything with a TLD you get sent to some other name server that returns bad stuff, etc.

Infection of the machine is not always the cause. Now that being said, it's possible that at work they use a proxy that blocks access to the domains his machine is trying to go to, which is why he is not seeing the popups, etc?

Does work use a proxy server? How are we still dicking with this so many days later?? Are other machines in the house having the same problem? If you boot from a live CD on your machine do you have the problem? Nuke the thing already if your cleaning methods have not stopped it. If on a clean install you're having the problem - what are you using for DNS?

Link to comment
Share on other sites

I'm just heading to office and will see if it is still happening on my laptop,
 
I tried on another laptop in the house and whenever I click on anything on Reddit or a couple of other websites (doesn't happen with every site), it goes to performance.affiliaxe/pxlvlt/inttrax.com/websites I've never recognized before. 
 
So, I don't know. I've tried resetting the routers a couple of times. But I'm going to try the other router in the house before I go. I'm using the default DNS I've been using for years.
 
Also, on my laptop, Malwarebytes keeps popping up saying, "malicious website blocked" and half the time doesn't give a domain. So I just don't know what's going on.
 
Lastly, I was typing this message in the reply box and after a minute or so, I clicked on the screen and it would just open a pop-up and then close it (since I've blocked it with several tools) and not let me type. Anywhere on the screen I press and it brings that pop-up. Happening on any page I'm on right now. All my tabs.
 
Link to comment
Share on other sites

Happening on another machine is a sign of compromised DNS, since they all most likely point to your router for DNS. Again, boot a live CD -- Ubuntu, CentOS, whatever -- and use it for a while. Do you get popups? Do you get redirected to other locations?

So I guess I am a mind reader on what DNS you have been using for years?? Guessing it's just your ISP DNS, pointing at your router as local?

Link to comment
Share on other sites

This topic is now closed to further replies.