NickCat11
asked on
Browser Hijack
I have a Windows XP machine here that has a browser redirect virus. Here is what I have tried:
1. Malwarebytes
2. Superantispyware
3. Spybot
4. Combofix
5. Hitmanpro
6. Fixed proxy settings.
7. Avira
8. Checked Hijackthis with no luck seeing anything suspicious
Any suggestions?
ASKER
Forgot to mention I tried that as well. Reset IE back to defaults, which basically disables everything. Did the same with Mozilla and that remains hijacked as well. I am attaching a HJT log just in case I missed anything.
log.txt
Have you checked your hosts file for problems?
C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts
ASKER
I installed the MVPS hosts file and I'm pretty sure ComboFix resets the hosts file as well.
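Added example, not code from this thread: a small Python script that does the hosts-file check suggested above. The rule it applies is that a blocking list such as the MVPS hosts file only ever maps names to 0.0.0.0 or 127.0.0.1, so any active entry that points a name at a routable address is worth a look, and entries for search-engine or security-vendor domains are the classic redirect signature. The sample file contents, the WATCHLIST domains and the %SystemRoot% path logic are assumptions made for the example.

```python
"""Flag suspicious entries in a Windows hosts file.

Added example, not code from the thread. Blocking-style hosts files such as
the MVPS list map unwanted hostnames to 0.0.0.0 or 127.0.0.1; a hijack
instead maps search, vendor or update domains to a routable address. The rule
applied here: any active entry pointing at a routable IP is reported, and
entries for the assumed WATCHLIST domains are rated high.
"""
import ipaddress
import os
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in the layout of C:\WINDOWS\system32\drivers\etc\hosts.
# Hostnames and addresses are illustrative (RFC 5737 documentation ranges).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.net        # MVPS-style block entry
127.0.0.1       banner.example-ads.com         # another block entry
203.0.113.7     www.google.com  google.com     # redirect-style entry
203.0.113.7     search.yahoo.com
198.51.100.22   www.malwarebytes.org           # vendor site redirected
203.0.113.9     update.example-shareware.net   # routable, not on watchlist
::1             localhost
"""

# Assumed watchlist: domains whose remapping is a strong hijack indicator.
WATCHLIST = ("google.com", "bing.com", "yahoo.com", "malwarebytes.org",
             "microsoft.com", "kaspersky.com", "avira.com")


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, ip, [hostnames]) for each active (non-comment) entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for the addresses a blocking hosts file legitimately uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # garbage in the IP column is itself suspicious
    return addr.is_loopback or addr.is_unspecified


def on_watchlist(name: str) -> bool:
    """Exact or subdomain match against the assumed WATCHLIST."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def find_suspicious(text: str) -> List[Dict[str, object]]:
    """Every entry that maps a name to a non-sinkhole address, rated by target."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        severity = "high" if any(on_watchlist(n) for n in names) else "medium"
        findings.append({"line": lineno, "ip": ip, "names": names,
                         "severity": severity})
    return findings


def load_windows_hosts() -> str:
    """Read the live hosts file on a Windows box (location taken from %SystemRoot%)."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    path = os.path.join(root, "system32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    text = load_windows_hosts() if sys.platform == "win32" else SAMPLE_HOSTS
    for f in find_suspicious(text):
        print(f"line {f['line']:>3}: {f['ip']:<15} -> {' '.join(f['names'])}"
              f"  [{f['severity']}]")
```

On the sample input this reports lines 5 to 8: the three watchlist redirects as high and the unknown routable entry as medium. Run it on the real machine and an empty result only clears the hosts file; it says nothing about a patched DLL or a browser add-on, which is where the thread goes next.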
Well it's still early, I am sure someone else will have some ideas that you haven't already sort of tried.
Can you post ComboFix's logfile?
Also run TDSSKiller and post its logfile from C:\
http://support.kaspersky.com/faq/?qid=208280684
Happens in all web browsers?
Happens with all searches?
What kind of malware do you see? Can you describe it for me (which site does it redirect to?)
ASKER
log....
ComboFix.txt
c:\windows\system32\ws2_32.dll . . . is infected!!
I think it is infected with "Trojan.Adgunbe!inf"
Just use Windows Security Essentials: http://www.microsoft.com/security_essentials/ it will remove it without any doubt!
ASKER
WSE won't do it...
ASKER
tdsskiller showed no infections. Happens with IE and Firefox on sporadic searches.
SOLUTION
This solution is only available to Experts Exchange members.
ASKER
Yes it is! The majority of the scanners say Trojan Win32 patched. Whats the next step?
Do you have your XP Pro CD? It will be needed for this.
If so, run from the cmd console (hit Start, Run, type cmd, hit OK):
sfc /purgecache (hit Enter)
then
sfc /scannow (hit Enter)
Reboot the machine and check ws2_32.dll again at VirusTotal (system32 and i386 locations).
If that doesn't work we can try something else :)
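Added example, not code from this thread: a Python script that does the comparison behind the advice above, hashing the live %SystemRoot%\system32\ws2_32.dll against the copies SFC restores from (system32\dllcache and an i386 source directory). A digest mismatch between the live file and its cached copy is a quick, offline confirmation that the live file was modified, and the same script re-run after sfc /scannow or a manual replacement confirms the copies now agree. The path layout, the label names and the assumption that an expanded copy exists under \i386 are mine; the i386 copy on an XP install is normally stored compressed as WS2_32.DL_ and has to be expanded first (expand WS2_32.DL_ ws2_32.dll).

```python
"""Hash the live copy of a Windows system DLL against the copies SFC restores from.

Added example, not code from the thread. On XP the copy that gets loaded is
%SystemRoot%\system32\ws2_32.dll; sfc /scannow restores it from
%SystemRoot%\system32\dllcache and, failing that, from the install source
(the i386 directory or the CD). The i386 copy is normally stored compressed
as WS2_32.DL_; expand it first (expand WS2_32.DL_ ws2_32.dll) before hashing.
"""
import hashlib
import os
from typing import Dict, Optional, Tuple


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob (handy for checking against VirusTotal)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it is missing or unreadable."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def compare_hashes(live: Optional[str],
                   references: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Decide between 'match', 'mismatch' and 'no-reference'.

    A reference that is None (file absent) is ignored rather than counted as
    a mismatch, because a missing dllcache copy is common on tidied-up XP
    installs; with no usable reference at all the verdict is 'no-reference'.
    """
    present = {k: h for k, h in references.items() if h is not None}
    mismatches = sorted(k for k, h in present.items() if h != live)
    if live is None or not present:
        verdict = "no-reference"
    elif mismatches:
        verdict = "mismatch"
    else:
        verdict = "match"
    return {"live": live, "references": references,
            "mismatches": mismatches, "verdict": verdict}


def windows_paths(dll: str = "ws2_32.dll") -> Tuple[str, Dict[str, str]]:
    """Live path plus the reference locations SFC uses, derived from %SystemRoot%."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    drive = os.path.splitdrive(root)[0] or "C:"
    live = os.path.join(root, "system32", dll)
    refs = {
        "dllcache": os.path.join(root, "system32", "dllcache", dll),
        # assumed: an expanded copy placed here after 'expand WS2_32.DL_ ...'
        "i386": os.path.join(drive + os.sep, "i386", dll),
    }
    return live, refs


def compare_copies(dll: str = "ws2_32.dll") -> Dict[str, object]:
    """Hash the live DLL and every reference copy and return the verdict."""
    live, refs = windows_paths(dll)
    return compare_hashes(sha256_of(live),
                          {label: sha256_of(p) for label, p in refs.items()})


if __name__ == "__main__":
    report = compare_copies()
    print(f"live     : {report['live']}")
    for label, digest in report["references"].items():
        print(f"{label:<9}: {digest}")
    print(f"verdict  : {report['verdict']}  mismatches={report['mismatches']}")
```

A 'match' verdict is only as good as the reference: a file-patching infection that also overwrote the dllcache copy will make SFC restore the patched version and make this comparison agree, so the stronger check is still a digest from a known-clean XP machine at the same service pack level, or the VirusTotal lookup the reply recommends.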
ASKER
I went ahead and replaced the file with a good copy I had from an XP machine... tested clean on VirusTotal. I still have the redirect problem. Should I still attempt sfc /scannow?
ASKER CERTIFIED SOLUTION
This solution is only available to Experts Exchange members.
ASKER
Sounds good, I will give that a shot.
If the redirect continues after replacing the infected file, run GMER and attach the log please.
1. Run GMER.
http://www.gmer.net/gmer.zip
Unzip it to your Desktop.
2. If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
3. In the right panel, you will see several boxes that have been checked. Make sure that "Sections" box is checked.
Ensure the following are UNCHECKED ...
* IAT/EAT
* Drives/Partition other than Systemdrive (typically C:\)
* Show All (don't miss this one)
4. Then click the Scan button & wait for it to finish.
5. Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
6. Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
If Gmer hangs, uncheck everything but leave "Sections" box and "Files" box checked.
ASKER
Sounds good. CF on stage 4 as we speak. Will keep everyone updated.
ASKER
That did the trick! Thanks for all your help everyone!
That's great!
To uninstall ComboFix:
Go to Start > Run and copy and paste the next command into the field:
ComboFix /Uninstall
Or rename ComboFix.exe to Uninstall.exe and double-click it.
Thanks for using Experts-Exchange!
iexplore -extoff
Navigate to google.com and test for being redirected. If not, just go to Tools > Manage Add-ons. It shouldn't be hard to find the culprit and disable it.