stopmalwaresite.com virus removed but browser still redirecting (hijacked) - how to fully clean??

I recently had my Windows Vista Home Premium computer infected by a virus that installed something called Antivirus7 and redirected most of my web requests to a site called stopmalwaresite.com. I scanned with both AVG9 and Malwarebytes and removed everything they found. I also tried uninstalling IE8. I then tried Safari as well and it was redirecting also.

Some brief searching online led me to the instructions found in the following page to manually remove the virus: http://www.enigmasoftware.com/stopmalwaresitecom-removal/

The browser still redirects to this stopmalwaresite.com page though. Where can I check for things that are still maliciously redirecting internet requests?
LlewellynITAsked:
HangulmanCommented:
First off, I feel your pain on these fake antivirus programs.  I have to kill 3 or 4 of them a week.

The first item on the list is to get a copy of the MalwareBytes Antimalware scanner.  It is a free download, and it is fairly small.  

Once you get MBAM.exe, you run it on your computer using an account with administrative privileges.

I haven't had a case yet where MBAM didn't clean out all those rogue entries after a few scans.  It is almost like they engineered that program just to thwart rogue AV/Antispyware programs.  BleepingComputer.com is a treasure trove for info on how to purge computers of this type of malware.
0
 
hunartCommented:
This type of problem will only be cleaned and removed in safe mode.  Please download the latest updates from the anti-spyware vendor and then manually update the files.  Since your internet does not work, you have to download from another PC.  After the update is done, reboot your PC into safe mode without networking and then run the anti-spyware software.

0
 
ngcmosCommented:
Use UnHackMe also. Go to Tools ---> Internet Options ---> Advanced tab ---> Reset... Also Tools ---> Internet Options ---> Connections; make sure all those are unchecked. Be careful with UnHackMe though: only "get it out" on things that have weird file names like fhnsiadhfuilf.dll... If you are unsure, click the yellow leaf. Then run a Malwarebytes scan again. Remove anything it catches, then run a scan using Kaspersky Antivirus. ***IMPORTANT*** Before using Kaspersky, remove any other antivirus programs.
0
 
bbao (IT Consultant) Commented:
If you followed the instructions at enigmasoftware.com and removed the programs and registry items, the virus should have been deactivated.

Please double check if the following files are still there.

* %Program Files%\Antivirus7AV\Antivirus7.exe
* %Program Files%\AV\Antivirus7.exe
* %WINDOWS%\system32\UpdateCheck.dll
* %Program Files%\Antivirus7AV\unins000.exe
0
 
optomaCommented:
0
 
tskelly082598Commented:
Here is one possibility. The hosts file may have been edited to redirect to the IP for stopmalwaresite.com which appears to be 83.133.120.191

In Windows XP and Vista it is located at c:\windows\system32\drivers\etc

You can see it by clicking on Start, Run, c:\windows\system32\drivers\etc\hosts and open it with notepad.

If you try to edit the hosts file and see that IP above, you can put # and a space before it in each line it appears. Lines such as 127.0.0.1   localhost are legitimate and can be left as is.

If you are unable to edit the hosts file because it is read-only, there is probably a program running in memory that is preventing you from saving changes. Consult back here for further assistance.
0
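A small audit script that implements the hosts-file check described in the comment above, added here as an example and not taken from any post in this thread. The hosts file text is a constructed sample; the only value taken from the thread is the 83.133.120.191 address, and the private/loopback heuristic is an assumption about what a home PC's hosts file should normally contain.

```python
import ipaddress

# IP quoted in the thread for stopmalwaresite.com; any mapping to it is hostile.
SUSPECT_IPS = {"83.133.120.191"}

# Constructed sample hosts file: loopback lines, a LAN entry, two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
83.133.120.191  www.google.com
83.133.120.191  www.bing.com   # injected
192.168.1.10    printer.lan
"""

def parse_mapping(line):
    """Return (ip, hostnames) for an active entry, None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    return parts[0], parts[1:]

def is_suspicious(ip):
    """Flag the known bad IP, unparsable addresses, and anything outside
    loopback/private ranges: a home PC's hosts file should never pin public hosts."""
    if ip in SUSPECT_IPS:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not (addr.is_loopback or addr.is_private)

def audit_hosts(text):
    """Return 1-based line numbers of entries that look hijacked."""
    flagged = []
    for number, line in enumerate(text.splitlines(), start=1):
        mapping = parse_mapping(line)
        if mapping and mapping[1] and is_suspicious(mapping[0]):
            flagged.append(number)
    return flagged

def neutralize(text):
    """Prefix flagged lines with '# ' (as advised above) rather than deleting
    them, so the evidence stays readable for later review."""
    bad = set(audit_hosts(text))
    return "\n".join("# " + line if i in bad else line
                     for i, line in enumerate(text.splitlines(), start=1)) + "\n"
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into `text` and write back `neutralize(text)` from an elevated prompt; if the write fails, that matches the read-only symptom described above.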
 
LlewellynITAuthor Commented:
We've scanned with Malwarebytes, TdssKiller, HitmanPro and it can't find anything. All of the registry entries/files in question are not even there. The hosts file also has no entries in it besides the loopback. We are trying one last MBAM scan on safe mode...
0
 
optomaCommented:
Try Combofix and post the log here.

Also power off/unplug your router/modem for few mins and power up again
0
 
LlewellynITAuthor Commented:
We just tried running combofix and I got a ton of "not a valid 32 bit application" errors then a final message saying the OS is not supported...
It created a weird directory on my C drive that is a random assortment of letters/numbers for the name and it has copies of iexplore.exe and other executables in it.
0
 
LlewellynITAuthor Commented:
Rebooted in Safe mode, tried to run ComboFix and it says "need admin privileges". We ran as Administrator... no clue what to try next.
0
 
optomaCommented:
Reboot machine.

Run in normal mode.
Right click Combofix and select "run as administrator".
Let the scan run.
It will produce logfile at the end to post here
:)
0
 
LlewellynITAuthor Commented:
When I do that it says "You need administrator privileges to run this tool". As mentioned, I am right clicking and selecting "run as Administrator". On top of that, I am logged in as the Administrator.
0
 
LlewellynITAuthor Commented:
I hate Windows Vista. I'm going to format and upgrade the client to Windows 7. Done with it.
0
 
optomaCommented:
Lol. Yeah vista is a right pain!
0
 
tskelly082598Commented:
There was a report of a patched ws2_32.dll file that caused redirections.

http://remove-malware.com/antimalware/anti-malware-howto/ws2_32-dll-patched-this-malware-is-not-fun-at-all/
0
 
LlewellynITAuthor Commented:
tskelly - your solution requires Combofix which does not run. I mentioned this in the comments above...

Strangely I tried another user account, which does not seem to be affected by the redirection. So I'm creating a new profile and moving all the documents over from the corrupted one and calling it a day.
0
 
LlewellynITAuthor Commented:
I'm awarding points to the two steps that I took that definitely verified the virus was removed. Seeing that only the profile was corrupt makes me think this is a Vista issue as opposed to the virus still being present. Other profiles work great, so thanks for the reassurance that the virus is removed guys thanks!
0