LlewellynIT
asked on
stopmalwaresite.com virus removed but browser still redirecting (hijacked) - how to fully clean??
I recently had my Windows Vista Home Premium computer infected by a virus that installed something called Antivirus7 and redirected most of my web requests to a site called stopmalwaresite.com. I scanned with both AVG9 and Malwarebytes and removed everything they found. I also tried uninstalling IE8. I then tried Safari as well and it was redirecting also.
Some brief searching online led me to the instructions found in the following page to manually remove the virus: http://www.enigmasoftware.com/stopmalwaresitecom-removal/
The browser still redirects to this stopmalwaresite.com page though. Where can I check for things that are still maliciously redirecting internet requests?
ASKER CERTIFIED SOLUTION
This type of problem will only be cleaned and removed in safe mode. Please download the latest updates from the anti-spyware vendor and then manually update the files. Since your internet does not work, you have to download from another PC. After the update is done, reboot your PC into safe mode without networking and then run the anti-spyware software.
Use UnHackMe also. Go to Tools ---> Internet Options ---> Advanced tab ---> Reset... Also Tools ---> Internet Options ---> Connections; make sure all those are unchecked. Be careful with UnHackMe though: only "get it out" on things that have weird file names like fhnsiadhfuilf.dll... If you are unsure, click the yellow leaf. Then run a Malwarebytes scan again. Remove anything it catches, then run a scan using Kaspersky Antivirus. ***IMPORTANT*** Before using Kaspersky, remove any other antivirus programs.
SOLUTION
Run TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro
If still having issues, run ComboFix and post the log here
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Here is one possibility. The hosts file may have been edited to redirect to the IP for stopmalwaresite.com, which appears to be 83.133.120.191.
In Windows XP and Vista it is located at c:\windows\system32\drivers\etc
You can see it by clicking on Start, Run, c:\windows\system32\drivers\etc\hosts and opening it with Notepad.
If you try to edit the hosts file and see that IP above, you can put # and a space before it in each line it appears. Lines such as 127.0.0.1 localhost are legitimate and can be left as is.
If you are unable to edit the hosts file, as it is read-only, there is probably a program running in memory that is preventing you from saving changes. Consult back here for further assistance.
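As an added example (not from the thread or its participants), a small Python audit of the hosts-file check described in the answer above: it lists every active mapping that points anywhere other than loopback, and comments the flagged lines out with "# " as suggested. The sample hosts content and the hijacked hostnames are constructed; the IP is the one quoted in the answer.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file: the loopback lines are legitimate; the two
# lines pointing at 83.133.120.191 (the IP quoted in the thread) are hijacks.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
83.133.120.191  www.google.com
83.133.120.191  search.yahoo.com
"""

def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, hostnames) for every active (uncommented) mapping."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, nothing mapped
        entries.append((no, parts[0], parts[1:]))
    return entries

def suspicious_entries(text: str) -> List[Tuple[int, str, List[str]]]:
    """Flag mappings whose target is not loopback (127.x / ::1) or 0.0.0.0."""
    flagged = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((no, ip, names))    # unparsable address: worth a look
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((no, ip, names))
    return flagged

def neutralize(text: str) -> str:
    """Prefix flagged lines with '# ' (as the answer suggests); keep the rest."""
    bad = {no for no, _, _ in suspicious_entries(text)}
    out = []
    for no, raw in enumerate(text.splitlines(), start=1):
        out.append("# " + raw if no in bad else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for no, ip, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {ip} -> {', '.join(names)}")
    print(neutralize(SAMPLE_HOSTS))
```

To audit a real machine, read C:\Windows\System32\drivers\etc\hosts into `text` instead of the constructed sample; review the flagged lines before writing anything back.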
ASKER
We've scanned with Malwarebytes, TdssKiller, HitmanPro and it can't find anything. All of the registry entries/files in question are not even there. The hosts file also has no entries in it besides the loopback. We are trying one last MBAM scan on safe mode...
Try Combofix and post the log here.
Also power off/unplug your router/modem for a few minutes and power up again
ASKER
We just tried running combofix and I got a ton of "not a valid 32 bit application" errors then a final message saying the OS is not supported...
It created a weird directory on my C drive that is a random assortment of letters/numbers for the name and it has copies of iexplore.exe and other executables in it.
ASKER
Rebooted in Safe mode, tried to run ComboFix and it says "need admin privileges". We ran as Administrator... no clue what to try next.
Reboot machine.
Run in normal mode.
Right click Combofix and select "run as administrator".
Let the scan run.
It will produce a logfile at the end to post here
:)
ASKER
When I do that it says "You need administrator privileges to run this tool". As mentioned, I am right clicking and selecting "run as Administrator". On top of that, I am logged in as the Administrator.
ASKER
I hate Windows Vista. I'm going to format and upgrade the client to Windows 7. Done with it.
Lol. Yeah, Vista is a right pain!
There was a report of a patched ws2_32.dll file that caused redirections.
http://remove-malware.com/antimalware/anti-malware-howto/ws2_32-dll-patched-this-malware-is-not-fun-at-all/
ASKER
tskelly - your solution requires Combofix which does not run. I mentioned this in the comments above...
Strangely I tried another user account, which does not seem to be affected by the redirection. So I'm creating a new profile and moving all the documents over from the corrupted one and calling it a day.
ASKER
I'm awarding points to the two steps that I took that definitely verified the virus was removed. Seeing that only the profile was corrupt makes me think this is a Vista issue as opposed to the virus still being present. Other profiles work great, so thanks for the reassurance that the virus is removed, guys!