Solved

stopmalwaresite.com virus removed but browser still redirecting (hijacked) - how to fully clean??

Posted on 2010-08-26
1,425 Views
Last Modified: 2013-12-06
I recently had my Windows Vista Home Premium computer infected by a virus that installed something called Antivirus7 and redirected most of my web requests to a site called stopmalwaresite.com. I scanned with both AVG9 and Malwarebytes and removed everything they found. I also tried uninstalling IE8. I then tried Safari as well and it was redirecting also.

Some brief searching online led me to the instructions found in the following page to manually remove the virus: http://www.enigmasoftware.com/stopmalwaresitecom-removal/

The browser still redirects to this stopmalwaresite.com page though. Where can I check for things that are still maliciously redirecting internet requests?
Question by:LlewellynIT
17 Comments
 
LVL 2

Accepted Solution

by:
Hangulman earned 250 total points
ID: 33531702
First off, I feel your pain on these fake antivirus programs.  I have to kill 3 or 4 of them a week.

The first item on the list is to get a copy of the MalwareBytes Antimalware scanner.  It is a free download, and it is fairly small.  

Once you get MBAM.exe, you run it on your computer using an account with administrative privileges.

I haven't had a case yet where MBAM didn't clean out all those rogue entries after a few scans.  It is almost like they engineered that program just to thwart rogue AV/Antispyware programs.  BleepingComputer.com is a treasure trove for info on how to purge computers of this type of malware.
 
LVL 8

Expert Comment

by:hunart
ID: 33531734
This type of problem will only be cleaned and removed in safe mode.  Please download the latest updates from the anti-spyware vendor and then manually update the files.  Since your internet does not work, you have to download from another PC.  After the update is done, reboot your PC into safe mode without networking and then run the anti-spyware software.
 
LVL 3

Expert Comment

by:ngcmos
ID: 33532373
Use UnHackMe also. Go to Tools -> Internet Options -> Advanced tab -> Reset... Also Tools -> Internet Options -> Connections; make sure all those are unchecked. Be careful with UnHackMe though: only "get it out" on things that have weird file names like fhnsiadhfuilf.dll... If you are unsure, click the yellow leaf. Then run a Malwarebytes scan again. Remove anything it catches, then run a scan using Kaspersky Antivirus. ***IMPORTANT*** Before using Kaspersky, remove any other antivirus programs.
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 250 total points
ID: 33533006
If you followed the instructions at enigmasoftware.com and removed the programs and registry items, the virus should have been deactivated.

Please double-check whether the following files are still there.

* %Program Files%\Antivirus7AV\Antivirus7.exe
* %Program Files%\AV\Antivirus7.exe
* %WINDOWS%\system32\UpdateCheck.dll
* %Program Files%\Antivirus7AV\unins000.exe
 
LVL 22

Expert Comment

by:optoma
ID: 33533488
 
LVL 8

Expert Comment

by:tskelly082598
ID: 33535959
Here is one possibility. The hosts file may have been edited to redirect to the IP for stopmalwaresite.com which appears to be 83.133.120.191

In Windows XP and Vista it is located at c:\windows\system32\drivers\etc

You can see it by clicking on Start, Run, c:\windows\system32\drivers\etc\hosts and open it with notepad.

If you try to edit the hosts file and see that IP above, you can put # and a space before it in each line it appears. Lines such as 127.0.0.1   localhost are legitimate and can be left as is.

If you are unable to edit the hosts file, as it is read-only, there is probably a program running in memory that is preventing you from saving changes. Consult back here for further assistance.
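A quick way to do the hosts-file check described in the reply above, as an added example that is not from the thread or any of its participants: it parses a Windows-style hosts file, flags every mapping that points somewhere other than loopback, and writes out a copy with those lines commented with "# " as suggested. The hosts text is constructed for the demo; the only address taken from the thread is 83.133.120.191.

```python
# Added example (not from the thread): parse a hosts file, flag entries
# that redirect names to a non-loopback address, and neutralize them by
# prefixing "# " exactly as the reply above recommends.
import ipaddress

# Constructed sample: legitimate loopback lines plus two hijacked entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
83.133.120.191  www.example.com
83.133.120.191  update.example.net   # added by the rogue AV
"""

def parse_hosts(text):
    """Return (line_no, ip, [names]) for each active mapping line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address mapping
        entries.append((no, ip, parts[1:]))
    return entries

def suspicious_entries(text):
    """Mappings whose target is not loopback: redirect candidates."""
    return [(no, str(ip), names) for no, ip, names in parse_hosts(text)
            if not ip.is_loopback]

def neutralize(text):
    """Hosts content with every suspicious line prefixed by '# '."""
    bad = {no for no, _, _ in suspicious_entries(text)}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        out.append("# " + raw if no in bad else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for no, ip, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {ip} -> {', '.join(names)}")
    print(neutralize(SAMPLE_HOSTS))
```

On a real machine, read c:\windows\system32\drivers\etc\hosts from an elevated prompt; if the write fails even though the read-only attribute is cleared, that matches the "something in memory is holding it" case the reply mentions.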
 

Author Comment

by:LlewellynIT
ID: 33543481
We've scanned with Malwarebytes, TdssKiller, HitmanPro and it can't find anything. All of the registry entries/files in question are not even there. The hosts file also has no entries in it besides the loopback. We are trying one last MBAM scan on safe mode...
 
LVL 22

Expert Comment

by:optoma
ID: 33543930
Try Combofix and post the log here.

Also power off/unplug your router/modem for a few minutes and power up again.

 

Author Comment

by:LlewellynIT
ID: 33544468
We just tried running combofix and I got a ton of "not a valid 32 bit application" errors then a final message saying the OS is not supported...
It created a weird directory on my C drive that is a random assortment of letters/numbers for the name and it has copies of iexplore.exe and other executables in it.
 

Author Comment

by:LlewellynIT
ID: 33544560
Rebooted in safe mode, tried to run ComboFix and it says "need admin privileges". We ran as Administrator...no clue what next to try.
 
LVL 22

Expert Comment

by:optoma
ID: 33545177
Reboot machine.

Run in normal mode.
Right click Combofix and select "run as administrator".
Let the scan run.
It will produce a logfile at the end to post here.
:)
 

Author Comment

by:LlewellynIT
ID: 33545305
When I do that it says "You need administrator privileges to run this tool". As mentioned, I am right-clicking and selecting "run as Administrator". On top of that, I am logged in as the Administrator.
 

Author Comment

by:LlewellynIT
ID: 33545410
I hate Windows Vista. I'm going to format and upgrade the client to Windows 7. Done with it.
 
LVL 22

Expert Comment

by:optoma
ID: 33545636
Lol. Yeah vista is a right pain!
 
LVL 8

Expert Comment

by:tskelly082598
ID: 33545691
There was a report of a patched ws2_32.dll file that caused redirections.

http://remove-malware.com/antimalware/anti-malware-howto/ws2_32-dll-patched-this-malware-is-not-fun-at-all/
 

Author Comment

by:LlewellynIT
ID: 33545965
tskelly - your solution requires Combofix which does not run. I mentioned this in the comments above...

Strangely I tried another user account, which does not seem to be affected by the redirection. So I'm creating a new profile and moving all the documents over from the corrupted one and calling it a day.
 

Author Closing Comment

by:LlewellynIT
ID: 33546601
I'm awarding points to the two steps that I took that definitely verified the virus was removed. Seeing that only the profile was corrupt makes me think this is a Vista issue as opposed to the virus still being present. Other profiles work great, so thanks for the reassurance that the virus is removed guys thanks!