Solved

stopmalwaresite.com virus removed but browser still redirecting (hijacked) - how to fully clean??

Posted on 2010-08-26
Last Modified: 2013-12-06
I recently had my Windows Vista Home Premium computer infected by a virus that installed something called Antivirus7 and redirected most of my web requests to a site called stopmalwaresite.com. I scanned with both AVG9 and Malwarebytes and removed everything they found. I also tried uninstalling IE8. I then tried Safari as well and it was redirecting also.

Some brief searching online led me to the instructions found in the following page to manually remove the virus: http://www.enigmasoftware.com/stopmalwaresitecom-removal/

The browser still redirects to this stopmalwaresite.com page though. Where can I check for things that are still maliciously redirecting internet requests?
Question by:LlewellynIT
17 Comments
 
Accepted Solution
by: Hangulman (earned 1000 total points)
ID: 33531702
First off, I feel your pain on these fake antivirus programs.  I have to kill 3 or 4 of them a week.

The first item on the list is to get a copy of the MalwareBytes Antimalware scanner.  It is a free download, and it is fairly small.  

Once you get MBAM.exe, you run it on your computer using an account with administrative privileges.

I haven't had a case yet where MBAM didn't clean out all those rogue entries after a few scans.  It is almost like they engineered that program just to thwart rogue AV/Antispyware programs.  BleepingComputer.com is a treasure trove for info on how to purge computers of this type of malware.
 
Expert Comment
by: hunart
ID: 33531734
This type of problem will only be cleaned and removed in safe mode.  Please download the latest updates from the anti-spyware vendor and then manually update the files.  Since your internet does not work, you have to download from another PC.  After the update is done, reboot your PC into safe mode without networking and then run the anti-spyware software.

 
Expert Comment
by: ngcmos
ID: 33532373
Use UnHackMe also. Go to Tools ---> Internet Options ---> Advanced tab ---> Reset... Also Tools ---> Internet Options ---> Connections; make sure all those are unchecked. Be careful with UnHackMe though: only "get it out" on things that have weird file names like fhnsiadhfuilf.dll... If you are unsure, click the yellow leaf. Then run a Malwarebytes scan again. Remove anything it catches, then run a scan using Kaspersky Antivirus. ***IMPORTANT*** Before using Kaspersky, remove any other antivirus programs.
 
Assisted Solution
by: bbao (earned 1000 total points)
ID: 33533006
if you followed the instructions at enigmasoftware.com and removed the programs and registry items, the virus should have been deactivated.

please double check if the following files are still there.

* %Program Files%\Antivirus7AV\Antivirus7.exe
* %Program Files%\AV\Antivirus7.exe
* %WINDOWS%\system32\UpdateCheck.dll
* %Program Files%\Antivirus7AV\unins000.exe
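Added example, not bbao's code or anything posted in this thread: a PowerShell check that expands the placeholders in the list above and reports whether each file is still on disk, then, going beyond the list, looks in both Program Files directories on 64-bit Windows and searches the standard Run/RunOnce keys for any value that mentions Antivirus7. It assumes PowerShell 3 or later at an elevated prompt; the key list and the 'Antivirus7' search pattern are my assumptions, not something the thread identified.

```powershell
# Added example (not from the thread): confirm the Antivirus7 artifacts listed
# above are really gone. Assumes PowerShell 3+ running as administrator.
$RelativePaths = @(
    'Antivirus7AV\Antivirus7.exe',
    'AV\Antivirus7.exe',
    'Antivirus7AV\unins000.exe'
)

function Get-ProgramFilesRoots {
    # %Program Files% on 64-bit Windows can mean either directory; a 32-bit rogue
    # installs under Program Files (x86), so check both when the second one exists.
    $roots = @($env:ProgramFiles)
    if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }
    $roots | Select-Object -Unique
}

function Get-CandidatePaths {
    foreach ($root in Get-ProgramFilesRoots) {
        foreach ($rel in $RelativePaths) { Join-Path $root $rel }
    }
    # The DLL lives under %WINDOWS%\system32 rather than Program Files.
    Join-Path $env:windir 'system32\UpdateCheck.dll'
}

function Test-LeftoverFiles {
    foreach ($path in Get-CandidatePaths) {
        # -Force also returns hidden/system files, which rogues like to set.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $size = $null; $written = $null; $company = $null
        if ($item) {
            $size    = $item.Length
            $written = $item.LastWriteTime
            $company = $item.VersionInfo.CompanyName
        }
        [pscustomobject]@{
            Path      = $path
            Present   = [bool]$item
            Size      = $size
            LastWrite = $written
            Company   = $company
        }
    }
}

function Find-RunKeyReferences {
    # An autostart value still pointing at the rogue would relaunch it on logon.
    # These are the standard Run keys (my assumption, not something the thread named).
    param([string]$Pattern = 'Antivirus7')
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ("$($p.Value)" -match $Pattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Test-LeftoverFiles    | Format-Table -AutoSize
Find-RunKeyReferences | Format-Table -AutoSize
```

A file that is present but reports no CompanyName, or a LastWrite time matching the day of the infection, is worth hashing and submitting to a scanner before deleting; an empty Run-key result only covers the four keys listed, not services, scheduled tasks or browser helper objects.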
 
 
Expert Comment
by: tskelly082598
ID: 33535959
Here is one possibility. The hosts file may have been edited to redirect to the IP for stopmalwaresite.com which appears to be 83.133.120.191

In Windows XP and Vista it is located at c:\windows\system32\drivers\etc

You can see it by clicking on Start, Run, c:\windows\system32\drivers\etc\hosts and open it with notepad.

If you try to edit the hosts file, and see that IP above, you can put # and a space before it in each line it appears. Lines such as 127.0.0.1   localhost are legitimate and can be left as is.

If you are unable to edit the hosts file, as it is read-only, there is probably a program running in memory that is preventing you from saving changes. Consult back here for further assistance.
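Added example, not tskelly082598's code or anything posted in this thread: a PowerShell audit of the hosts file that flags the address quoted above and, going beyond the comment, any mapping to a non-loopback address or any loopback mapping for a name other than localhost (rogue AVs use the latter to block vendor and update sites). It assumes PowerShell 3 or later run as administrator, and the flagged list should be reviewed before the script comments lines out, since a legitimately customised hosts file will trip the same rules.

```powershell
# Added example (not from the thread): audit the hosts file and comment out
# hijack entries. Assumes PowerShell 3+ at an elevated prompt.
$HostsPath   = Join-Path $env:windir 'System32\drivers\etc\hosts'
$KnownBadIPs = @('83.133.120.191')   # the address quoted in the comment above

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    $lineNo = 0
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        $lineNo++
        $content = ($line -split '#', 2)[0].Trim()   # drop trailing comments
        if (-not $content) { continue }
        $fields = $content -split '\s+'
        $names = @()
        if ($fields.Count -gt 1) { $names = $fields[1..($fields.Count - 1)] }
        [pscustomobject]@{ Line = $lineNo; IP = $fields[0]; Names = $names }
    }
}

function Test-SuspiciousHostsEntry {
    param($Entry)
    if ($KnownBadIPs -contains $Entry.IP) { return $true }
    $isLoopback = ($Entry.IP -like '127.*') -or ($Entry.IP -eq '::1')
    # Any name mapped to a non-loopback address is a redirect. A loopback entry
    # for something other than localhost is a block (rogue AVs use it to stop updates).
    if (-not $isLoopback) { return $true }
    $nonLocal = @($Entry.Names | Where-Object { $_ -ne 'localhost' })
    return ($nonLocal.Count -gt 0)
}

function Disable-SuspiciousHostsEntries {
    param([string]$Path = $HostsPath)
    $flagged = @(Get-HostsEntries -Path $Path | Where-Object { Test-SuspiciousHostsEntry $_ })
    if ($flagged.Count -eq 0) { Write-Output "No suspicious entries in $Path"; return }
    $flagged | Format-Table Line, IP, Names -AutoSize | Out-Host

    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep the original
    $file = Get-Item -LiteralPath $Path -Force
    if ($file.IsReadOnly) { $file.IsReadOnly = $false }             # clear read-only first

    $badLines = $flagged | ForEach-Object { $_.Line }
    $lineNo = 0
    $rewritten = foreach ($line in (Get-Content -LiteralPath $Path)) {
        $lineNo++
        if ($badLines -contains $lineNo) { "# $line" } else { $line }
    }
    try {
        Set-Content -LiteralPath $Path -Value $rewritten -Encoding ASCII -ErrorAction Stop
    } catch {
        # Failing here after the attribute was cleared is the "program in memory"
        # case from the comment above: something is holding or re-protecting the file.
        Write-Warning "Could not write ${Path}: $($_.Exception.Message)"
    }
}

Disable-SuspiciousHostsEntries
```

The backup copy is what to diff against if a scanner later "repairs" the file, and a hosts file that is clean on a machine that still redirects points away from name resolution and towards the browser, a proxy setting or a patched system DLL.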
 

Author Comment
by: LlewellynIT
ID: 33543481
We've scanned with Malwarebytes, TdssKiller, HitmanPro and they can't find anything. All of the registry entries/files in question are not even there. The hosts file also has no entries in it besides the loopback. We are trying one last MBAM scan in safe mode...
 
Expert Comment
by: optoma
ID: 33543930
Try Combofix and post the log here.

Also power off/unplug your router/modem for few mins and power up again
 

Author Comment
by: LlewellynIT
ID: 33544468
We just tried running combofix and I got a ton of "not a valid 32 bit application" errors then a final message saying the OS is not supported...
It created a weird directory on my C drive that is a random assortment of letters/numbers for the name and it has copies of iexplore.exe and other executables in it.
 

Author Comment
by: LlewellynIT
ID: 33544560
Rebooted in Safe mode, tried to run ComboFix and it says "need admin privileges". We ran as Administrator...no clue what next to try.
 
Expert Comment
by: optoma
ID: 33545177
Reboot machine.

Run in normal mode.
Right click Combofix and select "run as administrator".
Let the scan run.
It will produce logfile at the end to post here
:)
 

Author Comment
by: LlewellynIT
ID: 33545305
When I do that it says "You need administrator privileges to run this tool". As mentioned I am right clicking and selecting "run as Administrator". On top of that, I am logged in as the Administrator.
 

Author Comment
by: LlewellynIT
ID: 33545410
I hate Windows Vista. I'm going to format and upgrade the client to Windows 7. Done with it.
 
Expert Comment
by: optoma
ID: 33545636
Lol. Yeah vista is a right pain!
 
Expert Comment
by: tskelly082598
ID: 33545691
There was a report of a patched ws2_32.dll file that caused redirections.

http://remove-malware.com/antimalware/anti-malware-howto/ws2_32-dll-patched-this-malware-is-not-fun-at-all/
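Added example, not from the linked article or from anyone in this thread: a PowerShell triage of ws2_32.dll that records its SHA-256, its Authenticode status and whether it is still hard-linked into WinSxS, which is how Windows normally stores the System32 copy. It assumes PowerShell 3 or later at an elevated prompt and that fsutil is available (Vista and later); the verdict strings are mine.

```powershell
# Added example (not from the thread): triage ws2_32.dll for tampering.
# Assumes PowerShell 3+ as administrator and fsutil (Vista and later).
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose(); $sha.Dispose() }
}

function Get-HardLinkTargets {
    # fsutil hardlink list prints every path that shares the file's data. A System32
    # DLL is normally a hard link into WinSxS; a file that was deleted and replaced
    # by malware no longer has that link.
    param([string]$Path)
    $out = & fsutil hardlink list $Path 2>$null
    @($out | Where-Object { $_ -and $_.Trim() })
}

function Test-Ws2_32Integrity {
    $targets = @(Join-Path $env:windir 'System32\ws2_32.dll')
    $wow = Join-Path $env:windir 'SysWOW64\ws2_32.dll'
    if (Test-Path $wow) { $targets += $wow }   # 64-bit Windows has a second copy

    foreach ($dll in $targets) {
        $sig   = Get-AuthenticodeSignature -FilePath $dll
        $links = Get-HardLinkTargets $dll
        $sxs   = @($links | Where-Object { $_ -match '\\WinSxS\\' })
        $microsoftSigned = ($sig.Status -eq 'Valid') -and
                           ($sig.SignerCertificate.Subject -match 'Microsoft')

        if ($microsoftSigned) {
            $verdict = 'signed by Microsoft'
        } elseif ($sxs.Count -gt 0) {
            $verdict = 'hard-linked into WinSxS; confirm with sfc /verifyonly'
        } else {
            $verdict = 'SUSPECT: not signed and not linked to WinSxS'
        }

        [pscustomobject]@{
            Path        = $dll
            Sha256      = Get-Sha256Hex $dll
            Signature   = $sig.Status
            WinSxSLinks = $sxs.Count
            LastWrite   = (Get-Item $dll).LastWriteTime
            Verdict     = $verdict
        }
    }
}

Test-Ws2_32Integrity | Format-List
```

Two caveats: Windows system DLLs are catalog-signed rather than carrying an embedded signature, so on Vista and Windows 7 with older PowerShell builds Get-AuthenticodeSignature reports NotSigned for a perfectly good file, and a patch written in place through the hard link changes the WinSxS copy as well. Treat the hash (compared against a known-good machine at the same patch level) and `sfc /verifyonly` as the decisive checks, with the signature and link results as supporting evidence.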
 

Author Comment
by: LlewellynIT
ID: 33545965
tskelly - your solution requires Combofix which does not run. I mentioned this in the comments above...

Strangely I tried another user account, which does not seem to be affected by the redirection. So I'm creating a new profile and moving all the documents over from the corrupted one and calling it a day.
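Added example, not the poster's or any expert's code: the Internet Options > Connections settings that ngcmos pointed at earlier, and the proxy and auto-configuration values behind them, are stored per user, so one profile can redirect while another is clean. This PowerShell listing reads those values for every loaded user hive so the affected profile can be compared with the working one. It assumes PowerShell 3 or later at an elevated prompt; the HKU: drive name and the 'Suspicious' rule are my additions, and the thread did not establish that a proxy setting was the cause in this case.

```powershell
# Added example (not from the thread): per-user proxy / auto-config settings
# for every loaded profile. Assumes PowerShell 3+ as administrator.
function Get-ProxySettings {
    param([string]$HiveRoot, [string]$Label)
    $key = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { return }
    $p = Get-ItemProperty -Path $key
    # ProxyEnable=1 with a ProxyServer, or any AutoConfigURL (a PAC script that can
    # hand every request to an attacker's proxy), is worth a look on a home PC.
    $proxyOn = ([int]$p.ProxyEnable -eq 1) -and [bool]$p.ProxyServer
    [pscustomobject]@{
        Profile       = $Label
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        Suspicious    = $proxyOn -or [bool]$p.AutoConfigURL
    }
}

function Get-AllProfileProxySettings {
    # HKEY_USERS is not mapped as a drive by default; add it once.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in (Get-ChildItem -Path 'HKU:\')) {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes' -or $sid -eq '.DEFAULT') { continue }
        # Translate the SID to an account name where possible; fall back to the SID.
        $label = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }
        Get-ProxySettings -HiveRoot "HKU:\$sid" -Label $label
    }
}

Get-AllProfileProxySettings | Format-Table -AutoSize
```

Only hives that are currently loaded (logged-on users plus the service accounts) appear; a profile that is not logged on has to be loaded with `reg load` from its NTUSER.DAT first. The binary DefaultConnectionSettings blob and the machine-wide WinHTTP proxy are not covered here, so a clean result rules out the common per-user case rather than every proxy path.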
 

Author Closing Comment
by: LlewellynIT
ID: 33546601
I'm awarding points to the two steps that I took that definitely verified the virus was removed. Seeing that only the profile was corrupt makes me think this is a Vista issue as opposed to the virus still being present. Other profiles work great, so thanks for the reassurance that the virus is removed guys thanks!