2ndOf3
asked on
Internet searches still being redirected after virus cleaned
Removed a virus using Malwarebytes in safe mode. Reset the start up settings that were altered by the virus. Checked the host file as well as LAN settings for changes.
When a search is done using IE8 the result seems valid but is then redirected to a bogus site.
When a search is done using IE8 the result seems valid but is then redirected to a bogus site.
try to disable add-ons.
See this site:
http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/5c2e4c37-1647-47d2-b46e-d49a550c9ff5
See this site:
http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/5c2e4c37-1647-47d2-b46e-d49a550c9ff5
As stated above (by buttersk) check your addons and disable the ones you feel uncomfortable with, for a quick test try using IE without addons and see if the issue remains the same, uninstall all IE toolbars, and then check the registry for iexplorer.exe, sometimes viruses in the registry will add onto the tag so anytime iexplorer is started or running it will also execute something else. I would fully update malwarebytes and try running it in safemode.
Also restore IE8 back to factory defaults. Another thing is what kinds of redirectors you being brought to, is it adult content, fake antivirus pages/searches or things like netflix, movie places etc. Some toolbars have been redirecting sites to movie pages etc.
Also restore IE8 back to factory defaults. Another thing is what kinds of redirectors you being brought to, is it adult content, fake antivirus pages/searches or things like netflix, movie places etc. Some toolbars have been redirecting sites to movie pages etc.
ASKER
I am new to HiJack this and was not sure how to submit. Please guide me if this is not a helpful file. Thank you!
wlkhjk.log
wlkhjk.log
ASKER
I can not find the name of the virus. The Malwarebytes log doesnt list the name. I ran malware bytes fully updated less than 24 hours ago. Then i ran SuperAntiSpyware (also fully updated.) I can not find the log for that program so again I do not know the name of the virus.
The site that I am redirected to varies. If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.
The site that I am redirected to varies. If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.
This looks bad to me:
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP ERAntiSpyw are.exe
and this I do not recognize.
O4 - Global Startup: NextWindow TSA.lnk = C:\Program Files (x86)\NextWindow\NextWindo wTSA.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
and this I do not recognize.
O4 - Global Startup: NextWindow TSA.lnk = C:\Program Files (x86)\NextWindow\NextWindo
If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.
What if you logon to another profile on the machine? Same redirect?
What if you logon to another profile on the machine? Same redirect?
SuperAntiSpyware is a tool to remove spyware / adware etc;
NextWindowTSA.exe... I don't recognize this either.
Did you try disabling add-ons following the instructions at this site?
http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/5c2e4c37-1647-47d2-b46e-d49a550c9ff5
NextWindowTSA.exe... I don't recognize this either.
Did you try disabling add-ons following the instructions at this site?
http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/5c2e4c37-1647-47d2-b46e-d49a550c9ff5
ASKER
There is only one profile on this computer.
I believe the virus was like the fake alert virus. I found it in the programs and feature area and it was called Antivirus 2010. It attempted to get me to buy the full version.
The odd thing was that it disabled ALL services in start up. I had to turn microsofts most basic services back on using msconfig.
I will run with addons disabled after the next reboot. I am removing any toolbars that i can.
I believe the virus was like the fake alert virus. I found it in the programs and feature area and it was called Antivirus 2010. It attempted to get me to buy the full version.
The odd thing was that it disabled ALL services in start up. I had to turn microsofts most basic services back on using msconfig.
I will run with addons disabled after the next reboot. I am removing any toolbars that i can.
I submitted your hijackthis file to HijackThis.de Security which indicated the following problems:
- O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4
243D812744 0} - C:\Program Files (x86)\Ask.com\GenericAskTo olbar.dll - O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4
243D812744 0} - C:\Program Files (x86)\Ask.com\GenericAskTo olbar.dll - O4 - Startup: iWin Desktop Alerts.lnk = C:\ProgramData\iWin Games\DesktopAlerts\Deskto
pAlerts.ex e
- O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
ERAntiSpyw are.exe - Safe
- This entry was classified from our visitors as good.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Run a temporary file remover...CCleaner is a good one and it's free.
http://www.ccleaner.com/
Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Before running Combofix, temporary disable any firewall(s) shield(s) ect...to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log, for further instructions, save and paste the results by Attach File, or by Code Snippet so other experts can take a look at it. Once after the log looks clean, you may enable your firewall(s) shield(s) ect. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.
You'll might need to rename the file before saving to your desktop so it will not be blocked.
Please note: Don't run Combofix in Safe Mode.
http://www.ccleaner.com/
Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Before running Combofix, temporary disable any firewall(s) shield(s) ect...to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log, for further instructions, save and paste the results by Attach File, or by Code Snippet so other experts can take a look at it. Once after the log looks clean, you may enable your firewall(s) shield(s) ect. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.
You'll might need to rename the file before saving to your desktop so it will not be blocked.
Please note: Don't run Combofix in Safe Mode.
Scan with TDSSKiller, rogues often come bundle with these nasties as well.
http://support.kaspersky.c om/viruses /solutions ?qid=20828 0684
Do not use ComboFix.
http://support.kaspersky.c
Do not use ComboFix.
Oops! I missed the part with "Safe Mode" and "Windows 64-bit".
ASKER
Jeremy
Combo fix does not make a 64-bit solution do they? I have used that program on an XP machine and it worked wonders. If there is a link to a 64 bi version that would be helpful.
rpqgamegirl
I am running the kaspersky executable now.
Phototropic
Will run HitMan as well and reset the host file.
Combo fix does not make a 64-bit solution do they? I have used that program on an XP machine and it worked wonders. If there is a link to a 64 bi version that would be helpful.
rpqgamegirl
I am running the kaspersky executable now.
Phototropic
Will run HitMan as well and reset the host file.
Hi 2ndOf3,
To my knowledge, their isn't a 64-bit version of Combofix at this time.
To my knowledge, their isn't a 64-bit version of Combofix at this time.
ASKER
Kaspersky did not find anything.
Hitman found a suspicious file and i am rebooting to remove now.
Do others agree that using the suggested hosts file is a good solution?
http://www.mvps.org/winhelp2002/hosts.htm
McAfee has stopped working on this machine, probably knocked out by the virus. My plan is to uninstall and then install TrendMicro Titanium.
Hitman found a suspicious file and i am rebooting to remove now.
Do others agree that using the suggested hosts file is a good solution?
http://www.mvps.org/winhelp2002/hosts.htm
McAfee has stopped working on this machine, probably knocked out by the virus. My plan is to uninstall and then install TrendMicro Titanium.
mvps is a tried and tested way of resetting your hosts file after a virus infection.
What was the suspicious file that Hitman Pro removed?
What was the suspicious file that Hitman Pro removed?
ASKER
I ran Hitman instead of installing it. So there is no LOG to check. I think the file was bibpvphk.dll. I am unfamiliar with hitman and failed to make note of the name of the quarantined item.
Im running ESET scan now and am at 49% complete. Nothing so far.
By the way, i have NOT altered any settings related to ADD-ONS. There werent any that seemed suspicious. The redirection has stopped for now. I will reboot a few times and check out the status tomorrow.
Im running ESET scan now and am at 49% complete. Nothing so far.
By the way, i have NOT altered any settings related to ADD-ONS. There werent any that seemed suspicious. The redirection has stopped for now. I will reboot a few times and check out the status tomorrow.
The Eset online scanner is pretty thorough. Let's hope it comes up clean.
>>>"Do others agree that using the suggested hosts file is a good solution?"<<<
In your system, and in my case, NO not really necessary.
>>>"mvps is a tried and tested way of resetting your hosts file after a virus infection."<<<
@ phototropic,
Using mvps Hosts file means using a customized Hosts file, it's not the same as resetting the system's MS Hosts file back to default.
I'm not saying that using a customized Hosts file like MVPS Hosts is a bad idea(it's good), but a customized Hosts file also has its downside in some cases.
Updating Hosts file in Vista requires special attention also:
http://www.mvps.org/winhel
A big Hosts file tends to slow down the system so DNS Client needs to be disabled also, but if he is using "Network Discovery" then DNS Client service is required and should not be disabled.
If you just want to reset the Hosts file back to default then "HostsXpert" is the way to go, and it can be run from anywhere without installation.
HostsXpert "Restore MS Hosts file"
http://www.funkytoad.com/d
ASKER
Hitman found and removed the dns changer rootkit. ESET found remnants. I did not change the host file or remove any addons. The redirection was virus related and not browser related.
Glad to hear that your problem is resolved.
rpggamergirl,
I tend to view the Mvps hosts file download as another line of defence, so resetting a hosts file with it sort of does two jobs at the same time. In Vista you just need to right-click and "Run as Administrator".
I hadn't considered the idea that the SIZE of a hosts file would impact on performance. I've not noticed that outcome, but I intend to do some testing. Thanks for flagging that up.
I tend to view the Mvps hosts file download as another line of defence, so resetting a hosts file with it sort of does two jobs at the same time. In Vista you just need to right-click and "Run as Administrator".
I hadn't considered the idea that the SIZE of a hosts file would impact on performance. I've not noticed that outcome, but I intend to do some testing. Thanks for flagging that up.
Where is it redirecting you?
Is there a HJT log you meant to attach?