Solved

Internet searches still being redirected after virus cleaned

Posted on 2010-11-08
24
783 Views
Last Modified: 2013-12-06
Removed a virus using Malwarebytes in safe mode. Reset the start up settings that were altered by the virus. Checked the host file as well as LAN settings for changes.

When a search is done using IE8 the result seems valid but is then redirected to a bogus site.
0
Comment
Question by:2ndOf3
  • 7
  • 5
  • 3
  • +5
24 Comments
 
LVL 14

Expert Comment

by:athomsfere
Comment Utility
What virus was it?
Where is it redirecting you?

Is there a HJT log you meant to attach?
0
 
LVL 19

Expert Comment

by:Ken Butters
Comment Utility
0
 
LVL 16

Expert Comment

by:uescomp
Comment Utility
As stated above (by buttersk) check your addons and disable the ones you feel uncomfortable with, for a quick test try using IE without addons and see if the issue remains the same, uninstall all IE toolbars, and then check the registry for iexplorer.exe, sometimes viruses in the registry will add onto the tag so anytime iexplorer is started or running it will also execute something else.  I would fully update malwarebytes and try running it in safemode.

Also restore IE8 back to factory defaults.  Another thing is what kinds of redirectors you being brought to, is it adult content, fake antivirus pages/searches or things like netflix, movie places etc.  Some toolbars have been redirecting sites to movie pages etc.
0
 

Author Comment

by:2ndOf3
Comment Utility
I am new to HiJack this and was not sure how to submit. Please guide me if this is not a helpful file. Thank you!
wlkhjk.log
0
 

Author Comment

by:2ndOf3
Comment Utility
I can not find the name of the virus. The Malwarebytes log doesnt list the name. I ran malware bytes fully updated less than 24 hours ago. Then i ran SuperAntiSpyware (also fully updated.) I can not find the log for that program so again I do not know the name of the virus.

The site that I am redirected to varies. If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.
0
 
LVL 14

Expert Comment

by:athomsfere
Comment Utility
This looks bad to me:
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

and this I do not recognize.
O4 - Global Startup: NextWindow TSA.lnk = C:\Program Files (x86)\NextWindow\NextWindowTSA.exe
0
 
LVL 14

Expert Comment

by:athomsfere
Comment Utility
If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.

What if you logon to another profile on the machine? Same redirect?
0
 
LVL 19

Expert Comment

by:Ken Butters
Comment Utility
SuperAntiSpyware is a tool to remove spyware / adware etc;
NextWindowTSA.exe... I don't recognize this either.

Did you try disabling add-ons following the instructions at this site?

http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/5c2e4c37-1647-47d2-b46e-d49a550c9ff5
0
 

Author Comment

by:2ndOf3
Comment Utility
There is only one profile on this computer.

I believe the virus was like the fake alert virus. I found it in the programs and feature area and it was called Antivirus 2010. It attempted to get me to buy the full version.

The odd thing was that it disabled ALL services in start up. I had to turn microsofts most basic services back on using msconfig.

I will run with addons disabled after the next reboot. I am removing any toolbars that i can.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
Comment Utility
I submitted your hijackthis file to HijackThis.de Security which indicated the following problems:
  1. O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
  2. O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
  3. O4 - Startup: iWin Desktop Alerts.lnk = C:\ProgramData\iWin Games\DesktopAlerts\DesktopAlerts.exe
On the other hand,
  • O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
  • Safe
  • This entry was classified from our visitors as good.
I hope that helps.
0
 
LVL 23

Accepted Solution

by:
phototropic earned 250 total points
Comment Utility
HJT does not work as well as it should with 64-bit systems.

I would try scanning with HitMan Pro 64-bit:

http://www.surfright.nl/en/downloads/

You can reset your hosts file using Mvps:

http://www.mvps.org/winhelp2002/hosts.htm

Also, try an online scan such as Eset:

http://www.eset.com/online-scanner/run

Good luck!!!
0
 
LVL 13

Expert Comment

by:JeremySBrown
Comment Utility
Run a temporary file remover...CCleaner is a good one and it's free.
http://www.ccleaner.com/

Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Before running Combofix, temporary disable any firewall(s) shield(s) ect...to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log, for further instructions, save and paste the results by Attach File, or by Code Snippet so other experts can take a look at it. Once after the log looks clean, you may enable your firewall(s) shield(s) ect. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.

You'll might need to rename the file before saving to your desktop so it will not be blocked.

Please note: Don't run Combofix in Safe Mode.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Scan with TDSSKiller, rogues often come bundle with these nasties as well.

http://support.kaspersky.com/viruses/solutions?qid=208280684
Do not use ComboFix.
0
 
LVL 13

Expert Comment

by:JeremySBrown
Comment Utility
Oops! I missed the part with "Safe Mode" and "Windows 64-bit".
0
 

Author Comment

by:2ndOf3
Comment Utility
Jeremy
Combo fix does not make a 64-bit solution do they? I have used that program on an XP machine and it worked wonders. If there is a link to a 64 bi version that would be helpful.

rpqgamegirl
I am running the kaspersky executable now.

Phototropic
Will run HitMan as well and reset the host file.
0
 
LVL 13

Expert Comment

by:JeremySBrown
Comment Utility
Hi 2ndOf3,

To my knowledge, their isn't a 64-bit version of Combofix at this time.
0
 

Author Comment

by:2ndOf3
Comment Utility
Kaspersky did not find anything.

Hitman found a suspicious file and i am rebooting to remove now.

Do others agree that using the suggested hosts file is a good solution?
http://www.mvps.org/winhelp2002/hosts.htm

McAfee has stopped working on this machine, probably knocked out by the virus. My plan is to uninstall and then install TrendMicro Titanium.
0
 
LVL 23

Expert Comment

by:phototropic
Comment Utility
mvps is a tried and tested way of resetting your hosts file after a virus infection.

What was the suspicious file that Hitman Pro removed?
0
 

Author Comment

by:2ndOf3
Comment Utility
I ran Hitman instead of installing it. So there is no LOG to check. I think the file was bibpvphk.dll. I am unfamiliar with hitman and failed to make note of the name of the quarantined item.

Im running ESET scan now and am at 49% complete. Nothing so far.

By the way, i have NOT altered any settings related to ADD-ONS. There werent any that seemed suspicious. The redirection has stopped for now. I will reboot a few times and check out the status tomorrow.
0
 
LVL 23

Expert Comment

by:phototropic
Comment Utility
The Eset online scanner is pretty thorough.  Let's hope it comes up clean.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility

>>>"Do others agree that using the suggested hosts file is a good solution?"<<<
In your system, and in my case, NO not really necessary.

>>>"mvps is a tried and tested way of resetting your hosts file after a virus infection."<<<
@ phototropic,
Using mvps Hosts file means using a customized Hosts file, it's not the same as resetting the system's MS Hosts file back to default.
I'm not saying that using a customized Hosts file like MVPS Hosts is a bad idea(it's good), but a customized Hosts file also has its downside in some cases.

Updating Hosts file in Vista requires special attention also:
http://www.mvps.org/winhelp2002/hostsvista.htm

A big Hosts file tends to slow down the system so DNS Client needs to be disabled also, but if he is using "Network Discovery" then DNS Client service is required and should not be disabled.

If you just want to reset the Hosts file back to default then "HostsXpert" is the way to go, and it can be run from anywhere without installation.

HostsXpert "Restore MS Hosts file"
http://www.funkytoad.com/download/HostsXpert.zip</P>
0
 

Author Closing Comment

by:2ndOf3
Comment Utility
Hitman found and removed the dns changer rootkit. ESET found remnants. I did not change the host file or remove any addons. The redirection was virus related and not browser related.
0
 
LVL 23

Expert Comment

by:phototropic
Comment Utility
Glad to hear that your problem is resolved.
0
 
LVL 23

Expert Comment

by:phototropic
Comment Utility
rpggamergirl,

I tend to view the Mvps hosts file download as another line of defence, so resetting a hosts file with it sort of does two jobs at the same time. In Vista you just need to right-click and "Run as Administrator".

I hadn't considered the idea that the SIZE of a hosts file would impact on performance. I've not noticed that outcome, but I intend to do some testing.  Thanks for flagging that up.



0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now