Solved

Internet searches still being redirected after virus cleaned

Posted on 2010-11-08
24
787 Views
Last Modified: 2013-12-06
Removed a virus using Malwarebytes in safe mode. Reset the start up settings that were altered by the virus. Checked the host file as well as LAN settings for changes.

When a search is done using IE8 the result seems valid but is then redirected to a bogus site.
0
Comment
Question by:2ndOf3
  • 7
  • 5
  • 3
  • +5
24 Comments
 
LVL 14

Expert Comment

by:athomsfere
ID: 34087061
What virus was it?
Where is it redirecting you?

Is there a HJT log you meant to attach?
0
 
LVL 19

Expert Comment

by:Ken Butters
ID: 34087064
0
 
LVL 16

Expert Comment

by:uescomp
ID: 34087115
As stated above (by buttersk) check your addons and disable the ones you feel uncomfortable with, for a quick test try using IE without addons and see if the issue remains the same, uninstall all IE toolbars, and then check the registry for iexplorer.exe, sometimes viruses in the registry will add onto the tag so anytime iexplorer is started or running it will also execute something else.  I would fully update malwarebytes and try running it in safemode.

Also restore IE8 back to factory defaults.  Another thing is what kinds of redirectors you being brought to, is it adult content, fake antivirus pages/searches or things like netflix, movie places etc.  Some toolbars have been redirecting sites to movie pages etc.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:2ndOf3
ID: 34087141
I am new to HiJack this and was not sure how to submit. Please guide me if this is not a helpful file. Thank you!
wlkhjk.log
0
 

Author Comment

by:2ndOf3
ID: 34087302
I can not find the name of the virus. The Malwarebytes log doesnt list the name. I ran malware bytes fully updated less than 24 hours ago. Then i ran SuperAntiSpyware (also fully updated.) I can not find the log for that program so again I do not know the name of the virus.

The site that I am redirected to varies. If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.
0
 
LVL 14

Expert Comment

by:athomsfere
ID: 34087372
This looks bad to me:
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

and this I do not recognize.
O4 - Global Startup: NextWindow TSA.lnk = C:\Program Files (x86)\NextWindow\NextWindowTSA.exe
0
 
LVL 14

Expert Comment

by:athomsfere
ID: 34087381
If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.

What if you logon to another profile on the machine? Same redirect?
0
 
LVL 19

Expert Comment

by:Ken Butters
ID: 34087696
SuperAntiSpyware is a tool to remove spyware / adware etc;
NextWindowTSA.exe... I don't recognize this either.

Did you try disabling add-ons following the instructions at this site?

http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/5c2e4c37-1647-47d2-b46e-d49a550c9ff5
0
 

Author Comment

by:2ndOf3
ID: 34087728
There is only one profile on this computer.

I believe the virus was like the fake alert virus. I found it in the programs and feature area and it was called Antivirus 2010. It attempted to get me to buy the full version.

The odd thing was that it disabled ALL services in start up. I had to turn microsofts most basic services back on using msconfig.

I will run with addons disabled after the next reboot. I am removing any toolbars that i can.
0
 
LVL 31

Expert Comment

by:Paul Sauvé
ID: 34087916
I submitted your hijackthis file to HijackThis.de Security which indicated the following problems:
  1. O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
  2. O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
  3. O4 - Startup: iWin Desktop Alerts.lnk = C:\ProgramData\iWin Games\DesktopAlerts\DesktopAlerts.exe
On the other hand,
  • O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
  • Safe
  • This entry was classified from our visitors as good.
I hope that helps.
0
 
LVL 23

Accepted Solution

by:
phototropic earned 250 total points
ID: 34088229
HJT does not work as well as it should with 64-bit systems.

I would try scanning with HitMan Pro 64-bit:

http://www.surfright.nl/en/downloads/

You can reset your hosts file using Mvps:

http://www.mvps.org/winhelp2002/hosts.htm

Also, try an online scan such as Eset:

http://www.eset.com/online-scanner/run

Good luck!!!
0
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 34088684
Run a temporary file remover...CCleaner is a good one and it's free.
http://www.ccleaner.com/

Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Before running Combofix, temporary disable any firewall(s) shield(s) ect...to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log, for further instructions, save and paste the results by Attach File, or by Code Snippet so other experts can take a look at it. Once after the log looks clean, you may enable your firewall(s) shield(s) ect. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.

You'll might need to rename the file before saving to your desktop so it will not be blocked.

Please note: Don't run Combofix in Safe Mode.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 34088767
Scan with TDSSKiller, rogues often come bundle with these nasties as well.

http://support.kaspersky.com/viruses/solutions?qid=208280684
Do not use ComboFix.
0
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 34088915
Oops! I missed the part with "Safe Mode" and "Windows 64-bit".
0
 

Author Comment

by:2ndOf3
ID: 34095889
Jeremy
Combo fix does not make a 64-bit solution do they? I have used that program on an XP machine and it worked wonders. If there is a link to a 64 bi version that would be helpful.

rpqgamegirl
I am running the kaspersky executable now.

Phototropic
Will run HitMan as well and reset the host file.
0
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 34095971
Hi 2ndOf3,

To my knowledge, their isn't a 64-bit version of Combofix at this time.
0
 

Author Comment

by:2ndOf3
ID: 34096059
Kaspersky did not find anything.

Hitman found a suspicious file and i am rebooting to remove now.

Do others agree that using the suggested hosts file is a good solution?
http://www.mvps.org/winhelp2002/hosts.htm

McAfee has stopped working on this machine, probably knocked out by the virus. My plan is to uninstall and then install TrendMicro Titanium.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34096251
mvps is a tried and tested way of resetting your hosts file after a virus infection.

What was the suspicious file that Hitman Pro removed?
0
 

Author Comment

by:2ndOf3
ID: 34096719
I ran Hitman instead of installing it. So there is no LOG to check. I think the file was bibpvphk.dll. I am unfamiliar with hitman and failed to make note of the name of the quarantined item.

Im running ESET scan now and am at 49% complete. Nothing so far.

By the way, i have NOT altered any settings related to ADD-ONS. There werent any that seemed suspicious. The redirection has stopped for now. I will reboot a few times and check out the status tomorrow.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34097482
The Eset online scanner is pretty thorough.  Let's hope it comes up clean.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 34099984

>>>"Do others agree that using the suggested hosts file is a good solution?"<<<
In your system, and in my case, NO not really necessary.

>>>"mvps is a tried and tested way of resetting your hosts file after a virus infection."<<<
@ phototropic,
Using mvps Hosts file means using a customized Hosts file, it's not the same as resetting the system's MS Hosts file back to default.
I'm not saying that using a customized Hosts file like MVPS Hosts is a bad idea(it's good), but a customized Hosts file also has its downside in some cases.

Updating Hosts file in Vista requires special attention also:
http://www.mvps.org/winhelp2002/hostsvista.htm

A big Hosts file tends to slow down the system so DNS Client needs to be disabled also, but if he is using "Network Discovery" then DNS Client service is required and should not be disabled.

If you just want to reset the Hosts file back to default then "HostsXpert" is the way to go, and it can be run from anywhere without installation.

HostsXpert "Restore MS Hosts file"
http://www.funkytoad.com/download/HostsXpert.zip</P>
0
 

Author Closing Comment

by:2ndOf3
ID: 34145873
Hitman found and removed the dns changer rootkit. ESET found remnants. I did not change the host file or remove any addons. The redirection was virus related and not browser related.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34148669
Glad to hear that your problem is resolved.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34149022
rpggamergirl,

I tend to view the Mvps hosts file download as another line of defence, so resetting a hosts file with it sort of does two jobs at the same time. In Vista you just need to right-click and "Run as Administrator".

I hadn't considered the idea that the SIZE of a hosts file would impact on performance. I've not noticed that outcome, but I intend to do some testing.  Thanks for flagging that up.



0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question