• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 805
  • Last Modified:

Internet searches still being redirected after virus cleaned

Removed a virus using Malwarebytes in safe mode. Reset the start up settings that were altered by the virus. Checked the host file as well as LAN settings for changes.

When a search is done using IE8 the result seems valid but is then redirected to a bogus site.
0
2ndOf3
Asked:
2ndOf3
  • 7
  • 5
  • 3
  • +5
1 Solution
 
athomsfereCommented:
What virus was it?
Where is it redirecting you?

Is there a HJT log you meant to attach?
0
 
uescompCommented:
As stated above (by buttersk) check your addons and disable the ones you feel uncomfortable with, for a quick test try using IE without addons and see if the issue remains the same, uninstall all IE toolbars, and then check the registry for iexplorer.exe, sometimes viruses in the registry will add onto the tag so anytime iexplorer is started or running it will also execute something else.  I would fully update malwarebytes and try running it in safemode.

Also restore IE8 back to factory defaults.  Another thing is what kinds of redirectors you being brought to, is it adult content, fake antivirus pages/searches or things like netflix, movie places etc.  Some toolbars have been redirecting sites to movie pages etc.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
2ndOf3Author Commented:
I am new to HiJack this and was not sure how to submit. Please guide me if this is not a helpful file. Thank you!
wlkhjk.log
0
 
2ndOf3Author Commented:
I can not find the name of the virus. The Malwarebytes log doesnt list the name. I ran malware bytes fully updated less than 24 hours ago. Then i ran SuperAntiSpyware (also fully updated.) I can not find the log for that program so again I do not know the name of the virus.

The site that I am redirected to varies. If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.
0
 
athomsfereCommented:
This looks bad to me:
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

and this I do not recognize.
O4 - Global Startup: NextWindow TSA.lnk = C:\Program Files (x86)\NextWindow\NextWindowTSA.exe
0
 
athomsfereCommented:
If i google search Home Depot and click the top google result... I am redirected to lycos.com or health.com or travel.aol.com.

What if you logon to another profile on the machine? Same redirect?
0
 
Ken ButtersCommented:
SuperAntiSpyware is a tool to remove spyware / adware etc;
NextWindowTSA.exe... I don't recognize this either.

Did you try disabling add-ons following the instructions at this site?

http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/5c2e4c37-1647-47d2-b46e-d49a550c9ff5
0
 
2ndOf3Author Commented:
There is only one profile on this computer.

I believe the virus was like the fake alert virus. I found it in the programs and feature area and it was called Antivirus 2010. It attempted to get me to buy the full version.

The odd thing was that it disabled ALL services in start up. I had to turn microsofts most basic services back on using msconfig.

I will run with addons disabled after the next reboot. I am removing any toolbars that i can.
0
 
Paul SauvéCommented:
I submitted your hijackthis file to HijackThis.de Security which indicated the following problems:
  1. O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
  2. O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
  3. O4 - Startup: iWin Desktop Alerts.lnk = C:\ProgramData\iWin Games\DesktopAlerts\DesktopAlerts.exe
On the other hand,
  • O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
  • Safe
  • This entry was classified from our visitors as good.
I hope that helps.
0
 
phototropicCommented:
HJT does not work as well as it should with 64-bit systems.

I would try scanning with HitMan Pro 64-bit:

http://www.surfright.nl/en/downloads/

You can reset your hosts file using Mvps:

http://www.mvps.org/winhelp2002/hosts.htm

Also, try an online scan such as Eset:

http://www.eset.com/online-scanner/run

Good luck!!!
0
 
JeremySBrownCommented:
Run a temporary file remover...CCleaner is a good one and it's free.
http://www.ccleaner.com/

Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Before running Combofix, temporary disable any firewall(s) shield(s) ect...to prevent any conflicts with Combofix. After Combofix is done scanning, it will create a log, for further instructions, save and paste the results by Attach File, or by Code Snippet so other experts can take a look at it. Once after the log looks clean, you may enable your firewall(s) shield(s) ect. Combofix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before Combofix completes its scan. If Combofix runs into problems, your Internet connection can be manually restored by restarting your machine.

You'll might need to rename the file before saving to your desktop so it will not be blocked.

Please note: Don't run Combofix in Safe Mode.
0
 
rpggamergirlCommented:
Scan with TDSSKiller, rogues often come bundle with these nasties as well.

http://support.kaspersky.com/viruses/solutions?qid=208280684
Do not use ComboFix.
0
 
JeremySBrownCommented:
Oops! I missed the part with "Safe Mode" and "Windows 64-bit".
0
 
2ndOf3Author Commented:
Jeremy
Combo fix does not make a 64-bit solution do they? I have used that program on an XP machine and it worked wonders. If there is a link to a 64 bi version that would be helpful.

rpqgamegirl
I am running the kaspersky executable now.

Phototropic
Will run HitMan as well and reset the host file.
0
 
JeremySBrownCommented:
Hi 2ndOf3,

To my knowledge, their isn't a 64-bit version of Combofix at this time.
0
 
2ndOf3Author Commented:
Kaspersky did not find anything.

Hitman found a suspicious file and i am rebooting to remove now.

Do others agree that using the suggested hosts file is a good solution?
http://www.mvps.org/winhelp2002/hosts.htm

McAfee has stopped working on this machine, probably knocked out by the virus. My plan is to uninstall and then install TrendMicro Titanium.
0
 
phototropicCommented:
mvps is a tried and tested way of resetting your hosts file after a virus infection.

What was the suspicious file that Hitman Pro removed?
0
 
2ndOf3Author Commented:
I ran Hitman instead of installing it. So there is no LOG to check. I think the file was bibpvphk.dll. I am unfamiliar with hitman and failed to make note of the name of the quarantined item.

Im running ESET scan now and am at 49% complete. Nothing so far.

By the way, i have NOT altered any settings related to ADD-ONS. There werent any that seemed suspicious. The redirection has stopped for now. I will reboot a few times and check out the status tomorrow.
0
 
phototropicCommented:
The Eset online scanner is pretty thorough.  Let's hope it comes up clean.
0
 
rpggamergirlCommented:

>>>"Do others agree that using the suggested hosts file is a good solution?"<<<
In your system, and in my case, NO not really necessary.

>>>"mvps is a tried and tested way of resetting your hosts file after a virus infection."<<<
@ phototropic,
Using mvps Hosts file means using a customized Hosts file, it's not the same as resetting the system's MS Hosts file back to default.
I'm not saying that using a customized Hosts file like MVPS Hosts is a bad idea(it's good), but a customized Hosts file also has its downside in some cases.

Updating Hosts file in Vista requires special attention also:
http://www.mvps.org/winhelp2002/hostsvista.htm

A big Hosts file tends to slow down the system so DNS Client needs to be disabled also, but if he is using "Network Discovery" then DNS Client service is required and should not be disabled.

If you just want to reset the Hosts file back to default then "HostsXpert" is the way to go, and it can be run from anywhere without installation.

HostsXpert "Restore MS Hosts file"
http://www.funkytoad.com/download/HostsXpert.zip</P>
0
 
2ndOf3Author Commented:
Hitman found and removed the dns changer rootkit. ESET found remnants. I did not change the host file or remove any addons. The redirection was virus related and not browser related.
0
 
phototropicCommented:
Glad to hear that your problem is resolved.
0
 
phototropicCommented:
rpggamergirl,

I tend to view the Mvps hosts file download as another line of defence, so resetting a hosts file with it sort of does two jobs at the same time. In Vista you just need to right-click and "Run as Administrator".

I hadn't considered the idea that the SIZE of a hosts file would impact on performance. I've not noticed that outcome, but I intend to do some testing.  Thanks for flagging that up.



0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 7
  • 5
  • 3
  • +5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now