Solved

Internet searches still being redirected after virus cleaned

Posted on 2010-11-08
Last Modified: 2013-12-06
Removed a virus using Malwarebytes in safe mode. Reset the startup settings that were altered by the virus. Checked the hosts file as well as LAN settings for changes.

When a search is done using IE8 the result seems valid but is then redirected to a bogus site.
Question by:2ndOf3
24 Comments
 
LVL 14

Expert Comment

by:athomsfere
ID: 34087061
What virus was it?
Where is it redirecting you?

Is there a HJT log you meant to attach?
 
LVL 19

Expert Comment

by:Ken Butters
ID: 34087064
 
LVL 16

Expert Comment

by:uescomp
ID: 34087115
As stated above (by buttersk), check your add-ons and disable the ones you feel uncomfortable with. For a quick test, try using IE without add-ons and see if the issue remains the same, uninstall all IE toolbars, and then check the registry for iexplore.exe; sometimes viruses in the registry will add onto the tag so that any time iexplore is started or running it will also execute something else.  I would fully update Malwarebytes and try running it in safe mode.

Also restore IE8 back to factory defaults.  Another thing: what kinds of redirects are you being brought to? Is it adult content, fake antivirus pages/searches, or things like Netflix, movie places etc.?  Some toolbars have been redirecting sites to movie pages etc.
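The checks the question and the comment above walk through by hand (startup entries, LAN/proxy settings, the registry around iexplore.exe, and the DNS side that a hosts/LAN check alone does not cover) can be collected in one pass. What follows is an added example written for this page, not code from the thread or from HijackThis, Malwarebytes or any other tool named in it. It assumes a Windows 7 x64 machine like the one in the thread, run from an elevated 64-bit PowerShell prompt so that both the native and the Wow6432Node registry views are visible (a 32-bit process only sees the Wow6432Node view, which is the usual reason a 32-bit scanner's log is incomplete on x64). It also assumes you replace the `$ExpectedDns` placeholder with the resolvers your network is supposed to hand out, and the path pattern used to flag Run entries is a heuristic for further inspection, not a verdict.

```powershell
# Added example for this thread, not part of the original post or of any tool named in it.
# Assumptions: Windows 7 x64, elevated 64-bit PowerShell; $ExpectedDns must be edited to
# the resolvers your network should be using (the default below is a placeholder).

function Get-RedirectTriage {
    param([string[]]$ExpectedDns = @('192.168.1.1'))   # placeholder, replace with your resolvers

    $findings = @()

    # 1. DNS servers per interface. A DNS changer writes a static NameServer value so it
    #    overrides the DHCP-supplied one; any resolver not in $ExpectedDns is a finding.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem $ifRoot) {
        $p = Get-ItemProperty $iface.PSPath
        foreach ($prop in 'NameServer', 'DhcpNameServer') {
            $val = $p.$prop
            if (-not $val) { continue }
            foreach ($server in ($val -split '[ ,]+')) {
                if ($server -and ($ExpectedDns -notcontains $server)) {
                    $findings += "DNS: interface $($iface.PSChildName) $prop = $server (not expected)"
                }
            }
        }
    }

    # 2. WinINET proxy / PAC settings for the current user (the IE "LAN settings" dialog).
    #    A proxy or auto-config URL the user did not set redirects every request, whatever DNS says.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1) { $findings += "Proxy: ProxyServer = $($inet.ProxyServer)" }
    if ($inet.AutoConfigURL)     { $findings += "Proxy: AutoConfigURL = $($inet.AutoConfigURL)" }

    # 3. Image File Execution Options for iexplore.exe. A Debugger value makes Windows start
    #    that program instead of IE: the "something else runs whenever IE starts" registry trick.
    $ifeoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe'
    )
    foreach ($key in $ifeoKeys) {
        if (Test-Path $key) {
            $dbg = (Get-ItemProperty $key).Debugger
            if ($dbg) { $findings += "IFEO: $key Debugger = $dbg" }
        }
    }

    # 4. Run keys (the HijackThis O4 lines) in both hives and both registry views.
    #    Heuristic: flag anything launched from a user-writable location.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in (Get-ItemProperty $key).PSObject.Properties) {
            if ($entry.Name -like 'PS*') { continue }    # skip PSPath, PSChildName, ...
            if ("$($entry.Value)" -match '(?i)\\(AppData|Temp|ProgramData|Users\\[^\\]+)\\') {
                $findings += "Run: $key [$($entry.Name)] = $($entry.Value)"
            }
        }
    }

    # 5. Startup folders (the HijackThis "Startup" / "Global Startup" lines), listed in full.
    $startupDirs = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($dir in $startupDirs) {
        if (Test-Path $dir) {
            foreach ($item in Get-ChildItem $dir) { $findings += "Startup: $($item.FullName)" }
        }
    }

    if ($findings.Count -eq 0) { $findings += 'No findings in DNS, proxy, IFEO, Run keys or Startup folders.' }
    return $findings
}

# Usage (edit the resolver list first): anything printed is a lead to verify, not a verdict.
Get-RedirectTriage -ExpectedDns '192.168.1.1', '8.8.8.8'
```

The order matters for diagnosis: a resolver that is not yours in step 1 explains a redirect that survives every browser-side fix, a proxy or PAC URL in step 2 explains one that only affects IE, and an IFEO Debugger in step 3 explains a program that runs every time IE does. The Run and Startup lists will include legitimate software (the thread's SUPERAntiSpyware and NextWindow entries, for instance), so treat them as the same kind of lead as a HijackThis O4 line. If step 1 is clean but searches still redirect, the next test is to resolve the same name once through the configured resolver and once through a resolver you trust (`nslookup name server`) and compare the answers.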
 

Author Comment

by:2ndOf3
ID: 34087141
I am new to HiJack this and was not sure how to submit. Please guide me if this is not a helpful file. Thank you!
wlkhjk.log
0
 

Author Comment

by:2ndOf3
ID: 34087302
I cannot find the name of the virus. The Malwarebytes log doesn't list the name. I ran Malwarebytes fully updated less than 24 hours ago. Then I ran SuperAntiSpyware (also fully updated). I cannot find the log for that program, so again I do not know the name of the virus.

The site that I am redirected to varies. If I Google search Home Depot and click the top Google result... I am redirected to lycos.com or health.com or travel.aol.com.
 
LVL 14

Expert Comment

by:athomsfere
ID: 34087372
This looks bad to me:
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

and this I do not recognize.
O4 - Global Startup: NextWindow TSA.lnk = C:\Program Files (x86)\NextWindow\NextWindowTSA.exe
 
LVL 14

Expert Comment

by:athomsfere
ID: 34087381
>>>"If I Google search Home Depot and click the top Google result... I am redirected to lycos.com or health.com or travel.aol.com."<<<

What if you logon to another profile on the machine? Same redirect?
 
LVL 19

Expert Comment

by:Ken Butters
ID: 34087696
SuperAntiSpyware is a tool to remove spyware / adware etc;
NextWindowTSA.exe... I don't recognize this either.

Did you try disabling add-ons following the instructions at this site?

http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/5c2e4c37-1647-47d2-b46e-d49a550c9ff5
 

Author Comment

by:2ndOf3
ID: 34087728
There is only one profile on this computer.

I believe the virus was like the fake alert virus. I found it in the Programs and Features area and it was called Antivirus 2010. It attempted to get me to buy the full version.

The odd thing was that it disabled ALL services in startup. I had to turn Microsoft's most basic services back on using msconfig.

I will run with add-ons disabled after the next reboot. I am removing any toolbars that I can.
 
LVL 32

Expert Comment

by:Paul Sauvé
ID: 34087916
I submitted your hijackthis file to HijackThis.de Security which indicated the following problems:
  1. O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
  2. O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
  3. O4 - Startup: iWin Desktop Alerts.lnk = C:\ProgramData\iWin Games\DesktopAlerts\DesktopAlerts.exe
On the other hand,
  • O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
  • Safe
  • This entry was classified from our visitors as good.
I hope that helps.
 
LVL 23

Accepted Solution

by: phototropic (earned 250 total points)
ID: 34088229
HJT does not work as well as it should with 64-bit systems.

I would try scanning with HitMan Pro 64-bit:

http://www.surfright.nl/en/downloads/

You can reset your hosts file using Mvps:

http://www.mvps.org/winhelp2002/hosts.htm

Also, try an online scan such as Eset:

http://www.eset.com/online-scanner/run

Good luck!!!
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 34088684
Run a temporary file remover...CCleaner is a good one and it's free.
http://www.ccleaner.com/

Download Combofix by sUBs.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Before running ComboFix, temporarily disable any firewall(s), shield(s), etc. to prevent any conflicts with ComboFix. After ComboFix is done scanning, it will create a log; for further instructions, save and paste the results by Attach File or by Code Snippet so other experts can take a look at it. Once the log looks clean, you may re-enable your firewall(s), shield(s), etc. ComboFix will disconnect your machine from the Internet. Your Internet connection will be automatically restored just before ComboFix completes its scan. If ComboFix runs into problems, your Internet connection can be manually restored by restarting your machine.

You might need to rename the file before saving it to your desktop so it will not be blocked.

Please note: Don't run Combofix in Safe Mode.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 34088767
Scan with TDSSKiller; rogues often come bundled with these nasties as well.

http://support.kaspersky.com/viruses/solutions?qid=208280684
Do not use ComboFix.
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 34088915
Oops! I missed the part with "Safe Mode" and "Windows 64-bit".
 

Author Comment

by:2ndOf3
ID: 34095889
Jeremy
ComboFix doesn't make a 64-bit version, do they? I have used that program on an XP machine and it worked wonders. If there is a link to a 64-bit version, that would be helpful.

rpggamergirl
I am running the kaspersky executable now.

Phototropic
Will run HitMan as well and reset the host file.
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 34095971
Hi 2ndOf3,

To my knowledge, there isn't a 64-bit version of ComboFix at this time.
 

Author Comment

by:2ndOf3
ID: 34096059
Kaspersky did not find anything.

Hitman found a suspicious file and i am rebooting to remove now.

Do others agree that using the suggested hosts file is a good solution?
http://www.mvps.org/winhelp2002/hosts.htm

McAfee has stopped working on this machine, probably knocked out by the virus. My plan is to uninstall and then install TrendMicro Titanium.
 
LVL 23

Expert Comment

by:phototropic
ID: 34096251
mvps is a tried and tested way of resetting your hosts file after a virus infection.

What was the suspicious file that Hitman Pro removed?
 

Author Comment

by:2ndOf3
ID: 34096719
I ran Hitman instead of installing it, so there is no LOG to check. I think the file was bibpvphk.dll. I am unfamiliar with Hitman and failed to make note of the name of the quarantined item.

I'm running the ESET scan now and am at 49% complete. Nothing so far.

By the way, I have NOT altered any settings related to ADD-ONS. There weren't any that seemed suspicious. The redirection has stopped for now. I will reboot a few times and check out the status tomorrow.
 
LVL 23

Expert Comment

by:phototropic
ID: 34097482
The Eset online scanner is pretty thorough.  Let's hope it comes up clean.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 34099984

>>>"Do others agree that using the suggested hosts file is a good solution?"<<<
In your system, and in my case, NO, not really necessary.

>>>"mvps is a tried and tested way of resetting your hosts file after a virus infection."<<<
@ phototropic,
Using mvps Hosts file means using a customized Hosts file, it's not the same as resetting the system's MS Hosts file back to default.
I'm not saying that using a customized Hosts file like MVPS Hosts is a bad idea (it's good), but a customized Hosts file also has its downside in some cases.

Updating Hosts file in Vista requires special attention also:
http://www.mvps.org/winhelp2002/hostsvista.htm

A big Hosts file tends to slow down the system so DNS Client needs to be disabled also, but if he is using "Network Discovery" then DNS Client service is required and should not be disabled.

If you just want to reset the Hosts file back to default then "HostsXpert" is the way to go, and it can be run from anywhere without installation.

HostsXpert "Restore MS Hosts file"
http://www.funkytoad.com/download/HostsXpert.zip
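The comment above draws the distinction that decides whether a hosts-file reset is even relevant: the stock Microsoft file, a customized MVPS-style file, and a hijacked file are three different things. Here is an added example that tells them apart from the file's contents. It is written for this page and is not code from the thread, from MVPS or from HostsXpert. It assumes that a stock hosts file carries at most a loopback-to-localhost mapping (Windows 7 ships with even that commented out), that entries pointing at 0.0.0.0, 127.0.0.1 or ::1 are blocklist sinkholes of the MVPS kind (which is what makes such a file large and slow for the DNS Client service to parse), and that a name mapped to any other address is the hijack pattern, the only one of the three that can produce a redirect. The sample lines at the bottom are constructed for the example; 203.0.113.10 is from the documentation address range and the example.com names stand in for whatever search or vendor site a real hijack would target.

```powershell
# Added example for this thread, not part of the original post, MVPS or HostsXpert.
# Reads the live hosts file by default; pass -Lines to analyse a saved copy or a sample.

function Get-HostsReport {
    param(
        [string[]]$Lines = (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
    )
    $loopback     = @('0.0.0.0', '127.0.0.1', '::1')
    $defaultNames = @('localhost')          # the only active mapping a stock file may carry
    $entries = @()

    foreach ($raw in $Lines) {
        $text = ($raw -split '#', 2)[0].Trim()      # strip comments, including trailing ones
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }       # not an address/name mapping
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($loopback -contains $address) {
                if ($defaultNames -contains $name) { $kind = 'default' } else { $kind = 'sinkhole' }
            } else {
                $kind = 'redirect'                  # a real name sent somewhere else
            }
            $entries += New-Object PSObject -Property @{ Name = $name; Address = $address; Kind = $kind }
        }
    }

    $redirects = @($entries | Where-Object { $_.Kind -eq 'redirect' })
    $sinkholes = @($entries | Where-Object { $_.Kind -eq 'sinkhole' })
    if ($redirects.Count -gt 0) {
        $verdict = 'HIJACK SUSPECTED: names mapped to non-loopback addresses; reset or clean the file'
    } elseif ($sinkholes.Count -gt 0) {
        $verdict = "Customized blocklist ($($sinkholes.Count) sinkhole entries, MVPS-style); no redirects"
    } else {
        $verdict = 'Stock Microsoft hosts file; nothing to reset'
    }

    New-Object PSObject -Property @{
        Verdict       = $verdict
        Redirects     = $redirects
        SinkholeCount = $sinkholes.Count
    }
}

# Constructed sample (not from the thread's machine): a stock-style header, one MVPS-style
# sinkhole entry, and the hijack pattern a redirect infection leaves behind.
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '#   127.0.0.1       localhost',
    '0.0.0.0  ads.example.net',
    '203.0.113.10  www.example.com  search.example.com  # bogus search site',
    '203.0.113.10  www.example.org'
)
$report = Get-HostsReport -Lines $sample
$report.Verdict
$report.Redirects | Format-Table Name, Address -AutoSize

# Live check:
# (Get-HostsReport).Verdict
```

Reading the file needs no elevation, so this runs before any repair tool. If the verdict is "stock" or "customized blocklist" while searches still redirect, the hosts file is not the cause and the DNS settings and rootkit scans are the right place to look, which is what the thread's outcome turned out to be. If a hijacked file is reported, restoring the stock file (HostsXpert) and installing the MVPS file are separate decisions, exactly as the comment above says.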
 

Author Closing Comment

by:2ndOf3
ID: 34145873
Hitman found and removed the dns changer rootkit. ESET found remnants. I did not change the host file or remove any addons. The redirection was virus related and not browser related.
 
LVL 23

Expert Comment

by:phototropic
ID: 34148669
Glad to hear that your problem is resolved.
 
LVL 23

Expert Comment

by:phototropic
ID: 34149022
rpggamergirl,

I tend to view the Mvps hosts file download as another line of defence, so resetting a hosts file with it sort of does two jobs at the same time. In Vista you just need to right-click and "Run as Administrator".

I hadn't considered the idea that the SIZE of a hosts file would impact on performance. I've not noticed that outcome, but I intend to do some testing.  Thanks for flagging that up.



