asked on

Internet Explorer Re-directs user

Hi,

One of our users appears to have an issue where he gets re-directed to strange pages in IE, even while trying to browse google. I've posted the hijackthis file, and as well, his hosts file, which, fills up automatically. I've removed all entries in hosts, but, then they re-appear. I'm new to hijackthis and would appreciate any assistance you can offer.

---------------------------------------------------------------------
Hijack This log
---------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:28:02 PM, on 3/3/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Tivoli\CDP_for_Files\FilePathSrv.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Users\"private" (ive removed this)\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Users\"private"\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe
C:\Program Files\IBM\Lotus\Notes\NLNOTES.EXE
C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.1.20090925-1604\win32\x86\notes2.exe
C:\Program Files\IBM\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IMSS] "C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe"
O4 - HKCU\..\RunOnce: [*LogMeInRescue_2977238576] "C:\Users\"private"\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe" -runonce reboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: CDPforFilesSrv.lnk = C:\Program Files\Tivoli\CDP_for_Files\FilePathSrv.exe
O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E734BF43-7194-4E3A-832F-307606DDF665} (Unyte Conferencing Plugin) - https://ds.conferenceservers.com/components/WDPLUGIN.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = "I've removed this for security reasons, but, it does show our domain"

O17 - HKLM\Software\..\Telephony: DomainName = "same as above"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B160DB8F-4791-4671-BE2C-09D77E531E34}: Domain = "removed"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B160DB8F-4791-4671-BE2C-09D77E531E34}: NameServer = "both showed fine, but removed for security
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = "removed"
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = "removed"
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = "removed"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = "removed"
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CDPforFilesSrv (filepathsrv) - IBM Corporation - C:\Windows\system32\filepathsrv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Company - C:\Windows\system32\Hpservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Lotus Notes Diagnostics - IBM Corp - C:\Program Files\IBM\Lotus\Notes\nsd.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\IBM\Lotus\Notes\nslsvice.exe
O23 - Service: lxebCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxebserv.exe
O23 - Service: lxeb_device - - C:\Windows\system32\lxebcoms.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\STacSV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: Validity VCS Fingerprint Service (vcsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vcsFPService.exe
O23 - Service: WSWNA1100 - Unknown owner - C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe

--
End of file - 9541 bytes
--------------------------------------------

----------------
hosts file
-----------------

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

127.0.0.1 82.165.237.14
127.0.0.1 82.165.250.33
127.0.0.1 akamai.avg.com
127.0.0.1 antivir.es
127.0.0.1 anti-virus.by
127.0.0.1 avast.com
127.0.0.1 avg.com
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 avp.ru/download/
127.0.0.1 avpg.crsi.symantec.com
127.0.0.1 backup.avg.cz
127.0.0.1 bancoguayaquil.com
127.0.0.1 bcpzonasegura.viabcp.com
127.0.0.1 bitdefender.com
127.0.0.1 clamav.net
127.0.0.1 comodo.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com/products/
127.0.0.1 downloads1.kaspersky-labs.com/updates/
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com/products/
127.0.0.1 downloads2.kaspersky-labs.com/updates/
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com/products/
127.0.0.1 downloads3.kaspersky-labs.com/updates/
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com/products/
127.0.0.1 downloads4.kaspersky-labs.com/updates/
127.0.0.1 downloads5.kaspersky-labs.com
127.0.0.1 downloads5.kaspersky-labs.com/products/
127.0.0.1 downloads5.kaspersky-labs.com/updates/
127.0.0.1 drweb.com
127.0.0.1 emsisoft.com
127.0.0.1 eset.com
127.0.0.1 eset.com/
127.0.0.1 eset.com/download/index.php
127.0.0.1 eset.com/joomla/
127.0.0.1 eset.com/products/index.php
127.0.0.1 eset.es
127.0.0.1 fortinet.com
127.0.0.1 f-prot.com
127.0.0.1 f-secure.com
127.0.0.1 gdata.es
127.0.0.1 go.microsoft.com
127.0.0.1 hacksoft.com.pe
127.0.0.1 ikarus.at
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky.ru
127.0.0.1 kaspersky-labs.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 macafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 networkassociates.com
127.0.0.1 nod32.com
127.0.0.1 norman.com
127.0.0.1 norton.com
127.0.0.1 nprotect.com
127.0.0.1 pandasecurity.com
127.0.0.1 pandasoftware.com
127.0.0.1 pctools.com
127.0.0.1 pif.symantec.com
127.0.0.1 pifmain.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 rising-global.com
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 sunbeltsoftware.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 symantec.com/updates
127.0.0.1 threatexpert.com
127.0.0.1 trendmicro.com
127.0.0.1 u2.eset.com
127.0.0.1 u20.eset.com
127.0.0.1 u3.eset.com
127.0.0.1 u3.eset.com/
127.0.0.1 u4.eset.com
127.0.0.1 u4.eset.com/
127.0.0.1 u7.eset.com
127.0.0.1 update.avg.com
127.0.0.1 update.microsoft.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 updates2.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 us.mcafee.com
127.0.0.1 viabcp.com
127.0.0.1 virscan.org
127.0.0.1 virusbuster.hu
127.0.0.1 viruslist.com
127.0.0.1 viruslist.ru
127.0.0.1 virusscan.jotti.org
127.0.0.1 virustotal.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.ahnlab.com
127.0.0.1 www.aladdin.com
127.0.0.1 www.antivir.es
127.0.0.1 www.antiy.net
127.0.0.1 www.authentium.com
127.0.0.1 www.avast.com
127.0.0.1 www.avg.com
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.avp.ru/download/
127.0.0.1 www.bitdefender.com
127.0.0.1 www.clamav.net
127.0.0.1 www.comodo.com
127.0.0.1 www.download.mcafee.com
127.0.0.1 www.drweb.com
127.0.0.1 www.emsisoft.com
127.0.0.1 www.eset.com
127.0.0.1 www.eset.com/
127.0.0.1 www.eset.com/download/index.php
127.0.0.1 www.eset.com/joomla/
127.0.0.1 www.eset.com/products/index.php
127.0.0.1 www.fortinet.com
127.0.0.1 www.f-prot.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.gdata.es
127.0.0.1 www.grisoft.com
127.0.0.1 www.ikarus.at
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 www.macafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.nod32.com
127.0.0.1 www.norman.com
127.0.0.1 www.norton.com
127.0.0.1 www.nprotect.com
127.0.0.1 www.pandasecurity.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.pctools.com
127.0.0.1 www.rising-global.com
127.0.0.1 www.scanner.novirusthanks.org
127.0.0.1 www.sophos.com
127.0.0.1 www.sunbeltsoftware.com
127.0.0.1 www.symantec.com
127.0.0.1 www.symantec.com/updates
127.0.0.1 www.trendmicro.com
127.0.0.1 www.virscan.org
127.0.0.1 www.viruslist.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www.virusscan.jotti.org
127.0.0.1 www.virustotal.com
127.0.0.1 www.windowsupdate.microsoft.com

jhyiesla

Easiest thing to do is check the DNS settings on the network interface to see if they are what you expect. Then check the hosts file to make sure nothing been added there. FInally check the Proxy settings in IE. If all this pans out, download, update and run malwarebytes from malwarebytes.org.

maxxmyer

This article in EE will help you down the path
http://rdsrc.us/41sOIU

optoma

Use this to reset Hosts file back to defaults:
1-Create a system restore point

2-Download unlocker + Microsoft's hosts fixit
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (av may detect it as a threat so disable av temporarly, if so)
http://support.microsoft.com/kb/972034

3-Show hidden files
http://www.bleepingcomputer.com/tutorials/tutorial62.html

4-Run unlocker and browse to
C:\windows\system32\drivers\etc
Use unlocker to delete the host file

5-Reboot and run Microsoft's fixit to create new host file

6-Reboot again and check hosts file

>In case of a rootkit , malware present run these and posts logs as well :)
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

edbedb

The first thing I would try is Malware Bytes http://www.malwarebytes.org/

If it won't run in normal mode try it in safe mode.

Pleas post back with the result.

ainsworth_mis

ASKER

Thanks everyone for your quick reply. I will try optoma's solution's but, am wondering if it's just better to re-install OS.. I wonder if that's what happens as the end result for most of these cases.. Anyway, give me some time to post results.

jhyiesla

Typically if a PC is highly infected, that's always a good idea, but at this juncture I think trying the things we have suggested, especially the checks and malwarebytes may solve your problem with a minimum of effort.

ainsworth_mis

ASKER

Agreed.

ASKER CERTIFIED SOLUTION

sjklein42

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

edbedb

@sjklein42 - Did you read this part?

" I've removed all entries in hosts, but, then they re-appear."

sjklein42

Yes, I did read that. That's what points the finger even more clearly at the router. The Router has its own tables. Clearing your HOSTS file does not fix the poisoned router tables.

You need to reset the router to clear the redirect entries that were placed there by the virus.

edbedb

I would like to know how it's managing to change the hosts file.

younghv

Based on the actual entries in your HOSTS file, I don't think you will be able to get to any part of the Kaspersky web site (TDSSKiller recommendation from optoma).

If you can access it from another computer - then copy the zip file to USB/CD - then take it to the infected computer, you should be able to run it.

Basic post follows:
For Hijacking/re-directs, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete", you can also just hit "Enter" without typing in and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.
**************************

I think you will have access to MBAM, but if not use the same process to copy to USB/CD.

You appear to have already installed it, but try this method:

Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.

ainsworth_mis

ASKER

I'll ask this user to check other computers on his home network to see if hosts file is infected.. That may help to determine if it's a router problem. I'll also have him reset the router to factory, then, change the password... I'll keep you all posted.

ainsworth_mis

ASKER

TDSSKILLER and MBAM found nothing, not even in safe mode.

sjklein42

What happens is that, even after you disinfect your PC, the first time you go to google or one of the other sites that has a poisoned entry on the Router, you are redirected to a malicious site that reinfects the PC. You can also spread the virus to other PCs on the same router if they have the same vulnerability as the originally infected PC.

Nefarious. I didn't believe it at first either but with a few searches found many people talking about it.

"google redirect virus"

edbedb

Thanks for the explanation. That makes some sense but it's still not at the top of my list.

I would give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

younghv

ainsworth_mis,
The entire point of my post was to explain that you can't simply 'download' MBAM and run it - against all malware.

In some cases you have to rename the executable file before it touches the infected computer or it simply cannot do its job.

Also, running MBAM in 'Safe Mode' is basically only done if the computer will only boot to Safe Mode.

ainsworth_mis

ASKER

younghv:

Understood, I'll try this and get back to the board.

sjklein42

edbedb:

I have seen the Google redirect virus a few times recently, and you really do have all the symptoms.

Even if you don't want to reset your router for some reason (may be a pain, I know) please be sure you have a password on it. If you did not have a password before (default password), it is even more indication that this is the source of your infection.

I won't chime in again, but I'm leaving my "bet" placed that this is your problem.

g'luck!

Steven Carnahan

I have previously (actually a couple of times) had this happen. What actually fixed it was after running SpyBot and MalwareBytes and finding nothing I went in and deleted all temporary internet files. Then close the browser without navigating to any sites. Then re-open the browser and try again.

You may need to actually go to the folder and delete the files as the "delete all" doesn't actually delete all the cookies and temporary files.

Then make sure that you "imunize" with SpyBot and set it to protect your host file.

ainsworth_mis

ASKER

haha, you guys sure are fast with these great suggestions.. I've still yet to reach this user to try most of this stuff, however, my gut feeling points to a router infection...

Steven Carnahan

I have not heard of the router issue that sjklein42 referes too but I think I will look into it. It sounds like a good idea.

I have a home network that consists of 1 desktop hardwired, 4 laptops, xbox360, ps3, WII and a Brother printer all wireless. So far I have only experienced this issue on 2 of the laptops and both times my method resolved it.

Keep us posted.

younghv

I'm trying to think of how ANY router infection could modify the HOSTS file on a Windows system, but Lord knows anything is possible.

What is there about the Admin Account on a router that would allow access to the computer?

I tend to learn a lot more than I teach around here, so this would be good information to learn today.

ALSO:
My favorite program for cleaning Temp/Junk files from your system is CCleaner (www.ccleaner.com).

ainsworth_mis

ASKER

I was surprised to find out, yes, the router was in fact infected..

younghv

@ainsworth_mis,
I read through the article about infected routers and it appears to me that you were also required to disinfect your computers after doing the router repair.

If you used any of the Expert's comments posted to repair your computers, you should rightfully have split points with those Experts.