

Internet Explorer Re-directs user

Posted on 2011-03-04
Medium Priority
Last Modified: 2013-11-22

One of our users appears to have an issue where he gets re-directed to strange pages in IE, even while trying to browse Google. I've posted the HijackThis file, as well as his hosts file, which fills up automatically. I've removed all entries in hosts, but then they re-appear. I'm new to HijackThis and would appreciate any assistance you can offer.

HijackThis log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:28:02 PM, on 3/3/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Tivoli\CDP_for_Files\FilePathSrv.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Users\"private" (I've removed this)\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe
C:\Program Files\IBM\Lotus\Notes\NLNOTES.EXE
C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\\win32\x86\notes2.exe
C:\Program Files\IBM\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IMSS] "C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe"
O4 - HKCU\..\RunOnce: [*LogMeInRescue_2977238576] "C:\Users\"private"\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe" -runonce reboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: CDPforFilesSrv.lnk = C:\Program Files\Tivoli\CDP_for_Files\FilePathSrv.exe
O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E734BF43-7194-4E3A-832F-307606DDF665} (Unyte Conferencing Plugin) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = "I've removed this for security reasons, but, it does show our domain"
O17 - HKLM\Software\..\Telephony: DomainName = "same as above"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B160DB8F-4791-4671-BE2C-09D77E531E34}: Domain = "removed"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B160DB8F-4791-4671-BE2C-09D77E531E34}: NameServer = "both showed fine, but removed for security"
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = "removed"
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = "removed"
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = "removed"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = "removed"
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CDPforFilesSrv (filepathsrv) - IBM Corporation - C:\Windows\system32\filepathsrv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Company - C:\Windows\system32\Hpservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Lotus Notes Diagnostics - IBM Corp - C:\Program Files\IBM\Lotus\Notes\nsd.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\IBM\Lotus\Notes\nslsvice.exe
O23 - Service: lxebCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxebserv.exe
O23 - Service: lxeb_device -   - C:\Windows\system32\lxebcoms.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\STacSV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: Validity VCS Fingerprint Service (vcsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vcsFPService.exe
O23 - Service: WSWNA1100 - Unknown owner - C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe

End of file - 9541 bytes

hosts file

# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#          # source server
#              # x client host

# localhost name resolution is handled within DNS itself.
#       localhost
#      ::1             localhost
Question by:ainsworth_mis
LVL 28

Expert Comment

ID: 35037172
Easiest thing to do is check the DNS settings on the network interface to see if they are what you expect. Then check the hosts file to make sure nothing has been added there. Finally check the Proxy settings in IE. If all this pans out, download, update and run Malwarebytes from

Expert Comment

ID: 35037175
This article in EE will help you down the path
LVL 22

Expert Comment

ID: 35037209
Use this to reset Hosts file back to defaults:
1-Create a system restore point
2-Download unlocker + Microsoft's hosts fixit (AV may detect it as a threat, so disable AV temporarily if so)

3-Show hidden files

4-Run unlocker and browse to
Use unlocker to delete the host file

5-Reboot and run Microsoft's fixit to create new host file

6-Reboot again and check hosts file

>In case of a rootkit or malware present, run these and post logs as well :)
TdssKiller and Hitmanpro.

LVL 23

Expert Comment

ID: 35037248
The first thing I would try is Malwarebytes

If it won't run in normal mode try it in safe mode.

Please post back with the result.

Author Comment

ID: 35037326
Thanks everyone for your quick reply. I will try optoma's solutions but am wondering if it's just better to re-install the OS.. I wonder if that's what happens as the end result for most of these cases.. Anyway, give me some time to post results.
LVL 28

Expert Comment

ID: 35037383
Typically if a PC is highly infected, that's always a good idea, but at this juncture I think trying the things we have suggested, especially the checks and malwarebytes may solve your problem with a minimum of effort.

Author Comment

ID: 35037449
LVL 16

Accepted Solution

sjklein42 earned 2000 total points
ID: 35037471
I believe your router is infected with the Google Redirect virus.  If the router still has its default password, that is almost surely the problem.

The first step in clearing it up is to reset and secure the router.

There is a great deal of discussion about this on the Web, for example:
LVL 23

Expert Comment

ID: 35037577
@sjklein42 - Did you read this part?

" I've removed all entries in hosts, but, then they re-appear."
LVL 16

Expert Comment

ID: 35037613
Yes, I did read that.  That's what points the finger even more clearly at the router.  The Router has its own tables.  Clearing your HOSTS file does not fix the poisoned router tables.

You need to reset the router to clear the redirect entries that were placed there by the virus.
LVL 23

Expert Comment

ID: 35037644
I would like to know how it's managing to change the hosts file.
LVL 38

Expert Comment

ID: 35037664
Based on the actual entries in your HOSTS file, I don't think you will be able to get to any part of the Kaspersky web site (TDSSKiller recommendation from optoma).

If you can access it from another computer - then copy the zip file to USB/CD - then take it to the infected computer, you should be able to run it.

Basic post follows:
For Hijacking/re-directs, you might want to start with TDSSKILLER found here:

* Download the file and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.

I think you will have access to MBAM, but if not use the same process to copy to USB/CD.

You appear to have already installed it, but try this method:

Malwarebytes (MBAM) (
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
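
As an added example (not code from any post in this thread), a small Python script that performs two of the checks suggested above offline: it lists the active entries in a Windows hosts file that map anything other than localhost (the kind of entry that blocks a vendor site or redirects Google), and it pulls the DNS server list out of `ipconfig /all` output and flags any server outside the set you expect. The hosts file and ipconfig excerpt embedded in it are constructed samples using TEST-NET addresses, not the asker's data.

```python
import ipaddress
import re
# Only hostname a stock Windows 7 hosts file may map; anything else is a finding.
DEFAULT_HOSTS_NAMES = {"localhost"}

# Constructed sample hosts file (not the asker's): the stock comment header plus
# the kind of entries a redirect infection adds (192.0.2.x is a TEST-NET address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#      127.0.0.1       localhost
127.0.0.1   localhost
127.0.0.1   www.kaspersky.com   # blocks the vendor site that hosts TDSSKiller
192.0.2.10  google.com www.google.com
"""
# Constructed `ipconfig /all` excerpt (not the asker's); Windows prints the
# second and later DNS servers on indented continuation lines of their own.
SAMPLE_IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_hosts(text):
    """Return [(ip, hostname)] for every active (non-comment) mapping."""
    mappings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an "IP name [name ...]" line
        mappings.extend((str(ip), name.lower()) for name in fields[1:])
    return mappings

def suspicious_hosts_entries(text):
    """Active mappings for anything but localhost; a clean Windows 7 file has none."""
    return [(ip, n) for ip, n in parse_hosts(text) if n not in DEFAULT_HOSTS_NAMES]

def dns_servers(ipconfig_text):
    """Collect every DNS server address from `ipconfig /all` output."""
    servers, in_list = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if m:
            servers.append(m.group(1))
            in_list = True
        elif in_list and re.fullmatch(r"[0-9a-fA-F.:%]+", line.strip()):
            servers.append(line.strip())  # continuation line holds only an address
        else:
            in_list = False
    return servers

def rogue_dns_servers(ipconfig_text, expected):
    """DNS servers the interface actually uses that are not ones you expect."""
    return [s for s in dns_servers(ipconfig_text) if s not in set(expected)]
```

On a real machine, feed it the contents of `C:\Windows\System32\drivers\etc\hosts` and the saved output of `ipconfig /all`, with your ISP's or domain's resolvers as the expected list.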


Author Comment

ID: 35037683
I'll ask this user to check other computers on his home network to see if hosts file is infected.. That may help to determine if it's a router problem. I'll also have him reset the router to factory, then, change the password... I'll keep you all posted.

Author Comment

ID: 35037693
TDSSKILLER and MBAM found nothing, not even in safe mode.
LVL 16

Expert Comment

ID: 35037713
What happens is that, even after you disinfect your PC, the first time you go to google or one of the other sites that has a poisoned entry on the Router, you are redirected to a malicious site that reinfects the PC.  You can also spread the virus to other PCs on the same router if they have the same vulnerability as the originally infected PC.

Nefarious.  I didn't believe it at first either but with a few searches found many people talking about it.

"google redirect virus"
LVL 23

Expert Comment

ID: 35037759
Thanks for the explanation. That makes some sense but it's still not at the top of my list.

I would give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post. 
LVL 38

Expert Comment

ID: 35037760
The entire point of my post was to explain that you can't simply 'download' MBAM and run it - against all malware.

In some cases you have to rename the executable file before it touches the infected computer or it simply cannot do its job.

Also, running MBAM in 'Safe Mode' is basically only done if the computer will only boot to Safe Mode.

Author Comment

ID: 35037796

Understood, I'll try this and get back to the board.
LVL 16

Expert Comment

ID: 35037862

I have seen the Google redirect virus a few times recently, and you really do have all the symptoms.

Even if you don't want to reset your router for some reason (may be a pain, I know) please be sure you have a password on it.  If you did not have a password before (default password), it is even more indication that this is the source of your infection.

I won't chime in again, but I'm leaving my "bet" placed that this is your problem.

LVL 26

Expert Comment

ID: 35037910
I have previously (actually a couple of times) had this happen.  What actually fixed it was after running SpyBot and MalwareBytes and finding nothing I went in and deleted all temporary internet files. Then close the browser without navigating to any sites. Then re-open the browser and try again.

You may need to actually go to the folder and delete the files as the "delete all" doesn't actually delete all the cookies and temporary files.

Then make sure that you "immunize" with SpyBot and set it to protect your hosts file.

Author Comment

ID: 35037937
haha, you guys sure are fast with these great suggestions.. I've still yet to reach this user to try most of this stuff, however, my gut feeling points to a router infection...
LVL 26

Expert Comment

ID: 35037995
I have not heard of the router issue that sjklein42 refers to but I think I will look into it. It sounds like a good idea.

I have a home network that consists of 1 desktop hardwired, 4 laptops, xbox360, ps3, WII and a Brother printer all wireless. So far I have only experienced this issue on 2 of the laptops and both times my method resolved it.

Keep us posted.
LVL 38

Expert Comment

ID: 35038080
I'm trying to think of how ANY router infection could modify the HOSTS file on a Windows system, but Lord knows anything is possible.

What is there about the Admin Account on a router that would allow access to the computer?

I tend to learn a lot more than I teach around here, so this would be good information to learn today.

My favorite program for cleaning Temp/Junk files from your system is CCleaner (

Author Closing Comment

ID: 35074866
I was surprised to find out, yes, the router was in fact infected..
LVL 38

Expert Comment

ID: 35086889
I read through the article about infected routers and it appears to me that you were also required to disinfect your computers after doing the router repair.

If you used any of the Expert's comments posted to repair your computers, you should rightfully have split points with those Experts.

Question has a verified solution.