• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1145

Internet Explorer Re-directs user

One of our users appears to have an issue where he gets redirected to strange pages in IE, even while trying to browse Google. I've posted the HijackThis file, and also his hosts file, which fills up automatically. I've removed all entries in hosts, but then they reappear. I'm new to HijackThis and would appreciate any assistance you can offer.

Hijack This log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:28:02 PM, on 3/3/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Tivoli\CDP_for_Files\FilePathSrv.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Users\"private" (ive removed this)\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe
C:\Program Files\IBM\Lotus\Notes\NLNOTES.EXE
C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.1.20090925-1604\win32\x86\notes2.exe
C:\Program Files\IBM\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IMSS] "C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe"
O4 - HKCU\..\RunOnce: [*LogMeInRescue_2977238576] "C:\Users\"private"\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe" -runonce reboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: CDPforFilesSrv.lnk = C:\Program Files\Tivoli\CDP_for_Files\FilePathSrv.exe
O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E734BF43-7194-4E3A-832F-307606DDF665} (Unyte Conferencing Plugin) - https://ds.conferenceservers.com/components/WDPLUGIN.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = "I've removed this for security reasons, but, it does show our domain"
O17 - HKLM\Software\..\Telephony: DomainName = "same as above"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B160DB8F-4791-4671-BE2C-09D77E531E34}: Domain = "removed"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B160DB8F-4791-4671-BE2C-09D77E531E34}: NameServer = "both showed fine, but removed for security
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = "removed"
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = "removed"
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = "removed"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = "removed"
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CDPforFilesSrv (filepathsrv) - IBM Corporation - C:\Windows\system32\filepathsrv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Company - C:\Windows\system32\Hpservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Lotus Notes Diagnostics - IBM Corp - C:\Program Files\IBM\Lotus\Notes\nsd.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\IBM\Lotus\Notes\nslsvice.exe
O23 - Service: lxebCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxebserv.exe
O23 - Service: lxeb_device -   - C:\Windows\system32\lxebcoms.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\STacSV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: Validity VCS Fingerprint Service (vcsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vcsFPService.exe
O23 - Service: WSWNA1100 - Unknown owner - C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe

End of file - 9541 bytes

hosts file

# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#     rhino.acme.com          # source server
#     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       localhost
#      ::1             localhost akamai.avg.com antivir.es anti-virus.by avast.com avg.com avp.com avp.ru avp.ru/download/ avpg.crsi.symantec.com backup.avg.cz bancoguayaquil.com bcpzonasegura.viabcp.com bitdefender.com clamav.net comodo.com customer.symantec.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com downloads1.kaspersky-labs.com downloads1.kaspersky-labs.com/products/ downloads1.kaspersky-labs.com/updates/ downloads2.kaspersky-labs.com downloads2.kaspersky-labs.com/products/ downloads2.kaspersky-labs.com/updates/ downloads3.kaspersky-labs.com downloads3.kaspersky-labs.com/products/ downloads3.kaspersky-labs.com/updates/ downloads4.kaspersky-labs.com downloads4.kaspersky-labs.com/products/ downloads4.kaspersky-labs.com/updates/ downloads5.kaspersky-labs.com downloads5.kaspersky-labs.com/products/ downloads5.kaspersky-labs.com/updates/ drweb.com emsisoft.com eset.com eset.com/ eset.com/download/index.php eset.com/joomla/ eset.com/products/index.php eset.es fortinet.com f-prot.com f-secure.com gdata.es go.microsoft.com hacksoft.com.pe ikarus.at kaspersky.com kaspersky.ru kaspersky-labs.com liveupdate.symantec.com liveupdate.symantecliveupdate.com macafee.com mast.mcafee.com mcafee.com microsoft.com msdn.microsoft.com my-etrust.com networkassociates.com nod32.com norman.com norton.com nprotect.com pandasecurity.com pandasoftware.com pctools.com pif.symantec.com pifmain.symantec.com rads.mcafee.com rising-global.com scanner.novirusthanks.org secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com sunbeltsoftware.com support.microsoft.com symantec.com symantec.com/updates threatexpert.com trendmicro.com u2.eset.com u20.eset.com u3.eset.com u3.eset.com/ u4.eset.com u4.eset.com/ u7.eset.com update.avg.com update.microsoft.com update.symantec.com updates.symantec.com updates1.kaspersky-labs.com updates2.kaspersky-labs.com updates3.kaspersky-labs.com us.mcafee.com viabcp.com virscan.org virusbuster.hu 
viruslist.com viruslist.ru virusscan.jotti.org virustotal.com windowsupdate.microsoft.com www.ahnlab.com www.aladdin.com www.antivir.es www.antiy.net www.authentium.com www.avast.com www.avg.com www.avp.com www.avp.ru www.avp.ru/download/ www.bitdefender.com www.clamav.net www.comodo.com www.download.mcafee.com www.drweb.com www.emsisoft.com www.eset.com www.eset.com/ www.eset.com/download/index.php www.eset.com/joomla/ www.eset.com/products/index.php www.fortinet.com www.f-prot.com www.f-secure.com www.gdata.es www.grisoft.com www.ikarus.at www.kaspersky.com www.kaspersky.ru www.kaspersky-labs.com www.macafee.com www.mcafee.com www.microsoft.com www.my-etrust.com www.networkassociates.com www.nod32.com www.norman.com www.norton.com www.nprotect.com www.pandasecurity.com www.pandasoftware.com www.pctools.com www.rising-global.com www.scanner.novirusthanks.org www.sophos.com www.sunbeltsoftware.com www.symantec.com www.symantec.com/updates www.trendmicro.com www.virscan.org www.viruslist.com www.viruslist.ru www.virusscan.jotti.org www.virustotal.com www.windowsupdate.microsoft.com
1 Solution
Easiest thing to do is check the DNS settings on the network interface to see if they are what you expect. Then check the hosts file to make sure nothing has been added there. Finally check the Proxy settings in IE. If all this pans out, download, update and run Malwarebytes from malwarebytes.org.
This article in EE will help you down the path
Use this to reset Hosts file back to defaults:
1-Create a system restore point
2-Download unlocker + Microsoft's hosts fixit
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (AV may detect it as a threat; if so, disable AV temporarily)

3-Show hidden files

4-Run unlocker and browse to
Use unlocker to delete the host file

5-Reboot and run Microsoft's fixit to create new host file

6-Reboot again and check hosts file

>In case of a rootkit or malware present, run these and post logs as well :)
TdssKiller and Hitmanpro.
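As an added example (not code from the thread), a small Python auditor for the "check the hosts file" step above: it parses the Windows hosts format the way the file's own header describes it and flags every active mapping, singling out security-vendor and update domains like the ones in the posted file and tokens that are not host names at all. The vendor suffix list and the sample hosts text are constructed for the example; on Windows 7 the stock file has no active entries, so any record is admin- or malware-added.

```python
import ipaddress
import re

# Constructed watch-list: suffixes of the security-vendor and update domains the
# posted hosts file mapped away (a subset of what appears in the thread).
SECURITY_VENDOR_SUFFIXES = (
    "microsoft.com", "kaspersky-labs.com", "kaspersky.com", "symantec.com",
    "mcafee.com", "avg.com", "eset.com", "trendmicro.com", "malwarebytes.org",
)
# A syntactically valid host name: dot-separated labels of letters, digits, hyphens.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")

def parse_hosts(text):
    """Parse hosts-file text into {line, ip, names} records, following the
    file's own header: '#' starts a comment, fields are whitespace-separated."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            records.append({"line": lineno, "ip": fields[0], "names": fields[1:]})
    return records

def audit_hosts(text):
    """One finding per suspicious mapping. A stock Windows 7 hosts file has no
    active lines, so every record is admin- or malware-added; only a plain
    'localhost' mapping is treated as harmless."""
    findings = []
    for rec in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            findings.append({"line": rec["line"], "ip": rec["ip"], "name": "",
                             "reason": "first field is not an IP address"})
            continue
        for name in rec["names"]:
            lname = name.lower()
            if lname == "localhost":
                continue
            finding = {"line": rec["line"], "ip": rec["ip"], "name": name}
            if not _HOSTNAME_RE.match(name):
                # The posted file carried tokens like 'avp.ru/download/': a URL
                # path is never a host name, so such a token is always injected.
                finding["reason"] = "not a valid host name"
            elif any(lname == s or lname.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES):
                how = "blocked via loopback" if addr.is_loopback else "redirected to " + rec["ip"]
                finding["reason"] = "security-vendor/update domain " + how
            else:
                finding["reason"] = "non-localhost mapping; confirm it is intentional"
            findings.append(finding)
    return findings

# Constructed sample in the Windows 7 layout; all mappings and IPs are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
127.0.0.1 localhost
127.0.0.1 update.microsoft.com downloads1.kaspersky-labs.com   # hijack entries
203.0.113.7 www.google.com
127.0.0.1 avp.ru/download/
10.1.2.3 intranet.example   # what a legitimate admin-added entry looks like
"""
```

Run `audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())` on a suspect machine; a loopback mapping for a vendor's update host is the signature this thread is about.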

The first thing I would try is Malwarebytes http://www.malwarebytes.org/

If it won't run in normal mode try it in safe mode.

Please post back with the result.
ainsworth_mis Author Commented:
Thanks everyone for your quick reply. I will try optoma's solutions but am wondering if it's just better to re-install the OS. I wonder if that's what happens as the end result for most of these cases. Anyway, give me some time to post results.
Typically if a PC is highly infected, that's always a good idea, but at this juncture I think trying the things we have suggested, especially the checks and malwarebytes may solve your problem with a minimum of effort.
ainsworth_mis Author Commented:
I believe your router is infected with the Google Redirect virus.  If the router still has its default password, that is almost surely the problem.

The first step in clearing it up is to reset and secure the router.

There is a great deal of discussion about this on the Web, for example:

@sjklein42 - Did you read this part?

" I've removed all entries in hosts, but, then they re-appear."
Yes, I did read that.  That's what points the finger even more clearly at the router.  The Router has its own tables.  Clearing your HOSTS file does not fix the poisoned router tables.

You need to reset the router to clear the redirect entries that were placed there by the virus.
I would like to know how it's managing to change the hosts file.
Based on the actual entries in your HOSTS file, I don't think you will be able to get to any part of the Kaspersky web site (TDSSKiller recommendation from optoma).

If you can access it from another computer - then copy the zip file to USB/CD - then take it to the infected computer, you should be able to run it.

Basic post follows:
For Hijacking/re-directs, you might want to start with TDSSKILLER found here:

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete",  you can also just hit "Enter" without typing in and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.

I think you will have access to MBAM, but if not use the same process to copy to USB/CD.

You appear to have already installed it, but try this method:

Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.

ainsworth_mis Author Commented:
I'll ask this user to check other computers on his home network to see if the hosts file is infected. That may help to determine if it's a router problem. I'll also have him reset the router to factory defaults, then change the password. I'll keep you all posted.
ainsworth_mis Author Commented:
TDSSKILLER and MBAM found nothing, not even in safe mode.
What happens is that, even after you disinfect your PC, the first time you go to google or one of the other sites that has a poisoned entry on the Router, you are redirected to a malicious site that reinfects the PC.  You can also spread the virus to other PCs on the same router if they have the same vulnerability as the originally infected PC.

Nefarious.  I didn't believe it at first either but with a few searches found many people talking about it.

"google redirect virus"
Thanks for the explanation. That makes some sense but it's still not at the top of my list.

I would give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
The entire point of my post was to explain that you can't simply 'download' MBAM and run it - against all malware.

In some cases you have to rename the executable file before it touches the infected computer or it simply cannot do its job.

Also, running MBAM in 'Safe Mode' is basically only done if the computer will only boot to Safe Mode.
ainsworth_mis Author Commented:
Understood, I'll try this and get back to the board.

I have seen the Google redirect virus a few times recently, and you really do have all the symptoms.

Even if you don't want to reset your router for some reason (may be a pain, I know) please be sure you have a password on it.  If you did not have a password before (default password), it is even more indication that this is the source of your infection.

I won't chime in again, but I'm leaving my "bet" placed that this is your problem.

I have previously (actually a couple of times) had this happen.  What actually fixed it was after running SpyBot and MalwareBytes and finding nothing I went in and deleted all temporary internet files. Then close the browser without navigating to any sites. Then re-open the browser and try again.

You may need to actually go to the folder and delete the files as the "delete all" doesn't actually delete all the cookies and temporary files.

Then make sure that you "immunize" with SpyBot and set it to protect your hosts file.
ainsworth_mis Author Commented:
haha, you guys sure are fast with these great suggestions.. I've still yet to reach this user to try most of this stuff, however, my gut feeling points to a router infection...
I have not heard of the router issue that sjklein42 refers to, but I think I will look into it. It sounds like a good idea.

I have a home network that consists of 1 desktop hardwired, 4 laptops, xbox360, ps3, WII and a Brother printer all wireless. So far I have only experienced this issue on 2 of the laptops and both times my method resolved it.

Keep us posted.
I'm trying to think of how ANY router infection could modify the HOSTS file on a Windows system, but Lord knows anything is possible.

What is there about the Admin Account on a router that would allow access to the computer?

I tend to learn a lot more than I teach around here, so this would be good information to learn today.

My favorite program for cleaning Temp/Junk files from your system is CCleaner (www.ccleaner.com).
ainsworth_mis Author Commented:
I was surprised to find out, yes, the router was in fact infected..
I read through the article about infected routers and it appears to me that you were also required to disinfect your computers after doing the router repair.

If you used any of the Expert's comments posted to repair your computers, you should rightfully have split points with those Experts.
