Solved

Internet Explorer Re-directs user

Posted on 2011-03-04
1,042 Views
Last Modified: 2013-11-22
Hi,

One of our users appears to have an issue where he gets redirected to strange pages in IE, even while trying to browse Google. I've posted the HijackThis file, and as well his hosts file, which fills up automatically. I've removed all entries in hosts, but then they reappear. I'm new to HijackThis and would appreciate any assistance you can offer.

---------------------------------------------------------------------
Hijack This log
---------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:28:02 PM, on 3/3/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Tivoli\CDP_for_Files\FilePathSrv.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Users\"private" (ive removed this)\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Users\"private"\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe
C:\Program Files\IBM\Lotus\Notes\NLNOTES.EXE
C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.1.20090925-1604\win32\x86\notes2.exe
C:\Program Files\IBM\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IMSS] "C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe"
O4 - HKCU\..\RunOnce: [*LogMeInRescue_2977238576] "C:\Users\"private"\AppData\Local\Temp\LMIR0001.tmp\lmi_rescue.exe" -runonce reboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: CDPforFilesSrv.lnk = C:\Program Files\Tivoli\CDP_for_Files\FilePathSrv.exe
O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E734BF43-7194-4E3A-832F-307606DDF665} (Unyte Conferencing Plugin) - https://ds.conferenceservers.com/components/WDPLUGIN.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = "I've removed this for security reasons, but, it does show our domain"

O17 - HKLM\Software\..\Telephony: DomainName = "same as above"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B160DB8F-4791-4671-BE2C-09D77E531E34}: Domain = "removed"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B160DB8F-4791-4671-BE2C-09D77E531E34}: NameServer = "both showed fine, but removed for security
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = "removed"
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = "removed"
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = "removed"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = "removed"
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CDPforFilesSrv (filepathsrv) - IBM Corporation - C:\Windows\system32\filepathsrv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Company - C:\Windows\system32\Hpservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Lotus Notes Diagnostics - IBM Corp - C:\Program Files\IBM\Lotus\Notes\nsd.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\IBM\Lotus\Notes\nslsvice.exe
O23 - Service: lxebCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxebserv.exe
O23 - Service: lxeb_device -   - C:\Windows\system32\lxebcoms.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_1fb74af29935fce6\STacSV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: Validity VCS Fingerprint Service (vcsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vcsFPService.exe
O23 - Service: WSWNA1100 - Unknown owner - C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe

--
End of file - 9541 bytes
--------------------------------------------

----------------
hosts file
-----------------

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost




127.0.0.1 82.165.237.14
127.0.0.1 82.165.250.33
127.0.0.1 akamai.avg.com
127.0.0.1 antivir.es
127.0.0.1 anti-virus.by
127.0.0.1 avast.com
127.0.0.1 avg.com
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 avp.ru/download/
127.0.0.1 avpg.crsi.symantec.com
127.0.0.1 backup.avg.cz
127.0.0.1 bancoguayaquil.com
127.0.0.1 bcpzonasegura.viabcp.com
127.0.0.1 bitdefender.com
127.0.0.1 clamav.net
127.0.0.1 comodo.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com/products/
127.0.0.1 downloads1.kaspersky-labs.com/updates/
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com/products/
127.0.0.1 downloads2.kaspersky-labs.com/updates/
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com/products/
127.0.0.1 downloads3.kaspersky-labs.com/updates/
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com/products/
127.0.0.1 downloads4.kaspersky-labs.com/updates/
127.0.0.1 downloads5.kaspersky-labs.com
127.0.0.1 downloads5.kaspersky-labs.com/products/
127.0.0.1 downloads5.kaspersky-labs.com/updates/
127.0.0.1 drweb.com
127.0.0.1 emsisoft.com
127.0.0.1 eset.com
127.0.0.1 eset.com/
127.0.0.1 eset.com/download/index.php
127.0.0.1 eset.com/joomla/
127.0.0.1 eset.com/products/index.php
127.0.0.1 eset.es
127.0.0.1 fortinet.com
127.0.0.1 f-prot.com
127.0.0.1 f-secure.com
127.0.0.1 gdata.es
127.0.0.1 go.microsoft.com
127.0.0.1 hacksoft.com.pe
127.0.0.1 ikarus.at
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky.ru
127.0.0.1 kaspersky-labs.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 macafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 networkassociates.com
127.0.0.1 nod32.com
127.0.0.1 norman.com
127.0.0.1 norton.com
127.0.0.1 nprotect.com
127.0.0.1 pandasecurity.com
127.0.0.1 pandasoftware.com
127.0.0.1 pctools.com
127.0.0.1 pif.symantec.com
127.0.0.1 pifmain.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 rising-global.com
127.0.0.1 scanner.novirusthanks.org
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 sunbeltsoftware.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 symantec.com/updates
127.0.0.1 threatexpert.com
127.0.0.1 trendmicro.com
127.0.0.1 u2.eset.com
127.0.0.1 u20.eset.com
127.0.0.1 u3.eset.com
127.0.0.1 u3.eset.com/
127.0.0.1 u4.eset.com
127.0.0.1 u4.eset.com/
127.0.0.1 u7.eset.com
127.0.0.1 update.avg.com
127.0.0.1 update.microsoft.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 updates2.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 us.mcafee.com
127.0.0.1 viabcp.com
127.0.0.1 virscan.org
127.0.0.1 virusbuster.hu
127.0.0.1 viruslist.com
127.0.0.1 viruslist.ru
127.0.0.1 virusscan.jotti.org
127.0.0.1 virustotal.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.ahnlab.com
127.0.0.1 www.aladdin.com
127.0.0.1 www.antivir.es
127.0.0.1 www.antiy.net
127.0.0.1 www.authentium.com
127.0.0.1 www.avast.com
127.0.0.1 www.avg.com
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.avp.ru/download/
127.0.0.1 www.bitdefender.com
127.0.0.1 www.clamav.net
127.0.0.1 www.comodo.com
127.0.0.1 www.download.mcafee.com
127.0.0.1 www.drweb.com
127.0.0.1 www.emsisoft.com
127.0.0.1 www.eset.com
127.0.0.1 www.eset.com/
127.0.0.1 www.eset.com/download/index.php
127.0.0.1 www.eset.com/joomla/
127.0.0.1 www.eset.com/products/index.php
127.0.0.1 www.fortinet.com
127.0.0.1 www.f-prot.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.gdata.es
127.0.0.1 www.grisoft.com
127.0.0.1 www.ikarus.at
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 www.macafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.nod32.com
127.0.0.1 www.norman.com
127.0.0.1 www.norton.com
127.0.0.1 www.nprotect.com
127.0.0.1 www.pandasecurity.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.pctools.com
127.0.0.1 www.rising-global.com
127.0.0.1 www.scanner.novirusthanks.org
127.0.0.1 www.sophos.com
127.0.0.1 www.sunbeltsoftware.com
127.0.0.1 www.symantec.com
127.0.0.1 www.symantec.com/updates
127.0.0.1 www.trendmicro.com
127.0.0.1 www.virscan.org
127.0.0.1 www.viruslist.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www.virusscan.jotti.org
127.0.0.1 www.virustotal.com
127.0.0.1 www.windowsupdate.microsoft.com
0
Question by:ainsworth_mis
25 Comments
 
LVL 28

Expert Comment

by:jhyiesla
The easiest thing to do is check the DNS settings on the network interface to see if they are what you expect. Then check the hosts file to make sure nothing has been added there. Finally, check the proxy settings in IE. If all this pans out, download, update and run Malwarebytes from malwarebytes.org.
0
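The hosts file posted in the question and the hosts-file check suggested in the reply above lend themselves to a repeatable audit. The Python below is an added example, not code from the thread or from any tool named in it; the sample hosts text, the baseline and the vendor watch list are constructed from the kinds of entries the posted file shows (AV and update domains sinkholed to 127.0.0.1, paths and IP literals in the name column).

```python
import ipaddress
import re

# Vendor and update domains drawn from the hosts file posted in the question;
# extend this tuple for the products used in your own estate.
WATCHED = ("microsoft.com", "symantec.com", "kaspersky.com", "kaspersky-labs.com",
           "mcafee.com", "avg.com", "eset.com", "trendmicro.com", "malwarebytes.org")
# RFC 1123 hostname shape: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
                         r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)

# Constructed sample modelled on the posted file, not the user's actual file.
SAMPLE_HOSTS = """\
#      127.0.0.1       localhost
127.0.0.1 localhost
10.0.0.5  intranet.example.test   # legitimate admin-added mapping
127.0.0.1 82.165.237.14
127.0.0.1 update.microsoft.com windowsupdate.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 eset.com/download/index.php
0.0.0.0   downloads1.kaspersky-labs.com
82.165.237.14 www.google.com
"""
# Constructed baseline: the file as it looked right after the last manual clean-up.
BASELINE_HOSTS = "127.0.0.1 localhost\n10.0.0.5 intranet.example.test\n"

def parse_hosts(text):
    """Return (lineno, address, name) for every mapping; '#' comments are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:               # one line may map several names
            entries.append((lineno, fields[0], name))
    return entries

def looks_like_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_watched(name):
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def classify(address, name):
    """Label one mapping; None means the stock loopback -> localhost entry."""
    if name.lower() == "localhost" and address in ("127.0.0.1", "::1"):
        return None
    if not looks_like_ip(address):
        return "malformed-address"
    ip = ipaddress.ip_address(address)
    # A path in the name column, or an IP literal there, can never match a lookup.
    # The posted file has dozens of these: a sign it was written by a tool, not by hand.
    if "/" in name or looks_like_ip(name) or not HOSTNAME_RE.match(name):
        return "unmatchable-name"
    sinkholed = ip.is_loopback or ip.is_unspecified    # 127.0.0.1, ::1, 0.0.0.0
    if is_watched(name):
        return "security-site-blackholed" if sinkholed else "security-site-redirected"
    if not (sinkholed or ip.is_private):
        return "redirected-to-public-ip"             # e.g. google.com -> remote host
    return "custom-mapping"                          # worth a look, not alarming by itself

def audit(text):
    """Return [(lineno, address, name, label)] for every entry that is not the default."""
    labelled = [(ln, a, n, classify(a, n)) for ln, a, n in parse_hosts(text)]
    return [row for row in labelled if row[3] is not None]

def added_since(baseline_text, current_text):
    """Entries in current_text absent from baseline_text: catches a hosts file that
    fills up again after being cleaned, as described in the question."""
    base = {(a, n) for _, a, n in parse_hosts(baseline_text)}
    return [e for e in parse_hosts(current_text) if (e[1], e[2]) not in base]

if __name__ == "__main__":
    for lineno, address, name, label in audit(SAMPLE_HOSTS):
        print(f"line {lineno:>2}: {address:<14} {name:<36} {label}")
    print(len(added_since(BASELINE_HOSTS, SAMPLE_HOSTS)), "entries added since baseline")
```

On a real machine, feed it the contents of C:\Windows\System32\drivers\etc\hosts and a copy saved after cleaning; a non-empty `added_since` result on a file nobody edited is the re-population the question describes.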
 
LVL 2

Expert Comment

by:maxxmyer
This article in EE will help you down the path
http://rdsrc.us/41sOIU
0
 
LVL 22

Expert Comment

by:optoma
Use this to reset the hosts file back to defaults:
1-Create a system restore point

2-Download Unlocker + Microsoft's hosts Fix it
http://ccollomb.free.fr/unlocker/unlocker1.8.8-portable.zip (AV may detect it as a threat, so disable AV temporarily if so)
http://support.microsoft.com/kb/972034

3-Show hidden files
http://www.bleepingcomputer.com/tutorials/tutorial62.html

4-Run Unlocker and browse to
C:\windows\system32\drivers\etc
Use Unlocker to delete the hosts file

5-Reboot and run Microsoft's Fix it to create a new hosts file

6-Reboot again and check the hosts file

> In case a rootkit or other malware is present, run these and post the logs as well :)
TDSSKiller and HitmanPro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro
0
 
LVL 23

Expert Comment

by:edbedb
The first thing I would try is Malwarebytes http://www.malwarebytes.org/

If it won't run in normal mode, try it in safe mode.

Please post back with the result.
0
 

Author Comment

by:ainsworth_mis
Thanks everyone for your quick replies. I will try optoma's solutions, but am wondering if it's just better to reinstall the OS... I wonder if that's what happens as the end result for most of these cases... Anyway, give me some time to post results.
0
 
LVL 28

Expert Comment

by:jhyiesla
Typically, if a PC is highly infected, that's always a good idea, but at this juncture I think trying the things we have suggested, especially the checks and Malwarebytes, may solve your problem with a minimum of effort.
0
 

Author Comment

by:ainsworth_mis
Agreed.
0
 
LVL 16

Accepted Solution

by:
sjklein42 earned 500 total points
I believe your router is infected with the Google Redirect virus. If the router still has its default password, that is almost surely the problem.

The first step in clearing it up is to reset and secure the router.

There is a great deal of discussion about this on the Web, for example:

http://tidystorm.com/423/the-redirect-virus-was-in-my-router/
0
 
LVL 23

Expert Comment

by:edbedb
@sjklein42 - Did you read this part?

" I've removed all entries in hosts, but, then they re-appear."
0
 
LVL 16

Expert Comment

by:sjklein42
Yes, I did read that. That's what points the finger even more clearly at the router. The router has its own tables. Clearing your HOSTS file does not fix the poisoned router tables.

You need to reset the router to clear the redirect entries that were placed there by the virus.
0
 
LVL 23

Expert Comment

by:edbedb
I would like to know how it's managing to change the hosts file.
0
 
LVL 38

Expert Comment

by:younghv
Based on the actual entries in your HOSTS file, I don't think you will be able to get to any part of the Kaspersky web site (TDSSKiller recommendation from optoma).

If you can access it from another computer - then copy the zip file to USB/CD - then take it to the infected computer, you should be able to run it.

Basic post follows:
For Hijacking/re-directs, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.
**************************

I think you will have access to MBAM, but if not use the same process to copy to USB/CD.

You appear to have already installed it, but try this method:

Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.

0

Author Comment

by:ainsworth_mis
I'll ask this user to check other computers on his home network to see if the hosts file is infected... That may help to determine if it's a router problem. I'll also have him reset the router to factory settings, then change the password... I'll keep you all posted.
0
 

Author Comment

by:ainsworth_mis
TDSSKILLER and MBAM found nothing, not even in safe mode.
0
 
LVL 16

Expert Comment

by:sjklein42
What happens is that, even after you disinfect your PC, the first time you go to Google or one of the other sites that has a poisoned entry on the router, you are redirected to a malicious site that reinfects the PC. You can also spread the virus to other PCs on the same router if they have the same vulnerability as the originally infected PC.

Nefarious. I didn't believe it at first either, but with a few searches found many people talking about it.

"google redirect virus"
0
 
LVL 23

Expert Comment

by:edbedb
Thanks for the explanation. That makes some sense, but it's still not at the top of my list.

I would give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 38

Expert Comment

by:younghv
ainsworth_mis,
The entire point of my post was to explain that you can't simply 'download' MBAM and run it against all malware.

In some cases you have to rename the executable file before it touches the infected computer or it simply cannot do its job.

Also, running MBAM in 'Safe Mode' is basically only done if the computer will only boot to Safe Mode.
0
 

Author Comment

by:ainsworth_mis
younghv:

Understood, I'll try this and get back to the board.
0
 
LVL 16

Expert Comment

by:sjklein42
edbedb:

I have seen the Google redirect virus a few times recently, and you really do have all the symptoms.

Even if you don't want to reset your router for some reason (may be a pain, I know) please be sure you have a password on it.  If you did not have a password before (default password), it is even more indication that this is the source of your infection.

I won't chime in again, but I'm leaving my "bet" placed that this is your problem.

g'luck!
0
 
LVL 26

Expert Comment

by:pony10us
I have previously (actually a couple of times) had this happen. What actually fixed it was this: after running SpyBot and Malwarebytes and finding nothing, I went in and deleted all temporary internet files. Then close the browser without navigating to any sites. Then re-open the browser and try again.

You may need to actually go to the folder and delete the files, as the "delete all" doesn't actually delete all the cookies and temporary files.

Then make sure that you "immunize" with SpyBot and set it to protect your hosts file.
0
 

Author Comment

by:ainsworth_mis
Haha, you guys sure are fast with these great suggestions... I've still yet to reach this user to try most of this stuff; however, my gut feeling points to a router infection...
0
 
LVL 26

Expert Comment

by:pony10us
I have not heard of the router issue that sjklein42 refers to, but I think I will look into it. It sounds like a good idea.

I have a home network that consists of 1 desktop hardwired, plus 4 laptops, an Xbox 360, a PS3, a Wii and a Brother printer, all wireless. So far I have only experienced this issue on 2 of the laptops, and both times my method resolved it.

Keep us posted.
0
 
LVL 38

Expert Comment

by:younghv
I'm trying to think of how ANY router infection could modify the HOSTS file on a Windows system, but Lord knows anything is possible.

What is there about the Admin Account on a router that would allow access to the computer?

I tend to learn a lot more than I teach around here, so this would be good information to learn today.

ALSO:
My favorite program for cleaning Temp/Junk files from your system is CCleaner (www.ccleaner.com).
0
 

Author Closing Comment

by:ainsworth_mis
I was surprised to find out, yes, the router was in fact infected..
0
 
LVL 38

Expert Comment

by:younghv
@ainsworth_mis,
I read through the article about infected routers and it appears to me that you were also required to disinfect your computers after doing the router repair.

If you used any of the Experts' comments posted to repair your computers, you should rightfully have split points with those Experts.
0
