Solved

Internet Explorer Redirector

Posted on 2011-03-09
Last Modified: 2012-05-11
Within Internet Explorer, when searching on Google, Yahoo, Bing, etc., after the search list comes up and I click on a result, it redirects to various ad sites. Nothing is coming up on the virus scans. I have run multiple spyware/malware scanners and nothing is coming up (HitmanPro, Spybot, and Malwarebytes). Is there anything else I can do to remove this without reinstalling the operating system?

Question by:jnewburn
23 Comments
 
LVL 3

Expert Comment

by:CarlsbergFTW
ID: 35083212
First try uninstalling any toolbars or add-ons that you believe are not supposed to be there, and maybe reinstall IE, or try using Firefox and test whether this also happens when using another browser.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35083222
For Hijacking/re-directs, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 35083223
Have you tried resetting Internet Explorer and deleting all cookies and temporary internet files? Also, try deleting all temp files from your system.

You can also download hijackthis which is a free tool and then run this tool and examine the output. You can download hijackthis from the internet.

Also, check the hosts file on your system c:\windows\system32\drivers\etc\hosts
and see if this has been edited in any way.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35083243
After running TDSSKiller, you may need to use a couple more common tools. Please note the "Save As" instructions for Malwarebytes - it can be critical to download it with a random name that malware won't recognize.


Download, install, and run
CCleaner (www.ccleaner.com)
Doing this will clean out all of the Temp/Junk files from your browser.

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.

IF NEEDED, we may ask you to download ComboFix (using the same "Save As" process).
0
 
LVL 4

Expert Comment

by:WhiteSeed
ID: 35083254
I think you have malware.
- When you use your browser to view Web sites, other instances of your browser open to display Web site advertisements.
Use the official Microsoft tutorial:
http://answers.microsoft.com/en-us/windows/forum/windows_vista-security/how-to-get-rid-of-malware/ba80504b-61f1-4d71-960f-b561798b7b42
 
0
 
LVL 38

Expert Comment

by:younghv
ID: 35083265
@JBond2010,
If you are going to post advice in the malware Zones, you will need to quit posting generic comments and offer specifics.

Telling someone to 'reset', 'download', or 'check' has no value unless you take the time to offer some specific guidance and instruction.
0
 
LVL 5

Expert Comment

by:Iekos
ID: 35083342
You have Malware / Spyware.

Try and get (from another PC if you have to):

Malwarebytes
Spybot search and destroy

This should defo help.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35083359
@WhiteSeed,
I see that you are a brand new member, so welcome to Experts-Exchange.

Our Premium Service members pay a fee to get advice from Experts here, so you really don't want to ship them off to some other web site.

The symptoms being discussed in this question have been solved many times here, so we need to 1 - identify the malware and 2 - provide targeted advice to resolve it.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35083381
Gosh, you people are really coming out of the woodwork today.
Iekos - read the prior posts so you don't duplicate advice already given:

http://www.experts-exchange.com/help.jsp#hs=30&hi=416

"Are there guidelines for answering questions?"
Read previous posts before commenting: It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.


0
 

Author Comment

by:jnewburn
ID: 35085446
Thanks everyone for the expedited responses. This is my first post so bear with me. To answer some of the responses... yes, I have cleared the temp files and reset IE to default settings. I have also run Malwarebytes and Spybot Search and Destroy already and have come up short.
As "younghv" suggested, I ran TDSSKiller and it found no infection (log file attached). I then ran HijackThis, and at the beginning of the scan it said that HijackThis was denied access to the hosts file? It then kept going and finished (log file attached). I also ran CCleaner and Malwarebytes. Malwarebytes found no infection (log file attached). Please review... thanks
TDSSKiller.2.4.20.0-09.03.2011-1.txt
hijackthis.log
mbam-log-2011-03-09--12-34-09-.txt
0
 
LVL 38

Expert Comment

by:younghv
ID: 35085532
HJT should be run from a folder in the root drive, not your profile:
C:\Users\admin\Desktop\HijackThis.exe

Are you running both AVG and some version of Norton/Symantec?
If so, you need to pick one and fully remove the other - details to follow, if needed.

Did you install and run CCleaner?
It is a great tool for removing all the junk/temp files that accumulate.

Did you use the 'Save As' function when you downloaded MBAM?
0
 

Author Comment

by:jnewburn
ID: 35085707
I moved HJT to a folder in the root drive and reran it. I got the same error with the hosts file and then it continued (new log attached). I removed the Norton online scanner (the laptop is using AVG).

I did run CCleaner as well, and used the "Save As" function when downloading MBAM.
hijackthis.log
0
 
LVL 38

Accepted Solution

by:
younghv earned 500 total points
ID: 35085724
Use the instructions at this site to see if you can replace the HOSTS file:
http://www.mvps.org/winhelp2002/hosts.htm
0
 
LVL 38

Expert Comment

by:younghv
ID: 35085734
Also - are you being re-directed to the same site consistently?
If so, that might give us a clue about which flavor of malware you have.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 35085788
This issue keeps coming up. Here is a recent thread showing that it could be an infected router:  http://www.experts-exchange.com/expertsZone.jsp
0
 
LVL 38

Expert Comment

by:younghv
ID: 35085842
The actual link is here:
http://www.experts-exchange.com/Q_26864096.html

@jnewburn,
Look at the "HOSTS" file displayed in that question and compare it to yours.
0
 

Author Comment

by:jnewburn
ID: 35085887
younghv,
The redirected sites vary (infomash.com, grooveswish.com, scour.com, etc.). Also, there is not a "hosts" file. The one listed in that directory is "lmhosts.sam". Is this the correct one?
0
 
LVL 26

Expert Comment

by:pony10us
ID: 35085983
younghv: ty. I have been over-multitasking this morning, so I simply did what I usually do and copied the address bar.   :(

0
 
LVL 38

Expert Comment

by:younghv
ID: 35086073
pony - been there np
:)

Jnewburn,
You will have to have the 'system' files set to display in Windows Explorer.
It is there:

Windows 7/Vista/XP    = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC

Have to catch a meeting - back in about an hour.
0
 

Author Comment

by:jnewburn
ID: 35088053
younghv

I compared the hosts file to the one mentioned in your post above and it was similar. So I used the information there to reset the hosts file. I rebooted and the redirection is gone! If there is anything else I need to do let me know, but if not, thank you for all your help.

0
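
The hosts-file comparison that resolved this thread can be scripted. The following is an added example, not code from any poster or from the tools mentioned above; the verdict names, the search-engine label list and the sample entries are assumptions constructed for illustration.

```python
import ipaddress, sys

DEFAULT_NAMES = {"localhost"}                 # assumption: the only stock entry
SEARCH_LABELS = ("google", "yahoo", "bing")   # assumption: engines named in the question

# Constructed sample; the addresses are documentation ranges, not real indicators.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1      localhost
::1            localhost
203.0.113.10   www.google.com google.com
203.0.113.10   search.yahoo.com   # trailing comment
0.0.0.0        ads.example.com
198.51.100.7   intranet.example.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, name) for each active mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comment, split on blanks
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: not a mapping
        for name in fields[1:]:                 # one line may carry aliases
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, verdict, ip, name) for every non-default mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback and name in DEFAULT_NAMES:
            continue                            # stock localhost entry
        if ip.is_loopback or ip.is_unspecified:
            verdict = "sinkhole"                # block-list style entry
        elif any(label in SEARCH_LABELS for label in name.split(".")):
            verdict = "hijack"                  # search engine sent elsewhere
        else:
            verdict = "redirect"                # any other routable override
        findings.append((line_no, verdict, str(ip), name))
    return findings

if __name__ == "__main__":   # optional argument: path to a real hosts file
    text = open(sys.argv[1], encoding="utf-8-sig").read() if sys.argv[1:] else SAMPLE
    for finding in audit_hosts(text):
        print(*finding)
```

Pass the path of the hosts file in the ETC folder discussed above as the first argument; with no argument the script audits the constructed sample.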
 
LVL 38

Expert Comment

by:younghv
ID: 35088162
If you don't mind, let's look at a couple of other things before closing this out.
(Better safe than sorry.)*

1. Is this a home or work environment?
2. In either case, are you connecting to the Internet through a 'router' (NOT just a modem)?
3. If you have a clean computer, go back up to Malwarebytes (link above) and download the executable again (*). Make sure you rename it (Save As) before it touches any computer to which it is being downloaded.
4. Run the install again (don't need to uninstall the old).
5. Check the "Perform Full Scan" and let it run. If any malware is found let MBAM do the repairs.

Post back and let me know.

Thanks.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35088187
Wow!
7+ years membership and this is your first question.

Cool!
0
 

Author Comment

by:jnewburn
ID: 35090063
... Yeah, first timer for the question post.  I use this site frequently it has a pretty good variety of information.

The laptop is used for both home and work and it is connecting through a router for both situations. I downloaded and installed again with the "save as" command and ran the program. Nothing found!!

I do appreciate all of your help on this... it's experts like yourself that make this site valuable.

Best Regards

0
