Solved

IE redirect, no spyware found

Posted on 2011-03-16
Last Modified: 2013-11-22
I've run MBAM and HiJackThis with no hits on either. The user has an issue with intermittent redirects. Sometimes it's persistent, sometimes it goes away for a while. Either way it always ends up coming back.

Scans with MBAM and FSecure don't pick up anything. HiJackThis doesn't pick up anything (at least not to my eye or the analyzer's). Need some help on this one...

System is Windows 7, current updates/SP

Here's the HJT log below:  hijackthis.log
Question by:Haze0830
22 Comments
 
LVL 13

Expert Comment

by:mrroonie
ID: 35147789
redirecting from what site?

is the redirect always to the same site?

what is the site you are being redirected to?
0
 
LVL 13

Expert Comment

by:mrroonie
ID: 35147839
this entry looks a bit shady in the HJT log

O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd

googling sberes4.dll brings up zero results - can be a sign of a virus/spyware giving a random filename

If it were me, I'd move that file to another location and reboot; if all is well after a week or so, the file can be safely deleted. If something is not right after the reboot, boot into safe mode and restore the file.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 35148105
If the redirect is always from the same site, check the hosts file.
0
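Thomas's hosts-file check, written out as an added example (this is not code from the thread or from any of the tools named in it). Two patterns matter for a redirect complaint: a public name pinned to a non-local address (the browser goes to the "right" name but the wrong server), and a security or update vendor's name blackholed to loopback so the user cannot fetch cleanup tools. The sample hosts content, the 192.0.2.10 address (a documentation range) and the list of protected suffixes are constructed assumptions; the Windows hosts path is the standard one.

```python
"""Audit a Windows hosts file for entries that would explain browser redirects
or would block a user from reaching cleanup/update sites."""
import ipaddress
import os
from typing import Dict, List

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # standard location on Windows

# Domains an infection commonly blackholes so the user cannot download tools or
# updates. Suffix match on whole labels; extend for the vendors you rely on.
PROTECTED_SUFFIXES = ("malwarebytes.org", "microsoft.com", "windowsupdate.com")

# Constructed sample (assumption): not taken from the asker's machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
192.0.2.10  www.google.com  www.bing.com
127.0.0.1   www.malwarebytes.org
127.0.0.1   dev.internal.example
"""


def parse_hosts(text: str) -> list:
    """Return (ip_address, hostname) pairs, dropping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a fuller audit would report it too
        for name in parts[1:]:
            pairs.append((ip, name.lower()))
    return pairs


def _is_protected(name: str) -> bool:
    """True if name is one of the protected domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def suspicious_hosts_entries(text: str) -> List[Dict[str, str]]:
    """List entries that redirect a public name elsewhere or blackhole a
    protected vendor name. Loopback pins of other names (ad-blocking lists,
    local dev overrides) are left alone."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if ip.is_loopback or ip.is_unspecified:
            if _is_protected(name):
                findings.append({"ip": str(ip), "name": name,
                                 "reason": "security/update domain blackholed"})
        else:
            findings.append({"ip": str(ip), "name": name,
                             "reason": "public name pinned to a non-local address"})
    return findings


if __name__ == "__main__":
    # Use the real hosts file when present (run as administrator to be sure it
    # is readable), otherwise fall back to the constructed sample.
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in suspicious_hosts_entries(text):
        print(f"{f['ip']:<16} {f['name']:<30} {f['reason']}")
```

An empty result only rules out the hosts file; redirects that come from random sites to ad sites, as the asker describes later, are more often produced by something running in the browser session than by name resolution.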
 
LVL 2

Author Comment

by:Haze0830
ID: 35148351
the redirects are TO various ad sites and FROM various/random sites (all valid/frequently used sites).

sberes.dll seems to be valid...I can't find anything on sberes4.dll though....
0
 
LVL 22

Accepted Solution

by:
optoma earned 500 total points
ID: 35148394
    * Download RogueKiller on your desktop
    * Quit all running programs
    * For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
    * When prompted, type 1 and validate
    * The RKreport.txt shall be generated next to the executable.
    * If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

http://www.sur-la-toile.com/RogueKiller/
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe >direct download link
0
 
LVL 22

Expert Comment

by:optoma
ID: 35148431
BTW, Did you run HJT as administrator?
0
 
LVL 38

Expert Comment

by:younghv
ID: 35150341
optoma,
I hope you have actually taken the time to use "RogueKiller" rather than just copying advice you've seen posted by others.

I always find it better to have used a product before recommending it; in case the asker has some procedural questions.
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 500 total points
ID: 35150469
Haze0830,

You would be well advised to read the detailed instructions for RogueKiller (from the developer) at this link:
http://www.geekstogo.com/forum/files/file/413-roguekiller/

Depending on the actual infection identified, you will have to take additional actions to effect the repairs.
0
 
LVL 22

Expert Comment

by:optoma
ID: 35151143
Younghv, I had already been using it since last week and found it ironic that you yourself started posting the use of RogueKiller roughly the same day!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35161239
I've known younghv to be helping here at EE for years, and he's not one to copy someone else's post/advice without giving credit to the original poster, while you, optoma, have done it a few times. :)


Haze0830,
I'd disable that startup entry that mrroonie suggested.
Also, have you tried any other scanner stated in this article? It is possible to experience a redirect on a clean PC; are you using a router?

“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
0
 
LVL 38

Expert Comment

by:younghv
ID: 35161367
0
 
LVL 38

Expert Comment

by:younghv
ID: 35161498
Haze0830,
You will be best served by following the advice of 'rpggamergirl', but if you want to learn more about RogueKiller (and see what the screens look like), check out my Article here:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922.html
0
 
LVL 22

Expert Comment

by:optoma
ID: 35161517
It will look like that here, but I honestly didn't.
I know I got cautioned recently for a repost. I must have overlooked something in that thread, but I can't recall other times.
Have fun searching if bothered :0)
0
 
LVL 38

Expert Comment

by:younghv
ID: 35164070
<<Have fun searching if bothered :0)>>

You can ":0)" all you want, but you've been copying other Experts' advice (without attribution) since you started posting here on EE and it needs to be pointed out.
0
 
LVL 2

Author Comment

by:Haze0830
ID: 35166706
I did run RogueKiller - which reminds me a lot of ComboFix and it did find something in the TMP files. After removing that the problem has not reproduced itself. I'm still waiting for further feedback from the user. Stand by...
0
 
LVL 4

Expert Comment

by:BGTSLLC
ID: 35168546
SUGGESTION:

If RogueKiller doesn't resolve the issue and/or the steps to resolve get whatever, I've found Hitman Pro in Normal Mode to resolve these redirect issues very easily without having to perform additional steps. Like yourself, Haze0830, I've not experienced any success with Combofix/MBAM in regards to the redirects.

0
 
LVL 38

Expert Comment

by:younghv
ID: 35168616
Haze0830,

Also note that in my Article a 'follow up' scan by MBAM is recommended.
Use the "Save As" function to get a clean version of the mbam...setup.exe file.

From:
http://www.experts-exchange.com/A_1940.html

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.
0
 
LVL 1

Expert Comment

by:hank2011
ID: 35170007
Please do this: go into your command prompt, type netstat -b, and see what is running when connected to the net. Then, after you have verified what in the list isn't supposed to be there, try this program: www.superantispyware.com. It's known to get a lot of stuff out of the system.
0
 
LVL 2

Expert Comment

by:JohnnyIT
ID: 35193829
Download and run Hitman Pro: http://www.surfright.nl/en/downloads/

But keep in mind that I haven't found it helpful for much other than this particular redirect virus/rootkit, so stick to something like Avira for regular antivirus protection.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35197288
@JohnnyIT,
Please note that using "Hitman Pro" has already been recommended.

http://www.experts-exchange.com/help.jsp#hs=30&hi=416
Are there guidelines for answering questions?
Read previous posts before commenting: It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.

0
 
LVL 2

Expert Comment

by:JohnnyIT
ID: 35199614
Sorry about that.  I now see that BGTSLLC mentioned it.  Just missed it, that's all.
0
 
LVL 1

Expert Comment

by:Tigzy
ID: 35454597
Hello

This:

O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd

is malware, and will be found by RogueKiller
0
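The O4 entry that mrroonie flagged earlier and that Tigzy confirms here combines three traits that can be checked mechanically across a whole HJT log: the "program" is a system host process (rundll32) rather than the thing that actually runs, the DLL it loads lives under a user-writable profile directory (AppData\Roaming), and both the value name and the file name look machine-generated. The script below is an added example, not code from the thread, from HijackThis or from RogueKiller; it parses O4 lines and scores them on those traits. Only the rundll32 line is the thread's own; the other sample entries, the host-process list and the vowel-ratio threshold are constructed assumptions.

```python
"""Triage HijackThis O4 (Run-key) entries for the traits of the thread's
suspicious autostart: a host process loading a DLL from a user-writable
directory under a random-looking name."""
import re
from typing import Dict, List, Tuple

# Constructed sample log (assumption). The rundll32 line is from the thread;
# the other two are made up to show an ordinary autostart beside it.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\ExampleVendor\updater.exe" /background
O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Example Sidebar\sidebar.exe /autoRun
"""

# HJT prints Run-key entries as: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# An unquoted program path ends at the first known executable extension.
_EXT_RE = re.compile(r'^([^"]*?\.(?:exe|dll|bat|cmd|scr|vbs|js))(?=\s|,|$)', re.I)

# System binaries that run code on behalf of something else: for these the
# argument, not the binary, is what needs inspecting (assumed list).
HOST_PROCESSES = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe",
                  "mshta", "mshta.exe", "wscript", "wscript.exe",
                  "cscript", "cscript.exe", "powershell", "powershell.exe"}

# Directory fragments any logged-on user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%temp%", "%appdata%")


def _split_command(cmd: str) -> Tuple[str, str]:
    """Return (program, loaded_path): program is the first token of the
    command line; loaded_path is the first quoted path in the rest (the DLL
    for rundll32-style loaders) or the program itself."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        program = cmd[1:end] if end > 0 else cmd[1:]
        rest = cmd[end + 1:] if end > 0 else ""
    else:
        m = _EXT_RE.match(cmd)
        program = m.group(1) if m else (cmd.split()[0] if cmd.split() else "")
        rest = cmd[len(program):]
    q = re.search(r'"([^"]+)"', rest)
    return program, (q.group(1) if q else program)


def _looks_random(name: str) -> bool:
    """Heuristic (assumed threshold): names with almost no vowels, such as
    'pwxrf', are more likely generated than chosen by a vendor."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def triage_o4(entry: str) -> Dict[str, object]:
    """Parse one O4 line and list the reasons it deserves a closer look."""
    m = O4_RE.match(entry.strip())
    if not m:
        return {}
    program, loaded = _split_command(m.group("cmd"))
    prog_base = program.rsplit("\\", 1)[-1].lower()
    file_stem = loaded.rsplit("\\", 1)[-1].split(".")[0]
    flags = []
    if prog_base in HOST_PROCESSES:
        flags.append("host-process loader")
    if any(frag in loaded.lower() for frag in USER_WRITABLE):
        flags.append("user-writable path")
    if _looks_random(m.group("name")) or _looks_random(file_stem):
        flags.append("random-looking name")
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "path": loaded, "flags": flags, "review": len(flags) >= 2}


def triage_hjt(log_text: str) -> List[Dict[str, object]]:
    """Triage every O4 line in an HJT log; non-O4 lines are ignored."""
    return [r for r in (triage_o4(line) for line in log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in triage_hjt(SAMPLE_HJT_LINES):
        tag = "REVIEW" if r["review"] else "ok    "
        print(tag, r["hive"], r["name"], r["path"], ", ".join(r["flags"]))
```

A "REVIEW" result is a prompt to look at the file (hash it, check its signature, see what else references it), not a verdict; legitimate software occasionally runs from AppData too, which is why the score needs two traits before it fires.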
