Solved

IE redirect, no spyware found

Posted on 2011-03-16
Last Modified: 2013-11-22
I've run MBAM and HiJackThis with no hits on either. The user has an issue with intermittent redirects. Sometimes it's persistent, sometimes it goes away for a while. Either way, it always ends up coming back.

Scans with MBAM and FSecure don't pick up anything. HiJackThis doesn't pick up anything (at least not to my eye or the analyzer's). Need some help on this one...

System is Windows 7 with current updates/SP.

Here's the HJT log below: hijackthis.log
Question by:Haze0830
22 Comments
 
LVL 13

Expert Comment

by:mrroonie
ID: 35147789
Redirecting from what site?

Is the redirect always to the same site?

What is the site you are being redirected to?
 
LVL 13

Expert Comment

by:mrroonie
ID: 35147839
This entry looks a bit shady in the HJT log:

O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd

Googling sberes4.dll brings up zero results, which can be a sign of a virus/spyware giving itself a random filename.

If it were me, I'd move that file to another location and reboot; if all is well after a week or so, the file can be safely deleted. If something is not right after the reboot, boot into safe mode and restore the file.
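A small triage script that automates the kind of review mrroonie did on that O4 line. This is an added example for this thread, not code from HijackThis, its online analyzer, or anyone in the discussion. It parses HijackThis O4 (Run key) entries and flags the signals a defender looks for on a redirect case: an autostart binary sitting in a user-writable profile directory, rundll32 loading a DLL by path with a named export, and value or export names that look randomly generated. The sample log lines are constructed (the first is the entry quoted above); the regexes, the vowel-ratio heuristic and its 0.25 threshold are my own assumptions, not a published detection rule.

```python
import re
from dataclasses import dataclass, field

# Constructed sample HijackThis log lines. The first is the entry quoted in this thread;
# the others are made up to show benign and other suspicious shapes.
SAMPLE_HJT_LINES = [
    r'O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd',
    r'O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    r'O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
    r'O4 - HKCU\..\Run: [msconfig] C:\Users\rreynolds\AppData\Local\Temp\qwzrtp.exe',
    r'O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)',
]

# O4 line shape: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Profile locations any user process can write to; legitimate autostarts rarely live here.
USER_WRITABLE = re.compile(r'\\AppData\\(Roaming|Local\\Temp)\\', re.IGNORECASE)
# rundll32 "<path>.dll",<export>  -> capture the DLL path and the export name
DLL_IN_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)


@dataclass
class Finding:
    name: str              # the Run value name, e.g. "pwxrf"
    command: str           # the full command line
    reasons: list = field(default_factory=list)


def looks_random(token):
    """Heuristic (assumption): a token of 4+ letters with fewer than 25% vowels
    looks machine-generated, e.g. 'pwxrf' or 'Kdtbd'; 'Sidebar' does not."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    return vowels / len(letters) < 0.25


def assess_o4_entry(line):
    """Return a Finding for an O4 line (reasons empty if nothing stands out), or None for other lines."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, cmd = m.group('name'), m.group('cmd')
    finding = Finding(name, cmd)
    if USER_WRITABLE.search(cmd):
        finding.reasons.append('autostart binary lives in a user-writable profile directory')
    dll = DLL_IN_RUNDLL.search(cmd)
    if dll:
        finding.reasons.append('rundll32 loads a DLL by path (%s) and calls export %s' % dll.groups())
        if looks_random(dll.group(2)):
            finding.reasons.append('export name looks randomly generated')
    if looks_random(name):
        finding.reasons.append('Run value name looks randomly generated')
    return finding


def suspicious_o4_entries(lines):
    """Keep only O4 entries that triggered at least one reason."""
    return [f for f in map(assess_o4_entry, lines) if f and f.reasons]


if __name__ == '__main__':
    for f in suspicious_o4_entries(SAMPLE_HJT_LINES):
        print('[%s] %s' % (f.name, f.command))
        for r in f.reasons:
            print('    - ' + r)
```

Treat the output as a triage list, not a verdict: a vendor updater dropped into AppData will trip the path check, and the vowel ratio is a crude stand-in for a proper entropy or dictionary test. The page's entry trips all four reasons, which is exactly the profile mrroonie and Tigzy describe.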
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 35148105
If the redirect is always from the same site, check the hosts file.
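To make that hosts-file check concrete, here is an added example (not from the thread or any tool mentioned in it) that parses a Windows hosts file and reports every mapping that overrides public name resolution. It separates routable addresses, which would produce a genuine redirect, from loopback and 0.0.0.0 entries, which are the blackhole convention ad blockers use. The sample hosts content is constructed; 203.0.113.5 is a documentation-range address, and the `load_hosts` default path is the standard Windows location.

```python
import ipaddress

# Constructed sample hosts file. The last two active lines are the kind of tampering
# a redirect investigation looks for; 203.0.113.5 is a documentation address, not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example   # common ad-blocking convention
203.0.113.5 www.google.com
203.0.113.5 www.bing.com search.yahoo.com
"""

WINDOWS_HOSTS = r'C:\Windows\System32\drivers\etc\hosts'


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active mapping; comments and malformed lines are skipped."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not an address in the first column; ignore the line
        for host in parts[1:]:                # one address may map several names
            mappings.append((ip, host.lower()))
    return mappings


def hosts_overrides(text):
    """Mappings other than localhost, tagged 'redirect' (routable address) or 'blackhole' (loopback/0.0.0.0)."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == 'localhost' or host.endswith('.localdomain'):
            continue
        kind = 'blackhole' if (ip.is_loopback or ip.is_unspecified) else 'redirect'
        findings.append((host, str(ip), kind))
    return findings


def load_hosts(path=WINDOWS_HOSTS):
    """Read the live hosts file (default: the standard Windows path)."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return fh.read()


if __name__ == '__main__':
    for host, ip, kind in hosts_overrides(SAMPLE_HOSTS):
        print('%-9s %-16s %s' % (kind, ip, host))
```

Anything tagged `redirect` for a site the user did not deliberately pin deserves a look; `blackhole` entries are usually an ad blocker or a hosts-based block list. Note that a hosts entry can only explain redirects that start from the same sites every time, which is why Thomas asked that question first; Haze0830's "from random sites" answer points away from the hosts file and toward the autostart entry.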
 
LVL 2

Author Comment

by:Haze0830
ID: 35148351
The redirects are TO various ad sites and FROM various/random sites (all valid/frequently used sites).

sberes.dll seems to be valid... I can't find anything on sberes4.dll though...
 
LVL 22

Accepted Solution

by:optoma
optoma earned 125 total points
ID: 35148394
  * Download RogueKiller on your desktop
  * Quit all running programs
  * For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe
  * When prompted, type 1 and validate
  * The RKreport.txt shall be generated next to the executable.
  * If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

http://www.sur-la-toile.com/RogueKiller/
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe >direct download link
 
LVL 22

Expert Comment

by:optoma
ID: 35148431
BTW, Did you run HJT as administrator?
 
LVL 38

Expert Comment

by:younghv
ID: 35150341
optoma,
I hope you have actually taken the time to use "RogueKiller" rather than just copying advice you've seen posted by others.

I always find it better to have used a product before recommending it; in case the asker has some procedural questions.
 
LVL 38

Assisted Solution

by:younghv
younghv earned 125 total points
ID: 35150469
Haze0830,

You would be well advised to read the detailed instructions for RogueKiller (from the developer) at this link:
http://www.geekstogo.com/forum/files/file/413-roguekiller/

Depending on the actual infection identified, you will have to take additional actions to effect the repairs.
 
LVL 22

Expert Comment

by:optoma
ID: 35151143
Younghv, I have already been using it since last week and found it ironic that you yourself started posting about the use of RogueKiller roughly the same day!
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35161239
I've known younghv to be helping here at EE for years, and he's not one to copy someone else's post/advice without giving credit to the original poster, while you, optoma, have done it a few times :)


Haze0830,
I'd disable that startup entry that mrroonie had suggested.
Also, have you tried any other scanner stated in this article? It is possible to experience a redirect on a clean PC; are you using a router?

“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
 
 
LVL 38

Expert Comment

by:younghv
ID: 35161498
Haze0830,
You will be best served by following the advice of 'rpggamergirl', but if you want to learn more about RogueKiller (and see what the screens look like), check out my Article here:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922.html
 
LVL 22

Expert Comment

by:optoma
ID: 35161517
It will look like that here, but I honestly didn't.
I know I got cautioned recently for a repost. I must have overlooked something in that thread, but I can't recall other times.
Have fun searching if bothered :0)
 
LVL 38

Expert Comment

by:younghv
ID: 35164070
<<Have fun searching if bothered :0)>>

You can ":0)" all you want, but you've been copying other Experts' advice (without attribution) since you started posting here on EE, and it needs to be pointed out.
 
LVL 2

Author Comment

by:Haze0830
ID: 35166706
I did run RogueKiller, which reminds me a lot of ComboFix, and it did find something in the TMP files. After removing that, the problem has not reproduced itself. I'm still waiting for further feedback from the user. Stand by...
 
LVL 4

Expert Comment

by:BGTSLLC
ID: 35168546
SUGGESTION:

IF RogueKiller doesn't resolve the issue and/or the steps to resolve get whatever, I've found Hitman Pro in Normal Mode to resolve these redirect issues very easily without having to perform additional steps. Like you, Haze0830, I've not experienced any success with ComboFix/MBAM in regards to the redirects.

 
LVL 38

Expert Comment

by:younghv
ID: 35168616
Haze0830,

Also note that in my Article a 'follow up' scan by MBAM is recommended.
Use the "Save As" function to get a clean version of the mbam...setup.exe file.

From:
http://www.experts-exchange.com/A_1940.html

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.
 
LVL 1

Expert Comment

by:hank2011
ID: 35170007
Please do this: go into your command prompt and type netstat -b to see what is running when connected to the net. Then, after you've verified what in the list isn't supposed to be there, try this program: www.superantispyware.com. It's known to get a lot of stuff out of a system.
 
LVL 2

Expert Comment

by:JohnnyIT
ID: 35193829
Download and run Hitman Pro: http://www.surfright.nl/en/downloads/

But keep in mind that I haven't found it helpful for much other than this particular redirect virus/rootkit, so stick to something like Avira for regular antivirus protection.
 
LVL 38

Expert Comment

by:younghv
ID: 35197288
@JohnnyIT,
Please note that using "Hitman Pro" has already been recommended.

http://www.experts-exchange.com/help.jsp#hs=30&hi=416
Are there guidelines for answering questions?
Read previous posts before commenting: It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.

 
LVL 2

Expert Comment

by:JohnnyIT
ID: 35199614
Sorry about that. I now see that BGTSLLC mentioned it. Just missed it, that's all.
 
LVL 1

Expert Comment

by:Tigzy
ID: 35454597
Hello

This:

O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd

is malware, and will be found by RogueKiller.