IE redirect, no spyware found

I've run MBAM and HiJackThis with no hits on either. The user has an issue with intermittent redirects. Sometimes it's persistent, sometimes it goes away for a while. Either way it always ends up coming back.

Scans with MBAM and FSecure don't pick up anything. HiJackThis doesn't pick up anything (at least not to my eye or the analyzer's). Need some help on this one...

System is Windows 7, current updates/SP

Here's the HJT log below: hijackthis.log
Asked by: Haze0830
 
optoma commented:
* Download RogueKiller on your desktop
* Quit all running programs
* For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe
* When prompted, type 1 and validate
* The RKreport.txt shall be generated next to the executable.
* If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

http://www.sur-la-toile.com/RogueKiller/
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe (direct download link)
 
mrroonie commented:
Redirecting from what site?

Is the redirect always to the same site?

What is the site you are being redirected to?
 
mrroonie commented:
This entry looks a bit shady in the HJT log:

O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd

Googling sberes4.dll brings up zero results, which can be a sign of a virus/spyware giving itself a random filename.

If it were me, I'd move that file to another location and reboot. If all is well after a week or so, the file can be safely deleted. If something is not right after the reboot, boot into safe mode and restore the file.
 
Thomas Zucker-Scharff (Systems Analyst) commented:
If the redirect is always from the same site, check the hosts file.
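
The two checks raised so far in the thread (the rundll32 Run entry that mrroonie flagged, and the hosts file) can be scripted for triage. This is an added PowerShell example, not code from the thread or from any of the tools named; the list of user-writable paths and the use of Authenticode signature status as a filter are my assumptions.

```powershell
# Added triage script (not from the thread). Checks the two places discussed above:
# 1. HKCU/HKLM Run entries that start rundll32 with a DLL from a user-writable path
#    (the shape of the sberes4.dll entry in the HJT log), and
# 2. hosts-file lines other than the default localhost entries.
# Path list and "Valid signature" threshold are assumptions; tune them for your estate.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) | Where-Object { $_ }

function Get-Rundll32RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # PSPath, PSProvider, ...
            $cmd = [string]$p.Value
            # rundll32 "C:\path\file.dll",Export   or   rundll32 C:\path\file.dll,Export
            if ($cmd -notmatch 'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,') { continue }
            $dll = $Matches[1]
            $inUserPath = [bool]($userWritable | Where-Object { $dll -like "$_\*" })
            $sig = if (Test-Path -LiteralPath $dll) {
                (Get-AuthenticodeSignature -LiteralPath $dll).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Dll = $dll
                UserWritablePath = $inUserPath; Signature = [string]$sig; Command = $cmd
            }
        }
    }
}

function Get-NonDefaultHostsEntries {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' } |                       # skip comments/blanks
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

'--- rundll32 Run entries worth a second look ---'
Get-Rundll32RunEntries |
    Where-Object { $_.UserWritablePath -or $_.Signature -ne 'Valid' } |
    Format-List

'--- hosts lines other than the default localhost entries ---'
Get-NonDefaultHostsEntries
```

Run it in an elevated PowerShell on the affected machine; an unsigned DLL auto-started from AppData\Roaming, or a hosts line that maps a popular site to an unexpected address, is what to look at first.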
 
Haze0830 (Author) commented:
The redirects are TO various ad sites and FROM various/random sites (all valid/frequently used sites).

sberes.dll seems to be valid...I can't find anything on sberes4.dll though....
 
optoma commented:
BTW, Did you run HJT as administrator?
 
younghv commented:
optoma,
I hope you have actually taken the time to use "RogueKiller" rather than just copying advice you've seen posted by others.

I always find it better to have used a product before recommending it; in case the asker has some procedural questions.
 
younghv commented:
Haze0830,

You would be well advised to read the detailed instructions for RogueKiller (from the developer) at this link:
http://www.geekstogo.com/forum/files/file/413-roguekiller/

Depending on the actual infection identified, you will have to take additional actions to effect the repairs.
 
optoma commented:
Younghv, I have already been using it since last week, and found it ironic that you yourself started posting about the use of RogueKiller roughly the same day!
 
rpggamergirl commented:
I've known younghv to be helping here at EE for years, and he's not one to copy someone else's post/advice without giving credit to the original poster, while you, optoma, have done it a few times. :)


Haze0830,
I'd disable that startup entry that mrroonie had suggested.
Also have you tried any other scanner stated in this article? It is possible to experience a redirect on a clean PC, are you using a router?

“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
 
younghv commented:
Haze0830,
You will be best served by following the advice of 'rpggamergirl', but if you want to learn more about RogueKiller (and see what the screens look like), check out my Article here:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922.html
 
optoma commented:
It will look like that here, but I honestly didn't.
I know I got cautioned recently for a repost. I must have overlooked something in that thread, but I can't recall other times.
Have fun searching if bothered :0)
 
younghv commented:
<<Have fun searching if bothered :0)>>

You can ":0)" all you want, but you've been copying other Experts' advice (without attribution) since you started posting here on EE, and it needs to be pointed out.
 
Haze0830 (Author) commented:
I did run RogueKiller - which reminds me a lot of ComboFix and it did find something in the TMP files. After removing that the problem has not reproduced itself. I'm still waiting for further feedback from the user. Stand by...
 
BGTSLLC commented:
SUGGESTION:

If RogueKiller doesn't resolve the issue and/or the steps to resolve it get whatever, I've found Hitman Pro in Normal Mode to resolve these redirect issues very easily without having to perform additional steps. Like yourself, Haze0830, I've not experienced any success with ComboFix/MBAM in regards to the redirects.

 
younghv commented:
Haze0830,

Also note that in my Article a 'follow up' scan by MBAM is recommended.
Use the "Save As" function to get a clean version of the mbam...setup.exe file.

From:
http://www.experts-exchange.com/A_1940.html

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.
 
hank2011 commented:
Please do this: go into your command prompt and type netstat -b to see what is running when connected to the net. Then, after you've verified what in the list isn't supposed to be there, try this program: www.superantispyware.com. It's known to get a lot of stuff out of a system.
 
JohnnyIT commented:
Download and run Hitman Pro: http://www.surfright.nl/en/downloads/

But keep in mind that I haven't found it helpful for much other than this particular redirect virus/rootkit, so stick to something like Avira for regular antivirus protection.
 
younghv commented:
@JohnnyIT,
Please note that using "Hitman Pro" has already been recommended.

http://www.experts-exchange.com/help.jsp#hs=30&hi=416
Are there guidelines for answering questions?
Read previous posts before commenting: It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.

 
JohnnyIT commented:
Sorry about that. I now see that BGTSLLC mentioned it. Just missed it, that's all.
 
Tigzy commented:
Hello

This:

O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd

is malware, and will be found by RogueKiller.