Solved

IE redirect, no spyware found

Posted on 2011-03-16
Last Modified: 2013-11-22
I've run MBAM and HiJackThis with no hits on either. The user has an issue with intermittent redirects. Sometimes it's persistent, sometimes it goes away for a while. Either way it always ends up coming back.

Scans with MBAM and FSecure don't pick up anything. HiJackThis doesn't pick up anything (at least not to my eye or the analyzer's). Need some help on this one...

System is Windows 7, current updates/SP

Here's the HJT log below: hijackthis.log
Question by:Haze0830
22 Comments
 
LVL 13

Expert Comment

by:mrroonie
ID: 35147789
redirecting from what site?

is the redirect always to the same site?

what is the site you are being redirected to?
0
 
LVL 13

Expert Comment

by:mrroonie
ID: 35147839
this entry looks a bit shady in the HJT log

O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd

googling sberes4.dll brings up zero results - can be a sign of a virus/spyware giving a random filename

If it were me, I'd move that file to another location and reboot; if all is well after a week or so the file can be safely deleted. If something is not right after the reboot, boot into safe mode and restore the file.
0
 
LVL 29

Expert Comment

by:Thomas Zucker-Scharff
ID: 35148105
If the redirect is always from the same site, check the hosts file.
0
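One way to act on the hosts-file check suggested above, as an added example that is not code from the thread: the script parses a hosts file and flags every hostname mapped to anything other than loopback or 0.0.0.0, which is how a hosts-file hijack silently sends a popular site somewhere else. The sample file is constructed for illustration; on the affected machine you would feed it the contents of C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample hosts file for illustration: the two entries pointing at
# 198.51.100.23 (a documentation-range address) model a hijack, the 0.0.0.0
# entry models a legitimate ad-blocking sinkhole.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com google.com   # search traffic diverted
198.51.100.23   www.bing.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (address, [hostnames]) for each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def suspicious_hosts(text):
    """Return (address, hostnames, reason) for entries that send a name off the box."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, names, 'unparseable address'))
            continue
        # Loopback and 0.0.0.0 are the normal "block this name" idioms; anything
        # else resolves the name to a real remote host, which is how a hosts-file
        # hijack redirects browsing without any browser add-on being involved.
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append((ip, names, 'hostname mapped to a remote address'))
    return findings
```

A clean Windows 7 hosts file contains only comments, so any finding at all is worth explaining before the redirect is blamed on malware elsewhere.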
 
LVL 2

Author Comment

by:Haze0830
ID: 35148351
the redirects are TO various ad sites and FROM various/random sites (all valid/frequently used sites).

sberes.dll seems to be valid...I can't find anything on sberes4.dll though....
0
 
LVL 22

Accepted Solution

by:
optoma earned 125 total points
ID: 35148394
* Download RogueKiller on your desktop
* Quit all running programs
* For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
* When prompted, type 1 and validate
* The RKreport.txt shall be generated next to the executable.
* If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

http://www.sur-la-toile.com/RogueKiller/
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe (direct download link)
0
 
LVL 22

Expert Comment

by:optoma
ID: 35148431
BTW, Did you run HJT as administrator?
0
 
LVL 38

Expert Comment

by:younghv
ID: 35150341
optoma,
I hope you have actually taken the time to use "RogueKiller" rather than just copying advice you've seen posted by others.

I always find it better to have used a product before recommending it; in case the asker has some procedural questions.
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 125 total points
ID: 35150469
Haze0830,

You would be well advised to read the detailed instructions for RogueKiller (from the developer) at this link:
http://www.geekstogo.com/forum/files/file/413-roguekiller/

Depending on the actual infection identified, you will have to take additional actions to effect the repairs.
0
 
LVL 22

Expert Comment

by:optoma
ID: 35151143
Younghv, I have already been using it since last week and found it ironic that you yourself started posting about the use of RogueKiller roughly the same day!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35161239
I've known younghv helping here at EE for years and he's not one who copies someone else's post/advice without giving credit to the original poster, while you, optoma, have done it a few times :)


Haze0830,
I'd disable that startup entry that mrroonie had suggested.
Also have you tried any other scanner stated in this article? It is possible to experience a redirect on a clean PC, are you using a router?

“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
0
 
LVL 38

Expert Comment

by:younghv
ID: 35161367
0
 
LVL 38

Expert Comment

by:younghv
ID: 35161498
Haze0830,
You will be best served by following the advice of 'rpggamergirl', but if you want to learn more about RogueKiller (and see what the screens look like), check out my Article here:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922.html
0
 
LVL 22

Expert Comment

by:optoma
ID: 35161517
It will look like that here, but I honestly didn't.
I know I got cautioned recently for a repost. I must have overlooked something in that thread, but I can't recall other times.
Have fun searching if bothered :0)
0
 
LVL 38

Expert Comment

by:younghv
ID: 35164070
<<Have fun searching if bothered :0)>>

You can ":0)" all you want, but you've been copying other Expert's advice (without attribution) since you started posting here on EE and it needs to be pointed out.
0
 
LVL 2

Author Comment

by:Haze0830
ID: 35166706
I did run RogueKiller - which reminds me a lot of ComboFix and it did find something in the TMP files. After removing that the problem has not reproduced itself. I'm still waiting for further feedback from the user. Stand by...
0
 
LVL 4

Expert Comment

by:BGTSLLC
ID: 35168546
SUGGESTION:

If RogueKiller doesn't resolve the issue and/or the steps to resolve get whatever, I've found Hitman Pro in Normal Mode to resolve these redirect issues very easily without having to perform additional steps. Like yourself, Haze0830, I've not experienced any success with Combofix/MBAM in regards to the redirects.

0
 
LVL 38

Expert Comment

by:younghv
ID: 35168616
Haze0830,

Also note that in my Article a 'follow up' scan by MBAM is recommended.
Use the "Save As" function to get a clean version of the mbam...setup.exe file.

From:
http://www.experts-exchange.com/A_1940.html

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.
0
 
LVL 1

Expert Comment

by:hank2011
ID: 35170007
Please do this: go into your command prompt, type netstat -b, and see what is running when connected to the net. Then, after you have verified what in the list isn't supposed to be in there, try this program: www.superantispyware.com. It's known to get a lot of stuff out of the system.
0
 
LVL 2

Expert Comment

by:JohnnyIT
ID: 35193829
Download and run Hitman Pro: http://www.surfright.nl/en/downloads/

But keep in mind that I haven't found it helpful for much other than this particular redirect virus/rootkit, so stick to something like Avira for regular antivirus protection.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35197288
@JohnnyIT,
Please note that using "Hitman Pro" has already been recommended.

http://www.experts-exchange.com/help.jsp#hs=30&hi=416
Are there guidelines for answering questions?
Read previous posts before commenting: It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.

0
 
LVL 2

Expert Comment

by:JohnnyIT
ID: 35199614
Sorry about that.  I now see that BGTSLLC mentioned it.  Just missed it, that's all.
0
 
LVL 1

Expert Comment

by:Tigzy
ID: 35454597
Hello

This:

O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd

is malware, and will be found by RogueKiller
0
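The entry mrroonie flagged above and Tigzy confirms here can be picked out mechanically from a HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses O4 (autorun) lines and reports the two traits that make this one stand out, a rundll32 command loading a DLL from a user-writable directory such as AppData\Roaming, and a value name with no vowels that looks randomly generated. The first sample line is the one quoted in the thread; the other two are benign-looking entries constructed for illustration.

```python
import re

# Constructed sample HijackThis O4 lines. The first is the entry quoted in this
# thread; the other two are typical benign entries made up for illustration.
SAMPLE_O4_LINES = [
    r'O4 - HKCU\..\Run: [pwxrf] rundll32 "C:\Users\rreynolds\AppData\Roaming\sberes4.dll",Kdtbd',
    r'O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe',
    r'O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
]

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Directories an unprivileged user can write to; a Run entry that loads code
# from here needed no admin rights to plant and is a classic persistence spot.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')


def parse_o4(line):
    """Split one HJT O4 line into hive, key, value name and command, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def assess_entry(entry):
    """Return a list of reasons this autorun entry deserves a closer look."""
    reasons = []
    cmd = entry['cmd'].lower()
    if 'rundll32' in cmd:
        # Pull the DLL path out of the rundll32 command line (quoted or not).
        m = re.search(r'"?([a-z]:\\[^",]+\.dll)"?', cmd)
        if m and any(d in m.group(1) for d in USER_WRITABLE):
            reasons.append('rundll32 loads a DLL from a user-writable directory')
    if not re.search(r'[aeiou]', entry['name'].lower()):
        reasons.append('value name has no vowels (looks randomly generated)')
    return reasons


def triage(lines):
    """Return one finding per suspicious O4 line: (hive, value name, reasons)."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess_entry(entry)
        if reasons:
            findings.append((entry['hive'], entry['name'], reasons))
    return findings
```

Both heuristics are hints rather than verdicts, so a hit is a reason to check the DLL's hash and publisher, not proof on its own.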