Solved

IE Redirector

Posted on 2011-09-06
Last Modified: 2013-11-22
OK, I'm going to try to make a long story short. I have a client that got some malware on their PC. It made all their files disappear. I ran Malwarebytes, which found a few items. I ran unhide to get the files to reappear, and I copied the Start Menu files back to the proper location from appdata\temp\smtmp etc. All seems good, except that they still have some kind of redirector on their PC. Searches and even directly typed-in URLs get redirected. I have checked to see if the malware had put in any proxy settings, but it doesn't appear so. So, getting to the point, how do I remove an IE redirector? I have run a few more scans from Malwarebytes and not found anything.
Question by:Rebol
15 Comments
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 36491726
Check C:\Windows\System32\Drivers\Etc\Hosts to ensure no foreign host entries have been added.
Check what the IE search provider is set to - this often gets hijacked by malware.
Which piece of malware did Malwarebytes identify?
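To make the two checks above (plus the proxy check the asker did by hand) repeatable on the next machine, here is an added PowerShell script; it is not part of the thread and not any contributor's tool. It assumes PowerShell 2.0 or later on XP/Vista/7 with the default registry layout, and should be run from an elevated prompt. Two details it covers that a manual look tends to miss: malware can repoint the hosts-file location itself (the Tcpip DataBasePath value), and a PAC script in AutoConfigURL redirects chosen URLs even when the proxy checkbox is off.

```powershell
# Added example, not part of the thread: audit the places an IE redirector
# usually leaves settings, in one pass. Assumes PowerShell 2.0 or later on
# XP/Vista/7 with the default registry layout; run it elevated.

# 1. The hosts file. Malware sometimes repoints DataBasePath so the copy you
#    edit under System32\drivers\etc is not the one the resolver reads.
$tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = if ($tcpip.DataBasePath) { $tcpip.DataBasePath } else { '%SystemRoot%\System32\drivers\etc' }
$hostsPath = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'
$hostsItem = Get-Item -LiteralPath $hostsPath -Force
Write-Host "hosts file in use: $hostsPath ($($hostsItem.Attributes), modified $($hostsItem.LastWriteTime))"

$loopback    = @('127.0.0.1', '::1', '0.0.0.0')
$normalNames = '^(localhost|localhost\.localdomain|ip6-\w+|broadcasthost)$'
Get-Content -LiteralPath $hostsPath | ForEach-Object {
    $line = ($_ -split '#', 2)[0].Trim()            # strip comments and padding
    if ($line -eq '') { return }                    # blank line: next
    $fields = $line -split '\s+'
    $ip     = $fields[0]
    $names  = @($fields | Select-Object -Skip 1)
    $odd    = @($names | Where-Object { $_ -notmatch $normalNames })
    # Anything that maps a real site somewhere (to a remote host, or to the
    # loopback to block AV/update sites) deserves a look.
    if (($loopback -notcontains $ip) -or ($odd.Count -gt 0)) {
        Write-Host "REVIEW hosts entry: $line"
    }
}

# 2. Proxy settings. A PAC script (AutoConfigURL) redirects selected URLs
#    even when ProxyEnable is 0, so check all three values, not just the
#    checkbox Internet Options shows.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Write-Host ("Proxy: enabled={0} server='{1}' pac='{2}'" -f $inet.ProxyEnable, $inet.ProxyServer, $inet.AutoConfigURL)

# 3. IE search providers and start page. The default scope's URL is where a
#    typed search is sent, whatever DisplayName the provider claims.
foreach ($hive in 'HKCU', 'HKLM') {
    $scopes = "${hive}:\Software\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path $scopes)) { continue }
    $default = (Get-ItemProperty $scopes).DefaultScope
    Get-ChildItem $scopes | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $mark = if ($_.PSChildName -eq $default) { '*' } else { ' ' }
        Write-Host "$mark $hive $($p.DisplayName) -> $($p.URL)"
    }
}
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main'
Write-Host "Start page: $($main.'Start Page')  Search page: $($main.'Search Page')"
```

Entries flagged REVIEW are not all malicious (ad-blocking hosts lists look the same), but a hosts file with hundreds of entries on a machine nobody edited, a hidden/system attribute on it, or a DataBasePath pointing somewhere other than the etc directory is what this is meant to surface. The search-scope line marked `*` is the one actually in use.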
LVL 4

Expert Comment

by:raremind
ID: 36491752
Most likely it's a rootkit. Try this:
First:
Start > All Programs > Accessories > System Tools > Disk Cleanup. Keep all the automatically ticked items checked and delete all those files.

While this usually fixes it alone, still run this:

http://support.kaspersky.com/faq/?qid=208283363

This works about 85% of the time when I find a redirect in IE.

Let us know if it worked. If not I can suggest a few more things to try.
LVL 11

Expert Comment

by:madhatter5501
ID: 36491757
Have you tried running Malwarebytes in safe mode with networking?

When I have malware I run:

Malwarebytes
SUPERAntiSpyware online
CCleaner
TFC cleaner
RKill
HijackThis (be careful with this)
Autoruns
Microsoft's safety.live.com
Defraggler
Windows defrag
manually go through the rest of the temp files and delete them
check the hosts file as mentioned above
LVL 38

Expert Comment

by:younghv
ID: 36491806
Often redirectors are accompanied by rootkits.
You might want to start with TDSSKiller, found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe
***********

Please do NOT delete any Temp files until you are sure the system is clean. Some variants of malware will 'move' folders from your profile into the Temp Directory.
LVL 23

Expert Comment

by:phototropic
ID: 36491968
If you have run multiple scans which have found nothing, and your hosts file is OK, then there is also the possibility that your router may be infected.  There is a good article about that here:

 http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_5327-Infected-router-Google-search-redirects-even-on-a-clean-system.html?sfQueryTermInfo=1+10+30+infect+router

The resolution is basically to reset the router. If you have any other PCs connected to the router, they should be cleaned too before a reset.

Good luck!!!
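A way to test the router-side theory from the PC itself, added here as an example that is not part of the thread or of the linked article: ask each DNS server the machine is configured to use (on a home network that is usually the router's LAN address, which forwards to whatever upstream servers the router was told to use) and compare its answer for one name with a reference resolver's answer. It assumes PowerShell 2.0 or later, nslookup.exe on the path and working network access; 8.8.8.8 and example.com are illustrative choices. Use a name with stable A records, since CDN-hosted sites legitimately answer differently depending on the resolver.

```powershell
# Added example, not from the thread: compare answers from each DNS server
# this PC is configured to use against a reference resolver. A router whose
# DNS settings were changed shows up here even after the PC itself is clean.
# Assumptions: PowerShell 2.0+, nslookup.exe available, network access.
# 8.8.8.8 and example.com are illustrative; pick a name with stable A records.
$testName  = 'example.com'
$reference = '8.8.8.8'

function Resolve-Via([string]$name, [string]$server) {
    # Query one specific server and pull the IPv4 answers out of nslookup's
    # text output (everything after the 'Name:' line is the answer section).
    $out    = & nslookup.exe $name $server 2>$null | Out-String
    $answer = ($out -split 'Name:', 2)[1]
    if (-not $answer) { return @() }
    $ips = [regex]::Matches($answer, '\b(?:\d{1,3}\.){3}\d{1,3}\b') | ForEach-Object { $_.Value }
    return @($ips | Sort-Object -Unique)
}

$refAnswer = Resolve-Via $testName $reference
Write-Host "$reference resolves $testName to: $($refAnswer -join ', ')"

Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | ForEach-Object {
    Write-Host ''
    Write-Host $_.Description
    Write-Host "  DHCP: $($_.DHCPEnabled)  gateway: $($_.DefaultIPGateway -join ', ')"
    foreach ($dns in @($_.DNSServerSearchOrder)) {
        if (-not $dns) { continue }
        $a = Resolve-Via $testName $dns
        # Both lists are sorted and de-duplicated, so a joined string compares them.
        $verdict = if (($a -join ',') -eq ($refAnswer -join ',')) { 'matches reference' } else { 'DIFFERS from reference' }
        Write-Host "  DNS $dns -> $($a -join ', ')  [$verdict]"
    }
}
```

If the only configured DNS server is the gateway address and its answer differs from the reference, the router's own DNS settings are the next thing to look at (log in to it and compare the DNS servers it hands out with the ISP's). A DNS server address that is neither the gateway nor one of the ISP's, on an adapter that is supposedly using DHCP, is worth explaining before anything else.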

Author Comment

by:Rebol
ID: 36492452
I checked hosts and found hundreds, so I deleted all but the 127.0.0.0.
I checked the search provider; it was set to Bing, but I disabled it anyway.
It is still being redirected.
I ran the TDSSKiller app and it found a couple of items, which it removed. I then did a reboot and it seemed to be OK, until after one more reboot it started redirecting again. I found a common file that was being found after several Kaspersky scans; it was an all-numeric-named .exe file. It was in system32. I renamed it because it wasn't an exact match for the file found in Kaspersky, then reran Kaspersky; it didn't find any new threats, but I am still getting redirected.
I also was unable to uninstall AVG, so I tried to reinstall it, which failed as well (maybe a separate issue).
I have noticed that when I am being redirected it goes through "excelentsearchserver.com"; don't know if that helps. Yes, I did run Malwarebytes from safe mode; in fact I installed it from safe mode with networking and did the update. Any more ideas?

Author Comment

by:Rebol
ID: 36492461
Also I noticed that Malwarebytes wouldn't run anymore; it would error out. So I removed it and reinstalled it in regular mode. It installs fine and updates, but when you run it, it just disappears and doesn't actually scan.

Author Comment

by:Rebol
ID: 36492472
I just found the file that kaspersky detected in the task manager but when I do a search for it in windows it doesn't find a match. The file name is 3663438854.4183532581.exe

Author Comment

by:Rebol
ID: 36492485
Correction the file name is 3663438854:4183532581.exe
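A colon inside a file name is NTFS syntax for an alternate data stream (host-file:stream-name), which is why Explorer's search and a plain `dir` turn up nothing: the bytes live in a stream attached to another file, not in a directory entry of their own, and only stream-aware tools list them. The following is an added PowerShell example, not from the thread, that finds running processes whose image is a stream and enumerates every stream on the host file. It assumes an elevated session; `-Stream` needs PowerShell 3.0 or later (on Vista/7 without it, `cmd /c dir /r` on the directory lists streams too). A rootkit can still hide the host file from the live system entirely, which is what the rootkit scanners suggested earlier are for.

```powershell
# Added example, not from the thread: find processes whose executable is an
# NTFS alternate data stream ("C:\...\host:stream.exe") and list the streams
# on the host file. Assumes elevation; -Stream needs PowerShell 3.0+.

function Get-AdsProcess {
    # A second colon after the drive letter means the path names a stream.
    Get-WmiObject Win32_Process | Where-Object {
        $_.ExecutablePath -and ($_.ExecutablePath.Substring(2) -match ':')
    } | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

function Get-FileStreams([string]$path) {
    # Split "C:\dir\host:stream" into its host file, then enumerate every
    # stream on that file, not just the one that showed up as a process.
    $idx = $path.IndexOf(':', 2)
    $hostFile = if ($idx -ge 0) { $path.Substring(0, $idx) } else { $path }
    Get-Item -LiteralPath $hostFile -Stream * -ErrorAction SilentlyContinue |
        Select-Object FileName, Stream, Length
}

$hits = @(Get-AdsProcess)
if ($hits.Count -eq 0) { Write-Host 'No running process is backed by an alternate data stream.' }
foreach ($p in $hits) {
    Write-Host "PID $($p.ProcessId) (parent $($p.ParentProcessId)): $($p.ExecutablePath)"
    Get-FileStreams $p.ExecutablePath | Format-Table -AutoSize
}

# Sweep a directory for non-default streams whether or not anything is running
# from them (':$DATA' is the ordinary file content; everything else is extra).
Get-ChildItem 'C:\Windows\System32' -File -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length
```

The parent process ID is worth noting: a stream-backed executable started by a legitimate-looking system process is the usual sign that something loaded earlier in boot (a service or driver) is the real persistence, and renaming the host file alone will not stop it from coming back after a reboot.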
LVL 6

Expert Comment

by:K_Wilke
ID: 36492493
Yes the TDSSKiller will fix the redirection thing.
Thanks,
Kelly W.
LVL 6

Accepted Solution

by:
K_Wilke earned 500 total points
ID: 36492504
LVL 23

Expert Comment

by:phototropic
ID: 36492512
@K_Wilke,

Please read the foregoing suggestions from experts.  I already linked to rpg's article above.
LVL 47

Expert Comment

by:rpggamergirl
ID: 36495109
Sounds like it comes with the ZeroAccess rootkit as well.
Download and run AntiZeroAccess; if it doesn't find the infection, run ComboFix.
HitmanPro also claims to detect and remove ZeroAccess, but I haven't used it personally. Let us know if tools won't run.

1. Download AntiZeroAccess to Desktop
http://anywhere.webrootcloudav.com/antizeroaccess.exe

Double-click on it to run it (if running Vista or Windows 7, right-click on it and select "Run as Administrator").
Type y and press Enter to run the scan.


2. HitmanPro:
http://www.surfright.nl/en/downloads


3. ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 36499279
You have already tried TDSSKiller but have you tried FixTDSS.exe as suggested by Younghv above? (ID: 36491806)

Author Closing Comment

by:Rebol
ID: 36593875
ComboFix did it, thanks.