  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 527
IE Redirector

OK, I'm gonna try to make a long story short. I have a client that got some malware on their PC. It made all their files disappear. I ran Malwarebytes, which found a few items. I ran unhide to get the files to reappear, and I copied the Start Menu files back to the proper location from appdata\temp\smtmp etc. All seems good except that they still have some kind of redirector on their PC. Searches and even directly typing in URLs get redirected. I have checked to see if the malware had put in any proxy settings, but it doesn't appear so. So, getting to the point, how do I remove an IE redirector? I have run a few more scans from Malwarebytes and not found anything.
Asked by Rebol
1 Solution
WalkaboutTiggerCommented:
Check C:\Windows\System32\Drivers\Etc\Hosts to ensure no foreign host entries have been added.
Check what the IE search provider is set to; this often gets hijacked by malware.
Which piece of malware did Malwarebytes identify?
0
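The hosts-file check suggested above (and repeated in a later reply) is easy to do by hand on a few lines, but a hijacked file can carry hundreds of entries. The following is an added example, not code from this thread or from any of the tools mentioned in it; it parses hosts-file text and flags the two patterns a defender cares about: a real hostname pinned to a non-loopback address (the redirect pattern) and a real hostname pinned to loopback (the pattern used to block security-vendor and update sites). The sample hosts content and the 192.0.2.x address are constructed for the example; the only assumption is that legitimate loopback entries are limited to the names in LOOPBACK_ONLY_HOSTS.

```python
import ipaddress
from pathlib import Path

# Constructed sample resembling a tampered hosts file (not taken from the thread).
# 192.0.2.0/24 is a documentation range, so nothing here points at a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below were not placed by the administrator
192.0.2.10      www.google.com
192.0.2.10      www.bing.com     # trailing comment is ignored by the parser
127.0.0.1       update.example-av.test
"""

# Names that legitimately map to a loopback address on a stock Windows box.
# Anything else mapped to loopback is treated as suspicious (assumption).
LOOPBACK_ONLY_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (line_no, address, [hostnames]) for each active entry.

    Comments (everything after '#') and blank lines are skipped, matching how
    the OS resolver treats the file.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; the resolver ignores it too
        entries.append((line_no, parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Return findings as (line_no, address, [hostnames], reason) tuples."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "unparseable address"))
            continue
        if addr.is_loopback:
            pinned = [h for h in names if h.lower() not in LOOPBACK_ONLY_HOSTS]
            if pinned:
                findings.append((line_no, address, pinned,
                                 "real hostname pinned to loopback (blocks the site)"))
        else:
            findings.append((line_no, address, names,
                             "hostname pinned to non-loopback address (possible redirect)"))
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Convenience wrapper for the live file; default path is the Windows location."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for line_no, address, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} -> {', '.join(names)}  [{reason}]")
```

Run it against the live file with `audit_hosts_file()`; on a clean machine it returns an empty list, since the stock file contains only commented-out loopback lines. Review findings rather than deleting blindly: an administrator may have added legitimate static entries, and the thread's own advice is to keep the loopback lines.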
 
raremindCommented:
Most likely it's a rootkit. Try this:
First:
Start > All Programs > Accessories > System Tools > Disk Cleanup. Keep all the automatically ticked items checked and delete all those files.

While this usually fixes it alone, still run this:

http://support.kaspersky.com/faq/?qid=208283363

This works about 85% of the time when I find a redirect in IE.

Let us know if it worked. If not I can suggest a few more things to try.
0
 
madhatter5501Commented:
Have you tried running Malwarebytes in Safe Mode with Networking?

When I have malware I run:

malwarebytes
superantispywareonline
ccleaner
tfc cleaner
rkill
hijackthis - be careful with this
autoruns
Microsoft's safety.live.com
defraggler
windows defrag
manually go through the rest of the temp files and delete
check the hosts file as mentioned above
0
 
younghvCommented:
Often redirectors are accompanied by rootkits.
You might want to start with TDSSKiller, found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue.
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Please do NOT delete any Temp files until you are sure the system is clean. Some variants of malware will 'move' folders from your profile into the Temp Directory.
0
 
phototropicCommented:
If you have run multiple scans which have found nothing, and your hosts file is OK, then there is also the possibility that your router may be infected. There is a good article about that here:

 http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_5327-Infected-router-Google-search-redirects-even-on-a-clean-system.html?sfQueryTermInfo=1+10+30+infect+router

The resolution is basically to reset the router. If you have any other PCs connected to the router, they should be cleaned too before a reset.

Good luck!!!
0
 
RebolAuthor Commented:
I checked hosts and found hundreds, so I deleted all but the 127.0.0.0.
I checked the search provider; it was set to Bing, but I disabled it anyway.
It is still being redirected.
I ran the TDSSKiller app and it found a couple of items, which it removed. I then did a reboot and it seemed to be OK, until after one more reboot it started redirecting again. I found a common file that was being found after several Kaspersky scans; it was an all-numeric named .exe file. It was in system32. I renamed it because it wasn't an exact match for the file found in Kaspersky, then reran Kaspersky. It didn't find any new threats, but I am still getting redirected.
I also was unable to uninstall AVG, so I tried to reinstall it, which failed as well (maybe a separate issue).
I have noticed that when I am being redirected it goes through "excelentsearchserver.com"; don't know if that helps. Yes, I did run Malwarebytes from Safe Mode; in fact I installed it from Safe Mode with Networking and did the update. Any more ideas?
0
 
RebolAuthor Commented:
Also I noticed that Malwarebytes wouldn't run anymore; it would error out. So I removed it and reinstalled it in regular mode. It installs fine and updates, but when you run it, it just disappears and doesn't actually scan.
0
 
RebolAuthor Commented:
I just found the file that Kaspersky detected in the Task Manager, but when I do a search for it in Windows it doesn't find a match. The file name is 3663438854.4183532581.exe
0
 
RebolAuthor Commented:
Correction: the file name is 3663438854:4183532581.exe
0
 
K_WilkeCommented:
Yes, the TDSSKiller will fix the redirection thing.
Thanks,
Kelly W.
0
 
K_WilkeCommented:
0
 
phototropicCommented:
@K_Wilke,

Please read the foregoing suggestions from experts. I already linked to rpg's article above.
0
 
rpggamergirlCommented:
Sounds like it comes with the ZeroAccess rootkit as well.
Download and run AntiZeroAccess; if it doesn't find the infection, run ComboFix.
HitmanPro also claims to detect and remove ZeroAccess, but I haven't used it personally. Let us know if tools won't run.

1. Download AntiZeroAccess to Desktop
http://anywhere.webrootcloudav.com/antizeroaccess.exe

Double-click on it to run it (if running Vista or Windows 7, right-click on it and select "Run as Administrator").
Type y and press Enter to run the scan.


2. HitmanPro:
http://www.surfright.nl/en/downloads


3. ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

STOP all your monitoring programs (antivirus/antispyware, guards and shields) as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
Sudeep SharmaTechnical DesignerCommented:
You have already tried TDSSKiller but have you tried FixTDSS.exe as suggested by Younghv above? (ID: 36491806)
0
 
RebolAuthor Commented:
ComboFix did it, thanks.
0