Solved

IE Redirector

Posted on 2011-09-06
Last Modified: 2013-11-22
OK, I'm gonna try to make a long story short. I have a client that got some malware on their PC. It made all their files disappear. I ran Malwarebytes, which found a few items. I ran unhide to get the files to reappear, and I copied the start menu files back to the proper location from appdata\temp\smtmp etc. All seems good except that they still have some kind of redirector on their PC. Searches and even directly typed-in URLs get redirected. I have checked to see if the malware had put in any proxy settings, but it doesn't appear so. So, getting to the point, how do I remove an IE redirector? I have run a few more scans from Malwarebytes and not found anything.
Question by:Rebol
15 Comments
 
Expert Comment by:WalkaboutTigger
ID: 36491726
Check C:\Windows\System32\Drivers\Etc\Hosts to ensure no foreign host entries have been added.
Check what the IE search provider is set to - this often gets hijacked by malware.
Which piece of malware did Malwarebytes identify?
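A way to do the hosts-file check above with a script rather than by eye, added here as an example and not part of the thread: it parses hosts-file text, flags every name mapped to a non-loopback address (a redirect entry), and measures the longest run of blank lines, since hijack entries are often pushed below many blank lines. The sample hosts content, the 198.51.100.23 address and the hostnames in it are constructed.

```python
import ipaddress
import re

# Constructed sample hosts file for this example (not the one from the thread):
# stock loopback entries, one harmless user-added line, then hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-tracker.test   # user-added ad blocker entry


198.51.100.23   www.google.com google.com
198.51.100.23   www.bing.com
198.51.100.23   www.malwarebytes.org
"""

COMMENT = re.compile(r"#.*$")

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each mapping line; comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue
        ip, *names = line.split()
        yield line_no, ip, names

def is_local(ip):
    """Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, used by ad-blocking hosts files)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: do not treat it as local
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text):
    """Every mapping that sends a hostname to a non-local address. That is the
    shape of a redirect entry: the name resolves, but to a host the attacker
    controls instead of the real site."""
    return [(n, ip, names) for n, ip, names in parse_hosts(text) if not is_local(ip)]

def longest_blank_run(text):
    """Longest run of blank lines. Hijack entries are often pushed below many
    blank lines so they are out of view when the file is opened in Notepad."""
    best = run = 0
    for raw in text.splitlines():
        run = run + 1 if not raw.strip() else 0
        best = max(best, run)
    return best
```

Run it against C:\Windows\System32\Drivers\Etc\Hosts by passing the file's contents to suspicious_entries; a mapping for a search engine, an AV vendor or a bank to anything but loopback is the entry to remove.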
 
Expert Comment by:raremind
ID: 36491752
Most likely it's a rootkit. Try this:
First:
Start > All Programs > Accessories > System Tools > Disk Cleanup. Keep all the automatically ticked items checked and delete all those files.

While this usually fixes it alone, still run this:

http://support.kaspersky.com/faq/?qid=208283363

This works about 85% of the time when I find a redirect in IE.

Let us know if it worked. If not I can suggest a few more things to try.
 
Expert Comment by:madhatter5501
ID: 36491757
Have you tried running Malwarebytes in safe mode with networking?

When I have malware I run:

Malwarebytes
SUPERAntiSpyware online
CCleaner
TFC cleaner
RKill
HijackThis - be careful with this
Autoruns
Microsoft's safety.live.com
Defraggler
Windows defrag
Manually go through the rest of the temp files and delete
Check the hosts file as mentioned above
 
Expert Comment by:younghv
ID: 36491806
Often re-directors are accompanied by rootkits.
You might want to start with TDSSKiller, found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue.
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe
***********

Please do NOT delete any Temp files until you are sure the system is clean. Some variants of malware will 'move' folders from your profile into the Temp Directory.
 
Expert Comment by:phototropic
ID: 36491968
If you have run multiple scans which have found nothing, and your hosts file is OK, then there is also the possibility that your router may be infected.  There is a good article about that here:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_5327-Infected-router-Google-search-redirects-even-on-a-clean-system.html?sfQueryTermInfo=1+10+30+infect+router

The resolution is basically to reset the router. If you have any other PCs connected to the router, they should be cleaned too before a reset.

Good luck!!!
 

Author Comment by:Rebol
ID: 36492452
I checked hosts and found hundreds, so I deleted all but the 127.0.0.0.
I checked the search provider; it was set to Bing, but I disabled it anyway.
It is still being redirected.
I ran the TDSSKiller app and it found a couple of items, which it removed. I then did a reboot and it seemed to be OK until after one more reboot it started redirecting again. I found a common file that was being found after several Kaspersky scans; it was an all-numeric named .exe file. It was in system32. I renamed it because it wasn't an exact match for the file found in Kaspersky, then reran Kaspersky. It didn't find any new threats, but I am still getting redirected.
I also was unable to uninstall AVG, so I tried to reinstall it, which failed as well (maybe a separate issue).
I have noticed that when I am being redirected it goes through "excelentsearchserver.com"; don't know if that helps. Yes, I did run Malwarebytes from safe mode; in fact I installed it from safe mode with networking and did the update. Any more ideas?
 

Author Comment by:Rebol
ID: 36492461
Also I noticed that Malwarebytes wouldn't run anymore; it would error out. So I removed it and reinstalled it in regular mode. It installs fine and updates, but when you run it, it just disappears and doesn't actually scan.
 

Author Comment by:Rebol
ID: 36492472
I just found the file that Kaspersky detected in the Task Manager, but when I do a search for it in Windows it doesn't find a match. The file name is 3663438854.4183532581.exe
 

Author Comment by:Rebol
ID: 36492485
Correction: the file name is 3663438854:4183532581.exe
 
Expert Comment by:K_Wilke
ID: 36492493
Yes the TDSSKiller will fix the redirection thing.
Thanks,
Kelly W.
 
Accepted Solution by:K_Wilke (earned 2000 total points)
ID: 36492504
 
Expert Comment by:phototropic
ID: 36492512
@K_Wilke,

Please read the foregoing suggestions from experts.  I already linked to rpg's article above.
 
Expert Comment by:rpggamergirl
ID: 36495109
Sounds like it comes with the ZeroAccess rootkit as well.
Download and run AntiZeroAccess; if it doesn't find the infection, run ComboFix.
HitmanPro also claims to detect and remove ZeroAccess, but I haven't used it personally. Let us know if tools won't run.

1. Download AntiZeroAccess to Desktop
http://anywhere.webrootcloudav.com/antizeroaccess.exe

Double click on it to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
Type y and press enter to run the scan


2. HitmanPro:
http://www.surfright.nl/en/downloads


3. ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
Expert Comment by:Sudeep Sharma
ID: 36499279
You have already tried TDSSKiller but have you tried FixTDSS.exe as suggested by Younghv above? (ID: 36491806)
 

Author Closing Comment by:Rebol
ID: 36593875
The combofix did it, thanks.