IE Redirector

Posted on 2011-09-06
Medium Priority
Last Modified: 2013-11-22
Ok, I'm gonna try to make a long story short. I have a client that got some malware on their PC. It made all their files disappear. I ran Malwarebytes, which found a few items. I ran unhide to get the files to reappear, and I copied the start menu files back to the proper location from appdata\temp\smtmp etc. All seems good except that they still have some kind of redirector on their PC. Searches and even directly typing in URLs get redirected. I have checked to see if the malware had put in any proxy settings, but it doesn't appear so. So, getting to the point, how do I remove an IE redirector? I have run a few more scans from Malwarebytes and not found anything.
Question by: Rebol
LVL 15

Expert Comment

ID: 36491726
Check C:\Windows\System32\Drivers\Etc\Hosts to ensure no foreign host entries have been added.
Check what the IE search provider is set to - this often gets hijacked by malware.
Which piece of malware did Malwarebytes identify?
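One way to do the hosts-file check suggested above, as an added example that is not from the thread or any expert's reply: it parses the file, accepts only the default loopback lines, and reports both redirect-style entries (a site pinned to some other address) and non-default names pinned to loopback (the usual trick for blocking AV or update servers). The hosts path is the one named in the reply and the sample file content is constructed.

```python
import ipaddress
from pathlib import Path

# Windows default location, as named in the reply above (assumed to exist on the reader's box).
HOSTS_PATH = Path(r"C:\Windows\System32\Drivers\Etc\Hosts")
# Names a clean hosts file may legitimately map to a loopback address.
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active line, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            yield line_no, parts[0], [n.lower() for n in parts[1:]]


def suspicious_entries(text):
    """Return (line_no, address, name, reason) for every entry a clean file lacks:
    a name sent to a non-loopback address (redirect) or a non-default name
    pinned to loopback (blocks AV / Windows Update hosts)."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name in DEFAULT_LOCAL_NAMES:
                continue
            reason = ("non-default name pinned to loopback" if addr.is_loopback
                      else "name redirected to non-loopback address")
            findings.append((line_no, ip, name, reason))
    return findings


# Constructed sample of a tampered hosts file (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.9     www.google.com   # injected: search redirect
203.0.113.9     www.bing.com
127.0.0.1       update.microsoft.com   # injected: blocks updates
"""

if __name__ == "__main__":
    text = HOSTS_PATH.read_text(errors="replace") if HOSTS_PATH.exists() else SAMPLE_HOSTS
    for line_no, ip, name, reason in suspicious_entries(text):
        print(f"line {line_no}: {ip:<16} {name:<28} {reason}")
```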

Expert Comment

ID: 36491752
Most likely it's a rootkit. Try this:
Start > All Programs > Accessories > System Tools > Disk Cleanup. Keep all the automatically ticked items checked and delete all those files.

While this usually fixes it alone, still run this:

This works about 85% of the time when I find a redirect in IE

Let us know if it worked. If not I can suggest a few more things to try.
LVL 11

Expert Comment

ID: 36491757
Have you tried running Malwarebytes in safe mode with networking?

When I have malware I run:

TFC cleaner
HijackThis (be careful with this)
Windows defrag
Manually go through the rest of the temp files and delete
Check the hosts file as mentioned above
LVL 38

Expert Comment

ID: 36491806
Often redirectors are accompanied by rootkits.
You might want to start with TDSSKiller, found here:

* Download the file and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...
Please post the log to be analyzed.

You can also try FixTDSS.exe from Symantec:

Please do NOT delete any Temp files until you are sure the system is clean. Some variants of malware will 'move' folders from your profile into the Temp Directory.
LVL 23

Expert Comment

ID: 36491968
If you have run multiple scans which have found nothing, and your hosts file is OK, then there is also the possibility that your router may be infected. There is a good article about that here:

The resolution is basically to reset the router. If you have any other PCs connected to the router, they should be cleaned too before a reset.

Good luck!!!

Author Comment

ID: 36492452
I checked hosts and found hundreds, so I deleted all but the
I checked the search provider; it was set to Bing but I disabled it anyway.
It is still being redirected.
I ran the TDSSKiller app and it found a couple of items, which it removed. I then did a reboot and it seemed to be OK until, after one more reboot, it started redirecting again. I found a common file that was being found after several Kaspersky scans; it was an all-numeric named .exe file. It was in system32. I renamed it because it wasn't an exact match for the file found by Kaspersky, then reran Kaspersky. It didn't find any new threats, but I am still getting redirected.
I also was unable to uninstall AVG, so I tried to reinstall it, which failed as well (maybe a separate issue).
I have noticed that when I am being redirected it goes through "", don't know if that helps. Yes, I did run Malwarebytes from safe mode; in fact I installed it from safe mode with networking and did the update. Any more ideas?

Author Comment

ID: 36492461
Also I noticed that Malwarebytes wouldn't run anymore; it would error out. So I removed it and reinstalled it in regular mode. It installs fine and updates, but when you run it, it just disappears and doesn't actually scan.

Author Comment

ID: 36492472
I just found the file that Kaspersky detected in Task Manager, but when I do a search for it in Windows it doesn't find a match. The file name is 3663438854.4183532581.exe

Author Comment

ID: 36492485
Correction: the file name is 3663438854:4183532581.exe

Expert Comment

ID: 36492493
Yes, the TDSSKiller will fix the redirection thing.
Kelly W.

Accepted Solution

K_Wilke earned 2000 total points
ID: 36492504
LVL 23

Expert Comment

ID: 36492512

Please read the foregoing suggestions from experts.  I already linked to rpg's article above.
LVL 47

Expert Comment

ID: 36495109
Sounds like it comes with the ZeroAccess rootkit as well.
Download and run AntiZeroAccess; if it doesn't find the infection, run ComboFix.
HitmanPro also claims to detect and remove ZeroAccess, but I haven't used it personally. Let us know if the tools won't run.

1. Download AntiZeroAccess to Desktop

Double click on it to run it (if running Vista or Windows 7, right click on it and select "Run as an Administrator").
Type y and press Enter to run the scan.

2. HitmanPro:

3. ComboFix by sUBs:

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ComboFix tutorial:
LVL 30

Expert Comment

by: Sudeep Sharma
ID: 36499279
You have already tried TDSSKiller but have you tried FixTDSS.exe as suggested by Younghv above? (ID: 36491806)

Author Closing Comment

ID: 36593875
The combofix did it, thanks.
