
Intermittent browser redirects

June 6, 2010 10:36:05 PM

I have the most persistent browser redirect issue I have ever experienced. I have run scans with Spyware Doctor, Superantispyware, MalwareBytes and Symantec antivirus. Nothing cleans this out. A couple of the scanners required reboots to remove particular files, but the problem keeps coming back.

I have done all the typical spyware removal processes:
ccleaner (cleaned out everything)
hijackthis, nothing in the log I don't recognize
process explorer, no unknown processes running, not even anything disguised
manually searched the %profile% application data, local settings folders, searched the system32 and all the temp folders

There are no processes running that shouldn't be, and there is nothing out of the ordinary in the startup or services (msconfig).

I am absolutely stumped. I am using Avant Browser, which is essentially an IE shell.

Basically the problem is that I will get these redirects, usually about 3-4 in a row, then I can browse normally for a while, then 3-4 redirects in a row again. Happens in Firefox too.

If anyone has some suggestions on additional software or processes I would appreciate it.

The redirects send the browser off to one of the following, bogus searches which then redirect to a random advertising site of one form or another.

June 7, 2010 12:37:51 AM

Disable system restore, run all your scans, then enable it again. It could be some of the infections are hiding in restore points and keep restoring themselves after you delete/disable them.

Best solution

Anonymous
June 7, 2010 10:49:51 AM

Try ComboFix.
June 7, 2010 4:59:42 PM

What a freaking nightmare this was. Turns out to be a rootkit disguised as an svchost.exe process. I also ran Dr. Web standalone June 6 ver, Security Task Manager and dds.scr and gmer.exe for auditing. Nada!

Running Combofix from Safe Mode seems to have done the trick.
Files involved seemed to be:
c:\windows\system32\4190609439.dat
c:\windows\system32\st322000.dll
c:\windows\system32\drivers\dmload.sys

Very nasty piece of work this one. Thanks for the help.

P.S. (As for the suggestion to disable system restore: I don't use system restore personally, but if I did, disabling it and then accidentally deleting some system file while hunting this malware down, or having a scanner make some sort of irreparable change, would leave you in a pickle. The better advice would be to disable/flush previous restore points once the problem was eradicated, then enable it again. I use Acronis and have external backups, which I find more reliable than Windows system restore.)
June 7, 2010 5:00:42 PM

Best answer selected by canadian69.
June 7, 2010 7:06:13 PM

Exactly the reason I'm grabbing an external to pull data before doing malware scans from just in case... lol. Glad to hear you got it going. Only thing about Combofix is that I've heard it may potentially take out important things. So while it worked, I would only do it as a last resort, though sounds like you were about there anyway.