Stubborn IE Browser Redirect

PorterComp (Member, Mississippi)
Hi All, need a little help. It's not normal that I can't clean a machine, however this one is kicking my arse. A few weeks ago it had 'something' on it making it bluescreen, I ran system restore and it came up fine. As this was one of my business clients' machines I left it at that instead of doing a proper clean. A couple of weeks went by and all was well, then the client calls and says he can hear "talk radio" over the speakers and IE would just close for no reason and when you click on a link it redirects somewhere else. You can put a link in the address bar and it goes just fine, but links redirect.

I have Run combofix, malwarebytes, roguefix, a couple rootkit fixers, spyware s&d, spyware term, ccleaner, hijackthis, autoruns, AVG and Kaspersky rescue discs, ATF Cleaner, and went digging through the registry and files and removed anything that I thought might have been causing that problem, but it still exists. I have found quite a bit of stuff and removed it, however I still have the original problem.

Ideas?
 
Sounds like it may be DNS related. Many times infections will change the systems DNS as to redirect you somewhere else. Check the properties of the network adapter and make sure they are correct. Also check in IE to see if the option to use a proxy server is turned on under "LAN Settings" on the "Advanced" tab.

Also, verify that the hosts file is intact; if not, reset it:

http://support.microsoft.com/kb/972034
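The three checks suggested in this reply (adapter DNS servers, the IE proxy/PAC setting, and the hosts file) can be pulled into one triage pass. The script below is an added example, not code from the thread or from any of the tools named in it; the `$KnownGoodDns` list is an assumption and should be replaced with the client's actual resolvers. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread). Triage of the three redirect
# vectors named above: per-adapter DNS servers, IE proxy / PAC settings, and
# non-default hosts file entries. Run elevated.
$KnownGoodDns = @('192.168.1.1', '8.8.8.8')   # ASSUMPTION: replace with the site's real resolvers

Write-Host '== DNS servers per IP-enabled adapter =='
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $servers = @($_.DNSServerSearchOrder)
        # Flag any resolver that is not on the expected list (malware often
        # points the adapter at an attacker-controlled DNS server).
        $unexpected = $servers | Where-Object { $KnownGoodDns -notcontains $_ }
        $flag = if ($unexpected) { '  <-- UNEXPECTED' } else { '' }
        "{0}: {1}{2}" -f $_.Description, ($servers -join ', '), $flag
    }

Write-Host '== IE proxy settings (HKCU) =='
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable   : $($ie.ProxyEnable)"
"ProxyServer   : $($ie.ProxyServer)"
"AutoConfigURL : $($ie.AutoConfigURL)"   # a PAC script can redirect selectively, so check it too
if ($ie.ProxyEnable -eq 1 -or $ie.AutoConfigURL) {
    Write-Warning 'A proxy or PAC URL is configured; confirm it is intentional.'
}

Write-Host '== hosts file entries other than the default localhost line =='
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { "  $_" }
# A hosts file that has been set hidden or read-only is itself a warning sign.
"hosts attributes: $((Get-Item $hosts -Force).Attributes)"
```

If all three sections come back clean, as the original poster reported, the redirect is being done somewhere other than name resolution or the proxy path, which is the point the next reply makes.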
 
Checked, DNS is fine. Checked IE settings, they are default.

When I go to IE, Advanced tab, then "Reset" it gives me the error message "Before you can reset IE settings, you must first close other open windows and programs". I can close the browser and go to Control panel IE options and reset then.

However, I have to close IE from Task Manager as there seems to be another iexplore.exe running even after closing the windows...I'm assuming this is some kind of malware as well. Hopefully this might help?
 
I believe if DNS or the hosts file were the issue it would not only affect links but also typing directly in the address bar.

Sounds to me like you're missing either a rogue DLL or infected legitimate DLL in \Windows\System32 possibly loaded as a service. I've seen these hook into the OS and intercept hyperlink clicks, but not direct typing in the address bar.

Just a thought...
 
Failing Protech's advice, can you post your HijackThis log? Or even better, use OTL, as HijackThis is a little outdated now.
 
Two things to try:

  1. Absolutely run TDSSKiller if you have not already. This is a hallmark symptom of TDL4.
  2. Run an OTL scan and ensure you aren't dealing with a more recent variant of -- surprise! -- Vundo, which likes to take legitimate service names and create a like-named DLL which actually is Vundo instead.
  3. Command Prompt as admin > ipconfig /flushdns

Let me know if you want me to look over your OTL log for you.
 
I think I got it now. Thanks to the OTL recommendation, I hadn't heard of that one. Great tool.

After running OTL I found several files that were created recently in the System32 folder. Stuff like srchsts.exe, iedfix.c.exe, o4patch.exe, agent.omz.fix.exe. All these files had old modified dates, but recent (today) created dates. I found a few others in other folders and empty folders that were created today as well. I removed all that stuff and things seem to be running OK for now. I'll know after a couple of reboots and plenty of testing. If it resurfaces, then I'll let you guys/gals know.

Thanks for all your help!
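The "old modified date, recent created date" pattern the poster spotted in OTL is a useful hunt on its own: copying a file onto the system keeps its original last-write time but stamps a fresh creation time. The script below is an added example, not code from the thread or from OTL; it lists System32 binaries created in the last `$Days` days (the default of 3 is an assumption) whose last-write time is older than their creation time, shows their Authenticode status, and then cross-checks the service registry keys (the "rogue DLL loaded as a service" idea from the earlier reply) for any ImagePath or ServiceDll that points at one of them. Hotfixes and installers copy files the same way, so treat the output as a review list, not a verdict.

```powershell
# Added example (not from the original thread). Hunt for recently created
# System32 binaries carrying older modified dates, and for services that load
# them. Run elevated. $Days is an assumed default lookback window.
param([int]$Days = 3)

$sys32  = Join-Path $env:SystemRoot 'System32'
$cutoff = (Get-Date).AddDays(-$Days)

# A file whose LastWriteTime is older than its CreationTime was copied or
# dropped with its original timestamp; recent CreationTime narrows it to new arrivals.
$suspect = Get-ChildItem $sys32 -Include *.exe, *.dll, *.sys -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff -and $_.LastWriteTime -lt $_.CreationTime.AddHours(-1) } |
    Sort-Object CreationTime -Descending

Write-Host "== System32 binaries created since $cutoff with older modified dates =="
$suspect | ForEach-Object {
    $sig = (Get-AuthenticodeSignature $_.FullName).Status   # Valid / NotSigned / HashMismatch ...
    "{0,-19:yyyy-MM-dd HH:mm} {1,-19:yyyy-MM-dd HH:mm} {2,-13} {3}" -f $_.CreationTime, $_.LastWriteTime, $sig, $_.FullName
}

Write-Host '== Services whose ImagePath or ServiceDll names one of the files above =='
# Match on file name, since ImagePath values use several root spellings
# (\SystemRoot\..., %SystemRoot%\..., C:\WINDOWS\...) and may carry arguments.
$names = @($suspect | ForEach-Object { $_.Name.ToLower() })
if ($names.Count -gt 0) {
    Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath
        $dll = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        foreach ($path in @($svc.ImagePath, $dll)) {
            if (-not $path) { continue }
            $lower = [Environment]::ExpandEnvironmentVariables($path).ToLower()
            foreach ($n in $names) {
                if ($lower -like "*\$n*") { "{0}: {1}" -f $_.PSChildName, $path }
            }
        }
    }
}
```

A service that maps to an unsigned, freshly created DLL under a legitimate-looking name is exactly the Vundo-style substitution described two replies up; a clean service list with the files still present points back toward a rootkit hiding the real loader, which is what TDSSKiller later found on this machine.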
 
Well, after many reboots and tests, it looked like it was OK. I shut the machine down, moved it, put it back in place. Then I ran TDSSKiller and it found a rootkit. Rebooted and all seems fine... for now. We'll see how the day goes. Thanks for your help! Crazy.
 
FWIW, I was seeing TDSS rootkits on about every 5th XP machine for a short time. I decided to add TDSSkiller to my standard set of tools. It's a one minute scan and is worth knowing that it's not there. (Same with running a quick check with CrystalDisk/HDTune for the hard drive)
 