In IE, I sometimes get redirected to sites where I don't want to go.

+
0 Votes
Locked

jimepdx
I'm using IE7 on XP Pro SP3, but have the same problem when I use Firefox.

Here's an example of what happens: I go to www.microsoft.com, and click on the link to Microsoft updates. My computer brings me to www.google.com.

It's acting like I got infected by some virus, but I've scanned the computer with 3 different anti-virus programs, and nothing was found.

Any suggestions?
  • +
    0 Votes
    ThumbsUp2

    You've got one or more of the browser redirecting virus/malware/spyware.

    How long has it been since you ran a FULL system scan while in Safe Mode? Never? Time to start.

    +
    0 Votes
    Jacky Howe

    Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers.

    Removing malware from System Restore points
    To remove the malware, you must first disable System Restore, then scan the system with up-to-date antivirus software - allowing it to clean, delete, or quarantine any viruses found. After the system has been disinfected, you may then re-enable System Restore. The steps for disabling System Restore vary, depending on whether the default Start Menu or the Classic Start Menu is being used.

    Default Start Menu XP
    If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".

    Classic Start Menu XP
    If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".

    Vista
    Start, right mouse click Computer and select Properties. Select Advanced System Properties, click Continue and then System Protection. Untick the box next to Local Disk C: and click on Turn System Restore off.


    After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

    Click Start, Run, type msconfig and press Enter.

    Now if you have the Configuration Utility open.
    Configure selective startup options
    In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
    Click to clear the Process SYSTEM.INI File check box.
    Click to clear the Process WIN.INI File check box.
    Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
    Click the Services tab.
    Click to select the Hide All Microsoft Services check box.
    Click Disable All, and then click OK.
    When you are prompted, save the settings and restart the PC.
    When the System is disinfected re-run the Configuration Utility and in the System Configuration Utility dialog box, click the General tab, and then click Normal Startup.

    Download Malwarebytes Anti-Malware, install it and update it.

    Click this link: malwarebytes (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)


    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.

    I would keep scanning with it until it is clean by closing out and rebooting and running it again.

    Just to be on the safe side when you finish do an online scan with Bitdefender. Or Google for an online scanner.

    Click this link: bitdefender (http://www.bitdefender.com/scan8/ie.html)

    If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM.

    From another PC download and install Spybot, update it and copy the installed folders to a USB stick.

    Restart the PC in Safe Mode, navigate to the USB stick and run Spybot.

    Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

    With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.

    Also run this Rootkit Revealer GMer

    Click this: gmer (http://www.gmer.net/index.php)

    FAQ

    Click this link: http://www.gmer.net/faq.php

    BleepingComputer
    Click this: bleepingcomputer (http://www.bleepingcomputer.com/malware-removal/)

    How to check the Host file

    Step 1: Click the Start button and select Run. Now type the following text in that Run box and press Enter:

    notepad c:\WINDOWS\system32\drivers\etc\hosts

    Step 2: You will see a new notepad window on your screen containing some information. You should have a single entry of 127.0.0.1 localhost. If there are any other entries in there it means that those sites are being blocked and it is probably due to an infection.

    If it is the DNS changer fixwareout will remove this.

    http://download.bleepingcomputer.com/lonny/Fixwareout.exe

    The DNSChanger trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan. As a result of this change a victim's computer will contact the newly assigned DNS server to resolve names of different webservers. And some of the resolved names will not point to legitimate websites - they will point to fake websites that look like real ones, but are created to steal sensitive information (like credit card numbers, logins and passwords).

    VARIANT: Trojan.Win32.DNSChanger.al

    Update your Antivirus software.
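
An added example, not part of Jacky Howe's post: the hosts-file check from Step 2 and the DNSChanger 'NameServer' check written as a script. It goes slightly beyond the post by separating entries that block a site (pointing at loopback) from entries that redirect it. The sample file contents, host names, addresses and function names are constructed for illustration, and the comma- or space-separated NameServer format is an assumption.

```python
import ipaddress
import re

# Constructed sample: the stock entry plus lines an infection might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # site blocked
203.0.113.7     www.example-bank.test www.example-search.test
not-an-ip       broken.test
"""

def audit_hosts(text):
    """Return (line_no, address, name, reason) for every entry other
    than a loopback address mapped to 'localhost'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        addr, *names = entry.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, " ".join(names), "malformed"))
            continue
        for name in names:
            if ip.is_loopback and name.lower() == "localhost":
                continue  # the single entry a clean file should have
            blocked = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, addr, name,
                             "blocked" if blocked else "redirected"))
    return findings

def audit_nameservers(value, expected):
    """Split a 'NameServer' string (assumed comma- or space-separated)
    and return the resolvers that are not in the expected set."""
    servers = [s for s in re.split(r"[,\s]+", value.strip()) if s]
    return [s for s in servers if s not in expected]

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    # Constructed values: one router address, one unexpected resolver.
    print(audit_nameservers("192.168.1.1,198.51.100.53", {"192.168.1.1"}))
```

To check a real machine, pass the contents of c:\WINDOWS\system32\drivers\etc\hosts to audit_hosts and the 'NameServer' value, with the resolvers you expect, to audit_nameservers.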

    +
    0 Votes
    jimepdx

    Thanks, Jacky. Sounds like it might take a while, but it'll be worth it.

    Jim

    +
    0 Votes
    Jacky Howe

    but once you do it a couple of times it gets easier. Good Luck.
