Intermittent browser redirects

canadian69

Distinguished
May 1, 2010
I have the most persistent browser redirect issue I have ever experienced. I have run scans with Spyware Doctor, Superantispyware, MalwareBytes and Symantec antivirus. Nothing cleans this out. A couple of the scanners required reboots to remove particular files, but the problem keeps coming back.

I have done all the typical spyware removal processes:
ccleaner (cleaned out everything)
hijackthis, nothing in the log I don't recognize
process explorer, no unknown processes running, not even anything disguised
manually searched the %profile% application data, local settings folders, searched the system32 and all the temp folders

There are no processes running that shouldn't be, there is nothing out of the ordinary in the startup or services (msconfig).

I am absolutely stumped. I am using Avant Browser which is essentially an IE shell.

Basically the problem is that I will get these redirects, usually about 3-4 in a row, then I can browse normally for a while, then 3-4 redirects in a row again. Happens in Firefox too.

If anyone has some suggestions on additional software or processes I would appreciate it.

The redirects send the browser off to one of the following, bogus searches which then redirect to a random advertising site of one form or another.


canadian69

What a freaken nightmare this was. Turns out to be a rootkit disguised as svchost.exe process. I also ran Dr. Web standalone June 6 ver, Security Task Manager and dds.scr and gmer.exe for auditing. Nada!

Running Combofix from safemode seems to have done the trick.
Files involved seemed to be:
c:\windows\system32\4190609439.dat
c:\windows\system32\st322000.dll
c:\windows\system32\drivers\dmload.sys

Very nasty piece of work this one. Thanks for the help.

P.S. (as for the suggestion to disable system restore, I don't use system restore personally, but if I did, disabling it and then accidentally deleting some system file while hunting this malware down, or having a scanner make some sort of irreparable change, would leave you in a pickle. The better advice would be to disable/flush previous restore points once the problem was eradicated, then enable it again. I use Acronis and have external backups, which I find more reliable than Windows system restore.)
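As an added check that is not part of the thread: the rootkit above hid behind the name svchost.exe and dropped files into System32, so a quick defender-side triage is to compare every running svchost.exe against the real System32 binary, verify its Authenticode signature, and look for the files the poster listed. The three file paths come from the post above; the script itself is an added example and assumes a modern Windows PowerShell run as Administrator.

```powershell
# Added example, not from the thread. Flags svchost.exe processes that do not
# run from the genuine System32 binary or fail signature checks, then reports
# whether the files named in the post are present. Run as Administrator.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    $path = $null
    # MainModule can throw (access denied) for some SYSTEM processes; treat
    # an unreadable path as worth a manual look rather than silently skipping.
    try { $path = $p.MainModule.FileName } catch { }
    $status = 'Unknown'
    if ($path) {
        $status = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    [pscustomobject]@{
        PID        = $p.Id
        Path       = $path
        Signature  = $status
        # -ne is case-insensitive in PowerShell, so drive-letter casing is fine.
        Suspicious = (-not $path) -or ($path -ne $expected) -or ($status -ne 'Valid')
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Files the poster found. Presence alone is not proof of infection
# (dmload.sys is also a legitimate driver name), and catalog-signed Windows
# files may report NotSigned on older systems, so treat a hit as a prompt to
# compare the file against a known-clean copy, not as a verdict.
$suspectFiles = @(
    "$env:SystemRoot\System32\4190609439.dat",
    "$env:SystemRoot\System32\st322000.dll",
    "$env:SystemRoot\System32\drivers\dmload.sys"
)
foreach ($f in $suspectFiles) {
    if (Test-Path $f) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        "{0}: present, signature {1}" -f $f, $sig.Status
    } else {
        "{0}: not found" -f $f
    }
}
```

A kernel-mode rootkit can hide its process and files from user-mode tools like this one, which is why the poster's scans from a normal boot found nothing and the Safe Mode run finally worked; a clean result here is not a clean bill of health.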

ohiou_grad_06

Distinguished
Dec 19, 2006
Exactly the reason I'm grabbing an external to pull data before doing malware scans from just in case...lol Glad to hear you got it going. Only thing about Combofix is that I've heard it may potentially take out important things. So while it worked, I would only do it as a last resort, though sounds like you were about there anyway.