Posted 15 November 2010 - 04:50 PM
Hello all, long time viewer here, not (m)any posts. Most of the time our 2-man team is able to figure out our problems on our own, with the help of a tool or two, like rkill and MAM. Still we lurk here for specific tips and just to see what the current procedures are, in case we miss something.
With that said, we've run into a bit of a pickle. Thankfully this wasn't a critical system, or even one that had data we had to worry about. We started getting redirected to random web sites every time we clicked a link, using both IE and Firefox. After our standard gauntlet of cleaning tools, and a good look at the HJT log, it seemed to be clean, but we still got redirected on EVERY link we clicked.
Not wanting to waste time trying to clean an infected system, we tried a format/reinstall. Still got redirected. Then my partner here got a little frustrated. He turned off the modem and router, erased all the partitions on the drive, erased and re-created the MBR, and then used a tool to write zeros to the drive. Then he powered everything off, disconnected the hard drive, and flashed the BIOS to the latest version.
Then he reconnected the hard drive and did a clean install of Windows 7 32-bit using the Dell disk that came with the system. On the first boot, the start page was Dell's MSN page. He clicked the address bar and entered "www.google.com", Google's page came up, and he searched "combofix". Then he clicked the link to "A guide and tutorial on using ComboFix" and was redirected to some survey site. Subsequent searches were all redirected to somewhere else.
This one has us perplexed. Where could the problem be coming from? The router it's behind is a Linksys WRT54G. The Windows 7 firewall is on. Nothing was installed. After this, we installed MWB, but it wouldn't let us update. We ran rkill, and it showed nothing. We did a full scan with the Trend Internet Security that we bought, and it comes back clean. We checked the hosts file; it looks normal.
Any help would be appreciated; the only problem is I don't currently have direct access to the machine. Any requested logs or scans will take a couple of days to get back, but we're not that concerned with having someone fix it for us. We'd rather know if anyone has ever seen this type of behavior, and if so, what the cause was.