Jump to content
Sign in to follow this  
jaberwacky

Well hidden redirect virus...

Recommended Posts

jaberwacky

As the title suggests I am trying to remove a particularly well hidden redirect virus on my sister's computer. I looked to see if IE were set up to use a proxy, performed a malwarebytes scan, and a MSSE scan. I looked through the program files and other various folders for anything suspicious. Anyone care to hint how I might find this malware?

Oops, forgot info: Eee PC, WindowsXP 32, need more?

Edited by LaCastiglione

Share this post


Link to post
Share on other sites
kaotkbliss

I can't remember what I had used on my GF's pc not that long ago, but it led me to check the partitions on her HDs

Sure enough, there was a seperate 10MB partition on the main HD that was set to active and boot and this is where the virus resided.

I had to delete that partition, re-adjust the old partition, then reinstall windows to fix it to boot correctly.


010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!

Share this post


Link to post
Share on other sites
jaberwacky

Oh sweet geebus. I hope that aint it but thanks for the heads up!

That reminded me that when this comp boots up it says "Atheros boot agent". That might be it. Never heard of this Atheros stuff.

Edited by LaCastiglione

Share this post


Link to post
Share on other sites
kaotkbliss

Just googled Atheros boot agent, apparently it's for wireless laptop cards.


010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!

Share this post


Link to post
Share on other sites
dany

Atheros is the company that produced the wireless chipset. I've got an Atheros WiFi as well, but Atheros boot agent is afaik only common in Linux distro's... WindowsXP 32 you said? I'd definetely check this out.


[center]Spiderskank Spiderskank[/center]GetOpt Parse command line options UDF | AU3Text Program internationalization UDF | Identicon visual hash UDF

Share this post


Link to post
Share on other sites
jaberwacky

I have three partitions on this machine. ONe is the C: drive that we all know and love. The other two are an unlabeled EFI system Partition and the other is an Unknown Partition labeled PE. I think these are common on the Eee PCs. Could there be hidden partitions?

Share this post


Link to post
Share on other sites
jaberwacky

ComboFix.exe has taken care of the issue. It was suggested that a rootkit had taken hold of the computer but I'm not sure since I didn't go through every line of the log file! Thanks for the suggestions!

Share this post


Link to post
Share on other sites
trancexx

Redirecting to what, if it's not secret?


♡♡♡

.

eMyvnE

Share this post


Link to post
Share on other sites
jaberwacky

Certainly does just sound like a browser hijacking.

Did you even run hijackthis?

Yes.

Redirecting to what, if it's not secret?

The websites were different every time.

Share this post


Link to post
Share on other sites
jaberwacky

How about posting your logfile?

Because I went through it and nothing stood out. Besides, I think the problem has been fixed. Thanks for offering to research my logfile though. I really do appreciate it.

Share this post


Link to post
Share on other sites
Tripredacus

I can't remember what I had used on my GF's pc not that long ago, but it led me to check the partitions on her HDs

Sure enough, there was a seperate 10MB partition on the main HD that was set to active and boot and this is where the virus resided.

I had to delete that partition, re-adjust the old partition, then reinstall windows to fix it to boot correctly.

I fixed an XP system with that type of virus about a month ago. This particular one eventually replaced his shell with some FBI warning screen, and the Safe Mode shell led to a false 0x7B stop error. I ended up removing it mostly from WinPE, but checking the registry's Shell item, as well as some items in Startup. Then I found all the files and deleted them all. After I was able to get into XP again, I only used HJT and Malwarebytes until it was gone. I didn't do anything with the 8MB partition (it was empty) so I just left it.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.