jaberwacky Posted September 3, 2012 Posted September 3, 2012 (edited) As the title suggests I am trying to remove a particularly well hidden redirect virus on my sister's computer. I looked to see if IE were set up to use a proxy, performed a malwarebytes scan, and a MSSE scan. I looked through the program files and other various folders for anything suspicious. Anyone care to hint how I might find this malware? Oops, forgot info: Eee PC, WindowsXP 32, need more? Edited September 3, 2012 by LaCastiglione Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
dany Posted September 3, 2012 Posted September 3, 2012 You could try HijackThis and submit the log at their forum for analysis. [center]Spiderskank Spiderskank[/center]GetOpt Parse command line options UDF | AU3Text Program internationalization UDF | Identicon visual hash UDF
jaberwacky Posted September 3, 2012 Author Posted September 3, 2012 Great Scott! I'll try it now. Thanks. Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
kaotkbliss Posted September 4, 2012 Posted September 4, 2012 I can't remember what I had used on my GF's pc not that long ago, but it led me to check the partitions on her HDs Sure enough, there was a seperate 10MB partition on the main HD that was set to active and boot and this is where the virus resided. I had to delete that partition, re-adjust the old partition, then reinstall windows to fix it to boot correctly. 010101000110100001101001011100110010000001101001011100110010000 001101101011110010010000001110011011010010110011100100001 My Android cat and mouse gamehttps://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek We're gonna need another Timmy!
jaberwacky Posted September 4, 2012 Author Posted September 4, 2012 (edited) Oh sweet geebus. I hope that aint it but thanks for the heads up! That reminded me that when this comp boots up it says "Atheros boot agent". That might be it. Never heard of this Atheros stuff. Edited September 4, 2012 by LaCastiglione Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
kaotkbliss Posted September 4, 2012 Posted September 4, 2012 Just googled Atheros boot agent, apparently it's for wireless laptop cards. 010101000110100001101001011100110010000001101001011100110010000 001101101011110010010000001110011011010010110011100100001 My Android cat and mouse gamehttps://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek We're gonna need another Timmy!
dany Posted September 4, 2012 Posted September 4, 2012 Atheros is the company that produced the wireless chipset. I've got an Atheros WiFi as well, but Atheros boot agent is afaik only common in Linux distro's... WindowsXP 32 you said? I'd definetely check this out. [center]Spiderskank Spiderskank[/center]GetOpt Parse command line options UDF | AU3Text Program internationalization UDF | Identicon visual hash UDF
jaberwacky Posted September 4, 2012 Author Posted September 4, 2012 I have three partitions on this machine. ONe is the C: drive that we all know and love. The other two are an unlabeled EFI system Partition and the other is an Unknown Partition labeled PE. I think these are common on the Eee PCs. Could there be hidden partitions? Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
jaberwacky Posted September 4, 2012 Author Posted September 4, 2012 OK, Power Quest Partition Table Editor says that the c: drive is the boot drive. So, I think the problem isn't due to a malicious partition. Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
jaberwacky Posted September 4, 2012 Author Posted September 4, 2012 ComboFix.exe has taken care of the issue. It was suggested that a rootkit had taken hold of the computer but I'm not sure since I didn't go through every line of the log file! Thanks for the suggestions! Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
jaberwacky Posted September 4, 2012 Author Posted September 4, 2012 Nope, no it didn't. Oh well. Will pick back up later on. Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
jaberwacky Posted September 4, 2012 Author Posted September 4, 2012 Nope, back again. Seems like combofix really did root it out. I reinstalled Firefox and it hasn't happened in a while. So here's to hoping. Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
trancexx Posted September 4, 2012 Posted September 4, 2012 Redirecting to what, if it's not secret? ♡♡♡ . eMyvnE
JohnOne Posted September 4, 2012 Posted September 4, 2012 Certainly does just sound like a browser hijacking. Did you even run hijackthis? AutoIt Absolute Beginners Require a serial Pause Script Video Tutorials by Morthawt ipify Monkey's are, like, natures humans.
jaberwacky Posted September 4, 2012 Author Posted September 4, 2012 Certainly does just sound like a browser hijacking.Did you even run hijackthis?Yes.Redirecting to what, if it's not secret?The websites were different every time. Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
JohnOne Posted September 4, 2012 Posted September 4, 2012 How about posting your logfile? AutoIt Absolute Beginners Require a serial Pause Script Video Tutorials by Morthawt ipify Monkey's are, like, natures humans.
jaberwacky Posted September 4, 2012 Author Posted September 4, 2012 How about posting your logfile?Because I went through it and nothing stood out. Besides, I think the problem has been fixed. Thanks for offering to research my logfile though. I really do appreciate it. Helpful Posts and Websites: AutoIt Wiki | Can't find what you're looking for on the Forum? My scripts: Guiscape | Baroque AU3 Code Formatter | MouseHoverCalltips | SciTe Customization GUI | ActiveWindowTrack Toy | Monitor Configuration UDF
Chimaera Posted September 4, 2012 Posted September 4, 2012 Have you run Spybot Or Avira Antivirus both are fairly agressive. We generally run spybot scans with malwarebytes to get the stubborn ones If Ive just helped you ... miracles do happen. Chimaera CopyRobo() * Hidden Admin Account Enabler * Software Location From Registry * Find Display Resolution * _ChangeServices()
Tripredacus Posted September 4, 2012 Posted September 4, 2012 I can't remember what I had used on my GF's pc not that long ago, but it led me to check the partitions on her HDsSure enough, there was a seperate 10MB partition on the main HD that was set to active and boot and this is where the virus resided.I had to delete that partition, re-adjust the old partition, then reinstall windows to fix it to boot correctly.I fixed an XP system with that type of virus about a month ago. This particular one eventually replaced his shell with some FBI warning screen, and the Safe Mode shell led to a false 0x7B stop error. I ended up removing it mostly from WinPE, but checking the registry's Shell item, as well as some items in Startup. Then I found all the files and deleted them all. After I was able to get into XP again, I only used HJT and Malwarebytes until it was gone. I didn't do anything with the 8MB partition (it was empty) so I just left it. Twitter | MSFN | VGCollect
Emiel Wieldraaijer Posted September 4, 2012 Posted September 4, 2012 I use the following utilsTDSSKillerCombofix Best regards,Emiel Wieldraaijer
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now