Sign in to follow this  
Followers 0
jaberwacky

Well hidden redirect virus...

26 posts in this topic

#1 ·  Posted (edited)

As the title suggests I am trying to remove a particularly well hidden redirect virus on my sister's computer. I looked to see if IE were set up to use a proxy, performed a malwarebytes scan, and a MSSE scan. I looked through the program files and other various folders for anything suspicious. Anyone care to hint how I might find this malware?

Oops, forgot info: Eee PC, WindowsXP 32, need more?

Edited by LaCastiglione

Share this post


Link to post
Share on other sites



You could try HijackThis and submit the log at their forum for analysis.


[center]Spiderskank Spiderskank[/center]GetOpt Parse command line options UDF | AU3Text Program internationalization UDF | Identicon visual hash UDF

Share this post


Link to post
Share on other sites

I can't remember what I had used on my GF's pc not that long ago, but it led me to check the partitions on her HDs

Sure enough, there was a seperate 10MB partition on the main HD that was set to active and boot and this is where the virus resided.

I had to delete that partition, re-adjust the old partition, then reinstall windows to fix it to boot correctly.


010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!

Share this post


Link to post
Share on other sites

#5 ·  Posted (edited)

Oh sweet geebus. I hope that aint it but thanks for the heads up!

That reminded me that when this comp boots up it says "Atheros boot agent". That might be it. Never heard of this Atheros stuff.

Edited by LaCastiglione

Share this post


Link to post
Share on other sites

Atheros is the company that produced the wireless chipset. I've got an Atheros WiFi as well, but Atheros boot agent is afaik only common in Linux distro's... WindowsXP 32 you said? I'd definetely check this out.


[center]Spiderskank Spiderskank[/center]GetOpt Parse command line options UDF | AU3Text Program internationalization UDF | Identicon visual hash UDF

Share this post


Link to post
Share on other sites

I have three partitions on this machine. ONe is the C: drive that we all know and love. The other two are an unlabeled EFI system Partition and the other is an Unknown Partition labeled PE. I think these are common on the Eee PCs. Could there be hidden partitions?

Share this post


Link to post
Share on other sites

ComboFix.exe has taken care of the issue. It was suggested that a rootkit had taken hold of the computer but I'm not sure since I didn't go through every line of the log file! Thanks for the suggestions!

Share this post


Link to post
Share on other sites

Redirecting to what, if it's not secret?


♡♡♡

.

eMyvnE

Share this post


Link to post
Share on other sites

How about posting your logfile?

Because I went through it and nothing stood out. Besides, I think the problem has been fixed. Thanks for offering to research my logfile though. I really do appreciate it.

Share this post


Link to post
Share on other sites

I can't remember what I had used on my GF's pc not that long ago, but it led me to check the partitions on her HDs

Sure enough, there was a seperate 10MB partition on the main HD that was set to active and boot and this is where the virus resided.

I had to delete that partition, re-adjust the old partition, then reinstall windows to fix it to boot correctly.

I fixed an XP system with that type of virus about a month ago. This particular one eventually replaced his shell with some FBI warning screen, and the Safe Mode shell led to a false 0x7B stop error. I ended up removing it mostly from WinPE, but checking the registry's Shell item, as well as some items in Startup. Then I found all the files and deleted them all. After I was able to get into XP again, I only used HJT and Malwarebytes until it was gone. I didn't do anything with the 8MB partition (it was empty) so I just left it.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0