Jump to content

Well hidden redirect virus...


jaberwacky
 Share

Recommended Posts

As the title suggests I am trying to remove a particularly well hidden redirect virus on my sister's computer. I looked to see if IE were set up to use a proxy, performed a malwarebytes scan, and a MSSE scan. I looked through the program files and other various folders for anything suspicious. Anyone care to hint how I might find this malware?

Oops, forgot info: Eee PC, WindowsXP 32, need more?

Edited by LaCastiglione
Link to comment
Share on other sites

I can't remember what I had used on my GF's pc not that long ago, but it led me to check the partitions on her HDs

Sure enough, there was a seperate 10MB partition on the main HD that was set to active and boot and this is where the virus resided.

I had to delete that partition, re-adjust the old partition, then reinstall windows to fix it to boot correctly.

010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!

Link to comment
Share on other sites

Oh sweet geebus. I hope that aint it but thanks for the heads up!

That reminded me that when this comp boots up it says "Atheros boot agent". That might be it. Never heard of this Atheros stuff.

Edited by LaCastiglione
Link to comment
Share on other sites

Atheros is the company that produced the wireless chipset. I've got an Atheros WiFi as well, but Atheros boot agent is afaik only common in Linux distro's... WindowsXP 32 you said? I'd definetely check this out.

[center]Spiderskank Spiderskank[/center]GetOpt Parse command line options UDF | AU3Text Program internationalization UDF | Identicon visual hash UDF

Link to comment
Share on other sites

I have three partitions on this machine. ONe is the C: drive that we all know and love. The other two are an unlabeled EFI system Partition and the other is an Unknown Partition labeled PE. I think these are common on the Eee PCs. Could there be hidden partitions?

Link to comment
Share on other sites

ComboFix.exe has taken care of the issue. It was suggested that a rootkit had taken hold of the computer but I'm not sure since I didn't go through every line of the log file! Thanks for the suggestions!

Link to comment
Share on other sites

Certainly does just sound like a browser hijacking.

Did you even run hijackthis?

Yes.

Redirecting to what, if it's not secret?

The websites were different every time.
Link to comment
Share on other sites

How about posting your logfile?

Because I went through it and nothing stood out. Besides, I think the problem has been fixed. Thanks for offering to research my logfile though. I really do appreciate it.
Link to comment
Share on other sites

Have you run Spybot Or Avira Antivirus both are fairly agressive.

We generally run spybot scans with malwarebytes to get the stubborn ones

Link to comment
Share on other sites

I can't remember what I had used on my GF's pc not that long ago, but it led me to check the partitions on her HDs

Sure enough, there was a seperate 10MB partition on the main HD that was set to active and boot and this is where the virus resided.

I had to delete that partition, re-adjust the old partition, then reinstall windows to fix it to boot correctly.

I fixed an XP system with that type of virus about a month ago. This particular one eventually replaced his shell with some FBI warning screen, and the Safe Mode shell led to a false 0x7B stop error. I ended up removing it mostly from WinPE, but checking the registry's Shell item, as well as some items in Startup. Then I found all the files and deleted them all. After I was able to get into XP again, I only used HJT and Malwarebytes until it was gone. I didn't do anything with the 8MB partition (it was empty) so I just left it.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...