jaberwacky Posted September 3, 2012 (edited)
As the title suggests, I am trying to remove a particularly well hidden redirect virus on my sister's computer. I looked to see whether IE was set up to use a proxy, and performed a Malwarebytes scan and an MSSE scan. I looked through Program Files and various other folders for anything suspicious. Anyone care to hint how I might find this malware?
Oops, forgot info: Eee PC, Windows XP 32-bit. Need more?
Edited September 3, 2012 by LaCastiglione
dany Posted September 3, 2012
You could try HijackThis and submit the log at their forum for analysis.
jaberwacky Posted September 3, 2012 (Author)
Great Scott! I'll try it now. Thanks.
kaotkbliss Posted September 4, 2012
I can't remember what I had used on my GF's PC not that long ago, but it led me to check the partitions on her HDs. Sure enough, there was a separate 10MB partition on the main HD that was set to active and boot, and this is where the virus resided. I had to delete that partition, re-adjust the old partition, then reinstall Windows to fix it to boot correctly.
jaberwacky Posted September 4, 2012 (Author, edited)
Oh sweet geebus. I hope that ain't it, but thanks for the heads up! That reminded me that when this computer boots up it says "Atheros boot agent". That might be it. Never heard of this Atheros stuff.
Edited September 4, 2012 by LaCastiglione
kaotkbliss Posted September 4, 2012
Just googled Atheros boot agent; apparently it's for wireless laptop cards.
dany Posted September 4, 2012
Atheros is the company that produced the wireless chipset. I've got an Atheros WiFi as well, but Atheros boot agent is AFAIK only common in Linux distros... Windows XP 32-bit, you said? I'd definitely check this out.
jaberwacky Posted September 4, 2012 (Author)
I have three partitions on this machine. One is the C: drive that we all know and love. The other two are an unlabeled EFI System Partition and an Unknown Partition labeled PE. I think these are common on the Eee PCs. Could there be hidden partitions?
jaberwacky Posted September 4, 2012 (Author)
OK, PowerQuest Partition Table Editor says that the C: drive is the boot drive. So, I think the problem isn't due to a malicious partition.
jaberwacky Posted September 4, 2012 (Author)
ComboFix.exe has taken care of the issue. It was suggested that a rootkit had taken hold of the computer, but I'm not sure since I didn't go through every line of the log file! Thanks for the suggestions!
jaberwacky Posted September 4, 2012 (Author)
Nope, no it didn't. Oh well. Will pick back up later on.
jaberwacky Posted September 4, 2012 (Author)
Nope, back again. Seems like ComboFix really did root it out. I reinstalled Firefox and it hasn't happened in a while. So here's to hoping.
trancexx Posted September 4, 2012
Redirecting to what, if it's not secret?
JohnOne Posted September 4, 2012
Certainly does just sound like a browser hijacking. Did you even run HijackThis?
jaberwacky Posted September 4, 2012 (Author)
"Certainly does just sound like a browser hijacking. Did you even run HijackThis?"
Yes.
"Redirecting to what, if it's not secret?"
The websites were different every time.
JohnOne Posted September 4, 2012
How about posting your logfile?
jaberwacky Posted September 4, 2012 (Author)
"How about posting your logfile?"
Because I went through it and nothing stood out. Besides, I think the problem has been fixed. Thanks for offering to research my logfile though. I really do appreciate it.
Chimaera Posted September 4, 2012
Have you run Spybot or Avira Antivirus? Both are fairly aggressive. We generally run Spybot scans with Malwarebytes to get the stubborn ones.
Tripredacus Posted September 4, 2012
"I can't remember what I had used on my GF's PC not that long ago, but it led me to check the partitions on her HDs. Sure enough, there was a separate 10MB partition on the main HD that was set to active and boot, and this is where the virus resided. I had to delete that partition, re-adjust the old partition, then reinstall Windows to fix it to boot correctly."
I fixed an XP system with that type of virus about a month ago. This particular one eventually replaced his shell with some FBI warning screen, and the Safe Mode shell led to a false 0x7B stop error. I ended up removing it mostly from WinPE, by checking the registry's Shell item as well as some items in Startup. Then I found all the files and deleted them all. After I was able to get into XP again, I only used HJT and Malwarebytes until it was gone. I didn't do anything with the 8MB partition (it was empty), so I just left it.
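A read-only audit of the places this thread points at (the IE proxy setting the OP checked, the Winlogon Shell and Startup entries Tripredacus found, plus the hosts file and per-interface DNS servers that also steer redirects), written as an added example that is not part of the thread or any poster's code. It assumes Windows XP with PowerShell installed and an administrator prompt; the registry paths and the expected Shell/Userinit defaults are the standard Windows locations.

```powershell
# Added example (not from this thread): read-only audit of the usual hiding
# places for a browser redirect hijack on Windows XP. Run from an elevated
# PowerShell prompt; nothing is modified, findings are only printed.

$findings = @()

# 1. WinINet / IE proxy settings (what the OP checked by hand).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { $findings += "Proxy auto-config (PAC) URL: $($inet.AutoConfigURL)" }

# 2. Winlogon Shell and Userinit (a replaced shell is what Tripredacus found).
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'Explorer.exe') { $findings += "Winlogon Shell is '$($wl.Shell)', expected 'Explorer.exe'" }
if ($wl.Userinit -notmatch '^[A-Za-z]:\\windows\\system32\\userinit\.exe,?$') {
    $findings += "Winlogon Userinit is '$($wl.Userinit)', expected '<SystemRoot>\system32\userinit.exe,'"
}

# 3. Startup (Run) entries: list every one so odd names and paths stand out.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings += "Run entry [$key] $($_.Name) = $($_.Value)" }
    }
}

# 4. hosts file: any mapping other than localhost can redirect a site name.
$hosts = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
Get-Content $hosts | Where-Object {
    $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost'
} | ForEach-Object { $findings += "hosts override: $($_.Trim())" }

# 5. Static DNS servers per interface (a rogue resolver redirects every lookup).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.NameServer) { $findings += "Static DNS on $($_.PSChildName): $($p.NameServer)" }
    }

if ($findings.Count -eq 0) { 'No obvious redirect indicators found.' } else { $findings }
```

Run entries are listed rather than judged, since a legitimate driver helper and a hijacker look alike to a script; compare each path against what is actually installed before deleting anything.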
Emiel Wieldraaijer Posted September 4, 2012
I use the following utils: TDSSKiller, ComboFix.
Best regards, Emiel Wieldraaijer