
Thread: Links Hijacked

  1. #1
    5 Star Lounger
    Join Date
    May 2003
    Location
    Sterling Heights, Michigan, USA
    Posts
    633
    Thanks
    0
    Thanked 1 Time in 1 Post
    A friend of mine's XP Pro machine has gotten something really nasty. Any hyperlink that is clicked on takes you somewhere other than the link's address. This happens in both Internet Explorer and Firefox. The PC has ZoneAlarm Security Suite installed. Doing a full virus/malware scan with it finds nothing. Malwarebytes' Anti-Malware found a couple of pieces of adware and a single trojan, killed them all. Ad-Aware found two pieces of adware, killed them. Not seeing anything strange in the IE or FF add-ons. Can't run an online scan with something like Trend Micro's Housecall, because clicking on a link to it takes me somewhere else. Any suggestions?

  2. #2
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Vienna, Wien, Austria
    Posts
    5,009
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by JJDetroit:
    ... Can't run an online scan with something like Trend Micro's Housecall, because clicking on a link to it takes me somewhere else. Any suggestions?
    What happens when Internet addresses are manually typed into the address bar of a browser?
    Gre

  3. #3
    3 Star Lounger HeyJude's Avatar
    Join Date
    Dec 2009
    Location
    Ohio, USA
    Posts
    332
    Thanks
    2
    Thanked 2 Times in 2 Posts
    Have you tried going into Safe Mode and running Trend Micro from there? Safe Mode is usually reached by tapping the F8 key continuously before the Windows screen comes up after rebooting. Once you get the screen, choose Safe Mode With Networking and you will be able to access the internet and try running TM from there.

    Hey Jude
    Take a sad song and make it better

  4. #4
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Milwaukee, WI
    Posts
    737
    Thanks
    23
    Thanked 64 Times in 52 Posts
    Take a look at the HOSTS file. Located at C:\WINDOWS\system32\drivers\etc. The file has no extension but is only a text file and can be opened with Notepad. After all the lines that start with #, there generally should only be one entry:

    127.0.0.1 localhost

    If there's more, then probably some malware or trojan added its own lines to this file to redirect traffic to malicious servers.
    Chuck
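    As an added example (not code from this thread or from any of its posters), here is a small Python script that does the HOSTS-file check Chuck describes: it skips the # comment lines, lists every address-to-hostname mapping, and flags anything other than the expected localhost entries. A loopback address for a public hostname quietly blocks that site (the usual way a redirector stops you reaching an online scanner), while a non-loopback address sends the browser somewhere else. The sample HOSTS content is constructed for the demo; the file path is the one given in the post above.

```python
import ipaddress
from typing import List, Tuple

# Path of the Windows HOSTS file as given in the post above.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample HOSTS content (not taken from the thread): the normal
# localhost line followed by two lines of the kind a redirector adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
127.0.0.1       housecall.trendmicro.com   # constructed: blocks the online scanner
203.0.113.7     www.google.com             # constructed: TEST-NET-3 address, redirects
"""

# Mappings that belong in a clean Windows HOSTS file.
EXPECTED = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                    # an address with no hostname
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag every mapping that is not one of the expected localhost entries."""
    findings = []
    for addr, name in parse_hosts(text):
        if (addr, name) in EXPECTED:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if ip.is_loopback:
            reason = "blocks hostname (loopback)"
        else:
            reason = "redirects hostname"
        findings.append((addr, name, reason))
    return findings


def scan_hosts_file(path: str = WINDOWS_HOSTS_PATH) -> List[Tuple[str, str, str]]:
    """Read a real HOSTS file and return its suspicious entries."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample so the demo works on any machine;
    # on the affected XP box you would call scan_hosts_file() instead.
    for addr, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:30s} -> {addr:15s} {reason}")
```

    Run on a clean file it prints nothing; on the constructed sample it reports the two extra lines. Note that a HOSTS file can only explain redirects when the browser actually looks up the hostname, so if typing the address by hand works but clicking links does not (as the original poster later found), the HOSTS file check alone will come back clean.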

  5. #5
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Calif
    Posts
    182
    Thanks
    0
    Thanked 14 Times in 13 Posts


    I highly recommend your friend seek the assistance of the experienced, CERTIFIED, Volunteer "Malware Removal Specialists" on the Geeks To Go Forums at http://www.geekstogo.com/forum/forums.html, SPECIFICALLY in their "Virus, Spyware and Trojan Removal" forum. They have a "Malware Cleaning Guide" and I recommend your friend starts by posting Logs of the "GMER Rootkit Scanner" and "OTL" as mentioned in the "Guide".
    For the BEST in what counts in Life :

    http://www.ctftoronto.com

  6. #6
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,486
    Thanks
    284
    Thanked 574 Times in 478 Posts
    Quote Originally Posted by Robin Taylor:
    I highly recommend your friend seek the assistance of the experienced, CERTIFIED, Volunteer "Malware Removal Specialists" on the Geeks To Go Forums at http://www.geekstogo.com/forum/forums.html, SPECIFICALLY in their "Virus, Spyware and Trojan Removal" forum. They have a "Malware Cleaning Guide" and I recommend your friend starts by posting Logs of the "GMER Rootkit Scanner" and "OTL" as mentioned in the "Guide".
    Agree with Robin on this; it reads like a possible TDSS infection but my choice of help forum would be Majorgeeks. Malware cleaning guide, read it carefully, write down any errors encountered and good luck

  7. #7
    Super Moderator CLiNT's Avatar
    Join Date
    Dec 2009
    Location
    California & Arizona
    Posts
    6,121
    Thanks
    160
    Thanked 609 Times in 557 Posts
    Before running through hoops trying to manually fix something like this, I would consider your friend's system as compromised. The only 100% way to be sure is a clean install.
    DRIVE IMAGING
    Invest a little time and energy in a well thought out BACKUP regimen and you will have minimal down time, and headache.

    Build your own system; get everything you want and nothing you don't.
    Latest Build:
    ASUS X99 Deluxe, Core i7-5960X, Corsair Hydro H100i, Plextor M6e 256GB M.2 SSD, Corsair DOMINATOR Platinum 32GB DDR4@2666, W8.1 64 bit,
    EVGA GTX980, Seasonic PLATINUM-1000W PSU, MountainMods U2-UFO Case, and 7 other internal drives.

  8. #8
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,486
    Thanks
    284
    Thanked 574 Times in 478 Posts
    Quote Originally Posted by CLiNT:
    Before running through hoops trying to manually fix something like this, I would consider your friend's system as compromised. The only 100% way to be sure is a clean install.
    If there's an MBR infection, even that may not be enough and perhaps render the drive completely inaccessible; I prefer to find the problem then decide how to deal with it.

  9. #9
    Super Moderator CLiNT's Avatar
    Join Date
    Dec 2009
    Location
    California & Arizona
    Posts
    6,121
    Thanks
    160
    Thanked 609 Times in 557 Posts
    I miss something?
    A complete format will wipe everything, including MBR.

  10. #10
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,486
    Thanks
    284
    Thanked 574 Times in 478 Posts
    Quote Originally Posted by CLiNT:
    I miss something?
    A complete format will wipe everything, including MBR.
    You may think so, yes - but if the MBR infection has moved the actual boot data and linked to it instead, breaking that link by replacing the MBR with a normal MBR can lead to inaccessible data or a write-protected drive. If an infected MBR uses encryption, similar result. MBR viruses have been rare since W95/98; Vista/7 use different boot techniques leading to new infection explorations.

    Best to diagnose correctly before writing the prescription.

  11. #11
    5 Star Lounger
    Join Date
    May 2003
    Location
    Sterling Heights, Michigan, USA
    Posts
    633
    Thanks
    0
    Thanked 1 Time in 1 Post
    Quote Originally Posted by Malcolm Wagner:
    What happens when Internet addresses are manually typed into the address bar of a browser?
    I get to the right site that way. Almost ready for the "nuke it" solution: Hosts file is OK, HijackThis didn't find anything, and HouseCall didn't either. If I can find a way to recover the XP Pro product key, I'll just save his files to an external hard drive and wipe and reinstall XP.

  12. #12
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,572
    Thanks
    5
    Thanked 1,057 Times in 926 Posts
    Quote Originally Posted by JJDetroit:
    I get to the right site that way. Almost ready for the "nuke it" solution: Hosts file is OK, HijackThis didn't find anything, and HouseCall didn't either. If I can find a way to recover the XP Pro product key, I'll just save his files to an external hard drive and wipe and reinstall XP.
    Have you used something like Autoruns for Windows to see what is getting started when you boot the system?

    Have you checked the file association for the type .url?

    Joe

  13. #13
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,486
    Thanks
    284
    Thanked 574 Times in 478 Posts

  14. #14
    Super Moderator CLiNT's Avatar
    Join Date
    Dec 2009
    Location
    California & Arizona
    Posts
    6,121
    Thanks
    160
    Thanked 609 Times in 557 Posts
    Quote Originally Posted by Andy Rowlands:
    You may think so, yes - but if the MBR infection has moved the actual boot data and linked to it instead, breaking that link by replacing the MBR with a normal MBR can lead to inaccessible data or a write-protected drive. If an infected MBR uses encryption, similar result. MBR viruses have been rare since W95/98; Vista/7 use different boot techniques leading to new infection explorations.

    Best to diagnose correctly before writing the prescription.
    This is way out there, extremely rare, a little too sophisticated for your average rootkit. Like grasping at straws, not to mention a waste of time.
    If you have the time and zeal to look into it, fine. Otherwise nuke it and be done with it. Consider the system compromised.

  15. #15
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by JJDetroit:
    Doing a full virus/malware scan with it finds nothing. Malwarebytes' Anti-Malware found a couple pieces of adware and a single trojan, killed them all. Ad-Aware found two pieces of adware, killed them. Any suggestions?
    Focusing on what has been accomplished, I would say first try the suggestion about emptying your Hosts File. If the redirect goes away, then the removals did their job, but did not restore the Hosts File. That can happen.

    But if the problem goes away and then returns, or doesn't go away at all, the next step is a Safe Mode scan with the two programs you have tried. Before doing this, try to get new updates for Malwarebytes. If this does not succeed (server cannot be reached), then I would go straight to a wipe and reinstall.

    The point is, if the malware is still able to block or redirect access to antivirus update servers, you probably have a deeply embedded Trojan which will resist all efforts to remove it. That's when it is safest to do the wipe/reinstall routine.

    Magic Jellybean is a good product key recovery tool for Windows XP. If this was an original manufacturer install of Windows XP, the Product Key should also be printed on a sticker on the side or back (bottom if this is a laptop) of the computer.

    If you suspect that MBR information has been messed with, go to a local INDEPENDENT PC service shop (NOT any Big Box Store!), tell them what happened, and ask for "low-level reformatting". This is the equivalent of running a disk wiping (not just reformatting) program like Darik's Boot And Nuke, but you will not have to do this difficult and time-consuming operation yourself. It would be well worth the money to leave low-level reformatting to the Pros. The shop can probably also recover your Product Key and reinstall Windows XP and most of your software and updates as part of their service. You could then rest assured that your refreshed Windows XP installation is clean and safe.

    If you have an Image Backup for your system, do not use it -- that backup could have preserved the infection. Delete all recent backup files, if there are any.

    (By "you" I mean of course your friend.)
    -- Bob Primak --
