
Unknown Malware Search Engine Redirect Problem 2/ Moved


2 replies to this topic

#1 dolbs

dolbs

  • Members
  • 2 posts

Posted 11 March 2009 - 10:20 AM

This posting is in reference to:

http://www.bleepingcomputer.com/forums/t/206743/unknown-malware-search-engine-redirect-problem/

I am an IT consultant that had a customer bring the exact same problem up to me as described in the previous topic. The system is running Windows XP Pro. Be aware that this issue came up in the same time frame. I also tried several removal tools - ComboFix (would not run due to CMD problem in regular or safe mode), MalwareBytes (no detection), etc. My customer has current Kaspersky Corporate with current virus definitions. I decided to run a full anti-virus scan and found the following files were infected (from the System Restore):

A0039364.sys -> Rootkit.Win32.Agent.fwt
A0034455.sys -> Rootkit.Win32.Agent.eoj
A0039365.sys -> Rootkit.Win32.Agent.hss

After rebooting the machine the problem with CMD, REGEDIT, and browser redirection continued. This was expected since nothing was found outside of the System Volume Information folders.

The redirected website is (not posting direct link) webstabilityscan.com.dontuse. This appears to be another fake virus scanning site. It is important to note that browser redirection appears to be completely random. Several different sites can be visited without problem.

I'm currently running GMER, as suggested in the previous posting, under normal mode with Kaspersky protection disabled. I will post my results of the scan soon.


#2 dolbs

dolbs
  • Topic Starter

  • Members
  • 2 posts

Posted 11 March 2009 - 10:53 AM

* UPDATE *

After running GMER in normal mode with no success, I decided (as instructed in the previous posting) to run GMER in safe mode without protection running. Same error, and I was only able to scan Services, Registry, and Files.

GMER stated that no system modifications were found.


* NOTE *
When REGEDIT is attempted to run, the screen flashes with a red background briefly before Explorer starts. You can also see the red background option when looking at the Display Properties "Desktop" tab. This displays only briefly and is easier to detect when in Safe Mode due to the slower performance. The "Color" setting is also set to bright red. Attempts to change the background color (regardless of background image) cause the setting to revert back to red after opening the Display Properties again.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,994 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 11 March 2009 - 10:05 PM

Hello dolbs and welcome to BC :thumbsup:

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT NOW POST LOGS unless a log is specifically requested.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
