Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Persistant browser hijack asks for atm and pin number

  • Please log in to reply
1 reply to this topic

#1 darkbrooke74


  • Members
  • 1 posts
  • Local time:11:31 PM

Posted 13 March 2010 - 09:18 PM

When logging into either of my two credit unions (with the latest firefox 3.6 or IE6.0) my browser is getting hijacked to an https page with a javascript form that asks for my visa number, ccv number, pin number and expiration date. Based upon looking at the javascript.. with a post the data is then emailed to some 3rd party.

At first I noticed this downloaded and ran a couple spyware utilities:
spybot s&d- running regularly
windows malicious software remover - ran for 12 hours
nortons antivirus
mcaffee stinger...

all found nothing.

So I factory re-imaged the HD with the original operating disks.

The problem remained.

So I factory re-imaged the HD but updated to the latest XPsp3. Still the problem persisted.

Then I rewrote and updated the HP computer's bios. Still the problem persisted.

Qwest cut me off because they detected malicious software from my computer (a zbot or one of the bots). I called them and told them what I did to remove the problem (formatting and factory imaging the hd) and got it restored.

So I ran bothunter and a couple others which aren't coming to mind at this moment and still no success, same problem.

I've been running spybot s&d as well as hijack this to modify the registry.

My browser is still hijacked whenever I try logging into my credit unions. (either of them)

I've looked at the modem settings themselves and no odd redirects there.

I'm wondering if a simple 302 redirect got messed with. But I don't know how to change that.

Anyway, It doesn't feel safe to use my computer for anything right now. I don't even want to log into my email because security is definitely compromised.

The computer beeped strangely a couple times and in some applications the mouse is really delayed unlike before. I'm wondering if the boot sector of C wasn't entirely reimaged with the factory installation disks and there's something hiding there.

Also, I've been trying to stop alg.exe and wuauclt.exe which are both known to be (sometimes) malware. But they keep popping up from the process list. Maybe normal.

Also have tried removing
Any suggestions appreciated.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,566 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:11:31 PM

Posted 14 March 2010 - 03:46 PM

Hello and welcome. Most likely a rootkit that wants to steal financial information.

We need a deeper look , please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic from step 9.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users