I've been using 'bleepingcomputer.com' for a few years in troubleshooting all kinds of problems. I ran into one today that's new to
me and a few other people I've talked to.
I had a client get 4 emails concerning her e-mail account being compromised. The email looked 'good' but it had an attachment
to it called 'open.html'. She said she didn't open the attachment before she called me. However, when I checked the computer
out you would get 'browser redirects' intermittently to porn and other websites.
IE: Google search on 'microsoft windows updates'. Google would display the choices correctly, however when you clicked on
one of the MS links you would be taken to various other websites, NOT the MS website that was displayed by the Google search.
Checking IE: "internet options" I had NO proxy server redirects, "HiJackThis" looked good and the "HOSTS" file ONLY had the
"127.0.0.1 localhost" entry. This computer was on a fixed internal IP with the DNS hard coded into the network connection.
The fix was 'good old' combofix.exe. It ran, it found evidence of 'ROOTKIT' activity, rebooted and completed the check. It found
two 'suspicious' files that it deleted and found 1 MS file "redbook.sys" infected. It cleaned it and finished the log.
After running combofix I checked the Google Search problem again and it was working correctly. Problem cured.
Thanks for being available, everyone. I learned about combofix a year or so ago from this forum.
Robert Smith Consulting
Edited by na6t, 11 June 2010 - 03:04 AM.