Our home computer gets a lot of usage, and I have gotten infected 4 times in the past 6 months with different scare-ware virus programs, in spite of having active McAfee AV. I am smart: the default user on this computer does not have Admin privileges. This has allowed me to remove the viruses by logging in as Administrator and using Malwarebytes. I am so pleased with Malwarebytes that I bought the Pro edition.
My McAfee was about to expire, and I wasn't going to pay $40 for a program that didn't seem to protect our computer from 3rd-party Facebook apps. About 3 weeks ago, I decided to switch to the free Norton that Comcast offers. It comes bundled with "Constant Guard". I don't like Norton, as it doesn't tell me what it found. It makes a difference to me if it deleted 10 tracking cookies, or found and deleted 10 traces of AntiVirus2011.
For the past 6 weeks, I have noticed that the first search made from either IE or Firefox was getting redirected to sites like ForexAmbush.com. Scans from both Malwarebytes and Norton are clean. I have also noticed that MalwareBytes protection sometimes pops up a warning that access to a potentially harmful IP address was blocked (Outgoing).
I started copying the redirected web addresses and changing my hosts file to point them to 0.0.0.0. This causes the redirecting virus I have to fail. Now I get a dialog from the browser about a bad IP address when I click on the first search result in Yahoo or Google. I click a second time, and I get the correct site. Here is what I have blocked so far:
0.0.0.0 tags.expo9.exponential.com mimsearch.com
0.0.0.0 searchpp.net sisearch.net
The computer sometimes loses access to the alpha keys on the keyboard, or all letters type as numbers. This started when I installed Comcast's "Constant Guard", which I had to take with Comcast's free Norton. I have read that this may happen when Constant Guard is trying to block a keylogger. A reboot is required (note: Control-Alt-Delete and Tab still work).
My administrator account was clean, until I caught my wife on Facebook while I had the computer logged in as Administrator doing a scan. I recently tried running MBR from my administrator account, but it can't open the "user" boot record. I don't know if the virus is doing this, or Constant Guard. I used to be able to do this.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
Tell me what logs I need to get. I will do an MBAM scan right now.
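The hosts-file sinkholing described in the post (pointing each redirect destination at 0.0.0.0) is easy to get subtly wrong by hand: a domain misspelled or left off the line is still reachable. The following Python script is an added example, not code from the post or from any of the products mentioned; it parses a hosts file the way the resolver does (comments, blank lines, several names per line, case-insensitive) and reports which redirect destinations are still unblocked. The hosts lines are copied from the post; the sample file layout, the extra domain and the helper names are my own assumptions.

```python
"""Check which redirect destinations a hosts file actually sinkholes.

Added example. The two 0.0.0.0 lines are the ones from the post; the
surrounding file layout and all helper names are assumptions.
"""
from __future__ import annotations

# Addresses that make a name unreachable rather than resolving it.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed sample of a Windows hosts file: the default localhost
# entry, a comment, the two block lines from the post, and a trailing
# comment on one of them.
SAMPLE_HOSTS = """\
# hypothetical header comment
127.0.0.1       localhost
0.0.0.0 tags.expo9.exponential.com mimsearch.com
0.0.0.0 searchpp.net sisearch.net   # added by hand to stop redirects
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lower-cased) to the address it resolves to.

    Whole-line and trailing '#' comments are stripped, blank and
    malformed lines are skipped, and every name after the address on a
    line gets that address, matching how the resolver reads the file.
    """
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname does nothing
        address, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def is_sinkholed(mapping: dict[str, str], hostname: str) -> bool:
    """True if the hosts file sends this name to a sinkhole address."""
    return mapping.get(hostname.lower()) in SINKHOLE_ADDRESSES


def unblocked(mapping: dict[str, str], hostnames: list[str]) -> list[str]:
    """Redirect destinations the hosts file does not yet block."""
    return [h for h in hostnames if not is_sinkholed(mapping, h)]


def block_lines(hostnames: list[str], per_line: int = 2) -> list[str]:
    """Render names as '0.0.0.0 a b' lines in the post's style.

    Names are lower-cased and de-duplicated; per_line is just a
    readability choice, not a resolver requirement.
    """
    seen: list[str] = []
    for h in hostnames:
        h = h.lower()
        if h not in seen:
            seen.append(h)
    return [
        "0.0.0.0 " + " ".join(seen[i : i + per_line])
        for i in range(0, len(seen), per_line)
    ]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    # Constructed list: the domains from the post plus one not yet blocked.
    observed = ["mimsearch.com", "SearchPP.net", "forexambush.com"]
    missing = unblocked(hosts, observed)
    print("still unblocked:", missing)
    for line in block_lines(missing):
        print("add to hosts:", line)
```

Run it against the real file by replacing SAMPLE_HOSTS with the contents of `C:\Windows\System32\drivers\etc\hosts`; the check only tells you whether a name is sinkholed in the file, it does not confirm that the malware is resolving through the hosts file at all, which is why the scans and logs the post asks about are still the right next step.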