
XP SP3 Search redirects, and MBAM IP warnings


#1 gromittoo


  • Members
  • 2 posts
  • Local time:10:41 AM

Posted 10 June 2011 - 06:34 PM

Our home computer gets a lot of usage, and I have gotten infected 4 times in the past 6 months with different scare-ware virus programs, in spite of having active McAfee AV. I am smart: the default user on this computer does not have Admin privileges. This has allowed me to remove the viruses by logging in as Administrator and using Malwarebytes. I am so pleased with Malwarebytes that I bought the pro edition.

My McAfee was about to expire, and I wasn't going to pay $40 for a program that didn't seem to protect our computer from 3rd-party Facebook apps. About 3 weeks ago, I decided to switch to the free Norton that Comcast offers. It comes bundled with "Constant Guard". I don't like Norton, as it doesn't tell me what it found. It makes a difference to me if it deleted 10 tracking cookies, or found and deleted 10 traces of AntiVirus2011.

My Problem:

For the past 6 weeks, I have noticed that the first search made from either IE or Firefox was getting redirected to sites like ForexAmbush.com. Scans from both Malwarebytes and Norton are clean. I have also noticed that MalwareBytes protection sometimes pops up a warning that access to a potentially harmful IP address was blocked (Outgoing).

I started copying the redirected web addresses, and changing my hosts file to point to This causes the redirecting virus I have to fail. Now I get a dialog from the browser about a bad IP address when I click on the first search result in Yahoo or Google. I click a second time, and I get the correct site. Here is what I have blocked so far:

  • tags.expo9.exponential.com
  • mimsearch.com
  • bestsearchgroup.com
  • MonsterMarketplace.com
  • searchpp.net
  • sisearch.net
  • feed.bizzclick.com
  • dc2w.3vg58t1.com

The computer sometimes loses access to the alpha keys on the keyboard, or all letters type as numbers. This started when I installed Comcast's "Constant Guard", which I had to take with Comcast's free Norton. I have read that this may happen when Constant Guard is trying to block a keylogger. A reboot is required (note: Ctrl-Alt-Delete and Tab still work).

My administrator account was clean, until I caught my wife on Facebook while I had the computer logged in as Administrator doing a scan. I recently tried running MBR from my administrator account, but it can't open the "user" boot record. I don't know if the virus is doing this, or Constant Guard. I used to be able to do this.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully

Tell me what logs I need to get. I will do an MBAM scan right now.
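One way to verify hosts-file blocks like the ones described above, as an added example that is not from the post: a Python script that parses hosts-file text and reports, for each hostname of interest, whether it is sinkholed to a loopback/null address (so the redirect fails), absent, or mapped to some other address. The sample hosts content and the 192.0.2.10 address are constructed for the example.

```python
"""Check which hostnames a hosts file sinkholes (added example, not from the post)."""
import ipaddress

# Constructed sample hosts-file content; the 192.0.2.10 line is a deliberate
# example of an entry that points somewhere other than loopback/null.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1   tags.expo9.exponential.com mimsearch.com   # redirect domains
0.0.0.0     bestsearchgroup.com
127.0.0.1   monstermarketplace.com
192.0.2.10  searchpp.net   # constructed: not a sinkhole address
"""

# Hostnames from the post that we want to confirm are blocked.
WATCH = ["tags.expo9.exponential.com", "mimsearch.com", "bestsearchgroup.com",
         "MonsterMarketplace.com", "searchpp.net", "sisearch.net"]


def parse_hosts(text):
    """Map each hostname (lower-cased) to the list of addresses it resolves to.
    Handles comments, blank lines, tabs and several names on one line."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank or malformed line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first field is not an IP
        for name in parts[1:]:
            mapping.setdefault(name.lower(), []).append(str(addr))
    return mapping


def is_sinkhole(addr):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def check_blocks(text, hostnames):
    """Return {hostname: 'blocked' | 'missing' | 'maps to <addrs>'}."""
    mapping = parse_hosts(text)
    result = {}
    for host in hostnames:
        addrs = mapping.get(host.lower(), [])
        if not addrs:
            result[host] = "missing"
        elif all(is_sinkhole(a) for a in addrs):
            result[host] = "blocked"
        else:
            result[host] = "maps to " + ", ".join(addrs)   # worth a closer look
    return result


if __name__ == "__main__":
    for host, status in check_blocks(SAMPLE_HOSTS, WATCH).items():
        print(f"{host:30} {status}")
```

Point it at the real file (C:\Windows\System32\drivers\etc\hosts on Windows) by reading that file into `text`; an entry reported as "maps to" a non-loopback address is also how a hosts-file hijack would show up.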



#2 gromittoo

  • Topic Starter

  • Members
  • 2 posts
  • Local time:10:41 AM

Posted 11 June 2011 - 09:51 AM

After I left the post above, I logged in as administrator and ran a Malwarebytes deep scan. About 20 minutes into the scan, Norton put up a "File Insight" 37db3fe2-45172543 message about a downloader that was removed. (I will attach a screen capture.) I let Malwarebytes finish (it found nothing), and I shut down the computer.

This morning, I logged into the default user, and Malwarebytes protection put up a message about a corrupted definitions file. I had to log in as administrator and uninstall / reinstall MBAM. I am currently running another scan. I am wondering if the file that Norton "quarantined" was actually the MBAM definitions file. So far, all is well.
