
XP SP3 Search redirects, and MBAM IP warnings



#1 gromittoo

gromittoo

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 10 June 2011 - 06:34 PM

Our home computer gets a lot of usage, and I have gotten infected 4 times in the past 6 months with different scare-ware virus programs, in spite of having active McAfee AV. I am smart; the default user on this computer does not have Admin privileges. This has allowed me to remove the viruses by logging in as Administrator and using Malwarebytes. I am so pleased with Malwarebytes that I bought the pro edition.

My McAfee was about to expire, and I wasn't going to pay $40 for a program that didn't seem to protect our computer from 3rd-party Facebook apps. About 3 weeks ago, I decided to switch to the free Norton that Comcast offers. It comes bundled with "Constant Guard". I don't like Norton, as it doesn't tell me what it found. It makes a difference to me if it deleted 10 tracking cookies, or found and deleted 10 traces of AntiVirus2011.

My Problem:

For the past 6 weeks, I have noticed that the first search made from either IE or Firefox was getting redirected to sites like ForexAmbush.com. Scans from both Malwarebytes and Norton are clean. I have also noticed that MalwareBytes protection sometimes pops up a warning that access to a potentially harmful IP address was blocked (Outgoing).

I started copying the redirected web addresses, and changing my hosts file to point them to 0.0.0.0. This causes the redirecting virus I have to fail. Now I get a dialog from the browser about a bad IP address when I click on the first search result in Yahoo or Google. I click a second time, and I get the correct site. Here is what I have blocked so far:

0.0.0.0 tags.expo9.exponential.com mimsearch.com
0.0.0.0 bestsearchgroup.com
0.0.0.0 MonsterMarketplace.com
0.0.0.0 searchpp.net sisearch.net
0.0.0.0 feed.bizzclick.com
0.0.0.0 dc2w.3vg58t1.com

The computer sometimes loses access to the alpha keys on the keyboard, or all letters type as numbers. This started when I installed Comcast's "Constant Guard", which I had to take with Comcast's free Norton. I have read that this may happen when Constant Guard is trying to block a keylogger. A reboot is required (note that Control-Alt-Delete and Tab still work).

My administrator account was clean, until I caught my wife on Facebook while I had the computer logged in as Administrator doing a scan. I recently tried running MBR from my administrator account, but it can't open the "user" boot record. I don't know if the virus is doing this, or Constant Guard. I used to be able to do this.

C:\>embre
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully

Tell me what logs I need to get. I will do an MBAM scan right now.
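The hosts-file blackholing described in the post is a defender's manual blocklist, but the same file is also a common target for search-redirect malware (a legitimate domain pointed at an attacker-controlled address). The script below is an added example, not part of the original post and not a BleepingComputer or Malwarebytes tool: it parses a Windows hosts file (comments, blank lines, several hostnames per line) and reports two things, the entries that blackhole a hostname to 0.0.0.0 or 127.0.0.1 (the poster's blocklist) and any protected domain (search engines, AV vendors) that is mapped to a real address, which is the hijack pattern a responder checks for. The sample hosts text, the 198.51.100.7 address (TEST-NET-2 documentation range) and the hijacked hostnames are constructed for the example; the PROTECTED list is an assumed set of domains worth watching.

```python
import sys
from ipaddress import ip_address

# Constructed sample hosts file: the blocklist lines mirror the post above,
# the last two lines are constructed hijack entries for demonstration.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 tags.expo9.exponential.com mimsearch.com
0.0.0.0 bestsearchgroup.com
0.0.0.0 MonsterMarketplace.com   # blocked after a redirect
0.0.0.0 searchpp.net sisearch.net
0.0.0.0 feed.bizzclick.com
0.0.0.0 dc2w.3vg58t1.com
198.51.100.7 www.google.com
198.51.100.7 www.malwarebytes.org
"""

# Addresses that make an entry a harmless "blackhole" rather than a redirect.
BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Assumed list of domains that malware commonly hijacks in the hosts file.
PROTECTED = ("google.com", "yahoo.com", "bing.com", "malwarebytes.org", "microsoft.com")

# Real location of the hosts file on Windows XP and later.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from hosts-file text.

    Strips '#' comments, skips blank or malformed lines, and expands lines
    that list several hostnames after one address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an IP address: ignore the line
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def classify(entries, protected=PROTECTED):
    """Split parsed entries into blocklist hostnames and suspected hijacks.

    A hijack is a protected domain (or a subdomain of one) mapped to an
    address that is not a blackhole address."""
    blocked, hijacked = [], []
    for ip, host in entries:
        if ip in BLACKHOLE_IPS:
            if host != "localhost":
                blocked.append(host)
            continue
        if any(host == dom or host.endswith("." + dom) for dom in protected):
            hijacked.append((host, ip))
    return blocked, hijacked


def report(text):
    """Human-readable summary used by the command-line entry point."""
    blocked, hijacked = classify(parse_hosts(text))
    lines = ["%d blackholed hostname(s):" % len(blocked)]
    lines += ["  %s" % h for h in blocked]
    lines.append("%d suspected hijack(s):" % len(hijacked))
    lines += ["  %s -> %s" % pair for pair in hijacked]
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a path to check a real file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_HOSTS))
```

Run it with no arguments to see the sample classified, or with `WINDOWS_HOSTS_PATH` as the argument on the affected machine. An entry in the "suspected hijack" list does not prove infection (some corporate or parental-control setups write hosts entries deliberately), but a search engine or AV update host pointing at an unfamiliar address is exactly the artifact that explains "first search redirected" symptoms and is worth restoring to the stock file.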


#2 gromittoo

gromittoo
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 11 June 2011 - 09:51 AM

After I left the post above, I logged in as administrator and ran a Malwarebytes deep scan. About 20 minutes into the scan, Norton put up a "File Insight" 37db3fe2-45172543 message about a downloader that was removed. (I will attach a screen capture.) I let Malwarebytes finish (it found nothing), and I shut down the computer.

This morning, I logged into the default user, and Malwarebytes protection put up a message about a corrupted definitions file. I had to log in as administrator and uninstall / reinstall MBAM. I am currently running another scan. I am wondering if the file that Norton "quarantined" was actually the MBAM definitions file. So far, all is well.
