• Links Hijacked

    #466393

    Friend of mine’s XP Pro machine has gotten something really nasty. Any hyperlink that is clicked on takes you somewhere other than the link’s address. This happens in both Internet Explorer and Firefox. PC has ZoneAlarm Security Suite installed. Doing a full virus/malware scan with it finds nothing. Malwarebytes’ Anti-Malware found a couple pieces of adware and a single trojan, killed them all. Ad-Aware found two pieces of adware, killed them. Not seeing anything strange in the IE or FF add-ons. Can’t run an online scan with something like Trend Micro’s Housecall, because clicking on a link to it takes me somewhere else 🙁 Any suggestions?

    • #1207937

      …….Can’t run an online scan with something like Trend Micro’s Housecall, because clicking on a link to it takes me somewhere else 🙁 Any suggestions?

      What happens when Internet addresses are manually typed into the address bar of a browser?

      • #1208195

        I get to the right site that way. Almost ready for the “nuke it” solution: Hosts file is OK, HijackThis didn’t find anything, and HouseCall didn’t either. If I can find a way to recover the XP Pro product key, I’ll just save his files to an external hard drive and wipe and reinstall XP.

        • #1208215

          Have you used something like Autoruns for Windows to see what is getting started when you boot the system?

          Have you checked the file association for the type .url?

          --Joe

    • #1207945

      Have you tried going into Safe Mode and running Trend Micro from there? Safe Mode is usually reached by tapping the F8 key continuously before the Windows screen comes up after rebooting. Once you get the screen, choose Safe Mode With Networking and you will be able to access the internet and try running TM from there.

      Hey Jude

    • #1207972

      Take a look at the HOSTS file. Located at C:\WINDOWS\system32\drivers\etc. The file has no extension but is only a text file and can be opened with Notepad. After all the lines that start with #, there generally should only be one entry:

      127.0.0.1 localhost

      If there’s more, then probably some malware or trojan added its own lines to this file to redirect traffic to malicious servers.

    • #1207991

      I highly recommend your friend seek the assistance of the experienced, CERTIFIED, Volunteer “Malware Removal Specialists” on the Geeks To Go Forums at http://www.geekstogo.com/forum/forums.html, SPECIFICALLY in their “Virus, Spyware and Trojan Removal” forum. They have a “Malware Cleaning Guide” and I recommend your friend starts by posting Logs of the “GMER Rootkit Scanner” and “OTL” as mentioned in the “Guide”.

      • #1207998

        Agree with Robin on this; it reads like a possible TDSS infection but my choice of help forum would be Majorgeeks. Malware cleaning guide, read it carefully, write down any errors encountered and good luck 🙂

    • #1208043

      Before running through hoops trying to manually fix something like this, I would consider your friend’s system as compromised. The only 100% way to be sure is a clean install.

      • #1208079

        If there’s an MBR infection, even that may not be enough and perhaps render the drive completely inaccessible; I prefer to find the problem then decide how to deal with it.

    • #1208098

      Did I miss something?
      A complete format will wipe everything, including the MBR.

      • #1208100

        You may think so, yes – but if the MBR infection has moved the actual boot data and linked to it instead, breaking that link by replacing the MBR with a normal MBR can lead to inaccessible data or a write-protected drive. If an infected MBR uses encryption, similar result. MBR viruses have been rare since W95/98; Vista/7 use different boot techniques leading to new infection explorations.

        Best to diagnose correctly before writing the prescription.
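The disagreement in this sub-thread (nuke it versus find the problem first) turns on what sector 0 of the drive actually contains, and that is cheap to check before wiping anything. The Python script below is an added example written for this page; it is not code from the thread or from GMER or any other tool the thread names. It lays out the standard MBR layout (boot code in bytes 0 to 439, the NT disk signature at byte 440, four 16-byte partition entries from byte 446, the 0x55AA signature at bytes 510 and 511) and flags boot code whose hash differs from a known-good baseline, a missing or doubled active partition, and partition entries that cannot be right. The two sample sectors and the baseline hash are constructed inside the script and are assumptions, not data from the machine in the thread; on a real machine the sector comes from a raw read of the physical drive, taken from a clean boot environment because an active rootkit can misreport what is on disk, and the baseline from a known-clean install of the same Windows version.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot loader code
DISK_SIGNATURE_OFFSET = 440    # 4-byte NT disk signature, then 2 reserved bytes
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow
PARTITION_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def build_mbr(boot_code, partitions, disk_signature=0x12345678):
    """Assemble a sector from boot code and (active, type, lba_start, sectors) tuples.

    Only used to construct the samples below; on a real machine the sector is
    read from the physical drive instead.
    """
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_signature)
    for slot, (active, ptype, start, count) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * slot,
                         0x80 if active else 0x00, ptype, start, count)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot code hash, the disk signature and the populated partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not a valid MBR")
    partitions = []
    for slot in range(4):
        status, ptype, start, count = struct.unpack_from(
            PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * slot)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "status": status, "type": ptype,
                           "start": start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
    }


def audit_mbr(sector, baseline_boot_code_sha256):
    """Return a list of findings; an empty list means nothing looked off."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid status byte 0x{p['status']:02x}")
        if p["start"] == 0 or p["sectors"] == 0:
            findings.append(f"slot {p['slot']}: partition starts at LBA 0 or has zero length")
    return findings


# Constructed samples (assumptions for this example). The boot code bytes are filler
# that merely make the two sectors differ; the baseline hash is taken from the clean
# sample, which in practice would come from a clean install of the same OS or from a
# sector image saved before the trouble started.
NTFS = 0x07
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x00" * 16
TAMPERED_BOOT_CODE = bytes.fromhex("eb58") + b"\x90" * 10
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, NTFS, 63, 500_000)])
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, [(True, NTFS, 63, 500_000)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()


if __name__ == "__main__":
    # On the real machine, from a clean boot environment, the sector would come from
    #   with open(r"\\.\PhysicalDrive0", "rb") as drive: sector = drive.read(512)
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, parse_mbr(mbr)["partitions"], audit_mbr(mbr, BASELINE_SHA256) or "OK")
```

A boot code mismatch on its own does not prove infection (vendor tools and some disk utilities write their own loader), which is why the finding is reported alongside the partition table rather than as a verdict; what it does give you is a concrete reason to keep the drive as an image before letting anything rewrite sector 0.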

        • #1208245

          This is way out there, extremely rare, a little too sophisticated for your average rootkit. Like grasping at straws, not to mention a waste of time.
          If you have the time and zeal to look into it, fine. Otherwise nuke it and be done with it. Consider the system compromised.

    • #1208223
      • #1209190

        Magical Jelly Bean Keyfinder

        I fixed your link, which was broken. The Magical Jelly Bean Keyfinder is used to recover the XP Pro product key.

        • #1209225

          I fixed your link, which was broken. The Magical Jelly Bean Keyfinder is used to recover the XP Pro product key.

          I used that program to recover the XP Pro product key, and have the new hard drive installed, Windows Update churning away, and getting ready to put the old hard drive in an external enclosure and transfer the data files to the new setup. When I fired up the PC to do the product key recovery, the onboard VGA port decided to stop working, so I had to dig up an AGP video card, too 🙁

          • #1209423

            When I fired up the PC to do the product key recovery, the onboard VGA port decided to stop working, so I had to dig up an AGP video card, too 🙁

            A driver update for your VGA might help recover the onboard port. You can go to the manufacturer’s web site once you know which vendor made your VGA or your motherboard. This information can be found by using Belarc Advisor.

            -- rc primak

    • #1208311

      Doing a full virus/malware scan with it finds nothing. Malwarebytes’ Anti-Malware found a couple pieces of adware and a single trojan, killed them all. Ad-Aware found two pieces of adware, killed them. 🙁 Any suggestions?

      Focusing on what has been accomplished, I would say first try the suggestion about emptying your Hosts File. If the redirect goes away, then the removals did their job, but did not restore the Hosts File. That can happen.

      But if the problem goes away and then returns, or doesn’t go away at all, the next step is a Safe Mode scan with the two programs you have tried. Before doing this, try to get new updates for Malwarebytes. If this does not succeed (server cannot be reached), then I would go straight to a wipe and reinstall.

      The point is, if the malware is still able to block or redirect access to antivirus update servers, you probably have a deeply embedded Trojan which will resist all efforts to remove it. That’s when it is safest to do the wipe/reinstall routine.

      Magic Jellybean is a good product key recovery tool for Windows XP. If this was an original manufacturer install of Windows XP, the Product Key should also be printed on a sticker on the side or back (bottom if this is a laptop) of the computer.

      If you suspect that MBR information has been messed with, go to a local INDEPENDENT PC service shop (NOT any Big Box Store!), tell them what happened, and ask for “low-level reformatting”. This is the equivalent of running a disk wiping (not just reformatting) program like Darik’s Boot And Nuke, but you will not have to do this difficult and time-consuming operation yourself. It would be well worth the money to leave low-level reformatting to the Pros. The shop can probably also recover your Product Key and reinstall Windows XP and most of your software and updates as part of their service. You could then rest assured that your refreshed Windows XP installation is clean and safe.

      If you have an Image Backup for your system, do not use it — that backup could have preserved the infection. Delete all recent backup files, if there are any.

      (By “you” I mean of course your friend.)

      -- rc primak
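The HOSTS-file check in post #1207972 and the “empty your Hosts File, then see if the redirect goes away” step in rc primak’s post above are the same operation seen from two sides: list every active mapping that is not the stock localhost line, then rebuild the file with only that line and retest. The Python script below is an added example written for this page, not code from the thread or from any tool it names. The tampered hosts content it audits is constructed for the example: the host names are vendors the thread mentions, and the 203.0.113.x addresses are from the documentation range, not a real attacker’s server. On the XP machine the file is C:\WINDOWS\system32\drivers\etc\hosts and overwriting it needs an administrator account.

```python
"""Audit a Windows HOSTS file for hijacked entries and rebuild a clean one."""
import ipaddress

# Constructed sample of a tampered XP hosts file (an assumption for this example,
# not the file from the machine in the thread). The redirect lines point at the
# 203.0.113.0/24 documentation range, not at a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1\tlocalhost
203.0.113.7\thousecall.trendmicro.com www.trendmicro.com
203.0.113.7\twww.malwarebytes.org      # trailing comment, still a live entry
127.0.0.1\twww.lavasoft.com
"""


def parse_hosts(text):
    """Return [(line_number, ip, [hostnames...])] for every active entry.

    Everything after '#' and every blank line is skipped, so a redirect hidden
    behind a trailing comment or a run of blank lines is still picked up.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit_hosts(text):
    """Flag every mapping other than loopback -> localhost.

    kind == "redirect":  a public name is sent to some other address (the browser ends up elsewhere)
    kind == "blackhole": a public name is pinned to loopback (scanner and update sites become unreachable)
    kind == "malformed": the first field is not an IP address at all
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "kind": "malformed", "ip": ip, "name": " ".join(names)})
            continue
        for name in names:
            if addr.is_loopback and name.lower() == "localhost":
                continue  # the one entry a stock XP file carries
            kind = "blackhole" if addr.is_loopback else "redirect"
            findings.append({"line": lineno, "kind": kind, "ip": ip, "name": name})
    return findings


def restore_default(text):
    """Rebuild the file with its comments and the localhost line only (the 'empty it' step)."""
    kept, have_localhost = [], False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            kept.append(raw)  # comment or blank line: harmless, keep it
        elif fields[0] == "127.0.0.1" and [n.lower() for n in fields[1:]] == ["localhost"]:
            kept.append(raw)
            have_localhost = True
        # every other active mapping is dropped
    if not have_localhost:
        kept.append("127.0.0.1\tlocalhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On the real machine: text = open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}  {f['kind']:<9}  {f['ip']:<15} {f['name']}")
    print("--- cleaned file ---")
    print(restore_default(SAMPLE_HOSTS), end="")
```

The two finding kinds map onto the two symptoms in the thread: “redirect” is the clicked link landing somewhere else, “blackhole” is the scanner or update server that cannot be reached. If the file audits clean and the redirect is still there, the hosts file was never the mechanism and the fault is somewhere else (a browser helper, a LSP or DNS setting, or the kind of rootkit discussed earlier in the thread), which is exactly the point at which rc primak’s advice to stop chasing it and reinstall applies.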
