Question

Browser hijacking removal help

By rwtodd2007
I have a remote user who is experiencing some sort of browser hijacking attempts. Thank goodness we run content advisor on IE.

The sites that keep trying to load are as follows:

ismallgame.com
paystt.com
mulhealth.com
ebibuy.com
unionbizonline.com

I have run the latest version of Spybot, but it hangs towards the end when trying to scan for zlob downloader.bs.

Searching for *.hta or *.js is coming up blank. All *.tmp files have been deleted just in case.

Any suggestions would be appreciated.


All Answers

Phishing filter

by HimDownStairs In reply to Browser hijacking removal ...

I'd turn on the phishing filter in IE7 and under the privacy setting, block the sites. See if that helps.

Sounds like a job for SmitFraudFix

by robo_dev In reply to Browser hijacking removal ...

The SmitFraudFix tool works fairly well.

Obviously be careful downloading free spyware removal tools and set a manual recovery point to be safe.

It looks like Zlob tends to mess up Spybot scans and Zlob is part of SmitFraud:

link for zlob manual removal:
http://www.xp-vista.com/spyware-removal/zlob-removal-instructions

good link for using smitfraudfix:
http://www.dslreports.com/faq/13935

Have you

by IC-IT In reply to Browser hijacking removal ...

used the advanced mode in Spybot?
Navigate to Tools, Check the BHO and ActiveX boxes.
In the Left pane, choose BHO (then ActiveX) and verify those displayed. You can also use the left pane to click on the BHO and see more information.
Also check the Startup items.
Consider downloading Autoruns to clean up additional Startup items that are not readily apparent.
Delete your Prefetch, Temp Folder items, (Users) Local Settings Temp folders, Temp Internet Files and Cookies. (Don't forget that should Temp Internet Files not display any folders, you can type (append the path) Content.IE5 to display these.)
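
The BHO and startup review described in the post above can also be done from a PowerShell prompt. This is an added example, not part of the original post and not code from Spybot or Autoruns; the registry locations are the standard Windows ones and are assumptions here, since the thread does not name them. It only reads and lists entries.

```powershell
# Added example: read-only inventory of IE Browser Helper Objects and Run-key
# startup entries. Registry paths are standard Windows locations (assumption:
# not taken from the thread). Nothing is modified or deleted.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$bhos = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid  = $key.PSChildName
        # A BHO is a COM class; InprocServer32 names the DLL IE loads in-process.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
        }
        $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            CLSID = $clsid; Dll = $dll; OnDisk = $onDisk; Signature = $sig
        }
    }
}

# Startup commands launched at logon from the machine and current-user Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$startup = foreach ($path in $runKeys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $path; Name = $name; Command = $key.GetValue($name) }
    }
}

# Unsigned DLLs, DLLs missing from disk, and commands running from Temp or a
# user profile folder deserve a closer look before anything is removed.
$bhos    | Sort-Object Signature | Format-Table -AutoSize -Wrap
$startup | Format-Table -AutoSize -Wrap
```

Autoruns covers many more launch points than these two Run keys, so treat this listing as a first pass.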

If Zlob is as bad as Vundo, then you have to chase down and kill processes

by robo_dev In reply to Have you

It's more than a case of the sniffles, so it won't die easily.

http://en.wikipedia.org/wiki/Zlob_trojan

Some of these can be VERY frustrating to kill since they use all sorts of stealth techniques and reinstall themselves automatically.

Good Article about zlob:
http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VNAME=The+ZLOB+Show%3A+Trojan+poses+as+fake+video+codec%2C+loads+more+threats

Thanks Robo

by IC-IT In reply to If Zlob is as bad as Vund ...

I was typing a response and then had to assist a user, so I took about 10 mins to send. Your response to the OP was actually more on target. I have had pretty good success using Autoruns/Spybot (usually also need to engage the process tab too) to track down the launch points of some types of viruses.
Good read though. :-)
