Browser hijacking removal help

rwtodd2007
I have a remote user who is experiencing some sort of browser hijacking attempts. Thank goodness we run content advisor on IE.

The sites that keep trying to load are as follows:

ismallgame.com
paystt.com
mulhealth.com
ebibuy.com
unionbizonline.com

I have run the latest version of Spybot, but it hangs towards the end when trying to scan for zlob downloader.bs.

Searching for *.hta or *.js is coming up blank. All *.tmp files have been deleted just in case.

Any suggestions would be appreciated.
    HimDownStairs

    I'd turn on the phishing filter in IE7 and under the privacy setting, block the sites. See if that helps.

    robo_dev

    The smitFraudFix tool works fairly well.

    Obviously be careful downloading free spyware removal tools and set a manual recovery point to be safe.

    It looks like zlob tends to mess up spybot scans and zlob is part of smitfraud:

    link for zlob manual removal:
    http://www.xp-vista.com/spyware-removal/zlob-removal-instructions

    good link for using smitfraudfix:
    http://www.dslreports.com/faq/13935

    IC-IT

    Have you used the advanced mode in Spybot?
    Navigate to Tools and check the BHO and ActiveX boxes.
    In the Left pane, choose BHO (then ActiveX) and verify those displayed. You can also use the left pane to click on the BHO and see more information.
    Also check the Startup items.
    Consider downloading Autoruns to clean up additional Startup items that are not readily apparent.
    Delete your Prefetch, Temp Folder items, (Users) Local Settings Temp folders, Temp Internet Files and Cookies. (Don't forget that should Temp Internet Files not display any folders, you can type (append to the path) Content.IE5 to display these.)
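The manual equivalent of the BHO and Startup checks described in this reply, as an added PowerShell example that is not part of the thread or of Spybot/Autoruns: it reads the registry locations IE uses for Browser Helper Objects and the standard Run keys, resolves each BHO to its DLL and signature status, and flags entries for inspection. The registry paths are the standard Windows ones; the "Flag" heuristic (unsigned DLL, or a DLL under a temp/profile folder) is this example's own assumption about what to look at first, not a rule from any poster.

```powershell
# Added example (not from the thread): list the IE Browser Helper Objects and
# Run-key startup entries that the Spybot BHO/Startup views and Autoruns expose.
# Read-only: it reports and flags entries, it never deletes anything.
function Get-BhoInventory {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            # Resolve the CLSID to the DLL Internet Explorer will actually load.
            $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll = if ($srv) { [Environment]::ExpandEnvironmentVariables($srv.'(default)') } else { $null }
            $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Kind   = 'BHO'
                Name   = $clsid
                Path   = $dll
                Signer = $sig
                # Heuristic (assumption): unsigned or temp/profile-path DLLs get inspected first; not a verdict.
                Flag   = ($sig -ne 'Valid') -or ($dll -match '\\Temp\\|\\AppData\\|\\Local Settings\\')
            }
        }
    }
}
function Get-RunKeyInventory {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # Skip the PS* metadata properties Get-ItemProperty adds; the rest are startup values.
        $props = (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
        foreach ($p in $props) {
            [pscustomobject]@{
                Kind   = 'Run'
                Name   = $p.Name
                Path   = $p.Value
                Signer = ''
                Flag   = ($p.Value -match '\\Temp\\|\\AppData\\|\\Local Settings\\')
            }
        }
    }
}
# Flagged entries sort to the top so suspicious launch points are seen first.
@(Get-BhoInventory) + @(Get-RunKeyInventory) | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run from an elevated prompt so the HKLM keys and file signatures are readable; a BHO whose DLL is missing or unsigned is a candidate to cross-check against the Spybot and Autoruns views, not an automatic removal.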

    robo_dev

    It's more than a case of the sniffles, so it won't die easily.

    http://en.wikipedia.org/wiki/Zlob_trojan

    Some of these can be VERY frustrating to kill since they use all sorts of stealth techniques and reinstall themselves automatically.

    Good Article about zlob:
    http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VNAME=The+ZLOB+Show%3A+Trojan+poses+as+fake+video+codec%2C+loads+more+threats

    IC-IT

    I was typing a response and then had to assist a user, so I took about 10 mins to send. Your response to the OP was actually more on target. I have had pretty good success using autoruns/spybot (usually also need to engage the process tab too) to track down the launch points of some types of Virii.
    Good read though. :-)