Redirect virus

I’ve been struggling with a pretty nasty bit of spyware which has hit a few client computers recently. Tonight, I think I figured out the bugger.

It’s a typical fake “your computer has problems” spyware, which puts dozens of “corrupt hard drive” messages on the screen and generally is very annoying. If left long enough, it will also disable most anti-virus programs as well as make your desktop black, and hide not only all the icons on your desktop and your start menu, but also hide all the files on your computer.

However, all of those symptoms are typical. This one goes one step further. It actually creates a 1 megabyte extra partition on your hard drive, flags it as bootable, and then has some malicious code in that partition which makes sure that the virus is still alive on your computer because it re-initiates itself every time you reboot the computer.

I’ve been able to remove all the above symptoms with either ComboFix or Malwarebytes, and then using unhide, getting computers back up and running. But, the code in the partition causes a browser redirect which is so far unstoppable with any of my usual tools. Only ESET online scanner even recognized it as a rootkit, but still couldn’t fix it. The rest couldn’t even see it.

So, long story short, I was able to use UBCD 5 to boot to Parted Magic. From there, I could delete the rogue partition, and flag the main OS partition as bootable again. Reboot, and voila! We win. I still have to use Malwarebytes and unhide, but that’s still better than a reformat, which is what I wound up doing before I figured this trick out.
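The check below is an added example, not part of the original post: it parses a raw 512-byte MBR, flags any partition that carries the active/boot flag but is implausibly small (the 1 MB rogue partition described above), and shows the repair in memory (clear the rogue entry, make the OS partition active again). The sample MBR, the 512-byte sector size and the 8 MB size threshold are assumptions for the demonstration.

```python
import struct

SECTOR = 512             # assumed 512-byte sectors, the common MBR case
TABLE_OFFSET = 446       # partition table starts after the boot code
ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        status, ptype, start, sectors = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + i * 16)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start": start, "sectors": sectors, "bytes": sectors * SECTOR})
    return entries

def suspicious_boot_partitions(entries: list, max_bytes: int = 8 * 1024 * 1024) -> list:
    """Flag partitions that carry the active/boot flag but are too small to hold an OS."""
    return [e for e in entries if e["bootable"] and e["bytes"] <= max_bytes]

def repair_mbr(mbr: bytes, rogue_index: int, os_index: int) -> bytes:
    """Zero the rogue entry and make the OS entry the only active one (in memory only)."""
    table = bytearray(mbr)
    for i in range(4):
        table[TABLE_OFFSET + i * 16] = 0x00  # clear every active flag first
    rogue = TABLE_OFFSET + rogue_index * 16
    table[rogue:rogue + 16] = bytes(16)      # delete the rogue partition entry
    table[TABLE_OFFSET + os_index * 16] = 0x80  # OS partition bootable again
    return bytes(table)

def _entry(status, ptype, start, sectors) -> bytes:
    return struct.pack(ENTRY_FMT, status, ptype, start, sectors)

# Constructed sample MBR: a 100 GiB NTFS OS partition that lost its boot flag,
# followed by a 1 MiB partition marked active, like the rogue one described above.
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + _entry(0x00, 0x07, 2048, 209715200)   # OS: 100 GiB, not active
              + _entry(0x80, 0x07, 209717248, 2048)   # rogue: 1 MiB, active
              + bytes(32)                             # two empty slots
              + b"\x55\xaa")

if __name__ == "__main__":
    for e in suspicious_boot_partitions(parse_mbr(SAMPLE_MBR)):
        print(f"partition {e['index'] + 1}: {e['bytes'] // 1024} KiB with active flag set")
    fixed = parse_mbr(repair_mbr(SAMPLE_MBR, rogue_index=1, os_index=0))
    print("after repair:", [(e["index"] + 1, e["bootable"]) for e in fixed])
```

On a real disk the first 512 bytes read from the raw device (for example `/dev/sda` under Parted Magic) can be fed to `parse_mbr` the same way; `repair_mbr` only returns bytes and never writes to disk.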

So, if you had spyware on your computer, thought you removed it, but you have a persistent browser redirect, this trick might work for you.