Solved

bank site being redirected to a malware site

Posted on 2008-10-01
12
Medium Priority
758 Views
Last Modified: 2013-12-07
Since yesterday I am being redirected to a malware site each time I try to access a specific bank account.
I run antivirus and anti-spyware ZoneAlarm software constantly. I downloaded SpyEraser and cleaned several infections. I erased my history, cookies, and personal data from the browser.
STILL when I try to log in to my account, I am being redirected to a phishing message screen!
The bank confirmed this is not their message. I cannot find why or how this is happening!!!
I tried reaching my account from another computer and it works fine. I use Firefox, but I tried IE and it gives me the same phishing site. How can I find the damn thing????
0
Question by:Tulipa
12 Comments
 
LVL 5

Expert Comment

by:ccns
ID: 22620036
What is the bank website you are trying to log into? You could possibly have 1 letter out of place and be going to a spyware website... it also aids in testing. Please do not post your username and password; just a disclaimer from my side.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 22620060
You might want to download and run Malwarebytes in Safe Mode.
You can get it free from malwarebytes.org
I would also suggest that you download and run HijackThis.
You can get that free from http://www.merijn.org/programs.php
You can post the HijackThis log file for free analysis either here or at:
Hijackthis.de

David
0
 
LVL 13

Expert Comment

by:Mark_FreeSoftware
ID: 22620203
Assuming you are on Windows, and assuming you know what you are doing (you set "advanced" on this subject):

Navigate to: C:\WINDOWS\system32\drivers\etc
Open the file named "hosts"
(no extension, and the file and some of its upper directories could be hidden)

There should be a bunch of lines with a comment sign (#) before them, and only 1 (one) line that doesn't have it.
This line should read exactly:
127.0.0.1       localhost

If you find other lines, please paste them here so we can review them, or remove them yourself if you know what you are doing.
0
 

Author Comment

by:Tulipa
ID: 22620349
To Mark_FreeSoftware

Yes, I'm on Windows and the hosts file has ONLY the line you mentioned, exactly as above.

So it isn't through this setting...
0
 

Author Comment

by:Tulipa
ID: 22620383
Here is my HijackThis log.
There was an error when I ran it; I will post it in my next comment.
hijackthis.log
0
 
LVL 5

Expert Comment

by:ccns
ID: 22620388
Seriously, check the spelling of the website you are trying to get to; also see if there is http:// versus https://.
0
 
LVL 13

Accepted Solution

by: Mark_FreeSoftware (earned 2000 total points)
ID: 22620501
One thing that could be causing this is the Bonjour service and Bonjour application running.
I have had these same programs in the past; if I recall correctly, Apple thinks it's funny to give its customers some free crapware, but it could also be Adobe.

Install a new browser, for example Opera, and see if that has the same problem.
If not, it is probably some browser helper object;
if it is, it's probably something running at the moment.

If Opera has the same problem:

This line:
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE43E5CF-087D-4D5E-A6C2-5BA03066DB30}: NameServer = 201.75.76.158,201.75.76.158
It looks like your DNS (name) servers are set to a fixed address. Did you do that?
If not, back up the addresses and try to change them.

Example, with example addresses:
https://www.opendns.com/homenetwork/start/device/windows-xp

(You could also set this to get from DHCP.)


If you think it's the Bonjour DNS thingy:
(FIRST MAKE A SYSTEM RESTORE POINT / BACK UP ALL FILES)
Refer to this how-to on Bonjour crapware:
http://www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/

This browser helper object looks suspicious:
O2 - BHO: [G-Buster Defense] - {1E1B2879-88FF-11D3-8D96-D7ACAC959323} - (no file)
Maybe you installed it yourself, I don't know ;)
0
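Added example (not part of this thread, and not from any of the posters): the two manual checks described above, the hosts-file inspection from Mark's earlier comment and the O17 NameServer / O2 BHO review of a HijackThis log, as a script. The sample hosts file and log are constructed; the GUIDs are placeholders and the addresses are RFC 5737 documentation ranges, not the ones from the real log. The OpenDNS resolver in the usage block is passed in as the caller's expected nameserver; any resolver you did not configure yourself is flagged.

```python
"""Flag DNS-hijack indicators in a Windows hosts file and a HijackThis-style
log (O17 NameServer and O2 BHO lines).  Added example for this thread; the
sample inputs are constructed (placeholder GUIDs, RFC 5737 addresses)."""
import ipaddress
import re

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed hosts file: the one line a clean XP hosts file carries, plus a
# hijack entry that would silently redirect a bank hostname.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.7     www.example-bank.test   # hypothetical hijack entry
"""

# Constructed HijackThis-style log modelled on the O2/O17 line formats.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Example PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: [Example Toolbar] - {00000000-0000-0000-0000-000000000002} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000003}: NameServer = 203.0.113.53,203.0.113.53
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def suspicious_hosts_entries(text):
    """Active hosts lines other than loopback -> localhost, as (ip, [names])."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK and names and all(n.lower() in LOCAL_NAMES for n in names):
            continue
        findings.append((ip, names))
    return findings


def unexpected_nameservers(log_text, allowed=()):
    """Statically configured resolvers (O17 lines) not in `allowed`.

    A NameServer value you did not set yourself is the classic DNS-changer
    sign: every lookup, the bank's included, is answered by the attacker's
    resolver, so the hosts file can look perfectly clean.  Duplicates are
    collapsed and order is preserved."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowed}
    seen = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                addr = str(ipaddress.ip_address(server))
            except ValueError:
                addr = server                    # keep malformed values visible
            if addr not in allowed and addr not in seen:
                seen.append(addr)
    return seen


def orphaned_bhos(log_text):
    """O2 BHO registrations whose DLL is missing ('(no file)'): dead entries
    left behind by an uninstall or by a removed piece of malware."""
    matches = (O2_RE.match(ln.strip()) for ln in log_text.splitlines())
    return [(m.group("name"), m.group("clsid"))
            for m in matches if m and m.group("path").strip() == "(no file)"]


if __name__ == "__main__":
    for ip, names in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {ip} -> {' '.join(names)}")
    # 208.67.222.222 is the OpenDNS resolver; pass whatever you configured.
    for ns in unexpected_nameservers(SAMPLE_HJT_LOG, allowed=["208.67.222.222"]):
        print(f"O17: unexpected nameserver {ns}")
    for name, clsid in orphaned_bhos(SAMPLE_HJT_LOG):
        print(f"O2: orphaned BHO {name} {clsid}")
```

On a live machine you would feed `suspicious_hosts_entries` the contents of `C:\WINDOWS\system32\drivers\etc\hosts` and the other two the saved HijackThis log; a hit from `unexpected_nameservers` is the finding to act on first, since it explains a redirect that survives browser switches and history wipes.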
 

Author Comment

by:Tulipa
ID: 22620766
Mark, wow, what a mess...
I did not set the DNS server to a fixed address. I deleted that, and the browser helper object (it was installed by another bank, but spies and keeps constant monitoring, sending info to the bank??? Don't need that one).

Anyway, looks like it's better on one front, but I found some more disturbing issues:
When I try to run the Google search from my toolbar, a message says that the certificate cannot be checked (Google helper object from Sun?).
Then ZoneAlarm tells me JAVATMP59870.exe is trying to access 201.6.0.112:DNS.
DO I ALLOW THAT?
And finally my Google searches in the Firefox toolbar started returning errors: 404 not found on this server????
Now they are back... what gives?
0
 
LVL 13

Assisted Solution

by: Mark_FreeSoftware (earned 2000 total points)
ID: 22620808
JAVATMP59870.exe: I would not allow that one.

The toolbar: is it an official toolbar, is it the Firefox Google thingy, where does it come from?

As for Firefox, if you did not store any data such as passwords and/or cookies,
you might want to delete your whole profile, so as to start over with less crap :)
0
 

Author Comment

by:Tulipa
ID: 22621124
Yes, the toolbar is the official one, the Firefox Google thingy in the right corner with options for Google, Yahoo, and other search engines. I've been using it since the beginning with Firefox.
Anyway, thanks for pointing me in the right direction.
0
 
LVL 13

Expert Comment

by:Mark_FreeSoftware
ID: 22622364
Thanks for the grade,
and good luck resolving this!
0
 
LVL 30

Expert Comment

by:Marc Z
ID: 22623706
Tulipa,

I know this question has already been closed, but I can't stress this enough. Get off this computer, go to a clean one, access that bank account AND CHANGE YOUR PASSWORDS and do not access it again on infected machine until you have fully confirmed it is clean of virus/malware.

If you have been redirected away from the banking sites, it is possible the malware got what it wanted - your information.
0
