bank site redirecting 1

Status
Not open for further replies.

Sparkspnt

Technical User
Sep 15, 2008
5
US
Hello
I have a computer where, when the user accesses 53.com or scottrade.com, it takes you to the login, but as soon as you enter any account info and password and hit "login" it takes you to another site where it proceeds to ask for all kinds of personal info. These fake sites claim to be using the same SSL certificate. I have scanned this system till I am blue with all the known engines (Sophos, Panda, Trend Micro, F-Secure, OneCare and a few others). I also ran several of the rootkit revealers. I ran ComboFix. Found nothing out of the ordinary with HijackThis that I can see. The system comes up clean over and over. This only pertains to IE; it does not do this with any other browser. I did remove all add-ons also. All updates are current with Windows XP SP3 and IE 7.0.

I really would like to know if this is a common bug and if anyone else has seen this. I don't know where else to look.

Thanks, sparkspnt
 
This might be legit. Call the financial institution in question to find out.

Many banks, etc., are now asking for the answers to questions that only you would know. Later, if they suspect someone is trying to impersonate you with a stolen login, they can ask those "security" questions.
 
I wish it was, but the computer next to it does not do this, and it asks for the full SS#, ATM PIN #, credit card number associated with it, and mother's maiden name. It also does this on Scottrade, but when it goes to the fake page you can tell the logo is not right.

 
The programs that you listed as having run - Sophos, Panda, Trend Micro, F-Secure, etc. - are mainly antivirus programs and may not detect spyware or other forms of malware.

I'd do the following:

1. Delete all cookies
2. Delete all temporary internet files
3. Boot into safe mode with networking
4. Download the following from download.com:


Malwarebytes
Spybot S&D
AdAware

5. Update all the programs in #4 using the update process for each one.
6. Disconnect yourself from the internet
7. Run all 3 programs, one at a time.
8. Run HijackThis while in safe mode and post the log to this thread.
9. Reconnect to the Internet and reboot into normal mode.

Cheers.
 
Here is my recent update; a hijack log will follow.

I ran Spybot and Ad-Aware on the system (in safe mode) and nothing came up. Interestingly, in safe mode with networking it still does the same thing as far as the redirect.

I did check the hosts file and nothing is in there. I am currently running SDFix on it right now. I will be loading the log file next.

Thanks, John
 
It is fixed. All those scans didn't find it. It was an MBR virus. I ran MBR.exe and it cleaned it.


Thanks for all your time and effort.

John
 
John,
I have the same problem - MBR virus - master boot record virus right? - you ran MBR.exe? this fixed it? whaaa? how???

help!

thanks
 
Hello djmarco0314


I downloaded mbr.exe from
and ran it. It took just a minute or two and then had to restart, and it was gone. You can also run GMER and it will detect it.


Good luck,
sparkpnt
 
Sparkspnt,

Thanks for your follow-ups, so we all can benefit from your experience - IF the need arises.

The information listed on the AV page prior to that download page for MBR.exe is quite interesting as well:

--

"If to err is human, then I must be some kind of human!" -Me
 