Jump to content

Nasty redirect hollowed out process, files attached.

Recommended Posts

I have recently been infected with a malware that redirects your webpage to other pages usually while visiting pages on Ebay. 

I discovered that this is due to a hollowed out ntdll.dll process while scanning with zemana anti malware. It tries to remove the process and then it reappears. 

Tried rkill, tdsskiller, kaspersky tdsskiller and zemana anti malware. Only Zemana discovers the harmful process, tries to remove it, but it reappears. 

As a last resort, I wiped the hard drive and re-installed windows. After about 1 hour, the infection reappears. 

Thanks for your help. 

Addition_26-02-2017 08.42.52.txt

FRST_26-02-2017 08.42.52.txt

Link to post
Share on other sites

Found it.


Zemana AntiMalware (Portable)

Scan Result            : Completed
Scan Date              : 2017/2/26
Operating System       : Windows 10 64-bit
Processor              : 4X Intel(R) Core(TM) i5-4690K CPU @ 3.50GHz
BIOS Mode              : UEFI
CUID                   : 12A9A1F4C41336AC75B336
Scan Type              : System Scan
Duration               : 0m 44s
Scanned Objects        : 33569
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects

Status             : Scanned
Object             : %systemroot%\system32\ntdll.dll
MD5                : 45198B71B548B113A18ACD0D9DF7F686
Publisher          : Microsoft Windows
Size               : 1886344
Version            : 6.3.14393.479
Detection          : Hollow Process
Cleaning Action    : Repair
Related Objects    :
                Process - 7984 - \\Diskstation\home\Utilities\A new build software\Zemana.AntiMalware.Portable.exe
                File - %systemroot%\system32\ntdll.dll

Link to post
Share on other sites

30 minutes ago, redirectbug said:

It redirects in Chrome and firefox. Seems to only redirect when visiting Ebay. Testing internet explorer as we speak. 

So the hollow process isn't causing this?

Seems the bug also appears on another pc I reformatted last night. Maybe it's attached to extensions in Chrome?

I don't think hollow process is causing this.

1 minute ago, redirectbug said:

Doesn't seem to appear in internet explorer, so it looks more like a firefox/chrome redirect malware. 

Do you have a home router/modem?

Link to post
Share on other sites

There are several possible scenarios for redirecting malware (if this is caused by malware) to survive system reinstall.

1) Infected router --> How to reset it - setuprouter.com/networking/how-to-reset-your-router/

2) For Chrome it can be synchronized back when you log into your Google account.

3) For Firefox, I am not sure if it is possible unless you import data from already infected Chrome.

4) Install uBlock extension, perhaps it helps stopping the problem - https://www.ublock.org/


What I would do is the first and fourth step first.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.