Being Redirected, Help


  • This topic is locked
2 replies to this topic

#1 btcomm

btcomm

  • Members
  • 24 posts

Posted 31 May 2008 - 02:23 PM

Computer was infested with malware.


Removed the majority of it.

When I scan with SUPERAntiSpyware, I don't come up with anything in memory or registry.

When I use Internet Explorer and search for something on Google like SUPERAntiSpyware, I click on the link and I get redirected to

If I copy the links before I click on them they are

<http://gload.info/mfeed/click.php?data=e700407fbdf195e7be20e79c0dbd4677&PHPSESSID=e077703ddf49975cd6c0c4bbd984a45d>

When I click on it, the page will not load, just can't be displayed and this is the address that shows up.

<http://208.122.40.114/klik.php?data=eecfOgARKLtElUNhVduhenWQKwICjBC3kdxGghzTdxwV6IVoe76kV3cxleKfOl%2Fp9x%2BCBkb0%2B81VD7Kqo9PANZX9PdlS%2Bfj9hSYaGMBR7fYk6DR5re9Wkf4kn4STynyCmyd0jzxVKskm7j4z961xf1zWmehsAB8DZQMoPgN%2F9ZMEcSsfh%2Fod%2FoazAA5cxMz3np3fLuhrdfqmYvfJBYJRHwHCSqoNAKzTUV1Q2AW8B2hJjpUnPd0mtZP9sNZWGSpxGVwBSiWhrPIRyYm5Zo%2FayEyaQJFuLLxl9SVdoJxnwpxsVeVaZp3Zs93RT%2BwcSL5TYMjr8FyBfiPx3DnKhmrLuan81I2D50jK%2FT03MFuF3olmaEeOmewZfPQyDjbaeHpWRjv2pIg1GIbDraufl5p%2BFP5oN6GdBAimDlaJ3u8uRPgxJTfmslgYPUDbJIWo%2FVuEdh6YtaoDJsMzXc80qsAKArW1AFea%2F9OMFYILO7vrwlnzyxDcIjLwIgkB501VRVbibzH8%2FfbF15J9LuFmY1MclkSTNvkI%2B6MT64OwYv5LESU4og89BAVXL457i4NwutLBD8KQrwDfmJItUta7ZkLhqoue%2FY1qaeinIhxU77lEiEQxJrhuBB9xsQsgh%2F2QKUnjsBqENEvZpUGBN6iX1NQJhLXvaXWH%2FE9dJO3JvdjquXZ%2BWfjh9hN%2B2Vf44tXvYpSoDv317aB4w85HkGZW7jvqunKTB7rF6ERH7HDzk5pNac7%2F6f%2BFvetF3%2FPRopWLlN0MJ%2FM2JcXWcF9vrfE0qnOl3wGYFAb%2BzygKst5BBfkxwH%2FgsN%2B0hJCO%2ButTaqsBAW%2BRhOutauAhNrcNBUpOID3nAoNX6X4wKUOe>

When I search for something on Yahoo, it won't even bring up results and shows this as the address.

<http://www.yahoo.com/r/sx/*-http://search.yahoo.com/search?p=test&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8>

On the page it shows this.

Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

This is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:14 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HiJackThis_v2.exe
D:\Tools\PrcView_5_2_15\PrcView.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Jose\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 1909 bytes



I have tried running Internet Explorer with no add-ons and the same thing happens.

Now when I use Firefox this does not happen, so I don't think it's the hosts file or DNS.

I have seen this issue once before and I wasn't able to find out what was causing it.

Anyone see this before or know what would cause this?

I would figure some BHO in IE but there really isn't much in there.

Edited by Orange Blossom, 31 May 2008 - 08:16 PM.
Deactivate links. ~ OB
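
Added example (not part of the original post or of HijackThis itself): a small Python parser that splits a HijackThis log into running processes and coded entries, then tallies the entries per section so it is easy to see whether the hosts-file (O1), BHO (O2) and DNS (O17) sections contain anything. The function names are assumptions of this example; the sample input is a shortened excerpt of the log posted above.

```python
import re
from collections import Counter

# Standard HijackThis section codes that matter for a browser-redirect check.
SECTIONS = {
    "R1": "IE registry setting", "O1": "hosts file redirect",
    "O2": "Browser Helper Object", "O4": "autostart entry",
    "O8": "IE context-menu item", "O9": "IE button / Tools menu item",
    "O17": "DNS / domain setting", "O20": "Winlogon Notify / AppInit_DLLs",
}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return (running_processes, [(code, detail), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if line.startswith("Running processes:"):
            in_procs = True
        elif match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def section_report(entries, watch=("O1", "O2", "O17")):
    """Count entries per section and list the watched sections that are empty."""
    counts = Counter(code for code, _ in entries)
    empty = [code for code in watch if counts[code] == 0]
    return counts, empty

# Shortened excerpt of the log posted above.
SAMPLE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    counts, empty = section_report(parse_hjt(SAMPLE)[1])
    for code, n in sorted(counts.items()):
        print(code, n, SECTIONS.get(code, "other"))
    print("no entries in:", empty)
```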




#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 28 June 2008 - 12:16 PM

Hello Btcomm.

If you still need help, please post a fresh HijackThis log back here.

#3 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 05 July 2008 - 03:16 AM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.