
IE redirect from various sites


  • This topic is locked
31 replies to this topic

#1 BSAC

BSAC

  • Members
  • 142 posts
  • Gender:Male
  • Location:Houston, Texas, USA

Posted 04 August 2004 - 03:23 PM

Several times in the last few days while trying to move BACK on a web site, I get redirected to a porn site. When this first happened, I closed IE, but more pages popped open. I have since figured out to "lock" IE in ZoneAlarm's firewall and then close the browser. The additional page tries to open, but cannot, since I have stopped access to the internet.

How can I locate the IP address of this page (the first one is devilsf&@k.com) and then how can I use my firewall to block it?

BSAC

- Spybot finds two DSO exploits every time I run it. Ad-Aware finds nothing. In the event this is a hijacking, here is a log:

Logfile of HijackThis v1.98.0
Scan saved at 4:25:03 PM, on 8/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\uplyr\My Documents\Kevin\Conversion\Hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tampa Electric - Take Home
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: ZoneAlarm Plus.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
Be Strong And Courageous!

Kevin


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 05 August 2004 - 09:53 AM

Is this a full log?

I also responded to your log here:

http://www.bleepingcomputer.com/forums/ind...wtopic=1739&hl=

#3 BSAC

BSAC
  • Topic Starter

  • Members
  • 142 posts
  • Gender:Male
  • Location:Houston, Texas, USA

Posted 05 August 2004 - 10:15 AM

Grinler, yes, that is a full log. However, between that post and this I had to uninstall and reinstall Ad-Aware 6. I also reinstalled Spybot S&D to include TeaTimer. Here is a new log:

Logfile of HijackThis v1.98.0
Scan saved at 11:16:42 AM, on 8/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\uplyr\My Documents\Kevin\Conversion\Hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tampa Electric - Take Home
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: ZoneAlarm Plus.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe



The log you linked in your post is for my mother's computer. I haven't gotten to that one yet. Actually I am headed there now.

Thanks, BSAC
Be Strong And Courageous!

Kevin

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 05 August 2004 - 10:35 AM

There is nothing bad in this log.

You can fix these entries if you like, but they are harmless:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Is spybot detecting things when you boot up or open IE?
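The review above reads the log by eye. The script below is an added example, not code from this thread, from BleepingComputer or from HijackThis, showing how a log of this shape can be read mechanically: it splits the file into header, running processes and per-section entries, flags the two blank R0 search entries called harmless above, lists every O4 autostart location, and reports any O2 Browser Helper Object whose CLSID is not on a caller-supplied allow-list. The sample log is a constructed, trimmed copy of the second log posted in the thread; the section meanings (R0/R1 IE search and start settings, O2 BHOs, O4 Run keys and Startup folders) follow HijackThis's own categories, and the allow-list is whatever the reviewer has already vetted.

```python
"""Parse a HijackThis v1.98-style log into structured, reviewable entries.

Added example; not code from the thread, from BleepingComputer or from
HijackThis. The sample log is constructed from entries posted in the
thread, and the section meanings follow HijackThis's own categories:
R0/R1 = IE start/search settings, O2 = Browser Helper Objects,
O4 = autostart entries (Run keys and Startup folders).
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the thread's second log, same format.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 11:16:42 AM, on 8/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\SpywareGuard\sgmain.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tampa Electric - Take Home
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ZoneAlarm Plus.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")           # "O4 - ..." section prefix
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUNKEY_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")


def parse_hijackthis(text):
    """Split a log into header lines, running processes and per-section entries."""
    parsed = {"header": [], "processes": [], "entries": defaultdict(list)}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            parsed["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            parsed["entries"][m.group(1)].append(m.group(2))
        else:
            parsed["header"].append(line)
    return parsed


def empty_search_entries(parsed):
    """R0/R1 lines with a blank value: IE search/start settings left empty.
    These are the entries the thread's reviewer calls harmless but fixable."""
    return [e for sec in ("R0", "R1") for e in parsed["entries"][sec]
            if e.endswith("=")]


def autostart_entries(parsed):
    """O4 entries as (location, name, command) triples."""
    out = []
    for e in parsed["entries"]["O4"]:
        m = RUNKEY_RE.match(e)
        if m:                              # registry Run key
            out.append((m.group(1) + " Run", m.group(2), m.group(3)))
        else:                              # Startup / Global Startup shortcut
            loc, _, rest = e.partition(": ")
            name, _, cmd = rest.partition(" = ")
            out.append((loc, name, cmd))
    return out


def bho_entries(parsed):
    """O2 entries as (display name, CLSID, dll path) triples."""
    return [BHO_RE.match(e).groups() for e in parsed["entries"]["O2"]
            if BHO_RE.match(e)]


def unknown_bho_clsids(parsed, known_clsids):
    """CLSIDs of BHOs not on a caller-supplied allow-list (an assumption of
    this example: the list is whatever the reviewer has already vetted)."""
    known = {c.upper() for c in known_clsids}
    return [clsid for _, clsid, _ in bho_entries(parsed)
            if clsid.upper() not in known]


if __name__ == "__main__":
    p = parse_hijackthis(SAMPLE_LOG)
    print("processes:", len(p["processes"]))
    print("empty search entries:", empty_search_entries(p))
    for loc, name, cmd in autostart_entries(p):
        print("autostart [%s] %s -> %s" % (loc, name, cmd))
    print("unvetted BHOs:", unknown_bho_clsids(p, ["{4A368E80-174F-4872-96B5-0B27DDD11DB2}"]))
```

Run against the log pasted above, the script reports the two blank R0 entries and the SpywareGuard and Spybot BHOs; with the SpywareGuard CLSID on the allow-list, only the Spybot SDHelper CLSID is left for the reviewer to look up, which is the same conclusion reached by hand in this thread.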

#5 BSAC

BSAC
  • Topic Starter

  • Members
  • 142 posts
  • Gender:Male
  • Location:Houston, Texas, USA

Posted 05 August 2004 - 11:11 AM

No, it is not detecting anything. The redirect thing is weird because it is totally random. Usually, the back button on the browser (or mouse) sets it off, but only occasionally. It is uncomfortable, though, when it does happen.
Be Strong And Courageous!

Kevin

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 05 August 2004 - 11:30 AM

Is it possible it's the site you are on?

There are some sites that, when you go to them and then leave the page you are on, pop up sites like that.

#7 BSAC

BSAC
  • Topic Starter

  • Members
  • 142 posts
  • Gender:Male
  • Location:Houston, Texas, USA

Posted 05 August 2004 - 11:50 AM

I don't think so. It has happened on many different sites. The first time it happened my wife was on an INS page and hit the back button. It has happened to me from my bank's page, MSN, and others.
Be Strong And Courageous!

Kevin

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 05 August 2004 - 11:52 AM

Let's try this to be safe:

Download VX2Finder from this link:

http://tools.zerosrealm.com/VX2Finder(126).exe

or

http://www.downloads.subratam.org/VX2Finder(126).exe

Run Vx2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.

#9 BSAC

BSAC
  • Topic Starter

  • Members
  • 142 posts
  • Gender:Male
  • Location:Houston, Texas, USA

Posted 05 August 2004 - 03:01 PM

Here is the VX2Finder log:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---ckpNotify
Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---NavLogon
Keys Under Notify---PCANotify
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---wzcnotif


Guardian Key--- is called:

User Agent String---

BSAC
Be Strong And Courageous!

Kevin

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 05 August 2004 - 03:58 PM

Nothing there either. I would suggest running both Ad-Aware and Spybot again and seeing if they find anything.

#11 BSAC

BSAC
  • Topic Starter

  • Members
  • 142 posts
  • Gender:Male
  • Location:Houston, Texas, USA

Posted 05 August 2004 - 06:23 PM

Ad-Aware showed nothing. Spybot found its usual two DSO exploits, which reappear all the time. This has happened again this evening to my wife. Is there a way to get the IP address of the web site and block it through the firewall?

BSAC
Be Strong And Courageous!

Kevin

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 06 August 2004 - 08:08 AM

Post another log... theoretically we can block the sites with a hosts file, but I am more concerned why we are not seeing the start-ups.

With the new log I want you to also paste a startup list:

Could you please download, unzip and run:

http://www.dougknox.com/xp/utils/StartupTracker3.zip

Copy the contents of what it shows here.
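The hosts-file approach mentioned above works by name rather than by address: every lookup of a listed hostname is answered locally with the loopback address, so the browser never connects no matter which IP the site resolves to that day. The script below is an added example, not part of this thread or of any tool named in it, that builds such entries safely: it validates that each name is a bare hostname, skips names the file already maps, covers both the bare and the `www.` form, tags its own lines so a later run can find them, and is idempotent. The sample hosts content and the blocked domain names are constructed placeholders; the path is the standard Windows 2000 location of the hosts file.

```python
"""Generate hosts-file sinkhole entries for unwanted hostnames.

Added example; not code from this thread or from any tool it mentions.
Domain names and the sample file are constructed placeholders. The path
is the standard Windows 2000 hosts location (%SystemRoot% is C:\WINNT).
"""
import re

HOSTS_PATH = r"C:\WINNT\system32\drivers\etc\hosts"   # default on Windows 2000
SINKHOLE = "127.0.0.1"                               # loopback: the request never leaves the PC
MARKER = "# added-by-blocklist-example"              # lets a later run recognise its own lines

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample hosts file: localhost plus one entry added by hand earlier.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.tracker-sample.test   # already blocked by hand
"""


def valid_hostname(name):
    """Accept only a bare hostname: no scheme, port, path or trailing dot."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text):
    """Map each hostname in a hosts file to the address it resolves to.

    Comments (# ...) and blank lines are skipped; the first address for a
    name wins, which is also how the resolver treats duplicate names."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for n in names:
            mapping.setdefault(n.lower(), addr)
    return mapping


def block_hosts(hosts_text, domains):
    """Return (new_hosts_text, added_names).

    Each domain is sinkholed under both its bare and its www. form unless the
    file already maps that name. Invalid input raises ValueError instead of
    being written into a system file; calling twice adds nothing new."""
    current = parse_hosts(hosts_text)
    added = []
    for d in domains:
        d = d.strip().lower()
        base = d[4:] if d.startswith("www.") else d
        if not valid_hostname(base):
            raise ValueError("not a bare hostname: %r" % d)
        for name in (base, "www." + base):
            if name not in current:
                current[name] = SINKHOLE
                added.append(name)
    lines = hosts_text.rstrip("\n").splitlines()
    lines += ["%s\t%s\t%s" % (SINKHOLE, n, MARKER) for n in added]
    return "\n".join(lines) + "\n", added


if __name__ == "__main__":
    # Demonstration only: prints the result rather than touching HOSTS_PATH.
    new_text, added = block_hosts(SAMPLE_HOSTS, ["Unwanted-Popup.test", "ads.tracker-sample.test"])
    print("would write to", HOSTS_PATH)
    print(new_text)
    print("added:", added)
```

To apply the result, the new text would be written over the hosts file (which has no extension) from an account with permission to change it, and a second run over the rewritten file adds nothing. The limit of the technique is the one implied in the post above: it blocks the names you already know, not a site that is reached by a different hostname or directly by IP, which is why finding and removing the start-up that launches the pop-ups comes first.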

#13 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • Gender:Male
  • Location:SW Louisiana

Posted 06 August 2004 - 09:49 AM

Grinler,
Shouldn't he run Ad-Aware and Spybot in safe mode, with System Restore off? I've been told to do this when I had a problem that keeps coming back. It worked for me. Just a thought.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 06 August 2004 - 10:20 AM

System Restore should have no bearing. System Restore can only affect you if you purposely restore a restore point. We have them clear restore points so that cannot happen.

Running in safe mode should not matter; it could be worse, as some items are not seen in safe mode.

#15 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • Gender:Male
  • Location:SW Louisiana

Posted 06 August 2004 - 11:08 AM

Cool! Thanks for the info.
