
Google Hijacked: Clickfraudmanager


This topic is locked. 5 replies to this topic.

#1 huntedwumpus

Posted 26 February 2009 - 01:09 AM

Hello guys, I've been lurking for some time and I HATE to register with a problem (doesn't everybody?) but as I've found, I can't shake this monkey off my back.

The Problem: Say I go to Google.com and do a search, say for "hi there", and I decide to click the third link down (this happens REGARDLESS of what link I actually click).

I get bounced to:
http://clickfraudmanager.com/check.php?t=82b5954b0c49597107f6d19bf5c04743&q=hi+there&p=ff&a=998&s=3&e=google&v=icv270109ff&f=income&b=0.0176&u=http://t.websearchmaster.net/?d=rAbgyR3CtebPuU8DlDh0DBavYOEESNFHomLaHScSONHRtsQwe8x9lJFFFM7SMOMGedXVxYDPIMGK84AVwvLfd_NatC8oRNDfNXNVtbjuJYAQqFfB9lrct39JuWRdHIxtYXZFlNHOPDcGNILHVi2R_uKyK5DHDNEHSNlWBp5yFITOFttNzWVIXdh4Hii9QCrQ3m5hS77fIHGCe-5R0l43jnOqo9sdbu1GQE43eJsd3jX3B5J7NLs2XOb_Etucj1xIQNfdfxcgWdV9dSKS_xuOebYY6ZCCEXBujjA-wVA5gJ37mgeGbnJujAEtVA39pL_8ImEL5GoBEK6_pjsWmXVlD2aQVzgO2kuWTXI63glpwnT9ijJU3MW28FnOmFyc75Ax7QrsLwn3fIot_dIUrwTptyEfaVBHZNCFH9LpsKK0covK5W1gwjHpC42oH996rsAP6buxo-Mb9k7c-hwYGyqJ-tRC4gLo1PICXmqguB-lfJgS_V14R9Ea0HSB0XmlURtKvt7IYfCaMPXmxGLO_74X9pn4irrQ4rszVJo1y-DaJvYttryZppNZrmcpLS5lKEYDnY4szlM-qoqrQjjSildro43iu5CeIa_K_KmwyYklb25Q2mYEn5n95qWcZ0UUiUVIw6QkwR4sCyDYKeLzl9AUA8MjnNgQg78zwCkSawBoLjorlhj9q-ouhuhjsllO690i389vFdL7Rsg0Gy6CmFCqcvmH8VoFAZz0iwsBgnZiWlw0i27B3ewehltVk_CtqRlfVnv9OOPikmqradf5snPweV6h90kBZ9iPVAkn3rK8UA8fCqrCbBlXYEXMr5FIZoWvqOcQhuEpMix8q7p1j4c0h0W8lvtUU8689m-E4fow5jSFcrBT03xBk8J7pg_JeHFmiPJ71-wiqG0fn4MBmg2QE50s2PpXk6znfXUB_GThjiB1l-laORL2XnkQLlIYavumOkppQBsGLLhsY4vxCAA5g79XSxoNfewNuJ9mUTyGDYIwvd9GA-aT49ovSrVP0eggt6Myj1bJXfiRMZ8sGHy77hoS48keb_uoHIxZq79bkA1ykLf1E3KLJBr4HEj-VBLjI3m_GIDfgw3rcxeTu4You1YYwwpUNLp7ZSib7p3OUsXe1w4D-cDK7-WOQK59qmzWB3KdHhA-5M9f-KEkru86_ziU_CqFrQYKpL-K-nomUO9yhEwSQypMIvaB0Mh9-kNcpwDXSvbk9z7__Q4S_XatG8GtQjeeddc_dilU4E9N6l-PADQuaqG2l6egZo_8rNyuNAssuFU1EjteKZy_FAdRDjXi7kkVDkoWqs794ENXPtRxxjwVcMlVTRbfc0mPZvWPIcQ_NrJVcnt---AwDhZGRkYwR5Av4kZGpiLl5jnUN/p3jlAmt4sQA8AwNjsTucVUEbMKWysQRjZGZ5ZKj1sQZ5ZmN5sQD5LGLlMzZ0sQH4AGH1MQSvsQO8ZTEvAmuvBGW8AQt1ZzZjZJI8p2IupzAbMaIhL3Eco24hnJ5zoj==---5436c1ee0904&rf=http://searchfunction.info/?qa=hi+there
Yeah. Clickfraudmanager.com. Not sure what to do there, but it runs me through an infinite variety of websites, not least one about cows.

The bouncing only happens for about 6 clicks, so I tend to just open 6 tabs, close them all, and then go on about my business. This, however, is taxing on my finger, my mouse and my patience.

To smite the problem I've used:

  • Avast! Free Edition: Found a few cookies, nothing big.
  • MalwareBytes: Found a file that is a 'virus' that has been on my PC since it was turned on, so no help.
  • AVG (Free Edition): Combination of the two.
  • HijackThis: Found nothing obviously dangerous to me, which was odd.
  • SuperAntiSpyware: FINDS NOTHING BECAUSE IT CRASHES WHILE SCANNING. :-(
  • AdAware (Free Edition): Found spyware, but nothing that could cause my problem.
  • Spybot: Nothing.

I had been using Zone Alarm Firewall for a LONG time, but the moment the virus got through it, I installed new stuff (Avast, MALBYTES, SuAntSpy, and AVG) and axed Zone Alarm.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:28 AM, on 2/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Valve\Steam\steam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

My HJT logs are usually short, because I keep them that way. Minimal things on the browser usually... Here you go.

Also, mucho thanks in advance to whoever decides to help me out; I hope one day Karma will allow me to return the favor.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5878 bytes


Thanks!

Edited by Orange Blossom, 11 February 2013 - 03:57 AM.
Deactivate link. ~ OB


#2 jpshortstuff

Posted 26 February 2009 - 02:51 PM

Hi,

Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Check for redirects after running this.

Thanks.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 huntedwumpus (Topic Starter)

Posted 01 March 2009 - 07:12 PM

Many thanks; so far it looks like you've solved my problem, good sir.

I included the report below.

MANY thanks. Freaking pesky no-good *grumbles*.

You rock!


GooredFix v1.91 by jpshortstuff
Log created at 19:08 on 01/03/2009 running Option #2 (Admin)
Firefox version 3.0.6 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{66BF42C5-FD78-4947-8D15-AD2D0A0CF517}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#4 jpshortstuff

Posted 02 March 2009 - 02:26 AM

Glad I could help!

Any other problems or can we wrap this one up?

Edited by jpshortstuff, 02 March 2009 - 02:26 AM.


#5 huntedwumpus (Topic Starter)

Posted 04 March 2009 - 02:32 PM

I got another virus (I surmise the past one let the most recent one in the back door), but I handled that with a simple MalwareBytes scan. (It was the one that changes your background and asks you to buy Antivirus XP Pro, or something dumb.)

I'd consider this topic closed :-)

Many Thanks!

#6 jpshortstuff

Posted 04 March 2009 - 05:27 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.