Website being hijacked by another website


9 replies to this topic

#1 Cuessane

Cuessane

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Silverdale, WA
  • Local time:12:48 AM

Posted 02 March 2009 - 05:15 PM

I recently attempted to go to a website (Redtube.com) : yes it is pornographic, yes I'm a bad person. When it loaded up however, it was a different site (http://www.brazzersmobile.com/tour/?nats=Mzk1ODE2OjQzNToxMTI,0,0,0,0). At first, I thought it had just been purchased by them, but then my wife tried it on her computer, and was not redirected.

I immediately ran every program I could think of, and a few more I had to search for (Avast, SpyBot S&D, Windows Live OneCare, CCleaner, CWShredder, Malwarebytes, ComboFix, and of course HiJackThis), to see if any of those spotted anything out of the ordinary. They found a couple of tracking cookies, 1 bad file (a keygen I downloaded, due to losing my serial# during a move), cleaned all my temp files, reset all my IE settings to default, and yet the website is still being hijacked.

I downloaded the Beta of Safari, and the website does not get redirected using Safari. This tells me that it changed a setting somewhere having specifically to do with Internet Explorer. I tried everything I could think of, and am now turning to you for help. I appreciate any advice/help in advance.

#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:48 AM

Posted 02 March 2009 - 06:08 PM

Have you had any recent infections where this might be a leftover from cleanup?

Have you looked in manage addons?
Chewy

No. Try not. Do... or do not. There is no try.

#3 Cuessane


Posted 02 March 2009 - 06:17 PM

Yes, I checked my AddOns for IE, nothing looked suspicious, all had verified companies listed. I have not had any infections on this computer since I built it (Have caught some trying, but Avast was installed on day 1, and has caught everything in the act as far as I know). All of my programs are up to date, and everything else is running normally, other than this one website redirect. The only thing I could think of is that the redirected site somehow entered a script onto Redtube. I uninstalled and reinstalled Java just in case that was the problem, but still no luck.

It isn't even so much the fact that I cannot access Redtube.com. It's the fact that there is something on my PC, doing something that it shouldn't be doing. Again, any help or advice is appreciated.

#4 Cuessane


Posted 02 March 2009 - 10:35 PM

No one with any other ideas? lol

#5 DaChew


Posted 02 March 2009 - 10:45 PM

With all the scripts running there, it may have just been a rogue browser exploit. No one wants to go to a website like that with IE 6 or 7; many of these scripts may just hose your browser. It would be best to uninstall and reinstall IE.

Use Firefox with NoScript in the future for your dangerous browsing.
Chewy


#6 Cuessane


Posted 02 March 2009 - 11:07 PM

I guess my thought is, if a script did this, then there has to be something changed somewhere, something that I could change back, or fix somehow. I have done a search through the registry, but didn't see anything that screamed "I did it, I did it!". Hosts file is clean, just can't think of anything or anywhere else to look.
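An added example, not part of the original thread: one way to make the "hosts file is clean" check from the post above repeatable is to parse the file and list every entry that is not the stock `localhost` mapping. The sample file contents, the `watched` parameter and the verdict labels are constructed for illustration.

```python
import ipaddress

# Constructed sample, not taken from the thread.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1    localhost
0.0.0.0      ads.example.net        # blocklist-style sinkhole
203.0.113.7  www.example.com example.com
not-an-ip    broken.example.org
"""

def parse_hosts(text):
    """Yield (line_no, address_field, hostnames) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if fields:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, watched=()):
    """Return (line_no, verdict, address, hostname) for every non-stock entry."""
    watched = [w.lower() for w in watched]
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, "malformed", ip, " ".join(names)))
            continue
        for name in names:
            if name == "localhost" and addr.is_loopback:
                continue                          # stock entry, expected
            if any(name == w or name.endswith("." + w) for w in watched):
                verdict = "watched-host-overridden"
            elif addr.is_loopback or addr.is_unspecified:
                verdict = "sinkholed"
            else:
                verdict = "redirected"
            findings.append((line_no, verdict, ip, name))
    return findings

if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS, watched=["example.com"]):
        print(finding)
```

A hosts override applies to every program that uses the system resolver, so an empty result here is consistent with a redirect that shows up in only one browser.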

#7 DaChew


Posted 02 March 2009 - 11:20 PM

I can see your logic; however, something's funny about that site. In the past I have noticed a lot of complaints on certain sites which hosed browsers (IE).

You are putting too much faith in IE; try to repair it or reinstall.

http://www.siteadvisor.com/sites/redtube.c...;os_ver=5.1.3.0

Browser exploit (15)

Porn site advertisers are probably some of the most inept programmers in the world.

Edited by DaChew, 02 March 2009 - 11:23 PM.

Chewy


#8 Cuessane


Posted 03 March 2009 - 11:22 PM

I now have another small problem, which I do not know if it is related, or not. I am now unable to create a new shortcut on the desktop through the right-click menu options. When I click New --> Shortcut, nothing happens. The registry entry that determines whether you can create a new shortcut is intact, and I even ran the command from the 'Run' command to be sure that appwiz.cpl was still intact, and I was not in need of a SFC. I used the RUN: rundll32.exe appwiz.cpl,NewLinkHere %userprofile%\desktop\ command line, and the New Shortcut Wizard opens just fine when the command line is run.

I have used every scan I could think of, but nothing is coming up with any problems, other than tracking cookies. SUPER AntiSpyWare, HiJackThis, Spybot S&D, RootkitBuster, CCleaner, MBAM, several online scans, as well as having Avast and Windows Defender running 24/7.

These are only slightly annoying problems, but I fear that there could be a more serious cause behind these small problems. Any advice or recommendations would be appreciated.

#9 Cuessane


Posted 06 March 2009 - 09:08 PM

I used the RUN: rundll32.exe appwiz.cpl,NewLinkHere %userprofile%\desktop\ command line, and the New Shortcut Wizard opens just fine when the command line is run.


I just fully tested the command line, attempting to create a new test shortcut, and it will not work. At first, it would allow me to enter the path, then when I tried to name the shortcut, it would just not do anything. Now, even the command line will not work to open the wizard. I checked the registry location (HKEY_CLASSES_ROOT\.lnk\ShellNew), and they appear to be the correct entries.

Again, ANY help would be appreciated, or should I move on to posting a HJT log in the other forum?

#10 Cuessane


Posted 07 March 2009 - 10:07 PM

Since I haven't received much feedback so far, I figured I would do a little searching on my own, go through my running processes and services a bit. Between my Task Manager and www.processlibrary.com, I did a systematic search of the processes I wasn't familiar with. Ran across MobSync.exe which "is used to synchronize the offline pages you have chosen to be stored locally with the matching online pages." I stopped the process tree, and lo and behold, the webpage misdirect was gone. The problem I see is that I had cleared my history and cache several times. Not sure why it was still being misdirected, or how to prevent the problem in the future. I will keep checking around, to try and locate the rogue file, see if I can't put an end to its mischief.

Now, the remaining problem is my inability to create a new shortcut, anywhere, at all. Still looking for any advice as to what would cause this.



