Browser redirects



#1 JLowder8

JLowder8

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:46 PM

Posted 13 April 2009 - 08:00 PM

Hi:

I appear to have a browser hijacker that is not showing up on any scans. When I run a Google search, the site cl-searc.com is occasionally contacted. Then, when I click on the search results I am sometimes redirected to sites such as toseeka.com, shopica.com, bizrate.com, and even pctools. There doesn't appear to be a pattern to when I get redirected, but the redirects themselves often seem connected to the search phrase I originally entered.

So a search for a certain Kodak camera model will turn up an appropriate list of results on Google. The first will be the specs page for the camera model at the Kodak site. However, when I click on that link, I'm directed not to Kodak but to a Bizrate.com listing for the same camera model on sale. If I back up to the search results and click on the Kodak site link again, I will go there as intended.

I'm running Windows XP. My typical browser is Firefox. Spyware Doctor and Registry Mechanic are my usual main scanning tools, but I also use several other tools on a weekly basis.

I've run full scans with the latest updates for Malwarebytes, SuperAntispyware, Spybot, Ad-Aware, as well as the Kaspersky online (critical areas only) and Spyware Doctor (IntelliScan). They've found nothing of note, just tracking cookies that come from legit sites I've visited (like Kaspersky) and places like pricegrabber that must be related to the redirects.

Thanks in advance for your assistance.


#2 DaChew


Posted 13 April 2009 - 11:37 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Chewy

No. Try not. Do... or do not. There is no try.

#3 JLowder8


Posted 14 April 2009 - 03:08 AM

Hi, Chewy:

Google searches are still producing the action "waiting for cl-searc.com". Ran a full Spyware Doctor scan, which came up clean.

Here's the SmitFraudFix log:

SmitFraudFix v2.408

Scan done at 2:59:05.76, Tue 04/14/2009
Run from C:\Documents and Settings\Jim Lowder\My Documents\Download Files\Virus Scans\SmitFraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\APLicensing.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jim Lowder\My Documents\Download Files\Virus Scans\SmitFraudFix\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Jim Lowder


C:\DOCUME~1\JIMLOW~1\LOCALS~1\Temp


C:\Documents and Settings\Jim Lowder\Application Data

C:\Documents and Settings\Jim Lowder\Application Data\Skinux FOUND !

Start Menu


C:\DOCUME~1\JIMLOW~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 65.24.7.10
DNS Server Search Order: 65.24.7.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3F5CD2B5-5F95-4F58-8488-491AAA0A9B4D}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3F5CD2B5-5F95-4F58-8488-491AAA0A9B4D}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3F5CD2B5-5F95-4F58-8488-491AAA0A9B4D}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11


Scanning for wininet.dll infection


End

#4 DaChew


Posted 14 April 2009 - 05:34 AM

Let's see if a proxy server was set

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Please reply and report whether this worked or not.


Was your router secured with a strong password?

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
Chewy


#5 JLowder8


Posted 14 April 2009 - 11:03 AM

Hijack still occurring this morning. Hijack sites still connected to keyword in search phrase.

I checked the proxy settings in both IE and Firefox. Under LAN settings in IE, there were no boxes checked. In Firefox, "No Proxy" was selected.

I believe the password for the router is strong, in terms of number of characters and variety.

Here's the GooredFix log:

GooredFix v1.92 by jpshortstuff
Log created at 10:58 on 14/04/2009 running Option #1 (Jim Lowder)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}"="C:\Documents and Settings\Jim Lowder\Local Settings\Application Data\{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}"="C:\Documents and Settings\Jim Lowder\Local Settings\Application Data\{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}"
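As an added example (my code, not part of the thread and not the GooredFix tool), here is a Python check that applies the same test the tool is making above to .reg-style lines: a machine-wide (HKLM) Firefox extension registration whose id is a bare GUID and whose path points into a user profile deserves a closer look. The sample lines are the three values from the log above; the heuristics and the helper names are my own assumptions.

```python
import re
# Constructed sample in the shape GooredFix prints registry values; the entries are copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}"="C:\Documents and Settings\Jim Lowder\Local Settings\Application Data\{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Per-user or scratch locations; a machine-wide (HKLM) extension has no business living there.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\users\\", "\\temp\\")

def parse_reg_dump(text):
    """Yield (key, value_name, value_data) from .reg-style lines."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)

def reasons(ext_id, path):
    """Heuristics the entry trips. GUID ids are legal, so hits are leads, not proof."""
    low = path.lower()
    hits = []
    if GUID_RE.match(ext_id):
        hits.append("id is a bare GUID rather than a name@domain id")
    if any(seg in low for seg in USER_WRITABLE):
        hits.append("HKLM registration points into a user-writable path")
    if GUID_RE.match(ext_id) and low.rstrip("\\").endswith(ext_id.lower()):
        hits.append("install folder is named after the GUID itself")
    return hits

def find_suspect_extensions(text):
    """Return the extension registrations that trip at least one heuristic."""
    return [
        {"key": key, "id": ext_id, "path": path, "reasons": reasons(ext_id, path)}
        for key, ext_id, path in parse_reg_dump(text)
        if key.lower().endswith("\\extensions") and reasons(ext_id, path)
    ]
```

On a live machine the same lines can be produced with `reg export` of the two Mozilla keys; the legitimate Plugins, Components and jqs@sun.com entries pass because they are name-based or live under Program Files.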

#6 DaChew


Posted 14 April 2009 - 11:10 AM

I have asked for a consultation

We will wait
Chewy


#7 JLowder8


Posted 14 April 2009 - 11:14 AM

Thanks, Chewy. I appreciate the help.

#8 DaChew


Posted 14 April 2009 - 11:28 AM

That was fast

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

I was just walking out the door

Edited by DaChew, 14 April 2009 - 11:30 AM.

Chewy


#9 JLowder8


Posted 14 April 2009 - 12:23 PM

Here's the log:

GooredFix v1.92 by jpshortstuff
Log created at 12:20 on 14/04/2009 running Option #2 (Jim Lowder)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}"="C:\Documents and Settings\Jim Lowder\Local Settings\Application Data\{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Jim Lowder\Local Settings\Application Data\{D9A5623E-4ABA-47D2-94A0-9B4EB0F859EE}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#10 DaChew


Posted 14 April 2009 - 04:18 PM

Did it work?
Chewy


#11 JLowder8


Posted 14 April 2009 - 11:10 PM

That seems to have done it. Google is infinitely faster and I'm not getting any indication that cl-searc is being contacted. I have not had a redirect since we ran the last fix.

Two questions:

Should I now reboot my machine to double-check that the hijacker is not reloading? If so, is there anything special I should set before I reboot?

And, immediately after I ran the fix, I launched Firefox and was greeted with a notice that the NoScript update 1.9.1.9 was available. I didn't update it. Should I be wary of these automatic updates, given the infection?

#12 DaChew


Posted 15 April 2009 - 12:02 AM

Just make sure TeaTimer doesn't stop any fixes you have done.

I doubt that NoScript had anything to do with your infected FF addon/extension.

That's the first GooredFix for me so I am clueless here

I just try to go with the force and let it be my guide.

Having the author available is one of the reasons Bleepin is what it is.
Chewy


#13 JLowder8


Posted 15 April 2009 - 12:53 AM

Got it. Thanks very much, Chewy.

#14 DaChew


Posted 15 April 2009 - 06:53 AM

You are welcome
Chewy
