
Hijacked is a good word!


  • This topic is locked
25 replies to this topic

#1 IdMnstr

IdMnstr

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 30 June 2009 - 03:02 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/234952/redirecting-got-me-too/ ~ OB

Hi,

I am having trouble with google being redirected to search sites. I will perform a google search. The results are shown to me as links. When I click on a link I am not sent to the site. I am first told I am "Being redirected, Please wait". The next thing I see is the search results from another search site, not google.

I have been told I should post the logs from the DDS here. I have attached the files; DDS.txt and Attach.txt.

Regards,
Jim


Edited by Orange Blossom, 30 June 2009 - 08:36 PM.




#2 IdMnstr

IdMnstr
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 03 July 2009 - 03:13 PM

Orange Blossom,

Thank you for correcting my post.

Regards,
Jim

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:57 PM

Posted 04 July 2009 - 02:51 AM

Hello IdMnstr and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#4 IdMnstr

IdMnstr
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 04 July 2009 - 07:38 AM

Hi,

Thank you for responding but I am confused ...

In order to answer your question;
>>If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please follow the link provided when my topic was moved;
>>Referred here from: http://www.bleepingcomputer.com/forums/t/234952/redirecting-got-me-too/ ~ OB

Yes, I see the value of posting another DDS log and I will do so asap. What did the current logs tell you?

Regards,
Jim

#5 IdMnstr

IdMnstr
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 04 July 2009 - 07:48 AM

Hi,

I am not sure I ran DDS correctly. Here are the steps I used;
1) Clicked on the above links to download DDS.scr and DDS.pif to my desktop.
2) Double clicked on DDS.scr and a window appeared for a minute with the same instructions.
3) This window was replaced with two other windows.
4) I saved the contents of each window to my desktop.
5) I posted the files I created here.

Thanks again for your help on this.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:57 AM

Posted 07 July 2009 - 05:18 AM

Hi IdMnstr,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please make sure you run ComboFix just once as I see the log of the first run. Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 IdMnstr

IdMnstr
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 07 July 2009 - 02:54 PM

Hi,

I have downloaded and run ComboFix.

A message prompt appeared that told me to turn off "Malware Catcher 2009".
Here are the steps I took;
1) I selected the "X" on the windows thinking that ComboFix would stop running. It didn't and gave me another message to say that "Malware Catcher 2009" is still running. I did not select OK.
2) I ran "Malwarebytes' AntiMalware 1.38" to attempt to remove "Malware Catcher 2009". It did find something else and removed it but said nothing about "Malware Catcher 2009".
3) I then selected OK on ComboFix and followed all the prompts.

Thanks again for your help,
Jim

Attached Files

  • Attached File  log.txt   19.95KB   6 downloads


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:57 AM

Posted 07 July 2009 - 03:20 PM

Well done and thanks for the feedback. :thumbup2:

If you get the same notification about Malware Catcher please just neglect it and proceed.
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    SecCenter::
    AV: Malware Catcher 2009 *On-access scanning enabled* (Updated) {A3C22749-8D7C-4349-8B0B-F5139A185A10}
    FW: Malware Catcher 2009 *enabled* {948C3E74-BA0A-4641-BD10-EE2B0E2E7590}
    Folder::
    c:\program files\Coupons
    SkipFix::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download and run Javara for Java update. Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 14. Please uninstall any remaining versions if the tool could not uninstall them.

  • Tell me if you still get redirected.


#9 IdMnstr

IdMnstr
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 07 July 2009 - 04:17 PM

Hi,

Here are the latest log files.

Regards,
Jim


#10 IdMnstr

IdMnstr
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 07 July 2009 - 04:20 PM

Hi,

Still being redirected.

Regards,
Jim

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:57 AM

Posted 07 July 2009 - 04:35 PM

  • Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
  • Download regsearch.zip by Bobbi Flekman and Save it to your desktop.
    • Extract it to your desktop. It will extract the zip file to a folder named regsearch.
    • Open the folder and double click regsearch.exe to start the program.
    • Type Catcher in the first row of upper window.
    • Type Malware in the second row of upper window.
    • Click "OK" and Registry Search will search the Registry and report what it finds.
    • Copy and paste the result into your next reply.
  • Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c dir /a "%UserProfile%\recent" > log.txt&log.txt& del log.txt

    A text file (log.txt) will be opened. Please post its content to your reply.
    Note: The search takes a while. If you get notifications of access violation click Ok as many times as needed.


#12 IdMnstr

IdMnstr
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 07 July 2009 - 05:23 PM

Hi,

Here are the requested log files.

Still being redirected.

Regards,
Jim


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:57 AM

Posted 07 July 2009 - 05:56 PM

Hi Jim,

Please copy and paste the log instead of attaching. Thanks.
  • Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

    A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

  • Tell me if you get redirected in Internet Explorer or Firefox or both.


#14 IdMnstr

IdMnstr
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:06:57 PM

Posted 07 July 2009 - 07:19 PM

Hi,

Here is the log you requested.

Redirected in both.

Thanks again,
Jim
-------------------------------------


Windows IP Configuration



Host Name . . . . . . . . . . . . : IdMonster

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : Belkin



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : Belkin

Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-0C-F1-86-AB-57

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 192.168.2.1

Lease Obtained. . . . . . . . . . : Tuesday, July 07, 2009 2:06:54 PM

Lease Expires . . . . . . . . . . : Monday, January 18, 2038 11:14:07 PM

Server: UnKnown
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.127.100, 74.125.67.100, 74.125.45.100



Pinging google.com [206.53.61.77] with 32 bytes of data:



Reply from 206.53.61.77: bytes=32 time=41ms TTL=55

Reply from 206.53.61.77: bytes=32 time=41ms TTL=55



Ping statistics for 206.53.61.77:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 41ms, Maximum = 41ms, Average = 41ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c f1 86 ab 57 ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.2.3 192.168.2.3 20
192.168.2.0 255.255.255.0 192.168.2.3 192.168.2.3 20
192.168.2.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.2.255 255.255.255.255 192.168.2.3 192.168.2.3 20
224.0.0.0 240.0.0.0 192.168.2.3 192.168.2.3 20
255.255.255.255 255.255.255.255 192.168.2.3 192.168.2.3 1
Default Gateway: 192.168.2.1
===========================================================================
Persistent Routes:
None

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:57 AM

Posted 08 July 2009 - 02:53 AM

We might have found it. This should confirm it:

Go to start > Run copy/paste the following line in the run box and click OK after each line.

notepad C:\windows\system32\drivers\etc\hosts

A text file opens. Please post its content to your reply.
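
The comparison behind this step, as an added example that is not part of the thread: in the log from reply #14, nslookup (which queries the DNS server directly) returned 74.125.x.x addresses, while ping (which goes through the system resolver and so honours the hosts file) used 206.53.61.77. The `HOSTS` sample and all function names below are constructed for illustration; the thread does not show the real hosts file.

```python
import re
# Excerpt of the log posted in reply #14 (nslookup output, then ping).
LOG = """\
Server: UnKnown
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.127.100, 74.125.67.100, 74.125.45.100

Pinging google.com [206.53.61.77] with 32 bytes of data:
"""
# Constructed hosts file for illustration; the thread never shows the real one.
HOSTS = """\
127.0.0.1       localhost
206.53.61.77    google.com www.google.com   # constructed entry
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def nslookup_addresses(log, name):
    """Addresses the DNS server returned for name (nslookup skips the hosts file)."""
    m = re.search(rf"^Name:\s*{re.escape(name)}[ \t]*\r?\nAddress(?:es)?:\s*(.+)$", log, re.M | re.I)
    return set(re.findall(IPV4, m.group(1))) if m else set()

def ping_address(log, name):
    """Address the system resolver handed to ping (hosts file is consulted first)."""
    m = re.search(rf"^Pinging {re.escape(name)} \[({IPV4})\]", log, re.M | re.I)
    return m.group(1) if m else None

def hosts_entries(hosts, name):
    """Addresses the hosts file pins name to; comments and blank lines are ignored."""
    found = []
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            found.append(fields[0])
    return found

def diagnose(log, hosts, name):
    # A mismatch is a lead, not proof: round-robin DNS can also hand out other addresses.
    dns, used = nslookup_addresses(log, name), ping_address(log, name)
    if used is None or not dns:
        return "incomplete log"
    if used in dns:
        return "consistent"
    if used in hosts_entries(hosts, name):
        return "hosts override"
    return "mismatch, source unknown"

if __name__ == "__main__":
    print(diagnose(LOG, HOSTS, "google.com"))
```

A "mismatch, source unknown" result means the hosts file does not explain the difference, so other local resolver overrides would be the next thing to check.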



