Nothing Found, but Browser Redirects


9 replies to this topic

#1 Katrex

  • Members
  • 44 posts

Posted 03 August 2009 - 12:06 PM

Hello all.

I am running 64-bit Windows Vista Home Premium with all updates installed. My browser is Mozilla Firefox 3.5.

This first happened a few days ago. I tried to go to a website I found with a google search (whose name I can't remember right now) and was redirected to some strange page for this fake antivirus program. I quickly closed out of Firefox, and updated all my Anti-Virus/Spyware programs before unplugging the internet and started scanning with the following programs (both in and out of safe mode):

Ad-Aware Anniversary Edition, Spybot S&D, Malwarebytes Anti-Malware, AVG8.5 Free, Windows Defender and SUPERAntiSpyware Free Edition.

They all came up clean, so I then got online and ran a scan using Kaspersky's Online Scanner - it came up clean too. I figured it was just a bad site.

About 10 minutes ago, I was waiting for my RSS feeds for Kotaku to load, while browsing a site I go to frequently (gaiaonline.com) which I'm certain is safe.. and suddenly one of the tabs was redirected to the following:

"online-pro-antivirus-scanner dot com/1/?sess=" followed by a ton of random numbers/letters.
Then it went to:
"your-bride-pride dot com/go.php?id=" followed by more random characters.

I checked my hosts file, and it looked fine. As well, I have no problem getting to any websites (happens randomly, and twice so far) and aside from that redirecting, everything else appears to be normal. I'm going to run another scan with Kaspersky while I wait for responses, but other than that I have not yet done anything else.

Help? Am I infected? >.<

EDIT:: Forgot to add it was 64-bit..

Edited by Katrex, 03 August 2009 - 01:09 PM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,195 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 August 2009 - 02:53 PM

Hello and welcome. Please run this Rootkit scan.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Katrex

  • Topic Starter
  • Members
  • 44 posts

Posted 03 August 2009 - 03:21 PM

I figured I'd ask before I do anything else -

I installed the program and started it up, however, Running Processes is not selectable. The checkbox is grayed out. Is this only because I've not done the other steps yet? I was going to do them after installing the program, but before scanning.

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,195 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 August 2009 - 03:36 PM

Try it without it and see what we get from a log.

#5 Katrex

  • Topic Starter
  • Members
  • 44 posts

Posted 03 August 2009 - 04:45 PM

Alright, a few things:

- When I attempted to clean all temporary internet files in %temp% there was one thing that wouldn't delete - RtkBtMnt.exe. Its description is "Realtek HD Audio Data Rerouter". It said I needed permission to edit that file, I clicked Yes. Then it popped up saying a program is requesting administrative access (File System, or something?) then I hit yes again, and it came up saying I needed permission to delete it. I hit Try again (options were Try Again or Cancel) and tried a few times, but to no avail.

- For some reason, "Hide Inactive Icons" is no longer working. All my icons by the clock are showing up regardless of them being used or not. == EDIT:: I restarted but it didn't fix, however, when I hid everything then changed then back to "Hide when inactive" it seems to have fixed it.

- Sophos Anti-Rootkit only detected 2 things, neither of which were recommended for cleaning so I only restarted to re-enable everything. I have one question though, under Spybot TeaTimer:

"Please download ResetTeaTimer.zip and save to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and it from restoring them upon reactivation)."

What.. exactly does this do? The wording confuses me.

Anyway - the log from %temp%/sarscan.log:


Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 03/08/2009 at 16:53:35 PM
User "Reeve" on computer "ANGELA-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\ProgramData\AVG Security Toolbar\IEToolbar.dll
Info: Starting disk scan of D: (NTFS).
Stopped logging on 03/08/2009 at 17:28:41 PM

Edited by Katrex, 03 August 2009 - 05:02 PM.
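
The sarscan.log quoted above has a simple line-oriented format: "Info:" lines mark which scan (registry, each disk) is running, and "Hidden:" lines record the items the tool could not see through normal Windows APIs. The following parser is an added example, not part of this thread and not Sophos's own tooling; it pulls out the hidden items, tags each with the scan phase that found it, and applies a triage heuristic that is the example's own assumption (hidden file in a user-writable location first, hidden file under a program directory second, hidden registry key alone last). The sample input is constructed from the log lines posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input: the sarscan.log lines quoted in post #5 above.
# A real log is read from %temp%\sarscan.log on the scanned machine.
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 03/08/2009 at 16:53:35 PM
User "Reeve" on computer "ANGELA-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\Assemblies\0x00000409
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\ProgramData\AVG Security Toolbar\IEToolbar.dll
Info: Starting disk scan of D: (NTFS).
Stopped logging on 03/08/2009 at 17:28:41 PM
"""

HIDDEN_RE = re.compile(r"^Hidden: (registry item|file) (.+)$")
INFO_RE = re.compile(r"^Info: (.+)$")


@dataclass
class HiddenItem:
    kind: str             # "registry item" or "file"
    path: str             # registry path or file path exactly as logged
    phase: Optional[str]  # the most recent "Info:" line, i.e. which scan found it


def parse_sarscan(text: str) -> List[HiddenItem]:
    """Extract every 'Hidden:' entry from a sarscan.log, tagged with its scan phase."""
    items: List[HiddenItem] = []
    phase: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = INFO_RE.match(line)
        if m:
            phase = m.group(1)
            continue
        m = HIDDEN_RE.match(line)
        if m:
            items.append(HiddenItem(kind=m.group(1), path=m.group(2), phase=phase))
    return items


def review_priority(item: HiddenItem) -> str:
    """Triage heuristic (this example's own assumption, not a Sophos recommendation):
    a hidden file in a user-writable location is inspected first, a hidden file
    under a program directory is checked against the vendor's signed package,
    and a hidden registry key on its own is low priority because some vendors
    store settings in keys that show up as hidden."""
    p = item.path.lower()
    if item.kind == "file":
        if "\\temp\\" in p or "\\users\\" in p or "\\documents and settings\\" in p:
            return "high"
        return "medium"
    return "low"


def summarize(text: str) -> dict:
    """Group findings so a reply can list files and registry items separately."""
    items = parse_sarscan(text)
    return {
        "hidden_files": [i.path for i in items if i.kind == "file"],
        "hidden_registry": [i.path for i in items if i.kind == "registry item"],
        "priority": {i.path: review_priority(i) for i in items},
    }


if __name__ == "__main__":
    for item in parse_sarscan(SAMPLE_LOG):
        print(f"[{review_priority(item):6}] {item.kind}: {item.path}  (during: {item.phase})")
```

Run against the posted log it reports one hidden registry key (low priority) and one hidden file under C:\ProgramData (medium priority, to be matched against the installed AVG package), which is consistent with the tool itself not recommending either for removal; the value of the script is on larger logs, where the phase tag tells you which volume a hidden file lives on before you start looking at it.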


#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,195 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 August 2009 - 08:14 PM

For SpyBot... This is done so it can be re-enabled later without problems such as restoring problem files.

I use this..
We need to enable Spybot S&D's "TeaTimer"
Now that we're done with the fix, we should reenable TeaTimer.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click on Posted Image
  • Click on Posted Image
  • Check this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
But due to all this registry difficulty and bad reactions to these tools you should run HJT/DDS and let them look for hidden malware.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#7 Katrex

  • Topic Starter
  • Members
  • 44 posts

Posted 03 August 2009 - 08:41 PM

Ahh, okay. That makes sense.

When I click on DDS, it brings up the black display box but only says:

"This tool does not support your operating system.
Press any key to continue... "

Should I use HiJackThis (have a link where I can get it?) or a different program?

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,195 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 August 2009 - 09:02 PM

Ok, yes, if your link works use it; if not, use this.

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

#9 Katrex

  • Topic Starter
  • Members
  • 44 posts

Posted 03 August 2009 - 10:24 PM

RSIT worked perfectly.

The topic has been created.

Thanks much for your time and help. :]

#10 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,711 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 03 August 2009 - 11:03 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/246675/possible-hidden-malware/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



