Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Redirection Problem


  • Please log in to reply
25 replies to this topic

#1 Jordan2112

Jordan2112

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 04 August 2009 - 03:07 PM

Hi,

I've been visiting the website www.interpals.net for a long time now but since the last few weeks I keep getting random re-directs to websites such as;

*PLEASE DO CLICK THE FOLLOWING LINKS UNLESS YOU KNOW WHAT YOU'RE DOING WITH THEM AS I WOULD HATE TO BE HELD RESPONSIBLE FOR ANYONE ELSE'S COMPUTER BEING INFECTED*

<a href="http://www.austincoins.com/%5b/url" target="_blank" rel="nofollow">

www.searchswitch.com/jump1/?affilia...5yd3d3LvoDc0RHa</a>

[atl.xmlsearch.miva.com/bin/findwhat...%2DB4A1D00A291F

and my Internet browsing history now contains a link to a website titled findwhat.dll from the website above, this one particularly scares me.

Although not tonight I've also being redirected to the "sex museum" page of ChinaOnTv which a quick Google search confirms is quite a common problem but there are no clear cures out there from what I've seen!

I'm particularly concerned about my problem because it seems most people being directed, especially to the ChinaOnTv website are being hit when visiting common search engines like Google and MSN whereas I'm only being affected on www.interpals.net I'm 99% sure this isn't a problem with the Interpals website as literally thousands of people are online there at any given time and I've never heard anyone else complain. Therefore I see the problem being with my computer. I understand since Interpals seems like a non-essential website to visit that avoiding it completely is a solution but I do have friends that I speak to exclusively on there and have no other way of keeping contact with.

I have already performed full scans using antivirus software and found nothing of note as well as trying to browse the site on Internet Explorer as well as Firefox which has the same result; a seemingly redirect within around thirty minutes of being on the website.

The redirect often occurs when I attempt to visit a new page on the website. My browser freezes for approximately 10-20 seconds and I can see a bunch of websites links running through in the corner of my browser before it settles on a particular one and loads up which usually causes me to panic and immediately close the website.

Any help is much appreciated!!!

{MOD EDIT: Disabled dangerous links~~boopme}

Edited by boopme, 04 August 2009 - 03:12 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:21 PM

Posted 04 August 2009 - 03:15 PM

Hello and welcome.. I didabled the links for others safety. I do appreciate your warning..

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Jordan2112

Jordan2112
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 04 August 2009 - 03:52 PM

Thanks! Here's my results and I'm just going to restart my computer as instructed by MBAM.

Malwarebytes' Anti-Malware 1.40
Database version: 2560
Windows 5.1.2600 Service Pack 3

04/08/2009 21:50:38
mbam-log-2009-08-04 (21-50-38).txt

Scan type: Quick Scan
Objects scanned: 107046
Time elapsed: 21 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nordbull (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Any user\Local Settings\Temp\oldprcon.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:21 PM

Posted 04 August 2009 - 03:57 PM

Looking good. hopefully we run these and it's clean.. This may take an hour.
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Jordan2112

Jordan2112
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 05 August 2009 - 07:07 AM

Hi, here's my SAS results. I didn't really understand the note "SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account." so please note I've only performed one scan. Should I be logging in as each member of my family and performing the full scan on each of their accounts despite the fact I saw the program scanning their files too - for example iTunes folders under their name?

Anyway here's the result;

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/05/2009 at 12:56 PM

Application Version : 4.27.1000

Core Rules Database Version : 4037
Trace Rules Database Version: 1977

Scan type : Complete Scan
Total Scan Time : 02:27:58

Memory items scanned : 228
Memory threats detected : 0
Registry items scanned : 4677
Registry threats detected : 0
File items scanned : 30434
File threats detected : 0

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:21 PM

Posted 05 August 2009 - 10:06 AM

In other words It needs to be run on all users if there is more than one.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Jordan2112

Jordan2112
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 05 August 2009 - 10:09 AM

In other words It needs to be run on all users if there is more than one.


Okay so you'd like me to re-enter safe mode and do full scans from within the other user's accounts and posting logs for them too? Also when I go into safe mode an extra user called Administrator appears that isn't normally visable, should I run a scan from there as well?

Edited by Jordan2112, 05 August 2009 - 10:19 AM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,058 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:21 PM

Posted 05 August 2009 - 10:20 AM

Yes.. we only need logs that have more than tracking cookies,thanks.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 Jordan2112

Jordan2112
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 05 August 2009 - 12:49 PM

More indentical no infection found scans.

Is this to say the initial MBAM rid me of what was causing the problem (I haven't attempted to return to the problem website yet) or is there still more to come?

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:21 PM

Posted 05 August 2009 - 01:09 PM

You can always run a complete scan with MBAM and see if it comes back all clean?
Chewy

No. Try not. Do... or do not. There is no try.

#11 Jordan2112

Jordan2112
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 05 August 2009 - 02:58 PM

You can always run a complete scan with MBAM and see if it comes back all clean?


Doing so now and then if I'm clean the big moment... attempting to revisit the website. Fingers crossed! Will report back/make my thank you speech soon!

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:21 PM

Posted 05 August 2009 - 03:06 PM

http://www.mywot.com/en/scorecard/interpals.net

The site seems safe enough but there were a lot of activex scripts trying to run when i visited there with FireFox and noscript.

All it takes is one bad ad and some vulnerability and you can be infected?

Have you had your shots? (analogy)
Chewy

No. Try not. Do... or do not. There is no try.

#13 Jordan2112

Jordan2112
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 05 August 2009 - 03:12 PM

http://www.mywot.com/en/scorecard/interpals.net

The site seems safe enough but there were a lot of activex scripts trying to run when i visited there with FireFox and noscript.

All it takes is one bad ad and some vulnerability and you can be infected?

Have you had your shots? (analogy)


Sorry, your post doesn't make much sense to me, I'm not very smart with computers.

I'm not even sure I got the virus from that particular website I just know that's the only one where my browser was redirected whilst visiting!

So what are you recommending (if anything) I do to be safer on there? Any more magic programs in store?

#14 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:21 PM

Posted 05 August 2009 - 03:20 PM

Social network sites like that one are always a risk, you have to be very careful and take precautions.
Chewy

No. Try not. Do... or do not. There is no try.

#15 Jordan2112

Jordan2112
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 05 August 2009 - 04:01 PM

Social network sites like that one are always a risk, you have to be very careful and take precautions.


Thanks for the advice.

I just completed the full MBAM scan by the way and came back completely clean so I guess the only thing left to do is try out the website.

I'll post back how it goes after I've got a result.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users