
Catastrophic Redirect problem - Search Engine/browser



#1 stedmakr


Posted 29 December 2009 - 09:56 PM

This problem came up yesterday and has brought my computer to its knees. I'm on the verge of a very unpleasant reinstall.

I run XP (SP3). When I access Google or Bing from a browser I get a different web site than the one that I entered. I am also getting multiple high threat warnings from Norton Internet Security 2009 stating that it is blocking threats. I run Norton Internet Security all the time. It was running when I picked up this virus/malware. I ran a full system scan and it did not find a virus. I've also run Malwarebytes' Anti-Malware program and it also does not show a virus. I have disconnected the affected computer from the internet.

Is there anything I can do besides reinstalling and reformatting?


Thanks,

Keith



#2 Computer Pro


Posted 29 December 2009 - 09:58 PM

Hello and welcome to Bleeping Computer. My name is Computer Pro and I will be helping you with your issues.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.



Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Computer Pro

#3 stedmakr


Posted 30 December 2009 - 04:55 AM

Computer Pro,
Thanks for helping me. Per your statement, "Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet." I've downloaded the program and am waiting further guidance.

Keith

#4 Computer Pro


Posted 30 December 2009 - 02:58 PM

Now you may go ahead and follow the instructions on how to scan.
Computer Pro

#5 stedmakr


Posted 30 December 2009 - 09:59 PM

Computer pro,
I downloaded the program and got to the fourth step, "If prompted to download the Full version Free Trial, ignore and click the X to close the window" and the window didn't close. The hour glass was on as was the hard drive. The hard drive light was on for 5.5 hours. After it went off I waited another 30 minutes and nothing happened. The computer is locked up. Ctrl-Alt-Del doesn't do anything and the hour glass is still on.

What would you recommend that I do next?

Thanks,

Keith

#6 Computer Pro


Posted 31 December 2009 - 11:42 AM

Please try to run it again
Computer Pro

#7 stedmakr


Posted 31 December 2009 - 12:48 PM

Computer pro,
I did run it again. Last night I ran it in safe mode and it's still running - a period of 12 plus hours. The disk drive light has been on constantly since that time. I'm still at the same place I was previously. The program doesn't get past step 4.

Vr,

Keith

#8 Computer Pro


Posted 01 January 2010 - 01:00 PM

Did it ever finish running?
Computer Pro

#9 stedmakr


Posted 01 January 2010 - 01:16 PM

Computer pro,
No, I stopped it at approximately 14 hours.

Keith

#10 stedmakr


Posted 02 January 2010 - 02:32 PM

Computer pro,

Still no luck attempting to run Dr. Web. The computer totally locks up within a couple of minutes every time I attempted to use the program in normal or safe mode. I saw one of your responses for another user and ran ATF and SAS. The log is below. I have two desktops and both logs are listed. SAS picked up several tracking cookies and a virus called Adware Vuno Virus. After running SAS, I again tried to run Dr. Web in both regular and the safe mode - again the computer locked up.

Are there other alternatives besides Dr. Web?

Thanks,

Keith

I ran ATF and SAS.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/02/2010 at 09:42 AM

Application Version : 4.32.1000

Core Rules Database Version : 4440
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 01:51:07

Memory items scanned : 578
Memory threats detected : 0
Registry items scanned : 6237
Registry threats detected : 0
File items scanned : 99081
File threats detected : 21

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@247realmedia[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@6161.partners.findology[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[4].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.addynamix[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adserver.adtechus[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adserver.adtechus[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@click.fastpartner[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickpayz2.91462.blueseek[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@collective-media[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@content.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@content.yieldmanager[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@dc.tremormedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@dc.tremormedia[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@google.lucidmedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@icityfind[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@lucidmedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@questionmarket[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@realmedia[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.adbrite[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.icityfind[1].txt

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/02/2010 at 12:56 PM

Application Version : 4.32.1000

Core Rules Database Version : 4440
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 00:38:50

Memory items scanned : 565
Memory threats detected : 0
Registry items scanned : 6592
Registry threats detected : 1
File items scanned : 26943
File threats detected : 2

Adware.Vundo Variant
HKU\S-1-5-21-329068152-776561741-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@9264.partners.findology[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickpayz6.91462.blueseek[2].txt

#11 Computer Pro


Posted 02 January 2010 - 03:13 PM

Please update and run Malwarebytes. Then post back the log.
Computer Pro

#12 stedmakr


Posted 02 January 2010 - 08:14 PM

Computer pro,
I ran malwarebytes and the results are listed below.

Malwarebytes' Anti-Malware 1.43
Database version: 3482
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2010 8:10:12 PM
mbam-log-2010-01-02 (20-10-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 233789
Time elapsed: 1 hour(s), 31 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 AustrAlien


Posted 03 January 2010 - 06:24 AM

When I access Google or Bing from a browser I get a different web site than the one that I entered. I am also getting multiple high threat warnings from Norton Internet Security 2009 stating that it is blocking threats.

Can you provide some more information about the above items?
  • When searching with Google, what do you see? What is this "different web site" or sites, that you are taken to?
  • What information/What threats is Norton blocking? You might have to look at a log file of these blocked threats within Norton, to get a list of these?
I am hoping this information might point us in the right direction.


Please perform a scan with Eset OnlineScanner (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
(Vista users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab).
  • Answer Yes to install and download the ActiveX controls that allow the scan to run.
  • Click Start. (the OnlineScanner will now prepare itself for running on your PC)
  • To do a full-scan, check "Remove found threats" and "Scan potentially unwanted applications"
  • Click Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now go to Start > Run > and type C:\Program Files\EsetOnlineScanner\log.txt and then press the <ENTER> key.
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn it back on after you are finished.

Edited by AustrAlien, 03 January 2010 - 06:28 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#14 stedmakr


Posted 03 January 2010 - 12:12 PM

AustrAlien,

When I scan with a search engine there are various results. Examples of the last 4 searches follow:

http://businesslistingsearch.net/websearch.php?search=sheik&btns=search
http://thewebsitesurvey.com/?c=11374&kw=google.com
http://tiborreels.com/search.php
http://chameleonsearch.com/tbredir.php?url=uggc%3a%2f%2fjfpyvpx.vasbfacnpr.pbz%2fpyvpxfreier%2f_vp
As far as threats, I took the affected computer off line when I started getting threats every couple of hours. Since I have put the computer on line Norton Internet Security shows a bunch of medium but no high threats. The high threats that I was receiving prior to going off line were, HTTPS Tidserv C and C Domain Request, An intrusion attempt by 212.117.174.177 was blocked. I received multiple attacks of this type over a 2 day period.

The ESET Scanlog is listed below. It identified and deleted one virus, but after reboot I still have the problem.



ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c05f4fba1c33814995ce3ff735a793d9
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-03 12:42:52
# local_time=2010-01-03 07:42:52 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 306601 306601 0 0
# compatibility_mode=2560 16777191 100 0 0 0 0 0
# compatibility_mode=3588 16777189 100 96 2873798 10674176 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=8845
# found=0
# cleaned=0
# scan_time=1133
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c05f4fba1c33814995ce3ff735a793d9
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-03 04:37:42
# local_time=2010-01-03 11:37:42 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 309153 309153 0 0
# compatibility_mode=2560 16777191 100 0 0 0 0 0
# compatibility_mode=3588 16777189 100 96 2876350 10676728 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=101842
# found=1
# cleaned=1
# scan_time=12671
C:\Documents and Settings\Keith\My Documents\Downloads\freedvdripperSetup.exe Win32/TrojanClicker.Agent.NIF trojan (deleted - quarantined) 00000000000000000000000000000000 C

Edited by Orange Blossom, 08 January 2010 - 09:18 AM.
Deactivate links. ~ OB


#15 stedmakr


Posted 05 January 2010 - 11:44 AM

AustrAlien or Computer Pro,
I haven't heard anything since I supplied the previous response. Can you please identify the appropriate next step?

Thanks,

Keith



