
google-analytics.com redirects Help!


  • This topic is locked
89 replies to this topic

#1 Dorkmaster

  • Members
  • 53 posts

Posted 20 October 2010 - 12:06 AM

Hi there, everyone!

First off, I'm a total noob, so I apologize in advance for my total lack of knowledge. I'm comfortable with a lot of jargon but in terms of security applications and such, I'm completely inexperienced, so please, do not be afraid to treat me like your grandma who just got on the internet, even though I'd consider myself savvier than that. I'll let you know if I've tried what you've suggested, but please do not assume so. Thanks!

Okay, so here's the deal... for a couple of months now, randomly, and often, links will redirect to places other than their target. I'm not frequenting strange sites or "bad" sites like porno or warez or something, so that shouldn't be an issue. However, places like hulu.com or something equally typically harmless, even clicking on the "home page" logo (their name, top-left) will freeze that site, and pop up a new tab with a new, undesired page.

Other times, I'll click a link, say trying to open a Wired.com article or something equally harmless, and that page, instead of going forward to the article, will pause for a second at google-analytics.com, or say, results5.google.com and then redirect to another page entirely. Usually the resulting page is pretty harmless itself (seemingly). It seems like a simple hijack to boost page rank or something to me, but who knows?

Also, sites like Vimeo, for example, will load only briefly and then blink out, constantly loading. Nothing ever resolves, nor do I get any imagery whatsoever after that first blink.

Anyway, I have MSE installed and have for some time (since before the issue), it is up to date, and I run scans frequently. Nothing serious has come up anytime lately. I also have run MBAM scans (full and quick) with current updates and have had zero causes for alarm there.

I installed Hijack This, but haven't really done anything further than a scan, since I'm not experienced and know enough that I don't want to bork my computer removing something I shouldn't.

Basic info:
Running Windows Vista Home Premium, 64-bit (SP2)
Wired Internet connection, (although it's through a wireless router that I use for my Wii as well, which is running wirelessly)
Typically use Google Chrome 7.0.517.41 beta, but also Firefox 3.6.10 (3.6.11 is currently downloading... I don't use it much.) :)

Installed AV/AntiMalware:
Microsoft Security Essentials (Current and scans as clean)
MalwareBytes Anti-Malware (Current and scans as clean)
HiJackThis (current, but again, just scanned with no idea as to what the results are really telling me)

Looking around here earlier, I saw some mention of my HOSTS file. I've found it, and while I can view it in Notepad, apparently I can't modify or save it in any way. It's protected somehow. Which is fishy. The only entries on it are as follows:


127.0.0.1 localhost
::1 localhost

I don't know if that means anything, but since it's short and sweet, and since it's locked from my editing, which seemed strange, I thought I'd post it.

Let me know if there's anything else I can do that would help, or if I'm doing something wrong.

Thanks.

(Oh, and for the record, I am pretty sure I'm posting something fairly original... I did search and while I found variants of this situation, most posters' issues seemed to originate only from search results links, or resulted in antivirus or antimalware sites or programs to be blocked, which isn't the case for me...I did try to be thorough, and I don't want to waste anyone's time!)

Additional note that may be of interest:

All ads that get served to me seem to be from CLICKSOR. It's annoying. Anyway, that's a fairly new occurrence. Also, sometimes I get ad audio without a visible ad which I can block. Don't know if it's related, but regardless, would love to kill that system-wide too. Doesn't seem to matter what site I visit...it's always CLICKSOR ads.

As an example, when I clicked "Publish Post" here, just now, I had a new tab pop up that directed to: http://www.1-click-fix.com/?hop=brite25

Edited by jgweed, 22 October 2010 - 07:52 AM.
added example from reply to post.jgw
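The hosts file quoted in the post above holds only the two loopback entries for localhost. As an added example (not part of the original thread), this sketch audits hosts-file text and reports any other mapping; the function name, the `EXPECTED_NAMES` allowlist and the tampered sample are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: on a stock install, "localhost" is the only name expected in the file.
EXPECTED_NAMES = {"localhost"}

# The two entries quoted in the post, plus a constructed tampered sample.
POSTED = "127.0.0.1 localhost\n::1 localhost\n"
TAMPERED = (
    "127.0.0.1 localhost\n"
    "203.0.113.7 www.example.com example.com  # constructed entry\n"
    "0.0.0.0 updates.example.net\n"
    "not-an-ip example.org\n"
)

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every unexpected entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not entry:
            continue
        fields = entry.split()
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, ip_text, " ".join(names), "malformed"))
            continue
        for name in (n.lower() for n in names):
            if name in EXPECTED_NAMES and ip.is_loopback:
                continue                          # normal localhost mapping
            # Loopback or 0.0.0.0 makes the name unreachable; any other
            # address sends traffic for that name to a different host.
            sinkholed = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, ip_text, name,
                             "blocked" if sinkholed else "redirected"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(TAMPERED):
        print(finding)
```

An empty result for the posted file means the hosts file is not what rewrites the links; the cause has to be looked for elsewhere, such as the DNS settings discussed later in the thread.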




#2 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 22 October 2010 - 05:50 PM

http://voices.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

Are you familiar with this article and securing your router?
Chewy

No. Try not. Do... or do not. There is no try.

#3 Dorkmaster


Posted 24 October 2010 - 05:09 PM

I was not aware of that; however, I have just checked my router and settings appear (again, to fairly competent, but still security-wise noobish, eyes) unchanged.

#4 Dorkmaster


Posted 25 October 2010 - 08:18 PM

Soooo... Any advice? I mean no disrespect, but what you pointed out is useful to an extent, but not very helpful to fix anything in my current state.

I really need help here! Please!

#5 DaChew


Posted 25 October 2010 - 08:34 PM

My apologies, the new forum software has my threads all mixed up. You have reset your router and entered a strong password?

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Chewy

No. Try not. Do... or do not. There is no try.

#6 Dorkmaster


Posted 27 October 2010 - 02:58 AM

First off, I appreciate your assistance. I just wanted to be sure I've said that to you. It's really awesome what you do.

Secondly, I've changed the password to my administration access to the router, and I've ensured that settings are as they were intended when I set up the network. So as far as my router is concerned, nothing appears to be malicious there. However, I didn't reset the router, because then I'd lose all of my settings, correct? Meaning, my passwords/etc would be factory-install, which is less secure than my own ID and password, correct? I've reset the connection though, and as I said, my admin access password is secure and new. (And I've turned off SSID Broadcasting as well).


Finally, I've also run the ESET online scanner and here is the log of the results:
C:\Users\Larry\AppData\Local\Temp\npsC480.tmp	JS/Exploit.Pdfka.OAF trojan

Edited by Dorkmaster, 27 October 2010 - 09:20 AM.


#7 DaChew


Posted 28 October 2010 - 02:15 PM

For All Other Users:
Go to Control Panel>Network Connections and select your local network.
Click Properties, then select Internet Protocol (TCP/IP).
Click Properties.

You will see a window - this is the Internet Protocol window. Select "Obtain DNS server automatically" and press OK.

Now go to Start/Run, type cmd and press OK.

When the black screen opens, type this exactly, including all spaces:

ipconfig /flushdns and press OK, then close that black screen.

Reboot.

Now go to Start/Run, type cmd and press OK.

When the black screen opens, type this exactly, including all spaces:

ipconfig /flushdns and press OK, then close that black screen.

Reboot.
Chewy

No. Try not. Do... or do not. There is no try.
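After the DNS steps in the post above, the resolvers the PC actually ended up with can be read from `ipconfig /all`. As an added example (not part of the original thread), this sketch parses that output and lists DNS servers that are neither the default gateway nor on a known-good list; the sample output is constructed, and `known_good` is an assumed parameter for addresses the user has confirmed with their ISP.

```python
import re

# "   DNS Servers . . . . . : 10.0.0.1" -> ("DNS Servers", "10.0.0.1")
FIELD = re.compile(r"^\s+(.+?)[ .]+: ?(.*)$")

# Constructed sample of `ipconfig /all` output (documentation-range addresses).
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_adapters(text):
    """Return {adapter name: {"gateway": [...], "dns": [...]}}."""
    adapters, current, key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():        # section header, e.g. "Ethernet adapter X:"
            name = line.strip().rstrip(":")
            is_adapter = line.rstrip().endswith(":")
            current = adapters.setdefault(name, {"gateway": [], "dns": []}) if is_adapter else None
            key = None
            continue
        match = FIELD.match(line)
        if match:
            key, value = match.group(1).strip(), match.group(2).strip()
        else:
            value = line.strip()         # continuation line of the previous field
        if current is None or not value:
            continue
        if key == "DNS Servers":
            current["dns"].append(value)
        elif key == "Default Gateway":
            current["gateway"].append(value)
    return adapters

def unexpected_dns(text, known_good=()):
    """List (adapter, server) pairs that are neither the gateway nor known-good."""
    findings = []
    for name, info in parse_adapters(text).items():
        trusted = set(info["gateway"]) | set(known_good)
        findings += [(name, s) for s in info["dns"] if s not in trusted]
    return findings
```

A listed server is not proof of tampering, since many ISPs hand out their own resolvers; it is an address to compare against what the router's setup page and the ISP say it should be.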

#8 Dorkmaster


Posted 29 October 2010 - 01:15 AM

It won't let me do the "ipconfig /flushdns" part.

It returns text to me saying "The requested operation requires elevation".

Is this an administrator privilege thing? I'm running as administrator, but is there a command in "DOS" that requires processing prior to the dns flushing?


#9 DaChew


Posted 29 October 2010 - 06:24 AM

Launch the cmd prompt - Make sure you select, 'Run as administrator'
Chewy

No. Try not. Do... or do not. There is no try.

#10 Dorkmaster


Posted 29 October 2010 - 12:39 PM

Thank you for the clarification, re: running as admin.

I have done everything as you outlined.

What's next?

#11 DaChew


Posted 29 October 2010 - 12:54 PM

How is Firefox doing with these redirects?

We need to narrow this down before digging deeper, Chrome may have been corrupted earlier.
Chewy

No. Try not. Do... or do not. There is no try.

#12 Dorkmaster


Posted 29 October 2010 - 10:10 PM

Still happening to Firefox too (and yes, I'm current on updates and all, nothing fishy, with extensions and such (same with Chrome, by the way)).

Also happens in Safari (although I never use it, really...just as an alternative for once in a while).

And Internet Explorer as well.

So every browser I have experiences the same problem (although in Chrome, it opens a new tab, whereas in Firefox, IE and Safari, it opens a new window. Don't think that helps any, but just to give you thorough info...)

Apparently, no change after ensuring the router is secure and the DNS is flushed and refreshed.

Sorry. :(




#13 DaChew


Posted 29 October 2010 - 10:49 PM

I am going to ask someone to take a look at this thread, Vista 64 bit machines were immune to rootkits until recently, it will take specialized tools and training if that is the case?
Chewy

No. Try not. Do... or do not. There is no try.

#14 Dorkmaster


Posted 30 October 2010 - 02:28 AM

Thanks, and I will await anything you or anyone else can find.

As of right now, it's a pain, but it's simply scary not knowing if my computer is a zombie for someone else's botnet, or if people are currently trying to get my personal data. :(

But I'm so very appreciative of your help! Thanks!

#15 WastingSanity

  • Members
  • 2 posts

Posted 30 October 2010 - 04:00 AM

The google-analytics, was it happening with all sites or just one site? I had it happen with just one site (chat site main page) and I can surf everywhere else without google-analytics.com popping up in the load area.



