
Link redirect problem


17 replies to this topic

#1 iumf

Posted 05 May 2011 - 10:07 PM

Hello,

I recently was infected with a fake antivirus program. I followed the guides on bleepingcomputer and the fake antivirus does not show up anymore. I have scanned my computer with Malwarebytes Anti-Malware and SuperAntiSpyware and they are unable to detect anything. (rkill does not close any programs and tdsskiller does not detect anything).

However, whenever I click search engine results the links will sometimes redirect me to another website. Please advise me on how to address this problem. Thank you very much for your help.


#2 cryptodan

Posted 05 May 2011 - 10:26 PM

What browser are you using, so we can get onto the right course of troubleshooting?

#3 iumf

Posted 05 May 2011 - 10:44 PM

I use Firefox.

#4 cryptodan

Posted 05 May 2011 - 10:48 PM

In Firefox 3.6 go to Tools, then Options, then the Advanced tab, and under Network go to Settings and see if there are any proxies.

In the new Firefox go to the Firefox button in the upper left-hand corner, then Options, then Options, and the Advanced portion, then Network and Settings.

#5 iumf

Posted 05 May 2011 - 10:58 PM

It is currently on "use system proxy settings". I am using the newest version of FF.

Edited by iumf, 05 May 2011 - 10:59 PM.


#6 cryptodan

Posted 05 May 2011 - 11:02 PM

Can you select no proxy? What about the other boxes and Internet Explorer?

#7 iumf

Posted 05 May 2011 - 11:06 PM

Yes, I am able to select no proxies. I am not sure how to change the IE options because I never use IE.

#8 cryptodan

Posted 05 May 2011 - 11:07 PM

Go to Control Panel, then Internet Options, and go to the Connections tab, then LAN Settings. Nothing should be checked.

#9 iumf

Posted 05 May 2011 - 11:08 PM

It has "Automatically detect settings" checked. Should I uncheck this?

#10 cryptodan

Posted 05 May 2011 - 11:12 PM

Uncheck it.

Now GMER

GMER does not work in 64-bit mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#11 iumf

Posted 05 May 2011 - 11:41 PM

Here is the GMER log:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-05 21:39:16
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.PB2O
Running: i5iny806.exe; Driver: C:\Users\Nguyen\AppData\Local\Temp\kxliqpob.sys


---- System - GMER 1.0.15 ----

SSDT 85337138 ZwAlertResumeThread
SSDT 853371B8 ZwAlertThread
SSDT 853249F8 ZwAllocateVirtualMemory
SSDT 852CCEB8 ZwConnectPort
SSDT 852B8048 ZwCreateMutant
SSDT 853248B8 ZwCreateThread
SSDT 853376E0 ZwFreeVirtualMemory
SSDT 852B8138 ZwImpersonateAnonymousToken
SSDT 8546C0C8 ZwImpersonateThread
SSDT 852BC110 ZwMapViewOfSection
SSDT 85467578 ZwOpenEvent
SSDT 852FF420 ZwOpenProcessToken
SSDT 85469610 ZwOpenThreadToken
SSDT \??\C:\windows\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0x89DDD880]
SSDT 8546B648 ZwResumeThread
SSDT 85340D88 ZwSetContextThread
SSDT 852FF5F0 ZwSetInformationProcess
SSDT 852BC2F8 ZwSetInformationThread
SSDT 85467498 ZwSuspendProcess
SSDT 852AC168 ZwSuspendThread
SSDT 852EDC28 ZwTerminateProcess
SSDT 852BF950 ZwTerminateThread
SSDT 85350320 ZwUnmapViewOfSection
SSDT 852DD1E8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81A8C589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81AB1092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 81AB8834 8 Bytes [38, 71, 33, 85, B8, 71, 33, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 81AB884C 4 Bytes [F8, 49, 32, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 2DC 81AB88EC 4 Bytes [B8, CE, 2C, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 81AB8928 1 Byte [48]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 81AB8928 4 Bytes [48, 80, 2B, 85] {DEC EAX; SUB BYTE [EBX], 0x85}
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
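A small triage helper for the log format above, added here as an illustration and not part of the thread or of GMER itself: it separates the SSDT, kernel code-section and device entries, attributes each to a module or vendor where the log line says so, and marks what an analyst still has to verify by hand. The vendor allowlist, the known-driver set and the short constructed sample are all assumptions.

```python
import re

# Constructed sample in the format of the GMER log pasted above (not the full log).
SAMPLE_LOG = [
    r"SSDT 85337138 ZwAlertResumeThread",
    r"SSDT \??\C:\windows\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0x89DDD880]",
    r".text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 81A8C589 1 Byte [06]",
    r"AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)",
    r"AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)",
    r"Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)",
]
# Assumed allowlists: vendors and driver files the analyst has already accounted for.
TRUSTED_VENDORS = {"Microsoft Corporation", "Symantec Corporation"}
KNOWN_DRIVERS = {"wpsdrvnt.sys"}  # assumption for the demo, not a verdict on the file

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)(?:\s+\[(0x[0-9A-Fa-f]+)\])?$")
TEXT_RE = re.compile(r"^\.text\s+(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\d+)\s+Bytes?\s+\[")
DEV_RE = re.compile(r"^(AttachedDevice|Device)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def triage_line(line):
    """Classify one GMER log line; return a finding dict, or None for lines not parsed."""
    m = SSDT_RE.match(line)
    if m:
        target, func, _ = m.groups()
        if target.lower().endswith(".sys"):  # hook attributed to a driver file by GMER
            driver = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
            return {"kind": "ssdt", "func": func, "module": driver,
                    "flag": driver not in KNOWN_DRIVERS}
        # Address only: GMER could not map the hook to a loaded module, so it needs a look.
        return {"kind": "ssdt", "func": func, "module": None, "flag": True}
    m = TEXT_RE.match(line)
    if m:  # in-memory patch of kernel code; always worth a second look
        return {"kind": "text", "func": m.group(1), "module": None, "flag": True}
    m = DEV_RE.match(line)
    if m:
        kind, _drv, device, module, desc = m.groups()
        vendor = desc.rsplit("/", 1)[-1].strip()  # "(Description/Vendor)" -> Vendor
        return {"kind": kind.lower(), "func": device, "module": module.lower(),
                "flag": vendor not in TRUSTED_VENDORS}
    return None

def triage(lines):
    """Parse every line and return (findings, number of findings flagged for review)."""
    findings = [f for f in (triage_line(l.strip()) for l in lines) if f]
    return findings, sum(f["flag"] for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)[0]:
        print(("REVIEW " if f["flag"] else "ok     ") + f["kind"], f["func"], f["module"])
```

Section headers, blank lines and the "---- EOF ----" line are skipped; a flagged entry means "attribute this before calling the machine clean", not "this is malicious".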

#12 cryptodan

Posted 05 May 2011 - 11:45 PM

Can you create another profile, and see if the redirects happen there?

#13 iumf

Posted 05 May 2011 - 11:46 PM

I'll make some Google searches that I noticed caused redirects. How do things look?

#14 cryptodan

Posted 05 May 2011 - 11:49 PM

The GMER scan revealed no rootkits.

#15 iumf

Posted 05 May 2011 - 11:49 PM

I just had a redirect by clicking on a Google search result.

Edited by iumf, 05 May 2011 - 11:50 PM.
