Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Why Am I Being Redirected To Bleepingcomputer?


  • Please log in to reply
3 replies to this topic

#1 czetie

czetie

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 27 January 2006 - 02:39 PM

OS: WinXP with SP2 and all patches

Browser: Firefox 1.5 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5). No Extensions installed or downloaded

When I attempt to visit a particular page on my corporate intranet, I am getting redirected to bleepingcomputer.com, specifically to URL

http://www.bleepingcomputer.com/startups/p...1.exe-9066.html

The page in question does attempt to run a legitimate exe called psoft1. Before this happened I had never heard of bleepingsoftware and have not installed anything that would enable bleepingcomputer to intercept downloads etc., as far as I know.

If I go to the same intranet page in IE, it loads fine.

I have updated and run both Spybot S&D and Ad-Aware SE and didn't see any issues beyond the usual tracking cookies. I also have the corporate edition of Symantec AV fully updated and it says my PC is clean. I am also running Cisco Security Agent.

Any suggestions of how this happened and, more importantly, how to disable it would be very welcome!

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:42 PM

Posted 27 January 2006 - 05:15 PM

Are you at liberty to say what page you are trying to go to that redirects to bleeping? Also there is nothing on that page that would install an exe.


Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers, Malware, & Spyware

#3 czetie

czetie
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 27 January 2006 - 09:01 PM

Here's the logfile. I can't give you the link that causes this because its on my intranet. But the page is just a "loader" page that causes a Java applet to be launched via an executable called psoft1.exe. What then *appears* to happen is that something on my computer catches the exe download, decides (wrongly, as it happens) that its malware, blocks it, and redirects the browser to the bleepingcomputer page for psoft1.exe presumably to provide an explanation.

As mentioned before this only happens if I visit that internal page in Firefox, not in IE. Is there some Firefox addon/plugin perhaps that "helpfully" tries to block malware and redirects the user to your site for info?



Logfile of HijackThis v1.99.1
Scan saved at 8:53:02 PM, on 1/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco\CSAgent\bin\leventmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
C:\Program Files\Cisco\CSAgent\bin\okclient.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
c:\program files\yahoo!\yahoo! desktop search\textExtractor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\czetie\My Documents\home office\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forrester.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Yahoo! Desktop Search System Tray.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
O4 - Startup: Yahoo! Desktop Search.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco\CSAgent\bin\okclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PeopleSoft Java Client v7.59i - http://psoft1.gigaweb.com/javaclient/javaclient_idu.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://camb-ssl.forrester.com/postauthI/epi.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133555988568
O16 - DPF: {C5BA5176-CBED-4C17-9F41-64BE36914472} (Siebel High Interactivity Framework) - http://siebel.forrester.com/sales_enu/1832...x_HI_Client.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://skywaysoftware.webex.com/client/v_m...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = forrester.loc
O17 - HKLM\Software\..\Telephony: DomainName = forrester.loc
O17 - HKLM\System\CCS\Services\Tcpip\..\{4651C903-15F6-47E5-9260-B8E6412A2B06}: Domain = forrester.loc
O17 - HKLM\System\CCS\Services\Tcpip\..\{4651C903-15F6-47E5-9260-B8E6412A2B06}: NameServer = 63.76.254.31,63.76.254.32
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = forrester.loc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = forrester.loc
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = forrester.loc
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:42 PM

Posted 27 January 2006 - 10:34 PM

Your log is clean..I see the java script here:

O16 - DPF: PeopleSoft Java Client v7.59i - http://psoft1.gigaweb.com/javaclient/javaclient_idu.cab


There is no software out there that has ever notified me that they redirect users to my startup database based on certain criteria, so I am not sure why that is happening. THe only thing I see that "may" be doing this is the cisco security agent, but this is a first time I have heard something like this.

Something else you can try is to start firefox in safe mode. There should be an icon for this under the mozilla firefox group in your start menu. Lets see if the behaviour continues in that mode.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users