
Weird Google redirect issue


16 replies to this topic

#1 Digitaldj (Members, 12 posts, White Rock BC Canada)

Posted 27 May 2013 - 02:29 AM

I have a weird issue with Google that I just noticed in the middle of last week when searching for a particular site for the company's phone number. I ran the following Google search "Bike shops in White Rock" and received the usual response. It happens that the site I was looking for was the top link "Peninsula Cycles". When I click the link it redirects me to wwwnt.vizvaz.com and a Black Jack Search. It sometimes will spawn another link to another search site.

The weird part is that if I type www.peninsulacycles.com into the URL bar the site loads normally, and any other link above or below the Peninsula link works as normal. In fact any other search I do for anything else works normally. This behaviour is the same in all browsers I have on my computer.

 

A couple of times the link tried to start Java, so I disabled Active Scripts in IE, which stopped the issue. So am I wrong in thinking that the problem is with the site and a script that’s running on the server side?

 

Any help would be great and appreciated. I have also run MalwareBytes and cleaned out any suspicious files, registry entries etc., rebooted again and re-ran the scan with no additional baddies present. I also ran TDSSKiller and the only thing that comes up is a medium-risk sptd.sys, which I think loads as a part of Daemon Tools or Alcohol.

 

Again thanks in advance for the assistance.

 

Dave.

 

PS: I'm running Windows XP Professional SP-3
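The symptom described in this post (the redirect happens only when the site is reached through a search-result link, not when the address is typed directly) is the pattern a site owner or helper would test by requesting the page with and without a search-engine Referer header and comparing where each request ends up. The Python below is an added example written for this edit, not code from the original post or from any tool named in the thread; the fetch function is injected so the comparison logic can run offline against a stand-in fetcher, and the hostnames used (shop.example.invalid, redirect.example.invalid) are placeholders rather than the sites named above.

```python
import urllib.request
from typing import Callable, Dict, List
from urllib.parse import urlparse

# A fetcher takes (url, extra_headers) and returns the final URL reached after
# following HTTP redirects. It is injected so the comparison can be tested offline.
Fetcher = Callable[[str, Dict[str, str]], str]

# Referer values imitating arrival from a search results page. The query text is
# a placeholder; a referer-conditional redirect keys on the host, not the query.
SEARCH_REFERERS: Dict[str, str] = {
    "google": "https://www.google.com/search?q=example",
    "bing": "https://www.bing.com/search?q=example",
}


def live_fetch(url: str, headers: Dict[str, str], timeout: float = 15.0) -> str:
    """Follow HTTP 3xx redirects with urllib and return the final URL."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **headers})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()


def landing_host(final_url: str) -> str:
    """Normalise a final URL to its host so comparisons ignore paths and queries."""
    return urlparse(final_url).netloc.lower()


def referer_redirect_check(url: str, fetch: Fetcher = live_fetch,
                           referers: Dict[str, str] = SEARCH_REFERERS) -> Dict[str, str]:
    """Fetch url once directly and once per search Referer; return landing host per case."""
    results = {"direct": landing_host(fetch(url, {}))}
    for name, referer in referers.items():
        results[name] = landing_host(fetch(url, {"Referer": referer}))
    return results


def conditional_redirect_cases(results: Dict[str, str]) -> List[str]:
    """Names of the Referer cases whose landing host differs from the direct visit."""
    expected = results["direct"]
    return [name for name, host in results.items() if name != "direct" and host != expected]


def _stand_in_fetch(url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for live_fetch: simulates a site that bounces Google traffic elsewhere."""
    if "google.com" in headers.get("Referer", ""):
        return "http://redirect.example.invalid/landing"
    return url


if __name__ == "__main__":
    # Offline demonstration with the stand-in fetcher; pass live_fetch for a real site.
    results = referer_redirect_check("http://shop.example.invalid/", _stand_in_fetch)
    for case, host in results.items():
        print(f"{case:>7}: {host}")
    print("differs from direct visit:", conditional_redirect_cases(results))
```

live_fetch sees only HTTP-level redirects (3xx responses); a redirect performed by JavaScript or a meta refresh is invisible to it and needs a browser-based capture instead. A difference between the direct and Referer cases shows only that the site answers search traffic differently; it does not by itself say whether the cause lies on the server or on the visiting machine.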




#2 noknojon (Banned, 10,871 posts)

Posted 27 May 2013 - 07:39 AM

Hello Digitaldj -

 

The Peninsula Cycles site is rated by WOT as a ( ? ) Suspect site, but this may also be due to advertising on the particular site.

 

These are ratings for vizvaz.com from 2 of the better Antivirus programs -
Ratings from Virus Total - Analysis date:  2013-05-19 22:30:12 UTC ( 1 week ago )

BitDefender - Malware site
BitDefender, domain information = The URL domain/host was seen to host badware at some point in time

Sophos -  Malicious site
Sophos, URL description = URL subjected to threat Mal/HTMLGen-A.

 

These 2 programs have not yet rated it -

Kaspersky - Unrated site
Fortinet - Unrated site

 

Please download Screen317 Security Check from Here or Here and save it to your Desktop.
*Double-click SecurityCheck.exe
*Follow the onscreen instructions inside of the black box.
*A Notepad document should open automatically called checkup.txt;
*Please Copy / Paste the contents of that document back here.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

 

You have Malwarebytes AntiMalware installed, so please Update it and run a Full scan and Copy / Paste the result back here.

 

Please download SUPERAntiSpyware to desktop. Check for latest updates if not done during the download.
You can check "Remove" for any infections found, and the program may ask you to Reboot if several infections are found.
Run a Full Scan and Copy / Paste the Report log back here when finished -

 

I would then like you to run an Online scan with ESET Scanner

1. Hold down Control key and click on This Link to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

 

*1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
*2. Double click on the ESET icon on your desktop.

 

4. Check "YES, I accept the Terms of Use."

5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats"
8. Click Advanced settings and select the following:
◦ Scan potentially unwanted applications
◦ Scan for potentially unsafe applications
◦ Enable Anti-Stealth technology
9. ESET will then download updates for itself, install itself, and begin scanning your computer.

Please be patient as this will take some time if it is a first time scan. (1 hour or more is not unusual).
10. When the scan completes, click List Threats
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.
NOTE: Sometimes if ESET finds no infections it will not create a log.

 

Thank You -



#3 Digitaldj (Topic Starter, Members, 12 posts, White Rock BC Canada)

Posted 27 May 2013 - 11:05 AM

Wow, that looks comprehensive. Thanks for the quick reply. It may take a little while but I'll get right on it and post the results.

Thanks.

Dave.

#4 noknojon (Banned, 10,871 posts)

Posted 27 May 2013 - 05:53 PM

Hi Dave -

Take your time, and post any results when you have the time to do them.

 

Your problem sounded a bit odd and that was why I checked your given link, found the site online myself, plus the other bits about the infection that I posted -

 

Regards -



#5 Digitaldj (Topic Starter, Members, 12 posts, White Rock BC Canada)

Posted 28 May 2013 - 02:38 PM

Noknojon, here is the first of the scans. Doesn't seem to be anything unusual. Just waiting for SUPERAntiSpyware to finish its run.

 

 

Results of screen317's Security Check version 0.99.64 
 Windows XP  x86  
 Out of date service pack!!
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
ESET Smart Security 6.0  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner (remove only)  
 Java™ 6 Update 31 
 Java 7 Update 21 
 Adobe Flash Player  11.7.700.202 
 Adobe Reader XI 
 Mozilla Firefox 20.0.1 Firefox out of Date! 
 Google Chrome 26.0.1410.64 
 Google Chrome 27.0.1453.94 
````````Process Check: objlist.exe by Laurent```````` 
 ESET NOD32 Antivirus egui.exe 
 ESET NOD32 Antivirus ekrn.exe 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````



#6 noknojon (Banned, 10,871 posts)

Posted 28 May 2013 - 06:11 PM

Hi -
Can you please do 2 things for me to double check the Security Report -

Due to the notice (Windows XP x86  Out of date service pack!!), can you please go to Control Panel and open Add / Remove to look for XP SP3. Make sure the box at the top for "Show Updates" is also ticked.

If installed, it will be listed near the very bottom of the installed programs.

 

The second item is, while in Add / Remove, please uninstall Java™ 6 Update 31 (all old versions should be removed if they exist), you are current with Java 7 Update 21.

 

Thank You -



#7 Digitaldj (Topic Starter, Members, 12 posts, White Rock BC Canada)

Posted 28 May 2013 - 06:16 PM

Will do; in the meantime here is the SUPERAntiSpyware log.

 

 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/28/2013 at 03:49 PM

Application Version : 5.6.1020

Core Rules Database Version : 10453
Trace Rules Database Version: 8265

Scan type       : Complete Scan
Total Scan Time : 03:10:20

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 759
Memory threats detected   : 0
Registry items scanned    : 48089
Registry threats detected : 0
File items scanned        : 303309
File threats detected     : 5

Trojan.Agent/Gen-Nullo[Short]
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{5766B6DF-3847-4B62-9D16-1D9162974213}\RP258\A0076316.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{5766B6DF-3847-4B62-9D16-1D9162974213}\RP258\A0076317.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{5766B6DF-3847-4B62-9D16-1D9162974213}\RP258\A0076318.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{5766B6DF-3847-4B62-9D16-1D9162974213}\RP258\A0076325.EXE
 D:\SYSTEM VOLUME INFORMATION\_RESTORE{5766B6DF-3847-4B62-9D16-1D9162974213}\RP258\A0076320.EXE



#8 Digitaldj (Topic Starter, Members, 12 posts, White Rock BC Canada)

Posted 28 May 2013 - 06:23 PM

Windows XP Service Pack 3 is present in the Add or Remove Programs and I have removed Java 6. Just running the Eset scan.

 

Cheers



#9 noknojon (Banned, 10,871 posts)

Posted 29 May 2013 - 01:06 AM

You are doing great, just post as you have time -

 

Re: Trojan.Agent/Gen-Nullo[Short] - This is a "Generic" name for several, mostly minor, items.

Can you go back to look in Control Panel > Add Remove and see if Dealio toolbar is listed, as Trojan.Agent/Gen-Nullo seems to be a part of this toolbar.

 

If not, only once you finish, here are a few quick Cleanup scanners -

 

Please download AdwCleaner to desktop.
Temporarily disable your Antivirus while the program runs
NOTE: Close all other running programs including your browser, as your computer will be rebooted after the scan.
Double click on the AdwCleaner icon to run the program
Vista or Win7 users Right click and select Run as Administrator

Select DELETE from the menu
Confirm with OK when asked.
A logfile will be produced after the reboot, please post it back here -

 

Download Junkware Removal Tool
Again disable your Antivirus while the program runs, just to avoid conflicts
Double click on the new icon to start the program
Vista or Win7 users Right click and select Run as Administrator

Follow the directions in the Black box and the program will run
Your computer will not be rebooted, but a logfile will be produced
Please post it back here -

 

Make sure you enable your Antivirus when completed

 

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
NOTE - TFC will close all running programs, and it may ask you to restart computer.

 

By now you should be able to give me a report on how your browser is running -

 

Thanks -



#10 Digitaldj (Topic Starter, Members, 12 posts, White Rock BC Canada)

Posted 29 May 2013 - 09:02 AM

Below are the results of the scan with ESET Online. I checked for the toolbar that you described but it doesn’t exist. I also tried the "bike shops in white rock" search again for Peninsula Cycles and receive the same results. Malwarebytes blocks the loading because it’s a potentially malicious site. The IP indicated is 94.242.251.250 and it’s the same each time. Again, not sure whether or not it’s an issue on my end or theirs. Seems odd that when I type in the site name it goes directly to the site and Malwarebytes does not issue a warning.

 

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Z1HNMLS3\UtilityChest[1].exe Win32/AdInstaller application cleaned by deleting - quarantined
C:\Documents and Settings\David Johnson\Application Data\0D1C1L2X1P1C0G2Y1L1Q1P\BH 21 and others Driver Download Packages\uninstaller.exe a variant of Win32/InstallCore.AZ application cleaned by deleting - quarantined
C:\Documents and Settings\David Johnson\Application Data\e\.wf\78bc9941 PHP/Obfuscated.F application cleaned by deleting - quarantined
C:\Documents and Settings\David Johnson\Application Data\e\.wf\9f612db7 PHP/Obfuscated.E application cleaned by deleting - quarantined
C:\Documents and Settings\David Johnson\Desktop\Creavision.ca\backup-creavision.ca-5-30-2012.tar.gz PHP/Obfuscated.E application deleted - quarantined
C:\System Volume Information\_restore{5766B6DF-3847-4B62-9D16-1D9162974213}\RP209\A0059963.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5766B6DF-3847-4B62-9D16-1D9162974213}\RP217\A0061175.dll Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5766B6DF-3847-4B62-9D16-1D9162974213}\RP217\A0061176.dll Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5766B6DF-3847-4B62-9D16-1D9162974213}\RP217\A0061177.dll Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5766B6DF-3847-4B62-9D16-1D9162974213}\RP217\A0061183.dll Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5766B6DF-3847-4B62-9D16-1D9162974213}\RP217\A0061184.dll Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5766B6DF-3847-4B62-9D16-1D9162974213}\RP217\A0061185.dll Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5766B6DF-3847-4B62-9D16-1D9162974213}\RP224\A0061864.exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined
D:\Web sites\creavisi\Shell.php PHP/Obfuscated.E application cleaned by deleting - quarantined
D:\Web sites\Web site backups\Creavisi\backup-6.15.2011_12-08-38_creavisi.tar.gz PHP/Obfuscated.F application deleted - quarantined
D:\Web sites\Web site backups\Creavisi\backup-creavision.ca-10-9-2011.tar.gz PHP/Obfuscated.F application deleted - quarantined
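Triage of an ESET export like the one above usually starts by bucketing detections by where they were found: files under System Volume Information\_restore are copies held in old System Restore points, entries under Temporary Internet Files are cached downloads, and archives are dormant until unpacked, whereas a file in the live profile sat in a location from which it could have run. The Python below is an added example written for this edit, not the poster's data or ESET's code; its log lines are constructed to match the export format above (path, threat name, action) with placeholder user name, restore-point GUID and site names, and the location rules are the editor's assumption about how to bucket entries.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the ESET Online Scanner export format seen in this thread:
# "<path> <threat> <action>". The user name, the all-zero restore-point GUID and
# the site names are placeholders, not real files from the poster's machine.
SAMPLE_ESET_LOG = r"""
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\Installer[1].exe Win32/AdInstaller application cleaned by deleting - quarantined
C:\Documents and Settings\User\Application Data\e\.wf\78bc9941 PHP/Obfuscated.F application cleaned by deleting - quarantined
C:\Documents and Settings\User\Desktop\site\backup-site-5-30-2012.tar.gz PHP/Obfuscated.E application deleted - quarantined
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP209\A0059963.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP217\A0061175.dll Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP224\A0061864.exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined
D:\Web sites\example\Shell.php PHP/Obfuscated.E application cleaned by deleting - quarantined
"""

# Threat names look like Family/Name.Variant; ESET prefixes "a variant of" when the
# match was heuristic rather than an exact signature. Paths contain no "/", so the
# lazy path group stops at the first token of that shape followed by " application".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:a variant of )?\w+/[\w.\-]+) (?P<action>application .+)$"
)
VARIANT_PREFIX = "a variant of "


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    location: str   # restore_point | browser_cache | archive | active
    heuristic: bool  # True when ESET reported "a variant of ..."


def classify_location(path: str) -> str:
    """Bucket a detection path by how reachable the file was (assumed rules)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\temporary internet files\\" in p:
        return "browser_cache"
    if p.endswith((".tar.gz", ".tgz", ".zip", ".rar", ".7z")):
        return "archive"
    return "active"


def parse_eset_log(text: str) -> List[Detection]:
    """Parse detection lines; lines that do not fit the format are skipped."""
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        threat = m.group("threat")
        heuristic = threat.startswith(VARIANT_PREFIX)
        if heuristic:
            threat = threat[len(VARIANT_PREFIX):]
        detections.append(Detection(
            path=m.group("path"), threat=threat, action=m.group("action"),
            location=classify_location(m.group("path")), heuristic=heuristic,
        ))
    return detections


def summarize_by_location(detections: List[Detection]) -> Dict[str, int]:
    """Count detections per location bucket."""
    return dict(Counter(d.location for d in detections))


def active_detections(detections: List[Detection]) -> List[Detection]:
    """Detections outside restore points, caches and archives: the ones to look at first."""
    return [d for d in detections if d.location == "active"]


if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_ESET_LOG)
    print("by location:", summarize_by_location(found))
    for d in active_detections(found):
        flag = " (heuristic)" if d.heuristic else ""
        print(f"ACTIVE  {d.threat}{flag}  {d.path}")
```

Restore-point entries disappear once System Restore is purged or the points expire, so they say more about the machine's history than its current state; the active bucket is where a helper would look when the reported symptom persists after cleaning, which is the case in the posts that follow.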
 



#11 Digitaldj (Topic Starter, Members, 12 posts, White Rock BC Canada)

Posted 29 May 2013 - 12:42 PM

AdwCleaner

 

 AdwCleaner v2.301 - Logfile created 05/29/2013 at 08:06:25
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : David Johnson - DIGITAL-GBI5CJ7
# Boot Mode : Normal
# Running from : C:\Documents and Settings\David Johnson\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\David Johnson\Application Data\Mozilla\Firefox\Profiles\l6b7df9j.default\jetpack
Folder Deleted : C:\Documents and Settings\David Johnson\Application Data\OpenCandy
Folder Deleted : C:\Documents and Settings\David Johnson\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\David Johnson\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\David Johnson\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\David Johnson\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Installer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1A03F196-9617-4CA0-842B-A83CEECB022B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2998365
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Documents and Settings\David Johnson\Application Data\Mozilla\Firefox\Profiles\l6b7df9j.default\prefs.js

C:\Documents and Settings\David Johnson\Application Data\Mozilla\Firefox\Profiles\l6b7df9j.default\user.js ... Deleted !

Deleted : user_pref("CT2998365_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("CT329536.CTID", "CT329536");
Deleted : user_pref("CT329536.EMailNotifierPollDate", "Sun Jul 29 2007 01:04:42 GMT-0700 (Pacific Daylight Tim[...]
Deleted : user_pref("CT329536.ExternalComponentPollDate128227671964994584", "Sat Jul 28 2007 09:59:31 GMT-0700[...]
Deleted : user_pref("CT329536.FeedPollDate127969101330825239", "Mon Oct 30 2006 22:48:12 GMT-0800 (Pacific Sta[...]
Deleted : user_pref("CT329536.FeedPollDate127969101330825240", "Mon Oct 30 2006 22:48:12 GMT-0800 (Pacific Sta[...]
Deleted : user_pref("CT329536.FeedPollDate127969101330825241", "Mon Oct 30 2006 22:48:13 GMT-0800 (Pacific Sta[...]
Deleted : user_pref("CT329536.FeedPollDate127969101330825242", "Mon Oct 30 2006 22:48:13 GMT-0800 (Pacific Sta[...]
Deleted : user_pref("CT329536.FeedPollDate127969101330825243", "Mon Oct 30 2006 22:48:13 GMT-0800 (Pacific Sta[...]
Deleted : user_pref("CT329536.FeedPollDate127969101330825244", "Mon Oct 30 2006 22:48:13 GMT-0800 (Pacific Sta[...]
Deleted : user_pref("CT329536.FeedPollDate127969101330825245", "Mon Oct 30 2006 22:48:13 GMT-0800 (Pacific Sta[...]
Deleted : user_pref("CT329536.FeedPollDate127969101330825246", "Mon Oct 30 2006 22:48:14 GMT-0800 (Pacific Sta[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675351", "Sun Jul 29 2007 00:58:26 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675352", "Sun Jul 29 2007 00:03:27 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675353", "Sat Jul 28 2007 23:58:27 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675354", "Sun Jul 29 2007 00:58:27 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675355", "Sun Jul 29 2007 00:38:27 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675356", "Sun Jul 29 2007 00:08:27 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675357", "Sun Jul 29 2007 00:33:29 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675358", "Sun Jul 29 2007 00:58:31 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675359", "Sun Jul 29 2007 00:58:32 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675360", "Sun Jul 29 2007 01:00:33 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675361", "Sun Jul 29 2007 00:13:35 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675362", "Sun Jul 29 2007 00:33:34 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675363", "Sat Jul 28 2007 23:58:34 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675364", "Sat Jul 28 2007 23:58:36 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675365", "Sun Jul 29 2007 00:58:36 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675366", "Sun Jul 29 2007 00:58:36 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675367", "Sat Jul 28 2007 23:58:36 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675368", "Sat Jul 28 2007 23:28:37 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675369", "Sun Jul 29 2007 00:58:37 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675370", "Sun Jul 29 2007 00:28:37 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675371", "Sat Jul 28 2007 23:58:37 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675372", "Sat Jul 28 2007 23:58:38 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675373", "Sun Jul 29 2007 00:58:38 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675374", "Sat Jul 28 2007 23:58:38 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063845476675375", "Sat Jul 28 2007 23:18:39 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894155", "Sun Jul 29 2007 00:38:25 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894156", "Sun Jul 29 2007 00:38:25 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894157", "Sun Jul 29 2007 00:58:26 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894158", "Sun Jul 29 2007 00:58:26 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894159", "Sat Jul 28 2007 23:58:26 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894160", "Sun Jul 29 2007 00:58:26 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894161", "Sun Jul 29 2007 00:58:26 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894162", "Sun Jul 29 2007 00:58:26 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128063850015894163", "Sun Jul 29 2007 00:58:26 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819665", "Sun Jul 29 2007 00:58:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819666", "Sun Jul 29 2007 00:38:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819667", "Sat Jul 28 2007 23:58:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819668", "Sat Jul 28 2007 22:58:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819669", "Sat Jul 28 2007 23:58:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819670", "Sun Jul 29 2007 00:58:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819671", "Sat Jul 28 2007 23:18:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819672", "Sun Jul 29 2007 00:08:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819673", "Sun Jul 29 2007 00:58:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819674", "Sat Jul 28 2007 22:38:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819675", "Sat Jul 28 2007 23:18:49 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819676", "Sat Jul 28 2007 23:58:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819677", "Sun Jul 29 2007 00:38:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819678", "Sat Jul 28 2007 21:28:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819679", "Sat Jul 28 2007 21:58:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819680", "Sat Jul 28 2007 22:28:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819681", "Sat Jul 28 2007 22:43:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819682", "Sat Jul 28 2007 22:58:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819683", "Sat Jul 28 2007 23:28:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819684", "Sat Jul 28 2007 23:43:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819685", "Sat Jul 28 2007 23:58:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819686", "Sun Jul 29 2007 00:28:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819687", "Sun Jul 29 2007 00:58:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819688", "Sat Jul 28 2007 20:18:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819689", "Sat Jul 28 2007 20:28:50 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819690", "Sat Jul 28 2007 20:48:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819691", "Sat Jul 28 2007 20:58:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128221049659819692", "Sat Jul 28 2007 21:08:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625789", "Sat Jul 28 2007 23:18:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625790", "Sun Jul 29 2007 00:08:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625791", "Sat Jul 28 2007 22:38:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625792", "Sun Jul 29 2007 00:08:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625793", "Sat Jul 28 2007 23:18:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625794", "Sat Jul 28 2007 23:58:51 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625795", "Sat Jul 28 2007 18:18:52 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625796", "Sat Jul 28 2007 21:28:52 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625797", "Sat Jul 28 2007 21:59:40 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625798", "Sat Jul 28 2007 22:28:52 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FeedPollDate128287241266625799", "Sat Jul 28 2007 23:18:52 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT329536.FirstTime", true);
Deleted : user_pref("CT329536.Initialize", true);
Deleted : user_pref("CT329536.LanguagePackLastCheckTime", "Sat Jul 28 2007 09:58:30 GMT-0700 (Pacific Daylight[...]
Deleted : user_pref("CT329536.LanguagePackReloadInterval", "24");
Deleted : user_pref("CT329536.LastLogin", "Sat Jul 28 2007 09:58:23 GMT-0700 (Pacific Daylight Time)");
Deleted : user_pref("CT329536.Locale", "en-US");
Deleted : user_pref("CT329536.LoginCache", "3");
Deleted : user_pref("CT329536.SHRINK_TOOLBAR", 1);
Deleted : user_pref("CT329536.SearchEngine", "bitTorrent||hxxp://www.bittorrent.com/search_result.myt?search=U[...]
Deleted : user_pref("CT329536.Server", "hxxp://users.effectivebrand.com");
Deleted : user_pref("CT329536.SettingsLastUpdate", "1185408209");
Deleted : user_pref("CT329536.ThirdPartyComponentsInterval", "24");
Deleted : user_pref("CT329536.ThirdPartyComponentsLastCheck", "Mon Oct 30 2006 23:09:19 GMT-0800 (Pacific Stan[...]
Deleted : user_pref("CT329536.ThirdPartyComponentsLastUpdate", "1162217461");
Deleted : user_pref("CT329536.UserID", "UN20060719225430500");
Deleted : user_pref("CT329536.components.102", true);
Deleted : user_pref("CT329536.components.103", true);
Deleted : user_pref("CT329536.components.104", false);
Deleted : user_pref("CT329536.components.127928121821100639", true);
Deleted : user_pref("CT329536.components.127943416806019034", false);
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT2998365&octid=CT299836[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "Trustworthy Customized Web Search");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2998365[...]
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT2998365");
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.defaultthis.engineName", "Trustworthy Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2998365&CUI[...]
Deleted : user_pref("gm-notifier.ui.counter.showInbox", true);
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2998365&SearchSource=2&CU[...]
Deleted : user_pref("smartbar.machineId", "KCNJQVOKLKQKYXRKXZYTGPRIIP9UH9VEGXIYJ7HGVOG71HHKDY9G0AMGIVVAIG9TT7F[...]

-\\ Google Chrome v27.0.1453.94

File : C:\Documents and Settings\David Johnson\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.4537] : urls_to_restore_on_startup = [ "hxxp://www.google.com", "hxxp://search.conduit.com/?ctid=CT29[...]

*************************

AdwCleaner[S1].txt - [16883 octets] - [29/05/2013 08:06:25]

########## EOF - C:\AdwCleaner[S1].txt - [16944 octets] ##########
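The Firefox prefs AdwCleaner removed above had pointed the default search URL, the address-bar keyword.URL and the homepage list at the toolbar's search host. The Python below is an added example written for this edit, not part of AdwCleaner or the poster's log; it reads user_pref lines in the prefs.js / user.js format and reports search- and homepage-related prefs whose URL host is outside an expected list. The sample prefs are constructed (search.example.invalid and CT0000000 stand in for the search host and toolbar id seen in the log), and the pref names treated as search-related and the expected-host list are assumptions to adjust per environment.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed prefs in the user_pref("name", value); format that Firefox uses in
# prefs.js and user.js. search.example.invalid and CT0000000 are placeholders.
SAMPLE_PREFS = r'''
user_pref("browser.search.defaultenginename", "Web Search");
user_pref("browser.search.defaulturl", "http://search.example.invalid/ResultsExt.aspx?ctid=CT0000000&q=");
user_pref("keyword.URL", "http://search.example.invalid/ResultsExt.aspx?ctid=CT0000000&SearchSource=2&q=");
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("Smartbar.ConduitHomepagesList", "http://search.example.invalid/?ctid=CT0000000");
user_pref("gm-notifier.ui.counter.showInbox", true);
user_pref("network.cookie.cookieBehavior", 0);
'''

PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);$')

# Prefs that decide where searches and new windows go (assumed list; extend as needed).
SEARCH_PREFS: Set[str] = {
    "browser.search.defaulturl", "keyword.URL", "browser.startup.homepage",
    "browser.search.selectedEngine", "browser.search.defaultenginename",
}
# Hosts a clean profile in this environment is expected to use (assumption).
EXPECTED_HOSTS: Set[str] = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref name: value} with the quotes stripped from string values."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments, or anything not a user_pref call
        value = m.group("value")
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        prefs[m.group("name")] = value
    return prefs


def url_host(value: str) -> Optional[str]:
    """Host of an http(s) URL value, or None for booleans, numbers and plain strings."""
    if value.startswith(("http://", "https://")):
        return urlparse(value).netloc.lower()
    return None


def find_search_redirects(prefs: Dict[str, str],
                          expected_hosts: Set[str] = EXPECTED_HOSTS) -> List[Tuple[str, str]]:
    """(pref, host) pairs for search/homepage prefs that point outside expected_hosts."""
    findings: List[Tuple[str, str]] = []
    for name, value in prefs.items():
        lname = name.lower()
        if not (name in SEARCH_PREFS or "search" in lname or "homepage" in lname):
            continue
        host = url_host(value)
        if host is not None and host not in expected_hosts:
            findings.append((name, host))
    return sorted(findings)


if __name__ == "__main__":
    for pref, host in find_search_redirects(parse_prefs(SAMPLE_PREFS)):
        print(f"{pref} -> {host}")
```

Because the check keys on the host rather than on a known toolbar name, it also catches a search hijack the cleanup tool has no signature for; the cost is that a legitimately customised profile needs its hosts added to EXPECTED_HOSTS. Run it against the live prefs.js and user.js in the profile directory named in the log (with the browser closed, since Firefox rewrites prefs.js on exit).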



#12 Digitaldj

Digitaldj
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:White Rock BC Canada
  • Local time:06:17 AM

Posted 29 May 2013 - 12:53 PM

Junkware remover

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by David Johnson on 29/05/2013 at 10:49:31.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AA0CE2F7-884F-40BE-89F1-9BD42DAD8CDD}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C9155E08-DB72-4791-B8A4-820A214FDB5C}

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 29/05/2013 at 10:56:19.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#13 Digitaldj

Digitaldj
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:White Rock BC Canada
  • Local time:06:17 AM

Posted 29 May 2013 - 01:09 PM

Browser is still acting the same as before with that one link to the bike shop.



#14 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:09:17 PM

Posted 29 May 2013 - 06:36 PM

Most of the items returned from the ESET scan were "minor", but they can still be trouble if left on your system long enough and not removed.

 

I have done a search for IP address information on 94.242.251.250 and this was the best result I found.

 

Latest URLs hosted at this IP address that VirusTotal reports as detected by at least one URL scanner or malicious URL dataset:

3/39 2013-05-29 14:18:43 http://wwwnt.vizvaz.com/
6/38 2013-05-21 08:33:57 http://net.vizvaz.com/
5/39 2013-05-17 08:32:55 http://fpert.qpoe.com/
4/39 2013-05-16 19:39:03 http://poasm.qpoe.com/
2/37 2013-05-03 08:05:49 http://notfound.iownyour.org/
2/35 2013-04-15 13:56:05 http://asfhwqkopg.qpoe.com/fine/contactus.php?if=33:1k:1i:31:30
1/36 2013-04-15 04:22:15 http://asfhwqkopg.qpoe.com/fine/contactus.php?if=33:1k:1i:31:30&ce=1g:1n:1o:30:1g:2w:33:1k...
1/36 2013-04-14 23:18:25 http://asfhwqkopg.qpoe.com/fine/contactus.php
2/35 2013-04-13 18:59:30 http://sfafhjirdbn.25u.com/fine/contactus.php

The first number in each line is the number of Antivirus / Antimalware programs that found the sites as "not suitable" or as "bad / infected" sites. From this you can read the top 2 listings as your "problem site", and the others are also "unsuitable" sites.

NOTE: Not all scanners above always check for bad URLs, only about half of them do. Virus Total has not returned with the programs that listed the sites, so it will always cause problems.

 

I think we have removed the minor infections left by the redirecting sites, but your bike shop rents an IP that is shared by these other sites.

 

The final result is to type the name directly each time and hope you get directly through, or tell the shop these results to see if they will move IP (usually cheap site rental, so I would say they will not move).

 

Apart from that you are now clean, and the IP can be added to Exclusions in Malwarebytes Pro version if you wish, but that is your choice, and you will still get these redirects and may be back asking the same question.

This just proves that your MBAM is doing its job and working 100%.

 

Thank you for following all of those cleaning directions. You are well protected and now know why these items popped up.

 

Regards -

 

P.S. Post back here if you do have further questions, and we will try to answer them. :)
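
A check worth running before the redirect is attributed to a shared hosting IP: the symptom described in this thread (the page loads normally when the address is typed in, but redirects when the same page is reached from a search result) is what a site that redirects only visitors carrying a search-engine Referer looks like. The script below is an added example for this thread, not code from any poster or tool named here; it requests a URL twice, once with and once without a Google Referer header, does not follow redirects, and reports whether the two responses differ. The Referer string and the local stand-in server (which imitates a site that redirects search arrivals to the vizvaz domain from the VirusTotal listing above) are constructed for the example so that it runs offline; point `compare()` at a real URL to probe a live site.

```python
"""Probe a URL with and without a search-engine Referer and compare the responses.

Added example for this thread. A site that redirects only visitors arriving from a
search result behaves differently from a site whose IP merely hosts other bad
domains; comparing the two requests separates the two cases. Redirects are not
followed: the status and Location header of the first response are recorded.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed search-result Referer (assumption: any google.* search URL triggers
# the conditional redirect on the affected site).
SEARCH_REFERER = "https://www.google.com/search?q=bike+shops+in+white+rock"


def probe(url, referer=None, timeout=10):
    """Return (status, location) for one GET of `url` without following redirects."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    headers = {"User-Agent": "Mozilla/5.0 (redirect-probe)"}
    if referer:
        headers["Referer"] = referer
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def compare(url):
    """Probe `url` directly and via a search Referer; flag a referer-conditional redirect."""
    direct = probe(url)
    via_search = probe(url, referer=SEARCH_REFERER)
    return {
        "direct": direct,
        "via_search": via_search,
        "referer_conditional": direct != via_search,
    }


class _ReferrerGate(BaseHTTPRequestHandler):
    """Constructed stand-in for a compromised site: redirects only search arrivals."""

    def do_GET(self):
        if "google." in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", "http://wwwnt.vizvaz.com/")
            self.end_headers()
        else:
            body = b"<html>shop home page</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_test_server():
    """Start the stand-in site on a free loopback port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _ReferrerGate)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


if __name__ == "__main__":
    srv, url = start_test_server()
    try:
        print(compare(url))
    finally:
        srv.shutdown()
```

If `referer_conditional` comes back True against the real site, the redirect is being served by that site (or by something injected into it) based on how the visitor arrived, which is a question for the shop's web host rather than for the visitor's machine; if both probes agree, look elsewhere.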



#15 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:09:17 PM

Posted 29 May 2013 - 08:21 PM

As a final clean-up here are a few items to remove from your desktop now.

You can right-click to remove screen317's Security Check and the JRT scanner.

Open AdwCleaner and there is a button to remove/uninstall it, as you cannot update the program; you download it again each time for the latest definitions.
ESET scanner can remain on your computer as it will be easier to update if it is used again, and it will just stay idle.
SUPERAntiSpyware can remain, but be sure to update it if you ever scan with it (I use it weekly).
TFC can remain if you would like it as it is a decent Temp File Cleaner (your choice, I use it weekly).

 

I think that covers all of the items we loaded to clean up the problem.

 

Safe Surfing -





