Firefox redirects to fwdservice.com when I click on hyperlinks in email



#1 Dstev


Posted 12 August 2013 - 01:00 PM

Running Windows 7 Home Premium.

 

I clicked on an aweber link in my email that resolves to blogcreationdomination.com, but redirects to fwdservice.com.

 

The blogcreationdomination.com website doesn't seem to be inflicted with malware according to this site: http://sitecheck.sucuri.net/results/blogcreationdomination.com

 

I have already reset Firefox, to no avail.

Edit: Internet Explorer also redirects to this site, and it also redirects when I type the domain in the address bar.

 

Please advise.


Edited by Dstev, 12 August 2013 - 01:08 PM.




#2 MzLindyOne


Posted 12 August 2013 - 01:43 PM

> Running Windows 7 Home Premium.
>
> I clicked on an aweber link in my email that resolves to blogcreationdomination.com, but redirects to fwdservice.com.
>
> The blogcreationdomination.com website doesn't seem to be inflicted with malware according to this site: http://sitecheck.sucuri.net/results/blogcreationdomination.com
>
> I have already reset Firefox, to no avail.
>
> Edit: Internet Explorer also redirects to this site, and it also redirects when I type the domain in the address bar.
>
> Please advise.

 

blogcreationdomination.com is doing a javascript redirect to fwdservice.com

From there... it looks like a Google domain parking page for blogcreationdomination.com

- Possibly the site has been removed or isn't up yet.

 

At any rate, the redirect from blogcreationdomination.com to fwdservice.com isn't caused by a trojan.  It's just a standard javascript redirect.

 

-Mz



#3 Dstev


Posted 12 August 2013 - 01:46 PM

Ok. Thanks.

 

How do you know that it's just a redirect on the site may I ask?



#4 Dstev


Posted 12 August 2013 - 01:52 PM

Maybe I should have prefaced by saying that when I initially went to the site, I was prompted to update my flashplayer; I clicked on update, and then it brought a popup window up for me to download some type of program. Definitely not flashplayer. I didn't download it, but after that was when I got redirected to fwdservice.com.



#5 MzLindyOne


Posted 12 August 2013 - 02:42 PM

I looked at the HTML, then visited with javascript enabled.  I got the redirect of course, and a cookie and one of those dumb pages of links at fwdservice.com.

 

Was the link in the email http://www.blogcreationdomination.com or more?  Without the "more" all I can look at is the index.html
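
The check described in the post above (reading the page's HTML for the redirect rather than letting a browser run it), as an added example that is not part of the original thread. The sample markup and the `.example` hosts are constructed; the real page's source is not shown in this thread.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns for script-driven navigation; this is not a JavaScript parser.
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
META_URL = re.compile(r"""url\s*=\s*["']?([^"';]+)""", re.IGNORECASE)

class RedirectFinder(HTMLParser):
    """Collects (mechanism, target) pairs for redirects present in the served HTML."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.found.append(("meta-refresh", m.group(1).strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # only text inside <script> is treated as code
            for m in JS_REDIRECT.finditer(data):
                self.found.append(("javascript", m.group(1) or m.group(2)))

def find_redirects(html):
    """List client-side redirects found in the markup, without running any script."""
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    return finder.found

# Constructed sample page; NOT the real markup of the site discussed in this thread.
SAMPLE = ('<html><head><script>window.location = "http://parking.example/?d=demo";'
          '</script></head><body><a href="http://other.example/">a link</a></body></html>')

if __name__ == "__main__":
    print(find_redirects(SAMPLE))
```

A hit means the redirect is part of the page that every visitor receives. No hit does not prove the opposite, since a redirect can also come from an HTTP 3xx response or from an external script file.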



#6 Dstev


Posted 12 August 2013 - 02:46 PM

> I looked at the HTML, then visited with javascript enabled.  I got the redirect of course, and a cookie and one of those dumb pages of links at fwdservice.com.
>
> Was the link in the email http://www.blogcreationdomination.com or more?  Without the "more" all I can look at is the index.html

No, the link was actually cloaked via Aweber: http://clicks.aweber.com/y/ct/?l=NIFnU&m=1oegtx7j7FQvVj&b=HEbahaaqKTatrpFQ_5H8jw



#7 MzLindyOne


Posted 12 August 2013 - 03:00 PM

Same thing, different links displayed in the end.  You may have something not related to that site.  Have you gotten it any more?  It wouldn't hurt to run a scan with updated Malwarebytes and post the log.



#8 Dstev


Posted 12 August 2013 - 03:04 PM

Yeah, it's still doing it. Running MBAM now



#9 Dstev


Posted 12 August 2013 - 03:18 PM

> Yeah, it's still doing it. Running MBAM now

Here's the log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.12.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Owner :: OWNER-PC [administrator]

8/12/2013 4:03:43 PM
MBAM-log-2013-08-12 (16-17-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216860
Time elapsed: 4 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\Owner\AppData\Local\Temp\F8mdrOHN.exe.part (PUP.Optional.AirInstaller) -> No action taken.
C:\Users\Owner\AppData\Local\Temp\OzN4up0R.exe.part (PUP.Optional.BundledToolBar.A) -> No action taken.
C:\Users\Owner\AppData\Local\Temp\_lkTyGCH.exe.part (PUP.Optional.BundledToolBar.A) -> No action taken.
C:\Users\Owner\AppData\Local\Temp\ct3239904\ffLogic.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Owner\AppData\Local\Temp\ct3239904\statisticsStub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Owner\Downloads\PCPerformerSetup.exe (PUP.Optional.InstallBrain) -> No action taken.
C:\Users\Owner\Downloads\SFInstaller_SFFZ_filezilla_8706467_.exe (PUP.Optional.BundledToolBar.A) -> No action taken.
C:\Users\Owner\Downloads\TVSetup.exe (PUP.Optional.Inbox) -> No action taken.
C:\Users\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZBQ2WYOR\statisticsstub[1].exe (PUP.Optional.Conduit.A) -> No action taken.

(end)
 



#10 Dstev


Posted 12 August 2013 - 03:36 PM

Well, ran MBAM, removed what it found, restarted....typed blogcreationdomination.com into address bar....redirected to this: http://download.wwwqwikster.com/?sov=256134906&hid=bfdrdrdfljfptdrjf&ctrl1=noiframe&id=aROs-verid46, again telling me to update my flashplayer

Btw, that was the initial site that it took me to where I clicked the "update" button, but then closed the download prompt, and then it took me to fwdservices.com


Edited by Dstev, 12 August 2013 - 03:56 PM.


#11 MzLindyOne


Posted 12 August 2013 - 06:18 PM

At this point, I think that is the result of your problem, not the cause.  The cause could be many days before you first noticed, maybe even the other side of your last computer restart.  Usually, something with a name like "BundledToolBar" came with a program you downloaded on purpose.  Many times free programs use these to make money.

 

I'm about at the end of what I'm allowed to do here, aside from offering AdwCleaner and Junkware Removal Tool

 

It doesn't look like your stopped download caused any problems, but you might want to start an additional subject to confirm cleanliness when done with those.





