
A Hijack? A redirect?


5 replies to this topic

#1 mjd123

mjd123

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:55 PM

Posted 06 May 2007 - 07:37 AM

I know this has been done to death, but I can't fix this after several days trying.....

In Google, do a search, click on a link, and it takes you somewhere else. Go back to Google, click on the same link and it takes you to the right place the second time you try. Annoying!

So I have read all I can on this board and followed all the instructions.

I have run HJT and can find no entries which require removal according to this (And several other) BB's.
I have run ccleaner and can find no funnies....
I have run spybot S&D and Adaware SE, removed all nasties, rebooted.....
I have done a full virus scan with Norton - nothing found (Defs up to date too)
I have checked my network setup and it is correct, and ipconfig /all shows all the right network settings too.

So I am stumped.

I did read somewhere that there was hijacking of Google, but I get the correct URL on the search results. IE - the text in green (eg www.bbc.co.uk/whatever) is correct for the link, but when I click on it I will be taken to a link which looks like this

http://ck.maxifiles.com/xml/redir.php?redir=3%7C8002%7Cuk%7C1%7CaHR0cDovL3d3dy5mcmVzaC13ZWF0aGVyLmNvbS9tdC5waHA%...%3D%7CMA%3D%3D

before ending up at a completely unrelated web page.

The last test I did I ended up going to the link pasted above, which redirected to

http://www.fresh-weather.com/mt.php?sess=aHR0cDovL3JjNi5vdmVydHVyZS5jb20vZC9zci8%...%3D%3D


which then redirected to an Ebay search results page. http://search.ebay.co.uk/bun_W0QQfcclZ1QQf...QfsooZ1QQfsopZ1

I had clicked on

Bun - Wikipedia, the free encyclopediaA bun is a sweet or plain small bread or a round roll. It can be consumed as-is, made into a sandwich, or designed to be cut in half and filled with ...
en.wikipedia.org/wiki/Bun - 20k - Cached - Similar pages

If I go back to Google (Which is hard as clicking back just redirects you again so you have to use the drop down menu under the back button to select Google) and try again I end up at wikipedia as expected.

This happens 100% of searches in Google and Yahoo. Regardless of the search subject, the site you try to connect to, etc....

HELP, It is driving me crazy! :thumbsup:

If any more info is required just ask!

Many thanks

Quick Edit - My wife installed Selteco Bannershop GIF Animator 5 which came with a "Easy GIF Animator Toolbar" which plugged itself into IE - I can't remove it - could it be this?

Matt

Edited by mjd123, 06 May 2007 - 07:42 AM.
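
Added example, not part of the original thread: the `redir` value in the first link above is a percent-encoded, pipe-separated list, and its `aHR0cDov...` field is base64 (the visible part decodes to the `www.fresh-weather.com/mt.php` address the click was then sent to); `sess` in the second link carries a base64 value the same way. The Python sketch below recovers such embedded next-hop URLs from a redirector link taken from browser history or a proxy log; the host names in its samples are constructed placeholders, and the meaning of the other fields is not known from the thread.

```python
import base64
import binascii
from urllib.parse import parse_qsl, quote, urlsplit


def try_b64(field):
    """Return printable ASCII text if `field` is plausible base64, else None."""
    field = field.replace(" ", "+")  # parse_qsl turns "+" into a space
    if len(field) < 4 or len(field) % 4 == 1:
        return None
    padded = field + "=" * (-len(field) % 4)  # restore stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def embedded_urls(url):
    """Return (parameter, decoded URL) pairs hidden in a redirector's query."""
    hits = []
    # parse_qsl percent-decodes each value: %7C becomes "|", %3D becomes "="
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for field in value.split("|"):
            decoded = try_b64(field)
            if decoded and decoded.lower().startswith(("http://", "https://")):
                hits.append((name, decoded))
    return hits


def make_sample(base, param, fields):
    """Build a constructed test URL; base64-encodes any field that is a URL."""
    enc = [base64.b64encode(f.encode()).decode() if "://" in f else f
           for f in fields]
    return f"{base}?{param}=" + quote("|".join(enc), safe="")


if __name__ == "__main__":
    # Constructed samples with the same shape as the two hops in the post;
    # the host names are placeholders, not values from the thread.
    hop1 = make_sample("http://redirector.example/xml/redir.php", "redir",
                       ["3", "8002", "uk", "1", "http://landing.example/mt.php", "MA=="])
    hop2 = make_sample("http://landing.example/mt.php", "sess",
                       ["http://ads.example/d/sr/"])
    for hop in (hop1, hop2):
        print(hop)
        print("  ->", embedded_urls(hop))
```

Fields that are not base64-encoded URLs (counters, country codes, `MA==`) are ignored, so the output lists only the destinations a click would be forwarded to.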




#2 buddy215

buddy215

  • Moderator
  • 13,307 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:55 PM

Posted 06 May 2007 - 10:04 AM

I think you have a Vundo infection. Depending on whether the program that your wife installed was free, a crack or paid for would help determine if the malware came with it. Use the directions in the link below for running Vundofix.exe.
http://www.atribune.org/content/view/24/2/

Post a Hijack This log in the Hijack This Forum by following the directions in the link below. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 mjd123

mjd123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:55 PM

Posted 06 May 2007 - 01:17 PM

Thanks Buddy,

I have run the vundofix and it found nothing.

I have posted my HJT log for you in the usual place.

The toolbar which my wife installed came with some rather expensive software (Selteco Bannershop GIF Animator 5). I have told her time and time again to let me do the installs, and NEVER install a toolbar, but hey ho - I've also told my cats not to cr*p on the lawn, but does anyone ever listen to me?

Many thanks for your help,

Matt

#4 buddy215

buddy215

  • Moderator
  • 13,307 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:55 PM

Posted 06 May 2007 - 01:46 PM

Just a reminder not to bump the log you posted. Wait till the Hijack This team responds.
Also, cats are easy to get rid of.

#5 mjd123

mjd123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:55 PM

Posted 06 May 2007 - 02:55 PM

Just a reminder not to bump the log you posted. Wait till the Hijack This team responds.
Also, cats are easy to get rid of.



I didn't bump anything?

Matt

#6 Laurentiu

Laurentiu

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:55 AM

Posted 15 May 2009 - 07:38 PM

I know it is 2 years later but I have the same problem, can you advise if you found any solution? Thank you.



