Hi all,
Ever since my computer got infected with the boot.com worm yesterday, which I had to manually remove from my registry (that is to say, I had to remove any trace of a "resycled" folder, any "autorun.inf", and any "boot.com" files)... well, now whenever I click on any searched link in Google it takes me to some "free videos" website or shopping website instead of the link I actually clicked on. When the page tries to load the link I want, there is some kind of redirect command that changes the web address.
Please can somebody with some know-how and experience with this kind of thing help me to get rid of this annoyance?!
Many thanks in advance. I'll be sure to +rep any truly helpful responses.
-
-
Could you download and run hijackthis?
Then post the logs here.
http://www.techsupportforum.com/security-center/hijackthis-log-help/
Someone should be able to help you there. -
Did you try to restore the computer to a previous date in time using System Restore?
-
D/L both SUPERAntiSpyware and Malwarebytes' Anti-Malware.
Make sure both programs are fully updated before you run them in safe mode.
If that doesn't offer a solution, run ComboFix before posting a HijackThis log.
Cheers. -
Post a HijackThis log!
We can help you from there and help you manually rid yourself of this if your anti-malware/spyware/virus programs aren't picking up anything. -
Posted log on HijackThis. Thanks for the suggestions. I think my user name on there is set up the same as on here. Hope you can help.
-
Use AVG 8 Free, Comodo Firewall Pro, Firefox 3, and Adblock Plus. No probs.
-
By the way, is it that ******* known also as Trojan Horse SHeur.CODS?
Edit: after googling a little more about that redirecting, try correcting the DNS servers in your internet connection settings (I guess they are changed by the virus), and see if it stays fixed or if it reverts back to the malicious servers..? -
I am now test-driving Google Chrome on recommendation of somebody not on these forums. It looks really good and super-fast. Any problems with malware and this browser? Is anybody using this?
I've noticed the redirection issue present in all three of my current browsers... IE, Firefox, and this new Google platform.
Something is up... Entropy, I would check my DNS but I am on my laptop at the mo and I connect wirelessly. I'm not that technical when it comes to the whole DNS thing. I always assumed the DNS was something to do with the computer that connects via Ethernet cable through the router...?
Meh. -
You could also try creating a new account, and seeing if the problem exists in that one.
-
GC, it looks like you have taken all steps to remove the infected files as described in this Bleepingcomputer forum post.
Another poster wrote those steps also resolved his problem, so just asking if you had followed all these steps.
Have you seen this suggestion on the Avast forum to run Flash Drive Disinfector?
Make sure to use it to clean any USB sticks etc.
Cheers. -
IMO the best stand-alone removal tool out there AV-wise is from Dr. Web. I have seen it remove literally everything others could not. They don't have the best detection from their AV, but their removal is second to none. Kaspersky has a great removal tool also, but not as good as the Dr.'s...
I HIGHLY RECOMMEND a program called SmitFraudFix. Seriously, try it out; it's fantastic and fast and does a fantastic job at removal.
Also, Malwarebytes is awesome at removal as well. -
http://www.mediacollege.com/computer/network/dns.html
It is for XP; I'm not sure which OS you're running, but in Vista it would probably be similar.
To find out what values are used currently, you can also do this:
click Start -> Run... -> type "cmd" (without quotes) and confirm.
A black window will pop up; type the following in it:
ipconfig /all
and hit Enter to confirm again. Information about your current connection will show up. -
You may be infected with malware!
-
On your recommendation, I've been using the trial of Kaspersky and I LOVE it!!! I've been running CCleaner alongside it (also love that application). And as for your Malwarebytes suggestion... well, I read on a tech support forum that somebody suggested installing Malwarebytes if they are infected with redirecting websites from search engines. I've installed it, run a scan, and it has indeed detected Trojans... I think they were called Trojan DNS Changer or something, and there were lots of them in the HKEY folders!!!!
As far as I know, these have now been removed. I'll be thoroughly testing the search engines on my IE, Firefox, and Chrome browsers to make sure everything is okay. -
Cheers. -
If anything is left, this will KILL IT. I have not steered you wrong yet lol.. Please let me know if I can help you out further.
Now with Kaspersky's real-time HTTP scanning you will not have that issue again; it will scan the page and literally alert you beforehand if the page is infected.. -
Done. Didn't find anything when doing the "1) Search"; or 5) Cleaning DNS Hijack stuff.
The DNS before and after were the same values.
Does that mean that nothing has been altered? -
Run the clean option as well, I think number 2, after the search, and if it doesn't remove anything
it means you should be free of any nasties now, as long as there are no more browser issues... Anything else I can do, LMK -
I'll do that now, thanks. Just a question... when I ran the DNS check option on this laptop, it said "invalid something-or-other" in a command line, yet still gave me an end report log where everything looked okay, DNS before and after wise.
Did the same on my desktop and that says "provider failure" in a command line when the DNS clean thing is run.
Providing I still get an end report log and the DNS look fine... does that mean that it ran okay?
Just gonna try out the clean now. -
I'm not that comprehending of the log you get at the end. If there was something to worry about, or something found... where would it state that and how?
EDIT: Have restarted after running the "clean" option and now have a solid blue screen for my desktop wallpaper (same colour as the blue screen of death)!! My regular desktop wallpaper has disappeared!!! Should that happen? -
Very possible it was an infected file, or that it simply reset it back to OEM Windows. But just set it back to what it was and you should be fine.
The log at the end simply lists the files and whether they are infected or not. If you already ran the clean option, don't worry about it.. SmitFraudFix rocks, it's an awesome little program -
-
Hi all. I'm having a similar issue. I would really appreciate some assistance.
Running XP with SP 2, with a cable modem, no router.
The problem(s):
redirect to different websites, especially with search engines.
unable to access any AV websites.
I had McAfee installed, tried AVG, and SUPERAntiSpyware. Unfortunately, I can't get updated files because of the redirect. I've tried a few of the fixes I've seen on webboards, but no luck.
I've looked at the DNS Server numbers...all appear ok.
I CAN get to the websites if I go through AOL, but not able to do any updates. I'm stuck and extremely frustrated.
I'm grateful for any help.
Thanks in advance.
FM -
flyerman, first you need to download HijackThis and then post the results here. Also boot into safe mode, then look into the hosts file in your system:
Code:
Notepad %SystemRoot%\system32\drivers\etc\hosts
A clean default hosts file looks like this:
Code:
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
::1             localhost
-
Vinumsv -
Thanks for the reply.
Here is the HijackThis file:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:43:31, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\AOL\1149710910\ee\AOLSoftware.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
c:\program files\common files\aol\1149710910\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1149710910\ee\aolsoftware.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T6538
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149710910\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\b22a73de-5da5-400f-b754-0ee70750a5c2.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225573975640
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1AB9078-2387-47B4-8C53-32F0B0E22AA4}: NameServer = 68.87.73.28,68.87.73.242
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
--
End of file - 11086 bytes
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
and here is the "Hosts" file.
I booted in safe mode and mine looked exactly like yours, with the exception of the dates at the top. There were no additional lines after 'localhost'....
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Additionally, although I can not update AVG, when I do a Rootkit scan, I get these results....
10 rootkits
"c:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X0S18GJI\TDSSpqlt[1].htm";"Hidden file";"Object is hidden"
"C:\WINDOWS\system32\drivers\TDSSpqlt.sys";"Hidden driver";"Object is hidden"
"c:\WINDOWS\system32\drivers\TDSSpqlt.sys";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\TDSScrxx.dll";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\TDSSitpe.dll";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\TDSSmxoe.dat";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\TDSSoiqh.dll";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\TDSSotpa.dll";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\TDSSsahc.log";"Hidden file";"Object is hidden"
"c:\WINDOWS\system32\TDSSyavu.dll";"Hidden file";"Object is hidden"
Thanks,
FM -
Wow, 10 rootkits.
Bro, try these links:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75926
and remove all trace of the file in the locations specified in the above link -
lol wow.. Try the Dr. Web CureIt!. It's free and you can run it from a USB stick or disc.. It's very good at cleaning..
-
As you mention the rootkit scan, you don't have the free version, therefore you can use the official AVG support. Send them an e-mail and ask them for the tool for removing this TDSS thing, so that you don't need to mess with it manually (hidden drivers etc.). If you send the query from C:\Program Files\AVG\AVG8\avgdiag.exe, they will directly get all the data, including the scan results. Attaching the HJT output may be a good idea too.
Regarding updating... can you edit back your DNS settings? (Right-click your internet connection - Properties - select TCP/IP - hit Properties again - and look at what's in the DNS servers. If it's some 85.xxx.xxx.xxx, make sure that you fix it and then check back if the correct values are still there. The infection may change it back to the malicious servers' addresses though.)
vinumsv, this TDSS bast... ehm, thing is usually creating that many files. If the "author" of this will ever get caught... I don't wanna be in his shoes. -
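The two manual checks recommended in this thread (look for extra lines in the hosts file, and compare the DNS servers shown by "ipconfig /all" against the ones you expect) can be scripted. The following is an added Python example, not code from any poster; the hosts text and ipconfig output are constructed samples (the 85.255.112.x addresses are made up to match the "85.xxx" pattern mentioned above), and the expected servers are the two from flyerman's O17 log line.

```python
"""Flag hosts-file hijacks and unexpected DNS servers (defender's check)."""
import ipaddress
import re

# Constructed sample hosts file: the Microsoft default plus two lines of the
# kind an infection adds to block or silently redirect security sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.av-vendor.example        # constructed: AV site blackholed
10.0.0.5        update.av-vendor.example     # constructed: silent redirect
"""

# Constructed 'ipconfig /all' excerpt whose DNS servers do not match the ISP's.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.112.1
                                            85.255.112.2
"""

# The NameServer values from the O17 line in the HijackThis log above.
EXPECTED_DNS = ["68.87.73.28", "68.87.73.242"]

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def suspicious_hosts_entries(text):
    """Return (ip, hostname) pairs for every mapping other than localhost.

    A default Windows hosts file maps only 'localhost'; any other hostname
    pinned to an address is worth a look (AV sites pinned to 127.0.0.1 is the
    classic sign of the 'cannot reach AV websites' symptom in the thread).
    """
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() not in LOOPBACK_NAMES:
                found.append((ip, name))
    return found


def dns_servers_from_ipconfig(text):
    """Parse the DNS server list out of 'ipconfig /all' output.

    The first server sits on the 'DNS Servers' line; extra servers follow on
    continuation lines that contain only an address.
    """
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            candidate = line.strip()
            try:
                ipaddress.ip_address(candidate)
                servers.append(candidate)
            except ValueError:
                collecting = False  # first non-address line ends the list
    return servers


def unexpected_dns_servers(servers, expected=EXPECTED_DNS):
    """Return the configured servers that are not in the expected set."""
    return [s for s in servers if s not in set(expected)]


if __name__ == "__main__":
    print("hosts entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("unexpected DNS:", unexpected_dns_servers(dns_servers_from_ipconfig(SAMPLE_IPCONFIG)))
```

On a real machine, feed it the contents of %SystemRoot%\system32\drivers\etc\hosts and the captured output of ipconfig /all instead of the samples.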
SmitFraudFix has a DNS search and clean hijack feature. Use it and scan, then use option 5. See if that works:
http://siri.geekstogo.com/SmitfraudFix.php -
I'm having similar issues, I keep getting redirected to some site called pc.com or something, so this is probably something up with my pc, not with this forum right?
-
If you get redirected while viewing a thread, please report the thread so that we can take care of the user.
-
SmitFraudFix; zfactor already posted on how to use its option no. 5 to clean a DNS hijack.
Some others;
Dr. Web CureIt!
MBAM
Cheers. -
I had this issue (as you're probably aware, as I started this thread) and I share your pain.
Here's what I did to cure it...
First, I obviously posted on here, then a very kind and helpful somebody (dtwn83) recommended that I post my issue on the techsupportforum (here's the link to my problem and eventual solution: http://www.techsupportforum.com/sec...results-being-redirected-any-web-browser.html)
During the course of opening that thread, though, I had Googled my issue and found that many people suggested that it might be the resycled/boot.com worm that is causing it. When you insert a USB stick or other removable storage media, does it tell you that it can't autorun? Like it is disabled? If so, it might be that you have the boot.com worm.
If you do two separate searches in your Regedit for resycled and boot.com then try this link to talk you through getting rid of them: http://www.precisesecurity.com/blogs/2008/09/20/resycledbootcom/
Please, please, please install Malwarebytes' Anti-Malware. I feel that this program completely solved my issue of site redirection. http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm
Internet Explorer redirecting itself to stupid sites :(
Discussion in 'Security and Anti-Virus Software' started by Gunsmith_Cat, Nov 6, 2008.