stukintx

Browsers Redirecting

Firefox and IE redirect when I click on a link in a search.

If I click on a bookmark or previous link in my history it goes there but if I do a search in Yahoo or Google and click on the link I'm redirected to various different sites.

I've scanned for viruses, malware, spyware and adware but the scans say I'm clean. I've checked my host file and there are no entries in it. I'm stumped. Superantispyware reported several things but I think they were traces of old infections I had a while back. Just to be on the safe side I removed it but I'm still experiencing the redirects.

I also discovered that if I get a redirect to a link I click on I can copy and paste that link in my address bar and I'll go to it just fine. Next time I click on that link in the search it will also go there. It appears that the redirects are for sites I've never visited.

Strange but true. Any help would be greatly appreciated.

Thanks...

I too have run a full updated scan with multiple programs as well as superantispyware and come up clean, only to have my IE browser "yahoo and google" results be redirected to random sites such as asklots.com and others

what is combofix?

You can also try uninstalling java then re-installing. I have seen this a lot lately where scans with sas, mbam and hjt are returning clean results but the pop-ups and redirects remain. So far, uninstalling java has solved the issue.

> You can also try uninstalling java then re-installing. I have seen this a lot lately where scans with sas, mbam and hjt are returning clean results but the pop-ups and redirects remain. So far, uninstalling java has solved the issue.

I've seen that as well lately, but I didn't try re-installing Java. I used ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

> I've seen that as well lately, but I didn't try re-installing Java. I used ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I only re-install java after I am certain the pop-ups and redirects have ceased. The faux java application runs from the wrong location. HJT will inform you of this. A lot of forums have stopped using HJT in recent months. I still find it very helpful in the initial analysis of a computer's issues.

i will have to give this java thing a try. i have tried panda antivirus, mcafee antispyware/antivirus, spydoctor, cws shredder, combofix, malwarebytes, superantispyware, spybot, gooredfix, spysweeper, and my hijackthis scan shows nothing out of place, and a few other scans that i can't even remember the name of. i have turned off system restore and disabled network sharing since both computers in my house are infected. i will post back with results of a java cleansing. redirected site is mainly "gathi.asklots.com" but others have popped up.

> i will have to give this java thing a try. i have tried panda antivirus, mcafee antispyware/antivirus, spydoctor, cws shredder, combofix, malwarebytes, superantispyware, spybot, gooredfix, spysweeper, and my hijackthis scan shows nothing out of place, and a few other scans that i can't even remember the name of. i have turned off system restore and disabled network sharing since both computers in my house are infected. i will post back with results of a java cleansing. redirected site is mainly "gathi.asklots.com" but others have popped up.

If you have HJT it should show you that java is running from the wrong location if, in fact, it is actually java causing the issue. It very well could be another application. I'm not sure of the outlook on this forum for uploading hjt logs and I certainly have no intention of starting a habit of doing so but, if you want to upload your log I will take a look at it for you since you have received a number of replies and still have the issue.

> If you have HJT it should show you that java is running from the wrong location if, in fact, it is actually java causing the issue. It very well could be another application. I'm not sure of the outlook on this forum for uploading hjt logs and I certainly have no intention of starting a habit of doing so but, if you want to upload your log I will take a look at it for you since you have received a number of replies and still have the issue.

That's because the poster hasn't yet tried any of the suggestions :rolleyes:

Anyway, there's no problem in requesting a HijackThis log.

well java has been uninstalled and that was not the problem, all scans still turn up clean.

HijackThis log:

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Ralink\Common\RaRegistry.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\Ralink\Common\ApUI.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\God311\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O3 - Toolbar: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\ApUI.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1106352840390

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265335871972

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6059/mcfscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\Ralink\Common\RaRegistry.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 8918 bytes

Your HJT log is clean. I did a little research on your issue and it seems this is a very difficult spyware to locate. It eludes HJT and most other scanners. Most suggest scanning with DDS to get a deeper look. I even read one forum where they claim it hides within your router...

here is an article that talks about fixing problems with "google-redirects":

http://www.geekstogo.com/forum/topic/267407-how-to-fix-google-redirects/

note that the article says to use kaspersky's "TDSSKiller" to fix the problem.. there is a link for downloading "TDSSKiller" in the article..

here is kaspersky's webpage for "tdsskiller":

http://support.kaspersky.com/viruses/solutions?qid=208280684

well after running all scans known to man and all coming up clean i decided to dig even deeper. since both computers at my home were infected i decided to check the Router. Browsing the settings of my router i noticed my primary and secondary DNS server option had an address that looked odd, Primary DNS: 213.109.68.8 Secondary DNS: 213.109.75.92. i looked them up and they seem to track back to Russia, i cleared them and now my searches appear to be clean. so anyone who is having trouble clearing out a browser redirection problem and all scans come back clean, check your router settings. i'll give it a day of searching then repost with a final verdict.

> well after running all scans known to man and all coming up clean i decided to dig even deeper. since both computers at my home were infected i decided to check the Router. Browsing the settings of my router i noticed my primary and secondary DNS server option had an address that looked odd, Primary DNS: 213.109.68.8 Secondary DNS: 213.109.75.92. i looked them up and they seem to track back to Russia, i cleared them and now my searches appear to be clean. so anyone who is having trouble clearing out a browser redirection problem and all scans come back clean, check your router settings. i'll give it a day of searching then repost with a final verdict.

Thanks.

A tech friend called me a couple of days ago with the same router DNS issue.
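
The router DNS finding above can also be checked from an affected PC. This is an added example, not code from the thread: it parses `ipconfig /all` output and lists DNS servers that are neither on the local network nor in a list of resolvers you expect. The sample output is constructed, the function names are hypothetical, and it assumes the router hands its configured DNS servers to clients over DHCP.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt (not from the thread). The two DNS
# addresses are the ones the poster reported finding in the router settings.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 213.109.68.8
                                            213.109.75.92
        Lease Obtained. . . . . . . . . . : (constructed)
"""

def _as_ip(text):
    """Parse text as an IP address, or return None if it is not one."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Return every DNS server listed, including the unlabelled
    continuation lines ipconfig prints for the second and later servers."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:(.*)", line)
        ip = _as_ip(m.group(1)) if m else (_as_ip(line) if in_dns else None)
        # Stay in the DNS block only while bare addresses keep following.
        in_dns = bool(m) or (in_dns and ip is not None)
        if ip is not None:
            servers.append(ip)
    return servers

def unexpected_resolvers(ipconfig_text, expected=()):
    """DNS servers that are neither private (e.g. the router's LAN address)
    nor in `expected` (assumption: the resolvers your ISP or you configured)."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    return [str(ip) for ip in dns_servers(ipconfig_text)
            if not ip.is_private and ip not in allowed]

if __name__ == "__main__":
    for addr in unexpected_resolvers(SAMPLE_IPCONFIG):
        print("unexpected DNS server:", addr)
```

A clean result here does not clear the router: if the router answers DNS itself, clients list only its LAN address, so the DNS fields in the router's admin page still need to be read directly.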
