Redirect Malware on Google links using Firefox and WinXP

Richse1 · April 5, 2011

Hi all,

I am a PC user, WinXP, Firefox. I would like to get some help from the users of this forum as It has been 3 days since I have been redirected to random websites each time I click on on a google link. Looking at few forums I now understand that it is a 'Redirect Malware'.

I ran a few scans with my antivirus 'Avira'. Useless.

Then I the did a scan, in a safe mode, via 'SuperAntispy' - nothing got fixed either.

Then I downlodaded FREE SuperAntispyware. Tried a few times to do a full scan:

Attempt # 1 (normal mode) - the scan froze before being fully complete - duration of the scan 6 hours, 56000 files scanned!

Attempt # 2 (normal mode) - the scan froze before being complete - duration of the scan 4 hours, 48,000 files scanned .

Attempt # 3 (normal mode) - After looking on few forums, I unchecked the DDA option in the Control Scanning section. I then ran another scan and it froze again after not being completed - duration of the scan 2 hours 48,000 fils scanned.

Attempt # 4 (normal mode) - Launched another scan before going to bed. I noticed in the morning that my scan froze again in the middle of the night - duration of the scan 7 hours, file scanned 49,000.

Attempt # 5(safe mode) - I just finished to scan my computer in Safe mode using Superantispyware, leaving the DDA option unchecked.

Results: the scan stopped after it scan aprox 16,000 files, and quarantined 69 viruses.... So, I rebooted. Then I noticed that online NOTHING CHANGED! Sigh... ;(

So I will do an ultimate attempt with Superantispyware, on safe mode, but this time I will make sure the DDA option is checked.

Help please!

R

Seth · April 5, 2011

Welcome to the SAS forum.

Please post the SAS scan log that shows the 69 infections.

Richse1 · April 6, 2011

Hi Seth,

Thanks for your help. I did a full scan with SAS on safe mode. Here is the Scan log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 04/06/2011 at 07:38 PM

Application Version : 4.50.1002

Core Rules Database Version : 6752

Trace Rules Database Version: 4557

Scan type : Complete Scan

Total Scan Time : 02:27:23

Memory items scanned : 227

Memory threats detected : 0

Registry items scanned : 6826

Registry threats detected : 0

File items scanned : 54955

File threats detected : 40

Adware.Tracking Cookie

C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@adtech[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@solvemedia[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@specificclick[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt

.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.weborama.fr [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.bouyguestelecom.solution.weborama.fr [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.smartadserver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.tradedoubler.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.doubleclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.collective-media.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.kontera.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

Trojan.Agent/Gen-Kazy

C:\SYSTEM VOLUME INFORMATION\_RESTORE{668477DC-0168-463C-90CE-C5FA71396F1C}\RP646\A0139458.EXE

Trojan.Agent/Gen-FakeAV

C:\SYSTEM VOLUME INFORMATION\_RESTORE{668477DC-0168-463C-90CE-C5FA71396F1C}\RP646\A0141441.EXE

Trojan.Agent/Gen-FakeAlert

C:\SYSTEM VOLUME INFORMATION\_RESTORE{668477DC-0168-463C-90CE-C5FA71396F1C}\RP650\A0151516.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{668477DC-0168-463C-90CE-C5FA71396F1C}\RP650\A0151517.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{668477DC-0168-463C-90CE-C5FA71396F1C}\RP650\A0151518.EXE

Richse1 · April 6, 2011

By the way I quarantined the 69 infected files from the scan in safe mode BUT the DDA option was unchecked. That was yeasterday afternoon.

However, I ran another scan yesterday evening but with the DDA option checked. It founds 40 intected files, and that's the scan log I posted above.

Not sure if this clarifiaction is helpful, but I thought I should tell you.

Seth · April 6, 2011

You're welcome.

The log helped a great deal, and I see what's going on now.

Unfortunately, I only have a minute to post right now, but I'll be back later with some suggestions.

Richse1 · April 6, 2011

I m glad the log gives you a better idea of the situation.

Sure, get back to me when you have a chance.

Thanks!

Seth · April 6, 2011

Ok, I'm sneaking this in...

Some infections are in your System Restore folder. It's difficult for any antimalware program to remove those infections, as that folder is protected by Windows. I suggest you clear the restore points by disabling then enabling System Restore.

The other "infections" are cookies, and technically not threats. In fact, many (including myself) turn off cookie detection. This is SAS's official response in regards to cookies:

This subject has been the debate of many newsgroups and online forums. Cookies are simply text files stored on your hard drive and cannot themselves harm your computer in any way. Typically cookies are used to remember logins and keep track of user settings on web-sites.
Cookies can be used to track your movement on the Internet ONLY if a site is aware of the cookies and is designed to use the specific cookies. Because of their use in tracking, many feel that this constitutes spyware.

We do not consider cookies to be threats of anywhere near the same level of severity as actual malware threats that can steal real personal information, serve ads, or render a computer unusable.

SUPERAntiSpyware will detect tracking cookies as "Adware.Tracking Cookies" and you can choose to remove them or leave them on your system. You may turn off this feature in the Preferences -> Scanning Control tab of SUPERAntiSpyware should you not wish cookies to be scanned, detected and removed.

I'll be back later to discuss your scan time and DDA.

Seth · April 6, 2011

Continued from above:

Are you still getting redirects? If so, submit a Customer Support Request and SAS can run diagnostics on your system. Mention this thread in the request.

Here's the link for the request: https://www.superantispyware.com/precreateticket.html

SAS Customer Service · April 6, 2011

Continued from above:

Are you still getting redirects? If so, submit a Customer Support Request and SAS can run diagnostics on your system. Mention this thread in the request.

Here's the link for the request: https://www.superantispyware.com/precreateticket.html

Way to go Seth! Thanks for your devotion to the issue!

Richse1 · April 7, 2011

Hi Seth,

I am sorry I couldn't reply to you earlier. Thanks a lot for your messages.

So here is what I did:

1) I deleted the restore points following these instructions from Windows.com.

http://windows.microsoft.com/en-US/windows-vista/Delete-a-restore-point

Although the instructions are for Windows Vista, I suspected this would still apply for the Windows XP version I am on.

2) Then, in order to make sure I really cleared these restore points I found another way to do it (precisely for Windows XP) on this link i.e. Disabled and enabled them.

http://support.microsoft.com/kb/310405

3) I restarted the computer in Safe mode and ran a scan with the DDA checked and "Scan tracking cookies" checked. Here is the scan

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 04/08/2011 at 10:30 AM

Application Version : 4.50.1002

Core Rules Database Version : 6752

Trace Rules Database Version: 4557

Scan type : Complete Scan

Total Scan Time : 00:59:24

Memory items scanned : 226

Memory threats detected : 0

Registry items scanned : 6832

Registry threats detected : 0

File items scanned : 20527

File threats detected : 226

Adware.Tracking Cookie

C:\Documents and Settings\LocalService\Cookies\system@247realmedia[2].txt

C:\Documents and Settings\LocalService\Cookies\system@optimize.indieclick[1].txt

C:\Documents and Settings\LocalService\Cookies\system@atdmt[1].txt

C:\Documents and Settings\LocalService\Cookies\system@www.adtrak[1].txt

C:\Documents and Settings\LocalService\Cookies\system@overture[2].txt

C:\Documents and Settings\LocalService\Cookies\system@advertise[2].txt

C:\Documents and Settings\LocalService\Cookies\system@adserving.ezanga[2].txt

C:\Documents and Settings\LocalService\Cookies\system@indieclick[2].txt

C:\Documents and Settings\LocalService\Cookies\system@apmebf[1].txt

C:\Documents and Settings\LocalService\Cookies\system@click.blue-square-media[2].txt

C:\Documents and Settings\LocalService\Cookies\system@ru4[1].txt

C:\Documents and Settings\LocalService\Cookies\system@adviva[2].txt

C:\Documents and Settings\LocalService\Cookies\system@invitemedia[2].txt

C:\Documents and Settings\LocalService\Cookies\system@click.fastpartner[2].txt

C:\Documents and Settings\LocalService\Cookies\system@burstnet[1].txt

C:\Documents and Settings\LocalService\Cookies\system@media6degrees[2].txt

C:\Documents and Settings\LocalService\Cookies\system@mediaplex[1].txt

C:\Documents and Settings\LocalService\Cookies\system@www.findlouisiana[2].txt

C:\Documents and Settings\LocalService\Cookies\system@bs.serving-sys[1].txt

C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt

C:\Documents and Settings\LocalService\Cookies\system@user.lucidmedia[1].txt

C:\Documents and Settings\LocalService\Cookies\system@myroitracking[1].txt

C:\Documents and Settings\LocalService\Cookies\system@content.yieldmanager[3].txt

C:\Documents and Settings\LocalService\Cookies\system@fastclick[1].txt

C:\Documents and Settings\LocalService\Cookies\system@zedo[2].txt

C:\Documents and Settings\LocalService\Cookies\system@findology[2].txt

C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[2].txt

C:\Documents and Settings\LocalService\Cookies\system@pro-market[1].txt

C:\Documents and Settings\LocalService\Cookies\system@serving-sys[1].txt

C:\Documents and Settings\LocalService\Cookies\system@www.burstnet[2].txt

C:\Documents and Settings\LocalService\Cookies\system@clickbank[1].txt

C:\Documents and Settings\LocalService\Cookies\system@revsci[1].txt

C:\Documents and Settings\LocalService\Cookies\system@eas.apm.emediate[1].txt

C:\Documents and Settings\LocalService\Cookies\system@specificclick[1].txt

C:\Documents and Settings\LocalService\Cookies\system@mediabrandsww[1].txt

C:\Documents and Settings\LocalService\Cookies\system@imrworldwide[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@xml.trafficengine[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@optimize.indieclick[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@clicks.fastgetonline[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@kontera[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@clicksor[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@overture[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@ads.bighealthtree[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@analytics.roimedia.co[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@adserving.ezanga[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@indieclick[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@click.blue-square-media[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@clickpayz10.91497.information-seeking[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@bizrate.co[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@technoratimedia[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@onlineadtracker.co[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@media.dx.hwpub[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@adserving.greenadvertizing[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@adviva[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@ads.financialcontent[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@ads.e-planning[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@ads.cpxcenter[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@audience2media[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@p353t1s3119119.kronos.bravenetmedia[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@audience2media[3].txt

C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@ads.pubmatic[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@tacoda.at.atwola[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@bizrate[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[3].txt

C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@clickpayz2.91497.information-seeking[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@liveperson[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@mediatraffic[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@findology[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@pro-market[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@www.burstnet[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@xml.happytofind[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@www.ist-track[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@eas.apm.emediate[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@tradedoubler[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@clickpayz7.91462.information-seeking[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@statse.webtrendslive[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@mediabrandsww[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@collective-media[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@masseysmedia[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@clickpayz10.91462.information-seeking[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@advertising[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@www.cpcadnet[1].txt

www.googleadservices.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.doubleclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.weborama.fr [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.clubmed.solution.weborama.fr [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.adtech.de [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.advertise.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.content.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.apmebf.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.mediaplex.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.cofidis2.solution.weborama.fr [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.smartadserver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.bouyguestelecom.solution.weborama.fr [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.mm.chitika.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.kontera.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.xiti.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.at.atwola.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.tacoda.at.atwola.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.at.atwola.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.tacoda.at.atwola.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.collective-media.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.media6degrees.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.ru4.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.mediabrandsww.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.adserver.adtechus.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.a1.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.interclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.ar.atwola.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.collective-media.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.tribalfusion.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.kontera.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

www.cpcadnet.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.adviva.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.ads.adviva.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.bs.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.bnpparibasnet.solution.weborama.fr [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.tradedoubler.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.ru4.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.bizzclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

www.cpcadnet.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.adinterax.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.solution.weborama.fr [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

fr.sitestat.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.findology.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

.content.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\06it9hri.default\cookies.sqlite ]

5) Finally, I am still redirected. Nothing changed unfortunately... ;(

What do you think of this scan?

Is there anyhthing else you can think of?

I guess, I will also check the link you posted to see if Customer Support Request and SAS can run diagnostics on my system.

Thanks,

R

Richse1 · April 7, 2011

While I am waiting for more instruction from you end Seth, I have also sent a full diagnostic to the SAS team following the instruction of your link.

Seth · April 7, 2011

You did clear the restore points successfully, and your complete scan time of 59 minutes is within range. Good job.

I suspect that if you re-enabled DDA, the scan time won't increase significantly. It seems as though your previous System restore points were giving DDA a problem.

Did you read the comments on cookies? Note that cookies are created as soon as you open web pages.

The Customer Support Request will allow the SAS team to find out why you're getting the redirects.

Richse1 · April 7, 2011

Hi Seth,

Thank you for you reply and you encouraging comment!

Yes I did read the note on the cookies. Next times I won't include them in the scan.

Is there anything else I can do in between, or should I let the SAS team get back to me?

I would also like to inform you and the SAS team of a few other types of symptoms:

1) My computer is a bit slower than it use to be.

2) Over the last 2 or 3 days I noticed that it took much more time to switch on the computer and get my windows desktop loaded. Similarly, the lack of speed is the same when I want to switch the computer off.

3) In fact, between yesterday and today I had to do a 'hard switch it off' (excuse my english on this one - I don't know the expression! ) I mean switch off by pressing the ON/OFF button of my CPU. I know this is not good.

4) It just happened a 20 mins ago, when starting the computer, during he launching phase of Windows ( with the logo etc) my computer got stuck 3 times on the blue page where the mention 'Welcome' is displayed. Once again I had to reboot in hard 3 times.

5) Over the last two days, while surfing on the web, Firefox just randomly open a brand new web page on a random website. This occurred perhaps 3 times.

That's it you know everything. Let me know I can do anything else while waiting for the SAS team.

Thanks

R

Seth · April 7, 2011

Once SAS determines and rectifies the infection that's causing the redirects, we can address those issues if they continue.

Richse1 · April 11, 2011

Hi again Seth,

I am still waiting for the SAS team to get back to me. Over the week-end and especially the situation worsened a little more: the computer is slower, I can't swith it off unless in Hard, more pop up etc... This morning and had a recurrent warning from my Antivrus (i.e. Antivir) telling me that a Trojan needs to be quaratined ...

So I did another scan in safe mode (as you recommended, I didn't scan the cookies)

Here is my Scan log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 04/12/2011 at 01:40 PM

Application Version : 4.50.1002

Core Rules Database Version : 6752

Trace Rules Database Version: 4557

Scan type : Complete Scan

Total Scan Time : 01:02:32

Memory items scanned : 221

Memory threats detected : 0

Registry items scanned : 7499

Registry threats detected : 2

File items scanned : 23312

File threats detected : 2

Malware.Trace

C:\WINDOWS\TASKS\{22116563-108C-42c0-A7CE-60161B75E508}.job

C:\WINDOWS\TASKS\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

HKU\.DEFAULT\Software\NtWqIVLZEWZU

HKU\S-1-5-18\Software\NtWqIVLZEWZU

I hope this could give more insight to you & the SAS team on how things are evolving over here.

Let me know I you have any recommendation.

Thank you,

R

rise · April 11, 2011

Hi

I can help you fixing your computer, just let me know if you want to

Richse1 · April 12, 2011

Hi

I can help you fixing your computer, just let me know if you want to

Sure any help is Welcome. Thanks!

What do you recommend?

rise · April 12, 2011

First do like in this post https://forums.superantispyware.com/index.php?app=forums&module=forums&section=findpost&pid=21037

Then

-Download aswMBR.exe from here: http://public.avast.com/~gmerek/aswMBR.exe and save it to your Dekstop

-Double click the aswMBR.exe to run it

-Click the "Scan" button to start scan

-On completion of the scan click save log, save it to your desktop and post in your next reply

anrose · April 15, 2011

Hi everyone,

I would suggest that you try to use Dr.Web Anti Virus for Windows 4.44. This antivirus really works for me it will also works for you. Hope it will help you solve your problems.

Midnite · April 17, 2011

Hello all - I also have this nasty annoying infection ... apparently so do many many many others on the net ... I have found posts about this dated back to 2010 and I am surprised that no one has a solution yet ... I have run almost every possible scan on my PC and I am clean all aroung except for this DAMN redirect on search malware / trojan which is at this point driving me NUTS ... if anyone has any idea how to remove this PLEASE post something here and let us know ... I am sending in a request as well to the staff ( experts ) here as well per the post above to see if anyone can help solve this ... PLEASE I am ready to pull out what hair I have left and to be honest that is not ALOT

rise · April 17, 2011

Hello all - I also have this nasty annoying infection ... apparently so do many many many others on the net ... I have found posts about this dated back to 2010 and I am surprised that no one has a solution yet ... I have run almost every possible scan on my PC and I am clean all aroung except for this DAMN redirect on search malware / trojan which is at this point driving me NUTS ... if anyone has any idea how to remove this PLEASE post something here and let us know ... I am sending in a request as well to the staff ( experts ) here as well per the post above to see if anyone can help solve this ... PLEASE I am ready to pull out what hair I have left and to be honest that is not ALOT

Hi

Download OTL from here: http://oldtimer.geekstogo.com/OTL.exe to your Dekstop.

Double click on the icon to run it select All users then under the Custom/scans fixes copy/paste the following:

netsvcs

drivers32

%SYSTEMDRIVE%\*.*

%systemroot%\Fonts\*.com

%systemroot%\Fonts\*.dll

%systemroot%\Fonts\*.ini

%systemroot%\Fonts\*.ini2

%systemroot%\Fonts\*.exe

%systemroot%\system32\spool\prtprocs\w32x86\*.*

%systemroot%\REPAIR\*.bak1

%systemroot%\REPAIR\*.ini

%systemroot%\system32\*.jpg

%systemroot%\*.jpg

%systemroot%\*.png

%systemroot%\*.scr

%systemroot%\*._sy

%APPDATA%\Adobe\Update\*.*

%ALLUSERSPROFILE%\Favorites\*.*

%APPDATA%\Microsoft\*.*

%PROGRAMFILES%\*.*

%APPDATA%\Update\*.*

%systemroot%\*. /mp /s

CREATERESTOREPOINT

%systemroot%\System32\config\*.sav

%PROGRAMFILES%\bak. /s

%systemroot%\system32\bak. /s

%ALLUSERSPROFILE%\Start Menu\*.lnk /x

%systemroot%\system32\config\systemprofile\*.dat /x

%systemroot%\*.config

%systemroot%\system32\*.db

%PROGRAMFILES%\Internet Explorer\*.dat

%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x

%USERPROFILE%\Desktop\*.exe

%PROGRAMFILES%\Common Files\*.*

%systemroot%\*.src

%systemroot%\install\*.*

%systemroot%\system32\DLL\*.*

%systemroot%\system32\HelpFiles\*.*

%systemroot%\system32\rundll\*.*

%systemroot%\winn32\*.*

%systemroot%\Java\*.*

%systemroot%\system32\test\*.*

%systemroot%\system32\Rundll32\*.*

%systemroot%\AppPatch\Custom\*.*

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Now click Quick scan.When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.

Post both logs in your reply.

Then

-Download aswMBR.exe from here: http://public.avast.com/~gmerek/aswMBR.exe and save it to your Dekstop

-Double click the aswMBR.exe to run it

-Click the "Scan" button to start scan

-On completion of the scan click save log, save it to your desktop and post in your next reply

Redirect Malware on Google links using Firefox and WinXP

Recommended Posts

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in