www.ads234.com and other redirects

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Frustrated in OH, Sep 9, 2004.

  1. Frustrated in OH

    Frustrated in OH Private E-2

    When I'm on the internet I am constantly being redirected through other sites, including:

    ads234.com
    64.05.76.7
    207.68.172.239

    In an effort to fix this (I'm not sure if spyware is my only problem or viruses too), I went through each step of the "Getting Prepared 1-6". Numerous viruses were found in step 5 through both TrendMicro and PandaSoftware (I also used Bitdefender). I then did "Time to Start Scanning and Cleaning" - steps 1-3. I have not used Hijack This yet since the tutorial told me not to use it (or at least not to attach the logfile) until I have posted my symptoms.

    Any idea how to stop this problem?

    Thanks!
     
  2. Kodo

    Kodo SNATCHSQUATCH

    What operating system are you using please?
     
  3. Frustrated in OH

    Frustrated in OH Private E-2

  4. Kodo

    Kodo SNATCHSQUATCH

    Go to Start.. Run.. and type

    notepad c:\windows\system32\drivers\etc\hosts

    Your hosts file should look like this:


    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    If there is anything below the localhost line, delete it, then save the file and test your surfing.
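Kodo's check can be scripted. What follows is an added example (not from Kodo's post and not a MajorGeeks tool): it parses hosts-file text, keeps the stock loopback line, and separates names pinned to 127.0.0.1 (the pattern of deliberately installed ad-blocking hosts lists) from names pointed at some other address (the redirect pattern this thread is about). The sample hosts text is constructed; the 203.0.113.5 address is an RFC 5737 documentation address and the .test hostnames are placeholders.

```python
"""Audit a Windows hosts file for hijack entries.

Added example, not from the original thread.  It parses hosts-file text and
separates the default loopback line from everything else, because a hijacker
that appends mappings such as "<attacker IP> www.example.com" silently
redirects the browser for those names.  The sample input is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

LOOPBACKS = {"127.0.0.1", "::1"}
DEFAULT_NAMES = {"localhost"}

# Constructed sample: the stock Microsoft header, the expected localhost line,
# then the kind of junk the poster found beneath it (203.0.113.5 is a test address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
203.0.113.5     www.search-example.test   # constructed hijack entry
203.0.113.5     search-example.test www.search-example.test
127.0.0.1       ads.example.test          # constructed blocklist-style entry
"""

Entry = Tuple[int, str, List[str]]  # (line number, ip, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Return every active mapping as (lineno, ip, [hostnames]); comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop whole-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line: an address with no name
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify mappings: 'default' (loopback -> localhost), 'blocked' (any other
    name pinned to loopback, typical of ad-blocking hosts lists), 'redirect' (a name
    pointed at a real address, the hijack pattern from the thread) and 'invalid'
    (first column is not an IP address at all)."""
    report: Dict[str, List[Entry]] = {"default": [], "blocked": [], "redirect": [], "invalid": []}
    for entry in parse_hosts(text):
        _, ip, names = entry
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append(entry)
            continue
        if addr.is_loopback and set(names) <= DEFAULT_NAMES:
            report["default"].append(entry)
        elif addr.is_loopback:
            report["blocked"].append(entry)
        else:
            report["redirect"].append(entry)
    return report


def clean_hosts(text: str) -> str:
    """Kodo's fix, mechanised: keep comments, blank lines and the localhost line, drop every other mapping."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            kept.append(raw)
            continue
        parts = stripped.split()
        if len(parts) >= 2 and parts[0] in LOOPBACKS and set(parts[1:]) <= DEFAULT_NAMES:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for lineno, ip, names in entries:
            print(f"{kind:8} line {lineno}: {ip} -> {' '.join(names)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

The split matters because a few hundred extra lines are not by themselves proof of a hijack: an ad-blocking hosts list also adds hundreds of lines, all pointing at loopback. Lines that send real names to a real address are the ones that produce the redirects described here, and anything the parser cannot read as an address at all lands in 'invalid' and deserves a look of its own.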
     
  5. Frustrated in OH

    Frustrated in OH Private E-2

    I deleted about 360 lines that were below 127.0.0.1 localhost!

    I think that fixed it - I haven't been redirected and things move SO much faster.

    THANKS SO MUCH!!!!!!!!!!!!

    P.S.
    I have another machine with Windows 98 - would the same thing work for that operating system?
     
  6. Kodo

    Kodo SNATCHSQUATCH

    Yes, but the hosts file is located someplace else.. I think it's C:\windows\system, don't recall. It's been a long time since I cared about win9x. Do a search for it.
     
  7. Frustrated in OH

    Frustrated in OH Private E-2

    The ads234.com is back again. There are no new lines under the 127.0.0.1 localhost line. Any other suggestions?
     
  8. Kodo

    Kodo SNATCHSQUATCH

  9. Frustrated in OH

    Frustrated in OH Private E-2

    Yes, I followed the steps in the Read Me First. If you scroll down to the original message I noted which steps I did.
     
  10. Kodo

    Kodo SNATCHSQUATCH

    Yes, you did.. I apologize.. long day.
    Please go ahead and post your HijackThis log file as an attachment.
     
  11. Frustrated in OH

    Frustrated in OH Private E-2

    I attached the HijackThis log as a document file. I hope I did it right.
     


  12. Frustrated in OH

    Frustrated in OH Private E-2

    Is there anything in my log file that I should delete?
     
  13. I.M.O.G.

    I.M.O.G. Private E-2

    I think you cheated, or did not have the latest updates. ;)

    I have had weeks at work when I had to fix this exact redirect to ads234 every single day on a different person's computer. We use Websense, so when someone is getting redirected to junk sites all the time, their Internet Explorer basically gets shut down. :rolleyes:

    You must go into safe mode and run the scans for this. You must clear all temporary files and disable System Restore - if you are unable to delete a temporary file, it is likely due to the process currently being engaged (this is likely why the infection was not cleaned: the scans were not run from safe mode). You must check your running processes, and make sure you end task on any .exe with an apparently randomly generated filename. You then must find that file on your system and delete it (it will usually reside in temp files or Windows folders, and the process must be killed before you will be able to delete it).

    In hijackthis, these entries must die, DIE, DIE! *IMOG inserts evil cackle*

    *Starred entries may not need to die, but they would be fun to kill, while not causing damage. ;)

    C:\documents and settings\jcostello\local settings\temp\98KqA2.exe
    C:\documents and settings\jcostello\local settings\temp\98KqA2.exe
    C:\documents and settings\jcostello\local settings\temp\gPcJ3.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    *N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JCostello\Application Data\Mozilla\Profiles\default\0ru7nbnk.slt\prefs.js)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\JCostello\Local Settings\Temp\bttw.dll

    *IMOG gasps for breath*

    O4 - HKLM\..\Run: [OH] C:\documents and settings\jcostello\local settings\temp\OH.exe
    O4 - HKLM\..\Run: [98KqA2] C:\documents and settings\jcostello\local settings\temp\98KqA2.exe
    O4 - HKLM\..\Run: [OH.exe] C:\documents and settings\jcostello\local settings\temp\OH.exe
    O4 - HKLM\..\Run: [98KqA2.exe] C:\documents and settings\jcostello\local settings\temp\98KqA2.exe
    O4 - HKLM\..\Run: [gPcJ3.exe] C:\documents and settings\jcostello\local settings\temp\gPcJ3.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\JximoD.exe
    O4 - HKLM\..\Run: [t72g32h] shgfos.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
    O4 - HKCU\..\Run: [cwtmRSNmh] shrfilt.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    *O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    *O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

    There are also some O16 entries I would get rid of; they may break some functionality you want, but I think it is junk:

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab

    Any file listed here which resides in a directory on C:\ needs to be manually found and its grim demise ensured - fixing these entries with HijackThis will clean your registry, but any actual remaining files on your hard drive can lead to future reincarnations.

    Until you are clean, your hosts file will likely be continually reinfected.

    P.S. Welcome to the forums, OH. I'm from the northeast, and work in Cleveland. How 'bout them Buckeyes? I hope every loose sorority girl on campus finds her way to Nugent's room - that is one loved kicker. He had the distance for 60 yards. :)
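IMOG's triage can be partly automated. The script below is an added example, not part of IMOG's post and not part of HijackThis: it applies the signals he uses by hand (a program running from a Temp folder, a random-looking name, an entry whose file is already gone, a Run value that is a bare filename found through the PATH search, and an ActiveX download from a raw IP address) to a handful of log lines. The sample lines are copied from the log excerpts quoted in this thread, plus one constructed benign [Example] entry; the looks_random heuristic is my own assumption, and the script does no lookup of known malware or adware names.

```python
"""Triage HijackThis O2/O4/O9/O16 entries the way the thread does by hand.

Added example, not part of the original post and not part of HijackThis.
Each rule encodes one signal IMOG relies on; the sample log lines come from
the thread, except the [Example] Run entry, which is constructed as a
benign control.  The random-name heuristic is an assumption, not a standard.
"""
import re
from typing import Dict, List, Optional, Tuple

VOWELS = set("aeiouAEIOU")
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")

SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - SOFTWARE - (no file)",
    r"O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\JCostello\Local Settings\Temp\bttw.dll",
    r"O4 - HKLM\..\Run: [OH] C:\documents and settings\jcostello\local settings\temp\OH.exe",
    r"O4 - HKLM\..\Run: [98KqA2] C:\documents and settings\jcostello\local settings\temp\98KqA2.exe",
    r"O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\JximoD.exe",
    r"O4 - HKLM\..\Run: [t72g32h] shgfos.exe",
    r'O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"',
    r"O4 - HKCU\..\Run: [cwtmRSNmh] shrfilt.exe",
    r"O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe",   # constructed benign control
    r"O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)",
    r"O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab",
    r"O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab",
])


def looks_random(name: str) -> bool:
    """Assumed heuristic for 'apparently randomly generated': at least four letters
    with no vowel among them, or two or more digits mixed into the name."""
    letters = [c for c in name if c.isalpha()]
    digits = sum(c.isdigit() for c in name)
    no_vowels = len(letters) >= 4 and not (set(letters) & VOWELS)
    return no_vowels or digits >= 2


def split_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (section, name, target) for one O-line, or None for anything else."""
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    if section == "O4":
        # O4 - HKLM\..\Run: [value name] "path" or path
        m4 = re.match(r'^[^:]+:\s*\[(?P<name>[^\]]*)\]\s*"?(?P<target>[^"]*)"?\s*$', body)
        if not m4:
            return None
        return section, m4.group("name"), m4.group("target").strip()
    # O2 / O9 / O16: the target is the last " - " separated field
    fields = [f.strip() for f in body.split(" - ")]
    return section, fields[0], fields[-1] if len(fields) > 1 else ""


def basename_stem(path: str) -> str:
    """'C:\\x\\y\\bttw.dll (file missing)' -> 'bttw'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].split(" ")[0].rsplit(".", 1)[0]


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per flagged line: {'line', 'section', 'reasons'}."""
    findings = []
    for line in log_text.splitlines():
        parsed = split_entry(line)
        if not parsed:
            continue
        section, name, target = parsed
        reasons = []
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("orphaned entry: the file is already gone, remove the registry reference")
        if any(marker in target.lower() for marker in TEMP_MARKERS):
            reasons.append("runs from a Temp folder")
        if section == "O4":
            if "\\" not in target:
                reasons.append("bare filename: located through the PATH search, not a fixed location")
            if looks_random(name) or looks_random(basename_stem(target)):
                reasons.append("random-looking name")
        elif section in ("O2", "O9"):
            if looks_random(basename_stem(target)):
                reasons.append("random-looking name")
        elif section == "O16":
            host = re.match(r"https?://([^/]+)", target)
            if host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host.group(1)):
                reasons.append("ActiveX download from a raw IP address")
        if reasons:
            findings.append({"line": line, "section": section, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

Note what the rules do not catch: the Web_Rebates and VBouncer entries have ordinary-looking names and live under Program Files, so recognizing them as adware still takes the knowledge IMOG brings to the log. The output is a shortlist for a human, and, as IMOG says, a flagged file has to be killed and deleted from disk, not just unlisted.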
     
  14. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I would leave some of the O16 entries in there for functionality:

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/.../soesysinfo.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yah...ebio5_0_2_7.cab


    The other 2 are questionable!
     
  15. Frustrated in OH

    Frustrated in OH Private E-2

    Thanks IMOG (and Major Attitude) for your help. I was sure to run the scans and delete the HijackThis entries in safe mode. I ran HijackThis again so I can be sure that the bad files are gone. I have attached the log file.

    IMOG - I'm in the Columbus area. I guess people go crazy over the Buckeyes throughout the state - not just here. I'm an import though (originally from NY) and my husband is a Penn Stater so it's been fun out here in Buckeye land. ;) Thanks again for your help.
     


  16. I.M.O.G.

    I.M.O.G. Private E-2

  17. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    NY? Whereabouts? Were you in the Syracuse area, or were you in the other NY, the big city? ;)

    I'm with IMOG, it looks good, but that one line is questionable. You're still running it from a temp directory, so you may not have backups. Move the executable to C:\HijackThis or something and remove that line, so you have a backup.
     
  18. Frustrated in OH

    Frustrated in OH Private E-2

    Major Attitude - I grew up on Long Island but went to college at Geneseo. I was in Syracuse once while touring colleges and once for a Billy Joel concert at the Carrier Dome (amazing concert).

    Thanks again for your help with the ads234 problem. I'm having the xlime.offer problem now but I'm pretty sure I'll be able to get rid of it by following your steps from last time.
     
  19. mianatw

    mianatw Private E-2

