Redirected links (hijacked), can't solve it.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by eddie, Jun 2, 2004.

  1. eddie

    eddie Private E-2

    I'm accessing the homepage of my ISP, and there's one link called "my account details" from which I am always taken to some other page. I've run Spybot & Ad-Aware (latest updates... I also use SpywareBlaster 3.1) and found nothing. Here's my log file...

    Logfile of HijackThis v1.97.7
    Scan saved at 10:17:09 PM, on 2/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\sstray.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
    C:\Documents and Settings\dang\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.motherboards.org/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38067.9077083333
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au

    I've tried removing the bottom 6 (O17) entries but had no success, so I restored them. Mozilla Firefox is my default browser, but this problem also occurs with IE6.

    Would greatly appreciate any help.
    Thank you,
    ft
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Nothing immediately pops out and says hijack!

    What's your ISP (I'm guessing BigPond?)

    And what page do you get redirected to?

    The only thing you seem to have in that HJT log is a few startup items that can go, as they serve no major purpose....
     
  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Addendum to the above: if your ISP is BigPond and you get redirected to Telstra.com when you log in to My Account, then this is normal, as Telstra owns BigPond.

    The bottom 6 entries in HJT would be needed, I guess, for internet access using your ISP.

    And WELCOME to MajorGeeks :)
     
  4. eddie

    eddie Private E-2

    Yes, ISP is BigPond.

    I'm getting redirected to here

    http://wwwdb.web.cern.ch/wwwdb/objectivity/howto/faqs/faq4.html

    Same page every time.

    I'm in a section where I have to log in to access my account details (forgot to mention: I'm already logged in). Even when I put my mouse over the "account details" link it comes up with

    https://ams-server:1081/cgi-bin/ams_client/cmd_process

    on the status bar...which is incorrect, because there's also other similar "account" links that show

    https://bcoba-server.bigpond.net.au:8443/rhwc/spci

    I'm no expert at HJT, but I also thought that my logfile looked fine... I'm baffled.
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I cannot find anything on this. Have you contacted your ISP and asked them about it?
     
  6. eddie

    eddie Private E-2

    Yeah, I rang 'em up and all they said was that it was spyware.
     
  7. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Well, that's a NEW one... your log looks clean!

    And the redirect takes you to a part of the CERN website... CERN, if you didn't know, is possibly the world's largest physics center and the birthplace of the WWW, and in no way a malicious site.

    As to why you're getting redirected to the database and server info part of their website... I have no clue, but download this hosts file reader and look for the links you are being redirected to in there.

    Info on the hosts file: http://www.dslreports.com/faq/10131

    The link to hostsfilereader is dead in the above, so I attached it..... If you're not sure what to delete, post a copy of your hosts file here and we can look at it.. That app allows you to save your hosts file as a backup.
     
    Last edited: May 28, 2007
  8. eddie

    eddie Private E-2

    Thanks for that, Halo, but the hosts reader did not come up with anything (besides localhost, of course).

    Do you think it's possible this problem may be on the ISP's side of things rather than something on my machine?
     
  9. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Certainly now looks that way, eddie.

    You have tried all that I would have: run Ad-Aware and HJT and looked at the hosts file. I would suspect ISP issues now... If they think it's spyware, ask them what type it is, as I think a lot of us would like to know, as this is new (well, to me anyway).

    Hope you get it sorted, eddie, and keep us informed on your progress ;)
     
  10. eddie

    eddie Private E-2

    I got it all fixed up. It turned out to be issues with the DNS settings; however, I still have no idea why it went to the CERN page. Anyhow, all is good. Thank you, Halo, for your help. Much appreciated.

    Great site btw.
     
  11. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Glad you got it sorted, eddie.

    So did you flush your DNS cache, or was this with help from the ISP? (Just curious how you fixed this, as it may help someone else with the same issue at a later date.)
     
  12. eddie

    eddie Private E-2

    Contacted my ISP again and explained EVERYTHING to 'em... and they were helpful.

    Internet Protocol (TCP/IP) settings > Advanced > DNS

    In the DNS tab there's an option "Append these DNS suffixes (in order)".

    And the value was "vic.bigpond.net.au" (vic = Victoria).

    However, I'm from Sydney, which is in NSW, a different state. So I was instructed to add the entry "nsw.bigpond.net.au".

    I have no idea why it was "vic" in the first place and not "nsw".
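    The fix above, and the O17 entries eddie tried removing in the first post, are the same mechanism: Windows appends the configured DNS suffixes to any single-label hostname before looking it up, so a link such as https://ams-server:1081/... resolves to ams-server.<suffix> and the suffix list decides which host the browser actually reaches. That is why HijackThis lists SearchList changes under O17. The following is an added example (not code from the thread or from HijackThis) that simulates the suffix search with constructed zone data and pulls the O17 SearchList values out of log lines in HijackThis format; the hostnames, addresses and the simplified resolver model are assumptions made for illustration.

```python
import re

# Constructed zone data for the simulation: none of these names or
# addresses are real BigPond records. The same short name "ams-server"
# exists under two regional suffixes and points to two different hosts.
ZONE = {
    "ams-server.nsw.bigpond.net.au": "10.0.1.10",  # host the link is meant to reach
    "ams-server.vic.bigpond.net.au": "10.0.2.10",  # a different host in another region
    "bcoba-server.bigpond.net.au": "10.0.3.10",    # fully qualified link, needs no suffix
}

# Constructed excerpt in HijackThis log format; the O17 lines mirror the
# ones in the log posted in this thread.
SAMPLE_LOG_LINES = [
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au",
]

O17_RE = re.compile(r"^O17 - (?P<key>\S+): SearchList = (?P<value>.+)$")


def search_lists_from_log(lines):
    """Map each registry key reported in an O17 line to its list of suffixes.
    Windows stores SearchList as a comma-separated string, so split on commas."""
    found = {}
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            found[m.group("key")] = [s.strip() for s in m.group("value").split(",") if s.strip()]
    return found


def candidates(hostname, search_list):
    """Names the resolver tries, in order. Simplified model of the Windows
    DNS client (an assumption of this example): a name containing a dot is
    looked up as written; a single-label name such as "ams-server" gets each
    suffix from the search list appended, in order."""
    if "." in hostname:
        return [hostname.rstrip(".")]
    return [f"{hostname}.{suffix}" for suffix in search_list]


def resolve(hostname, search_list, zone=ZONE):
    """Return (fqdn, address) for the first candidate present in the zone, or None."""
    for name in candidates(hostname, search_list):
        if name in zone:
            return name, zone[name]
    return None


def unexpected_suffixes(search_list, expected):
    """Suffixes the machine is configured with that are not in the set you
    expect (for eddie, the one the ISP said to use)."""
    return [s for s in search_list if s not in expected]


if __name__ == "__main__":
    for key, suffixes in search_lists_from_log(SAMPLE_LOG_LINES).items():
        print(f"{key}: {suffixes}")
        print("  unexpected:", unexpected_suffixes(suffixes, {"nsw.bigpond.net.au"}))
    # The same unqualified link, resolved with the wrong and the right suffix.
    for suffixes in (["vic.bigpond.net.au"], ["nsw.bigpond.net.au"]):
        print(suffixes, "->", resolve("ams-server", suffixes))
```

    Run as a script, it shows "ams-server" landing on a different host depending only on the suffix list, while the fully qualified bcoba-server link resolves the same way regardless; that matches what eddie saw, where one account link misbehaved and the other did not. The check in `unexpected_suffixes` is the review a practitioner would do on the O17 lines: compare the configured suffixes against the one the ISP actually expects before deciding whether an entry is legitimate.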
     
  13. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Cool... cheers for the update!

    It's always good to have a resolution to an issue, especially a weird one like yours; this info will at some point help someone else.

    Hope you stick around, as this place is a good one for info and a bit of fun in the lounge and arcade (plus there are a few other Aussies here as well :) )
     
