Browser redirector? Plus....

Discussion in 'Malware Help (A Specialist Will Reply)' started by G.T., Jul 28, 2006.

  1. G.T.

    G.T. R.I.P February 4, 2007. You will be missed.

    Hi all. Haven't been able to access MG and several other sites all week, using Firefox, booted IE to see if it was a Firefox issue, and noticed that my IE homepage seems to be running through a redirector. Home page (with IE) looks normal, but the normal http://.xxxxxxx.net is now http://xxxxxxxx.net/s/s.dll?spage=hb/index.htm . Changing it in Options, even to about:blank, doesn't take; it reverts to the long URL as soon as I close the options. Firefox URLs don't change, but loading pages is semi-crippled even with FF.

    I use AVG and Webroot Spy Sweeper all the time; scans show nothing. Trend's HouseCall sweep showed something like "all2010search" briefly, but I lost it off-screen before writing it down, and second sweep didn't show it. AdAware and Spybot also show nothing.
    Does that redirector data or the action suggest anything to you guys?

    Again, I can't log on from home. I'll check back here before leaving work this evening.

    TIA.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You say you have updated and ran Spy Sweeper? Have you tried Ewido Anti Malware?
     
  3. G.T.


    Yeah, all programs & sweeps have been latest versions and updates. Haven't tried Ewido; will try that tonight. Thanks.
     
  4. bjgarrick


    Okay, try Ewido and if that doesn't work we can try a few utils that dig deep and look for hidden items. I can't believe that SS didn't find anything related.
     
  5. G.T.


    Me too; Spy Sweeper is rated highly. (shrug)
     
  6. G.T.


    OK, I'm back normally from home. Windows Firewall/ICS service was set to Manual, instead of Automatic, and enabling it allowed me to resume normal surfing, including HERE. (yay). I didn't change any services recently, so either something changed it, or it's been working fine in manual mode and some requirements from possibly my ISP now make it necessary? I dunno, but it's fixed the surfing. All scans (including Ewido) have come back negative except for that one that Trend HouseCall found early on (and I DO remember it was listed as an ad-server, with only a "medium" threat rating). Possibly it cleaned it but left the homepage locked in the Registry? Since all other scans have come back clean, I'm going to assume I'm clean, except for a locked homepage. Nothing is trying to dial out (using ZoneAlarm firewall), nothing is loading that shouldn't, and I'm not getting any suspicious-looking ads or behavior, and even with IE, other than that locked homepage URL, all other pages load properly with the proper URLs, so it's not affecting any other pages.

    Do you concur, or do you think I need to keep looking?

    Do you know how to manually unlock the IE homepage setting in Registry, or should I ask that over in the general software section? (WinXP Pro SP2 BTW; forgot to mention that up front.)

    And thanks for your help. :)
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Gary,

    Sounds like a drive-by attempt at a Browser Hijack. What's your HijackThis log look like?
     
  8. bjgarrick


    I was about to ask for a HJT log SPD :p If you will attach a current HJT log, we can check for anything suspicious or anything keeping the IE settings locked.

    Is it greyed out in IE settings?
     
  9. G.T.


    Limping along...
    Found an MS KB article pointing to the registry settings relating to home page. Found the home page locked (unlocked it), found the bogus home page URLs and deleted them, and IE home page is now settable properly. Definitely got hit by SOMETHING.

    STILL having intermittent problems accessing MG, with Firefox or IE (Firefox preferred). When Firefox stalls out on the main MG page, hitting refresh shows "Transferring data from pagead2.googlesyndication.com..." at the bottom of the screen, and stops there; never loads the page. At the forum main page, hitting refresh brings up "Looking up a.tribalfusion.com..." and stalls out there forever. (3 Meg DSL connection; shouldn't take any time.)

    For grins, while I could last access MG, downloaded CWShredder. CWShredder showed nothing, but linked to Trend's Anti-Spyware page, so I ran that online, and it found "Adware_2020Search", referenced one file, and removed that. Description here:
    http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADWARE%5F2020SEARCH

    Still having massive problems accessing MG and some others, but all seem to be stalling out while accessing routine ads that the sites use. Checked Windows Hosts file, it's empty. Been struggling to get back here, and just now opened the HJT program, NOT running it, just open, and I can instantly access MG again. Have no idea why. HJT log attached.
     

  10. bjgarrick


    HJT log looks good. If you will relocate HJT to C:\Program Files\HJT and rename HijackThis.exe to analyze.exe, then attach a new HJT log. Reason is because there are a few infections that hide from HJT; renaming it solves the issue.

    Also, I would like you to do the following to confirm nothing is hiding around.

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.

    Click the image below and run the TrendMicro Spyware Scan and see if it removes anything.

    http://www.trendmicro.com/spyware-scan/images/tmas-scan.gif

    Once you complete this scan, attach the log along with the new HJT log. Hopefully they will come back clean.
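The two checks the thread walks through by hand (post 9's look at the IE home-page registry values, and post 10's Hosts file review) can be scripted so a helper sees the same facts without relying on the poster's description. The script below is an added example, not part of the thread and not code from MajorGeeks, HijackThis or Hoster. It assumes the standard IE locations: the `Start Page` string under `HKCU\Software\Microsoft\Internet Explorer\Main`, and the `HomePage` DWORD under `HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel` (1 = home page locked). The Hosts file content is constructed for the demo; the two ad hostnames in it are the ones named in post 9, and the "redirector" pattern is taken from the shape of the URL in post 1 (`/s/s.dll?spage=...`).

```python
"""Audit IE home-page settings and a Windows Hosts file for hijack signs.

Added example for this thread; the registry paths are the standard IE ones,
and SAMPLE_HOSTS is constructed so the script runs offline on any platform.
"""
import re
import sys

# Constructed sample Hosts file (not the poster's real file). Two ad servers
# named in the thread are pinned to loopback / 0.0.0.0, which is exactly how a
# browser ends up stalling on "Looking up a.tribalfusion.com..." forever.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       pagead2.googlesyndication.com   # silently blackholes ad loads
0.0.0.0         a.tribalfusion.com
192.0.2.10      www.example.net                 # a real redirection, not a blackhole
"""

# Hostnames that belong in a stock Windows Hosts file.
DEFAULT_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Home-page URL shape from post 1: a DLL endpoint taking the real page as a
# 'spage=' parameter, i.e. every visit is routed through the redirector first.
REDIRECTOR_RE = re.compile(r"\.dll\?[^ ]*spage=", re.IGNORECASE)


def parse_hosts(text):
    """Return (ip, hostname) pairs from Hosts-file text, ignoring comments/blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def nondefault_hosts_entries(text):
    """Every entry beyond the stock localhost lines.

    Any hostname pinned to an address here overrides DNS for that name, so each
    one is either a deliberate block (loopback/0.0.0.0) or a redirection and
    deserves a look. Post 9's 'Hosts file is empty' corresponds to [] here.
    """
    return [(ip, name) for ip, name in parse_hosts(text)
            if name not in DEFAULT_HOSTNAMES]


def assess_homepage(start_page, homepage_policy):
    """Judge the IE home-page state from the two registry values.

    start_page      -- 'Start Page' string (or None if absent)
    homepage_policy -- 'HomePage' DWORD from the Control Panel policy key, or None
    """
    return {
        "locked": homepage_policy == 1,
        "redirector_pattern": bool(REDIRECTOR_RE.search(start_page or "")),
    }


def read_ie_homepage_from_registry():
    """Read the two values live on Windows; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows

    def read_value(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None  # key or value absent: the normal, unlocked state

    start_page = read_value(r"Software\Microsoft\Internet Explorer\Main", "Start Page")
    policy = read_value(
        r"Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage")
    return assess_homepage(start_page, policy)


if __name__ == "__main__":
    for ip, name in nondefault_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    # The URL shape reported in post 1, with the policy value set to 'locked'.
    print(assess_homepage("http://xxxxxxxx.net/s/s.dll?spage=hb/index.htm", 1))
    live = read_ie_homepage_from_registry()
    if live is not None:
        print("live registry:", live)
```

`nondefault_hosts_entries` deliberately reports loopback entries too: blocking ad servers via Hosts is a legitimate tweak, but it produces the exact "stalls on the ad domain" symptom described in post 9, so a helper wants to see those lines before concluding the file is clean. Deleting the policy `HomePage` value (or setting it to 0) is what unlocks the setting in Options; the script only reports, it does not change anything.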
     
  11. G.T.


    Thanks BJG. Will tweak and re-run HJT, and run Hoster. May take a while; haven't been able to access MG at all today (at a neighbor's right now), and am in the process of transferring all components to a new cooler-running case, which may take a while. Old case didn't move enough air, and was slow-cooking all my hot components.

    If NOTHING shows up, I may take the simple way out and nuke C: and just do a clean install, but will give Hoster a try and see if I can get you a new HJT log.
     
  12. bjgarrick


    Okay. If possible, attach the log from the TrendMicro Spyware Scan; it usually does a good job in detecting hidden items.
     
  13. G.T.


    Relocated and renamed HJT, and re-ran; log file looked good to me. Most all things I recognized, and the rest easily verifiable as benign. (Sorry, I didn't save it.) Hoster showed the same thing I saw when looking at the Hosts file in Notepad, and didn't change anything on its restore function. Re-ran all scans, online and off, including Rootkit Revealer, and still came up clean, and still had problems loading pages with ad servers, including here.

    Gave up and nuked the C drive, after saving personal info, and am in the process of rebuilding it. Pages load properly again. LOL. Reinstalling is no biggie; I know how to save my data and get back on my feet. I'm assuming whatever hit me (likely that Adware_2020Search, which was the ONLY thing to ever be found), crippled something in basic Windows files, since I had the same problem in IE and Firefox.

    Ah well, thanks for your help. :)
     
  14. bjgarrick


    Not a problem, we would have got it sooner or later ;)

    I wanted to mention, I had a homepage hijacker a few years back that all it was was a hidden DLL in the system32 directory locked by a simple registry entry. It took about a week to figure out, but we finally got it removed.
     
