Have I got a virus please!)

Can anyone help?
For the last two days I find that on my PC (using XP), whenever I use
Yahoo or Google search, and using either MSIE or Firefox, I am
redirected to pages that do not seem to be the one listed on the
search engines and tend to be commercially-based.
The URLs of gallane.com, bediidle.com, and xalab.com seem
to appear a lot in the bottom line of the browser while the search
engines work.

For example, on typing Buddhism in Yahoo, one of the early options
listed by Yahoo is:

BBC - Religion & Ethics - Buddhism  
Guide to Buddhism, a tradition of personal spiritual development,
including ... The history of Buddhism is the story of one man's
spiritual journey to ...
www.bbc.co.uk/religion/religions/buddhism - Cached

I am then redirected to
http://www.meditations-uk.com/main/learn_meditation_machines.html

And yet on doing this on an old PC, I click on the Yahoo listing and
go to:
http://www.bbc.co.uk/religion/religions/buddhism/

Have I got a virus or something nasty on my PC?

I have done umpteen scans using AVG and Avast! and both report there
are no viruses.

Am I going nuts?

Cheers

David


Re: Have I got a virus please!)

On Fri, 16 Jan 2009 10:49:51 +0000, nospam@nospam.noway wrote:


It is suggested to run only (1) 'real-time' AV application on an operating
system.

1.Clear the (IE) temporary Internet files and the history cache.
Click 'Start' and then click 'Run'... then type (or copy/paste)
"inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK'
button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...'button, in 'Delete Browsing History' panel, click the 'Delete
all...' button then place a checkmark into the box beside 'Also delete
files and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2.Clean HDD
Click 'Start' and then click 'Run...' then type (or copy/paste) "cleanmgr"
(w/out quotation marks) into the box, then click the 'OK' button. Select
your drive (presumably WinXP (C:)) and click OK.

3.Download/execute:
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

4.Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

5.Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Additional references:

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php

For additional assistance in relation to GMER scan results consult either
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17
--or--
http://www.thespykiller.co.uk/index.php?board=3.0

CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application
MRUs, etc. ... (*Tune out the registry scanning/fixing option!*)
http://www.ccleaner.com/download/builds/downloading-slim
If Windows Defender is utilized go to Applications, under Utilities uncheck
"Windows Defender" (so it won't delete the history of WD).
If you wish, click 'Options' button the 'Settings' [check] 'Run CCleaner
when the computer starts'.
Setup CCleaner to Automatically Run Each Night in Vista or XP
http://www.howtogeek.com/howto/windows-vista/setup-ccleaner-to-automatically-run-each-night-in-vista-or-xp/

Got SP3 yet?
Why Service Packs are Better Than Patches.
http://www.microsoft.com/technet/archive/community/columns/security/essays/srvpatch.mspx?mfr=true

Good luck :)

Re: Have I got a virus please!)

@operamail.com says...

Kayman - you should really link to their download page so that people
can read about their product. Linking to an exe file teaches people to
click on things that could be malicious with .exe extensions.

By linking to the following http://www.malwarebytes.org/mbam.php the
reader will be taken to a page that shows the product information,
download button, and even possibly a BUY or DONATE link to help the
author of quality software stay in business - a direct link to the exe
does not provide any benefit and teaches people to trust links to exe
files.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: Have I got a virus please!)




Is there any difference between linking to a PHP file or an exe ?



Re: Have I got a virus please!)

GJ wrote:

[Leythos wrote:]

Now that's a hard question to answer...   :-/

The "PHP file" is a web page. It explains the program.
The .exe file is a direct Windows executable file.

--
   -bts
   -Friends don't let friends drive Windows

Re: Have I got a virus please!)

someone@microsoft.com says...

Yep, an exe may run on their system without much other explanation; a PHP
or ASP, or HTML file would take them to a PAGE that might contain
something bad, but it's bad form to provide direct links to EXE/COM/BAT
files - it also subverts the owner's right to inform people of the
product.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: Have I got a virus please!)

On Fri, 16 Jan 2009 11:30:53 -0500, Leythos wrote:
 

You really should mind your own fricken business!
I intensely dislike braggarts, purists, wishful moralists, born-again
Christians, self-appointed wannabe net-cops (i.e. hypocrites) especially
the ones who are sitting on that imaginary high horse.
 

It doesn't seem to perturb the makers of this software.  
The authors of mbam can withdraw the direct download link at their will and
at any time.


Your presumptuousness is staggering!

http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
--and--
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
--or--
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

The above cited links do provide immense benefit for users in need!


They can trust the links I post[Period]!

Since you're acting as a mouth piece you may wish to contact the
author/owner of:
http://www.bleepingcomputer.com/malware-removal/remove-spyware-guard-2008
and berate them as well.
OAO

Re: Have I got a virus please!)

@operamail.com says...

No high horse, just years of experience where people like you teach
people to compromise their computers by following bad practices.

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

The above links to the actual program don't provide the authors site
information, they just provide a quick download without the person
actually seeing the SITE content.


Why? How do they know you're any more trusted than anyone else?


It was a suggestion, one you took as an attack and then attacked me for.

Posting links to exe files is a bad thing - it teaches people that exe
files are not to be suspect; too bad you can't see that over your own
ego.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: Have I got a virus please!)

Kayman wrote:
[snip]

'they can trust me because i say so!'

wow, all leythos was doing was pointing out that you were taking
advantage of a lack of healthy skepticism rather than fostering such...

maybe if you don't like self-appointed 'important people' you shouldn't
act like one yourself...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Have I got a virus please!)

Yes, you have a redirection virus.
I had this around October and it required a complete reinstallation of my
system.

There are forum messages with solutions but they seem to be very involved
and not very systematic, suggesting you install one virus cleaner after
another until it goes, but respondees usually said it didn't work.

This virus actually gets into your router too and changes the settings. If
you go into a command box and type ipconfig you usually find that instead of
your local IP address being 192.168.0.2 or similar, the last part will be a
high number like 231 instead of 2. Your DNS settings will also be different.

You need to reset your router and change the password to something tricky.

I think it depends on finding the password left at the manufacturers
default.

Then you need to rebuild your system to be completely free of it.

Here is a more recent forum note which might help

http://www.techspot.com/vb/topic116002.html

GJ



Re: Have I got a virus please!)



H,

Many thanks for these answers. I freely admit 99% of this is way
beyond me

Firstly, I have a modem - NETGEAR - is this infected?
Secondly, would I solve the problem by reformatting the HD and
reinstalling XP?

Thanks

Re: Have I got a virus please!)

nospam@nospam.noway wrote:


Did you mean a router?  Be sure to set the admin account with a strong
password. You might want to reset it to its default settings (there's a
little button for that - see documentation), then immediately add the
password.


That's one way. Unfortunately, you will still be stuck with an
infectible computer, if you don't immediately begin to practice Safe
Hex.

--
   -bts
   -Friends don't let friends drive Windows

Re: Have I got a virus please!)


On Fri, 16 Jan 2009 11:57:23 +0000, nospam@nospam.noway wrote:



It's probably massive overkill to do a full reinstall and it's very
unlikely to require such a measure to get rid of the problem.

If you don't have any success with malwarebytes or other such
programs, it's fairly easy to check DNS settings and for spurious
running processes manually. You can always ask a friend to do it if
you don't feel comfortable doing it yourself.

Download autoruns and process explorer from sysinternals
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Run process explorer first to find and stop offending running
processes, then run autoruns which monitors automatic startups and
clear out anything that looks suspicious from there.

It's very unlikely that the router is causing the problem if, as you
said, an old pc doesn't get re-directed in the same way. However, I
would still switch upnp off on the router unless you specifically need
it for something.


Jim.


Re: Have I got a virus please!)

Sadly, yes. I checked your blood work and it appears that you do. I am
going to refer you to your PCP as soon as possible.

Come back in three months.

Otis

Re: Have I got a virus please!)

nospam@nospam.noway wrote:

You have the Google redirect virus which I've also just got rid of. It
wasn't very hard to remove but I'm damned if I can remember exactly what I
did because I was also working on the much more tricky undeletable DLL file
trojan in the thread above. On my pc it reset the default page in IE to
google rather than blank and gave the same redirect to spam websites problem
as you're getting. That also makes it a bit hard to search for solutions in
Google :) I found that going to Google's own cached pages worked better than
trying the main links.

Look in the windows\system32 directory and see if you have a file with a
name similar to "__c007c321.dat".

That's two underscore characters followed by the alpha numeric code which I
suspect is not the same in every infection. I think Malwarebytes sorted it
out. You'll find plenty of forum threads about it if you search for "google
redirect virus". It's been knocking around in various forms for years.
--
Dave Baker
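A defender-side check that covers two indicators raised in this thread, GJ's ipconfig observation (DNS servers that no longer point where the home router would) and Dave Baker's "__c007c321.dat" file in system32. This is an added example, not code from any poster; the sample ipconfig output and directory listing are constructed, the function names (parse_ipconfig, rogue_dns, suspicious_dat_names) are my own, and it assumes the router on the LAN is the legitimate resolver unless you pass other trusted addresses.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output, not taken from the thread.
# Its DNS servers sit outside the home LAN, the symptom GJ describes;
# 203.0.113.0/24 is an RFC 5737 documentation range, not a real resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.231
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 203.0.113.5
                                            203.0.113.6
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Shape of the file name Dave Baker describes: two underscores, a code, .dat
DAT_NAME = re.compile(r"^__[0-9a-z]+\.dat$", re.IGNORECASE)


def parse_ipconfig(text):
    """Extract address, mask, gateway and the multi-line DNS server list."""
    cfg = {"dns": []}
    in_dns = False
    for line in text.splitlines():
        addrs = IPV4.findall(line)
        label = line.split(":")[0].strip(" .").lower()
        if label.startswith("dns servers"):
            in_dns = True
            cfg["dns"].extend(addrs)
        elif in_dns and ":" not in line and addrs:
            cfg["dns"].extend(addrs)  # continuation lines carry more servers
        else:
            in_dns = False
            for key in ("ip address", "subnet mask", "default gateway"):
                if label.startswith(key) and addrs:
                    cfg[key.split()[-1]] = addrs[0]  # keys: address, mask, gateway
    return cfg


def rogue_dns(cfg, trusted=()):
    """DNS servers that are neither on the LAN nor in a caller-supplied set."""
    lan = ipaddress.ip_network(f"{cfg['gateway']}/{cfg['mask']}", strict=False)
    return [d for d in cfg["dns"]
            if ipaddress.ip_address(d) not in lan and d not in trusted]


def suspicious_dat_names(filenames):
    """Names shaped like the '__c007c321.dat' file Dave Baker mentions."""
    return sorted(n for n in filenames if DAT_NAME.match(n))
```

On a real machine, feed `rogue_dns` the output of `ipconfig /all` and `suspicious_dat_names` the names from `os.listdir` of the system32 directory; a match is a reason to investigate, not proof of infection on its own.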