Getting Redirected to

Anytime I click a link brought to me by a search engine such as Google or Yahoo, I get redirected to which then redirects me to some apparently random page. What do I do about this? I realize I haven’t given you much to go on, so please ask away.

Welcome. :slight_smile:

What web browser are you using? This looks like typical malware behavior. You might want to check this page out.

I’m using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009060215 Firefox/3.0.11

Should I be concerned about typing passwords?

Until you are sure it’s not something else, I would be. It’s always better to be safe than sorry. What security software are you currently using?

I have Comodo CIS that I installed yesterday after I found this problem. It found three problem files and deleted them.

Do a system scan with SUPERAntiSpyware or Malwarebytes’ Anti-Malware. Or both.
They are free for personal use.

I did a scan with SUPERAntiSpyware. It found 50 tracking cookies, 3 rootkits, a trojan, and a Cydoor cookie. Malwarebytes’ Anti-Malware is running now and it found 5 infected objects within the first minute. BitDefender keeps failing to start.

All three of them and SafeSurf had problems updating. SUPERAntiSpyware and Malwarebytes’ Anti-Malware eventually were able to update.

Did the scan by Malwarebytes’ Anti-Malware finish? Is the redirection gone?

When having a lot of stuff on your computer it is wise to try a bunch of scanners (I recently found five pieces of malware using four scanners on one of my housemate’s computers). Try the following in addition:
BitDefender online scan: Bitdefender Free Antivirus - Download Software for Windows
Spybot Search and Destroy: Download Spybot Search and Destroy for Windows -
a-squared Free (beware of false positives; let it quarantine all it finds):

What version of Comodo are you running? When you are running 3.9 you can uninstall SafeSurf, as the BO protection is now integrated in v3.9.

Malwarebytes got rid of it. Log:

Malwarebytes’ Anti-Malware 1.37
Database version: 2290
Windows 5.1.2600 Service Pack 3

6/16/2009 10:17:58 PM
mbam-log-2009-06-16 (22-17-58).txt

Scan type: Full Scan (C:|D:|H:|)
Objects scanned: 429572
Time elapsed: 3 hour(s), 33 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) → Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmena (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} (Adware.NetPumper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} (Adware.NetPumper) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} (Adware.NetPumper) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmenadrv (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmenadrv (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Downloader) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar{c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} (Adware.NetPumper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks{c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} (Adware.NetPumper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{c4225628-e1f3-4fd1-ab0b-b24c84bcf12f} (Adware.NetPumper) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\podmena (Trojan.Downloader) → Delete on reboot.

Files Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) → Delete on reboot.
c:\documents and settings\bobo\local settings\temporary internet files\Content.IE5\HRNKSKLJ\pdrv[1].exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\documents and settings\bobo\local settings\temporary internet files\Content.IE5\HRNKSKLJ\pdrv[2].exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\program files\d’accord_music_software\tbD’Ac.dll (Adware.NetPumper) → Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv551243194785.exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\program files\podmena\podmena.sys (Trojan.Downloader) → Quarantined and deleted successfully.
c:\documents and settings\bobo\Start Menu\Programs\Startup\rncsys32.exe (Trojan.Agent) → Delete on reboot.
c:\documents and settings\bobo\Application Data\wiaserva.log (Malware.Trace) → Quarantined and deleted successfully.
c:\WINDOWS\zaponce53290.dat (Worm.Koobface) → Quarantined and deleted successfully.
c:\WINDOWS\zaponce53652.dat (Worm.Koobface) → Quarantined and deleted successfully.

As there was a lot of malware, you could post a HijackThis log, which would show whether anything is left now.

Click here to download HJTsetup.exe and download the installer.
- Save HJTsetup.exe to your desktop.
- Double click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Click on the “Do a system scan and save a log file” button. It will scan and then the log will open in Notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Done. Here is the result.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:07 AM, on 6/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\livePCsupport\ELPS.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\RSSoft\RedSwoosh.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ 3\program\soffice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ 3\program\soffice.bin
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: NetAnts.IE.Monitor - {57E91B41-F40A-11D1-B792-444553540000} - C:\Program Files\NetAnts\AntAPI.dll
O2 - BHO: Comodo VerificationEngine Browser Helper NEW - {a968a4b4-c492-4834-b651-17602c3885c8} - C:\Program Files\Comodo\VEngine\VEngineIE32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [COMODO SafeSurf] “C:\Program Files\COMODO\SafeSurf\cssurf.exe” -s
O4 - HKLM..\Run: [COMODO livePCsupport] C:\Program Files\COMODO\livePCsupport\ELPS.exe
O4 - HKLM..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender10\bdmcon.exe” /reg
O4 - HKLM..\Run: [BDAgent] “C:\Program Files\Softwin\BitDefender10\bdagent.exe”
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: 3.0.lnk = C:\Program Files\ 3\program\quickstart.exe
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
O9 - Extra ‘Tools’ menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O15 - Trusted Zone:
O15 - Trusted Zone: *
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) -
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c9e433b497fa76) (gupdate1c9e433b497fa76) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (livesrv) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (vsserv) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS
O23 - Service: BitDefender Communicator (xcomm) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

End of file - 7191 bytes

Presumably you are unable to run Windows Update?

The solution to what is showing in your log involves removal of a rootkit and editing of your registry and any mistake could make your computer unbootable.

Unless you have the experience to do this, I would suggest you post on a specialised HijackThis help forum where they have trained registry editors to guide you through.

Windows Update shows up every once in a while. I haven’t seen it recently. HijackThis is saying that I can’t run it?

Go to your start menu and try to run Windows Update.

When I click Windows Update, all I get is an hourglass cursor for a few seconds.

That is because the registry paths to Windows Update and BITS have been corrupted by malware, which is what I found from reading your log.

You need to do what I said before; you can PM me for a recommendation for a help forum if you like.

Otherwise you have Comodo Live PC Support available so why not ask them about it?

As this is not a well known malware problem they may not recognise it immediately, so you could link to this topic and I can provide more information if needed.
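The damaged BITS and Automatic Updates entries in the HijackThis log above (their O23 lines end in a bare `C:\WINDOWS` instead of a service binary) can be spotted mechanically. The script below is an added example, not code from the thread or from HijackThis: it parses O23 lines and flags services whose path is a directory rather than an executable, or whose binary HijackThis reports as missing. The sample lines are constructed to mirror the log; the assumption that BITS and wuauserv normally run under svchost.exe is mine.

```python
import re

# Constructed sample O23 lines, modelled on the HijackThis log in this thread.
SAMPLE_O23 = """\
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\\Program Files\\Common Files\\Softwin\\BitDefender Scan Server\\bdss.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\\WINDOWS
O23 - Service: BrlAPI - Unknown owner - C:\\cygwin\\bin\\cygrunsrv.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\\WINDOWS
"""

# HijackThis O23 layout: "O23 - Service: <display name> (<short name>) - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: these Windows services are hosted by svchost.exe, so a bare
# directory as ImagePath means the registry entry was damaged or replaced.
SVCHOST_HOSTED = {"BITS", "wuauserv"}


def short_name(display):
    """Return the short service name in trailing parentheses, else the display name."""
    m = re.search(r"\(([^()]+)\)\s*$", display)
    return m.group(1) if m else display


def check_o23(log_text):
    """Return (service, reason) pairs for O23 entries that look broken."""
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name = short_name(m.group("display"))
        path = m.group("path")
        if path.endswith("(file missing)"):
            findings.append((name, "service binary missing on disk"))
        elif not re.search(r"\.(exe|dll|sys)(\s|$)", path, re.I):
            reason = "ImagePath is a bare directory, not an executable"
            if name in SVCHOST_HOSTED:
                reason += "; expected svchost.exe, so Windows Update/BITS cannot start"
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for service, reason in check_o23(SAMPLE_O23):
        print(f"{service}: {reason}")
```

Paste the O23 section of a real log into SAMPLE_O23 to triage it; "file missing" hits from uninstalled software (like BrlAPI here) are leftovers, while damaged core services are the ones that stop Windows Update.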