
Redirected from one website to another

G'day

I was redirected to this website:

[Removed]

Also, here is my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:13 PM, on 09/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MTS Accelerator\PropelAC.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allan\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\MTSACC~1\PRPL_I~1.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VSOSplash] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" 103 vsoui.dll::splash.htm
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\MTS Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\MTS Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\MTS Accelerator\pac-image.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099066353671
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179861932625
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FAD686F-D3DC-4B9E-8188-AA215618B268}: NameServer = 142.161.130.154 142.161.2.154
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: comHost - Symantec Corporation - C:\Program Files\Norton Internet Security\AddOns\Norton Security Inspector\Engine\5.0.0.24\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 10345 bytes

[edit: Please do not post hazardous links per the Participation Guidelines and Terms of Service.]

Message Edited by shannons on 05-09-2009 08:01 PM
Computer #1 - Windows 7 Home Premium 64-bit SP1 IE11 NIS Version: 22.5.5.15 Malwarebytes`Anti-Malware - free (on demand) SAS - free (on demand) #2 - Windows 7 Home Premium 64-bit SP1 IE11 NIS Version: 22.5.5.15 Malwarebytes`Anti-Malware - free (on demand) SAS - free (on demand)

Replies


Re: Redirected from one website to another

<< I was redirected to this website >>

 

As a matter of interest, by whom were you directed here?

Hugh

Re: Redirected from one website to another

G'day huwyngr,

This morning, I was checking out a few websites, then was suddenly redirected to this website 'A' below:

'A' [Removed]

Within a few seconds of being on the redirected website 'A' above, it showed 6-plus infections/trojans on some kind of meter.

 

I shut it down fast, and did Full System Scans with:

NIS 2009

Malwarebytes

SAS

 

[edit: Please do not post links to hazardous websites per the Participation Guidelines and Terms of Service.]

Message Edited by shannons on 05-09-2009 08:04 PM

Re: Redirected from one website to another

Bowwie:

Please do not post links to these kinds of sites.  It would be most appropriate to send this information to Symantec using the appropriate venues.

http://www.threatexpert.com/submit.aspx

https://submit.symantec.com/websubmit/retail.cgi

Under certain circumstances profanity provides relief denied even to prayer. (Mark Twain)

Re: Redirected from one website to another

OK I understand now -- hang on since we have some good helpers on HiJackThis.

Would you click on NIS 2009's Help / About and give the version ID -- formatted like nn.nn.nn.nnn

Thanks.

Hugh

Re: Redirected from one website to another

Thanks -- I didn't think of the dangers .... I've flagged it.
Hugh

Re: Redirected from one website to another

Hi

The link posted in post one is a site trying to get you to download a slightly new variant of Rogue.PersonalAntivirus. It looks different from the one on Bleeping PC.

Just installed; it says I have over 3000 infections, hahaha.

With HijackThis, remove these (tick beside each):

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

Now, Click "Fix Checked"

I am going to update Malwarebytes and run a full scan to see if that removes the program.

Quads 


Re: Redirected from one website to another

Hi

There could be a file active when you are using your browser, so you should clean out your browser cache/temp files; you could use something like CCleaner.

Malwarebytes does detect the malware under different names when I updated the definition database and ran a Full Scan:

"Trojan.fakealert", 2 registry entries (one being a BHO) and a file in the "System32" folder

"Rogue Installer", one in the browser cache

"Rogue.Personal.Antivirus", 5 files

I haven't got there yet, but it could also be possible that there are entries in the "Hosts" file.

Added on:

SuperAntispyware detects the browser hijacker and rogue security program as:

Rogue.PersonalAntiVirus

[PAV] D:\PROGRAM FILES\PAV\PAV.EXE

D:\PROGRAM FILES\PAV\PAV.EXE

D:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PAV\PERSONAL ANTIVIRUS.LNK

D:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PAV\UNINSTALL.LNK

D:\DOCUMENTS AND SETTINGS\JOHN\DESKTOP\PERSONAL ANTIVIRUS.LNK

D:\PROGRAM FILES\COMMON FILES\UNINSTALL\PAV\UNINSTALL.LNK

D:\WINDOWS\Prefetch\PAV.EXE-149E87F9.pf

Browser Hijacker.FakeAlert/SHCWC

HKLM\Software\Classes\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}

HKCR\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}

HKCR\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}

HKCR\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}\InprocServer32

HKCR\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}\InprocServer32#ThreadingModel

D:\WINDOWS\SYSTEM32\WINEXPLORER.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E59498D-7E44-4452-9044-0973B080B9E8}

HKU\S-1-5-21-484763869-1275210071-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E59498D-7E44-4452-9044-0973B080B9E8}


Quads 

Message Edited by Quads on 05-10-2009 02:12 PM
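An added example, not code from any poster in this thread and not a HijackThis feature: a small rule-based triage pass over HJT log lines of the kind posted above. It flags the entry types that matter in a rogue-AV case: an O2 BHO whose CLSID matches the one SAS reported (the CLSID {2E59498D-...} is taken from Quads' SAS output), any BHO loading from the Windows directory rather than Program Files, O4 Run entries that name a bare executable and so depend on the search path, O17 NameServer values outside an expected set, O20 Winlogon Notify packages, and O23 services whose binary is missing. The sample log is constructed from lines in the posted log plus one O2 line built from the SAS detection; the poster's own log did not contain that BHO entry. The expected-DNS set is an assumption you must supply from the ISP or router. The R1 ProxyServer entry (localhost:8080) is reported for review rather than as malicious, since the log also shows the MTS Accelerator, a local web-accelerator proxy that plausibly accounts for it.

```python
"""Rule-based triage of HijackThis (HJT) log lines.

Added example for this thread; not a HijackThis feature and not any poster's code.
"""
import re
from typing import Dict, List, Set

# CLSID of the BHO that SAS reported in this thread (Browser Hijacker.FakeAlert/SHCWC).
KNOWN_BAD_CLSIDS: Set[str] = {"{2E59498D-7E44-4452-9044-0973B080B9E8}"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK\S*\\Run: \[[^\]]*\] (?P<target>.+)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")

# Constructed sample: lines copied from the log posted in this thread plus one
# O2 line built from the SAS detection (the poster's log had no such BHO entry).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: (no name) - {2E59498D-7E44-4452-9044-0973B080B9E8} - C:\WINDOWS\system32\WINEXPLORER.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FAD686F-D3DC-4B9E-8188-AA215618B268}: NameServer = 142.161.130.154 142.161.2.154
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""


def _finding(rule: str, severity: str, line: str) -> Dict[str, str]:
    return {"rule": rule, "severity": severity, "line": line}


def _in_windows_dir(path: str) -> bool:
    # Legitimate BHOs ship under Program Files; a DLL under \WINDOWS\ is a classic hiding spot.
    return re.match(r"^[a-z]:\\windows\\", path.strip('"').lower()) is not None


def triage(log_text: str, expected_dns: Set[str]) -> List[Dict[str, str]]:
    """Apply one rule per HJT entry type and return the findings in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1" and ",ProxyServer = " in body:
            # Any configured proxy deserves a look; here it may be the MTS Accelerator.
            findings.append(_finding("proxy-configured", "review", line))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            if b.group("clsid").upper() in KNOWN_BAD_CLSIDS:
                findings.append(_finding("known-bad-bho-clsid", "high", line))
            elif _in_windows_dir(b.group("path")):
                findings.append(_finding("bho-loaded-from-windows-dir", "high", line))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                target = r.group("target").strip().strip('"')
                # A bare file name is resolved through the search path at logon.
                if not re.match(r"^(?:[a-zA-Z]:\\|%)", target):
                    findings.append(_finding("run-entry-unqualified-path", "low", line))
        elif kind == "O17":
            n = NS_RE.search(body)
            if n and any(s not in expected_dns for s in n.group("servers").split()):
                findings.append(_finding("unexpected-nameserver", "high", line))
        elif kind == "O20":
            # Winlogon Notify packages load into winlogon.exe; always verify the vendor.
            findings.append(_finding("winlogon-notify", "review", line))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(_finding("service-binary-missing", "low", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns={"142.161.130.154", "142.161.2.154"}):
        print(f"{f['severity']:6} {f['rule']:28} {f['line']}")
```

The rules are deliberately narrow: a hit means "look at this entry", not "this is malware". The O17 rule only works if you feed it the resolvers the machine is supposed to use, and the ProxyServer hit here is explained by the accelerator software in the same log; that is why both are marked for review rather than auto-fixed.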

Re: Redirected from one website to another

Here is a screenshot of the Rogue.PersonalAntivirus that installed from the link that was in Post #1

So people in the future can maybe use it as a guide to what they may have.

Quads 


Re: Redirected from one website to another

Quads

I've performed Full System Scans with NIS 2009, SAS and Malwarebytes in Normal Mode and Safe Mode,

all came up clean.

But will look into further when I get time.

Thanks for your intellect.


Re: Redirected from one website to another

Quads,

Could you clarify something, please: It appears that in order to be infected from the page in question, you needed to manually initiate the download of the rogue program. In other words, this was not a drive-by download, and so if Bowwie merely visited the site, he probably did not pick up any malware and this is why all scans are coming up clean on his system. Is that a correct interpretation? The 6 infections Bowwie mentions were, of course, not real, but merely a ploy to make downloading the rogue program seem like a good idea.

Message Edited by SendOfJive on 05-10-2009 09:43 AM

Re: Redirected from one website to another


SendOfJive wrote:

Quads,

Could you clarify something, please: It appears that in order to be infected from the page in question, you needed to manually initiate the download of the rogue program. In other words, this was not a drive-by download, and so if Bowwie merely visited the site, he probably did not pick up any malware and this is why all scans are coming up clean on his system. Is that a correct interpretation? The 6 infections Bowwie mentions were, of course, not real, but merely a ploy to make downloading the rogue program seem like a good idea.

Message Edited by SendOfJive on 05-10-2009 09:43 AM

You can get infected just by visiting a web page, but it may be that this is not the case here, as the user's scans are coming up clean.

___________________________________

Bowwie: were you disconnected from the Internet when running the Full Scans?

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]

Re: Redirected from one website to another

Floating_Red

Yes, I was disconnected from Internet when I ran the Scans.

A friend of mine suggested I use this:

http://www.bitdefender.com/scan8/ie.html

Message Edited by Bowwie on 05-10-2009 03:29 PM

Re: Redirected from one website to another


SendOfJive wrote:

Quads,

Could you clarify something, please: It appears that in order to be infected from the page in question, you needed to manually initiate the download of the rogue program. In other words, this was not a drive-by download, and so if Bowwie merely visited the site, he probably did not pick up any malware and this is why all scans are coming up clean on his system. Is that a correct interpretation? The 6 infections Bowwie mentions were, of course, not real, but merely a ploy to make downloading the rogue program seem like a good idea.

Message Edited by SendOfJive on 05-10-2009 09:43 AM
Hi
 
The browser hijacker is detected by SAS with the latest definitions as:

Browser Hijacker.FakeAlert/SHCWC

HKLM\Software\Classes\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}

HKCR\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}

HKCR\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}

HKCR\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}\InprocServer32

HKCR\CLSID\{2E59498D-7E44-4452-9044-0973B080B9E8}\InprocServer32#ThreadingModel

D:\WINDOWS\SYSTEM32\WINEXPLORER.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E59498D-7E44-4452-9044-0973B080B9E8}

HKU\S-1-5-21-484763869-1275210071-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E59498D-7E44-4452-9044-0973B080B9E8}

It appears to download when visiting the website; that way the "online scan" can also detect and show what drives you have on your PC.

SAS updated the defs for this detection only like 2 days ago.

Yes, you are correct though: when it comes to the actual Rogue.PersonalAntivirus, you have to download and install it, which SAS detects separately. Two separate detections.

The browser hijack does not affect Google Chrome.

Quads 


Re: Redirected from one website to another


Bowwie wrote:

Floating_Red

Yes, I was disconnected from Internet when I ran the Scans.

A friend of mine suggested I use this:

http://www.bitdefender.com/scan8/ie.html

Message Edited by Bowwie on 05-10-2009 03:29 PM
 
Or you could try the Kaspersky Online Scan.
 
Quads 

Re: Redirected from one website to another


Quads wrote:

Bowwie wrote:

Floating_Red

Yes, I was disconnected from Internet when I ran the Scans.

A friend of mine suggested I use this:

http://www.bitdefender.com/scan8/ie.html

Message Edited by Bowwie on 05-10-2009 03:29 PM
Or you could try the Kaspersky Online Scan.
Quads 

Since the threat may be affecting your installed Norton product, you could try Symantec Security Check: http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&plfid=23&pkj=ONVTAFRBWQAMUJBJIDV.

Message Edited by Floating_Red on 05-10-2009 10:28 PM

Re: Redirected from one website to another

At the moment Norton does not detect the Browser Hijacker, The installed rogue, or the downloaded installer.

Quads 


Re: Redirected from one website to another

Update

When using Internet Explorer and going to the Symantec website, I got redirected to this page

And you get redirected to the PersonalAV website.

When you start browsing, the file

Trojan.Agent/Gen-WinExp

D:\WINDOWS\SYSTEM32\WINEXPLORER.DLL

D:\WINDOWS\SYSTEM32\WINEXPLORER.DLL 

becomes a running process and downloads files to the "Temporary Internet Files" folder.

SAS removes the Files and removes the running process above, having to restart the PC.  I kept IE open and did the SAS scan.

Quads 
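Quads mentioned earlier that there could also be entries in the hosts file, and the last post shows the Symantec site being redirected to the PersonalAV site. In this thread the redirect is attributed to WINEXPLORER.DLL, so a clean hosts file does not clear the machine; but rogue security products also edit the hosts file to block or redirect vendor sites, and it is a quick check worth adding. The following is an added example, not from any poster: it parses hosts-file text and flags any name other than localhost that is mapped to loopback (blocked) or to some other address (redirected), rating entries for security-vendor domains as high. The hosts content is constructed (203.0.113.7 is a documentation address), and the vendor domain list is illustrative.

```python
"""Flag hosts-file entries that block or redirect security-vendor sites.

Added example for this thread; not code from any poster.
"""
import ipaddress
from typing import Dict, List

# Illustrative list of vendor domains a rogue AV would want to cut off; extend as needed.
SECURITY_DOMAINS = (
    "symantec.com", "norton.com", "malwarebytes.org",
    "superantispyware.com", "microsoft.com", "windowsupdate.com",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample (not the poster's file): stock entries plus two hostile
# lines of the kind rogue security products add. 203.0.113.7 is a
# documentation address, not a real redirect target.
SAMPLE_HOSTS = """\
# stock entries
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com        # vendor site blocked
203.0.113.7     security.symantec.com   # vendor site sent to another host
"""


def _is_security_site(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS)


def check_hosts(text: str) -> List[Dict[str, object]]:
    """Return one finding per non-localhost mapping, with a rule and severity."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            # Not an address where one is required: malformed, but still worth a look.
            findings.append({"line": lineno, "host": parts[0], "ip": parts[0],
                             "rule": "malformed", "severity": "low"})
            continue
        for host in parts[1:]:
            if host.lower() in LOCAL_NAMES:
                continue
            vendor = _is_security_site(host)
            # Loopback or 0.0.0.0 means the name is sinkholed; anything else is a redirect.
            rule = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append({
                "line": lineno, "host": host, "ip": str(ip),
                "rule": rule, "severity": "high" if vendor else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"{f['severity']:6} {f['rule']:10} line {f['line']}: {f['host']} -> {f['ip']}")
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts, but the path TCP/IP actually reads comes from the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters; read that value first, because malware can point it at a copy elsewhere while the file in the usual location looks clean. Any medium finding for a name you do not recognise deserves the same scrutiny as a vendor hit.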
