chrissib - Posted February 23, 2012

I recently thought I was having a problem with Internet Explorer, as the links listed in search engines were not working. When I click the blue underlined highlighted links, I either get misdirected to some other obscure sponsored-type links or other search entities, or completely different pages, or sometimes I am just left hanging with errors. I thought after reading up that this might be a problem with IE8, but after ditching this and trying Firefox, the same thing is happening again. I have used virus checkers and they have supposedly cleaned up the system, but the problem still occurs. The only way I can get around the problem is to ignore the links and cut and paste the actual URL into a web page. This then goes directly to the page in question. I have a feeling there is some kind of option in play here which should be turned off, but any help would be appreciated.
KenB - Posted February 23, 2012

If you are getting redirected then this could be malware on your system.

Download MBAM from here: click on "Products" - you want the free version. (click here) You may get redirected to a mirror site - this is OK.

Install > Update > Run

It will produce a log in Notepad. Copy all of this and post it here please. We may need to ask one of our security experts to take a look.
Starbuck - Posted February 23, 2012

Quoting chrissib: "I have used virus checkers and they have supposedly cleaned up the system, but the problem still occurs."

What programs did you use and what was found?
chrissib (thread author) - Posted February 26, 2012

OK, the 2 problems may be related technically, but they are not on the same machine. The internet problem where I am getting redirected or errored is on a PC, and the drivers / network card not recognized issue is on a laptop. I used MBAM to virus check, found some stuff, but still get the redirection or errors (on my PC), and I still have the driver / network card issue on my laptop.
KenB - Posted February 26, 2012

Quoting chrissib: "I used MBAM to virus check, found some stuff, but still get the redirection or errors (on my PC)"

I didn't suggest that MBAM would solve your problem. It would be helpful if you posted the log so that our security staff could see what is on your system.
chrissib (thread author) - Posted February 27, 2012

Last scan log:

Malwarebytes Anti-Malware 1.60.0.1800
http://www.malwarebytes.org

Database version: v2012.02.18.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Lissadell :: CHRIS-9991AD7BA [administrator]

18/02/2012 14:33:15
mbam-log-2012-02-18 (14-33-15).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 791274
Time elapsed: 2 hour(s), 59 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 9
HKCR\CLSID\{CC0B082D-A7FB-11D3-BC35-00C04F79E594} (Virus.Ramnit) -> Quarantined and deleted successfully.
HKCR\TypeLib\{5328A245-A8B6-11D3-BC35-00C04F79E594} (Virus.Ramnit) -> Quarantined and deleted successfully.
HKCR\MsoLang.LanguageResources.1 (Virus.Ramnit) -> Quarantined and deleted successfully.
HKCR\MsoLang.LanguageResources (Virus.Ramnit) -> Quarantined and deleted successfully.
HKCR\CLSID\{CD000001-8B95-11D1-82DB-00C04FB1625D} (Virus.Ramnit) -> Quarantined and deleted successfully.
HKCR\CDO.Message.1 (Virus.Ramnit) -> Quarantined and deleted successfully.
HKCR\CDO.Message (Virus.Ramnit) -> Quarantined and deleted successfully.
HKCR\TypeLib\{CD000000-8B95-11D1-82DB-00C04FB1625D} (Virus.Ramnit) -> Quarantined and deleted successfully.
HKCR\Interface\{CD000020-8B95-11D1-82DB-00C04FB1625D} (Virus.Ramnit) -> Quarantined and deleted successfully.

Registry Values Detected: 23
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{49821817-80DE-B02F-52E8-9AEF007C13E4} (Trojan.Cryptbel.Gen) -> Data: "C:\Documents and Settings\Lissadell\Application Data\Ybozbo\geubgoz.exe" -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOSTYLE.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\1033\MSOLANG.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFKODAK.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFPCX14NU.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFPDF14NU.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFPNG14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLTDIS14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLTFIL14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLTKRN14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLTWVC14NU.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\VC9.0_XERCES-C_2_8.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFBMP14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFCMP14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFFAX14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFFPX14NU.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFGIF14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPLFJBG14NU.DLL (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\HP\DIGITAL IMAGING\HELP\PLAYER\FLASHPLA.EXE (Virus.Ramnit) -> Data: 2 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CDO\CDOEX.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\REFERENCE TITLES\MSREFTL.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Lissadell\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Lissadell\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 50
C:\Documents and Settings\Lissadell\Application Data\Ybozbo\geubgoz.exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Office\Office10\BIDI32.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Office\Office10\MSOSTYLE.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Office\Office10\WDBIMP.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Office\Office10\1033\MSOLANG.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\atl71.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplfkodak.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplfpcx14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplfpdf14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplfpng14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hpltdis14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hpltfil14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hpltkrn14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hpltwvc14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\libexpatw.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\vc8_xerces-c_2_7.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\vc9.0_xerces-c_2_8.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplfbmp14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplfcmp14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplffax14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplffpx14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplfgif14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\bin\hplfjbg14nu.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\HP\Digital Imaging\help\player\FlashPla.exe (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\AVG\AVG2012\avgmfapxmgr.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Microsoft Shared\CDO\CDOEX.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Microsoft Shared\Office10\UCS20.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Microsoft Shared\Proof\MSTHES3.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSREFTL.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Esl\AiodLite.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\Acrofx32.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\AdobeLinguistic.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\AdobeXMP.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\adobe_epic.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\adobe_eula.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\AGM.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\ahclient.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\AXE8SharedExpat.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\AXSLE.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\BIB.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\BIBUtils.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\CoolType.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\icucnv34.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\JP2KLib.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\rt3d.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lissadell\Local Settings\Temp\1EB.tmp (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lissadell\Local Settings\Temporary Internet Files\Content.IE5\L0B40Y0B\pp[1].exe (Spyware.Password) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lissadell\Local Settings\Temporary Internet Files\Content.IE5\L0B40Y0B\scandsk[1].exe (Trojan.FakeAlert.FS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lissadell\Local Settings\Temporary Internet Files\Content.IE5\XUBTATUQ\mt77[1].exe (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lissadell\Local Settings\Temporary Internet Files\Content.IE5\XUBTATUQ\sony[1].exe (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.

(end)
KenB - Posted February 27, 2012

You have quite a few problems here. Our security experts are going to be busy.
Starbuck - Posted February 27, 2012

Quoting KenB: "Our security experts are going to be busy."

Actually we won't. I'm sorry to have to tell you this, but this system is now a lost cause.

As you can see from the MBAM report, you have a Ramnit infection. This infects many of your programs as well. This can also be seen in the report. This infection is near on impossible to remove manually because of all the extra programs it infects. The only course of action is a full reformat and a reinstall of the operating system.

You should also change any passwords you have saved on this system.... especially if you do any type of online banking or online payments. Stealing your passwords is what this infection is all about.

Win32/Ramnit is a family of multi-component malware that infects Windows executable files, Microsoft Office files and HTML files. Win32/Ramnit spreads to removable drives, steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker.

So it's best not to try and save anything that isn't backed up already. Even then, if your removable drives are infected.... so could any backups.

Because this infection has the ability to infect your Windows .exe files..... trying to manually remove it may make the system unbootable.
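As an added example (not from the thread or from Malwarebytes), the following Python parser reads the one-entry-per-line MBAM 1.x log format posted above, tallies detections per threat name, pulls out the Run-key autoruns, and flags file-infector hits on program files, which is the evidence Starbuck's rebuild recommendation rests on; the sample log, its paths and its user name are constructed, and the "Virus." prefix is taken here as MBAM's label for file infectors.

```python
import re
from collections import Counter

# Constructed sample (not the thread's log) in the same one-entry-per-line
# format MBAM 1.x uses; paths and user name are made up.
SAMPLE_LOG = r"""
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\User\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\EXAMPLE\EX.DLL (Virus.Ramnit) -> Data: 1 -> Quarantined and deleted successfully.
Files Detected: 3
C:\Program Files\Example\ex.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Reader 8.0\Reader\AGM.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\1EB.tmp (Trojan.Cryptbel.Gen) -> Quarantined and deleted successfully.
"""

# Entry shape: <item> (<ThreatName>) -> [Data: <value> -> ]<action>.
ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)
HIVES = {"HKCR", "HKCU", "HKLM", "HKU"}

def parse_entries(text):
    """Return one dict per detection line; section headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            d = m.groupdict()
            d["is_registry"] = d["item"].split("\\")[0] in HIVES
            entries.append(d)
    return entries

def summarize(entries):
    """Tally detections and decide whether the machine should be rebuilt."""
    by_threat = Counter(e["threat"] for e in entries)
    # A "Virus." hit on a file (not a registry key) means a legitimate program
    # binary was patched by the malware; quarantine deleted it rather than
    # repairing it, so the program is now broken and the host untrustworthy.
    infected_files = [e["item"] for e in entries
                      if e["threat"].startswith("Virus.") and not e["is_registry"]]
    # Run-key values record what was set to launch at logon and from where.
    autoruns = [(e["item"].rsplit("|", 1)[-1], e["data"]) for e in entries
                if e["is_registry"] and "\\Run|" in e["item"]]
    return {
        "by_threat": by_threat,
        "infected_files": infected_files,
        "autoruns": autoruns,
        "rebuild_recommended": bool(infected_files),
    }
```

Feed the text of a real log to `parse_entries` and the summary's `rebuild_recommended` flag turns on as soon as any file-infector hit lands on a file outside the registry.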