Browser redirect, yes another one

By Raisen
Sep 30, 2008
  1. Within the past week or so, I’ve been getting redirected whenever I click on the links in my search. It usually links me to ads like working from home, or buying things… and sometimes I usually get sites that try to trick me into downloading whatever it is I’m looking for… But as of lately, it’s been getting worse like timing me out of webpages and such. I did the steps required and it’s still going on.
    Also while scanning for viruses with AntiVir, it picked up two things. One called Agent.B Exploit, and Infected.WebPage.Gen… Anyway, any help is appreciated, thanks!
  2. SpiritWind

    SpiritWind TS Rookie Posts: 164

    Hi :

    The 1st thing I noticed is that you did NOT allow Malwarebytes' Anti-Malware to do
    its job since the Scan results say "No action taken" . So run the program again
    ( "Full Scan" ) and When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, & click "Remove Selected" .

    The 2nd thing I noticed is that you seem to have 2 different antiVIRUS programs
    "running", a security no-no . Since you apparently want AntiVir, you should follow
    the Instructions at .

    3rd : You have the malware-prone Adobe Reader. Recently, Researchers found a new hackertoolkit that uses nothing but Adobe securityleaks in order to infect systems. "PDF Xploit Pack" ( )adds all kind of exploits to PDF-files. When a certain exploit has successfully infected the OS, the IP address is sent to the attackers, so they need to try again. This to reduce the time it takes to manage the bots.

    Use of PDF-files is becoming more and more popular among malcreants, this because other toolkits also have PDF exploits now. A year ago only 3% of the exploits were PDF directed.

    So I recommend you uninstall Adobe and get the safer "Foxit Reader" .

    4th : Your Log shows the Presence of the Bit Comet P2P program; the use of
    these QUADRUPLES the Chances of getting malware on a computer . I
    recommend you uninstall this program and IF you must use a program like this,
    Choose "Shareaza" from .

    Lastly : I see a few "Viewpoint" Items, and unless you use AOL as your ISP, they
    should be uninstalled, primarily from your "Add or Remove Programs" .
  3. Raisen

    Raisen TS Rookie Topic Starter

    Okay well, I ran MBAM again and removed whatever it found. I thought I did that before but I guess not. Anyway... I restarted my comp and when it was starting up AntiVir found something... about 12 of these popped up, "RKIT/Clbd. KR" So I moved it to quarantine and removed it. Just thought I mention that...

    Anyway, I did what you asked, and attached another MBAM/HJT log. Thanks for the help so far!
  4. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    hi raisen :wave:

    figured you deserved the Welcome To Spot wave being knew here.

    Also see why you came!

    If i may suggest, the best approach to your problem is to go through a process which does a thorough scrub of your machine. if u go to look at UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Walk through each step and when done post all the logs back. yoiu can put them in txt files and attach to a post.
  5. momok

    momok TS Rookie Posts: 2,265

    O4 - HKLM\..\Policies\Explorer\Run: [notepad.exe] msmsgs.exe

    This looks extremely fishy. I would highly recommend fixing it.
  6. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    Same proxy issue associated with Ads
    momok, what do you think about the above?

    I would love to see the settings for this section of the registry
    What is this?
    Do the following:

    Reset IE Settings to default


    Tools > Internet Options > Programs tab > Click reset web Settings.

    Please install IE7
  7. momok

    momok TS Rookie Posts: 2,265

    HijackThis detects settings for various areas during a system boot. I've did some research on that; that setting is at best harmless. (My system has that set too, just not on bootup. You can check your own registry too) Proxies are often used in anonymizing web surfing or content filtering; whilst I don't know for sure why that setting seems to be often enabled in such infections, it remains harmless.
    Thus I see no need to fix that entry.

    The Aura.exe is simply HJT running, but renamed.
  8. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    Yeah I have checked my registry and have seen the proxy setting, but it doesn't show up n my logs, well I guesss there is no point in beating a dead horse.

    Why is Hijackthis.exe renamed to Aura.exe ?
  9. Raisen

    Raisen TS Rookie Topic Starter

    I renamed HJT because I read somewhere that certain things can hide from it, because they recognize the program being executed. Anyway, I removed what you said and things seem to be smoothing out. The redirects have stopped, which is always a good thing.

    As for the whole IE thing, I've been using Firefox for a while now and have only been using IE for the sole purpose of during the whole event, it was the only browser that would connect to the site. Now that it's over... or so I think... I use Firefox for everything else.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...