TechSpot

Redirect from Web site - National Rail

By charlie muffin
Mar 21, 2008
  1. When I go to check train details through National Rail I get redirected with the following message:
    Sorry, we couldn't find http://req.connect.wunderloop.net/RQ/143/687/509/if?ord. Here are some related websites:

    Can someone tell me what this means? Am I infected? The last time I visited this site I had a virus which I think we managed to clear up with some patient advice from one of the crew.
     
  2. jobeard

    jobeard TS Ambassador Posts: 9,342   +622

    please post the full url you used when the error occurred.

    Here in the U.S., the one you've shown doesn't help (me at least) too much
     
  3. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    re-direct from National Rail

    Apologies,
    When I access the address below I encounter the Security Question pop-up - "you are about to view pages over a secure connection". At some point from then on, I get the redirect message.
    Sometimes I get to enter some station details but I get redirected virtually straight away. I've just tried again and I got to choose a leaving and destination and clicked search before it re-routed me.

    http://www.nationalrail.co.uk/

    the URL I posted appears on a Sony Search Page - I don't ever see one of these but I am operating from a Sony Vaio. (I'll be updating my system profile later today if that may be relevant.)
     
  4. jobeard

    jobeard TS Ambassador Posts: 9,342   +622

    hum; starting with http://www.nationalrail.co.uk/
    set From, To,
    search
    then arrives upon
    http://ojp.nationalrail.co.uk/en/pj/jp

    which is the same domain, just a different server or server alias

    this is very typical operation.

    you reported a redirection to http://req.connect.wunderloop.net/RQ...7/509/if%3Ford.
    which is very ATYPICAL

    is this 100% repeatable or just periodic?
     
  5. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    re-direct from National Rail

    Yeah, for this site, it is 100% repeatable.
    I've also updated my system specs if that helps any.
     
  6. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    re-direct from National Rail2

    need to add, the only slight inconsistency is how long it takes to redirect me.
    I don't always follow the path of adding details and searching. The redirect sometimes whisks me away before I get the chance to enter any details.
     
  7. jobeard

    jobeard TS Ambassador Posts: 9,342   +622

  8. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

  9. 1Bruce

    1Bruce TS Rookie

    Hi .
    I am having exactly the same experience - I have McAfee working, tried Spyware Doctor and now trying ZoneAlarm. I understand it's a site that records and traces site interests but I have still to get rid of it!
     
  10. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    re-direct from National Rail

    ok, cleansing results, by actions required.
    I've already gone through these processes to remove some dodgy virus (see previous threads) so followed all steps before and retained all free stuff to keep safe.

    1 - disabled Zone alarm etc.
    2 - already running AVG and Zone Alarm - checked versions ok
    3 - Online scanner - detected vulnerabilities and HTTP Cookies fixed
    4 - version of HJT up to date and called Crusty so skipped 4 and 5
    5 - as above
    6 - same as HJT, 6,7,8 and 9 ensured hold latest versions
    7 -
    8 -
    9 -
    10 - followed the 3 tools download
    11 - Panda Antirootkit - clean
    12 - Combofix file attached
    13 - dss - conflicting instructions here, the thread asks for the files to be attached (main and extra) however the last step clearly doesn't want any damn extra files. I've attached them, ignore if not appropriate.
    14 - ran SS&D, Adware personal se and AVG Antispyware - AVG file attached
    15 - ran HJT - file attached

    Tried accessing the National Rail URL with the same results.
     
  11. 1Bruce

    1Bruce TS Rookie

    Hi
    Clearly we tried along same lines. One Wunderloop web page says ... have not enabled Javascript... Maybe National Rail want this information reported! Yahoo was the same. Anyone know of any other sites. Nearer to a solution?
     
  12. kritius

    kritius TS Guru Posts: 2,084

    It's no big deal, just looking over your logs now, I'll post back later.

    teatimer
    Please disable Teatimer as it may interfere with the fix.

    First:
    • Right click on Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your system for the changes to take effect.
    This will be enabled when the system is clean

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:
    Will depend on what HJT interface you are using.
    If yours opens with the Main Menu go to step 3 (untick "Show this window when I start HijackThis" to have HJT open with the scan window)
    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Attach that here for me please.

    Finally run HJT again now that teatimer has been disabled and post the log back here.
     
  13. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    re-direct from National Rail

    files attached
     
  14. jobeard

    jobeard TS Ambassador Posts: 9,342   +622

    GoogleDesktopDisplay.exe has been known in the past to allow backdoor entry to systems.
    I know some satisfied users, but frankly, I wouldn't trust it.

    I see you're running sqlservr.exe; this is a security exposure.
    make sure it accepts ONLY connections from your local LAN.

    R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe"
    unless you have a network printer ie one attached to the router with an IP address,
    this service is of no value to you.

    You might EDIT this file C:\WINDOWS\system32\tmp.reg
    to determine what was added to your registry -- could be good or bad
    (DO NOT OPEN; EDIT the file via right-click->edit)
     
  15. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    re-direct from National Rail

    okay,
    - removed googledesktopdisplay,
    - removed bonjour,
    - saved contents of tmp file (attached) - I haven't a clue what it means!
    - need some help with the sqlservr.exe, how do I make sure it only accepts connections from the local LAN?
     
  16. 1Bruce

    1Bruce TS Rookie

    I have been following the thread as I am having the same problem. I do not have the Google stuff mentioned and I am not sure if the other references refer to my system. I could not download the HijackThis software but do not know why. I have attached my main.txt and extra.txt to compare. I have picked up a few things in common which may help but I do not know their significance, if any. Comments?

    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe (although I appear to have loads of them)
    C:\WINDOWS\system32\winlogon.exe

    * O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
    * O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    * O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    * O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (although this is a recent install and I had my similar problem with yahoo before)
    * O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    * O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    * O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    * O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    * O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    * O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    * O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    * O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    *multiple svchost.exe
     
  17. jobeard

    jobeard TS Ambassador Posts: 9,342   +622

    1Bruce; please create your own thread for your issues so as to not confuse
    issues, diagnoses and suggestions. Thanks
     
  18. jobeard

    jobeard TS Ambassador Posts: 9,342   +622

    see this article point #7 TCP port 1433 and UDP port 1434.
    The default rules on a firewall are to DENY, so initially there's nothing to do.
    But after installing SqlServer, you need to be sure that TCP port 1433 and UDP port 1434 were not allowed from the Internet.

    To operate correctly, the server systems must have these ports allowed and the
    clients accessing the server must also.

    You need to add a rule to all systems; you need your lan subnet addresses.
    use run->cmd /k ipconfig
    on the line IP Address there's an address shown as aaa.bbb.ccc.ddd
    the subnet is the aaa.bbb.ccc portion without ddd

    the firewall rule would look like
    allow in/out tcp/udp dest-ip aaa.bbb.ccc.1-aaa.bbb.ccc.254 ports 1433-4134
    move this rule to point in the list of rules where the rule following is the first deny
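    The rule jobeard describes, worked through as an added Python example (not code from the thread or from any firewall product): derive the aaa.bbb.ccc /24 from the ipconfig "IP Address" line, then decide per connection whether SQL Server traffic (TCP 1433, UDP 1434) comes from a host in aaa.bbb.ccc.1-254 and is allowed, or comes from outside and is denied. The ipconfig output and the connection attempts are constructed samples.

```python
import ipaddress
import re

# Constructed sample of `ipconfig` output, the command the post tells the user to run.
IPCONFIG_SAMPLE = """
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Ports named in the post: TCP 1433 (SQL Server engine) and UDP 1434 (SQL Browser).
SQL_PORTS = {("tcp", 1433), ("udp", 1434)}


def lan_subnet(ipconfig_text):
    """Return aaa.bbb.ccc.0/24 taken from the first 'IP Address' line."""
    m = re.search(r"IP Address[ .]*: *(\d+\.\d+\.\d+\.\d+)", ipconfig_text)
    if not m:
        raise ValueError("no IP Address line found in ipconfig output")
    # strict=False lets the host address 192.168.1.23 be widened to the /24.
    return ipaddress.ip_network(m.group(1) + "/24", strict=False)


def sql_rule_allows(subnet, src_ip, proto, dst_port):
    """Decision for one connection attempt.

    True  -> SQL port reached from a LAN host (aaa.bbb.ccc.1-254): allowed.
    False -> SQL port reached from anywhere else (or .0/.255): denied.
    None  -> not a SQL port; this rule does not apply, later rules decide.
    """
    if (proto.lower(), dst_port) not in SQL_PORTS:
        return None
    ip = ipaddress.ip_address(src_ip)
    # Mirrors the .1-.254 range in the post: exclude network and broadcast.
    return subnet.network_address < ip < subnet.broadcast_address


def evaluate(ipconfig_text, attempts):
    """Apply the rule to a list of (src_ip, proto, dst_port) tuples."""
    net = lan_subnet(ipconfig_text)
    return [(src, proto, port, sql_rule_allows(net, src, proto, port))
            for src, proto, port in attempts]
```

The sample traffic in the test below shows the point of the rule: the same TCP 1433 connection is allowed from 192.168.1.50 but denied from an Internet address.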
     
  19. 1Bruce

    1Bruce TS Rookie

    JoBeard - happy to. Thought that as I am having the same problem as Charlie Muffin the comparison between running programmes would help clarify the one/ones carrying the problem - my mistake!
     
  20. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    re-direct from National Rail

    ok jobeard, when I said help, I REALLY did mean help.
    I've found the IP addresses / subnets using the run command, but applying the rule is rather more complex; I don't know where you are asking me to insert the rule.
    I connect to the net via a NETWARE wireless broadband router. I don't even know if that comment is relevant.
    How do I apply the rule? and where do I apply it?

    PS - problem persists following changes made, will this rule make a difference or just protect me better?
     
  21. jobeard

    jobeard TS Ambassador Posts: 9,342   +622

    rule will ensure that only local systems can access your SQL server

    rule goes into the firewall on the system running the sqlserver, not the router itself.
    This will ensure that someone breaching your router will not get access to the server.
    You need to open the firewall and look at the settings -- which firewall are you using?
     
  22. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    I don't have any special anti-virus or firewall products, just running ZoneAlarm and AVG Anti-Spyware.
     
  23. charlie muffin

    charlie muffin TS Rookie Topic Starter Posts: 20

    redirect from National Rail

    Hi,

    I've been working away for the last 2 days and unable to check progress but it appears there has not been any. Can someone give me an update with this thread please?

    Thanks
     