Hi,
I hope someone can help me. I have my own website and have recently been having redirection problems. First, I was redirected to a Chinese Sex Museum site. When I blocked the content of this site things were ok for a while then I was redirected to something called Jokeroo. In addition, several of my friends tell me they have been experiencing the same thing when trying to view my site and one has been warned about a J S Downloader as well.
I had online advice, from a so called 'expert', who recommended I download Malwarebytes which I have run several times and it has found nothing. Nor has Spybot S&D or Crapcleaner (which, I see, is in your 8 step removal programme!)
I have started your 8 step removal programme but faltered at step 3 as my Norton 360 Antivirus will not let me alter any settings. All the options in the settings section are greyed out except the Identity Protection one.
I can't complete the 8 steps if I can't turn Norton off so can any one tell me what to do?
Cheers, B.

There is misunderstanding about this: you do NOT have to disable the AV and other security for these preliminary scans. The only thing we've asked to be disabled are the parts of the programs referred to as 'Real Time Protection'. For Norton, that would only be SYMANTEC ENDPOINT PROTECTION
Right click on the icon in the Taskbar notification area & select "Disable Symantec EndPoint Protection".


We are considering omitting that section in the future because of this misunderstanding. We surely don't ant you active on the internet with no AV! There are later program that require security to be shut down, but we tell you when and how to do it safely. Okay?

IF you have this 'endpoint' and can shut it down as above, okay. If not, please just go ahead with the rest of the steps.

Hi,
I have now completed all steps of the 8 step programme and logs are attatched. Norton AV scan found one moderate threat which I have removed and Super Anti Spyware found some tracking cookies, also removed. Nothing detected by Malwarebytes.
Cheers B.

Attached Files

	SUPERAntiSpyware Scan Log - 03-16-2010 - 22-36-49.log (3.3 KB, 2 views)
	mbam-log-2010-03-16 (20-51-11).txt (867 Bytes, 2 views)
	hijackthis.log (12.2 KB, 1 views)

Okay, I have a couple of questions for you:

Regarding JS.Downloader.Trojan [Symantec]: Various worms and Backdoor Trojans use JS.Downloader.Trojan to spread themselves over the Internet. JS.Downloader.Trojan may access and download files from a variety of sites.

Regarding the redirects: are you being redirected when you use your computer to search for and choose a site? Any site or just if you try to go to your own site?

It sounds like the site itself has been hacked. So although you have 'your own site' it sound like it's that site, not your computer. The programs you ran for the logs> they were run on your computer system, right? So they could still be clean and the site could have malware> does that make sense?

You have a huge amount of processes running. I didn't find anything questionable in 'these' logs except for the Name-Server. There are 3 different IP addresses:
One for netname: CW-EUROPE-NET
descr: Cable & Wireless Telecommunication Services GmbH
country: DE
------------------------
Another for netname: H3GUK
descr: NAT Pool for Mobiles
country: GB
----------------------
And a third for netname: EU-EN-961107
descr: Cable & Wireless Telecommunication Services GmbH
descr: PROVIDER Local Registry
country: EU (non-country internet domain European Union

Are you actively using all three of these?
What type of security do you have on the site itself.
I can have you run additional programs, but they wouldn't be for the site.

Hi Bobbye,
Thanks for your reply.
To answer your questions - I have been redirected only when trying to view my own site not any others. My friends have also been redirected when trying to view my site. This would support your theory that my site has been hacked and it's not my computer.
The site was built for me and is administrated by my brother. I did mention this problem to him when it first started happening, he went on it and had no problems. I have just spoken to him again and he had another look and found something called Break Soft? He said he will look into it and fix it. Is there anything you can tell me that I can pass on to him?
With regard to me having 3 IP addresses I have no idea about these being a bit of a computer novice. How can this happen? I use 3 G Mobile internet as I live on a narrowboat.
Cheers B.

I did a search for "Break Soft", setting it up as the name of something. I found this site:

Password Break Soft Wear: http://www.filebuzz.com/findsoftware...ft_Wear/1.html
But I don't have enough information to tell you if this is what your brother sees.
I would say that if he is hosting this site for you, it's his responsibility to do what is needed to keep it secure. And if you have evidence as it would seem you do now, that the site has been hacked, he needs to use his responsibility as administrator, locate the hack and try to remove it.

I don't know what kind of arranngement you have with him, but I can't run site security from your computer and your computer is what we would work on in this forum.

As for the 3 IP addresses, you need to contact 3G Mobile- whoever you pay for your service, tell them you have these 3 Name-Servers on your system, ask which they use, then have us remove any they don't.

The best advice I can give you about the site is to tell your brother to put a firewall up. That won't remove malware but it can prevent accessing some of the sites you mentioned. If you note the URL when you get redirected, it can be added to the firewall and blocked. He can also shut it down until the breach has been found and fixed. I don't know the nature of the site- personal, business or whatever, but you already have other people telling you they are being warned.

Hi Bobbye,
Thanks for all your efforts on my behalf, I really appreciate your time.
I have been in further contact with my brother and he has fixed the problem with my website. Now he knows what it is he can keep an eye on it. I will certainly tell him about setting up a firewall too.
I will also get in touch with Three and find out which IP address is theirs so the other two can be removed by you.
Cheers B.

Hard to believe he set up a site without a firewall!

Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes. If you are prompted to Reboot during the cleanup, select Yes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to [b] > System Tools.
• Click "OK" to select the partition or drive you want.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Let us know if you need help in the future. since the problem has been resolved, I'm going to close this thread.