Jump to content

Find-All-You-Want browser redirects - can't get rid of it


mrb

Recommended Posts

Hi,

 

I was infected with some sort of malware after opening a Microsoft Word "resume" sent in response to a Craig's List ad I posted offering employment. Uugh. Not only did I not find the job candidate I need, now I have a nasty virus I can't get rid of. Some people really suck.

 

I installed both the Kaspersky and Malwarebytes anti-virus programs to try to detect/clean it (I had been using AVG which allowed the infection to occur). None of these programs can find the malware. Symptoms are as follows:

 

1) Open a browser

2) start clicking links; after the 4th or 5th click, you get re-directed to a shopping site. "Find-all-you-want" appears in the redirection string

 

Any ideas what this is and how to get rid of it? I also tried running Kaspersky's TDSSkiller root kit utility, and it also found nothing. I've reset my Chrome settings, and that didn't resolve it. Upon testing, the issue affects all my installed browsers (Chrome, IE, and Firefox). I'm desperate.

 

Thanks,

 

Heather

Link to post
Share on other sites

Hello,
    
 
They call me TwinHeadedEagle around here, and I'll be working with you.
 
     
    
Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, what may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

:excl: I can't foresee everything, so if anything unexpected happens, please stop and inform me!
:excl: There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
  warning.gif Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.
 
 
 
 

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

FRST.gif Fix with Farbar Recovery Scan Tool
 


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

fixlist.txt

Link to post
Share on other sites

After a preliminary round of testing, you seem to have fixed it. Thank you! I have attached the Fixlog.txt file. Can you help me understand what the issue was and how you fixed it? I will be donating (momentarily) to your Paypal account. Thank you for providing such a valuable service. 

 

Heather

Fixlog.txt

Link to post
Share on other sites

There were some bad files running in background.
 
This was the bad guy:
 
HKU\S-1-5-21-4065172224-1480893673-3259940331-1001\...\Run: [3825872065] => C:\Users\MADRIV~1\AppData\Roaming\mscxngfz.exe
 
 
 

Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)
 
 

Recommended reading:

 
 
icon_exclaim.gifMUST READ - security tips:

icon_exclaim.gifMUST READ - general maintenance:

The Importance of Software Updating:

 

 
In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.
 
Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

Recommended additional software:

 
 
icon_arrow.gifTFC - to clean unneeded temporary files.
icon_arrow.gifMalwarebytes' Anti-Malware - to scan your system from time to time in search for malware.
icon_arrow.gifMalwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
icon_arrow.gifMcShield - to prevent infections spread by removable media.
icon_arrow.gifUnchecky - to prevent from installing additional foistware, implemented in legitimate installations.
icon_arrow.gifAdblock - to surf the web without annoying ads! 
 
 

Post-cleanup procedures:

 

 
Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right click on the 51a5ce45263de-delfix.png icon and Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report. You do not need to attach it.

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning. 
 
 
 


My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation: 
btn_donateCC_LG.gif

 

Thank you!

 
 
Stay safe,
TwinHeadedEagle   :)

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Download 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit to your desktop.

  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and attach the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

For example, I just clicked on a URL with link text of "Statement" within a web application one of my restaurant vendor's uses, and it redirected to Fidelity (to this link: https://fixedincome.fidelity.com/ftgw/fi/FILanding#tbindividual-bonds|treasury). It should have taken me to my statement of account with this vendor. So there is definitely something there.... Buggers!!

Link to post
Share on other sites

yes, it happens sporadically, across many websites, and across all browsers I have tested (IE, Firefox, and Chrome, which is my primary browser). This is interesting, I used the Chrome Inspect Element feature and kept clicking that link. Sometimes it goes to the right place, but eventually it re-directs. This is the log from the inspect element feature (see below). In this case, I was redirected to Fresh Books. 

 

Resource interpreted as Script but transferred with MIME type text/plain: "https://privacy-policy.truste.com/privacy-seal/FreshBooks/asc?rid=cf5745b1-68a7-4df0-abe3-99164468a5dc".
 Consider using 'dppx' units, as in CSS 'dpi' means dots-per-CSS-inch, not dots-per-physical-inch, so does not correspond to the actual 'dpi' of a screen. In media query expression: (-webkit-min-device-pixel-ratio: 2), (min-resolution: 192dpi)
analytics.js?rnd=14230834318061:2 Resource interpreted as Script but transferred with MIME type text/html: "http://www.google-analytics.com/gs.js?1&code=54d287a7d5789&title=&keywords=…mccn%3DUS(SEM)-NonBranded%7Cutmcmd%3Dcpc%7Cutmctr%3Dinvoice&bd=&lng=en&bh=".
Link to post
Share on other sites

I kept clicking back, and then re-clicking the same link, over and over... sometimes it goes to the right place, sometimes it re-directs. This last entry is from another redirect. The text I colored red shows the redirection that is occurring. In this case, the URL I ended up at was the Stuccu.com link.

 

 

 Consider using 'dppx' units, as in CSS 'dpi' means dots-per-CSS-inch, not dots-per-physical-inch, so does not correspond to the actual 'dpi' of a screen. In media query expression: only screen and (-webkit-min-device-pixel-ratio: 2), only screen and (min-resolution: 144dpi)
home.aspx:387 Resource interpreted as Image but transferred with MIME type text/html: "http://www.tracsdirect.com/home.aspx".
ads?client=ca-pub-0476046809954606&format=728x90_as&output=html&h=90&slotname=3864427015&adk=790056…:1 Resource interpreted as Image but transferred with MIME type text/html: "http://googleads.g.doubleclick.net/pagead/adview?ai=Crc9c1IjSVMazPLTV0AHVz4…TnglpG32zkuS0SH5BNisZIMFloATahN-ABrj5u5O-642FcaAGIQ&sigh=81XIXcbM5QM&vis=1".
ab?e=wqT_3QLxA_BC6AEAAAIA1gAFCNWRyqYFEMjIsKvYiNiCIxjumMTDhZ-_wxggASotCbnXE8BuOQZAEbnXE8BuOQZAGf7UeO…:1 Resource interpreted as Script but transferred with MIME type text/html: "http://nym1.ib.adnxs.com/rd_log?e=wqT_3QKdCfSIA5QEAAACANYABQjVkcqmBRDIyLCr2…AMAuAMAwAOsAsgDAA..&dlo=1&bdref=http%3A%2F%2Fstuccu.com&bdtop=true&bdifs=2".
click?9ihcj8L1_D_2KFyPwvX8P_7UeOkmMRFAudcTwG45BkC51xPAbjkGQEgkbIVFYAUjbgxxWPj8hhjViNJUAAAAABUbAAC1A…:343 Resource interpreted as Script but transferred with MIME type text/html: "https://amch.questionmarket.com/adscgen/st.php?survey_num=1079731&site=102865140&code=61102646&randnum=1154655919".
click?9ihcj8L1_D_2KFyPwvX8P_7UeOkmMRFAudcTwG45BkC51xPAbjkGQEgkbIVFYAUjbgxxWPj8hhjViNJUAAAAABUbAAC1A…:343 Resource interpreted as Image but transferred with MIME type text/html: "http://googleads4.g.doubleclick.net/pcs/view?xai=AKAOjsty73ncNdcA0dN8-5u4-H…zLWt7uias433quWoowVh20tCqpXqkgtlMyKgAAJ&sig=Cg0ArKJSzBfBjsTMlbW2EAE&adurl=".
analytics.js?rnd=14230837269735:2 Resource interpreted as Script but transferred with MIME type text/html: "http://www.google-analytics.com/gs.js?1&code=54d288d1b8eb1&title=&keywords=…%3D16139%26ts%3D1234_NXNS_01_16&utmcc=__utma%3D%2B__utmz%3D&bd=&lng=en&bh=".
Link to post
Share on other sites

I just replicated it in Firefox with Firebug running. I have a strong suspicion this is a virus related to some Google Analytics add-on. In this case, I was redirected to site: http://www.cpofestool.com/festool.  I see in the Firebug console the following:

 

http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js

http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.3/jquery-ui.min.js

http://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js

http://chanalytics.merchantadvantage.com/inChannel/maq.js

http://content.webcollage.net/cpo/smart-button

http://cts.channelintelligence.com/412861573_landing.js

 

When I click into the last link, the stack trace below presents. So it seems like I still have some sort of ad-ware lurking on my computer.  when you reviewed my files, did you see anything that could be masking itself as being related to Google Analytics? 

 

 

// Copyright Channel Intelligence, Inc. 2002-2013
var ci_vid= 412861573;
var ci_cookieDomain=".cpofestool.com";
var ci_refDomain=".cpofestool.com";
var ci_imgs=[];
 
function ci_FP(ci_pix_url,protocol){var ci_pic=new Image(1,1);ci_pic.src=(protocol!==undefined ? protocol + '://' : (window.location.protocol.toLowerCase() == 'http:' ? 'http://' : 'https://'))+ci_pix_url;ci_imgs[ci_imgs.length]=ci_pic;}
 
function ci_RQV(name,dValue){
    var qArg=new RegExp('[\\?&]'+name+'=?([^]*)','i').exec(window.document.location);
    if(qArg===null){return dValue===undefined?null:dValue;}else if(qArg.length<2){return '';}else{return qArg[1];}
}
function ci_CC(name,value,daysTillExpire){
if (daysTillExpire){
var exDate=new Date();
exDate.setTime(exDate.getTime()+(daysTillExpire*24*60*60*1000));
document.cookie=name+'='+value+'; expires='+exDate.toGMTString()+'; domain='+ci_cookieDomain+'; path=/';
}
}
function CI_GetValue(ci_vName,ci_dValue) {
if (typeof(window[ci_vName])!=="undefined"){return window[ci_vName];}else{return ci_dValue===undefined?null:ci_dValue;}
}
function ci_UID(value){
var today=new Date();
var UID=ci_vid+"-"+value+"-"+Math.floor(Math.random()*9999999999)+today.getFullYear().toString()+today.getMonth().toString()+ today.getDay().toString()+today.getHours().toString()+today.getMinutes().toString()+today.getSeconds().toString()+today.getMilliseconds().toString();
return UID;
}
function ci_PIX(loc,eid,tid,src,sku,tag,avurl){
var url='';
if (loc===2){url=window.location.protocol.toLowerCase()=='http:'?'cts-log.channelintelligence.com?':'ttwbs.channelintelligence.com?';}
if (loc===3){url='rdr.tag.channelintelligence.com/log.aspx?';}
url+='vid='+ci_vid+'&eid='+eid+'&tid='+tid;
if(src!==null){url+='&src='+src;}
if(sku!==null){url+='&sku='+sku;}
if(tag!==null){url+='&tag='+tag;}
url += "&ref="+escape(document.referrer);
return ci_FP(url);
}
try {
var ci_cpncode=ci_RQV('cpncode');
var ci_srccode=ci_RQV('srccode');
var ci_src=ci_RQV('ci_src');
var ci_sku=ci_RQV('ci_sku');
var ci_tag=ci_RQV('ci_tag');
var ci_tid=ci_UID(ci_sku);
 
if(ci_cpncode!==null){
ci_CC('ci_cpncode',ci_cpncode,30);
ci_CC('ci_src',ci_srccode,30);
ci_CC('ci_tid',"",-1);
} else if(ci_src!==null && ci_sku!==null) {
ci_CC('ci_cpncode',"",-1);
ci_CC('ci_tid',ci_tid,30);
ci_CC('ci_src',ci_src,30);
ci_PIX(2,23,ci_tid,ci_src,ci_sku,null,null);
} else if(ci_tag!==null) {
ci_CC('ci_cpncode',"",-1);
ci_CC('ci_tid',ci_tid,30);
ci_PIX(2,7,ci_tid,null,null,ci_tag,null);
}
}catch(err){}
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.