Like others, when I click on a clean link in a Google search I am being redirected to malicious sites. Avast pops up with the Red Malicious window, etc. My OTS scan results attached. When you do offer help bear in mind I am techno challenged…thanks!
Essexboy is notified…he arrives here late UK time…
I have to ask but I’ve seen multiple topic posts now about people getting affected by the Google redirect/hijack.
What’s happening? Is there something going around that is not getting picked up by avast! ?
The Redirect Virus – What It Is, And Why Virus Protection Won’t Get Rid Of It
http://redirectvirus.org/
There is a suspect redirect (WOT warning) if you use the >>>>> Click Here for a quick, easy way to remove the redirecting virus <<<<< link on that page.
Interesting when it is all about the google redirecting virus, then it redirects through a sub-domain of a sub-domain, hop.clickbank.com which has a poor reputation.
Almost makes me think they were trying a Proof of Concept to show how easily you could be infected ;D
Needless to say I declined the redirection.
Report 2011-06-29 23:58:30 (GMT 1)
Website redirectvirus.org
Domain Hash 20558ac915adaed08499400c3b54ee63
IP Address 174.122.148.189 [SCAN]
IP Hostname bd.94.7aae.static.theplanet.com
IP Country US (United States)
AS Number 21844
AS Name THEPLANET-AS - ThePlanet.com Internet Service…
Detections 0 / 23 (0 %)
Status CLEAN
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender CLEAN
Scanning site with: DNS-BH CLEAN
Scanning site with: DShield SDL CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts UNRATED
Scanning site with: joewein.de LLC CLEAN
Scanning site with: Malc0de CLEAN
Scanning site with: Malware Domain List CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MyWOT UNRATED
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SCUMWARE CLEAN
Scanning site with: SpamhausDBL CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: Trend Micro Site Safety Center CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: VSCAN CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN
Report 2010-12-15 07:43:42 (GMT 1)
Website fixredirectvirus.org
Domain Hash fa8c3954aa7c742462ed6f82f4170c2b
IP Address 174.120.97.98 [SCAN]
IP Hostname carrol.site5.com
IP Country US (United States)
AS Number 21844
AS Name THEPLANET-AS - ThePlanet.com Internet Service…
Detections 1 / 17 (6 %)
Status SUSPICIOUS
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender CLEAN
Scanning site with: DNS-BH CLEAN
Scanning site with: hpHosts UNRATED
Scanning site with: joewein.de LLC CLEAN
Scanning site with: Malware Domain List CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MyWOT UNRATED
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation DETECTED
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN
and when testing it at Trend Micro Site Safety Center
Because you were curious about this website, Trend Micro will now check it for the first time. Thanks for mentioning it!
Yes that is for that site but not where the actual redirect is trying to take you (see my image, hop.clickbank.com).
Now I don’t know if this is simply for them to obtain stats of those going to that page, but there has to be easier ways to achieve this without the redirect. Especially when you consider the whole thing is about redirection and then they employ redirection themselves. I told you I was a trusting sort NOT.
Could you confirm that the redirects are Firefox only?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (CLTNetCnService) Symantec Lic NetConnect service [Auto | Stopped] ->
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\Elizabeth\AppData\Roaming\Mozilla\FireFox\Profiles\lddwr2fj.default\prefs.js
YN -> browser.search.defaultthis.engineName -> "Thirty Day Challenge Customized Web Search"
< FireFox Extensions [Program Folders] > ->
YY -> XULRunner -> C:\USERS\ELIZABETH\APPDATA\LOCAL\{C4E3A2BA-90DE-4EDD-8C13-8BF2B41BB33A}
[Files - No Company Name]
NY -> Nnemesikomej.dat -> C:\Users\Elizabeth\AppData\Local\Nnemesikomej.dat
NY -> Szulejopevog.bin -> C:\Users\Elizabeth\AppData\Local\Szulejopevog.bin
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
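The fix above removes a hijacked Firefox search pref (browser.search.defaultthis.engineName) from prefs.js by hand. As an added example, not part of the thread or of OTS, here is a small Python checker that parses a prefs.js file and flags search-engine prefs pointing at an engine or host outside an allow-list; the sample prefs.js content, the allow-lists and the function names are constructed for illustration.

```python
"""Flag search-engine hijacks in a Mozilla prefs.js (added example, not OTS code)."""
import re
from urllib.parse import urlsplit

# prefs.js lines look like:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Pref families that decide where a search goes; "browser.search.defaultthis.engineName"
# is the one the OTS fix in this thread removed, "keyword.URL" drove address-bar searches
# in Firefox of that era.
SEARCH_PREF_PREFIXES = ("browser.search.", "keyword.")
# Constructed allow-lists: engine names and URL hosts a clean profile would use.
ALLOWED_ENGINES = {"Google", "Bing", "Yahoo"}
ALLOWED_HOSTS = ("google.com", "bing.com", "yahoo.com")

# Constructed sample prefs.js; first line mirrors the hijacked value from the OTS log.
SAMPLE_PREFS = '''
user_pref("browser.search.defaultthis.engineName", "Thirty Day Challenge Customized Web Search");
user_pref("browser.search.selectedEngine", "Google");
user_pref("keyword.URL", "http://search.example.invalid/?q=");
user_pref("network.cookie.cookieBehavior", 0);
this line is not a pref and is skipped
'''

def parse_prefs(text):
    """Return {name: value} for every well-formed user_pref line (quotes stripped)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = raw.strip().strip('"')
    return prefs

def _host_allowed(host):
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)

def find_search_hijacks(prefs):
    """Return [(pref_name, value, reason)] for search prefs outside the allow-lists."""
    hits = []
    for name, value in prefs.items():
        if not name.startswith(SEARCH_PREF_PREFIXES):
            continue
        if name.endswith("engineName") and value not in ALLOWED_ENGINES:
            hits.append((name, value, "engine name not in allow-list"))
        elif value.startswith(("http://", "https://")):
            host = urlsplit(value).hostname or ""
            if not _host_allowed(host):
                hits.append((name, value, "search URL host not in allow-list"))
    return hits

if __name__ == "__main__":
    for hit in find_search_hijacks(parse_prefs(SAMPLE_PREFS)):
        print(hit)
```

On a real profile, read prefs.js from the Profiles\<name>.default folder (the path in the OTS log shows where it lives) and pass its text to parse_prefs; a flagged engineName with a name you never chose is the symptom this thread describes.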
Ok, have run the fix and from what I can tell the redirect has been killed! Yes it did seem to only happen in Firefox but I just briefly tested Chrome after your question. Here are the results:
All Processes Killed
[Win32 Services - Safe List]
Service CLTNetCnService stopped successfully!
[Registry - Safe List]
Prefs.js: “Thirty Day Challenge Customized Web Search” removed from browser.search.defaultthis.engineName
C:\USERS\ELIZABETH\APPDATA\LOCAL\{C4E3A2BA-90DE-4EDD-8C13-8BF2B41BB33A}\chrome\content folder moved successfully.
C:\USERS\ELIZABETH\APPDATA\LOCAL\{C4E3A2BA-90DE-4EDD-8C13-8BF2B41BB33A}\chrome folder moved successfully.
C:\USERS\ELIZABETH\APPDATA\LOCAL\{C4E3A2BA-90DE-4EDD-8C13-8BF2B41BB33A} folder moved successfully.
[Files - No Company Name]
C:\Users\Elizabeth\AppData\Local\Nnemesikomej.dat moved successfully.
C:\Users\Elizabeth\AppData\Local\Szulejopevog.bin moved successfully.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Elizabeth\Desktop\Redirect Virus Fix\cmd.bat deleted successfully.
C:\Users\Elizabeth\Desktop\Redirect Virus Fix\cmd.txt deleted successfully.
[Empty Temp Folders]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Elizabeth
->Temp folder emptied: 1648584621 bytes
->Temporary Internet Files folder emptied: 222479000 bytes
->Java cache emptied: 932791 bytes
->FireFox cache emptied: 289690044 bytes
->Google Chrome cache emptied: 376757672 bytes
->Flash cache emptied: 60433 bytes
User: Guest
->Temp folder emptied: 218876 bytes
->Temporary Internet Files folder emptied: 33886 bytes
->FireFox cache emptied: 4143534 bytes
->Flash cache emptied: 42054 bytes
User: Public
User: Rachael
->Temp folder emptied: 74436 bytes
->Temporary Internet Files folder emptied: 2490016 bytes
->Google Chrome cache emptied: 31493631 bytes
->Flash cache emptied: 4692 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 231757515 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 1206829 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 6361793 bytes
Total Files Cleaned = 2,686.00 mb
[EMPTYFLASH]
User: All Users
User: Default
->Flash cache emptied: 0 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: Elizabeth
->Flash cache emptied: 0 bytes
User: Guest
->Flash cache emptied: 0 bytes
User: Public
User: Rachael
->Flash cache emptied: 0 bytes
Total Flash Files Cleaned = 0.00 mb
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 08112011_135247
Files\Folders moved on Reboot…
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot…
OK final step I feel
Please download Malwarebytes’ Anti-Malware
Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
Hi
Just ran the Malwarebytes scan (ran one yesterday that didn’t pick up anything). Results here:
Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7437
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000
8/11/2011 3:26:06 PM
mbam-log-2011-08-11 (15-26-06).txt
Scan type: Quick scan
Objects scanned: 194742
Time elapsed: 12 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
How is your computer now? Behaving itself?
Seems to be ok! Thank you so much.
As we only used OTS
Run OTS and hit the cleanup button to remove it and the files we quarantined
Hi again essexboy…
Something that has occurred in the past few days (started just prior to cleaning out the redirect virus): Avast now pops up with a window that says “Some files could not be scanned”. When I open the window it shows a list of files with the status “error: archive is password protected”. I have never password protected the archive and have been using Avast free and then paid version for several years and this is a first. Guessing it has to do with damage from the redirect virus. Also have lost access to Market Samurai, and all programs that previously would show up from the Start menu have now disappeared and I am having a hell of a time trying to find my system tools, etc. Don’t suppose you can help???
@ elliec
Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn’t know the password or have any way of using it even if it did know it).
When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can’t be scanned.
By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.
If you can give some examples of those file names, the locations and reason given why it can’t be scanned might help us further ?
####
In order to be getting this “password protected archive can’t be scanned” message you generally have to have elected to scan archives?
Archive (zip, rar, etc.) files are by their nature inert; you need to extract the files and then you have to run them for them to be a threat. Long before that happens avast’s Standard Shield should have scanned them, and before an executable is run that is scanned.
Those are probably definitions for either MBAM or Windows Defender. Password protected files are not a problem. Once they are opened then Avast will scan them. But, as I say they are of no real concern