Link redirects

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run a scan with OTL by OldTimer
  1. Download the OTL utility using the link below:
     OTL DOWNLOAD LINK: http://oldtimer.geekstogo.com/OTL.exe (This link will automatically download OTL on your computer)
  2. Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  3. When the window appears, underneath Output at the top change it to Minimal Output.
  4. Check the boxes beside LOP Check and Purity Check.
  5. Click the Run Scan button.
  6. When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
     Please post these 2 logs in your first reply.

Settings You need to Select in OTL
  1. Click the Scan All Users checkbox.
  2. Change Standard Registry to All.
  3. Check the boxes beside LOP Check and Purity Check.
Note: If OTL.exe will not run, it may be blocked by malware. Try these alternate versions: OTL.scr (http://www.itxassociates.com/OT-Tools/OTL.scr), or OTL.com (http://oldtimer.geekstogo.com/OTL.com).


Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
kuttus said:
Login to http://malwaretips.com from your PC and attach the log files.
I could not find the extras.txt on my computer. I did find this file.
 

Attachments

  • OTL.Txt 7-27.txt
    97 KB · Views: 121

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run the below OTL fix
  1. Start OTL.exe
  2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
Code:
:OTL

FF - prefs.js..browser.search.defaultengine: "Ask Search"
FF - prefs.js..browser.search.defaultenginename: "Ask Search"
FF - prefs.js..browser.search.order.1: "Ask Search"
FF - prefs.js..extensions.enabledAddons: feedly%40devhd:16.0.528
FF - prefs.js..extensions.enabledAddons: %7B4ec601fd-e9a3-11e2-8276-b8ac6f996f26%7D:3.0.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0
FF - user.js - File not found
[2013/06/27 17:42:22 | 000,000,000 | ---D | M] (Theme Font & Size Changer) -- C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\atsobenq.default\extensions\{f69e22c7-bc50-414a-9269-0f5c344cd94c}
[2013/06/26 05:31:26 | 000,027,050 | ---- | M] () (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\atsobenq.default\extensions\feedly@devhd.xpi
[2013/07/26 17:46:06 | 000,450,132 | ---- | M] () (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\atsobenq.default\extensions\toolbar_ORJ-V7@apn.ask.com.xpi
[2013/07/16 22:32:29 | 000,004,007 | ---- | M] () (No name found) -- C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\atsobenq.default\extensions\{4ec601fd-e9a3-11e2-8276-b8ac6f996f26}.xpi
[2013/07/02 18:14:11 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013/07/11 06:55:07 | 000,000,000 | ---D | C] -- C:\ProgramData\8ed1d9d8-02ff-0000-165f-00001b54a4dc

:commands
[emptytemp]
[reboot]
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  3. Then click the Run Fix button at the top
  4. Let the program run unhindered, reboot when it is done
  5. Attach the new log produced by OTL (C:\_OTL)


Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
I have attached the file. I am also attaching the ComboFix log from the run I did earlier this evening. Thanks!
 

Attachments

  • ComboFix log.txt
    25.3 KB · Views: 130
  • OTL log after insert code.txt
    4.9 KB · Views: 83

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now reboot the computer and work on your computer. If you are still facing the issues, please send me screenshots of what you are getting on Firefox.

To take a screenshot of your screen:
  1. Press the PRINT SCREEN (Print Scr) key on your keyboard.
  2. Now open MS Paint.
  3. Open Paint by clicking the Start button, clicking All Programs, clicking Accessories, and then clicking Paint.
  4. In MS Paint click Edit, and then click Paste.
  5. After this, save the file on your computer by clicking on File --> Save.
Add this saved file in your next reply.
 

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
Hi Kuttus, I can get screen shots with Snag-It too.

I have been working for a short while this morning, with no redirects. Actually, I haven't had one since I did the ComboFix run yesterday. I haven't tested long enough to know for sure, though. I will be vigilant and check back in to let you know what's happening (good or bad) - tomorrow if things are going well, or earlier if not.

Thanks!
 

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
Unfortunately, I just got redirected. I did a Google search on Cle de Peau Extra Rich Lipstick and got the attached destination.

I was so hopeful because I had gone all day without a redirect. The only thing I did before the redirect was put a memory card in my card reader (drive E).
 

Attachments

  • CDP redirect.jpg
    146.8 KB · Views: 122

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
Happened again. Second time in a row on same search. Usually, the second time, it goes to the intended link. Not this time. Pic attached.
 

Attachments

  • CDP redirect 2.jpg
    177.4 KB · Views: 132

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
I took the memory card out of the E drive, but still got redirected. I clicked on a beauty link, the home page of Eau d'Italie and was taken here: http://www.calibex.com/Eau-D-Italie/zzcalibex2zB1z0--search-html?nxtg=e6f0a50054c-464EA099017D3522.
 

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
It is redirecting, and in many cases, Trend is blocking the site to which it's trying to go. If you look at the links on the Trend pages, you will see they has nothing to do with what I searched for - and are unrecognizable.

The third one, www.calibex.com, went without Trend blocking, but it wasn't the link I selected.

So crestfallen after a good day!
 

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
Sorry...they have nothing to do with my search (above). The URLs Trend stops are often long strings of numbers. The ones it doesn't stop are often e-commerce sites.
 

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
I am not sure. I worked in IE for about an hour one day, when you asked me to, and had no redirects. When I get back from work, I will work in IE to see what happens. If I can stand it. :) How about Chrome? I was thinking of installing it. Any better?
 

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
I will install it or use IE for awhile. I have reason to believe someone is spying on my e-mail account. I got a weird bounce notice on an e-mail I didn't receive, and I just got a password change notice from a company that I did not request. I just changed my e-mail password. I hope that solves that!
 

Charlestongirl

New Member
Thread author
Verified
Jul 19, 2013
53
Kuttus, regarding the e-mail probs I described above, I got confused while I was in a search and the password change was old and legit. However, I did get the bounce. I don't know if it was legit (meaning phishing) or spam since it had links embedded. That one still worries me, but unless I get another one, I guess I have to assume it was spam. Sorry. I'm getting a bit freaked out with the difficulty of banishing this malware once and for all.
 
