Something hijacking URLs and directing browser to porno site

Shirley Worrall

Can anyone tell me how to sort this out? Something in my computer
fires up from time to time when I click on a perfectly innocent URL
and directs the browser to a porno site instead. Down at the bottom of
the browser in the taskbar it says ***Porno-Finder***.

I've run checks with NOD32 (up to date) and Ad-Aware SE but they find
nothing.

It's been there for a couple of months but the problem only crops up
from time to time.

Please tell me how to get rid of it!
 
David H. Lipman

From: "Shirley Worrall" <[email protected]>

| Can anyone tell me how to sort this out? Something in my computer
| fires up from time to time when I click on a perfectly innocent URL
| and directs the browser to a porno site instead. Down at the bottom of
| the browser in the taskbar it says ***Porno-Finder***.
|
| I've run checks with NOD32 (up to date) and Ad-Aware SE but they find
| nothing.
|
| It's been there for a couple of months but the problem only crops up
| from time to time.
|
| Please tell me how to get rid of it!

Please Try...

SpyBot Search and Destroy v1.4
http://security.kolla.de/

BHODemon v2.x
http://www.definitivesolutions.com/bhodemon.htm
 
Default NG ID

| Can anyone tell me how to sort this out? Something in my computer
| fires up from time to time when I click on a perfectly innocent URL
| and directs the browser to a porno site instead. Down at the bottom of
| the browser in the taskbar it says ***Porno-Finder***.
|
| I've run checks with NOD32 (up to date) and Ad-Aware SE but they find
| nothing.
|
| It's been there for a couple of months but the problem only crops up
| from time to time.
|
| Please tell me how to get rid of it!

Please Try...

SpyBot Search and Destroy v1.4
http://security.kolla.de/

BHODemon v2.x
http://www.definitivesolutions.com/bhodemon.htm

Many thanks for helping so quickly, but unfortunately they've not
solved it. I installed and ran SpyBot v.1.4 first and it found a
number of problems, but after that I tried to go to the page (just a
blog) that triggered the problem earlier and it happened again.

I then installed and ran BHODemon v2.0.0.23 but the only BHO it finds
is SpyBot S&D.

Do you have any other ideas, please? This is really driving me mad!

Thanks again.
 
Beauregard T. Shagnasty

Default NG ID wrote:

Are you Shirley Worrall?

| Many thanks for helping so quickly, but unfortunately they've not
| solved it. I installed and ran SpyBot v.1.4 first and it found a
| number of problems, but after that I tried to go to the page (just
| a blog) that triggered the problem earlier and it happened again.

So that we can see (if possible) what is causing this, post the link
to the page, but MUNG the link so it is not clickable, i.e.
hXXp://blog.example.com/

| I then installed and ran BHODemon v2.0.0.23 but the only BHO it
| finds is SpyBot S&D.
|
| Do you have any other ideas, please? This is really driving me mad!

What browser are you using? IE? Perhaps a modern, secure browser will
help.
http://home.rochester.rr.com/bshagnasty/tips.html

Oh, you only need to post your question once.
 
Default NG ID

| Default NG ID wrote:
|
| Are you Shirley Worrall?

Yes.

| So that we can see (if possible) what is causing this, post the link
| to the page, but MUNG the link so it is not clickable, i.e.
| hXXp://blog.example.com/

meerkitty.blogspot.com

It seems to load, but then it diverts to a porno site. This is the one
I happened to click on this evening, but it's happened on a number of
other occasions with equally innocuous looking URLs.

| What browser are you using? IE? Perhaps a modern, secure browser will
| help.
| http://home.rochester.rr.com/bshagnasty/tips.html

Thanks - I'll take a look. I was trying Firefox a while ago, but I had
problems making it work with a walking forum I read.

| Oh, you only need to post your question once.

Of course: unfortunately, though, I forgot to mung my name and email
address when I first posted, so I tried to recall it and start again.
Sorry about that.
 
Beauregard T. Shagnasty

Default said:

| meerkitty. blogspot. com

That would have been: hXXp://meerkitty.blogspot.com/

| It seems to load, but then it diverts to a porno site. This is the
| one I happened to click on this evening, but it's happened on a
| number of other occasions with equally innocuous looking URLs.

No porn site for me; using Firefox. Lots of cookies and JavaScript
(way too much of it), and lines of code that scroll off to the right
for about 5 kilometers. A quick skim doesn't show me anything
malicious, though.

It's not the site; it's something else. In addition to all the other
anti-malware programs you've tried, have you gotten to A-Squared yet?
Link on my tips page.

| Thanks - I'll take a look. I was trying Firefox a while ago, but I
| had problems making it work with a walking forum I read.

Try Opera, too.
 
David H. Lipman

From: "Beauregard T. Shagnasty" <[email protected]>

| No porn site for me; using Firefox. Lots of cookies and JavaScript
| (way too much of it), and lines of code that scroll off to the right
| for about 5 kilometers. A quick skim doesn't show me anything
| malicious, though.
|
| It's not the site; it's something else. In addition to all the other
| anti-malware programs you've tried, have you gotten to A-Squared yet?
| Link on my tips page.
| | will help. http://home.rochester.rr.com/bshagnasty/tips.html
| | Thanks - I'll take a look. I was trying Firefox a while ago, but I
| | had problems making it work with a walking forum I read.
|
| Try Opera, too.

No porn redirection in IE either. It must be a resident app. on Shirley's PC.
 
Default NG ID

| It's not the site; it's something else. In addition to all the other
| anti-malware programs you've tried, have you gotten to A-Squared yet?
| Link on my tips page.

I had it but I'd forgotten. I've just run it - wow, that was thorough!
- and I thought it had found the problem. It found two instances of
Exploit.JS.ScriptsSrc.a, so I deleted them and rebooted. On reboot,
though, I got the same result as last night when I went to the blog
page I was trying to view :-(

Hmmm.... I wonder whether it was replaced by that System Restore thing
when I rebooted... will try some experiments.

Incidentally, it's causing the same problem in Firefox. I tried that
after what you said y/day.

This is incredibly frustrating...
 
D

Default NG ID

I'm not sure whether this helps anyone to understand what's happening?

I've just gone to www.meerkitty.blogspot.com in IE and the page it was
re-directed to was hXXp://www.find-use.net/inse.php?id=dname (I've
munged that).

Nothing at all showed up in the NOD32 Control Centre Threat Log.

I've re-run the a-squared scan to see whether it found the two malware
files it detected earlier, before I re-booted, but it didn't, so
presumably System Restore (or whatever it is) didn't just replace
them.

Any further ideas, anyone?
 
rjdriver

Default NG ID said:

| I'm not sure whether this helps anyone to understand what's happening?
|
| I've just gone to www.meerkitty.blogspot.com in IE and the page it was
| re-directed to was hXXp://www.find-use.net/inse.php?id=dname (I've
| munged that).
|
| Nothing at all showed up in the NOD32 Control Centre Threat Log.
|
| I've re-run the a-squared scan to see whether it found the two malware
| files it detected earlier, before I re-booted, but it didn't, so
| presumably System Restore (or whatever it is) didn't just replace
| them.
|
| Any further ideas, anyone?

Have you run NOD32 in safe mode yet? Disable system restore before you do
it.

Bob
 
David H. Lipman

From: "Default NG ID" <[email protected]>

| On Sat, 27 Aug 2005 09:59:38 +0100, Default NG ID <[email protected]>
| wrote:
|
| I'm not sure whether this helps anyone to understand what's happening?
|
| I've just gone to www.meerkitty.blogspot.com in IE and the page it was
| re-directed to was hXXp://www.find-use.net/inse.php?id=dname (I've
| munged that).
|
| Nothing at all showed up in the NOD32 Control Centre Threat Log.
|
| I've re-run the a-squared scan to see whether it found the two malware
| files it detected earlier, before I re-booted, but it didn't, so
| presumably System Restore (or whatever it is) didn't just replace
| them.
|
| Any further ideas, anyone?

Give the following a shot. This is in case it is a virus that NOD32 fails to detect. It
provides scanners for; Mcafee, Trend Micro and Sophos.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Default NG ID

| Have you run NOD32 in safe mode yet? Disable system restore before you do
| it.

Thanks Bob. I hadn't tried that but I have now, and it was clean.

Thanks anyway!
 
Roger Wilco

| Any further ideas, anyone?

Ensure that your primary and secondary DNS settings are what they should
be. If you are not sure what they should be, ask your provider.
 
rjdriver

rjdriver said:

| Have you run NOD32 in safe mode yet? Disable system restore before you do
| it.
|
| Bob

Try the trial version of Counterspy from www.sunbeltsoftware.com. Update it
after installation and do a FULL scan.

Also, get the NEW VX2 plugin from Ad-Aware. It was updated recently. It
doesn't run during the normal scan. You must click on Add Ons and run it
separately. VX2 is one of the most insidious pieces of malware out here.
It continuously regenerates itself until you discover the main file. And there
are new variants popping up frequently.

Also try other anti virus programs. Many have evaluation versions that can
be run for free. Always run in safe mode after updating definitions. Some
may conflict with others so disable one before running another.

Good luck. Sounds like you've got a bad one.

Bob
 
Default NG ID

A quick update on how the battle's going!

| Try the trial version of Counterspy from www.sunbeltsoftware.com. Update it
| after installation and do a FULL scan.

Many thanks. I've just done that and it found just one Spyware threat,
which it identified as WindUpdates.MediaAccess (Adware). It removed it
for me.

| Also, get the NEW VX2 plugin from Ad-Aware. It was updated recently. It
| doesn't run during the normal scan. You must click on Add Ons and run it
| separately. VX2 is one of the most insidious pieces of malware out here.
| It continuously regenerates itself until you discover the main file. And there
| are new variants popping up frequently.

Thanks for that. I've d/loaded and run it, but it found nothing.

| Also try other anti virus programs. Many have evaluation versions that can
| be run for free. Always run in safe mode after updating definitions. Some
| may conflict with others so disable one before running another.

I'm running through the ones that David suggested last night.

| Good luck. Sounds like you've got a bad one.

Thanks again for your help - it's much appreciated!
 
Default NG ID

On Sat, 27 Aug 2005 14:37:26 GMT, "David H. Lipman"

Hi David,

Many thanks for your further help.

| Give the following a shot. This is in case it is a virus that NOD32 fails to detect. It
| provides scanners for; Mcafee, Trend Micro and Sophos.
|
| Download MULTI_AV.EXE from the URL --
| http://www.ik-cs.com/programs/virtools/Multi_AV.exe

Ok - I did that last night and ran Sophos and Trend in Safe Mode.
(McAfee wouldn't run there.) Both Sophos and Trend produced results
files (which I've kept).

Sophos said it had discovered and removed three viruses, namely:

====
Virus 'Troj/JDownL-B'
Virus fragment 'Mid/Kakworm' and
Virus fragment 'W95/Sledge-A'
====

It also said it encountered 553 errors, but unfortunately I don't know
what that means.

Trend said it found and dealt with one virus as follows:

====
TROJ_SMALL-1[virus found]
-->delete registry
key("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\63.219.181.7","") success
-->delete process("explorer.exe","","") success
-->create process("C:\WINDOWS\EXPLORER.EXE","","") success
====

McAfee wouldn't run in Safe Mode but I've run it now in Normal Mode.
It didn't find any viruses, but it mentioned the following:

====
C:\Program Files\Agent\Data\temp\Monica.zip\MONICAP.EXE ... Found
potentially unwanted program Joke-MessageMate
====

Since then I've also run Counterspy, as suggested by rjdriver, but
that found only the following, and has now removed it.

====
WindUpdates.MediaAccess (Adaware)
====

| * * * Please report back your results * * *

Unfortunately, clicking on www.meerkitty.blogspot.com still results in
diversion to porno site...

I know you said to run Sophos and Trend in Normal Mode too, and I'll
do that now. I thought I'd report back first, though, as it took them
over 4 and 6 hrs respectively to run in Safe Mode!

Many thanks again for helping :)
 
Default NG ID

| Ensure that your primary and secondary DNS settings are what they should
| be. If you are not sure what they should be, ask your provider.

Thanks - I'll drop them a line about that.
 
Randy

Default said:

| On Sat, 27 Aug 2005 14:37:26 GMT, "David H. Lipman"
|
| Hi David,
|
| Many thanks for your further help.
|
| | Give the following a shot. This is in case it is a virus that NOD32 fails to detect. It
| | provides scanners for; Mcafee, Trend Micro and Sophos.
| |
| | Download MULTI_AV.EXE from the URL --
| | http://www.ik-cs.com/programs/virtools/Multi_AV.exe
|
| Ok - I did that last night and ran Sophos and Trend in Safe Mode.
| (McAfee wouldn't run there.) Both Sophos and Trend produced results
| files (which I've kept).
|
| Sophos said it had discovered and removed three viruses, namely:
|
| ====
| Virus 'Troj/JDownL-B'
| Virus fragment 'Mid/Kakworm' and
| Virus fragment 'W95/Sledge-A'
| ====
|
| It also said it encountered 553 errors, but unfortunately I don't know
| what that means.
|
| Trend said it found and dealt with one virus as follows:
|
| ====
| TROJ_SMALL-1[virus found]
| -->delete registry
| key("HKEY_CURRENT_USER","Software\Microsoft\Windows\CurrentVersion\Internet
| Settings\ZoneMap\Domains\63.219.181.7","") success
| -->delete process("explorer.exe","","") success
| -->create process("C:\WINDOWS\EXPLORER.EXE","","") success
| ====
|
| McAfee wouldn't run in Safe Mode but I've run it now in Normal Mode.
| It didn't find any viruses, but it mentioned the following:
|
| ====
| C:\Program Files\Agent\Data\temp\Monica.zip\MONICAP.EXE ... Found
| potentially unwanted program Joke-MessageMate
| ====
|
| Since then I've also run Counterspy, as suggested by rjdriver, but
| that found only the following, and has now removed it.
|
| ====
| WindUpdates.MediaAccess (Adaware)
| ====
|
| | * * * Please report back your results * * *
|
| Unfortunately, clicking on www.meerkitty.blogspot.com still results in
| diversion to porno site...
|
| I know you said to run Sophos and Trend in Normal Mode too, and I'll
| do that now. I thought I'd report back first, though, as it took them
| over 4 and 6 hrs respectively to run in Safe Mode!
|
| Many thanks again for helping :)

Have you checked your Hosts file?
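The replies in this thread point at four places a redirect like this can be planted from the victim's own machine: the Hosts file, the DNS server settings, Browser Helper Objects loaded into IE, and the ZoneMap\Domains registry key that the Trend scan cleaned. The following is an added read-only audit script (not from the thread or from any of the tools it names) that lists all four so they can be compared against what they should be; it assumes PowerShell 5 or later on Windows 8 or newer (for Get-DnsClientServerAddress) and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the places the replies
# above point at. Prints only; nothing is changed. Assumes PowerShell 5+ on
# Windows 8 or later (for Get-DnsClientServerAddress).

# 1. Hosts file: entries that map a name anywhere other than loopback.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host '== Hosts entries that are not loopback =='
Get-Content $hostsPath |
    ForEach-Object { ($_ -split '#')[0].Trim() } |
    Where-Object { $_ -and $_ -notmatch '^(127\.|::1\b)' } |
    ForEach-Object { Write-Host "  $_" }

# 2. DNS servers per adapter: compare against what the provider says they should be.
Write-Host '== DNS servers =='
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host "  $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

# 3. Browser Helper Objects: each registered CLSID and the DLL it loads into IE.
Write-Host '== Browser Helper Objects =='
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { '<no InprocServer32>' }
        Write-Host "  $clsid -> $dll"
    }
}

# 4. ZoneMap\Domains: per-domain security zone assignments. A bare IP address here
# is the pattern Trend removed in the thread; value 2 = Trusted sites, 4 = Restricted sites.
Write-Host '== ZoneMap domain entries =='
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $zoneRoot) {
    Get-ChildItem $zoneRoot -Recurse | ForEach-Object {
        $key = $_
        $rel = $key.Name -replace '^.*\\Domains\\', ''
        foreach ($name in $key.GetValueNames()) {
            Write-Host "  $rel [$name] = zone $($key.GetValue($name))"
        }
    }
}
```

Anything the script lists that you did not put there yourself (a non-loopback Hosts entry for a site you visit, a DNS server your provider does not recognise, a BHO DLL in an odd path, or a raw IP in ZoneMap) is what the cleaning tools in this thread are looking for.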
 
Default NG ID

I've now run Sophos and Trend in normal mode, and neither found
anything.

Sorry to keep going on about this, but does anyone have any further
ideas at all? The same problem has just occurred on another link that
someone sent me:

hXXp://cycledog.blogspot.com/2005/08/cyclist-101-satire.html

I've searched Google on browser divert and have found lots of other
people having variations on this problem, but I've not been able to
find any solutions there.

Thanks again for all help so far.

Shirley
 
