New threat

Discussion in 'ESET Smart Security' started by dsnooks70, Feb 10, 2010.

Thread Status:
Not open for further replies.
  1. dsnooks70

    dsnooks70 Registered Member

    Joined:
    Jan 28, 2010
    Posts:
    9
    -www.tomshardware.com/forums- gets hijacked and redirected to a Security Warning site.

    I am running ESS4 (.0.314.0) database 4854 (20100210) on Vista 64 SP2

    Windows and ESS4 don't respond in any way, my only response so far has been to start task manager and kill the application(s) (two IE windows are opened with the same name)

    So far tomshardware is the only site that hijacks my IE ... Firefox doesn't seem to have a problem.

    Just FYI
     
    Last edited by a moderator: Feb 10, 2010
  2. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Nothing amiss here.

    ??
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,950
    Location:
    U.S.A.
  4. dsnooks70

    dsnooks70 Registered Member

    Joined:
    Jan 28, 2010
    Posts:
    9
  5. dsnooks70

    dsnooks70 Registered Member

    Joined:
    Jan 28, 2010
    Posts:
    9
    hmm ... seems that the bookmark itself was causing the redirect ... ?

    any ideas how that happened? I have now deleted said bookmark
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,950
    Location:
    U.S.A.
    dsnooks70, can you recall what was the bookmark's URL? And what was the Security Warning site?

    On your second link, in order to see everything in that page, I had to disable both AdBlock Plus and NoScript.

    A rundown of all the 3rd party sites that are part of that page:

    tomshardware.com, doubleclick.net, mediaplex.com, voicefive.com, scorecardresearch.com, bestofmedia.com, apmebf.com, googleadservices.com, atdmt.com, 2mdn.net, computing.net, smartadserver.com, and google-analytics.com. :ouch:
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    The forum seems to be just fine, they may have gone offline for a bit for a server backup.

    Best bet is that it's not the site, you likely have another undetected issue.

    Run an on-demand scan and post back your findings.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Yeah, :ouch: is right, my eyes would hurt as well if I didn't have the ads blocked.
    All Boards and so on, these days need the third-party revenue to keep going, save a few, you just need to run a HOSTS File for IE or NoScript, etc. for FF.
     
  9. dsnooks70

    dsnooks70 Registered Member

    Joined:
    Jan 28, 2010
    Posts:
    9
    looks like my system definitely had an issue ... I backed up and removed all of my favs and did a full ATF clean for IE and Firefox. Unloaded a bunch of crap from starting with windows and also found ESET firewall was posting an Incorrect IP Packet Length message about once every second, only shows the time, the event name and the Protocol as 0. I checked out programs that had been installed lately, looks like my wife has been watching movies online with DivX ... hmmmm. Deep sixed the DivX browser program just to be safe. Things seem ok now.

    Anyone have an idea what the firewall was squawking about?

    in the process of doing an on-demand full scan, will report findings

    thanks all
     
  10. dsnooks70

    dsnooks70 Registered Member

    Joined:
    Jan 28, 2010
    Posts:
    9
    here is the log from the On-Demand scan. Sorry about the smilies at the beginning of the log, lol ... is there a way to disable smilies?

    Scan Log
    Version of virus signature database: 4854 (20100210)
    Date: 10/02/2010 Time: 3:39:14 PM
    Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\; D:\Boot sector; D:\;E:\Boot sector;E:\
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\Boot\BCD - error opening [4]
    C:\Boot\BCD.LOG - error opening [4]
    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_f740e06a-2f38-494c-ba92-8ac890f30b63 - error opening [4]
    C:\ProgramData\Microsoft\Search Enhancement Pack\SeaPort\SeaNote.cab - error opening [4]
    C:\ProgramData\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.cab - error opening [4]
    C:\ProgramData\Microsoft\Search Enhancement Pack\SeaPort\SearchBoxExt.cab - error opening [4]
    C:\ProgramData\Microsoft\Search Enhancement Pack\SeaPort\SHelper.cab - error opening [4]
    C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_f740e06a-2f38-494c-ba92-8ac890f30b63 - error opening [4]
    C:\Users\All Users\Microsoft\Search Enhancement Pack\SeaPort\SeaNote.cab - error opening [4]
    C:\Users\All Users\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.cab - error opening [4]
    C:\Users\All Users\Microsoft\Search Enhancement Pack\SeaPort\SearchBoxExt.cab - error opening [4]
    C:\Users\All Users\Microsoft\Search Enhancement Pack\SeaPort\SHelper.cab - error opening [4]
    C:\Users\Trudy\NTUSER.DAT - error opening [4]
    C:\Users\Trudy\ntuser.dat.LOG1 - error opening [4]
    C:\Users\Trudy\ntuser.dat.LOG2 - error opening [4]
    C:\Users\Trudy\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9FB88167-1682-11DF-A84A-001D92B692C0}.dat - error opening [4]
    C:\Users\Trudy\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9FB88168-1682-11DF-A84A-001D92B692C0}.dat - error opening [4]
    C:\Users\Trudy\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{A6C2B895-1682-11DF-A84A-001D92B692C0}.dat - error opening [4]
    C:\Users\Trudy\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
    C:\Users\Trudy\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
    C:\Users\Trudy\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
    C:\Users\Trudy\AppData\Local\Microsoft\Windows Defender\FileTracker\{00666A20-D5E1-4739-B136-46767E9C98EA} - error opening [4]
    C:\Users\Trudy\Downloads\Daniel\esv.logos.3284cfc4.zip » ZIP » Setup/Installs/IESetup/EN/IE_S1.CAB » CAB » IE_1.CAB » CAB » MSHTML.TLB - next archive volume not found
    C:\Users\Trudy\Downloads\Daniel\esv.logos.3284cfc4.zip » ZIP » Setup/Installs/IESetup/EN/IENT_S1.CAB » CAB » IENT_1.CAB » CAB » MSHTML.DLL - next archive volume not found
    C:\Users\Trudy\Downloads\Daniel\tademo99b2.exe » NSIS - bad archive
    C:\Windows\MEMORY.DMP - error opening [4]
    C:\Windows\Logs\CBS\CBS.log - error opening [4]
    C:\Windows\Logs\CBS\CBS.persist.log - error opening [4]
    C:\Windows\Logs\DPX\setupact.log - error opening [4]
    C:\Windows\Logs\DPX\setuperr.log - error opening [4]
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config - error opening [4]
    C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe.config - error opening [4]
    C:\Windows\Panther\UnattendGC\diagerr.xml - error opening [4]
    C:\Windows\Panther\UnattendGC\diagwrn.xml - error opening [4]
    C:\Windows\Panther\UnattendGC\setupact.log - error opening [4]
    C:\Windows\Panther\UnattendGC\setuperr.log - error opening [4]
    C:\Windows\security\database\secedit.sdb - error opening [4]
    C:\Windows\System32\LogFiles\Firewall\pfirewall.log - error opening [4]
    C:\Windows\System32\LogFiles\Firewall\pfirewall.log.old - error opening [4]
    C:\Windows\winsxs\amd64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18000_none_2d4d2c2fee5d2889\dnary.xsd - error opening [4]
    C:\Windows\winsxs\amd64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18226_none_2d3d91dfee67f2c3\dnary.xsd - error opening [4]
    C:\Windows\winsxs\amd64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.22389_none_2d89500107b38638\dnary.xsd - error opening [4]
    C:\Windows\winsxs\amd64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6002.18005_none_2f38a53beb7ef3d5\dnary.xsd - error opening [4]
    C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18000_none_d12e90ac35ffb753\dnary.xsd - error opening [4]
    C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18226_none_d11ef65c360a818d\dnary.xsd - error opening [4]
    C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.22389_none_d16ab47d4f561502\dnary.xsd - error opening [4]
    C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6002.18005_none_d31a09b83321829f\dnary.xsd - error opening [4]
    D:\ - error opening [4]
    E:\NGC\omg\Downloads\winamp5572_pro_all.exe » NSIS - incorrect CRC checksum, the file may be damaged
    E:\NGC\omg\Downloads\Winamp_Essentials_6_7_8.exe » NSIS - archive damaged - the file could not be extracted.
    Number of scanned objects: 518491
    Number of threats found: 0
    Time of completion: 4:36:15 PM Total scanning time: 3421 sec (00:57:01)

    Notes:
    [4] Object cannot be opened. It may be in use by another application or operating system.
     
    Last edited by a moderator: Feb 10, 2010
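    A quick way to triage a log like the one above is to group each file line by the note the scanner attached (locked file, damaged or incomplete archive, anything else) and pull out the summary counters, so it is obvious whether any line is an actual detection or just a file the scanner could not read. This is an added example, not ESET's tooling or the poster's; the sample log is a constructed short version in the same layout as the posted one, and the "other" class is an assumption for lines that match neither known note.

```python
"""Triage an ESET on-demand scan log: bucket file lines by note type
and extract the summary counters. Added example, not ESET's own code."""
import re
from collections import Counter

# Constructed sample in the same layout as the log posted in the thread
# (paths shortened and made up; not the original file list).
SAMPLE_LOG = """\
Scan Log
Version of virus signature database: 4854 (20100210)
Date: 10/02/2010 Time: 3:39:14 PM
C:\\hiberfil.sys - error opening [4]
C:\\Users\\Trudy\\NTUSER.DAT - error opening [4]
C:\\Users\\Trudy\\Downloads\\example.zip » ZIP » a.cab » CAB » x.dll - next archive volume not found
C:\\Users\\Trudy\\Downloads\\setup.exe » NSIS - bad archive
E:\\Downloads\\other.exe » NSIS - incorrect CRC checksum, the file may be damaged
Number of scanned objects: 518491
Number of threats found: 0
Time of completion: 4:36:15 PM Total scanning time: 3421 sec (00:57:01)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.
"""

# A file line is "<path>[ » nested entries] - <note>"; header lines have no " - ".
ENTRY_RE = re.compile(r"^(?P<path>.+?) - (?P<note>.+)$")
COUNTER_RE = re.compile(r"^Number of (?P<name>.+?): (?P<value>\d+)$")

def classify(note):
    """Map the scanner's free-text note to a coarse triage class."""
    if note.startswith("error opening"):
        return "locked"           # in use by the OS or another app; not a detection
    if "archive" in note or "CRC" in note:
        return "damaged_archive"  # scanner could not unpack the container
    return "other"                # assumed class: anything else gets a manual look

def triage(log_text):
    """Return ({class: count}, {counter_name: int}) for one scan log."""
    classes = Counter()
    counters = {}
    for line in log_text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
            continue
        m = ENTRY_RE.match(line)
        # Require a drive path so prose lines with a stray " - " are ignored.
        if m and "\\" in m.group("path"):
            classes[classify(m.group("note"))] += 1
    return dict(classes), counters
```

    Applied to the posted log, every file line falls into the first two classes and the counters confirm zero detections, which is the point siljaline's request to ESET is checking.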
  11. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I have asked ESET to examine your follow-up scan log since it has firewall components that I am not familiar with.

    There will be a slight delay.
     
  12. JesusV

    JesusV Former ESET Support Rep

    Joined:
    Jan 21, 2010
    Posts:
    93
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619