Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 4th, 2009, 3:39 am

Hi, my browser keeps getting redirected to Sedoparking. I tried switching from Firefox to Safari, I tried reformatting/reinstalling Windows, changing antivirus programs, CCleaner... didn't help. Help! :cyclops:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:45 PM, on 12/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\PLFSetL.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\oDesk\oDeskCommonPrefs.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\oDesk\oDeskTeam.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [Malware Defender] c:\program files\malware defender\malwaredefender.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Prefs] C:\PROGRA~1\oDesk\oDeskLaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Malware Defender Service (MalwareDefenderService) - TorchSoft - c:\program files\malware defender\mdservice.exe

--
End of file - 5749 bytes
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am
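A small triage script for the HijackThis log format posted above, as an added example (not part of HijackThis or of the original post): it parses the section lines into records and flags the entries a helper reads first. The sample lines are copied from this log, except the "updater.exe" autorun entry, which is constructed; the trusted start-page list is an assumption.

```python
"""Triage helper for Trend Micro HijackThis v2 log entries.

Added example for this thread; it is not part of HijackThis or of the
original post. It parses the "R0 - ...", "O4 - ...", "O23 - ..." lines into
records and flags the ones a helper usually reviews first. The sample lines
are copied from the log posted above, except the "updater.exe" autorun
entry, which is a constructed example; the trusted start-page list is an
assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List

# "O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe" -> code "O4", body after " - "
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Autorun targets under user-profile or temp paths are unusual for installed software
USER_PATH_RE = re.compile(r"\\(temp|documents and settings|appdata|recycler)\\", re.I)


@dataclass
class Entry:
    code: str                 # HijackThis section code, e.g. "R0", "O4", "O23"
    body: str                 # the rest of the line
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """One Entry per section line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: List[Entry], trusted_pages=("about:blank",)) -> List[Entry]:
    """Attach review flags in place and return only the entries that got one."""
    for e in entries:
        if e.code in ("R0", "R1") and "Page =" in e.body:
            # Start/search page rewritten to a site the user did not choose
            url = e.body.split("=", 1)[1].strip()
            if url not in trusted_pages:
                e.flags.append(f"browser page setting points to {url}")
        elif e.code == "R3":
            # URLSearchHooks see every address-bar entry; always worth a look
            e.flags.append("URLSearchHook installed")
        elif e.code == "O4":
            m = re.search(r'\]\s*"?(?P<cmd>[^"]+)', e.body)
            if m and USER_PATH_RE.search(m.group("cmd")):
                e.flags.append("autorun target in a user-profile/temp path")
        elif e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("service binary with no publisher information")
    return [e for e in entries if e.flags]


# Lines copied from the log above; the "updater" O4 line is constructed.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.code, "|", "; ".join(e.flags), "|", e.body)
```

Flags mean "look at this", not "this is malware": the AVG service and Intel tray entries pass, while the search hook and the unsigned Macromedia service are surfaced for a human decision.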

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby Odd dude » December 9th, 2009, 2:24 pm

Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you to get rid of whatever you have on your computer (don't worry, just the malware stuff :D). However, it is important to take note of the following:

  • Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please try to reply within three days - failure to do so might result in this thread being archived before we have finished cleaning you up. :o
    If you need more time than that, all you need to do is tell me. ;)
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is making sure that your antivirus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

---------------------------

Malware surviving a reformat/reinstall is rare, but not unheard of. Possibilities include an infection of the master boot record.

Seeing as you reformatted/reinstalled, you will undoubtedly have made backups of important files. The first thing I want to check is whether the backups may be causing the issues. I'll first check for the master boot record infection, because that'll need immediate attention if it's present. However, during the next steps we may need to scan any backup media you might have, which I therefore advise you to have available.

GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
    If it warns you about rootkit activity, click Yes when asked whether to scan the system.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.

Make an Uninstall List
I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place and post it in your next reply.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 10th, 2009, 5:36 am

Hellooo! Thank you so much for replying..
Attached is my GMER log, because I tried to post it here, but it looks so messed up. Let me know if you need me to post it, not as an attachment.
GMER log.txt
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 10th, 2009, 5:37 am

And here's the Uninstall List:

Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Illustrator CS2
Adobe InDesign CS2
Adobe Photoshop CS2
Adobe Reader 9.1
Adobe SVG Viewer 3.0
Apple Mobile Device Support
Apple Software Update
AVG 9.0
Bonjour
CCleaner (remove only)
Conexant HD Audio
DAEMON Tools Toolbar
GTS
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
iTunes
K-Lite Mega Codec Pack 2.01
Macromedia Director MX 2004
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia FreeHand MX
Malware Defender
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.5)
oDesk MiniCam 2.0.73
oDesk ScreenSnap 2.0.113
oDesk Share 2.0.69
oDesk Team 2.0.140
PDF-Viewer
QuickTime
Safari
Synaptics Pointing Device Driver
WinRAR archiver
Yahoo! Install Manager
Yahoo! Toolbar

Thanks Odd Dude :P
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby Odd dude » December 10th, 2009, 6:42 am

Hi :)

There is something I would like to check with some of my 'colleagues', but there's nothing alarming showing :)

For the next step please plug in all/any backup media you use or have used. We need to make sure those aren't bringing back an infection.

You said you recently switched browsers, from Firefox to Safari. Did this make a difference? There's a known malevolent Firefox plugin which could cause issues such as the ones you describe.

Run Panda Online Scan

Run Panda's ActiveScan from here and perform a full system scan.
    - Once you are on the Panda site click the "Scan Now" button
    - If it wants to install an ActiveX component allow it
    - if you get a security warning to install this software click install
    - It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
    - Save the log file to your desktop
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 10th, 2009, 7:05 am

Hi, this kept happening during download:
"We're sorrry. The download could not be completed due to an error. Please try again."
I will try to download it again tonight.

Sometimes during work, if I open a page from the same site over and over again (for example DeviantArt or Smugmug, with different accounts from different people), the page is redirected to Sedoparking. But after a while, I tried the same address again and it was fine. It also happened with eppraisal.com. After a few times, it was redirected to Sedoparking. Switching browser only works for some time before the same thing happens.

Thank you Odd :flower:
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby Odd dude » December 10th, 2009, 7:13 am

Thanks for the info :)

Let's try a different scan.

Download and run Sysclean
  • Create a folder on your desktop called Sysclean.
  • Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
  • Go to http://www.trendmicro.com/download/pattern.asp and download the Virus Pattern File (Official Pattern Release) to your desktop.
    This file will be called lptXXX.zip (XXX represents the version number)
  • Unzip lptXXX.zip and you'll get the file lpt$vpn.XXX. Read here how to unzip/extract properly.
  • Move the lpt$vpn.XXX to the Sysclean-folder you created on your desktop.
  • Open the sysclean-folder and doubleclick sysclean.com.
  • Check: "Automatically clean or delete detected files".
  • Click scan.
Open your sysclean-folder and copy and paste the contents of sysclean.log in your next reply.

Also, I hope you don't mind me asking, but why is your Windows XP still at Service Pack 2 and not at SP3?
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 11th, 2009, 1:29 am

I don't know about the service pack. I went to the computer shop to have my laptop reformatted, and I just wrote down that I wanted to have Windows XP, not Vista or 7, and several programs I'd like to have installed. Does it make a difference? :profileleft:

Here's the log:



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2009-12-11, 00:48:50, Auto-clean mode specified.
2009-12-11, 00:48:52, Initialized Rootkit Driver version 2.2.0.1004.
2009-12-11, 00:48:52, Running scanner "C:\Documents and Settings\user\Desktop\sysclean\TSC.BIN"...
2009-12-11, 00:49:18, Scanner "C:\Documents and Settings\user\Desktop\sysclean\TSC.BIN" has finished running.
2009-12-11, 00:49:18, TSC Log:

Damage Cleanup Engine (DCE) 6.2 (Build 1016) (RCM: 2.2.0-1004)

Windows XP (Build 2600: Service Pack 2)

Start time: Fri Dec 11 2009 00:48:55

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\user\Desktop\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\user\Desktop\sysclean\tsc.ptn" (version 1066) [success]

Complete time: Fri Dec 11 2009 00:49:18

Execute pattern count (3063), Virus found count (0), Virus clean count (0), Clean failed count (0)


2009-12-11, 00:49:18, Running scanner "C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN"...
2009-12-11, 01:22:14, Scanner "C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN" has finished running.
2009-12-11, 01:22:14, VSCANTM Log:

2009-12-11, 01:22:14, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 12/11/2009 00:49:19
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 683 (498524/498524 Patterns) (2009/12/09) (668300)

Command Line: C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\user\Desktop\sysclean\lpt$vpn.683

44248 files have been read.
44248 files have been checked.
44199 files have been scanned.
108610 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/11/2009 01:22:14 32 minutes 54 seconds (1974.16 seconds) has elapsed.(44.616 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-12-11, 01:22:14, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 12/11/2009 00:49:19
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 683 (498524/498524 Patterns) (2009/12/09) (668300)

Command Line: C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\user\Desktop\sysclean\lpt$vpn.683

44248 files have been read.
44248 files have been checked.
44199 files have been scanned.
108610 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/11/2009 01:22:14 32 minutes 54 seconds (1974.16 seconds) has elapsed.(44.616 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-12-11, 01:22:14, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 12/11/2009 00:49:19
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 683 (498524/498524 Patterns) (2009/12/09) (668300)

Command Line: C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\user\Desktop\sysclean\lpt$vpn.683

44248 files have been read.
44248 files have been checked.
44199 files have been scanned.
108610 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/11/2009 01:22:14 32 minutes 54 seconds (1974.16 seconds) has elapsed.(44.616 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-12-11, 01:22:14, Running scanner "C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN"...
2009-12-11, 01:30:38, Scanner "C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN" has finished running.
2009-12-11, 01:30:38, VSCANTM Log:

2009-12-11, 01:30:38, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 12/11/2009 01:22:15
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 683 (498524/498524 Patterns) (2009/12/09) (668300)

Command Line: C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Documents and Settings\user\Desktop\sysclean\lpt$vpn.683

18107 files have been read.
18107 files have been checked.
18106 files have been scanned.
24659 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/11/2009 01:30:38 8 minutes 22 seconds (502.44 seconds) has elapsed.(27.748 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-12-11, 01:30:38, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 12/11/2009 01:22:15
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 683 (498524/498524 Patterns) (2009/12/09) (668300)

Command Line: C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Documents and Settings\user\Desktop\sysclean\lpt$vpn.683

18107 files have been read.
18107 files have been checked.
18106 files have been scanned.
24659 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/11/2009 01:30:38 8 minutes 22 seconds (502.44 seconds) has elapsed.(27.748 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-12-11, 01:30:38, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 12/11/2009 01:22:15
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 683 (498524/498524 Patterns) (2009/12/09) (668300)

Command Line: C:\Documents and Settings\user\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Documents and Settings\user\Desktop\sysclean\lpt$vpn.683

18107 files have been read.
18107 files have been checked.
18106 files have been scanned.
24659 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 12/11/2009 01:30:38 8 minutes 22 seconds (502.44 seconds) has elapsed.(27.748 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby Odd dude » December 11th, 2009, 3:40 pm

Hi :)

First of all, I apologize for the delay in replying.

To answer your question: having SP2 is not a problem, but be sure to update your Windows to SP3 when we're finished. Service pack 3 has been out for a while, containing many important security fixes. Don't update right now, as service pack updates do not usually go well on infected computers.

Could you please inform me how you connect to the internet? I'm looking for answers such as: cable/wireless network/dial-up/...
This may enlighten me on the situation you're having.
Also are you using any firewall?

The virus scan came back clean. Let's explore some more options.

Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Also please download Malwarebytes' Anti-Malware.

  • Install the program by following the prompts after double-clicking on mbam-setup.exe
  • Once you approach the final installation screen, put a check next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish
  • MBAM (that's an acronym of Malwarebytes' Anti-Malware) will now start. Choose Perform full scan and click Scan
  • Get a cup of coffee/tea/hot chocolate and watch some TV for about an hour.
  • Once the scan has finished, click OK, then Show Results.
  • Put a check next to everything, then click Remove selected.
  • Now, a log will open. Save this to your desktop and post it.

Please post the CKFiles.txt and the Malwarebytes log and the answers to my questions.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 12th, 2009, 1:20 am

CKFiles

CKScanner - Additional Security Risks - These are not necessarily bad
c:\crack acrobat 8.0\adobelm.dll
c:\exclusiv03\crack\fangdown.nfo
c:\exclusiv03\crack\www.fangdown.com.txt
c:\exclusiv03\crack\zwt.nfo
c:\exclusiv04\crack\fangdown.nfo
c:\exclusiv04\crack\www.fangdown.com.txt
c:\exclusiv04\crack\zwt.nfo
c:\program files\macromedia\dreamweaver 8\configuration\content\reference\html\keygen.html
c:\program files\macromedia\dreamweaver 8\configuration\content\reference\php\crackf.html
scanner sequence 3.ED.11
----- EOF -----

MBAM scan is in progress, and I'm using ADSL/broadband internet with cable (not wi-fi). Could it be this problem is due to the provider?
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 12th, 2009, 2:30 am

Malwarebytes' Anti-Malware 1.42
Database version: 3348
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/12/2009 1:27:16 PM
mbam-log-2009-12-12 (13-27-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 165972
Time elapsed: 31 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby Odd dude » December 12th, 2009, 4:38 am

Hi :)

The reason I asked how you connect to the internet is that sometimes malware modifies certain settings in routers which will cause redirects to malevolent domains to be programmed into your router.

Seeing as you connect through cable, that must mean you use a router. I recommend that you perform these steps:

1) Shut down your computer
2) Reset the router (consult the manual that came with it for instructions)
3) Turn on your computer
4) When you have logged in, click start>run and enter cmd
5) Enter these commands:
     ipconfig /flushdns
     ipconfig /registerdns
     exit

6) Reboot the computer once more and see if there's any change

Also, could you tell me what's inside this folder: c:\crack acrobat 8.0 ?
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
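A check for the resolver-tampering hypothesis in the post above, as an added example (not from the thread or from any tool it names): it reads the DNS servers that `ipconfig /all` reports on Windows XP, flags any not in an expected list, and looks for hosts-file entries that pin the redirected domains somewhere other than localhost. The ipconfig output and hosts file are constructed samples, and the expected-resolver list is an assumption a user fills in from the ISP's or router's documentation.

```python
"""Resolver and hosts-file check for the router/DNS redirect hypothesis.

Added example, not part of the original post. parse_ipconfig_dns() pulls the
DNS servers out of Windows XP `ipconfig /all` text, check_resolvers() flags
any outside an expected set, and hosts_overrides() finds hosts-file pins for
the domains the poster saw redirected. Samples below are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# "DNS Servers . . . . . . . . . . . : 192.168.1.1"  -> first server on the label line
DNS_LABEL_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)")


def parse_ipconfig_dns(output: str) -> List[str]:
    """Every DNS server address in `ipconfig /all` output.

    XP prints the first server on the label line and further servers on
    indented continuation lines, so keep reading until a non-address line.
    """
    servers = []
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = DNS_LABEL_RE.match(line)
        if not m:
            continue
        servers.append(m.group(1))
        for cont in lines[i + 1:]:
            try:
                ipaddress.ip_address(cont.strip())
            except ValueError:
                break
            servers.append(cont.strip())
    return servers


def check_resolvers(servers: List[str], expected: List[str]) -> List[str]:
    """Flag resolvers outside the expected set (normally the router's LAN
    address or the ISP's resolvers); an address you never configured is what
    a modified router or adapter setting looks like."""
    allowed = {ipaddress.ip_address(x) for x in expected}
    findings = []
    for s in servers:
        try:
            if ipaddress.ip_address(s) not in allowed:
                findings.append(f"unexpected resolver {s}")
        except ValueError:
            findings.append(f"unparseable resolver entry {s!r}")
    return findings


def parse_hosts(text: str) -> Dict[str, str]:
    """Hostname -> address from hosts-file text; first entry wins, as in the resolver."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])
    return mapping


def hosts_overrides(mapping: Dict[str, str], watch: List[str]) -> Dict[str, str]:
    """Entries sending a watched domain (or a subdomain) somewhere other than
    localhost; localhost pins are blocks, not redirects."""
    hits = {}
    for name, ip in mapping.items():
        if ip in ("127.0.0.1", "::1", "0.0.0.0"):
            continue
        if any(name == d or name.endswith("." + d) for d in watch):
            hits[name] = ip
    return hits


# Constructed sample in the XP `ipconfig /all` layout; 203.0.113.x is a documentation range
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# Constructed sample hosts file with one override of a domain from the thread
SAMPLE_HOSTS = """\
127.0.0.1       localhost
203.0.113.7     www.malwareremoval.com   # constructed override
127.0.0.1       ads.example.net
"""

# Domains the poster reported being redirected
WATCHED = ["malwareremoval.com", "deviantart.com", "smugmug.com", "eppraisal.com"]


def run_checks(ipconfig_out=SAMPLE_IPCONFIG, hosts_text=SAMPLE_HOSTS,
               expected=("192.168.1.1",)) -> dict:
    return {"resolvers": check_resolvers(parse_ipconfig_dns(ipconfig_out), list(expected)),
            "hosts": hosts_overrides(parse_hosts(hosts_text), WATCHED)}


if __name__ == "__main__":
    print(run_checks())
```

On a real machine, feed it the saved output of `ipconfig /all` and the contents of C:\WINDOWS\system32\drivers\etc\hosts, and put the router's LAN address and the ISP's resolvers in `expected`.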

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 12th, 2009, 1:44 pm

Okay, but I will need to find the instructions that come with the modem first. I don't think I'm using a router. I used to back when I lived at my old place, but this one looks like a regular modem (it even looks like the old modem from when the internet was still connected through the phone line). I can send you a picture if you want :lol: but meanwhile, I'll ask the internet service provider what type of modem this is.

I do ipconfig /flushdns regularly. I don't know what the correct use of this is, but every time the internet got slower in the office, the IT staff told me to do this, so I did it without knowing the exact reason :lol:

I'll try the registerdns too.

Inside the folder C:\crack acrobat is a file named Adobelm.dll
I don't know what this is, since my computer is recently reformatted. Should I just go ahead and delete it?
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby Odd dude » December 12th, 2009, 2:04 pm

nashata wrote: I don't know what this is, since my computer is recently reformatted. Should I just go ahead and delete it?
From the folder name it seems to be cracked software for Adobe Acrobat 8.0, which you apparently don't use. So I'd strongly recommend that you delete it.

I can tell you that I myself have a wired LAN and the router looks exactly like you describe - but still is a router ;)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Browser redirected to Sedoparking (again and again T_T)

Unread postby nashata » December 14th, 2009, 2:52 am

Hi OD,
I've deleted the unnecessary Adobe folder and rebooted the modem. But I don't know if it's correct, since there's no reset button on it, so I tried using the reboot option from the internet provider's site. I asked the call center and they didn't know any better, so I thought I'd better ask you :lol:
Attached is an image of what the page said.

After the reboot, this malwareremoval.com site was redirected to sedoparking all the time. But after I restarted the computer and did flushdns and registerdns, it's back to normal. I'll report if anything unusual happens again in the next 24hr.
nashata
Regular Member
 
Posts: 26
Joined: December 4th, 2009, 3:29 am