
View Full Version : Click redirect -- another virus?


Hulk
02-24-2009, 01:09 AM
Here's what is going on:

I go to Google and type in a search: canon 40d vs 50d (http://www.google.com/search?hl=en&q=canon+40d+vs+50d&btnG=Google+Search&aq=4&oq=Canon+40)

I click on the 3rd link down, called "The Canon EOS 40D vs 50D: We Review & Compare | Spot Cool Stuff: Tech". It's supposed to take me here:
tech.spotcoolstuff.com/photography/digital-camera/slr-showdown-40d-50d-canon-eos/ (http://tech.spotcoolstuff.com/photography/digital-camera/slr-showdown-40d-50d-canon-eos/)

Instead, when I click it, it takes me here:
http://www.ave99.com/search.php?q=canon%2B40d%2Bvs%2B50d

The next time, it takes me here:
http://www.dexknows.com/search.ds?newSearch=true&siteid=CD42&what=Cameras&where=denver+co&pid=bresults&from=CD42&metro=checked&qCD=

Then it took me here:
http://biassickness.info/search.php?aid=11774&said=2788-3&keyword=canon%2040d%20vs%2050d&ipr=&rej=1

Finally, it took me here:
http://www.google.com/undefined

One more click and it took me where I actually want to go.

Any idea what's going on?

Hulk
02-24-2009, 01:36 AM
I changed from the Qwest DNS to OpenDNS, thinking Qwest was the cause of the problem. But even after rebooting my modem/router, I clicked the same link above and ended up here:
http://www.ibuydigital.com/product/?43681&cart_id=21760711

Aha. It sounds like it is a trojan:
http://answers.yahoo.com/question/index?qid=20090214093138AAEKpVQ

pmccumber
02-24-2009, 01:42 AM
I got the first link (the correct one) on two of my home computers.

I always tell people to check their hosts table and see if anything looks odd:
C:\WINDOWS\system32\drivers\etc\hosts

Mine simply has the localhost defined. If somebody were trying to spoof another site, they could do so by falsifying an entry in this table.

Other than that, it seems odd that the clicks yielded somewhat relevant destinations. When you mouse over these hyperlinks, do you get the address you expect? If you're using Firefox, right-click and copy the link location, paste that into a text buffer somewhere, and look at it.

Seems odd.
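The hosts-file check described above, written out as a small audit script. This is an added example, not code from the thread; the hosts file contents below are constructed (the 203.0.113.0/24 address is a documentation range, and the hijack entries are made up to show what a spoofed and a blackholed mapping look like). It flags any name that does not resolve to loopback, and any loopback entry whose name is not a localhost alias, which is what a redirect or an AV/update blocker would add:

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not from the thread). The loopback lines are
# what a clean Windows hosts file contains; the last two lines are the kind of
# entry a click-redirect trojan would add and are here only as test input.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed hijack entries below
203.0.113.10    www.google.com google.com   # real site sent to another server
127.0.0.1       update.microsoft.com        # update site blackholed
"""

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

Entry = Tuple[str, List[str], int]          # (ip, [hostnames], line number)
Finding = Tuple[str, str, List[str], int]   # (kind, ip, [hostnames], line number)


def parse_hosts(text: str) -> List[Entry]:
    """Split a hosts file into (ip, names, lineno), dropping comments/blanks."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                            # blank, comment, or malformed
        entries.append((fields[0], fields[1:], lineno))
    return entries


def suspicious_entries(text: str) -> List[Finding]:
    """Report every entry that is not plain loopback bookkeeping.

    'redirect'  - a non-loopback address mapped to a name: the classic spoof,
                  where a real site is resolved to someone else's server.
    'blackhole' - a loopback address mapped to a name that is not a localhost
                  alias: used to stop AV/update sites from loading.
    'malformed' - the address field does not parse as an IP at all.
    """
    findings: List[Finding] = []
    for ip, names, lineno in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, names, lineno))
            continue
        if addr.is_loopback:
            odd = [n for n in names if n.lower() not in LOOPBACK_NAMES]
            if odd:
                findings.append(("blackhole", ip, odd, lineno))
        else:
            findings.append(("redirect", ip, names, lineno))
    return findings


def audit_file(path: str) -> List[Finding]:
    """Run the check against a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    # Runs offline against the constructed sample; pass a real path such as
    # C:\WINDOWS\system32\drivers\etc\hosts (or /etc/hosts) to audit_file.
    for kind, ip, names, lineno in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:9s} {ip} -> {' '.join(names)}")
```

A clean file produces no findings; anything reported is worth explaining, since a legitimate hosts file on a home machine rarely needs more than the loopback lines. Note that this only covers one hijack location: a redirect can just as well be done by the browser (as the later posts in this thread found) or by a changed DNS resolver, and neither shows up in the hosts file.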

DaveInDenver
02-24-2009, 06:44 AM
Clicked the link and got the correct page, no redirects here. Running Qwest DSL using qwest.net for my ISP. Checked with Firefox and Safari, no difference I could see.

Hulk
02-24-2009, 08:35 AM
My hosts file only shows this:
127.0.0.1 localhost

pmccumber
02-24-2009, 09:27 AM
Another one is running a trace of the route the packet took to get to the destination. I did a trace on my computer. I have a router downstairs, the cable modem (which is also a router), and Comcast. So once Comcast has it, where they inject it into Al Gore's WAN might be different from other providers. But you doing this should show the offender somewhere in the process; just finding it might be tough.

Here is my trace:

C:\Documents and Settings\Dad>tracert tech.spotcoolstuff.com

Tracing route to tech.spotcoolstuff.com [69.4.229.209]
over a maximum of 30 hops:

  1     2 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     9 ms     9 ms    10 ms  GE-2-2-ur01.longmont.co.denver.comcast.net [68.86.104.225]
  4    32 ms    25 ms    50 ms  te-0-8-0-5-ar02.denver.co.denver.comcast.net [68.86.103.154]
  5    20 ms    20 ms     9 ms  pos-0-4-0-0-cr01.denverqwest.co.ibone.comcast.net [68.86.91.17]
  6    13 ms    14 ms    12 ms  pos-0-10-0-0-cr01.denver.co.ibone.comcast.net [68.86.86.22]
  7    27 ms    26 ms    26 ms  pos-0-9-0-0-cr01.dallas.tx.ibone.comcast.net [68.86.85.174]
  8    44 ms    26 ms    28 ms  softlayer-cr01.dallas.tx.ibone.comcast.net [75.149.228.34]
  9    33 ms    29 ms    29 ms  po2.dar01.dal01.dallas-datacenter.com [66.228.118.205]
 10    67 ms    68 ms    66 ms  te2-2.cer01.sea01.seattle-datacenter.com [66.228.118.194]
 11    64 ms    65 ms    64 ms  po01.fcr01.sea01.seattle-datacenter.com [67.228.118.134]
 12    67 ms    67 ms    65 ms  ans67.midphase.com [69.4.229.209]

Trace complete.
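The two things worth pulling out of a trace like the one above are the address the hostname resolved to (a hosts-file or resolver hijack shows up there, before any hop) and whether the trace actually ended at that address. The script below is an added example, not from the thread: it parses Windows `tracert` output, rejoins hop lines that were wrapped at the terminal or forum width as in the post above, and compares the resolved address with one known to be correct (for instance what a second machine or resolver returned for the same name). The sample trace is constructed in the same shape as the post's; the expected address passed in is an assumption for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from the thread) in the same shape as the trace in the
# post above, including two hops wrapped mid-address the way the forum archive
# shows them and one hop that timed out.
SAMPLE_TRACERT = """\
Tracing route to tech.spotcoolstuff.com [69.4.229.209]
over a maximum of 30 hops:

  1     2 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     9 ms     9 ms    10 ms  GE-2-2-ur01.longmont.co.denver.comcast.net [68.8
6.104.225]
  4    32 ms    25 ms    50 ms  te-0-8-0-5-ar02.denver.co.denver.comcast.net [68
.86.103.154]
 12    67 ms    67 ms    65 ms  ans67.midphase.com [69.4.229.209]

Trace complete.
"""

HEADER_RE = re.compile(r"Tracing route to (\S+) \[([0-9A-Fa-f.:]+)\]")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]\s*$")

Hop = Tuple[int, Optional[str], Optional[str]]   # (number, hostname, ip)


def unwrap(text: str) -> List[str]:
    """Rejoin lines wrapped at the terminal/forum width.

    A line is a continuation when the previous one has an unclosed '[' (wrap
    inside the address), or when it is neither a hop nor header/footer text
    and directly follows a hop line (wrap inside the hostname).
    """
    lines: List[str] = []
    for raw in text.splitlines():
        prev = lines[-1] if lines else ""
        cont = bool(raw.strip()) and (
            prev.count("[") > prev.count("]")
            or (HOP_RE.match(prev) is not None
                and HOP_RE.match(raw) is None
                and not raw.startswith(("Tracing", "over", "Trace")))
        )
        if cont:
            lines[-1] = prev.rstrip() + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_tracert(text: str) -> Tuple[Optional[str], Optional[str], List[Hop]]:
    """Return (target name, address it resolved to, list of hops)."""
    name = ip = None
    hops: List[Hop] = []
    for line in unwrap(text):
        h = HEADER_RE.search(line)
        if h:
            name, ip = h.group(1), h.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append((number, None, None))
            continue
        a = ADDR_RE.search(rest)
        if a:                                   # 'hostname [ip]'
            hops.append((number, rest[:a.start()].split()[-1], a.group(1)))
        else:                                   # bare ip, no reverse DNS
            hops.append((number, None, rest.split()[-1]))
    return name, ip, hops


def check_trace(text: str, expected_ip: Optional[str] = None) -> Dict[str, object]:
    """Did the trace end at the address the name resolved to, and does that
    address match one known to be correct (expected_ip, if supplied)?"""
    name, ip, hops = parse_tracert(text)
    last_ip = hops[-1][2] if hops else None
    return {
        "target": name,
        "resolved": ip,
        "reached": last_ip is not None and last_ip == ip,
        "resolution_ok": None if expected_ip is None else ip == expected_ip,
        "timeouts": [n for n, _, addr in hops if addr is None],
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    # 69.4.229.209 is taken as the known-good address purely for the demo.
    print(check_trace(SAMPLE_TRACERT, expected_ip="69.4.229.209"))
```

If `resolved` differs from what other machines get for the same name, the problem is in name resolution (hosts file or resolver) rather than on the path; if it matches and `reached` is true, the route itself is fine and, as the thread's later posts found, the redirect is happening inside the browser after the page is fetched.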

Hulk
02-24-2009, 10:55 AM
OK, I think I have killed this virus. I did some searching using IE for "clickfraudmanager" and found this Geeks to Go thread (http://www.geekstogo.com/forum/Clickfraudmanager-google-yahoo-redirect-t228175.html&st=20). Someone else had the same problem. I used the GooredFix program that he mentions in post #22. He says the problem was "the new variant of the XUL Cache infection."

Looks like my redirect problem is solved.

kvanoort
02-25-2009, 08:18 PM
OK, I think I have killed this virus. I did some searching using IE for "clickfraudmanager" and found this Geeks to Go thread (http://www.geekstogo.com/forum/Clickfraudmanager-google-yahoo-redirect-t228175.html&st=20). Someone else had the same problem. I used the GooredFix program that he mentions in post #22. He says the problem was "the new variant of the XUL Cache infection."

Looks like my redirect problem is solved.

Thanks for posting this up, Matt. I currently have this same problem on my home computer and will check out this link. I've just been using Blackle.com with no problems.