For the past week or so when I click on photos at this site I sometimes get sent to a Google page or some other TGP site.  Is anyone else seeing this happen?  I went to the Microsoft page and downloaded the new patch, but it hasn't stopped this or the "windows viewer page" from opening now and then.  Can anyone help me here.  This was the best site on the net until this started happening.  Thanks.

jackohearts wrote:

...when I click on photos at this site...

Although I am no mod or so, or in anyway afliated with them, I think, I can say that this site does not host photos on this site, it just presents links to pages with photos on them or photos on other servers like imagevenue etc.

In older threads you can find attachments, but this has been stopped because of reports on problems with some of those files.
There is a thread on this issue:
http://www.peachyforum.com/forums/178426/ShowPost.aspx

jackohearts wrote:

For the past week or so when I click on photos at this site I sometimes get sent to a Google page or some other TGP site.  Is anyone else seeing this happen? ....

Not more redirection as usual. Can you post one or two examples.
And redirection can differ, from the country, you live in! Which one is it???

jackohearts wrote:

For the past week or so when I click on photos at this site I sometimes get sent to a Google page or some other TGP site....   I went to the Microsoft page and downloaded the new patch, but it hasn't stopped this or the "windows viewer page" from opening now and then...

The first incidents should not have anything to do with the WMF-exploit. Only if it says - spy ware detected (or something like that) Do you want to install help file/software to clean your system?? (Don't do this, of course, those are Trojans, too...)

The second kind of incidents really points in the direction of WMF-vulnerabilty!!!
(Can you read German pretty well - I could give you a link to a WMF-test page!!???)
As the opening of MS Pic/Fax Viewer indicates that your system is still vulnerable (I only assume) first aid would be to not use MS Internet Explorer anymore and install Firefox/Netscape or Opera...
so far for now and really provide links where those things occur, so the mods can check it...

jackohearts wrote:

For the past week or so when I click on photos at this site I sometimes get sent to a Google page or some other TGP site.

You mean when you click on attachments, aor on the links? Can you give an example?

O

On today;s opening page (1/10/06) at the top where the four galleries appear.  The one on the far right with the threesome in the field is a perfect example.  Thanks for all of the help.

That is strange because the links work fine for me. Try the direct link:

http://video.armygalleries.com/j01a/index.html

Does that work?

O

No, it still takes me to a Google page with links to other adult sites.  I ran my Spyware and it detects nothing and I used CyberScrub and the Microsoft patch.  Is this some bizzare unique thing just for my computer??  Thanks for all of the help so far.  You are all being very helpful.

Here's what I get when I click on the picture:

http://www.google.com/search?hl=en&q=free%20dating%20sites

This has to be some fake site to get hits wouldn't you think?

You've got a known Trojan not detected by your current Spyware ... that's 100% sure -

andylo wrote:

You've got a known Trojan not detected by your current Spyware ... that's 100% sure -

You definitely have spyware.

My advice:

Get Spybot and update your A/V. Reboot in safe mode and scan with both. (I was assuming you are using a pc?)

O

Hi all....

Ive had a similar problem.  It seems to redirect via a site which uses an IP address: 69.50.190.131

Usually, it refers to a google search page, with some generic search (ranging from adult material to products to buy).  It seems to work based on the domain you're trying to access.  For example, if I try to access any sites from the following domains, I get the problem:
www.teenminx.com
www.wantmoreporn.com
www7.kinghost.com
www.hungaryteens.com
www.500galleries.com
www.xxxteensparty.com
(Note: Its not limited to these domains)

To rectify this, Ive run ad-aware, spybot, CCleaner, and CWS.  None have rectified the issue.  I have checked all processes in startup, and can find no offenders there either.  Interestingly, it affects both Mozilla and IE.

Has anyone been able to resolve these problems?  Admittedly, I havent tried scaning in safe mode (but if the item isnt detectable in a normal boot, I doubt it'd be detectable in safe mode).  I'll give that a go in the next few days.


Anyone got any ideas?

Glad to hear that I'm not alone, but still sorry that someone else is having these problems.  I have run the spyware scan and it detects nothing anywhere.  I've run it several times in a day and nothing. 

As far as I can tell it has downloaded nothing in my add or remove programs either.  It only happens at these adult sites and doesn't seem to hinder anything else that I do.

I'm open to any suggestions.  Thanks again for all of the responses.  I'd pretty much quit going anywhere else on the net for pics since I found this site.  It has always been clean and never given me a problem until this started.

 

abloke21 wrote:

Admittedly, I havent tried scaning in safe mode (but if the item isnt detectable in a normal boot, I doubt it'd be detectable in safe mode).  I'll give that a go in the next few days.

I've found several spyware progs that are only detectable on safe mode. I am not sure why, perhaps because they are not running. It's worth a try anyway. Also, have you run Hijack This?

O

From what you describe, my guess is that your HOSTS file has been injected with bogus entries for certain domains. You can also try turning off http redirects to yield more clues about what is going on in your browser.

hi, try a scan with ewido. for the first 14 days you get the full version which has real-time protection after that it's just an on demand scanner. update it before you scan, if you are not worried about system restore turn it off too because if you are infected and ewido cleans it the infection will still be in SR. turn it on again afterwards.
www.ewido.net/en/

do the scan in safe mode - tap the F8 key at boot and select safe mode.

if it's really bad you could try a scan with coolwebshredder. it's really safer to just do a scan and not click on fix incase you aren't infected and it gets it wrong, but it's up to you.
http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/CWShredder.shtml

see if ewido can show what running processes you have and what your startups are too. save anything you can from ewido and post it here. if it's not too bad we can probably go through it together if not you will need to see an expert.

did you say which broswer you are using?

either way if you haven't installed java sun you should.
http://java.sun.com/j2se/1.5.0/download.jsp
click where it says "Download JRE 5.0 Update 6"

Sounds to me like the P2LoadA worm, or a variant....and if so, those pages that you are sent to are NOT Google, but a spoofed version of Google. What these fuckers do is they plant the worm when you visit certain webpages (has nothing to do with clicking on pics by the way, and also nothing to do with Peachy) and then when you go later to view a new webpage it redirects you to their fake Google search page, where they have conveniently replaced the legitimate ads and sponsored listings with links to their own scam-pages, which no doubt have additional worms, trojans, and surprises. Google the name of the worm (P2LoadA) and you will find many discussions. Either way, you need not be using ad/spyware scanners, you need to be using antivirus software that has been updated recently. Wouldn't hurt to do an online scan here if you don't have anything:
http://www.trendmicro.com/hc_intro/default.asp

F~

I am having this exact same problem with Google redirects as well. 

I use Mozilla Firefox, the pages seem to redirect with both Mozilla and Internet Explorer.  My computer was scanned with a full system scan tonight (1/18) using Norton and the definitions were downloaded yesterday (1/17) and nothing came up. I ran ad-aware for good measure but nothing there either.

Would this show up in a hijackthis log? And if so, would it be OK to post one?  Thanks.

 Hessian_4x4 wrote:

Would this show up in a hijackthis log? And if so, would it be OK to post one?  Thanks.

Go for it....we will take a look at it.

F~

Here goes...

Logfile of HijackThis v1.99.1
Scan saved at 7:24:42 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\mikeyboy\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E2A8AC7-1FBA-4E83-9D0F-64888B0AE345}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{B86A6A82-411C-46C2-AC48-F507DC2E02D3}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{C17FDDDA-446C-4A05-AB38-123499FDF184}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF4491F2-FF63-48A0-B13B-D0BC3F07D427}: NameServer = 85.255.116.119,85.255.112.195
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
....is spyware and causes all kinds of problems....could be part of your problem. That's all that jumps out at me right now other than the fact that you have a TON of things that don't need to be running and alot of "extra" menu items and buttons. BHO's are almost never a good thing and you could pretty much get rid of all those, other than the Norton one I am not sure if you need. I would also go into msconfig and stop all those programs that you don't need running all the time, from starting up. Much better to start each program individually as you need them.

Check out my Computer thread if you haven't already:
http://peachyforum.com/forums/7162/ShowPost.aspx

F~

I think I may have found the problem.  After looking through hijackthis a little further (and deleting the BHO's) I found these processes running:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E2A8AC7-1FBA-4E83-9D0F-64888B0AE345}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{B86A6A82-411C-46C2-AC48-F507DC2E02D3}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{C17FDDDA-446C-4A05-AB38-123499FDF184}: NameServer = 85.255.116.119,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF4491F2-FF63-48A0-B13B-D0BC3F07D427}: NameServer = 85.255.116.119,85.255.112.195

The info on them basically said they were redirects.  After fixing them in hijackthis, and restarting the puter a few times the problem has gone away it seems, although I have not "extensively tested" my computers operation yet.  Thanks for the help guys.  Anyone who is having this problem should probably get rid of these processes/files whatever they are. 

hi, 017s can cause redirects. unless your ISP is in the Ukraine, which is where it was pointing with the 017s you deleted, you probably did the right thing.

you can check by opening a command prompt Start>run>cmd - click OK, then type ipconfig /all

it should show your two DNS servers which should be different to the values you deleted.


i found some instructions you can follow if you want from the link below - let the page load fully before you do anything with your mouse.
http://www.geekstogo.com/forum/index.php?s=d55dc6aaebfc0e7d78744677a664c506&showtopic=50396&view=findpost&p=266585
i'd run cleanup and ewido if i were you then post a hjt log at one of the security forums telling them what the problem was and what you have done to clean up. cleanup and ewido are great programs to have anyway. plus posting a log somewhere isn't too hard to do when everything seems to be running OK.