1 2 Previous Next 10 Replies Latest reply on Nov 28, 2010 11:26 AM by garrygraham


      I thought we had this fixed, but even after running the latest McAfee and EMCO malware destroyer and Malwarebytes anti malware I AM STILL BEING REDIRECTED.


      Here are some of the clues.


      I keep getting a webpage that is blank and the ulr is www.epoclick.com/?ad=1288800529

      I also got a message that said System Configuration utility Windons , want permission to run, because I did not ask for this to run I denied it.


      The Emco malware program gave me a report that said.

      Action : Detected
      FREDNMC.HLLW.OROR.CWORM01/11/20103:09:14 PM
      FREDNMC.IWONADWARE01/11/20103:09:14 PM
      FREDNMC.HLLW.OROR.CWORM03/11/201012:05:05 AM


      Malware bytes said that they found 173 infected items and cleaned that all.


      I would appreciated and help that I can get





          Hello Garry

             I'm sorry to see that it's not quite fixed yet. Putting up the screenshot was a good idea, since it gives us something to work on.


          Here is a little extra information which might perhaps be useful, or helpful. First, the 'epoclick.com' URL points to a computer in the Republic of Moldova. The IP address for it is and the domain name has only been registered since October 11th. Reports of problems associated with this site have been coming in since October 19th, perhaps earlier. There is a second web site, drvtrf.com, at the same IP address - I'll follow this up on SiteAdvisor when I've done this.


          This site is certainly associated with multiple reports of redirection and site blocking - those reporting it used various names to describe it, which was confusing. All reported that AV programs (not just McAfee) didn't catch it, and nor did Malwarebytes, SuperAntiSpyware, or Microsoft Security Essentials. It slipped through the nets, but Malwarebytes at least is on to it. There are two threads dealing with it on their forums :

          http://forums.malwarebytes.org/index.php?showtopic=66309 and



          Quote from the Malwarebytes person handling one of the threads :

          "This is the nearest I can get and it is regarded as an infection carrier - hxxp://www.epoclick.com/?ad=1287926187"


          So yours must be assumed to be in that category. We're dealing with malware spreaders.


          It looks as if it may be necessary to run GetSusp - for which you will need to talk to one of the McAfee technical experts - or else HijackThis or ComboFix. ComboFix is a very powerful tool and needs to be run under the supervision of a qualified expert. If you're lucky that might not be necessary.


          There is a thread about how to remove FunWebProducts at http://www.2-spyware.com/remove-funwebproducts.html

          but see also Spywareterminator.com's page - they rate this as a critical threat -


          I can't give any advice yet as to whether you should run their product to remove FunWeb - it might be better not to click on that big yellow button saying 'Scan Now', at least until someone here can give that site the OK.


          I see NMC.IWON on your screenshot but you should also run a search for something called aornum.exe which is associated with iwon; it's said to be a Browser Helper Object. See http://www.auditmypc.com/process/aornum.asp and http://www.spywareremove.com/removeAornum.html.

          Both of these are malware.  For OROR.c see http://www.dslreports.com/forum/remark,5761615; this is/was a worm spread by email, in which case McAfee should have caught it.


          I have some lingering doubts as to the EMCO software you downloaded to try to fix your problem. The name EMCO keeps on cropping up in the logs on the Malwarebytes forum and elsewhere produced by Combofix and HijackThis for users with the redirect problem, and also in the output logs for those dealing with FunWeb/iwon/aornum. Cropping up rather too much, and more than I would expect. Plus, several users of EMCO have reported that it is not safe to use. I withhold judgement, but perhaps you shouldn't use it while you're using any other removal tools.


          One thing that OROR.C is said to do is to attempt to disable security software. Is your McAfee installation working as it should? Perhaps you ought to run the Virtual Technician to make sure everything's there and working.


          This has been a very long post. I apologise for that. But I still had to leave out some other stuff; I may do a follow-up if needed.


          I suggest you will need one of the McAfee techs from this point on. I'm going to go and ferret around in the McAfee threat database.


          Good luck



            Quick follow-up : I found some information about OROR.C on the Symantec.com site (yes, yes, I know, they're a competitor, but I found it there first).


            The report is at http://www.symantec.com/security_response/writeup.jsp?docid=2003-012309-1531-99

            You only need to read Sections 1 & 2; Section 3 is removal and is specific to Symantec.


              Quick update. I've been around one or two of the forums looking for extra information about this and it seems that this particular redirection problem is extremely widespread and is getting worse, although the instances where the connection to epoclick can be definitely made are relatively few. Over at Google there has been a thread running since October 23rd dealing with this redirection problem, and there the link has definitely been made with epoclick; also at Malwarebytes (who found out about it on the 19th, when the first pleas for help came in).


              One curious thing that is being reported is that whatever is in this code appears to be targeting not just PCs but also routers, and changes the DNS server settings. There are many valuable pieces of advice and information in the posts in that thread, and it repays reading all the way through (just try to ignore the fisticuffs between one particular irate poster and the poor forum moderator). One useful snippet : any given anti-malware program will work for some but not all of the people who are reporting similar symptoms or problems. Either there are different pieces of malware involved or this thing is mutating or being refined. Perhaps that's normal.


              If the malware is DNS-related, the Google thread gives a link to a fix :



              For modified router settings caused by this malware :

              http://forums.mozillazine.org/viewtopic.php?f=38&t=2016401&p=10052447&sid=89d7e0 c64a114ea7fc41e85bbbc8a54c

              The question has to be asked, since it dominates that particular thread : anyone having any problem with google-analytics? Any extra tabs or windows opening when you do a Google search? (Or that may be the irate poster's own special Red Herring).


              If there's a connection to Google you can report it at http://www.google.com/safebrowsing/report_badware/ (which I didn't know about before this).

              One person who did report epoclick described them as "terrorising the internet at the moment".


              If anybody reads ComputerWorld (is that a UK or US publication?) you might see something in there about all this. Possibly even this exchange :

              >>Tens of thousands of people are experiencing this problem
              "If it's not 100% then it's localized."
              1 of 1 people found this helpful

                Thanks for all that investigating, I read the stuff you recommended.  Its is a little over my head.  I will keep watching for a fix.

                FYI this problem in NOT unique to Google, it happen on Yahoo also.  It is amazing how shallow minded some of the people on the blogs are.




                  We may be close to getting a fix for this.


                  Contributors to the Malwarebytes and Google forums are saying that this is a variant of a known Trojan, which they say is Trojan.OSX.DNSChanger


                  This is the Apple name for it, so McAfee's name will be different. I haven't yet found it in the McAfee database but it will be there somewhere. If indeed it is similar to one already fixed, then fixing the new variant should be a lot easier.


                  The description from the iAntiVirus site for this is below :

                  "Trojan.OSX.DNSChan is a malicious trojan that uses social engineering techniques to entice users to manually install the program. This trojan disguises itself as a video codec and associates itself with shared and free download videos. It was first seen and linked to porn sites but later it was also linked to funny videos. The mode of delivery of this trojan is typically via spam blogs (splogs), malicious banner Ads, poisoned Google search results and pay-per-install programs."


                  Most or all of the reported problems are related to results from web searches. This Trojan (if that's what it is) seems to be 'poisoning' search results pages, sometimes by inserting results that link to malware sites, which only makes things worse.


                  I think you're right about the problem not being restricted to Google. It's on all browsers, and it's not restricted to Windows. I think it's even turned up on the Android mobile phone OS.


                  The IP for epoclick.com was apparently blacklisted in the Malwarebytes Anti-Malware database not long after the first reports came in to them. Full marks to them for speedy action.


                  If the identification is correct, no doubt there will be a fix coming through in the regular McAfee updates some time soon.



                  Message was edited by: Hayton on 05/11/10 06:06:14 GMT
                  1 of 1 people found this helpful
                  • 6. Re: I AM BEING REDIRECTED, AGAIN AND AGAIN

                    If it is like other DNS changer and redirectors mcafee and malwarebytes updates fail as it blocks installation of MWB and access to the mcafee site.


                    What I found with other versions is when one downloads MWB or superantispyware I suggest downloading it as another named file ie so the trojan cannot recognise it. Also when installing these programs install it in a different folder than the default 1. Again to defeat the trojan blocking it. Worked for me on a redirecting trojan back 3 mths ago.


                    Dat files (if Mcafee can update that is) should be updated soon hopefully though a mcafee staffer better to say when though.

                    1 of 1 people found this helpful
                    • 7. Re: I AM BEING REDIRECTED, AGAIN AND AGAIN

                      Thanks for your input, I will give that a try.

                      • 8. Re: I AM BEING REDIRECTED, AGAIN AND AGAIN

                        Once again you have been most helpful, I think I will wait and see if a fix come in the next few days.

                        Have a great weekend.


                        • 9. Re: I AM BEING REDIRECTED, AGAIN AND AGAIN

                          It always pays to look through the archives for earlier submissions. As a researcher I know this in my bones. And sure enough, there's something in a thread from several months ago which gives a link to this :

                          http://www.review-buddy.com/spyware-removers/how-to-remove-google-redirect-virus .html


                          So what we're seeing is a new variant of an existing piece of malware. This has been around (and around, and around) for quite a while.

                          1 2 Previous Next