
Google/browser Redirect Problem - Help


5 replies to this topic

#1 neilkav

neilkav

  • Members
  • 3 posts

Posted 04 October 2007 - 07:10 AM

Hello all,

Really hope you can help in some way. Here's my story...

First off I should say that I'm no expert and would appreciate any terminology to be kept in simple terms, thanks..

Laptop is Fujitsu Siemens Amilo 1GB RAM, 80 GB HD, 128M ATI card.

Browser is IE6

Problem: for the last 2 months or so, every time I hit a link in a search engine like google or msn or yahoo, my computer is redirected to sites far away from what I'm looking for, usually pornographic. I have tried all I can with my limited experience but to no avail.

I used AVG free virus software for over a year, was fine, then I kept on getting a message about a particular trojan - it would not quarantine or delete and the message popped up every 5 seconds, it was a system 32 bug with the ending jlmijlm.dll. I had to uninstall AVG in the end. I am now considering what to do about virus software, because AVG when reinstalled had exactly the same problem.

It was around the same time that I started to get these redirecting problems.

I have DL and installed and run the following....

AVG anti-spyware
Trend micro anti-spyware
Adaware
CCCleaner
FreeRegistry fix
Winpatrol - the 2 files below look suspect from the winpatrol report, but once again I cannot delete them
ynfcgcsk.dll
jlmijlm.dll


All scanned & the only thing they find is cookies, or tracking cookies which I delete, but I STILL have my internet problem.

Please could somebody advise what to do??

I am on GMT, live in England, so if I don't reply quickly please bear with me.

Look forward to some help,

Thanks in advance Neil Kavanagh.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 October 2007 - 08:29 AM

Have you tried doing your scans in "SAFE MODE"? Are you doing scans while logged into the Administrator's account or an account with administrator privileges?

Since you are no longer using an anti-virus, you need to get one installed ASAP. Free alternatives to AVG would be Avast or AntiVir PersonalEdition Classic.

Anytime you come across a suspicious file for which you cannot find any information, you can submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Do that for the two files detected by WinPatrol and post back with the results of the file analysis. I can't find any info on them but I suspect they are vundo related.

Edited by quietman7, 04 October 2007 - 08:29 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 neilkav

neilkav
  • Topic Starter

  • Members
  • 3 posts

Posted 05 October 2007 - 12:21 PM

Hi,

I have run the programs in safe mode before, no difference.

I have uploaded the 2 files (they were .bak files) to virus total, results below...

jlmijlm.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.10.6.0 2007.10.05 -
AntiVir 7.6.0.20 2007.10.05 -
Authentium 4.93.8 2007.10.05 -
Avast 4.7.1051.0 2007.10.05 -
AVG 7.5.0.488 2007.10.05 BHO.BIG
BitDefender 7.2 2007.10.05 -
CAT-QuickHeal 9.00 2007.10.05 TrojanClicker.Delf.iv
ClamAV 0.91.2 2007.10.05 -
DrWeb 4.44.0.09170 2007.10.05 Trojan.Click.4634
eSafe 7.0.15.0 2007.10.04 Suspicious Trojan/Worm
eTrust-Vet 31.2.5188 2007.10.05 -
Ewido 4.0 2007.10.05 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.05 -
F-Prot 4.3.2.48 2007.10.05 W32/Trojan.CECP
F-Secure 6.70.13030.0 2007.10.05 W32/BHO.QG
Ikarus T3.1.1.12 2007.10.05 -
Kaspersky 7.0.0.125 2007.10.05 -
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 -
NOD32v2 2574 2007.10.05 -
Norman 5.80.02 2007.10.05 W32/BHO.QG
Panda 9.0.0.4 2007.10.05 Trj/Clicker.AGD
Prevx1 V2 2007.10.05 -
Rising 19.43.40.00 2007.10.05 -
Sophos 4.22.0 2007.10.05 -
Sunbelt 2.2.907.0 2007.10.04 -
Symantec 10 2007.10.05 -
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.05 -
VirusBuster 4.3.26:9 2007.10.05 Trojan.CL.Delf.ZNL
Webwasher-Gateway 6.0.1 2007.10.05 Packer.Morphine
Additional information
File size: 81920 bytes
MD5: bc4df9e26f292944bf4a3d0764fc0cfa
SHA1: 4b71064ac49023c66cc76eda40f09a73707579ad





File ysbfsbli.dll.bak received on 10.05.2007 17:47:11 (CET)
Current status: finished
Result: 6/32 (18.75%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.6.0 2007.10.05 -
AntiVir 7.6.0.20 2007.10.05 TR/Crypt.Morphine.Gen
Authentium 4.93.8 2007.10.05 -
Avast 4.7.1051.0 2007.10.05 -
AVG 7.5.0.488 2007.10.05 -
BitDefender 7.2 2007.10.05 -
CAT-QuickHeal 9.00 2007.10.05 -
ClamAV 0.91.2 2007.10.05 -
DrWeb 4.44.0.09170 2007.10.05 -
eSafe 7.0.15.0 2007.10.04 Suspicious Trojan/Worm
eTrust-Vet 31.2.5188 2007.10.05 -
Ewido 4.0 2007.10.05 -
FileAdvisor 1 2007.10.05 -
Fortinet 3.11.0.0 2007.10.05 -
F-Prot 4.3.2.48 2007.10.05 -
F-Secure 6.70.13030.0 2007.10.05 W32/BHO.QG
Ikarus T3.1.1.12 2007.10.05 -
Kaspersky 7.0.0.125 2007.10.05 -
McAfee 5134 2007.10.04 -
Microsoft 1.2803 2007.10.04 -
NOD32v2 2574 2007.10.05 -
Norman 5.80.02 2007.10.05 W32/BHO.QG
Panda 9.0.0.4 2007.10.05 Suspicious file
Prevx1 V2 2007.10.05 -
Rising 19.43.40.00 2007.10.05 -
Sophos 4.22.0 2007.10.05 -
Sunbelt 2.2.907.0 2007.10.04 -
Symantec 10 2007.10.05 -
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.05 -
VirusBuster 4.3.26:9 2007.10.05 -
Webwasher-Gateway 6.0.1 2007.10.05 Trojan.Crypt.Morphine.Gen
Additional information
File size: 123904 bytes
MD5: c1c1da62d504e661de846e83b6ebc8ce
SHA1: f2ed257c01b532827d7a0781009e1f29ae749efa
packers: Morphine


I guess from the results above they look bad, what's my next step, thanks in advance for your help,

Neil

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 October 2007 - 12:30 PM

Did you install an anti-virus program and run a scan in safe mode?

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet.

Please download and install SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "No".
  • To retrieve the removal information:
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
Scan with Dr.Web CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt when done. (You can use Notepad to open the DrWeb.csv report)
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.


#5 neilkav

neilkav
  • Topic Starter

  • Members
  • 3 posts

Posted 07 October 2007 - 05:29 PM

Hi there,

I've done everything you suggested, below are the reports/logs, it seems to have done the trick, google is no longer redirecting, yippeeee.

Thanks very very much for your help.

I have also installed Avira anti virus, and it seems to be working well.

Thanks again, Neil.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/07/2007 at 11:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3320
Trace Rules Database Version: 1321

Scan type : Complete Scan
Total Scan Time : 01:26:51

Memory items scanned : 205
Memory threats detected : 0
Registry items scanned : 6910
Registry threats detected : 4
File items scanned : 87587
File threats detected : 1

Trojan.Download-Gen/DSPRPRE
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9EB5073-15D6-4716-9ABD-B77FD07AA3BA}
HKCR\CLSID\{A9EB5073-15D6-4716-9ABD-B77FD07AA3BA}
HKCR\CLSID\{A9EB5073-15D6-4716-9ABD-B77FD07AA3BA}\InprocServer32
HKCR\CLSID\{A9EB5073-15D6-4716-9ABD-B77FD07AA3BA}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\YNFCGCSK.DLL
jlmijlm.dll;c:\windows\system32;Trojan.Click.4674;Deleted.;
ynfcgcsk.dll;c:\windows\system32;Trojan.Click.4671;Deleted.;
bpmmetf.bak;C:\WINDOWS\system32;Trojan.Packed.169;Deleted.;
jgddih.bak;C:\WINDOWS\system32;Trojan.Click.4634;Deleted.;
jlmijlm.dll;C:\WINDOWS\system32;Trojan.Click.4674;Deleted.;
jlmijlm.dll.bak;C:\WINDOWS\system32;Trojan.Click.4647;Deleted.;
rpwjyq.bak;C:\WINDOWS\system32;Trojan.Click.4422;Deleted.;
vvprydv.bak;C:\WINDOWS\system32;Trojan.Click.4321;Deleted.;
ynfcgcsk.1;C:\WINDOWS\system32;Trojan.Starter.252;Deleted.;
ynfcgcsk.2;C:\WINDOWS\system32;Trojan.Iespy;Deleted.;
ynfcgcsk.3;C:\WINDOWS\system32;Trojan.Sentinel;Incurable.Moved.;
ynfcgcsk.4;C:\WINDOWS\system32;Trojan.PWS.Tanspy.775;Deleted.;
jlmijlm.dll;c:\windows\system32;Trojan.Click.4674;Deleted.;
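
The SUPERAntiSpyware log above shows how the redirecting DLL loaded into Internet Explorer: a CLSID registered under `Browser Helper Objects`, whose `InprocServer32` key pointed at a DLL in `system32`. The following read-only PowerShell audit of those registrations is an added example, not part of the original posts or of any tool used in the thread; the `HKLM:\SOFTWARE\Classes` and `WOW6432Node` paths and the function name `Get-BhoAudit` are assumptions chosen for a current 64-bit Windows system.

```powershell
# Added example (not from the thread): read-only audit of Browser Helper Objects.
# Run from an elevated prompt; nothing is modified or deleted.
$bhoSubKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views = @(
    # Native view, then the 32-bit view on 64-bit Windows (assumed layout)
    @{ Bho = "HKLM:\SOFTWARE\$bhoSubKey";             Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = "HKLM:\SOFTWARE\WOW6432Node\$bhoSubKey"; Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-BhoAudit {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $key.PSChildName      # the {GUID} subkey name
            $inproc = "$($view.Clsid)\$clsid\InprocServer32"
            $dll = $null; $sig = $null; $hash = $null; $created = $null
            if (Test-Path -LiteralPath $inproc) {
                # The key's default value is the path of the DLL loaded into the browser
                $dll = ([string](Get-Item -LiteralPath $inproc).GetValue('')).Trim('"')
            }
            $exists = [bool]$dll -and (Test-Path -LiteralPath $dll -PathType Leaf)
            if ($exists) {
                $sig     = (Get-AuthenticodeSignature -LiteralPath $dll).Status
                $hash    = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
                $created = (Get-Item -LiteralPath $dll -Force).CreationTime
            }
            [pscustomobject]@{
                Clsid     = $clsid
                Dll       = $dll
                Exists    = $exists
                Signature = $sig
                Created   = $created
                Sha256    = $hash
                # Missing target or no valid signature: look at this entry by hand
                Review    = (-not $exists) -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-BhoAudit | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

A `Review` value of `True` only marks an entry for manual inspection; the SHA-256 can be looked up on a multi-engine scanning service, as was done with the two files earlier in the thread.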

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,920 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 October 2007 - 07:19 PM

You're welcome.

If there are no more problems, you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.




