Yahoo and Google Hijack/Redirect


  • This topic is locked
3 replies to this topic

#1 mike1313
  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 03 June 2009 - 11:47 AM

This has progressed to a worse state.
I can no longer get to Google or the Bleeping Computer Forum.
I am on a different PC for this edit.


Like many, I have acquired the Yahoo/Google Redirect virus.
First time posting, so let me know what I need to post.
Thanks in advance.


DDS (Ver_09-05-14.01) - FAT32x86
Run by mkelly at 9:24:52.93 on Wed 06/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.191 [GMT -7:00]

AV: ZoneAlarm Anti-virus Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Anti-virus Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\jpos\CLIENT~2\msgsrvc\msgsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mkelly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.excite.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [PLXSTART] c:\progra~1\plexto~1\PLXSTART.EXE
mRun: [PLXTASK] c:\progra~1\plexto~1\PLXTASK.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243830830831
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://c:\windows\msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-24 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-24 353680]
R2 TomaxMessengerService;Tomax Messenger Service;c:\jpos\client~2\msgsrvc\msgsrvc.exe [2006-12-18 147456]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 G200;G200;c:\windows\system32\drivers\G200m.sys [2002-9-5 320384]
R3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [2009-1-24 14336]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]

=============== Created Last 30 ================

2009-06-03 08:46 <DIR> --d----- c:\program files\Trend Micro
2009-06-03 08:25 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-06-03 08:25 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-06-02 20:47 <DIR> --d----- c:\program files\Panda Security
2009-06-02 20:45 47,252,228 a------- c:\windows\pav.sig
2009-06-02 20:37 69,632 a------- c:\windows\system32\asprouni.exe
2009-06-02 20:36 3,377 a------- c:\windows\system32\.ico
2009-06-02 20:36 2,550 a------- c:\windows\system32\Uninstallpro.ico
2009-06-02 20:36 1,406 a------- c:\windows\system32\Helppro.ico
2009-06-01 18:21 <DIR> --dsh--- c:\documents and settings\mkelly\PrivacIE
2009-06-01 17:53 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-06-01 17:36 268,648 a------- c:\windows\system32\mucltui.dll
2009-06-01 17:36 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-06-01 17:34 <DIR> --dsh--- c:\documents and settings\mkelly\IETldCache
2009-05-31 22:18 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-31 22:16 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-31 22:16 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-31 22:16 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-31 22:16 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-31 22:16 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-31 22:16 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-31 22:16 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-31 22:16 <DIR> --d----- C:\e84f03238c35b02f71
2009-05-31 22:15 <DIR> --d----- c:\windows\SxsCaPendDel
2009-05-31 22:04 <DIR> --d----- c:\windows\ie8updates
2009-05-31 22:03 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-31 21:57 <DIR> --d-h--- c:\windows\ie8
2009-05-31 19:59 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-31 19:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-31 19:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-31 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-31 14:42 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-31 12:54 <DIR> --d----- c:\program files\AVG
2009-05-29 23:09 39 a------- c:\windows\Irremote.ini
2009-05-29 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-05-16 07:43 <DIR> --d----- c:\program files\SoundLeech
2009-05-16 07:28 258,352 a------- c:\windows\system32\unicows.dll

==================== Find3M ====================

2009-05-26 06:13 1,933,312 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-26 06:13 14,408 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-16 07:45 1,740 a------- c:\windows\system32\d3d8caps.dat
2009-04-08 18:17 39,744 a------- c:\docume~1\mkelly\applic~1\GDIPFONTCACHEV1.DAT
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 19:08 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
1998-10-13 17:42 11,079 a---h--- c:\program files\folder.htt
1998-10-13 17:42 266 ---sh--- c:\program files\desktop.ini
2008-11-25 10:00 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2008-07-19 10:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071920080720\index.dat

============= FINISH: 9:28:38.37 ===============

Edited by mike1313, 03 June 2009 - 05:01 PM.


#2 aommaster
    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:40 PM

Posted 14 June 2009 - 09:56 AM

Hello, mike1313.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following steps below so I can have a look at the current condition of your machine.

Thanks

Also, you may want to consider tracking this topic by either adding it to your favourites or clicking the Options button at the top of this thread.

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized).
In your next reply, please include the following:
  • RSIT Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster
    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:40 PM

Posted 17 June 2009 - 04:56 AM

Hello mike1313
Are you still with us?

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 kahdah
  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:40 AM

Posted 19 June 2009 - 12:52 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.