redirected when using google (zlob?)


This topic is locked.
4 replies to this topic

#1 ericwyatt (Members, 11 posts)

Posted 20 July 2009 - 01:42 AM

Hi! About a week ago, I noticed that every time I clicked a link on a Google search results page, instead of going to the web page shown, I would go to something like "overclick" (which won't let me back up), or some shopping thing or other garbage. I've run several cleaners suggested, and cleared out quite a bit of junk from my computer, but I continue to have the redirection problem.
I've got the HijackThis logs here--


DDS (Ver_09-06-26.01) - NTFSx86
Run by eric wyatt at 1:25:42.85 on Mon 07/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.756 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\eric wyatt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: InlineSearchHandleHotKeys Class: {b6ffe2ae-4d12-451f-b457-fe6125ffb1cf} - c:\program files\ieforge\inline search\InlineSearch.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188447381452
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188448102656
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ssqQgHYP - ssqQgHYP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ericwy~1\applic~1\mozilla\firefox\profiles\elpvnccn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-nick&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-nick&p=
FF - component: c:\documents and settings\eric wyatt\application data\mozilla\firefox\profiles\elpvnccn.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\EbayAccessService.dll
FF - component: c:\documents and settings\eric wyatt\application data\mozilla\firefox\profiles\elpvnccn.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\EbayFormSubmitObserver.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R3 wcgmpd;wcgmpd;c:\windows\system32\drivers\wcgmpd.sys [1980-1-1 103296]
S3 NAVAP;NAVAP;\??\c:\windows\system32\drivers\navap.sys --> c:\windows\system32\drivers\NAVAP.SYS [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20020227.005\NAVENG.SYS [2008-10-15 65920]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20020227.005\NAVEX15.SYS [2008-10-15 585792]
S4 Application Layer Gateway Service (ALG) ;Application Layer Gateway Service (ALG) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\TinyProxy.exe [?]
S4 gupdate1c9e3eeb3b0623d;Google Update Service (gupdate1c9e3eeb3b0623d);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]

=============== Created Last 30 ================

2009-07-15 07:49 118 a------- c:\windows\system32\MRT.INI
2009-07-14 23:34 1,674 a------- c:\windows\system32\tmp.reg
2009-07-11 21:48 <DIR> --d----- c:\docume~1\ericwy~1\applic~1\Malwarebytes
2009-07-11 21:48 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 21:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-11 21:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 21:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-11 18:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-11 18:28 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-11 18:28 <DIR> --d----- c:\docume~1\ericwy~1\applic~1\SUPERAntiSpyware.com
2009-07-11 18:27 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-08 16:06 <DIR> --dsh--- c:\documents and settings\eric wyatt\PrivacIE
2009-07-08 16:05 <DIR> --dsh--- c:\documents and settings\eric wyatt\IETldCache
2009-07-08 15:32 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-08 15:31 <DIR> --d----- c:\windows\ie8updates
2009-07-08 15:31 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-08 15:30 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 19:57 4,122,368 a----r-- c:\windows\system32\drivers\alcxwdm.sys
2009-07-07 19:57 577,536 a------- c:\windows\soundman.exe
2009-07-07 19:57 147,456 a------- c:\windows\system32\RtlCPAPI.dll
2009-07-07 19:57 49,152 a------- c:\windows\system32\ChCfg.exe
2009-07-07 19:57 18,804,736 a------- c:\windows\system32\alsndmgr.cpl
2009-07-07 19:57 10,528,768 a------- c:\windows\system32\RTLCPL.exe
2009-07-07 19:57 141,016 a------- c:\windows\system32\alsndmgr.wav
2009-07-07 19:57 <DIR> --d----- c:\program files\Realtek AC97
2009-07-07 19:57 315,392 a------- c:\windows\alcupd.exe
2009-07-07 19:57 217,088 a------- c:\windows\alcrmv.exe
2009-07-07 19:56 <DIR> --d----- c:\program files\SigmaTel
2009-07-07 19:56 <DIR> --d----- C:\dell
2009-07-07 19:48 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-07-02 11:23 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-02 11:23 78,336 a------- c:\windows\system32\dllcache\ieencode.dll

==================== Find3M ====================

2009-07-19 02:39 2,068 a------- c:\windows\system32\d3d9caps.dat
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-04 22:47 1,956 a------- c:\windows\system32\d3d8caps.dat
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 14:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-06 13:04 182,970 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 23:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 23:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 23:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 23:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-28 23:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-28 23:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 23:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 23:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 23:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 04:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 04:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 00:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 00:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-19 20:11 83,960 a------- c:\docume~1\ericwy~1\applic~1\GDIPFONTCACHEV1.DAT
2008-11-19 16:39 30 a------- c:\documents and settings\eric wyatt\jagex_runescape_preferences.dat
2008-07-22 11:40 15,452,536 a------- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-07-22 06:35 477 a------- c:\program files\Shortcut to Azureus.lnk
2007-10-12 21:36 774,144 a------- c:\program files\RngInterstitial.dll
2002-10-11 15:12 36,608 a------- c:\windows\inf\SYMMPI.SYS
2013-09-12 18:05 1,537 a--sh--- c:\windows\page files\maxmeg.sys
2008-08-20 17:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 1:28:14.81 ===============


The other HijackThis log is attached.


Thanks for all y'all do!
Eric


#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Vancouver (not BC) WA (Not DC) USA)

Posted 25 July 2009 - 05:29 PM

Hello ericwyatt,

What antivirus are you running on this computer?


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 10
    Java™ 6 Update 13
    Java™ 6 Update 3
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.
*****************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*****************

Please post the last Malwarebytes log so I can see what it is finding.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
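An added triage example that is not part of this thread or of the DDS tool: the Python script below runs, over a constructed excerpt of the DDS log from post #1, the checks a helper makes by eye when reading a "Pseudo HJT Report" (a Winlogon Notify entry registered as a bare DLL name with no path; a driver whose file date is 1980-01-01 or later than the date the log was taken; a service that borrows the display name of a Windows built-in but runs from outside %SystemRoot%; a file dated after the log), and it also compares the BrowserJavaVersion header against the Java release the reply above recommends (6 Update 14, written 1.6.0_14 as DDS prints it). The heuristics, the triage function, its finding labels and the BUILTIN_SERVICE_NAMES table are assumptions made for this example; the sample lines are copied from the log already on this page.

```python
"""Heuristic triage of a DDS log (added example; not from the forum thread)."""
import re
from datetime import date, datetime

# Constructed excerpt: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
DDS (Ver_09-06-26.01) - NTFSx86
Run by eric wyatt at 1:25:42.85 on Mon 07/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ssqQgHYP - ssqQgHYP.dll
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R3 wcgmpd;wcgmpd;c:\windows\system32\drivers\wcgmpd.sys [1980-1-1 103296]
S4 Application Layer Gateway Service (ALG) ;Application Layer Gateway Service (ALG) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\TinyProxy.exe [?]
S4 gupdate1c9e3eeb3b0623d;Google Update Service (gupdate1c9e3eeb3b0623d);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
2009-07-19 02:39 2,068 a------- c:\windows\system32\d3d9caps.dat
2013-09-12 18:05 1,537 a--sh--- c:\windows\page files\maxmeg.sys
"""

RUN_RE = re.compile(r"^Run by .* on \w{3} (\d{2})/(\d{2})/(\d{4})")
JAVA_RE = re.compile(r"BrowserJavaVersion:\s+(\S+)")
NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(.+)$")
# "<state> <name>;<display name>;<path> [<yyyy-m-d> <size>]" or "[?]"
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]+);(.+?)\s+\[(\?|\d{4}-\d{1,2}-\d{1,2}(?: \d+)?)\]$")
# "<yyyy-mm-dd> <hh:mm> <size or <DIR>> <attrs> <path>" (Created / Find3M sections)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(\S+)\s+(.+)$")

WINDOWS_ROOT = "c:\\windows"
# Display names of Windows services whose binary lives under %SystemRoot%.
# Assumption for this example: only the one that appears in the log above.
BUILTIN_SERVICE_NAMES = ("application layer gateway service",)


def java_tuple(version):
    """'1.6.0_10' -> (1, 6, 0, 10) so versions compare numerically."""
    return tuple(int(part) for part in re.split(r"[._]", version))


def triage(log_text, current_java):
    """Return (label, detail) findings for lines that deserve a closer look.

    The DDS header ("Run by ... on <date>") precedes the file listings in a
    real log, so the log date is known before any date check is made.
    """
    findings = []
    log_date = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            month, day, year = (int(x) for x in m.groups())
            log_date = date(year, month, day)
            continue
        m = JAVA_RE.search(line)
        if m:
            if java_tuple(m.group(1)) < java_tuple(current_java):
                findings.append(("outdated-java", m.group(1)))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            target = m.group(2)
            # Legitimate Winlogon notification packages are registered with a
            # full path; a bare DLL name is resolved through the system search
            # order and is a well-known persistence spot.
            if "\\" not in target:
                findings.append(("notify-no-path", target))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, _name, display, path, stamp = m.groups()
            if (display.strip().lower().startswith(BUILTIN_SERVICE_NAMES)
                    and WINDOWS_ROOT not in path.lower()):
                findings.append(("builtin-name-foreign-path", path))
            if stamp != "?":
                stamped = datetime.strptime(stamp.split()[0], "%Y-%m-%d").date()
                if stamped.year < 2000 or (log_date and stamped > log_date):
                    findings.append(("implausible-driver-date", path))
            continue
        m = FILE_RE.match(line)
        if m and log_date:
            stamp, _attrs, path = m.groups()
            if date.fromisoformat(stamp) > log_date:
                findings.append(("future-file-date", path))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG, "1.6.0_14"):
        print(f"{label:28} {detail}")
```

A flagged line is a lead for the helper to look at, not a verdict: SUPERAntiSpyware's own Notify package is registered with a full path and is left alone, while the bare-name entry, the 1980-dated driver, the proxy registered under the ALG service name and the file dated years after the log are each reported once.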

#3 ericwyatt (Topic Starter, Members, 11 posts)

Posted 27 July 2009 - 09:28 AM

OK, I see now that I've been really stupid. I haven't been using our computer much the last few months, just my wife and kids. I thought I had ESET NOD32 installed and running, but I see that it's not. I may not have, and may not have had, any protection. Yeah, I know. I've been a moron.

#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 27 July 2009 - 09:57 AM

Hi ericwyatt,

If you don't have an antivirus installed, then install Avira Antivirus: http://www.free-av.com/
This is a free antivirus!

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense to clean this up manually if an antivirus is not present, which should be able to deal with most of it and prevent further reinfection.

#5 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 02 August 2009 - 10:22 PM

This thread will now be closed due to lack of feedback.