Yahoo Results Redirecting (MOVED to AII)


14 replies to this topic

#1 dcmets162

  • Members
  • 19 posts
  • Local time: 12:54 AM

Posted 28 July 2009 - 08:30 PM

Hello,

I've searched through this forum and didn't see anyone with this problem, some close but not quite. I apologize if the answer has already been posted and I missed it.

I've spent the last couple of days trying to figure this out: I noticed that when I click on a link from my search results in Yahoo, I am redirected to something else like nexplore.com, bizrate.com, shopica, etc. Google results are not affected, however. I am on XP, using Firefox, running AVG and my numerous Malwarebytes scans have shown 0 infections. I was reading the tutorial on Combofix, getting ready to up the ante, when I decided I should ask someone for a bit of guidance before I made things any worse.

Thanks!

Edited by garmanma, 28 July 2009 - 08:40 PM.



#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender: Male
  • Local time: 03:54 PM

Posted 28 July 2009 - 08:49 PM

Try this:

http://forums.majorgeeks.com/showthread.php?t=182559

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 dcmets162
  • Topic Starter

Posted 28 July 2009 - 09:05 PM

Hello Budapest,

I ran gooredfix and it never gave me an option for 1 or 2, but saved this txt to my desktop:

GooredFix by jpshortstuff (12.07.09)
Log created at 21:58 on 28/07/2009 (Brian & Mia)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:50 31/07/2007]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [23:14 13/02/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [00:30 29/07/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [01:08 28/07/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:30 29/07/2009]

-=E.O.F=-

If I did something wrong please let me know.

Thanks for the input.

#4 Budapest

Posted 28 July 2009 - 09:50 PM

Try option 2.

#5 dcmets162
  • Topic Starter

Posted 29 July 2009 - 09:24 AM

When I double click on the GooredFix icon (black bomb with droplet of water over the fuse) it brings me to the OpenFile Security Warning. I click Run and it goes right to a message saying:

"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit"

If I click 'No' I exit the program. If I click 'Yes' I get a GooredFix txt. Nowhere along this do I have an option to choose 1 or 2.

Looking through the "Am I Infected" posts I found someone with a similar problem and attempted the suggested fix:

1. Run ATF-Cleaner - Done
2. Run SUPERAntispyware Free - Done and this is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/29/2009 at 00:33 AM

Application Version : 4.27.1000

Core Rules Database Version : 4025
Trace Rules Database Version: 1965

Scan type : Quick Scan
Total Scan Time : 01:46:14

Memory items scanned : 251
Memory threats detected : 0
Registry items scanned : 548
Registry threats detected : 0
File items scanned : 27031
File threats detected : 2


Adware.Tracking Cookie
.adinterax.com [ C:\Documents and Settings\Brian & Mia\Application Data\Mozilla\Profiles\default\gh3e94cq.slt\cookies.txt ]
.adinterax.com [ C:\Documents and Settings\Brian & Mia\Application Data\Mozilla\Profiles\default\gh3e94cq.slt\cookies.txt ]

3. Run Dr.Web Cureit - Done with the following log:

vsfoceoejyubuh.dll;C:\WINDOWS\system32;BackDoor.Tdss.333;Deleted.;
vsfoceexojbyaglq.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.333;Deleted.;

Unfortunately, Yahoo result links are STILL redirected to a number of different sites (www.gklife.com, www.toseeka.com, www.intelius.com, etc.)

I'd appreciate any help.

Thanks!

#6 Budapest

Posted 29 July 2009 - 04:14 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog, under "Please select drives to scan:", select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

#7 dcmets162
  • Topic Starter

Posted 29 July 2009 - 08:14 PM

Hello Budapest

The RootRepeal Report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/29 21:10
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\vsfocedlhttxpo.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfoceoejyubuh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfocepsxwkmnq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfocexetoivpo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfocecbpuicoopq.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfocefpmwouoijp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfocejduyadsiwe.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Yahoo! Games\Bejeweled 2 Deluxe\Bejeweled2.exe:{87946AEC-E7E1-B13E-F928-F836195F11FC}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\vsfocetkyegsal.sys
Status: Invisible to the Windows API!

Thanks!

#8 Budapest

Posted 29 July 2009 - 08:16 PM

Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\vsfocetkyegsal.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes. Keep rebooting and running quick-scans with Malwarebytes until it shows zero infections. If after 3 scans it is still not clean post the final log.

#9 dcmets162
  • Topic Starter

Posted 29 July 2009 - 09:17 PM

Budapest,

Malwarebytes reported 0 problems on the 2nd scan. As far as I can tell the computer is clean! Thank you so much!!

#10 Budapest

Posted 29 July 2009 - 10:01 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#11 dcmets162
  • Topic Starter

Posted 29 July 2009 - 10:29 PM

I've created the Restore Point.

I'm not exactly sure what you're asking for with the Add/Remove part. I looked in Add or Remove Programs and found only:

Java™ 6 Update 14.

#12 Budapest

Posted 29 July 2009 - 10:34 PM

Your Java is up-to-date, so you're good to go.

#13 dcmets162
  • Topic Starter

Posted 29 July 2009 - 10:40 PM

Ah. Thanks again for your time and help.

I did have 1 more question...

When I first came to the Bleepingcomputer forums (2 days ago) the background for everything was a shade of blue. Now the background for everything is white. Is this OK?

#14 Budapest

Posted 29 July 2009 - 10:44 PM

It should be blue; however I've no idea what the problem is. You should try cleaning out all your temp files, cache etc.

#15 dcmets162
  • Topic Starter

Posted 29 July 2009 - 10:57 PM

Simple, yet effective. Thanks again for your time.
