Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


google and yahoo redirects

  • This topic is locked This topic is locked
2 replies to this topic

#1 gatorh8tr


  • Members
  • 4 posts
  • Local time:06:33 AM

Posted 04 October 2009 - 04:22 PM

This started on Thursday. I tried to search on google. I would click a link, then would be re-directed to a different site. I ran malwarebytes and found AVcare. I used malwarebytes and superantispyware and both started to run then just stopped. I restarted in safe mode, reinstalled both then ran in safe mode and it got rid of AVCare. Then I got basically the same thing called PolicePro (I think). Once again, I used malwarebytes and superantispyware, then I downloaded asquared free and ran that. It found several files that it said were medium risk. I deleted those. I ran malwarebytes in safe mode and it found nothing. I ran superantispyware in safe mode and it found nothing. I restarted windows normally, went back to google and punched in a search and was still re-directed. I did notice the domain it was taking me too before all of the re-directs was z43523673.cn followed by a bunch of different characters, then it would switch to the other site. I have run malwarebytes, superantispyware and a squared free again in normal mode and safe mode and they haven't found anything. I am running avast free anti-virus and it hasn't found anything either. I just ran kaspersky online scan and didn't find anything. I have done everything I know to do. Any help would be greatly appreciated.
I am attaching the scans as instructed in Grinler's post, and I also have a hijackthis log that I can post if needed. Once again, thanks for any help.

DDS (Ver_09-09-29.01) - NTFSx86
Run by Steve at 16:49:35.81 on Sun 10/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2390 [GMT -4:00]

AV: avast! antivirus 4.8.1356 [VPS 091004-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [EPSON Stylus Photo RX620 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
mRun: [CTStartup] c:\program files\creative\sbaudigy\program\CTEaxSpl.EXE /run
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
uPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231485329421
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254463533359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\sp52w50j.default\
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-30 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-3 200784]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-10-3 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-10-3 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-10-1 1858144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-30 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-30 138680]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-10-3 1244360]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-10-2 34760]
S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-10-3 3184328]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-30 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-30 352920]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-10-2 24416]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-10-03 23:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-10-03 23:02 410,984 a------- c:\windows\system32\deploytk.dll
2009-10-03 23:02 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-03 22:41 <DIR> --d----- c:\program files\CCleaner
2009-10-03 21:50 <DIR> --d----- c:\docume~1\steve\applic~1\OnlineArmor
2009-10-03 21:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-10-03 21:50 200,784 a------- c:\windows\system32\drivers\OADriver.sys
2009-10-03 21:50 29,776 a------- c:\windows\system32\drivers\OAnet.sys
2009-10-03 21:50 24,656 a------- c:\windows\system32\drivers\OAmon.sys
2009-10-03 21:50 <DIR> --d----- c:\program files\Tall Emu
2009-10-02 11:56 <DIR> a-d----- c:\windows\system32\images
2009-10-02 11:55 88 a------- c:\windows\system32\wwp.htm
2009-10-02 11:00 <DIR> --d----- C:\RootkitNO
2009-10-02 03:50 24,416 a------- c:\windows\system32\drivers\regguard.sys
2009-10-02 03:31 2 a--shrot c:\windows\winstart.bat
2009-10-02 03:29 35,040 a------- c:\windows\system32\Partizan.exe
2009-10-02 03:29 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-10-02 03:29 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-10-02 03:28 <DIR> --d----- c:\program files\UnHackMe
2009-10-01 21:55 <DIR> -cd-h--- c:\windows\ie8
2009-10-01 20:56 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-10-01 16:52 <DIR> --dsh--- c:\documents and settings\steve\IECompatCache
2009-10-01 16:01 <DIR> --d----- c:\program files\a-squared Free
2009-09-30 23:49 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-09-30 22:11 <DIR> --d----- c:\program files\Trend Micro
2009-09-30 22:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-30 21:01 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-30 19:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 19:42 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-30 19:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 17:51 160,143 a------- c:\windows\system32\PC_protectnewn.exe
2009-09-30 17:38 <DIR> --d-h--- c:\windows\PIF
2009-09-30 13:18 <DIR> --d----- C:\spoolerlogs
2009-09-13 21:53 <DIR> --d----- c:\docume~1\steve\applic~1\Malwarebytes
2009-09-13 21:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-09 23:45 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,904 a------- c:\windows\system32\muweb.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

============= FINISH: 16:53:53.57 ===============

Attached Files

BC AdBot (Login to Remove)


#2 gatorh8tr

  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:33 AM

Posted 06 October 2009 - 04:19 AM

Reformated the hard drive to fix the problem

#3 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:12:33 PM

Posted 06 October 2009 - 04:41 AM


glad to hear you solved your problem! :(

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users