Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This - Help Please - Web Links Redirecting to Random Sites


  • This topic is locked This topic is locked
2 replies to this topic

#1 datadoer

datadoer

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:34 PM

Posted 16 June 2010 - 07:48 PM

Moved to Proper forum,Virus, Trojan, Spyware, and Malware Removal Logs ~~boopme

Below is the Hijack this output. We've run av/malware scans in safe mode, used rootkitrevealer and analyzed Hijackthis output ourselves to no avail.

Problem: web links redirect to random website. It only happens on this PC on the network. No other PC's redirect. The internal domain controller appears to be fine and the only dns setup on the pc is for the internal domain controller which resides on the local subnet.

Below is the Hijackthis output. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:41 PM, on 6/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files\Fortinet\FortiClient\fcappdb.exe
C:\Program Files\Fortinet\FortiClient\FortiProxy.exe
C:\Program Files\Fortinet\FortiClient\rmon.exe
C:\Program Files\Fortinet\FortiClient\fmon.exe
C:\Program Files\Fortinet\FortiClient\fortifw.exe
C:\Program Files\Fortinet\FortiClient\fortiwf.exe
C:\Program Files\Fortinet\FortiClient\FCMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe
C:\Program Files\Citrix\GoToAssist Express Customer\223\g2ax_comm_customer.exe
C:\Program Files\borland\interbase\Bin\IBGuard.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\SDMan.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\csia.exe
C:\Program Files\Citrix\GoToAssist Express Customer\223\g2ax_system_customer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trams\common files\tlmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\SABRE\Apps\OADP\Oadp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Citrix\GoToAssist Express Customer\223\g2ax_host.exe
C:\Program Files\borland\interbase\Bin\IBServer.exe
C:\Program Files\Citrix\GoToAssist Express Customer\223\g2ax_user_customer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\Program Files\Trams\common files\tlmgrconsole.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\sabserv.exe
C:\SABRE\Apps\OADP\OadpUtil.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Donna\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.sabre.com/login.jsp?TYPE=3355443...//my.sabre.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
F3 - REG:win.ini: load=
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Chargers Official Toolbar - {86664ca1-028a-4f8a-a84f-bd4eea340fb5} - C:\Program Files\Chargers_Official\tbCha0.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Chargers Official Toolbar - {86664ca1-028a-4f8a-a84f-bd4eea340fb5} - C:\Program Files\Chargers_Official\tbCha0.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O4 - HKLM\..\Run: [TRAMSLicenseManagerConsole] C:\Program Files\Trams\common files\tlmgrconsole.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'Default user')
O4 - Startup: OadpUtil.lnk = Apps\OADP\OadpUtil.exe
O4 - Global Startup: Sabre Server.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeuscruise.com
O15 - Trusted Zone: *.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.facebook.com
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/60.07/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192501104841
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photoservices.van.fedex.com/softwar...geUploader4.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://brendanvacations.webex.com/client/T...ent/ieatgpc.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B690CB4E-5A39-4534-9ED3-393CCE65E739}: NameServer = 10.1.1.1
O18 - Protocol: schmap-help - (no CLSID) - (no file)
O18 - Filter hijack: text/html - {a4431ee9-0a64-4f99-8ecd-ed10699b01dc} - (no file)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FortiClient Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Interbase Guardian (InterbaseGuardian) - Borland Software Corporation - C:\Program Files\borland\interbase\Bin\IBGuard.EXE
O23 - Service: Interbase Server (InterbaseServer) - Borland Software Corporation - C:\Program Files\borland\interbase\Bin\IBServer.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Sabre Inc. - C:\SABRE\Apps\OADP\Oadp.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: Secunia CSI Agent - Secunia - C:\csia.exe
O23 - Service: TRAMS License Manager (TRAMSLicenseManager) - TRAMS, Inc. - C:\Program Files\Trams\common files\tlmgr.exe

--
End of file - 11755 bytes

Edited by boopme, 16 June 2010 - 07:51 PM.


BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:34 PM

Posted 21 June 2010 - 03:51 PM

Do you still desire help?
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:34 PM

Posted 26 June 2010 - 06:30 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users