
Yahoo Redirect Virus


27 replies to this topic

#1 CathyB


Posted 01 February 2011 - 06:00 PM

Attached files: DDS.txt (8.75KB), ark.txt (31.45KB)

I have a Gateway computer, running XP SP3. Running IE 8.
I started getting redirected last week whenever I do a Yahoo search.
I use Webroot Internet Security Complete and it did not detect anything in its scan.
I also scanned with Malwarebytes and it did not detect anything.

dds log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 16:42:34.20 on Tue 02/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1172 [GMT -5:00]

AV: Webroot Internet Security Complete *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Complete *Enabled*

============== Running Processes ===============

C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
svchost.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Webroot\Security\Current\plugins\antispam\wrhkisvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.cathypc.000\Local Settings\Temporary Internet Files\Content.IE5\E8FWL31F\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5266E
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5266E
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5266E
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Webroot Browser Helper Object: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - c:\program files\webroot\security\current\products\wisc\toolbar\LPBar.dll
BHO: WebrootBHO Class: {d93ec24d-8741-4d41-b83d-a5793b998416} - c:\program files\webroot\security\current\plugins\browserextension\WebrootBHO.dll
TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - c:\program files\webroot\security\current\products\wisc\toolbar\LPBar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe" /Startup
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [readericon] "c:\program files\digital media reader\readericon45G.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [Reminder] "%WINDIR%\Creator\Remind_XP.exe"
mRun: [Recguard] "%WINDIR%\SMINST\RECGUARD.EXE"
mRun: [CCUTRAYICON] "c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe"
mRun: [EKIJ5000StatusMonitor] "c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [PSDiagnosticM] "c:\program files\linksys wireless-g print server\PSDiagnosticM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://usbportal.usbank.com/,DanaInfo=ccem510.us.bank-dns.com+dwa8W.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - d:\quickbook\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2010-9-12 111952]
R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-7-27 163840]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2010-9-12 45072]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2010-9-12 3872776]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2010-8-26 3066528]
R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [2010-10-26 12032]
R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [2010-10-26 39424]
R3 vsdatant;vsdatant;c:\windows\system32\VSDATANT.SYS [2008-5-22 394952]
S3 IIUSBISP;USB Mass Storage for USB ISP;c:\windows\system32\drivers\iiusbisp.sys --> c:\windows\system32\drivers\iiusbisp.sys [?]

=============== Created Last 30 ================

2011-02-01 19:08:44 -------- d-----w- c:\program files\Stentor
2011-02-01 19:08:35 -------- d-----w- C:\iSiteLogs
2011-01-29 21:28:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-01-29 21:28:22 -------- d-----w- c:\docume~1\ownerc~1.000\locals~1\applic~1\NPE
2011-01-29 00:06:29 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-29 00:02:22 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-29 00:01:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-01-29 00:01:16 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-24 04:05:44 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-24 04:04:52 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-08 23:09:48 12800 ----a-w- c:\windows\system32\EKDeviceServices.dll

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-10-23 12:22:05 5555080 ----a-w- c:\program files\common files\wruninstall.exe

============= FINISH: 16:44:56.28 ===============






#2 etavares


Posted 05 February 2011 - 04:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 CathyB


Posted 06 February 2011 - 04:35 PM

The problem is getting worse. At first when this started, if I did a Yahoo search, it redirected me to some page other than what I had clicked on the link for. Now if I use Google for searches, it is taking me to Ask.com and then again, if I click on a link, it opens another page than what I clicked.
Today, just opening IE and then clicking my favorite for bleepingcomputer.com brought up another page

hxxp://www.candystand.com/play-random-games?utm_source=adon_113669_155&utm_medium=cpc&utm_campaign=adon2011-6

Here are the gmer and otl logs
Attached files: OTL.Txt (104.46KB), ark.log (18.28KB)

Edited by etavares, 07 February 2011 - 08:19 AM: deactivate URL


#4 etavares


Posted 07 February 2011 - 06:42 PM

Hello, CathyB.

It appears you have a DNS hijacker. Your DNS (like the phonebook for the internet) is pointing to a server in Russia, yet your computer is based elsewhere. So, it's redirecting your calls, so to speak.

Let's run MBAM to start. It often fixes these issues.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares




#5 CathyB


Posted 08 February 2011 - 05:28 PM

Ran Malwarebytes and nothing is detected. Next steps? I'm close to formatting and starting from scratch.

#6 etavares


Posted 08 February 2011 - 06:44 PM

Hello, CathyB.

Next, we'll run Combofix. If that fails, we can fix manually.



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix prompt]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares




#7 CathyB


Posted 09 February 2011 - 07:43 PM

ComboFix did not fix the issue. The log is attached. When I search on Yahoo, the search still is redirecting me to whatever it wants to. I noticed today the first search in the URL is saerch

hxxp://saerch.yahoo.com/search;_ylt=Amo3JQOnBS05X5KpCgosOjObvZx4?p=sams+club&toggle=1&cop=mss&ei=UTF-8&fr=yfp-t-701



Attached file: ComboFix.txt (14.47KB)

Edited by etavares, 10 February 2011 - 06:09 PM: deactivate URL


#8 etavares


Posted 10 February 2011 - 06:14 PM

Hello, CathyB.

That appears to be legit. saerch.yahoo.com resolves to 74.6.239.185 which is a yahoo.com legitimate IP address. Must be a typo or branding on their part.

Let's do this manually. Let me know if you're redirected after the reboot when the script runs.

We need to run an OTL script:
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-2199273608-1465142371-777327702-1007\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKLM..\Run: [Recguard]  File not found
    O4 - HKLM..\Run: [Reminder]  File not found
    O4 - HKLM..\Run: [SigmatelSysTrayApp]  File not found
    O4 - HKLM..\Run: [StatusClient 2.6]  File not found
    O4 - HKLM..\Run: [TomcatStartup 2.5]  File not found
    O4 - HKLM..\RunOnceEx: []  File not found
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.66.235 213.109.76.49 1.1.1.1
    O30 - LSA: Authentication Packages - (ows\s) -  File not found
    O30 - LSA: Security Packages - (Lsa) -  File not found
    O30 - LSA: Security Packages - (ity Packages settings...) -  File not found
    O30 - LSA: Security Packages - (41) -  File not found
    :files
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VideoCam Suite 2.0.lnk
    :Commands
    [Reboot]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done; please post that in your reply.
  • Please then create a new OTL report:
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • A report will open; copy and paste it in a reply here.

etavares




#9 CathyB


Posted 12 February 2011 - 12:15 PM

I still have the issue after running the above fix

Attached Files



#10 etavares


Posted 13 February 2011 - 07:53 AM

Hello, CathyB.

OK, let's do this manually.

  • Please go to Control Panel --> Network Connections
  • Right click your internet connection (Usually Local Area Connection) and select Properties.
  • Select Internet Protocol (TCP/IP)
  • Click Properties.
  • The bottom half lists the DNS. It should be on Use the following DNS server addresses, but we want to set it to automatic and use your ISP's.
  • Click the button next to Obtain DNS server address automatically.
  • OK your way out and reboot.
  • Are you still redirected?



etavares




#11 CathyB


Posted 13 February 2011 - 01:08 PM

It is still redirecting

#12 etavares


Posted 13 February 2011 - 02:03 PM

How many boxes do you have between the wall and your computer? One (just a modem or modem/router combo) or two (modem and a separate router). If two, please plug your computer directly into the modem (box closest to the wall). Are you still redirected then?




#13 CathyB


Posted 14 February 2011 - 07:09 PM

We have cable modem, then a router box, and 2 switches between the cable modem and my PC. When I plug directly into the modem I am not redirected. But now I'm back to the router, and 2 switches and I'm being redirected again.

#14 etavares


Posted 14 February 2011 - 07:24 PM

Hello, CathyB.

Perfect, we have a confirmed diagnosis we can fix. We fixed one thing, but your router is infected. Basically a virus on your computer tries the default router password then changes settings on it. We need to reset it back to factory defaults, and change the password so viruses can't infect it again. This can be a bit tricky as it depends on the model of your router.

If you need some specific instructions for this, please reply back with the brand and model number of your router and I can do some more research.


Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out the default username and password of your router and note them down: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  • This is the difficult part.
    First get to the router's server. To do that, type http://192.168.1.1 in the address bar and click Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
    • Go to start => Control panel => Double-click Network and Sharing Center.
    • In the left window select Manage network Connection.
    • In the right window right-click Local Area connection and select Properties.
    • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it and make sure of the following settings:
      • The option Obtain an IP address automatically should be checked.
      • The option Obtain DNS server address automatically should be checked.
    • Click OK.
    • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
      • The option Obtain an IP address automatically should be checked.
      • The option Obtain DNS server address automatically should be checked.
    • Click OK twice.
    • If you should change any setting, reboot the computer.

==========

Please run the following command on your computer and post the log.

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c (ipconfig /all&nslookup mbam-cdn.malwarebytes.org&ping -n 2 mbam-cdn.malwarebytes.org&route print) >log.txt&start log.txt

A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

etavares




#15 CathyB


Posted 17 February 2011 - 06:24 PM

Eureka! We're fixed... and my son's PC is also now working; he had not told me it was doing the same redirect.
Thanks!
Cathy



