cjlhayes

Google Hijack?

3 posts in this topic

Hello,

Thank you very much in advance for any assistance you can offer me:

Problem Details

Some kind of trojan/virus has hijacked my Internet Explorer. When conducting searches (e.g. Google and Yahoo) and clicking on the search links, the web address is hijacked and redirects me to other sites (usually porn but not always). The problem does not occur when using Mozilla Firefox as my explorer.

Other weird (either separate or connected) problems include:

- 'dnlsvc.exe' appearing in internet temp files

- a folder called 'driverload' containing a windrv0 file (a windrv application is sometimes found running as a Windows background application).

Actions Taken

- Spybot Search and Destroy scan

- Ad-Aware scan

- CWShredder scan

- Ewido AVG Anti-Spyware scan

- Kaspersky scan

- HijackThis scan and log

None of these seemed to have resolved the issue.

AVG Anti-Spyware 7.5 Log

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 19:57:16 17/03/2007

 

+ Scan result:

 

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP12\A0016866.sys -> Backdoor.ForBot.af : Cleaned.

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP12\A0016873.sys -> Backdoor.ForBot.af : Cleaned.

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP22\A0017164.sys -> Backdoor.ForBot.af : Cleaned.

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017638.sys -> Backdoor.ForBot.af : Cleaned.

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017663.sys -> Backdoor.ForBot.af : Cleaned.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GHOJEXYZ\teenslagune[1].htm -> Downloader.Agent.ab : Cleaned.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C5EZ8TE7\loader[1].exe -> Downloader.Tiny.bn : Cleaned.

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017639.exe -> Downloader.Tiny.bn : Cleaned.

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017640.exe -> Downloader.Tiny.bn : Cleaned.

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017656.exe -> Downloader.Tiny.bn : Cleaned.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KGE16YK0\dnlsvc[1].exe -> Proxy.Agent.jl : Cleaned.

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\snapshot\MFEX-1.DAT -> Proxy.Agent.jl : Cleaned.

:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n93b268q.default\cookies.txt -> TrackingCookie.Com : Cleaned.

C:\Documents and Settings\LocalService\Cookies\system@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned.

:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n93b268q.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.

::Report end

HijackThis Log

Logfile of HijackThis v1.99.1

Scan saved at 20:57:23, on 17/03/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\HPConfig.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\RadioSvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\btbb_wcm\McciTrayApp.exe

C:\Program Files\MSN Messenger\usnsvc.exe

c:\Program Files\Microsoft Money\System\urlmap.exe

C:\Program Files\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itv-f1.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp-expo.com/uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37E3} - C:\WINDOWS\Temp\themes_2.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [alpha] c:\DriverLoad\windrv0.exe

O4 - HKCU\..\Run: [beta] c:\DriverLoad\windrv0.exe

O4 - HKCU\..\Run: [gamma] c:\DriverLoad\windrv0.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hp-expo.com/uk/

O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer = 85.255.116.109,85.255.112.103

O17 - HKLM\System\CCS\Services\Tcpip\..\{41E6C698-B51B-470D-B68B-00A3384043F2}: NameServer = 85.255.116.109,85.255.112.103

O17 - HKLM\System\CCS\Services\Tcpip\..\{62810E67-35EE-4EF0-87CC-94D9C9E42A85}: NameServer = 85.255.116.109,85.255.112.103

O17 - HKLM\System\CCS\Services\Tcpip\..\{73AE18F5-C7DD-4B65-BDDC-A73916AE05B1}: NameServer = 85.255.116.109,85.255.112.103

O17 - HKLM\System\CCS\Services\Tcpip\..\{E4FC7BEC-6DDD-4F55-B75E-ECC545556B62}: NameServer = 85.255.116.109,85.255.112.103

O17 - HKLM\System\CCS\Services\Tcpip\..\{FBE16573-F7B0-4E89-A209-4680C4E2A504}: NameServer = 85.255.116.109,85.255.112.103

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.109 85.255.112.103

O17 - HKLM\System\CS1\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer = 85.255.116.109,85.255.112.103

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.109 85.255.112.103

O17 - HKLM\System\CS2\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer = 85.255.116.109,85.255.112.103

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.109 85.255.112.103

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: WIKI.DLL

O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe

O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe

O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

----------------------------

I would be more than grateful for any assistance you can offer.

Kind Regards,

Chris.
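As an added example (not part of the forum post, and not code from HijackThis or any of the tools named above), the following Python script triages log lines of the kind posted above for the entries a helper would look at first: O17 NameServer entries pointing at DNS servers the machine is not expected to use, O4 autorun entries launched from a directory outside the usual Windows and Program Files locations, an AppInit_DLLs value, and BHOs whose file is missing. The expected-DNS allowlist and the trusted-directory list are assumptions chosen for illustration; the sample lines are copied from the HijackThis log in the post above.

```python
"""Triage a HijackThis-style log for the indicators seen in the thread above.

Added example, not part of the forum post or of HijackThis itself. The
sample lines are copied from the log posted above; EXPECTED_DNS and
TRUSTED_DIRS are assumptions for illustration.
"""
import re

# Assumption: the DNS servers this machine is expected to use (for example
# the local router). Any other address in an O17 entry is flagged.
EXPECTED_DNS = {"192.168.1.1"}

# Assumption: directories from which autorun (O4) entries normally launch.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# O4 entries may quote the path ("C:\Program Files\...\x.exe" /arg) or not.
O4_RE = re.compile(
    r'^O4 - \S+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?:"(?P<qpath>[^"]+)"|(?P<path>\S+))'
)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def triage(lines):
    """Return a list of (section, reason, line) tuples for suspicious entries."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = O17_RE.match(line)
        if m:
            # NameServer values appear comma- or space-separated in the log.
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            rogue = [s for s in servers if s not in EXPECTED_DNS]
            if rogue:
                findings.append(("O17", f"unexpected DNS server(s) {rogue}", line))
            continue

        m = O4_RE.match(line)
        if m:
            path = (m.group("qpath") or m.group("path")).lower()
            if not path.startswith(TRUSTED_DIRS):
                findings.append(("O4", f"autorun '{m.group('name')}' launches from {path}", line))
            continue

        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs loads the named DLL into every process that uses user32.
            findings.append(("O20", f"AppInit_DLLs set to {m.group('dlls')}", line))
            continue

        if line.startswith("O2 - BHO:") and ("(no file)" in line or "(file missing)" in line):
            findings.append(("O2", "BHO registered but its file is absent", line))
    return findings


# Sample lines copied from the log posted above (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37E3} - C:\WINDOWS\Temp\themes_2.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [alpha] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [beta] c:\DriverLoad\windrv0.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.109 85.255.112.103
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
"""


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG.splitlines()):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample, the script flags the two orphaned BHOs, the two DriverLoad autoruns, both O17 entries (the same rogue DNS pair in the interface-specific key and the global Parameters key), and the AppInit_DLLs value, while leaving the AVG autorun and the HP service alone. On a real log, feed it the full file with `triage(open(path).read().splitlines())` and adjust `EXPECTED_DNS` to the resolvers the network actually hands out.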


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.
