Jump to content


Google Hijack?

  • Please log in to reply
2 replies to this topic

#1 cjlhayes



  • New Member
  • Pip
  • 1 posts

Posted 17 March 2007 - 04:24 PM


Thank you very much in advance for any assistance you can offer me:

Problem Details

Some kind of trojan/virus has hijacked my internet explorer. When conducting searches (e.g. google and yahoo) and clicking on the search links, the web address is hijacked and redirects me to other sites (usually porn but not always). The problem does not occur when using Mozilla Firefox as my explorer.

Other weird (either seperate or connected problems include):

-'dnlsvc.exe' appearing in internet temp files
-a folder called 'driverload' containing a windrv0 file (a windrv application is sometimes found running as a windows background application).

Actions Taken

- Spybot search and destroy scan
- Ad Aware Scan
- CWShredder Scan
- Ewido AVG anti-spyware scan
- Kaspersky scan
- Hijack this scan and log

None of these seemed to have resolved the issue.

AVG Anyi-Spyware 7.5 Log

AVG Anti-Spyware - Scan Report

+ Created at: 19:57:16 17/03/2007

+ Scan result:

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP12\A0016866.sys -> Backdoor.ForBot.af : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP12\A0016873.sys -> Backdoor.ForBot.af : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP22\A0017164.sys -> Backdoor.ForBot.af : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017638.sys -> Backdoor.ForBot.af : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017663.sys -> Backdoor.ForBot.af : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GHOJEXYZ\teenslagune[1].htm -> Downloader.Agent.ab : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C5EZ8TE7\loader[1].exe -> Downloader.Tiny.bn : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017639.exe -> Downloader.Tiny.bn : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017640.exe -> Downloader.Tiny.bn : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017656.exe -> Downloader.Tiny.bn : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KGE16YK0\dnlsvc[1].exe -> Proxy.Agent.jl : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\snapshot\MFEX-1.DAT -> Proxy.Agent.jl : Cleaned.
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n93b268q.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned.
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n93b268q.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.

::Report end

HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 20:57:23, on 17/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itv-f1.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp-expo.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37E3} - C:\WINDOWS\Temp\themes_2.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [alpha] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [beta] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [gamma] c:\DriverLoad\windrv0.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp-expo.com/uk/
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{41E6C698-B51B-470D-B68B-00A3384043F2}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{62810E67-35EE-4EF0-87CC-94D9C9E42A85}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{73AE18F5-C7DD-4B65-BDDC-A73916AE05B1}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4FC7BEC-6DDD-4F55-B75E-ECC545556B62}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBE16573-F7B0-4E89-A209-4680C4E2A504}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


I would be more than grateful for any assistance you can offer.

Kind Regards,


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,525 posts

Posted 20 March 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 dave38


    Devout Murphyite!

  • Retired Staff
  • PipPipPipPipPip
  • 8,508 posts

Posted 21 March 2007 - 06:09 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button