Jump to content


Photo

Google Hijack?


  • Please log in to reply
2 replies to this topic

#1 cjlhayes

cjlhayes

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 March 2007 - 04:24 PM

Hello,

Thank you very much in advance for any assistance you can offer me:

Problem Details

Some kind of trojan/virus has hijacked my internet explorer. When conducting searches (e.g. google and yahoo) and clicking on the search links, the web address is hijacked and redirects me to other sites (usually porn but not always). The problem does not occur when using Mozilla Firefox as my explorer.

Other weird (either seperate or connected problems include):

-'dnlsvc.exe' appearing in internet temp files
-a folder called 'driverload' containing a windrv0 file (a windrv application is sometimes found running as a windows background application).

Actions Taken

- Spybot search and destroy scan
- Ad Aware Scan
- CWShredder Scan
- Ewido AVG anti-spyware scan
- Kaspersky scan
- Hijack this scan and log

None of these seemed to have resolved the issue.

AVG Anyi-Spyware 7.5 Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:57:16 17/03/2007

+ Scan result:

C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP12\A0016866.sys -> Backdoor.ForBot.af : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP12\A0016873.sys -> Backdoor.ForBot.af : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP22\A0017164.sys -> Backdoor.ForBot.af : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017638.sys -> Backdoor.ForBot.af : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017663.sys -> Backdoor.ForBot.af : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GHOJEXYZ\teenslagune[1].htm -> Downloader.Agent.ab : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C5EZ8TE7\loader[1].exe -> Downloader.Tiny.bn : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017639.exe -> Downloader.Tiny.bn : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017640.exe -> Downloader.Tiny.bn : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\A0017656.exe -> Downloader.Tiny.bn : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KGE16YK0\dnlsvc[1].exe -> Proxy.Agent.jl : Cleaned.
C:\System Volume Information\_restore{BE7F1F4B-F208-4467-BA00-4314DC91E883}\RP26\snapshot\MFEX-1.DAT -> Proxy.Agent.jl : Cleaned.
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n93b268q.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned.
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n93b268q.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.


::Report end


HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 20:57:23, on 17/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itv-f1.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp-expo.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37E3} - C:\WINDOWS\Temp\themes_2.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [alpha] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [beta] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [gamma] c:\DriverLoad\windrv0.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp-expo.com/uk/
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{41E6C698-B51B-470D-B68B-00A3384043F2}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{62810E67-35EE-4EF0-87CC-94D9C9E42A85}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{73AE18F5-C7DD-4B65-BDDC-A73916AE05B1}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4FC7BEC-6DDD-4F55-B75E-ECC545556B62}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBE16573-F7B0-4E89-A209-4680C4E2A504}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.109 85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.109 85.255.112.103
O17 - HKLM\System\CS2\Services\Tcpip\..\{03B01FA9-4FA2-4EA3-BB98-1534340D9229}: NameServer = 85.255.116.109,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.109 85.255.112.103
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


----------------------------

I would be more than grateful for any assistance you can offer.

Kind Regards,

Chris.

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,481 posts

Posted 20 March 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 dave38

dave38

    Devout Murphyite!

  • Global Moderator
  • PipPipPipPipPip
  • 8,508 posts

Posted 21 March 2007 - 06:09 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
<!--sizeo:4--><span style="font-size:14pt;line-height:100%"><!--/sizeo--><!--fonto:Times New Roman--><span style="font-family:Times New Roman"><!--/fonto--> Be wary of strong drink. It may make you shoot at tax collectors, and miss!<!--fontc--></span><!--/fontc--><!--sizec--></span><!--/sizec-->
<a href="http://www.spywarein...owtopic=113396" target="_blank"><b>Please support SWI forum</b></a>




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button