Tuesday, July 14, 2009

Yahoo and Google links hijacked to webcry and porno sites when clicked from search engine?

Hi all,

The computer I am writing from is a working ambulance dispatch computer. The latest problem is the links from search engines being redirected to webcry, and another site not affiliated with the search result link desired.

This is causing issues with the bosses thinking employees are cruising porno on the job. I am a supervisor and keep telling them that this is not necessarily the case as it does it automatically, and my poor crews can't use a good tool for fear of a write-up.

I am OK with the computer and I have got AVG and Panda running. The problem is restarting the computer, as it is a busy machine and is needed to dispatch and track ambulance units, and the log-in process for this is sometimes too long. I have run HijackThis and will post the log below, but I am going to need as few reboots as possible.

So without further ado:





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:50 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Dispat...
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4XQZOXAB\HiJackThis[1]...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://miltonambulance.com/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.d... (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.ex...
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.d... (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper...
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.6... (file missing)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Online Add-on\isfmdl.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8685CC} - C:\Program Files\Helper\1201539470.dll
O3 - Toolbar: IE Custom Tools - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - C:\Program Files\Online Add-on\ictmdl.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PKVOLUME] C:\Program Files\PKVolume\PKVOLUME.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.ex... /autorun
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [FSCBoss] C:\Program Files\FSCBoss\FSCBoss.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Accelerator] "C:\Program Files\Pointstone\Internet Accelerator\InternetAccelerator.exe"
O4 - HKCU\..\Run: [AntiSpywareShield] C:\Program Files\AntiSpywareShield\AntiSpywareShiel...
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Macromed\SHOCKW~2\SW... -Update -1020023 -IEXPLORE.EXE6.0
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Online Add-on\isfmntr.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.d...
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.d...
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolgate.com/redirect.php (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=3...
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/sha...
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrive...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://pbells.broadjump.com/wizlet/Bell...
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resource...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/Gro...
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/v...
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by132fd.bay132.hotmail.msn.com/ac...
O22 - SharedTaskScheduler: esperantido - {67dc0736-075a-4647-95f5-d5421b838fed} - C:\WINDOWS\system32\svxmhpz.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe

--
End of file - 9484 bytes





Any help will be greatly appreciated.

Pyromedic

Trust me when I tell you the best ones to get are SuperAntiSpyware, Ad-Aware, and CCleaner. They are free, and they are both really good. You can also try AVG. It's pretty good. Please try these.

I would also get the McAfee SiteAdvisor, because it warns users when downloading software or filling out forms on a web site that may make them victims of malware or spam.

http://www.superantispyware.com/
http://www.siteadvisor.com/
http://www.filehippo.com/download_cclean...
http://www.grisoft.com/doc/31/us/crp/0
http://www.lavasoftusa.com/software/adaw...
http://en.wikipedia.org/wiki/Ad-Aware

When you click the site for CCleaner, CLICK DOWNLOAD LATEST VERSION 2.61 MB.
Reply: ...I think you need this more than I did.

You can thank me later.

http://www.compingdium.com/topsecret.htm...

(Not an affiliate link.)

Enjoy!

-Douglas
Reply: I've seen this behaviour from Trojan DNSChanger. This trojan changes your DNS settings, pointing them to a new IP address. So, whenever you search from Google, it returns porn and related affiliates as well as malware-related links.

I advise you to disconnect from the internet and check your DNS and scan your machine.
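One concrete form of the "check your DNS" step in this reply, as an added example that is not part of the original thread or of any tool named in it: on Windows, `ipconfig /all` lists each adapter's resolvers, so the script below parses a constructed sample of that output and reports any resolver that is not on the site's own allowlist (EXPECTED_DNS and the sample addresses are assumed values; on the affected machine you would feed it the real output).

```python
import re

# Constructed sample of `ipconfig /all` output (Windows XP wording): the wired
# adapter's resolvers have been changed away from the site's own DNS server.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.25
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            203.0.113.8

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""
# Resolvers this site expects to see (assumed value; substitute your own).
EXPECTED_DNS = {"192.168.1.1"}
ADAPTER_RE = re.compile(r"^\S.* adapter (?P<name>.+):$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: (?P<ip>\S+)$")
CONT_RE = re.compile(r"^\s{20,}(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def dns_servers_by_adapter(text):
    """Map adapter name -> configured DNS servers, following the indented continuation lines ipconfig uses for the 2nd and later servers."""
    result, current, in_dns = {}, None, False
    for line in text.splitlines():
        a = ADAPTER_RE.match(line)
        if a:
            current, in_dns = a.group("name"), False
            result[current] = []
            continue
        d = DNS_RE.match(line)
        c = CONT_RE.match(line)
        if d and current:
            result[current].append(d.group("ip"))
            in_dns = True
        elif c and in_dns:
            result[current].append(c.group("ip"))
        else:
            in_dns = False
    return result

def unexpected_resolvers(text, expected=EXPECTED_DNS):
    """Map adapter -> resolvers outside the allowlist; an empty dict means all adapters are clean."""
    bad = {}
    for adapter, servers in dns_servers_by_adapter(text).items():
        odd = [s for s in servers if s not in expected]
        if odd:
            bad[adapter] = odd
    return bad
```

An adapter whose resolvers were set by the site's DHCP server will match the allowlist; anything else is what a DNS-changing trojan leaves behind and is worth comparing against the registry interface settings as well.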
Reply: In the HijackThis log file, you should fix these items:

O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Online Add-on\isfmdl.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8685CC} - C:\Program Files\Helper\1201539470.dll
O3 - Toolbar: IE Custom Tools - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - C:\Program Files\Online Add-on\ictmdl.dll

But this is not enough to remove this malware, because some of this malware's objects were not detected by HijackThis. Here is an automatic removal method: http://www.AdwareAway.net/webcry.htm ; it should work.
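A way to triage a HijackThis log like the one above before deciding what to fix, as an added example that is neither code from this thread nor from HijackThis itself: it parses the `Oxx - ...` entry lines and flags the ones a responder would look at first (hooks marked "(file missing)", the Policies\Explorer\Run autostart key, SharedTaskScheduler DLLs, purely numeric file names, and anything living in the same non-system directory as a flagged item). The rules are this example's own heuristics, and the sample lines are copied from the log above.

```python
import re
# Constructed sample: seven lines copied from the log above; AVG and LogMeIn are benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\Online Add-on\isfmdl.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8685CC} - C:\Program Files\Helper\1201539470.dll
O3 - Toolbar: IE Custom Tools - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - C:\Program Files\Online Add-on\ictmdl.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Add-on\icthis.exe
O22 - SharedTaskScheduler: esperantido - {67dc0736-075a-4647-95f5-d5421b838fed} - C:\WINDOWS\system32\svxmhpz.dll
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'([a-z]:\\[^"]+?\.(?:dll|exe))', re.I)

def parse(log):
    """Yield (code, body, path) per 'Oxx - ...' line; path is '' if none is found."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m.group("body"))
            yield m.group("code"), m.group("body"), (p.group(1) if p else "")

def split_path(path):
    """Return (directory lower-cased for comparison, file name)."""
    d, _, name = path.rpartition("\\")
    return d.lower(), name

def triage(log):
    """Map path (or body) -> reasons for entries worth a closer look. The rules are this example's heuristics."""
    entries = list(parse(log))
    flagged = {}
    for code, body, path in entries:
        why = []
        if code in ("O2", "O3", "R3") and "(file missing)" in body:
            why.append("hook registered for a DLL that is not on disk (deleted or hidden)")
        if code == "O4" and "Policies\\Explorer\\Run" in body:
            why.append("autostart from Policies\\Explorer\\Run, rarely used legitimately")
        if code == "O22":
            why.append("SharedTaskScheduler DLL loaded into Explorer at every logon")
        if re.fullmatch(r"\d+\.(dll|exe)", split_path(path)[1], re.I):
            why.append("auto-generated numeric file name")
        if why:
            flagged[path or body] = why
    # Second pass: co-located with a flagged item (system dirs excluded, everything lives there).
    bad_dirs = {split_path(p)[0] for p in flagged if "\\" in p and "\\windows\\" not in p.lower()}
    for code, body, path in entries:
        if path and path not in flagged and split_path(path)[0] in bad_dirs:
            flagged[path] = ["lives in the same directory as a flagged item"]
    return flagged
```

Run against the full log, the second pass is what pulls in the companion files under Online Add-on that the reply above lists, while the AVG, LogMeIn and vendor entries stay unflagged.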
Reply: I suggest you try any free anti-spyware program from http://www.download.com/Spyware-Removers...

