Browser Hijack??



NatLogotree
2007-06-08, 20:50
Hello,

When I search in Google I get 'redirect' or 'jump' to another site unrelated to the one I intended to see. I've been trying to figure this out (you seem to be the best!) and it seems it may be affecting my page position...

My HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:25:57 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\BORGChat\BORGChat.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: BORGChat.lnk = C:\Program Files\BORGChat\BORGChat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178569662234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

Thank you for your help,

Natalie
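
As an added example (not code from this thread, from HijackThis, or from the forum's helpers), here is a small Python parser for the HJT entry format in the log above, with a few review heuristics of the kind a helper applies by eye when reading O2/O3/O4/O15/O16 lines. The SAMPLE_LOG is constructed: most lines are copied from the posted log, and the one O4 line marked CONSTRUCTED is made up so the autorun rule has something to fire on. Flags mean "look at this", not "fix this": the unnamed BHO it raises is Spybot's own SDHelper.dll, which is exactly why a log reader identifies the DLL by path and publisher before deciding anything.

```python
"""Parse HijackThis (v1.99-style) log entries and sort them into review buckets.

Added example for this thread, not part of HijackThis or the forum's own tooling.
SAMPLE_LOG is constructed: most lines are copied from the log posted above; the
line marked CONSTRUCTED is made up to show the autorun rule firing.
"""
import re
from dataclasses import dataclass

# Generic HJT entry: "O<num> - <kind>: <rest>"
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): ?(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^\[([^\]]*)\]\s*(.*)$")          # "[name] command line"
O16_RE = re.compile(r"^(\{[^}]+\}) \(([^)]*)\) - (\S+)$")  # "{CLSID} (name) - url"

# Directories an autorun entry is expected to live in; anything else gets a look.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - Startup: BORGChat.lnk = C:\Program Files\BORGChat\BORGChat.exe
O4 - HKCU\..\Run: [CONSTRUCTED example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178569662234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""


@dataclass
class Entry:
    section: str        # e.g. "O2"
    kind: str           # e.g. "BHO", "HKLM\\..\\Run", "Trusted Zone"
    name: str = ""
    clsid: str = ""
    vendor: str = ""    # O23 only
    target: str = ""    # DLL/EXE path, command line, URL or zone pattern
    raw: str = ""


def parse_entry(line):
    """Parse one HJT line into an Entry, or return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    e = Entry(section=section, kind=kind, raw=line.strip())
    if section in ("O2", "O3"):
        # Both name and path may contain " - " (e.g. "Spybot - Search & Destroy"),
        # so anchor the split on the CLSID rather than on the separator.
        c = CLSID_RE.search(rest)
        if c:
            e.name = rest[:c.start()].rstrip(" -")
            e.clsid = c.group(0)
            e.target = rest[c.end():].lstrip(" -")
        else:
            e.name = rest
    elif section == "O4":
        m4 = O4_RE.match(rest)
        if m4:
            e.name, e.target = m4.groups()
        elif " = " in rest:                  # Startup-folder shortcuts: "x.lnk = path"
            e.name, e.target = rest.split(" = ", 1)
        else:
            e.target = rest
    elif section == "O16":
        m16 = O16_RE.match(rest)
        if m16:
            e.clsid, e.name, e.target = m16.groups()
    elif section == "O23":
        parts = rest.rsplit(" - ", 2)        # "name - vendor - path"
        if len(parts) == 3:
            e.name, e.vendor, e.target = parts
    else:
        e.target = rest
    return e


def parse_hjt(text):
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def _exe_path(cmd):
    """Best-effort executable path from an O4 command line (quoted or with switches)."""
    cmd = cmd.strip().lstrip('"')
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd


def triage(entries):
    """Return (entry, reason) pairs a reviewer should look at first. Heuristics, not verdicts."""
    flagged = []
    for e in entries:
        if e.section == "O15":
            flagged.append((e, "site in IE Trusted Zone runs with relaxed security settings"))
        elif e.section in ("O2", "O3") and e.name == "(no name)":
            flagged.append((e, "unnamed BHO/toolbar: identify the DLL by path and publisher"))
        elif e.section == "O4" and not _exe_path(e.target).lower().startswith(EXPECTED_DIRS):
            flagged.append((e, "autorun outside Program Files/Windows"))
        elif e.section == "O16" and "microsoft.com" not in e.target.lower():
            flagged.append((e, "ActiveX download from a non-Microsoft host"))
    return flagged


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.section:>4}  {reason}\n      {entry.raw}")
```

Run on the sample it raises four lines for review (the Trusted Zone, the unnamed BHO, the non-Microsoft ActiveX download and the constructed Temp autorun) and stays quiet on the AVG, Adobe, Google and BORGChat entries, which is about what a helper reading the posted log by eye would shortlist.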

pskelley
2007-06-10, 13:45
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Natalie, I see nothing in the HJT log, are you receiving any error messages? Where exactly are you being redirected to?
You have AVG Anti-Spyware onboard, let's see if it will show us anything.

Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

Post that scan report and any information you think will help.

Thanks

NatLogotree
2007-06-11, 15:28
Sorry for the delay in responding (this is my work computer and I didn't have access over the weekend).

When I search in Google, for instance "logo design," and click on a desired link, I get redirected to a different page other than the one I had clicked on, usually it's to a directory site that displays search results for "logo design." And in my browser the Back button says 'jump' or 'redirect' in the history, as opposed to saying the site I clicked on.

This is my AVG Spyware scan:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:18:13 AM 6/11/2007

+ Scan result:



:mozilla.105:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
:mozilla.106:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
:mozilla.107:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.108:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.109:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.110:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.111:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.172:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.257:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.280:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.306:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.321:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.396:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\SEO Manager\Cookies\seo manager@oneononemarketing.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.125:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.126:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.43:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.46:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.47:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.48:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.39:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.44:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.45:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.37:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.38:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.40:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.41:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.42:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.175:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\SEO Manager\Cookies\seo manager@enhance[2].txt -> TrackingCookie.Enhance : No action taken.
:mozilla.523:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.524:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.525:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.526:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.527:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.528:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.529:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.530:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.531:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.532:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.78:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.79:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.80:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.104:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.482:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Information : No action taken.
:mozilla.486:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.487:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.488:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.489:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.76:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.77:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\SEO Manager\Cookies\seo manager@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.401:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Netflame : No action taken.
:mozilla.85:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.86:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.87:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.551:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.127:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.128:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.129:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.130:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.351:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.352:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.358:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.359:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.360:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.361:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.362:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.363:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.364:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.157:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.378:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.379:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.380:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.381:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.382:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\SEO Manager\Cookies\seo manager@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.95:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.96:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.97:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.98:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.93:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.18:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.19:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.20:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.21:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.31:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.32:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.16:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
:mozilla.17:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
:mozilla.24:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
:mozilla.25:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
:mozilla.27:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
:mozilla.30:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
:mozilla.476:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\SEO Manager\Cookies\seo manager@m.webtrends[2].txt -> TrackingCookie.Webtrends : No action taken.
:mozilla.447:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Yadro : No action taken.
:mozilla.448:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Yadro : No action taken.
:mozilla.15:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.28:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.29:C:\Documents and Settings\SEO Manager\Application Data\Mozilla\Firefox\Profiles\p7llh7t0.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\SEO Manager\Cookies\seo manager@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\SEO Manager\Cookies\seo manager@zedo[1].txt -> TrackingCookie.Zedo : No action taken.


::Report end

Thanks for your time and patience.
Natalie

pskelley
2007-06-11, 17:23
Work computer?
The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteers.
We realise on occasion a business where staff are trained to remove malware needs a second opinion. In that case please state that up-front and note the steps already taken. Our volunteers appreciate that.

Natalie, my instructions say to "delete or quarantine" anything it finds and for some reason you have chosen "No action taken"?

Please follow the instructions and post a new scan report.

I am still seeing no reason for this, let's look for a hidden rootkit infection:

Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder on the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.

(do not fix anything, most if not all files will be valid)

Thanks

NatLogotree
2007-06-11, 19:47
I did delete, but I had saved the log first, very sorry about that.

I downloaded the F-Secure BlackLight Beta, and no items were found.

I'm not sure what that means, maybe I'm just crazy:)

Thank you for all your help and understanding, I genuinely appreciate it!

pskelley
2007-06-11, 20:57
Thanks for returning that information, BlackLight creates a log on your Desktop whether it finds rootkit infections or not, please post that log.

"When I search in Google I get 'redirect' or 'jump' to another site unrelated to the one I intended to see. I've been trying to figure this out (you seem to be the best!) and it seems it may be affecting my page position..."

You have not provided a lot of information, please provide any information you think will help, post the site/sites to where you are being redirected, any information may provide a clue. When you talk about your "page position" please explain exactly what you mean in detail, remember...I cannot see it happen.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)

Next, click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.

Thanks

NatLogotree
2007-06-11, 22:04
Apparently I'm retarded. Sorry I'm causing you grief! What I meant by page position is its position in Google. It was ranking highly a few days ago and then overnight it dropped 5 pages. So I was searching for reasons as to why this might be, and dramatic page dropping, redirect, and hijacking came up as a common combination. Though, part of the problem is that it doesn't do it all the time. If it does tonight, I'll post the pages I get redirected to, but right now I'm going where I'm supposed to.

This is from Blacklight:
06/11/07 13:41:17 [Info]: BlackLight Engine 1.0.61 initialized
06/11/07 13:41:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/11/07 13:41:17 [Note]: 7019 4
06/11/07 13:41:17 [Note]: 7005 0
06/11/07 13:41:45 [Note]: 7006 0
06/11/07 13:41:45 [Note]: 7011 956
06/11/07 13:41:45 [Note]: 7026 0
06/11/07 13:41:45 [Note]: 7026 0
06/11/07 13:41:47 [Note]: FSRAW library version 1.7.1021
06/11/07 13:44:22 [Note]: 7007 0

Kaspersky Report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 11, 2007 3:50:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 11/06/2007
Kaspersky Anti-Virus database records: 321162
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 39679
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 14
Duration of the scan process: 00:30:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\SEO Manager\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\SEO Manager\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\SEO Manager\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\SEO Manager\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SEO Manager\Local Settings\History\History.IE5\MSHist012007061120070612\index.dat Object is locked skipped
C:\Documents and Settings\SEO Manager\Local Settings\Temp\installer.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\SEO Manager\Local Settings\Temp\Perflib_Perfdata_4dc.dat Object is locked skipped
C:\Documents and Settings\SEO Manager\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SEO Manager\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\SEO Manager\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP14\A0000587.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000620.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000621.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000641.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000642.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000695.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000696.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000728.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000729.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP17\A0000751.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP17\A0000752.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP20\A0000870.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP20\A0000878.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP21\A0000882.exe Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP21\A0000883.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP21\A0000893.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP24\A0001059.exe Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP24\A0001060.exe Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP24\A0001061.exe Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP24\A0001062.exe Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP33\A0003506.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP34\A0003537.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP34\A0003539.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP35\A0003610.dll Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP38\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\installer.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ipv6monr.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\system32\ipv6mons.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\update Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\update.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Natalie

pskelley
2007-06-11, 22:40
From my limited understanding of Google, the position of the page is in direct proportion to the times the page is accessed. Say the second page has been accessed 12 times less than the first, so if you accessed page two 13 times, and no one accessed page one, then page two would become page one. This is only my understanding.

Blacklight is indeed clean, you may remove it from your computer.

I am concerned about this item:

C:\WINDOWS\system32\ipv6mons.dll Suspicious: Packed.Win32.Morphine.a skipped
Here's the Google: http://www.google.com/search?hl=en&q=ipv6mons.dll+&btnG=Google+Search

I believe Kaspersky may be finding some junk you have in System Restore:
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP14\A0000587.dll Suspicious: Packed.Win32.Morphine.a skipped
There is more, I am only showing you one. Understand when your System Restore makes a backup, if you have infected files on the computer it backs up the infected files also. Then if down the line you need System Restore for some valid reason, guess what happens.

C:\WINDOWS\system32\ipv6mons.dll <<< this item scares me, if it is what I think it is look at this:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-080315-1729-99&tabid=1
Steals the following information, if available:
Host name and IP Address
Outlook Express Accounts
SMTP and POP3 Server
Password for Internet Explorer AutoComplete
MSN Explorer Signup account
Windows Cached Passwords
URLs visited
HTTP POST request
Content of HTTP FORM
TAN and PIN numbers of bank accounts

Since this is a work computer and I am not 100% sure what we are dealing with, I suggest you involve your security people right away and to be safe, pull the plug on this computer, except when troubleshooting.
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Assuming you wish to continue, then do this:

1) Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

3) Run another Kaspersky scan.

Post the combofix report and the new Kaspersky log.

Thanks

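The Kaspersky output in this thread is read by hand above: "Object is locked" lines are normal for registry hives, index.dat files and event logs, while the "Suspicious:" hits split into copies sitting inside System Restore points and files in live system locations. The following Python script is an added example, not part of the thread or of any tool mentioned in it: it parses scanner lines of the form `<path> <verdict> skipped`, drops the locked-file noise, and separates live detections from restore-point copies, so a long log can be triaged the same way the reply above does. The sample log is constructed from lines modelled on the posted one; treating an `Infected:` verdict alongside `Suspicious:` is an assumption about the scanner's other output form.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Kaspersky Online Scanner lines posted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\SEO Manager\Local Settings\Temp\installer.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\SEO Manager\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP14\A0000587.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{664AAF9E-ED37-4F80-8B02-BDC986445AB0}\RP16\A0000620.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\ipv6monr.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\system32\ipv6mons.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\update.exe Suspicious: Packed.Win32.Morphine.a skipped

Scan process completed.
"""

# One scanner line: "<path> <verdict> skipped". Paths may contain spaces, so the
# path group is non-greedy and the fixed verdict wording anchors the split.
# "Infected:" as an alternative verdict is an assumption, not taken from this thread.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Object is locked|(?:Suspicious|Infected): (?P<name>\S+))\s+"
    r"skipped$"
)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.I)
TEMP_RE = re.compile(r"\\Local Settings\\Temp\\", re.I)


def classify_location(path):
    """Bucket a path: System Restore snapshot, user temp folder, or live location."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if TEMP_RE.search(path):
        return "temp"
    return "live"


def parse_kaspersky_log(text):
    """Turn scanner output into dicts; lines that are not per-file results are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        rp = RESTORE_RE.search(path)
        entries.append({
            "path": path,
            "verdict": m.group("verdict"),
            "detection": m.group("name"),  # None for "Object is locked"
            "location": classify_location(path),
            "restore_point": rp.group(1) if rp else None,
        })
    return entries


def triage(entries):
    """Separate locked-file noise from detections, and group detections by location."""
    hits = [e for e in entries if e["detection"]]
    return {
        "locked": sum(1 for e in entries if e["detection"] is None),
        "live_hits": [e["path"] for e in hits if e["location"] == "live"],
        "temp_hits": [e["path"] for e in hits if e["location"] == "temp"],
        "restore_point_hits": sorted({e["restore_point"] for e in hits
                                      if e["location"] == "restore_point"}),
        "detections": Counter(e["detection"] for e in hits),
    }


if __name__ == "__main__":
    report = triage(parse_kaspersky_log(SAMPLE_LOG))
    print(f"{report['locked']} locked objects (normal for hives, index.dat, event logs)")
    print("detections in live locations (deal with these first):")
    for p in report["live_hits"] + report["temp_hits"]:
        print("  ", p)
    print("restore points holding detections (cleared by the System Restore off/on step):",
          report["restore_point_hits"])
    print("detection names:", dict(report["detections"]))
```

Run against a real log, the `live_hits` list is what a helper would ask about first; `restore_point_hits` only tells you which snapshots will be discarded when System Restore is turned off and back on, which is why the reply above treats those entries separately.
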
tashi
2007-06-18, 20:31
This topic has been moved to archives to prevent others with similar issues posting to it.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.