Does this sound like a virus?


#1 Bushmaster78FS (OS: Windows 7 x64)
Folks, I decided to give Yahoo! Search a shot as an alternative to the Google I have been using, but there is something really bothersome, and I am wondering whether it is Y! causing this or whether it is my system, browser, etc.

When I type a search in Yahoo, for example "how to edit sendto menu pcmag", it pulls up results. Since I am looking for what PCMag had to say about it, I add a pcmag keyword, and the link I want to see is listed in first place, but sometimes, not every time, when I click on this link, I end up in a totally unrelated advertisement website. It doesn't happen with Google. Just a few minutes ago, I was doing another search about Windows 7's Media Center, I clicked one of the search results and I ended up in this VLC media player advertisement. At first you don't notice; you skim through the page and once you can't find the information you are looking for, usually you wake up within a second, you go back, click the link again and this time the result displays correctly.

What is happening here? I use MSSE for virus protection and Spybot for spyware protection. If it is Yahoo abusing it, I am going back to Google. Please advise. Thanks...



#2 Sp0iLedBrAt (OS: XP Pro x86)
I did your first search (how to edit sendto menu pcmag) and the first link I got was the exact answer by PCMag. Yes, I suppose it could be some kind of advertising, or even some kind of link redirecting. Do the results match on different browsers? (Asking because they obviously have different tolerance/management of web pages.) I used Firefox 3.6 on the Yahoo home page.

If it is some infection, it is more probable that it is spyware.

#3 Tarun (Super Moderator, OS: Windows 7 x64)
Please download my Anti-Malware Toolkit and get the package that matches your OS. Then follow the directions in the PC Cleanup guide. After that, please post a HijackThis log.

#4 Bushmaster78FS
Sorry guys, I have been away the past couple of days. I am doing what Tarun suggests right now, because these search redirects are getting out of control and Google is doing it too right now...

#5 Bushmaster78FS

> Please download my Anti-Malware Toolkit and get the package that matches your OS. Then follow the directions in the PC Cleanup guide. After that, please post a HijackThis log.


Tarun, I have followed the instructions and here is my HijackThis log after all those scans...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:21, on 2/25/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files (x86)\SpeedFan\speedfan.exe
C:\Program Files (x86)\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files (x86)\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files (x86)\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files (x86)\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files (x86)\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\John & Jolene Yasar\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Yahoo! Widgets] C:\Program Files (x86)\Yahoo!\Widgets\YahooWidgets.exe
O4 - HKLM\..\Run: [speedfan] C:\Program Files (x86)\SpeedFan\speedfan.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://software.kuaiche.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.co...sreqlab_nvd.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.updat...b?1264574732790
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creat...101/CTSUEng.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (System Requirements Lab Class) - http://systemrequire...etect_intel.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creat...15111/CTPID.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Dolby Digital Live Pack Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\DDLLicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files (x86)\MediaMall\MediaMallServer.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files (x86)\Sony Ericsson\PC Suite\SupServ.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Safer Networking\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @C:\Program Files (x86)\TuneUp Utilities\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities\TuneUpUtilitiesService64.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\John & Jolene Yasar\AppData\Local\TVersity\Media Server\MediaServer.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11783 bytes


Thank you for all your service to the community. I am still wondering where I got this from... MSSE is not a good product???

#6 Bushmaster78FS
Bumping the thread...

#7 Tarun
Did the scanners find and remove anything?

This should go: O15 - Trusted Zone: http://software.kuaiche.com

#8 Bushmaster78FS

> Did the scanners find and remove anything?
>
> This should go: O15 - Trusted Zone: http://software.kuaiche.com


Thanks. Only Superantispyware, 8 tracks, that's it... The rest didn't... The search behavior didn't repeat either...

#9 Tripredacus (Super Moderator, OS: Server 2012)

This line looks suspect:

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL


I know it says Office14, but note your other office14 paths are in the correct folders, not this MIF5BA~1.
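
The two checks raised in this thread (Tarun's O15 Trusted Zone item and Tripredacus' point that MIF5BA~1 is a shortened folder name, which is the Windows 8.3 short-name form) as a small triage script over HijackThis log lines. This is an added example, not code from the thread or from HijackThis; the sample log lines are constructed, modelled on the entries posted above.

```python
"""Triage HijackThis v2 log lines: flag O15 Trusted Zone entries and file
paths written with 8.3 short names (PROGRA~2, MIF5BA~1) for a closer look."""
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v2 format, modelled on the thread's entries.
SAMPLE_LOG = """\
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\\Program Files (x86)\\RoboForm\\roboform.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\\PROGRA~2\\MIF5BA~1\\Office14\\URLREDIR.DLL
O4 - HKLM\\..\\Run: [speedfan] C:\\Program Files (x86)\\SpeedFan\\speedfan.exe
O15 - Trusted Zone: http://software.kuaiche.com
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\\Program Files (x86)\\MediaMall\\MediaMallServer.exe
"""

# 8.3 short name: up to 6 leading characters, a tilde, digits, optional 3-char extension.
SHORT_NAME = re.compile(r"^[^\\/.]{1,6}~\d+(\.[^\\/.]{1,3})?$")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O2 - BHO: ...' into its section code and the rest of the entry."""
    m = re.match(r"^([OR]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def extract_path(code: str, body: str) -> Optional[str]:
    """Return the file path an entry points at, or None if it carries none."""
    if code in ("O2", "O3", "O23"):
        # Path is the last ' - ' field; HJT appends ' (file missing)' when absent.
        return body.rsplit(" - ", 1)[-1].replace(" (file missing)", "").strip()
    if code == "O4" and "] " in body:
        return body.split("] ", 1)[1].strip()  # 'HKLM\..\Run: [name] path'
    return None


def short_name_components(path: str) -> List[str]:
    """List the path components written as 8.3 short names."""
    return [p for p in re.split(r"[\\/]", path) if SHORT_NAME.match(p)]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, original line) for every entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        code, body = parsed
        if code == "O15":
            findings.append(("Trusted Zone entry: " + body.split(": ", 1)[-1], line))
            continue
        path = extract_path(code, body)
        short = short_name_components(path) if path else []
        if short:
            findings.append(("8.3 short-name components: " + ", ".join(short), line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

A flagged short-name path is not itself evidence of anything; it is a prompt to resolve the long name (for example with `dir /x` in the parent folder) and confirm the DLL sits where the legitimate product installs it.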

#10 BetaMerc (OS: XP Pro x86)

> This line looks suspect:
>
> O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
>
> I know it says Office14, but note your other office14 paths are in the correct folders, not this MIF5BA~1.


That line is weird.


Have you cleaned this line? If so, does it still happen?

Edited by BetaMerc, 01 March 2010 - 10:56 AM.


#11 Bushmaster78FS

> > This line looks suspect:
> >
> > O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
> >
> > I know it says Office14, but note your other office14 paths are in the correct folders, not this MIF5BA~1.
>
> That line is weird.
>
> Have you cleaned this line? If so, does it still happen?


I have the Office 2010 Beta, I wonder if it is related. However since I ran the Anti-Malware kit (PC Cleanup) I haven't had the redirect problem. Should I still consider deleting this line?

#12 Tripredacus (Super Moderator, OS: Server 2012)

I can't find what the full path is that this folder is shortening. It would appear to be a legit path. Can you post the full path?

#13 Bushmaster78FS

> I can't find what the full path is that this folder is shortening. It would appear to be a legit path. Can you post the full path?


You mean this folder? "C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL" ??

I can't find the folder myself, there is no MIF5BA~1 in either x86 or x64 folders.. I am searching for URLREDIR.DLL right now.

#14 Bushmaster78FS
URLREDIR happens to be in MS Office folder, but no MIF5BA~1... Weird...

#15 Tripredacus (Super Moderator, OS: Server 2012)

It's probably in ProgramData, which is a hidden system file. If you change your display options to view these types of files, you might find it. I can't find it on my PC.

Anyways, if the problem hasn't come back, you can probably safely ignore this file.