Yahoo gets redirected completed 8 steps

By chimp8
Jun 15, 2010
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Chimp, looks like you may have a Rootkit infection. Please run the following:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      serial .*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please include both logs in your next reply.

    EDIT: It looks like you had the Zone Alarm Security Suite with firewall and antivirus at some point. You have replaced the AV with Avast, but the firewall is still loading. If that was originally from the security suite, you will need to uninstall the entire ZA Security Suite; then, if you want, you can get the free Zone Alarm free-standing firewall.
  2. chimp8

    chimp8 TS Rookie Topic Starter

    I followed the directions and did what you suggested; here are the logs. There are two SystemLook logs because I did a scan with Serial.* with serial separated from .* that looked like this
    serial .*
    and the log did not find anything; that would be the log named SystemLook1.
    I did another scan with serial attached to .* that looked like this
    serial.*
    and the log found some things, so I named the log SystemLook2. I hope this is a bit helpful to you.
    The log named log is the log from Combofix. Thank you so much for the help you are providing me with.

    View attachment log.txt

    View attachment SystemLook1.txt

    View attachment SystemLook2.txt
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There was another part to the DDS log named Attach.txt. Please look for that on your system and leave it for me in the next reply. I missed that it was missing!

    You need to send a file in for identification as follows:
    Go to

    Suspicious file(s) to scan: > browse or upload.


    1. You can UPLOAD any files, but there is a 20Mb limit per file.
    2. VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
    3. VirSCAN can scan compressed files with password 'infected' or 'virus'.

    Leave the result in next reply.
    Custom CF Script

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
        c:\program files\Enigma Software Group
        C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
    I have removed the Enigma Software Group. That is not a good program to have on the system. I also suggest you remove the Iobit Advanced SystemCare for the same reason. I have not put ASC in the script.
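    The CFScript above lists two copies of atapi.sys separated by a `|`: the Service Pack backup copy and the live copy in the drivers folder. The thread does not explain what ComboFix does with that line, and the following is not ComboFix's code or the helper's; it is an added example of the independent check a responder can run on such a pair: hash both files and report whether they are byte-identical. The script text is taken from the post; the files hashed in `demo()` are constructed stand-ins written to a temp directory, and the function names are this example's own.

```python
"""Hash-compare a live driver file against its backup copy.

Added example, not part of the thread and not what ComboFix itself does.
The '|' line format is taken from the CFScript posted above; treating it
as "these two paths" is this example's assumption.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Script text as posted in the thread (the folder line carries no '|').
CFSCRIPT_SAMPLE = r"""c:\program files\Enigma Software Group
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys"""


def pairs_from_script(script: str) -> List[Tuple[str, str]]:
    """Return (left, right) path pairs from every 'a | b' line in the script."""
    pairs = []
    for line in script.splitlines():
        if " | " in line:
            left, right = line.split(" | ", 1)
            pairs.append((left.strip(), right.strip()))
    return pairs


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large drivers do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_copies(live: str, backup: str) -> Dict[str, object]:
    """Compare a live file with its backup: sizes, hashes and an identical flag.

    A mismatch only says the copies differ; a legitimately updated driver
    differs from its Service Pack copy too, so the next step is checking the
    file's version and signature, not deleting it.
    """
    live_hash, backup_hash = sha256_of(live), sha256_of(backup)
    return {
        "live": live,
        "backup": backup,
        "live_size": os.path.getsize(live),
        "backup_size": os.path.getsize(backup),
        "live_sha256": live_hash,
        "backup_sha256": backup_hash,
        "identical": live_hash == backup_hash,
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Run the comparison on constructed files: one pair identical, one pair
    that differs in a single byte while keeping the same size."""
    workdir = tempfile.mkdtemp()
    blob = bytes(range(256)) * 64  # constructed stand-in for a driver image
    paths = {}
    for name, data in (("backup.sys", blob),
                       ("same.sys", blob),
                       ("changed.sys", blob[:-1] + b"\x00")):
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return (compare_copies(paths["same.sys"], paths["backup.sys"]),
            compare_copies(paths["changed.sys"], paths["backup.sys"]))


if __name__ == "__main__":
    for pair in pairs_from_script(CFSCRIPT_SAMPLE):
        print("would compare:", pair)
    for result in demo():
        print(os.path.basename(str(result["live"])), "identical:", result["identical"])
```

    Size alone is not a useful check, which is why `demo()` builds a changed copy of exactly the same length: only the hash separates it from the backup.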
  4. chimp8

    chimp8 TS Rookie Topic Starter

    Will not let us upload or type in c:\windows\system32\luyusowa.exe
    I looked for it manually and I still could not find the file. I am not very computer savvy, so any help on where to find it will be greatly appreciated. Thank you again for your time. I have included, however, the DDS file you needed.

    View attachment Attach.txt
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I need the log that was created after you ran the script in Combofix.

    Please do the following scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Please include logs for Combofix after script, Eset log and HijackThis log in your next reply.
  6. chimp8

    chimp8 TS Rookie Topic Starter

    I tried attaching the combo fix after script but the attachment manager would not allow me to do so, saying that it was already in the thread. But here are the other logs.

    View attachment log.txt

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:01:01 PM, on 7/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) -
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{587B93B1-23E2-40C5-BD75-9CF6719AEFF4}: NameServer =
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    End of file - 8183 bytes
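    A HijackThis log like the one above is read by hand in the thread. The following is an added example, not code from the thread or from HijackThis, of turning such a log into structured records so the autorun surface (O4 run keys and startup folders, O23 services, O2 BHOs) can be listed and compared against a known-good baseline. The sample text is a constructed excerpt built from lines in the posted log; the record layout and function names are this example's own.

```python
"""Parse HijackThis log lines into structured records.

Added example, not part of the thread or of HijackThis itself. The sample
below is a constructed excerpt of the log posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Program Files\Alwil Software\Avast4\ashServ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{587B93B1-23E2-40C5-BD75-9CF6719AEFF4}: NameServer =
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE"""

# Every HJT entry starts with a section code such as R0, O4 or O23.
HEADER = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
RUN_KEY = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
STARTUP = re.compile(r"^(?P<scope>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
SHORT_NAME = re.compile(r"~\d")


@dataclass
class Entry:
    kind: str          # HJT section code, e.g. "O4", "O23"
    name: str          # run-key value name, service name, BHO name, or raw text
    path: str          # executable/DLL path when the line carries one
    detail: str = ""   # hive, startup scope, vendor or CLSID


def _unquote(cmd: str) -> str:
    """Strip the surrounding quotes HJT keeps around quoted run-key commands."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    return cmd


def parse_hjt(text: str) -> List[Entry]:
    """Turn log lines into Entry records; non-entry lines (header, process list) are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        if kind == "O4":
            r = RUN_KEY.match(rest)
            if r:
                entries.append(Entry(kind, r["name"], _unquote(r["cmd"]), r["hive"]))
                continue
            s = STARTUP.match(rest)
            if s:
                entries.append(Entry(kind, s["name"], _unquote(s["cmd"]), s["scope"]))
                continue
        elif kind == "O23" and rest.startswith("Service: "):
            parts = rest[len("Service: "):].rsplit(" - ", 2)   # name - vendor - path
            if len(parts) == 3:
                entries.append(Entry(kind, parts[0], parts[2].strip(), parts[1]))
                continue
        elif kind == "O2" and rest.startswith("BHO: "):
            parts = rest[len("BHO: "):].rsplit(" - ", 2)       # name - {CLSID} - path
            if len(parts) == 3:
                entries.append(Entry(kind, parts[0], parts[2].strip(), parts[1]))
                continue
        entries.append(Entry(kind, rest, "", ""))  # keep unparsed sections rather than drop them
    return entries


def needs_expansion(path: str) -> bool:
    """True for DOS 8.3 short paths (PROGRA~1, YPCSER~1.EXE); expand them to the
    long name before looking the file up or matching it against a baseline."""
    return bool(SHORT_NAME.search(path))


def autorun_paths(entries: List[Entry]) -> List[str]:
    """Distinct programs started at boot/logon (O4 run keys, startup folders, O23 services)."""
    seen, out = set(), []
    for e in entries:
        if e.kind in ("O4", "O23") and e.path and e.path.lower() not in seen:
            seen.add(e.path.lower())
            out.append(e.path)
    return out


def count_by_kind(entries: List[Entry]) -> Dict[str, int]:
    """How many entries each HJT section contributed."""
    return dict(Counter(e.kind for e in entries))


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(count_by_kind(parsed))
    for p in autorun_paths(parsed):
        print(("expand first: " if needs_expansion(p) else "") + p)
```

    The point of the records is the comparison that follows: the list from `autorun_paths()` can be diffed against a baseline from a clean machine, and `needs_expansion()` marks the 8.3 short names that must be resolved before that diff means anything.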
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this script and include the log it creates in your next reply:

    Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
        C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
  8. chimp8

    chimp8 TS Rookie Topic Starter

    I did what you asked and Combofix is gone from my desktop. Should I re-download it?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I didn't instruct you to uninstall Combofix- did you save it to the desktop or did you save somewhere else in the system?

    If you removed it, yes, start the process again. Download and install Combofix, run the scan, then run the script. Leave the log.
  10. chimp8

    chimp8 TS Rookie Topic Starter

    First things First I'm sorry for my downright stupid mistake, that being said here are the logs you asked me to provide. The first is from the rescan and the second is from the script scan. Thanks again for your help and again I'm very sorry.

    View attachment logcf2.txt

    View attachment CFScriptlog.txt
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- don't know how I overlooked this!

    Did you miss my comment at the end of Post #4? I ask because I had put the Enigma Software Group in for removal but it's still showing, and there was no answer regarding the Iobit Advanced System Care.

    Did you want to keep both of these?
    The HJT log and Combofix report are okay. Let me know about those 2 programs and we'll finish up.
  12. chimp8

    chimp8 TS Rookie Topic Starter

    At the risk of sounding stupid, what are these programs? Where exactly can I find them and how can I remove them? So sorry, I have limited computer knowledge.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The 2 programs are:
    Iobit Advanced System Care
    Enigma Software Group

    They should be on the All Programs list and also in Add/Remove Programs in the Control Panel:

    First, look in All Programs: If you see the program listed there, double click to open the program. Look to see if it has its own Uninstaller. If it does, use that to remove it.

    Second, if it's not showing in All Programs, see if it's in Add/Remove Programs. Uninstall from there if listed.

    Third, use Windows Explorer (Windows key + E)> click on My Computer> Double click on Local Drive (C)> Programs> find each of these programs and do a right click> Delete on each program folder.
  14. chimp8

    chimp8 TS Rookie Topic Starter

    I was able to find Enigma Software Group using the third step, but I cannot find Iobit Advanced SystemCare. Does it have a different name it could be under?
  15. chimp8

    chimp8 TS Rookie Topic Starter

    Never mind, I found it. OK, both should be deleted. Should we keep Combofix, GMER, HijackThis, and SystemLook?
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A tip for you: HP puts the Digital Imaging program on startup; it's several processes. Neither the printer itself nor the imaging program needs to start on boot, so you might want to uncheck all those related processes on Startup, using the msconfig utility:

    Using the msconfig utility:
    Start> Run> type in msconfig>enter> Selective Startup> Startup menu> Uncheck these processes> when finished with all the unchecking> click on Apply> OK

    That's all I saw in the HijackThis log. If you see any more 'hp', you can uncheck it. This does not uninstall it, only stops it from starting on boot and running in the background.
    (NOTE: the first time you boot after making the change, you get a nag message> ignore it and close after checking 'don't show this message again.' Stay in Selective Startup.)

    Changing a Service Startup type:
    Start> Run> type in services.msc> double click the Pml Driver HPZ12 Service> Change the Startup type to Manual> Stop the Service.
    Close Services. Now this will only start when you want to print.
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted:
      • Click START> then RUN
      • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      • Double click OTCleanIt.exe.
      • Click the CleanUp! button.
      • If you are prompted to Reboot during the cleanup, select Yes.
      • The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
      • Go to Start > All Programs > Accessories > System Tools
      • Click "System Restore".
      • Choose "Create a Restore Point" on the first screen then click "Next".
      • Give the Restore Point a name> click "Create".
      • Go back and follow the path to > System Tools.
      • Choose Disc Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
    • Empty the Recycle Bin
    If I can be of more help, let me know.
  17. chimp8

    chimp8 TS Rookie Topic Starter

    Followed the steps, but the computer still has GMER and something called ESET online scanner. What do you recommend I do?
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Uninstall GMER in Add/Remove Programs in the Control Panel.

    For the Eset online AV scan:
    Open IE> Tools> Manage add-ons> find the Eset or Nod32 entry and disable it.

    Then use Windows Explorer (Windows key + E) and follow this path:
    My Computer> Double click on Local Drive (C)> Programs> look for both GMER and Eset folders and do a right click> Delete on each> Close Windows Explorer.

    Please follow these simple steps to keep your computer clean and secure:

    Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    Do regular Maintenance:
    • Remove Temporary Internet Files regularly:
      • ATF Cleaner by Atribune
    • Disable and Enable System Restore:
      • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

    Have layered Security:
    • Antivirus Software (only one): Both of the following programs are free and known to be good:
      • Avira Free
      • Avast Home
    • Firewall (only one): Use a bi-directional firewall. The following program is free and known to be good:
      • Zone Alarm
    • Antispyware: I recommend all of the following:
      • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to which is your local computer.
      • Google Toolbar: Get the free Google toolbar to help stop pop up windows.
Topic Status:
Not open for further replies.
