redirected to yeah.com - how to remove?

Discussion in 'adware, spyware & hijack cleaning' started by sintagma, Feb 10, 2004.

Thread Status:
Not open for further replies.
  1. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    Hello

    something strange is happening to my IE - cannot access any microsoft page nor HOTMAIL, and this is almost
    a tragedy. I get redirected to yeah.com - tried the 3 recommended steps - nothing worked.
    I'm an absolute newbie - pls. provide easy instructions.

    looking forward to any suggestion.

    angela


    Logfile of HijackThis v1.97.7
    Scan saved at 11:58:30, on 10.02.2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\VetMsgNT.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PRPCUI.exe
    C:\Programme\Launch Manager\LaunchAp.exe
    C:\Programme\Launch Manager\PowerKey.exe
    C:\Programme\Launch Manager\HotkeyApp.exe
    C:\Programme\Launch Manager\CtrlVol.exe
    C:\Programme\Launch Manager\Wbutton.exe
    C:\Programme\Synaptics\SynTP\SynTPLpr.exe
    C:\Programme\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\LTSMMSG.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclConf.exe
    C:\Programme\QuickTime\qttask.exe
    C:\Programme\Winamp\winampa.exe
    C:\Programme\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
    O4 - HKLM\..\Run: [PowerKey] "C:\Programme\Launch Manager\PowerKey.exe"
    O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
    O4 - HKLM\..\Run: [MMKey] C:\Programme\Launch Manager\MMKey.exe
    O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
    O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclConf.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/de/win/QuickTimeInstaller.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

    :'(
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sintagma,

    I assume this happens only when you put an invalid URL in the address bar.
    The Hijacker is not on your computer, but abusing the AutoSearch of IE.

    Regards,

    Pieter
     
  3. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    pieter

    thanks for the quick reply. how can I solve the problem in IE?

    angela
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sintagma,

    Before I forget again, Welcome at Wilders. :)

    Not sure if this will fix it. Could you please try:
    In IE > Tools > Internet options > Advanced tab > scroll down to "when searching" and make sure everything is unchecked except for "Just display the results in the main window"
    Click Apply. Close all explorer and IE Windows.
    Then open one new IE window and let me know if it worked.

    Regards,

    Pieter
     
  5. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    pieter

    thanks for the 'welcome' note... feels good to know there's someone out there willing to share valuable information and give help.

    oh well, did what you suggested but no change. it simply takes a very long time to look for hotmail.com before yeah.com appears.

    what else can I do?

    angela
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sintagma,

    How do you enter the url?
    Do you click a link or type it in or use your favorites?
    Let me know.

    Regards,

    Pieter
     
  7. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    hi pieter

    I do open a new window and type the url in.

    angela
     
  8. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    pieter

    when typing an url (i.e. hotmail.com or microsoft.com) it does not redirect me to yeah.com anymore.
    That worked. but now I get 'page not found'

    angela
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Yeah (excuse the pun). That's progress.

    When you type www.hotmail.com, is it successful then?

    Regards,

    Pieter
     
  10. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    hmm no. hotmail.com is not found. then it tries to find it via auto.search.msn.com/response.htm .... and we're back at yeah.com!!!

    really nasty.

    help!

    angela
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Bear with me. I am trying to figure this out as we go.

    What happens when you click: http://www.hotmail.com ?

    Regards,

    Pieter
     
  12. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    hi again

    when I type the url www.hotmail.com - IE searches for ages and then either displays "page not found" or it tries auto.search.msn.com (displayed on the bottom), then eventually gets to www.yeah.com, again.

    thanks for your help, pieter.

    angela m.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sintagma,

    The problem seems to be rather that you can't reach hotmail or microsoft than being redirected to yeah.com
    I think the second is only a consequence of the first problem.

    Are you using a hosts file?
    And how long has this been going on?

    Regards,

    Pieter
     
  14. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    pieter

    don't know what a hosts file is.

    the problem persists since 24 hrs. before no problem at all.

    shall I run hijack this again and post the logfile for you to see?

    angela m.
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Your log looked fine and I doubt if that will have changed much. :)

    Any changes you made since the time this started happening.
    Installed software, updates, anything?

    For your hosts file please download http://members.shaw.ca/techcd/VB_Projects/HostsFileReader.exe direct download link
    and see if you can find any lines mentioning hotmail, passport, microsoft or akamai.

    Regards,

    Pieter
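
The hosts-file check requested in the post above can also be done with a short script. This is an added example, not part of the original thread and not the HostsFileReader tool; the function names and the sample hosts content are constructed for illustration. It ignores comment text, so the vendor copyright header in a default Windows hosts file does not show up as a match for "microsoft".

```python
# Keywords Pieter asks the poster to look for in the hosts file.
KEYWORDS = ("hotmail", "passport", "microsoft", "akamai")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname
        ip, names = fields[0], fields[1:]
        for name in names:  # one line may map several names
            yield line_no, ip, name.lower()


def suspicious_entries(text, keywords=KEYWORDS):
    """Return the mappings whose hostname contains one of the keywords."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        matched = [k for k in keywords if k in name]
        if matched:
            hits.append({"line": line_no, "ip": ip,
                         "host": name, "keyword": matched[0]})
    return hits


# Constructed sample content (documentation addresses), not from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.hotmail.com hotmail.com   # constructed redirect entry
  192.0.2.10    login.passport.net
0.0.0.0         ads.example.test
"""

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("line {line}: {host} -> {ip} (matches '{keyword}')".format(**hit))
```

To check a real machine, pass the contents of the hosts file (on the poster's system, the path CWShredder reports later in the thread) to `suspicious_entries` instead of the sample.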
     
  16. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    hi again pieter

    tried your last suggestion. no sign of hotmail, akamai, microsoft

    thanks again for trying to help.

    angela m.
     
  17. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi angela....

    i saw ur post... and i was reading it.
    i then started researching and studying on the evil www. yeah . com

    wat i hav got in conclusion till now... its a real monster which i have not yet found out a perfect solution .. and i am continuing my studying..lets see

    its like a real evil which i saw .. mostly comes into existence when one working site is hijacked .. and then after sometime when the server is not found the site is redirected to www. yeah. com

    i am giving some links where you will find problems like u.. but i am sorry i din find any soln thr yet... i am trying... and pieter is always here with other experts

    http://www.broadbandreports.com/forum/remark,8791902~mode=flat~start=0

    http://www.airsoftcore.com/postp20605.html

    http://www.airsoftcore.com/postt3454.html

    referral sites ---> http://texastrader.net/Referring_Sites.htm (its not where ur probz discussed but gives list of referral sites)

    remember... evils lose...
     
  18. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    hi 'angel'

    thank you for having a heart for my cause

    I've run cwshredder, and that's what came out:

    CWShredder v1.48.2 scan only report

    Windows 2000 (5.00.2195 SP3)
    Windows dir: C:\WINNT
    Windows system dir: C:\WINNT\system32
    AppData folder: C:\Dokumente und Einstellungen\Angela\Anwendungsdaten
    Username: Angela
    Found Java ByteVerifier patch (Q816093) installed! (Hotfix)

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\TypedURLs,url6
    Infected data: http://www.yeah.com/
    Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (820 bytes, -)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINNT\win.ini (598 bytes, A)
    Found System.ini file: C:\WINNT\system.ini (231 bytes, A)

    - END OF REPORT -

    Now I will run http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore all IE functions and remove restrictions implemented by the parasite.

    will report after reboot!

    angela
     
  19. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    angela,

    just wondering...

    are you pressing SCAN ONLY or FIX... in CWshredder??
    maybe you know... maybe you dont... run the FIX BUTTON

    cheers
     
  20. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    hi again

    restarted cwshredder using button fix --- problem still persists after rebooting.

    any idea? thank you so much for help.

    angela m.
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sintagma,

    Want some more confusing information?
    http://www.dslreports.com/forum/remark,9330624~mode=flat

    In short: yeah.com and your.com are not the real problem. They just get all the traffic that goes to com.org and org.com and who knows what else.

    First find this file: H:\WINDOWS\system32\drivers\etc\hosts
    Rightclick that file and change the name to hosts.bak

    If that does not help, start a command prompt and enter this command:
    ipconfig /flushdns
    and ENTER.

    If that still does not help, download lspfix from http://cexx.org/lspfix.htm
    Run it and let us know what files are in your winsock.
    If anything shows up in the Remove windows (I don't think so) then remove it. Otherwise just give us the names of the files in the Keep window.

    Regards,

    Pieter
     
  22. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    hi again pieter


    thanks for being so kind and taking time to help solve my problem. I will attack this problem tonight, i.e. in about 5 hours.
    have tried ipconfig and all you suggested and then rebooted, but still, no change. will try to ping hotmail.com and then type in the ip in the ie-bar, but cmd prompt does not seem to work.
    Anyhow, will report soonest...

    thanks again!

    angela m.
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi angela,

    One more thing we could try crossed my mind (not a long walk)
    But I would need to know who your ISP (Internet Provider) is.

    Regards,

    Pieter
     
  24. sintagma

    sintagma Registered Member

    Joined:
    Feb 10, 2004
    Posts:
    13
    Location:
    Switzerland
    ciao pieter

    something you and the other 'angels' suggested worked!!!

    did the ipconfig flush thing, then turned off my computer for a few hours.

    turned it back on now and MAGICALLY everything works just fine.

    I'm so so grateful for all the help you gave me.

    cheers,

    angela m.
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sintagma,

    Well. On one hand I'm glad it worked out for you, but I wish I knew what did the trick, if only for the next one that asks.
    We all learned a bit and that's what counts.

    Regards,

    Pieter
     