Link redirects
carbonterry2
356 Posts
(Offline)
1
March 13, 2013 - 12:30 am

Having the issue of being redirected to ads when clicking on links.

I'll include a jpeg of the HijackThis files.

 

Thanks

Alan Wade
Sweden
43 Posts
(Offline)
2
March 13, 2013 - 3:47 am

The file you have highlighted - Wlidnsp.dll - is part of Windows Live; leave that well alone, it isn't doing any harm.

 

Can you describe your problem a little better?

Is it all links in email and browser that redirect you? For example, click on this link and does that open an advert?

Is it the same ads every time?

What is the browser you are using?

Jim Hillier
2700 Posts
(Offline)
3
March 14, 2013 - 10:47 am

Terry, we need the entire Hijack This log file. Best method is to copy and paste the whole thing into a post.

carbonterry2
356 Posts
(Offline)
4
March 14, 2013 - 11:44 pm

Right..

FireFox (latest version)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:42:50 PM, on 3/14/2013
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16470)
Boot mode: Normal

Running processes:
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\Western Digital\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\terry\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SnippingTool.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe" /LaunchType=Auto /LaunchApps=Common
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files\Western Digital\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKUS\S-1-5-18\..\Run: [cdloader] "C:\Windows\system32\config\systemprofile\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cdloader] "C:\Windows\system32\config\systemprofile\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK (User 'Default user')
O4 - Startup: Dropbox.lnk = terry\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: firefox.exe
O4 - Startup: PTReplicator.exe - Shortcut.lnk = C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll
O9 - Extra 'Tools' menuitem: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sendori.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sendori.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sendori.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sendori.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sendori.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A509B175-30B2-4EA2-96AE-7D40C8AA3D48}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{A509B175-30B2-4EA2-96AE-7D40C8AA3D48}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{A509B175-30B2-4EA2-96AE-7D40C8AA3D48}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: magicJack - Unknown owner - C:\mjusbsp\srvany.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: OO DiskImage - O&O Software GmbH - C:\Program Files\OO Software\DiskImage\oodiag.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

--
End of file - 8451 bytes

carbonterry2
356 Posts
(Offline)
5
March 14, 2013 - 11:53 pm

FWIW I ran a Kaspersky TDSSKiller that found 1 trojan. Elimination does not seem to make any improvement.

Jim Hillier
2700 Posts
(Offline)
6
March 15, 2013 - 12:19 am

Terry, looks like you have something called "Sendori" installed on that machine. While Sendori appears to be benign, the blurb does suggest the kind of behavior you are experiencing, such as browser redirects:

What is Sendori?

Sendori is a web browser plugin and layered service provider filter that is typically installed through a bundled installation. The plugin is designed to intercept Internet web traffic and provide modified results to various requests. Such results include DNS error redirection to sponsored affiliate advertisers. Sendori provides DNS redirection where advertisers can purchase navigation traffic from Sendori's domain name clients. When a user with the Sendori software installed and running types a specific keyword in the web browser's search bar such as a brand, keyword or partial URL, the Sendori software will redirect the search results to the suggested targeted advertiser, which may or may not be the desired results.

Go to Control Panel>Programs and Features and look down the list for "Sendori". If it is there, uninstall it.

carbonterry2
356 Posts
(Offline)
7
March 15, 2013 - 2:02 am

Jim,

Nothing listed as Sendori.

 

terry

carbonterry2
356 Posts
(Offline)
8
March 15, 2013 - 2:11 am

Sendori is listed in 2 reg backups from way back in 2012.

Alan Wade
Sweden
43 Posts
(Offline)
9
March 15, 2013 - 3:35 am

Scanning with just one anti-malware program is slightly better than nothing.

Download SUPERAntispyware Free and Malwarebytes and scan with them one after the other.

 

Jim Hillier
2700 Posts
(Offline)
10
March 15, 2013 - 8:16 am

From what you have said Terry, it appears that Sendori was installed at some time but has since been uninstalled. According to HijackThis, Sendori has also left remnants in the System32 folder... namely sendori.dll. I suggest you perform a Windows Search, using "sendori" as the search term, and delete any entries found.

Other than that, the HJT logfile seems pretty clean. I agree with Alan, most likely cause of browser redirects is malware. Do as Alan suggested and then get back to us.

Cheers... Jim
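
The O10 (Winsock LSP) lines are the part of the posted log that the replies above rely on. As an added example, not part of the original thread and not HijackThis's own code, this Python script pulls the O10 entries out of a HijackThis log, counts them per DLL, and separates paths already reviewed from those still to check. The function names are hypothetical, the sample is constructed from lines in the log above, and the reviewed path is an assumption based on reply 2.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines in the format of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sendori.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sendori.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sendori.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
"""

# HijackThis entry lines have the form "<section> - <details>", e.g. "O10 - ...".
ENTRY = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
LSP = re.compile(r"^Unknown file in Winsock LSP:\s*(.+)$", re.IGNORECASE)
# Assumption: treated as reviewed because reply 2 identifies it as part of Windows Live.
WLIDNSP = r"c:\program files\common files\microsoft shared\windows live\wlidnsp.dll"

def lsp_entries(log_text):
    """Return Counter {DLL path, lower-cased: number of O10 lines naming it}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) != "O10":
            continue  # process list, headers and other sections are ignored
        lsp = LSP.match(m.group(2))
        if lsp:
            counts[lsp.group(1).strip().lower()] += 1
    return counts

def triage_lsp(log_text, reviewed=frozenset()):
    """Split O10 DLLs into 'reviewed' (full path is in the reviewed set) and 'to_check'."""
    result = {"reviewed": {}, "to_check": {}}
    for path, n in lsp_entries(log_text).items():
        bucket = "reviewed" if path in {p.lower() for p in reviewed} else "to_check"
        result[bucket][path] = n
    return result

if __name__ == "__main__":
    report = triage_lsp(SAMPLE_LOG, reviewed={WLIDNSP})
    for bucket, files in report.items():
        for path, n in files.items():
            print(f"{bucket:9} {n} O10 lines  {path}")
```

A DLL that still shows up under O10 is still registered in the Winsock catalog, so it needs to be unregistered (for example with `netsh winsock reset`) rather than only deleted from disk. Removing the file alone can leave a broken provider chain and no working network access.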

 

 

carbonterry2
356 Posts
(Offline)
11
March 16, 2013 - 1:26 am

Scanned with Mal's, SAS & Ad Aware. No malicious items found.

Computer is now going haywire...does not display any website correctly

 

Repair install on the near horizon

carbonterry2
356 Posts
(Offline)
12
March 16, 2013 - 1:28 am

carbonterry2
356 Posts
(Offline)
13
March 16, 2013 - 1:28 am

Alan Wade
Sweden
43 Posts
(Offline)
14
March 16, 2013 - 3:41 am

Try I.E. or Chrome to open and display a few links and sites and let us know. It looks like a corrupted FF profile.

carbonterry2
356 Posts
(Offline)
15
March 16, 2013 - 9:59 am

websites OK with IE
