Avast WEBforum

Other => Viruses and worms => Topic started by: jnichols1081 on October 14, 2012, 11:26:35 PM

Title: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 14, 2012, 11:26:35 PM
I'm having an issue where, when I go to google.com, I am redirected to http://developer.yahoo.yql.com/. Any help would be appreciated. I have already run a full scan with Avast Internet Security, a boot scan, and Malwarebytes, and will attach logs.
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 14, 2012, 11:28:23 PM
more logs
Title: Re: developer.yahoo.yql.com hijack
Post by: Pondus on October 14, 2012, 11:28:58 PM
Also attach the OTL log.
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 14, 2012, 11:33:54 PM
The OTL log is too large to attach; it is 243 KB and the max allowed is 200.
Title: Re: developer.yahoo.yql.com hijack
Post by: essexboy on October 14, 2012, 11:37:44 PM
Could you attach it in two parts, please?
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 14, 2012, 11:42:58 PM
otl logs part 1
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 14, 2012, 11:43:40 PM
otl part 2
Title: Re: developer.yahoo.yql.com hijack
Post by: essexboy on October 14, 2012, 11:55:17 PM
Which browser does this occur in?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
Code:
:OTL
O2 - BHO: (Incredibar.com Helper Object) - {BBC7CBED-FEED-42DC-B621-9470FC0914BF} - C:\Program Files (x86)\Incredibar.com\incredibarmusic\1.5.23.13\bh\incredibarmusic.dll File not found
O3 - HKLM\..\Toolbar: (Incredibar Music Toolbar) - {15467EE2-DCE6-4A17-828D-0245249C5F9F} - C:\Program Files (x86)\Incredibar.com\incredibarmusic\1.5.23.13\incredibarmusicTlbr.dll File not found
O3 - HKLM\..\Toolbar: (Fast Browser Search) - {D7293762-9884-48E2-B836-E0195B9D91D0} - C:\Program Files (x86)\Fast Browser Search\IE\FBStoolbar.dll File not found
O3 - HKU\S-1-5-21-1750045101-2455514322-3092211866-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-1750045101-2455514322-3092211866-1000\..\Toolbar\WebBrowser: (Fast Browser Search) - {D7293762-9884-48E2-B836-E0195B9D91D0} - C:\Program Files (x86)\Fast Browser Search\IE\FBStoolbar.dll File not found
O4 - HKLM..\Run: [SelectRebates] C:\Program Files (x86)\SelectRebates\SelectRebates.exe File not found
[2012/09/15 05:44:37 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

:Files
C:\Program Files (x86)\Incredibar.com
C:\Program Files (x86)\SelectRebates
C:\Program Files (x86)\Fast Browser

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
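
The fix above targets registry entries whose file is reported as "File not found" or whose CLSID is unregistered. As an added example (not part of the original post and not OTL's own code), this Python sketch pulls such orphaned O2/O3/O4 entries out of log text; the line layout is inferred from the lines quoted in this thread, and the sample data is constructed.

```python
import re
from typing import List, NamedTuple, Optional

# O2/O3: "<id> - <location>: (<name>) - {CLSID} - <path or status>"
CLSID_LINE = re.compile(r"^(O[23]) - (.+?): \((.*?)\) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# O4: "<id> - <location>: [<name>] <command>"
RUN_LINE = re.compile(r"^(O4) - (.+?): \[(.*?)\] (.+)$")
MISSING_FILE = " File not found"
NO_CLSID = "No CLSID value found."

class Entry(NamedTuple):
    kind: str
    location: str
    name: str
    clsid: Optional[str]
    target: Optional[str]   # file path, or None when the CLSID is unregistered
    orphaned: bool          # True when the entry points at nothing on disk

def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = CLSID_LINE.match(line)
    if m:
        kind, location, name, clsid, rest = m.groups()
    else:
        m = RUN_LINE.match(line)
        if not m:
            return None     # not an O2/O3/O4 line (section header, file listing, ...)
        kind, location, name, rest = m.groups()
        clsid = None
    if rest == NO_CLSID:
        return Entry(kind, location, name, clsid, None, True)
    if rest.endswith(MISSING_FILE):
        return Entry(kind, location, name, clsid, rest[: -len(MISSING_FILE)], True)
    return Entry(kind, location, name, clsid, rest, False)

def orphaned_entries(log_text: str) -> List[Entry]:
    """Return only the entries whose target is missing."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and e.orphaned]

# Constructed sample lines (names, CLSIDs and paths are made up).
SAMPLE_LOG = r"""
O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\Program Files (x86)\ExampleBar\helper.dll File not found
O2 - BHO: (Present Helper) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Program Files\Present\present.dll
O3 - HKU\S-1-5-21-0-0-0-1000\..\Toolbar\WebBrowser: (no name) - {99999999-8888-7777-6666-555555555555} - No CLSID value found.
O4 - HKLM..\Run: [ExampleRebates] C:\Program Files (x86)\ExampleRebates\rebates.exe File not found
"""

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(e.kind, e.name, e.clsid, e.target)
```
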
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 15, 2012, 12:48:36 AM
The issue has occurred in both Firefox and IE9. Here are the post-fix OTL files.
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 15, 2012, 12:49:32 AM
second part
Title: Re: developer.yahoo.yql.com hijack
Post by: essexboy on October 15, 2012, 05:07:44 PM
Hmm, this is not showing in the usual places. So let's see if I can find what triggers it.

For 32bit systems, please download SystemLook from one of the links below and save it to your Desktop.
 
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

 
For 64bit systems, download SystemLook from here (http://jpshortstuff.247fixes.com/SystemLook_x64.exe).
 
 
Code:
:Regfind
developer.yahoo.yql.com

 
Note: The log can also be found on your Desktop entitled SystemLook.txt
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 15, 2012, 06:39:14 PM
systemlook file
Title: Re: developer.yahoo.yql.com hijack
Post by: essexboy on October 15, 2012, 07:23:20 PM
Could you open Task Manager and see if there is an entry for developer.yahoo.yql.com?

Also, do you connect using shortcut icons on the desktop/taskbar?
If so, delete them and then recreate them.
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 19, 2012, 11:01:28 PM
Sorry about the long delay in responding. I don't see anything in the Task Manager with the developer.yahoo.yql.com entry. I have noticed over the past few days that this is an intermittent (random) issue: I can be running fine, with all Google searches working as they should, but then I get the redirect. Next time I notice the redirect, I'm going to run the SystemLook scan again as well as check the Task Manager. I have also done as you suggested and remade links for my browsers on both the desktop and taskbars.
Title: Re: developer.yahoo.yql.com hijack
Post by: essexboy on October 19, 2012, 11:06:58 PM
No problem on the delay, as this one has piqued my curiosity. Not come across it before.
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 20, 2012, 07:30:16 PM
It happened again. Here is the SystemLook file and a few screenshots of my Task Manager and of the redirect itself so you can see what I'm seeing.
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 20, 2012, 07:30:57 PM
task manager pic
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 20, 2012, 07:31:28 PM
redirect pic
Title: Re: developer.yahoo.yql.com hijack
Post by: jnichols1081 on October 20, 2012, 07:36:22 PM
After posting everything I noticed that the URL I had was wrong. It's http://developer.yahoo.com/yql/console/ so I ran SystemLook again using the same commands as before, just replacing developer.yahoo.yql.com with http://developer.yahoo.com/yql/console/ and here is the file.
Title: Re: developer.yahoo.yql.com hijack
Post by: essexboy on October 20, 2012, 07:44:34 PM
Could you disable the add-ons in both IE and Firefox to see if the problem disappears?