need help being hijacked from email to unwanted site

I have been struggling for the last few days trying to get to my sbc yahoo email account. When I select email from the sbc yahoo site I get sent to an unwanted place. When I try to access through my aol account, selecting yahoo from the pull down window sends me to the same site!
I have run adware6.0, spybot, mcafee antivirus, aol spyware, and sbcyahoo spyware - all say my computer is clean. Below is a hjt thread.
t
Logfile of HijackThis v1.99.0
Scan saved at 2:20:37 PM, on 12/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Edit by chaslang: Unrequested, inline log deleted

 

OK, here goes:
I followed the steps outlined in the email.
GETTING PREPARED
1. Disabled system restore
2. Did not find Network Security, Worstation Netlogon Services, or Remote Procedure (RPC) Helper
3. Enabled hidden files and folders and extensions as directed
4. Downloaded all tools
SCANNING and CLEANING
1. b (I’m running Windows XP)
Could not get online in the safe mode got the following message: “ERROR 711 Cannot load Remote Access connection management service”
In Normal mode:
Trend Micro following Trojans detected:
TROJ SMALL.IF C:\Program Files\Internet Explorer\mxiumnst.exe
TROJ SMALL.IF C:\Program Files\Internet Explorer\nndhvfeb.exe
TROJ SMALL.IF C:\Program Files\Internet Explorer\sewxcjun.exe
TROJ DLDR.DLL C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E.tmp
TROJ ISTBAR.FZ C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp
TROJ DLOAD.A C:\Spywarebegone\backups\backups-20040728-215231533.dll

Symantec Security
Hacker Exposure check SAFE
Windows Vulnerability SAFE
Trojan Horse SAFE
Antivirus Product AT RISK

Entered Safe Mode from START, RUN, MSCONFIG, SAFE NETWORK
Ran McAfee AVERT Stinger scan came up clean

Still in SAFE MODE
2. Ran CC Cleaner
3. Ad-Ware came up with a variety of problems that were fixed, SPYBOT came up clean
4. CWShredder came up clean, Kill2Me was clean. About:Buster took a LONG time to complete only thing that came up “ No ADS found on system, Error removing C:\WINDOWS\System 32\?hkdsk.exe” HSRemove cleaned 8 items from the system.

In Normal mode, ran TrojanScan “C:\ recursive, 61,154 items scanned, 0 infected” and RAV Antivirus – came up with same 5 noted above Trend Micro scan.

OK, now what I have done:
In Safe mode I was able to delete all but one of the five Trojans picked up in Trend Micro and RAV (C:\Program Files\Internet Explorer\mxiumnst.exe). I deleted that final one in Normal mode.
I have emptied my Temp and Temp Internet file folders
On both Yahoo and AOL I have emptied the temp internet and cookie files (from tools, browser options)

In addition to the programs I downloaded from your instructions, I ran McAfee Antivirus, AOL and SBCYahoo antivirus programs – all with a clean bill of health.

However, when I use my SBCYahoo as a browser I still get hijacked to a page that sells everything from VIAGRA, to life insurance with penis enhancement on the way. Also, when I try to get to Yahoo mail from google I get sent to the same page. When I try to use AOL as the browser, any time I type in Yahoo! I get sent to the same page. The page does not have a name, the address box still reflects the random yahoo email address. I have had random problems using the search features on yahoo being sent to “sepro.org/search.php?q=”, “topfinder.org/ search.php?q=”, and “ifmore.com/search.php?q=”
Also when I try to click on Internet Explorer I also get sent to the same page my SBCYahoo mail sends me to (address box in IE reads “about:blank”) Also, when I try to use the Microsoft Update feature, I go to the same place. I can’t believe they actually think I’m going to buy something from them!!!!
I've attached a hjt .txt file from today.
Thanks,
TH

 

O15 Trusted IP range has been fixed by HJT.
Here is the HOSTs as requested
TH

 

Yahoo is my primary browser. I get hijacked when trying to access my email. Also, when I try to use the pull down menu or I use google to access email, I get hijacked.
AOL is my secondary browser. I get hijacked anytime I use the pull down or google to access Yahoo.
Using IE, I get sent immediately to the hijacked site.
T

 

as directed received "successfully flushed DNS Resolver Cache".
Still have the same problem

 

Dr. C,
does MG have a download Dll Compare?
Thanks,
Tom

 

Dr. C,
One more thing,
I ran a Dll Compare the log is attached.
T

 

Dr. C,
I will do this when I get home tonight.
I can't tell what the site is, it does not come with a 'title' and the pull down address shows a yahoo email random selection. when I use IE I get 'about:blank' in the window but the same webpage. When I use the search function of either sbcyahoo or aol I get sent to the same page and the URL address simply reflects yahoo search.
I have also had some trouble with a few other sites using the search functions: “sepro.org/search.php?q=”, “topfinder.org/ search.php?q=”, and “ifmore.com/search.php?q=”

T

 

Dr. C,
Thanks for all the help and please, don't be offended but I think I fixed the problem with help from some friends.
They found C:\WINDOWS\System 32\?hkdsk.exe that could not be cleaned from HJT. They recommended I run Purity Scan uninstaller and then reboot. Did that and then ran Silent Runners.vbs and the log is attached.
Right now my system seems to be running OK. Can read email, search on all browsers and computer speed is back to normal.
If you have some time, could you please give a short tutorial on what I did to fix it and what happened in the first place.
Appreciate all your help you have been great! I don't know if this is a pro bono organization but if it is, is there anyway I can help with a contribution?
Tom

 

Dr. C,
Seems you may have been right. After a day, the problem is back again. I'll do what you suggested two posts ago and get back to you.
T

 

OK,
Ran the Generic tools and another HJT. Both logs posted. Email is still hijacked.
T

 

Ran a registry search for SEPRO, IFMORE, and TOPFINDER - I have been sent to these pages from the search function. Only one to render any results was SEPRO, that log is attached below.
T

 

OK,
You are more versed in this stuff than I am.

I will gladly get rid of ALL the 'bloatware', as you so eloquently phrase it, if you tell me how. My computer is obviosly the '68 plymouth, yours is the '05 Ferrari - besides, I know I'm the plumber trying to paint a picasso......

Next, ALL I want to do is get back to being able to access my email on sbcyahoo. Seemingly a simple task, yet one that is about to make me scuttle my current computer, and simply buy a new one.

As I wrote a few posts back and the problem that is still with me:
When I try to access my email on sbcyahoo - I get hijacked to a site I don't want. All other browsing on this site is OK. Except when I try to search for mail.yahoo - then I get hijacked immediately to the f^&*(*Ng site.

Using an alternate browser:

- with IE I get hijacked immediately when is simply select IE.

- If I try to use AOL using their 'search' function and type YAHOO! I get immediately hijacked.

Also as I said before: I don't have a 'title' or URL for said site -regardless of where I look to find it.

I have this feeling I have the cleanest computer that doesn't work.

Sorry I'm testy, but this sucks.
T
T

 

I browse with both because I have accounts with both.

Do you think an uninstall and reinstall of SBC software could be the key? The problem is now intermittent, today for instance came back when I restarted my computer.

How about a reinstall of WINDOWS NT?

Sorry about the last email, I guess my temper, the late hour, and the frustration got the better of me.

My apologies,
Tom