Yahoo showing "Click Here Now!" and ebay redirecting

Discussion in 'Malware Help (A Specialist Will Reply)' started by itznin, Oct 2, 2006.

  1. itznin

    itznin Private E-2

    Hi guys I've joined this forum as a last resort as I've been trying to fix this problem since 9am this morning and no luck so far.

    - EVERY computer on my network which goes to www.yahoo.com has a page displayed (see attachment) with "Click Here Now!" The actual links on Yahoo! still work, even with the "Click Here Now!" text attached.

    - When going to www.ebay.com (ONLY if the page finishes loading) it will redirect to a directNIC page with a bunch of links on it (looks like an obvious hijack).

    My troubleshooting steps so far:
    - Test MANY other sites, but yahoo and ebay are the only two with issues.
    - Try it on multiple computers - all have the same problem.
    - In my office we have another network on a different router/switch, these computers are NOT affected.
    - I took one of the other network computers and threw him on my network and immediately went to the web (theoretically quicker than any virus/spyware can spread to that machine) and it had the same yahoo/ebay problems. So I thought it was a DNS issue.
    - I cleared all cookies, internet files, etc. on all machines that were involved in my testing.
    - I checked my local DNS server and cleared the cache and checked all the host files, nothing.
    - I checked local host files (drivers/etc), nothing.
    - I ran HijackThis on a few machines to see if anything is common, nothing out of the ordinary.
    - I ran the spyware tool as well as the virus scanner from Trend Micro's website with no luck on either.
    - Placed a technical support call to Trend Micro and they said that since I have the latest definitions and nothing is being detected that it has to be a "network problem". I asked how can something just change in my network if it isn't spyware, virus, malware, etc. related? They had no answers...

    I've been involved in numerous spyware issues before, but in my assessment I don't believe this has anything running on each individual machine, but instead it lies somewhere in a changed file on the DNS server which is causing the redirection.

    Please let me know your thoughts on this issue, I really don't know where else to turn at this point.

  2. itznin

    itznin Private E-2

    Bump?
     
  3. matt.chugg

    matt.chugg MajorGeek

    Welcome to Majorgeeks!

    It looks like a DNS hijack or search hijack.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     