Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Europol Shuts Down World's Largest DDoS-for-Hire Service

Featured Deal: Pay What You Want Complete Cyber Security Certification Bundle Deal

Google search result URLs being rewritten

Started by mmckech , Dec 30 2008 02:39 PM

This topic is locked

2 replies to this topic

#1 mmckech

Members
2 posts
OFFLINE

Local time:04:06 PM

Posted 30 December 2008 - 02:39 PM

In IE 7, Firefox 3 and Chrome any Google search comes back with valid results but the first few entries contain URLs that go to the wrong location. The Chrome browser notes that it is waiting for 7.7.7.0 on each Google search. Sample result links include onlinetrading dot com and watch-replica dot com.

I have run malwarebytes scan (found and quarantined 6 registry entries), hijackthis reports nothing obvious but I have attached the log. I am running zonealarm.

DDS (Version 1.1.0) - NTFSx86
Run by Mike at 20:16:19.23 on 2008-12-30
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.803 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.fr/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: RX Toolbar: {25d8bacf-3de2-4b48-ae22-d659b8d835b0} - c:\program files\rxtoolbar\RXToolBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [WinVNC] "c:\program files\ultravnc\winvnc.exe" -servicehelper
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\autoba~1.lnk - c:\program files\seagate\autobackup\MemeoLauncher.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
Trusted Zone: rservices.com\reuterstrader.session
TCP: {2246FAA0-9664-484E-8128-6342D98F5AB0} = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdidl~1\DVDShell.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\e0wvsarp.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\mike\local settings\application data\google\update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPNd2fn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-12-30 127768]
R2 athsgt;athsgt;c:\windows\system32\drivers\athsgt.sys [2006-1-2 164992]
R2 limsgt;limsgt;c:\windows\system32\drivers\limsgt.sys [2006-1-2 12544]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-6-10 6016]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-4-9 11001]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2005-3-28 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2005-3-28 545088]
R3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-2-17 394952]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-4-9 148688]
S3 etdpipe;etdpipe;\??\c:\docume~1\skye\locals~1\temp\etdpipe.sys []
S3 fdrmk;fdrmk;\??\c:\docume~1\skye\locals~1\temp\fdrmk.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-30 38496]
S3 nvideopr;nvideopr;\??\c:\docume~1\skye\locals~1\temp\nvideopr.sys []
S4 WUSB54GSv2SVC;WUSB54GSv2SVC;"c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe" "WUSB54GSv2.exe" [2007-1-13 53307]

=============== Created Last 30 ================

2008-12-30 20:09 51,232 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-30 20:09 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-30 20:07 75,248 a------- c:\windows\zllsputility.exe
2008-12-30 20:07 11,264 a------- c:\windows\system32\SpOrder.dll
2008-12-30 20:05 1,086,952 a------- c:\windows\system32\zpeng24.dll
2008-12-30 20:05 <DIR> --d----- c:\program files\Zone Labs
2008-12-30 19:21 13,588 a------- c:\windows\system32\wpa.dbl
2008-12-30 19:18 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-30 19:17 <DIR> --d----- c:\program files\SpywareGuard
2008-12-30 16:07 <DIR> --d----- c:\program files\Trend Micro
2008-12-30 16:07 <DIR> --d----- c:\docume~1\mike\applic~1\Malwarebytes
2008-12-30 16:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 16:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 16:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 16:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Smith Micro
2008-12-27 20:11 <DIR> --d----- c:\program files\Smith Micro
2008-12-21 21:20 <DIR> --d----- c:\program files\Dragon UnPACKer 5
2008-12-06 10:37 0 -------- c:\windows\QTW.ini
2008-12-03 20:04 <DIR> --d----- c:\windows\BBSTORE

==================== Find3M ====================

2008-12-30 20:10 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-12-15 12:58 535,040 a------- c:\windows\flashax.exe
2008-12-15 12:58 12,288 a------- c:\windows\impborl.dll
2008-10-23 13:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 21:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 11:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-08-30 11:58 14,912 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-06 18:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 20:17:47.34 ===============

Attached Files

Attach.zip 4.18KB 5 downloads
hijackthis.log 3.27KB 2 downloads

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 mmckech

Topic Starter

Members
2 posts
OFFLINE

Local time:04:06 PM

Posted 31 December 2008 - 02:51 PM

Problem is now gone; I deleted wdmaud.sys from windows\system32 and rebooted. None of the antivirus programs I tried found it including malware bytes, norton, dr. web, combifix.

Back to top

#3 boopme

To Insanity and Beyond

Global Moderator
72,760 posts
ONLINE

Gender:Male
Location:NJ USA
Local time:11:06 AM

Posted 03 January 2009 - 07:49 PM

thank you for telling us!

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook