Google search result URLs being rewritten


  • This topic is locked
2 replies to this topic

#1 mmckech

  • Members
  • 2 posts

Posted 30 December 2008 - 02:39 PM

In IE 7, Firefox 3 and Chrome any Google search comes back with valid results but the first few entries contain URLs that go to the wrong location. The Chrome browser notes that it is waiting for 7.7.7.0 on each Google search. Sample result links include onlinetrading dot com and watch-replica dot com.

I have run a Malwarebytes scan (found and quarantined 6 registry entries); HijackThis reports nothing obvious, but I have attached the log. I am running ZoneAlarm.

DDS (Version 1.1.0) - NTFSx86
Run by Mike at 20:16:19.23 on 2008-12-30
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.803 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.fr/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: RX Toolbar: {25d8bacf-3de2-4b48-ae22-d659b8d835b0} - c:\program files\rxtoolbar\RXToolBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [WinVNC] "c:\program files\ultravnc\winvnc.exe" -servicehelper
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\autoba~1.lnk - c:\program files\seagate\autobackup\MemeoLauncher.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
Trusted Zone: rservices.com\reuterstrader.session
TCP: {2246FAA0-9664-484E-8128-6342D98F5AB0} = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdidl~1\DVDShell.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\e0wvsarp.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\mike\local settings\application data\google\update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPNd2fn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-12-30 127768]
R2 athsgt;athsgt;c:\windows\system32\drivers\athsgt.sys [2006-1-2 164992]
R2 limsgt;limsgt;c:\windows\system32\drivers\limsgt.sys [2006-1-2 12544]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-6-10 6016]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-4-9 11001]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2005-3-28 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2005-3-28 545088]
R3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-2-17 394952]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-4-9 148688]
S3 etdpipe;etdpipe;\??\c:\docume~1\skye\locals~1\temp\etdpipe.sys []
S3 fdrmk;fdrmk;\??\c:\docume~1\skye\locals~1\temp\fdrmk.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-30 38496]
S3 nvideopr;nvideopr;\??\c:\docume~1\skye\locals~1\temp\nvideopr.sys []
S4 WUSB54GSv2SVC;WUSB54GSv2SVC;"c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe" "WUSB54GSv2.exe" [2007-1-13 53307]

=============== Created Last 30 ================

2008-12-30 20:09 51,232 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-30 20:09 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-30 20:07 75,248 a------- c:\windows\zllsputility.exe
2008-12-30 20:07 11,264 a------- c:\windows\system32\SpOrder.dll
2008-12-30 20:05 1,086,952 a------- c:\windows\system32\zpeng24.dll
2008-12-30 20:05 <DIR> --d----- c:\program files\Zone Labs
2008-12-30 19:21 13,588 a------- c:\windows\system32\wpa.dbl
2008-12-30 19:18 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-30 19:17 <DIR> --d----- c:\program files\SpywareGuard
2008-12-30 16:07 <DIR> --d----- c:\program files\Trend Micro
2008-12-30 16:07 <DIR> --d----- c:\docume~1\mike\applic~1\Malwarebytes
2008-12-30 16:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 16:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 16:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 16:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Smith Micro
2008-12-27 20:11 <DIR> --d----- c:\program files\Smith Micro
2008-12-21 21:20 <DIR> --d----- c:\program files\Dragon UnPACKer 5
2008-12-06 10:37 0 -------- c:\windows\QTW.ini
2008-12-03 20:04 <DIR> --d----- c:\windows\BBSTORE

==================== Find3M ====================

2008-12-30 20:10 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-12-15 12:58 535,040 a------- c:\windows\flashax.exe
2008-12-15 12:58 12,288 a------- c:\windows\impborl.dll
2008-10-23 13:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 21:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 11:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-08-30 11:58 14,912 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-06 18:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 20:17:47.34 ===============
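An added triage script, not part of the post and not code from DDS or BleepingComputer, that parses the SERVICES / DRIVERS section of a DDS log like the one above and flags drivers that load from a user temp/profile directory or that DDS could not stat (empty `[]`), the pattern shown by the three S3 entries under c:\docume~1\skye\locals~1\temp\. The sample lines are copied from the log above; the directory list and the two heuristics are my assumptions, chosen for review rather than as proof of infection.

```python
import re

# Constructed sample: lines copied from the SERVICES / DRIVERS section of the
# DDS log above (abridged). These are the lines the heuristics run over.
SAMPLE_DRIVERS = """\
R1 KLIF;KLIF;c:\\windows\\system32\\drivers\\klif.sys [2008-12-30 127768]
R2 vnccom;vnccom;c:\\windows\\system32\\drivers\\vnccom.SYS [2007-6-10 6016]
S3 etdpipe;etdpipe;\\??\\c:\\docume~1\\skye\\locals~1\\temp\\etdpipe.sys []
S3 fdrmk;fdrmk;\\??\\c:\\docume~1\\skye\\locals~1\\temp\\fdrmk.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\\??\\c:\\windows\\system32\\drivers\\mbamswissarmy.sys [2008-12-30 38496]
S3 nvideopr;nvideopr;\\??\\c:\\docume~1\\skye\\locals~1\\temp\\nvideopr.sys []
"""

# DDS driver line: "<state> <name>;<display name>;<image path> [<date> <size>]"
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Assumed heuristic: a legitimate kernel driver should not be loaded from here.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\locals~1\\")

def parse_driver_line(line):
    """Split one DDS driver line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["path"].replace("\\??\\", "").lower()  # drop the NT object prefix
    d["meta"] = d["meta"].strip()                         # "" when DDS found no file
    return d

def triage_drivers(text):
    """Return (name, path, reasons) for every driver line that trips a heuristic."""
    findings = []
    for line in text.splitlines():
        d = parse_driver_line(line)
        if d is None:
            continue
        reasons = []
        if any(s in d["path"] for s in SUSPICIOUS_DIRS):
            reasons.append("driver image in a user temp/profile directory")
        if not d["meta"]:
            reasons.append("no timestamp/size: file missing or hidden from DDS")
        if reasons:
            findings.append((d["name"], d["path"], reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage_drivers(SAMPLE_DRIVERS):
        print(f"{name}: {path}\n  - " + "\n  - ".join(reasons))
```

Run against a full log by reading the SERVICES / DRIVERS section into `triage_drivers`; hits are items to inspect, not verdicts.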

#2 mmckech

  • Topic Starter
  • Members
  • 2 posts

Posted 31 December 2008 - 02:51 PM

Problem is now gone; I deleted wdmaud.sys from windows\system32 and rebooted. None of the antivirus programs I tried found it, including Malwarebytes, Norton, Dr.Web, ComboFix.

#3 boopme

  • Global Moderator
  • 73,490 posts

Posted 03 January 2009 - 07:49 PM

Thank you for telling us!