
Google search results redirected to ad sites


This topic is locked
2 replies to this topic

#1 chickenfingers

  • Members
  • 2 posts

Posted 18 January 2009 - 02:10 PM

Hello, last night the first page of search results for Google started being replaced with ad sites and other suspicious results. This happened while running Opera 9.62 under Windows XP 64-bit, though I'm also getting bad Google results with Firefox.

I've already run a complete system scan with Kaspersky 6 (no bad results, though on 12/15/2008 Kaspersky detected and presumably deleted 2 instances of "Trojan-downloader.JS.Psyme.amg"), TrendMicro Housecall (no bad results), Spyware S&D (no bad results, except for cookies, which it deleted), Malwarebytes' Anti-Malware (one result, which it claimed to fix: Hijack.displayproperties; a subsequent scan came up with no bad results).

I tried to run DDS, but it gives me the message "This tool does not support your Operating System". (I hope I can find some help now that most of the security sites/forums want DDS logs!)
Ordinarily I would try running Combofix, which seems to be the standard fix for this problem; however, I've read it--and a lot of other cleaners--don't work with XP 64-bit.

Edit: Update: SuperAntiSpyware didn't find anything. Nor did ESET's online antivirus scanner.

So I've run HijackThis. Your help is GREATLY appreciated. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:49 PM, on 1/18/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
F:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
F:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
F:\Program Files (x86)\Java\jre6\bin\jqs.exe
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files (x86)\Java\jre6\bin\jusched.exe
F:\Program Files (x86)\Winamp\Winampa.exe
F:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
F:\Other Adobes\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Other Adobes\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Other Adobes\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] F:\WINDOWS\SysWOW64\xRaidSetup.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files (x86)\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AVP] "F:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "F:\Other Adobes\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = F:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229206298215
O20 - AppInit_DLLs: F:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - F:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - F:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - F:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - F:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - F:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - F:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - F:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - F:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: TabletServiceWacom - Unknown owner - F:\WINDOWS\system32\Wacom_Tablet.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - F:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - F:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7802 bytes

Thank you for your help!

Edit - I ran a few more scanners:
Ran Microsoft Malicious Software Tool (full system scan): no results.
Ran Roguefix v2.234

deleted F:\WINDOWS\system32\win***32.dll
deleted beep.sys

Ran Malwarebytes a 3rd time (quick scan in safe mode this time):

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b385ee3-ee18-4c69-bf55-6b6b406ef591} (Trojan.Zlob) -> Quarantined and deleted successfully.


Edit again - I ran another full system scan with Kaspersky in safe mode. It found 4 suspicious entries, which it deleted, but the problem persists:

deleted: malware Constructor.Win32.VB.hp File: E:\Downloads - Edwin\CD DVD Utils etc\Folder2Iso.exe//UPX
deleted: malware Constructor.Win32.VB.hp File: F:\Downloads - Edwin\CD DVD Utils etc\Folder2Iso.exe//UPX
deleted: malware Constructor.Win32.VB.hp File: F:\System Volume Information\_restore{C380D6B4-3750-4677-A4AD-F715340CEA9C}\RP31\A0010505.exe//UPX
deleted: malware Constructor.Win32.VB.hp File: F:\System Volume Information\_restore{C380D6B4-3750-4677-A4AD-F715340CEA9C}\RP61\A0013830.exe//UPX



So far, the Google results hijacking persists, and I'm already going crazy because I rely on this computer for my livelihood as a graphic artist. Stinkin' malware.
Again, thanks in advance for your help.

Edited by chickenfingers, 19 January 2009 - 01:41 PM.



#2 chickenfingers (Topic Starter)

  • Members
  • 2 posts

Posted 19 January 2009 - 11:24 PM

Update!

I think, finally, I fixed the problem by tackling it manually.
After reading this post on miekiemoes's weblog about fake wdmaud.sys files in the WINDOWS\system32 folder and its accompanying registry entry, I searched for a copy of that file where it shouldn't be. I didn't have wdmaud.sys in the incorrect WINDOWS\system32 folder miekiemoes described or the registry entry mentioned as problematic (I assume the difference is down to XP 32 vs 64 bit) but I did find it under the \WINDOWS\SysWOW64 folder. Also, in the registry in the key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WindowsNT\CurrentVersion\Drivers32

was the entry aux = wdmaud.sys. I deleted the aux entry from my registry (after backing it up elsewhere) and then deleted wdmaud.sys from the SysWOW64 folder. I'm no longer getting redirect results from Google and--perhaps I'm just imagining--system performance seems to have improved.

For anyone else running XP 64-bit who's frustrated by the incompatibility of typically prescribed solutions (Combofix etc), this might work for you. Of course, I guess it would be best for an expert to vet this solution, but I am thrilled! Hooray.
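A defender-side check for the manual fix described in post #2, as an added example (this is not code from the thread or from BleepingComputer): it enumerates both the native and the Wow6432Node views of the Drivers32 key, flags any value that names a `.sys` module or the `wdmaud.sys` file from the post, and reports whether that file exists in `system32` or `SysWOW64` together with its Authenticode status. The key name `Windows NT` (with a space) is the real key the post's path refers to; the `.sys` heuristic, the function name and the search directories are assumptions added here.

```powershell
# Added example (not from the thread): audit both views of Drivers32 for the kind of
# entry described in post #2 ("aux = wdmaud.sys") and check the referenced module on disk.
# Assumptions: run from an elevated PowerShell prompt on 64-bit Windows; the file name
# and value name come from the post, the .sys heuristic and search directories are mine.

$SuspectFile = 'wdmaud.sys'   # name from the post (the genuine audio mapper module is wdmaud.drv)

# Native 64-bit view and the WOW64 view that 32-bit applications see.
$Drivers32Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
)

# Directories a bare module name in Drivers32 is resolved from (64-bit and 32-bit).
$SearchDirs = @("$env:SystemRoot\system32", "$env:SystemRoot\SysWOW64")

function Get-Drivers32Finding {
    param([string]$Key, [string]$ValueName, [string]$Value)

    $Leaf = Split-Path -Path $Value -Leaf
    # Legitimate Drivers32 entries point at user-mode modules (.drv, .acm, .dll).
    # A .sys name here, or the exact name from the post, is the indicator to flag.
    $Suspect = ($Leaf -ieq $SuspectFile) -or ($Leaf -imatch '\.sys$')

    foreach ($Dir in $SearchDirs) {
        $Path = Join-Path -Path $Dir -ChildPath $Leaf
        $Exists = Test-Path -Path $Path
        $SigStatus = 'n/a'
        if ($Exists) {
            $SigStatus = (Get-AuthenticodeSignature -FilePath $Path).Status
        }
        New-Object -TypeName PSObject -Property @{
            Key       = $Key
            ValueName = $ValueName
            Value     = $Value
            Candidate = $Path
            Present   = $Exists
            Signature = $SigStatus
            Suspect   = $Suspect
        }
    }
}

$Findings = @()
foreach ($Key in $Drivers32Keys) {
    if (-not (Test-Path -Path $Key)) { continue }
    $RegKey = Get-Item -Path $Key
    foreach ($Name in $RegKey.GetValueNames()) {
        $Value = [string]$RegKey.GetValue($Name)
        if ([string]::IsNullOrEmpty($Value)) { continue }
        $Findings += Get-Drivers32Finding -Key $Key -ValueName $Name -Value $Value
    }
}

# Also look for the suspect file on disk even when no Drivers32 value references it,
# so a leftover copy is still reported after the registry value has been removed.
foreach ($Dir in $SearchDirs) {
    $Path = Join-Path -Path $Dir -ChildPath $SuspectFile
    if (Test-Path -Path $Path) {
        $Findings += New-Object -TypeName PSObject -Property @{
            Key = '(file only)'; ValueName = ''; Value = ''
            Candidate = $Path; Present = $true
            Signature = (Get-AuthenticodeSignature -FilePath $Path).Status
            Suspect = $true
        }
    }
}

$Findings | Sort-Object -Property Suspect -Descending |
    Format-Table -Property Suspect, ValueName, Value, Candidate, Present, Signature, Key -AutoSize

# Triage summary: a row with Suspect=True and Present=True is what post #2 removed by hand.
$Hits = @($Findings | Where-Object { $_.Suspect -and $_.Present })
"Suspect Drivers32 references or files present: $($Hits.Count)"
```

The script only reports; removal of a registry value or file is left to the person doing the cleanup, after exporting the key as post #2 did. Note that on older PowerShell releases `Get-AuthenticodeSignature` does not consult the Windows catalog, so genuine catalog-signed system files can show `NotSigned`; treat the signature column as supporting evidence, not as the sole indicator.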

#3 KoanYorel (Bleepin' Conundrum)

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 21 January 2009 - 11:17 AM

Thanks for informing us what you have done.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
