Google results being redirected to icky places

This topic is locked
9 replies to this topic

#1 RouterPouter

RouterPouter

  • Members
  • 6 posts

Posted 21 January 2009 - 08:56 AM

Hello,

I have a client machine that has intercepted/redirected Google results. If I search for "atomic" on my machine versus this client machine, the results are drastically different, and clicking links on the client machine almost always leads to pop-ups that want to infect me with more garbage.

I have tried:

1. SnD full scan (clean)
2. MWB full scan (clean)
3. NOD32 online scan (clean)
4. Webroot scan (clean)
5. Changed DNS to use OpenDNS
6. Installed Firefox (results are STILL jacked with!)
7. Done sfc /scannow
8. Cwshredder.exe
9. Fixwareout.exe

I heard great things about the wonderful people in your forums and am hoping you can give me some advice! DDS below, Attach attached:


DDS (Ver_09-01-18.01) - NTFSx86
Run by Maureen Kostial at 7:36:20.46 on Wed 01/21/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.846 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: Webroot Internet Security Essentials *disabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CrashPlan\CrashPlanService.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\TDxVGAUTIL.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\CrashPlan\CrashPlanTray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\RDS\RMClient\PMCTray.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
c:\atomickaseya\KRlyCLis.exe
C:\atomickaseya\windows-kb890830-v2.6.exe
c:\55e351890102c583a82792549127\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\atomickaseya\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061203
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061203
uInternet Settings,ProxyServer = 192.168.0.84:8080
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ModemOnHold] "c:\program files\netwaiting\netWaiting.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [Document Manager] "c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Dell QuickSet] "c:\program files\dell\quickset\quickset.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [TDxVGAUTIL] "c:\windows\system32\TDxVGAUTIL.EXE"
mRun: [CmUsbSound] "c:\windows\system32\rundll32.exe" cmcnfgu.cpl,CMICtrlWnd
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\RegistryController.exe"
mRun: [JobHisInit] "c:\program files\rds\rmclient\JobHisInit.exe"
mRun: [MplSetUp] "c:\program files\rds\rmclient\MplSetUp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] "c:\progra~1\symant~1\VPTray.exe"
mRun: [GoBoingo] "c:\program files\boingo\goboingo\GoBoingo.exe"
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\crashp~1.lnk - c:\program files\crashplan\CrashPlanTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartd~1.lnk - c:\program files\rds\rmclient\PMClient.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {A5B0CE52-6D83-44F9-9D52-68E905524775} = 208.67.222.222,208.67.220.220
TCP: {CA7F73BA-FEBE-4746-9C28-EE1E9E002222} = 208.67.222.222,208.67.220.220
TCP: {D69AAACA-5DFA-4CFF-BBED-E70AEBC07597} = 208.67.222.222,208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: wxvault.dll c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mauree~1\applic~1\mozilla\firefox\profiles\41hg8g7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2006-12-12 4064]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-1-19 20792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090120.003\naveng.sys [2009-1-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090120.003\navex15.sys [2009-1-20 876112]
R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMini.sys [2007-1-2 233984]
R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [2007-1-2 234496]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R4 CrashPlanService;CrashPlan Backup Service;c:\program files\crashplan\CrashPlanService.exe [2008-1-3 110592]
R4 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-1-19 610304]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-3 1251720]
R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]
R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-1-21 1086840]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2007-1-2 27135]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.sys [2007-1-2 22528]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2009-01-21 07:22 <DIR> --d----- C:\55e351890102c583a82792549127
2009-01-21 01:05 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-21 00:56 8,377,527 a------- c:\windows\system32\HMAFQPL
2009-01-21 00:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{96F7253C-332D-4BC5-B60D-23F6E09069EE}
2009-01-21 00:45 <DIR> --d----- c:\program files\Solid Oak Software
2009-01-21 00:23 775,168 a------- c:\windows\isRS-000.tmp
2009-01-21 00:23 <DIR> --d----- C:\Binaries
2009-01-21 00:22 1,553,272 a------- c:\windows\WRSetup.dll
2009-01-21 00:22 <DIR> --d----- c:\program files\Webroot
2009-01-21 00:22 <DIR> --d----- c:\docume~1\mauree~1\applic~1\Webroot
2009-01-21 00:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-01-21 00:04 <DIR> --d----- C:\fixwareout
2009-01-20 23:57 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-20 23:57 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-20 23:57 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-20 23:57 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-01-20 23:57 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-01-20 23:55 35,871 a------- c:\windows\system32\dllcache\wbfirdma.sys
2009-01-20 23:54 7,556 a------- c:\windows\system32\dllcache\usroslba.sys
2009-01-20 23:53 211,968 a------- c:\windows\system32\dllcache\um54scan.dll
2009-01-20 23:52 123,995 a------- c:\windows\system32\dllcache\tjisdn.sys
2009-01-20 23:51 41,472 a------- c:\windows\system32\dllcache\sw_effct.dll
2009-01-20 23:50 7,168 a------- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-01-20 23:49 50,432 a------- c:\windows\system32\dllcache\sisv.sys
2009-01-20 23:48 17,280 a------- c:\windows\system32\dllcache\scr111.sys
2009-01-20 23:47 82,432 a------- c:\windows\system32\dllcache\rwia450.dll
2009-01-20 23:46 112,574 a------- c:\windows\system32\dllcache\ptserlp.sys
2009-01-20 23:45 86,016 a------- c:\windows\system32\dllcache\pctspk.exe
2009-01-20 23:44 54,186 a------- c:\windows\system32\dllcache\otcsercb.sys
2009-01-20 23:43 10,880 a------- c:\windows\system32\dllcache\ndisip.sys
2009-01-20 23:42 1,875,968 a------- c:\windows\system32\dllcache\msir3jp.lex
2009-01-20 23:41 22,848 a------- c:\windows\system32\dllcache\lwusbhid.sys
2009-01-20 23:40 6,144 a------- c:\windows\system32\dllcache\kbd106.dll
2009-01-20 23:39 154,496 a------- c:\windows\system32\dllcache\icam4usb.sys
2009-01-20 23:38 115,807 a------- c:\windows\system32\dllcache\hsf_fsks.sys
2009-01-20 23:37 907,456 a------- c:\windows\system32\dllcache\hcf_msft.sys
2009-01-20 23:36 7,040 a------- c:\windows\system32\dllcache\exabyte2.sys
2009-01-20 23:35 241,206 a------- c:\windows\system32\dllcache\el656se5.sys
2009-01-20 23:34 29,531 a------- c:\windows\system32\dllcache\dgapci.sys
2009-01-20 23:33 1,677,824 a------- c:\windows\system32\dllcache\chsbrkr.dll
2009-01-20 23:32 342,336 a------- c:\windows\system32\dllcache\banshee.dll
2009-01-20 23:31 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-01-20 23:31 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-01-20 23:31 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-01-20 23:31 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-01-20 23:31 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-01-20 23:31 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-20 23:31 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-01-20 23:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-20 23:28 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-19 23:02 297 a------- c:\windows\wininit.ini
2009-01-19 22:28 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-19 22:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-19 21:02 <DIR> --d----- c:\docume~1\mauree~1\applic~1\Malwarebytes
2009-01-19 21:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-19 21:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 21:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 21:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 20:48 <DIR> --d----- c:\program files\RealVNC
2009-01-19 16:28 <DIR> --d----- C:\atomickaseya
2009-01-19 16:17 135,168 a------- c:\windows\system32\kaseyasp.dll
2009-01-19 16:17 20,792 a------- c:\windows\system32\drivers\KaPFA.sys
2009-01-19 16:17 13,240 a------- c:\windows\system32\drivers\KaseyaHA.sys
2009-01-19 16:17 <DIR> --d----- c:\program files\Kaseya
2009-01-07 13:22 56 a---h--- c:\windows\system32\ezsidmv.dat

==================== Find3M ====================

2009-01-21 00:19 164 a------- C:\install.dat
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 04:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-10-24 05:21 455,296 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-07-29 11:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072920080730\index.dat

============= FINISH: 7:37:19.35 ===============

Attached Files

  • Attached File: DDS.txt (17.76KB)



#2 RouterPouter

RouterPouter
  • Topic Starter
  • Members
  • 6 posts

Posted 21 January 2009 - 12:14 PM

Hey folks,

PLEASE DISREGARD! I've found a solution! After seeing that Firefox/IE had the same behavior of hijacking Google results, I downloaded Chrome and hit www.google.com. Interestingly enough, at the bottom of the page it said something about "Waiting for 7.7.7.0"

When I Googled "waiting for 7.7.7.0" I came across this: http://kevinmcguire.blogspot.com/2009/01/w...ot-anymore.html

And renaming the c:\windows\system32\wdmaud.sys to wmdaud.totally-lame-crapware-that-can-suck-it, I rebooted the machine and BLAMO! I'm back in action!

I think you should definitely consider this when answering a ton of other posts in this forum...looks like LOTS of people got bit with this after Christmas, and this was the hardest, yet easiest malware fix ever.

Brian

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 January 2009 - 02:21 PM

Hi,

This is indeed a common infection nowadays. I've blogged about it as well a couple of months ago. However, this is once again a new variant.

Can you send me the c:\windows\system32\wdmaud.sys file please? (in your case it will be the renamed wmdaud.totally-lame-crapware-that-can-suck-it)
Upload the file here: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Extra note - Don't send me the wdmaud.sys file present in the system32\drivers and system32\dllcache folder as they are legitimate.
Also, don't send me the wdmaud.drv file as that one is legitimate as well.

Thanks.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
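A triage check for the fix described in posts #2 and #3, written here as an added example rather than anything posted in the thread: it flags a wdmaud.sys sitting directly under system32, leaves the legitimate copies in system32\drivers and system32\dllcache (and wdmaud.drv) alone, and compares the suspect's SHA-256 to the dllcache copy. It runs against a constructed temporary directory tree; the function and directory names are assumptions of this example.

```python
"""Locate a wdmaud.sys planted directly under system32.

Added example, not code from the thread.  Per the thread, the rogue file lived
at c:\\windows\\system32\\wdmaud.sys, while the copies in system32\\drivers and
system32\\dllcache (and the separate wdmaud.drv) are legitimate.  The scanner
reports any wdmaud.sys outside those two folders and records whether its hash
matches the dllcache copy, which a planted file will not.
"""
import hashlib
import tempfile
from pathlib import Path

# Legitimate homes of wdmaud.sys, directly below system32 (from the thread).
LEGIT_SUBDIRS = {"drivers", "dllcache"}
TARGET = "wdmaud.sys"          # wdmaud.drv has a different name and is never matched


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_rogue_wdmaud(system32: Path) -> list[dict]:
    """Return one record per wdmaud.sys found outside drivers/ and dllcache/."""
    system32 = Path(system32)
    reference = system32 / "dllcache" / TARGET
    ref_hash = sha256_of(reference) if reference.is_file() else None
    findings = []
    for path in system32.rglob("*"):
        if path.name.lower() != TARGET or not path.is_file():
            continue
        rel = path.relative_to(system32)
        # Exactly <legit subdir>/wdmaud.sys is the expected layout; anything
        # else (system32 root, or some deeper folder) is reported.
        if len(rel.parts) == 2 and rel.parts[0].lower() in LEGIT_SUBDIRS:
            continue
        digest = sha256_of(path)
        findings.append({
            "path": str(path),
            "sha256": digest,
            "matches_dllcache": ref_hash is not None and digest == ref_hash,
        })
    return findings


def build_demo_tree() -> Path:
    """Construct a fake system32: two legitimate copies, wdmaud.drv, one plant."""
    root = Path(tempfile.mkdtemp(prefix="sys32_demo_"))
    for sub in LEGIT_SUBDIRS:
        (root / sub).mkdir()
        (root / sub / TARGET).write_bytes(b"constructed legitimate wdmaud.sys")
    (root / "wdmaud.drv").write_bytes(b"constructed legitimate wdmaud.drv")
    (root / TARGET).write_bytes(b"constructed planted file, different bytes")
    return root


def demo() -> list[dict]:
    """Scan the constructed tree; expected result is exactly one finding."""
    return find_rogue_wdmaud(build_demo_tree())


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}: sha256={hit['sha256'][:16]}..., "
              f"matches dllcache copy={hit['matches_dllcache']}")
```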

#4 RouterPouter

RouterPouter
  • Topic Starter
  • Members
  • 6 posts

Posted 21 January 2009 - 05:26 PM

Hi there,

Yes, I'll absolutely get you that file. It's on a client machine that I probably can't access until tomorrow, but I'll let you know when it's done (via PM?).

By the way I really want to thank you for the service you're providing here. This malware stuff is an art form of its own, and I can tell you've got a lot of very appreciative users.

Thanks,
Brian

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 January 2009 - 05:58 PM

Ok, thanks - and yes, notify me in this thread or via PM :thumbup2:

#6 RouterPouter

RouterPouter
  • Topic Starter
  • Members
  • 6 posts

Posted 22 January 2009 - 12:05 AM

Roger that good sir. Just posted that file for you. Interested to see how this little bugger plays out. I don't know how the forum is structured and if other users like myself are allowed to pitch in on threads, but I'd be happy to sift through posts identical to mine and point people to your blog post and the article I found if their symptoms are similar to mine.

Brian

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2009 - 02:19 AM

Thank you for the file. Unfortunately, it's not the variant I am looking for. The one I am looking for has "Miekiemoes rules" in its file description. The malware authors added it there :thumbup2:
Someone notified me about that variant and made a screenshot of it: http://www.bluemedicine.be/images/miekiemoesrules.gif
That was what she got when she hovered her mouse over the bad wdmaud.sys.
Unfortunately she already deleted the file. That's why I am searching for the file now...

Edited by miekiemoes, 22 January 2009 - 02:20 AM.


#8 RouterPouter

RouterPouter
  • Topic Starter
  • Members
  • 6 posts

Posted 22 January 2009 - 09:40 AM

Miekiemoes,

Oh man, I thought you were kidding during the first part of the message...wow, you must be quite popular in the malware-fighting world eh? Well, the good guys are glad you're here!

Brian

P.S. how does one become a member of the HijackThis team?

Edited by RouterPouter, 22 January 2009 - 09:42 AM.


#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2009 - 09:46 AM

Hi,

To become a member of the HijackThis Team, you have to go through training first.
At the moment, there's no room available for new trainees, but you can always sign up here (another forum) to get trained. That's where I also learned the ropes :thumbup2:

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 January 2009 - 06:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.