I get useless results from search engines


  • This topic is locked
5 replies to this topic

#1 eirik99t

  • Members
  • 2 posts

Posted 21 January 2009 - 03:05 PM

Ok, I'll try to be short :)

When I use Google, Yahoo (etc.) I only get results like "bestcarinsurance.com" and so on. I've tried numerous spyware/malware removal programmes, but none of them has worked so far.

I've tried to follow the steps in the guide for posting a HijackThis log, and hope I've done this right! I suddenly realized some of the "Attach-file" are in Norwegian :thumbup2: well I hope we still can figure this out!

And thanks in advance for any help, I'm very thankful!!


Here's an example to illustrate my problem:
[image: screenshot of the search results]

The texts are from real sites, but the URLs sure aren't the ones I'm looking for (at least the 5 ones from the top)




DDS (Ver_09-01-18.01) - FAT32x86
Run by Eirik XXXXXXXXXXX at 20:48:21,87 on 21.01.2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.510.122 [GMT 1:00]

AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Programfiler\Java\jre6\bin\jqs.exe
C:\Programfiler\Microsoft LifeCam\MSCamS32.exe
C:\Programfiler\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programfiler\Sekvens AS\Sekvens PC Config\WinVNC.exe
C:\Programfiler\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Programfiler\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Programfiler\Winamp\winamp.exe
C:\Programfiler\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programfiler\Opera\Opera.exe
C:\Documents and Settings\Eirik Osa SkjŠveland\Skrivebord\dds.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.defaulthomepage.info
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programfiler\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\programfiler\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programfiler\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programfiler\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programfiler\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\programfiler\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OE] c:\programfiler\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\programfiler\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\programfiler\synaptics\syntp\SynTPEnh.exe
mRun: [EPM-DM] c:\acer\epm\epm-dm.exe
mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot
mRun: [Windows Defender] "c:\programfiler\windows defender\MSASCui.exe" -hide
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\programfiler\google\gmail notifier\gnotify.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [LifeCam] "c:\programfiler\microsoft lifecam\LifeExp.exe"
mRun: [WinampAgent] c:\programfiler\winamp\winampa.exe
mRun: [iTunesHelper] "c:\programfiler\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\programfiler\lavasoft\ad-aware\AAWTray.exe
mRun: [SpyHunter Security Suite] c:\programfiler\enigma software group\spyhunter\SpyHunter3.exe
mRun: [SunJavaUpdateSched] "c:\programfiler\java\jre6\bin\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\programfiler\trend micro\internet security\UfSeAgnt.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\programfiler\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [OE] c:\programfiler\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\eiriko~1\start-~1\progra~1\oppstart\msnmes~1.lnk - c:\programfiler\msn messenger\msnmsgr.exe
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programfiler\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\felles~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\programfiler\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-19 64160]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-1-20 334352]
R4 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-1-3 4096]
R4 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-1-3 78208]
R4 IKSysFlt;IKSysFlt; [x]
R4 IKSysSec;IKSysSec; [x]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programfiler\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\programfiler\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-1-20 181584]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-1-20 36368]
R4 WinDefend;Windows Defender;c:\programfiler\windows defender\MsMpEng.exe [2006-10-5 13592]
S3 asbp2poa;asbp2poa;c:\docume~1\eiriko~1\lokale~1\temp\asbp2poa.sys [2005-1-12 15872]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [2008-10-4 32000]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-1-20 49680]
S4 TmPfw;Trend Micro Personal Firewall;c:\programfiler\trend micro\internet security\TmPfw.exe [2009-1-20 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\programfiler\trend micro\internet security\TmProxy.exe [2009-1-20 677128]

=============== Created Last 30 ================

2009-01-21 19:27 <DIR> --d----- c:\docume~1\eiriko~1\progra~1\Malwarebytes
2009-01-21 19:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 19:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 19:26 <DIR> --d----- c:\docume~1\alluse~1\progra~1\Malwarebytes
2009-01-21 19:26 <DIR> --d----- c:\programfiler\Malwarebytes' Anti-Malware
2009-01-21 19:10 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-01-21 19:10 77,824 a------- c:\windows\system32\kdfapi.dll
2009-01-21 19:10 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-01-21 19:09 722,472 a------- c:\windows\system32\kdfmgr.exe
2009-01-21 19:09 <DIR> --d----- c:\windows\kdefense
2009-01-21 19:09 846,336 a------- c:\windows\system32\kdfinj.dll
2009-01-20 23:37 <DIR> --d----- c:\programfiler\Spyware Doctor
2009-01-20 21:07 <DIR> --d----- c:\windows\LocalSSL
2009-01-20 21:06 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-20 21:06 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-01-20 21:06 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-01-20 21:05 <DIR> --d----- c:\docume~1\alluse~1\progra~1\Trend Micro
2009-01-20 21:04 <DIR> --d----- c:\programfiler\Trend Micro
2009-01-20 20:50 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-01-20 20:50 1,195,384 a------- c:\windows\system32\drivers\vsapint.sys
2009-01-20 20:50 334,352 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-01-20 20:50 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-01-20 20:50 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-01-20 20:50 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-01-20 19:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-20 19:11 <DIR> --d----- c:\documents and settings\eirik osa skjŠveland\.housecall6.6
2009-01-19 19:38 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-19 18:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-19 18:19 <DIR> --d-h--- c:\docume~1\alluse~1\progra~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-14 23:49 6,784 a------- c:\windows\system32\drivers\serscan.sys
2009-01-14 23:49 6,784 a------- c:\windows\system32\dllcache\serscan.sys
2009-01-14 23:49 41,472 a------- c:\windows\system32\qvusd.dll
2009-01-14 23:49 41,472 a------- c:\windows\system32\dllcache\qvusd.dll
2009-01-14 23:49 71,680 a------- c:\windows\system32\fnfilter.dll
2009-01-14 23:49 71,680 a------- c:\windows\system32\dllcache\fnfilter.dll
2009-01-02 22:19 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-02 22:19 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-01-02 22:19 15,104 a------- c:\windows\system32\dllcache\usbscan.sys
2009-01-02 22:19 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-01-21 20:48 14,155,776 a---h--- c:\documents and settings\eirik osa skjŠveland\NTUSER.DAT
2008-12-23 16:14 411,946 a------- c:\windows\system32\perfh014.dat
2008-12-23 16:14 73,324 a------- c:\windows\system32\perfc014.dat
2008-12-13 07:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 09:22 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 11:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 12:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys

============= FINISH: 20:49:29,14 ===============


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2009 - 03:16 AM

Hi,

While I will be helping you - I hope you can help me as well.

Can you navigate to your C:\Windows\System32 folder and search for the file wdmaud.sys in there? If so, upload it here for me: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Extra note, make sure it's the wdmaud.sys file present in the system32 folder and not the wdmaud.drv file (because that one will be present there as well and is the legitimate one).
Also, don't upload the wdmaud.sys present in the drivers folder or dllcache folder, because those are legitimate as well. Only the wdmaud.sys file present in the system32 folder is a bad one and may be causing your problem.

I actually already blogged about the infection you are dealing with here: http://miekiemoes.blogspot.com/2008/10/fak...archengine.html
But please perform the above instructions first before deleting it.

So upload that file for me (if present) for analysis. Thanks.

Let me know in your next reply once you've uploaded the file - or if you could find it.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
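A quick way to apply the file-location rules from the post above, as added example code (not the helper's or the forum's own tool): it encodes the rules as a classifier and runs it over a constructed file listing. `scan_system32` and its default `C:\WINDOWS` path are assumptions for a live check on a Windows host.

```python
import ntpath
import os
from pathlib import PureWindowsPath

# Triage rules taken from the post above (example code, not the helper's tool):
#   - wdmaud.drv anywhere is the legitimate Windows audio driver
#   - wdmaud.sys under System32\drivers or System32\dllcache is legitimate
#   - wdmaud.sys sitting directly in System32 is the suspect file
SUSPECT = "wdmaud.sys"
LEGIT_SIBLING = "wdmaud.drv"
LEGIT_SUBDIRS = {"drivers", "dllcache"}

def classify_wdmaud(path: str) -> str:
    """Return a verdict for one path; 'unrelated' for non-wdmaud files."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name == LEGIT_SIBLING:
        return "legitimate"
    if name != SUSPECT:
        return "unrelated"
    parent = p.parent.name.lower()
    grandparent = p.parent.parent.name.lower()
    if parent == "system32":
        return "suspect"
    if parent in LEGIT_SUBDIRS and grandparent == "system32":
        return "legitimate"
    # Not covered by the rules above: leave it for manual review
    return "review"

def find_suspects(paths):
    """Filter a file listing down to the paths matching the bad pattern."""
    return [p for p in paths if classify_wdmaud(p) == "suspect"]

def scan_system32(windir=r"C:\WINDOWS"):
    """Live check on a Windows host (assumed layout): which wdmaud.* files exist."""
    candidates = [ntpath.join(windir, "system32", SUSPECT),
                  ntpath.join(windir, "system32", LEGIT_SIBLING),
                  ntpath.join(windir, "system32", "drivers", SUSPECT),
                  ntpath.join(windir, "system32", "dllcache", SUSPECT)]
    return {c: classify_wdmaud(c) for c in candidates if os.path.isfile(c)}

# Constructed listing mirroring the layout described in the post
SAMPLE_LISTING = [r"C:\WINDOWS\system32\wdmaud.drv",
                  r"C:\WINDOWS\system32\wdmaud.sys",
                  r"C:\WINDOWS\system32\drivers\wdmaud.sys",
                  r"C:\WINDOWS\system32\dllcache\wdmaud.sys",
                  r"C:\WINDOWS\system32\drivers\mbam.sys"]
```

Running `find_suspects(SAMPLE_LISTING)` returns only the System32 copy of wdmaud.sys; the other entries are classified as legitimate or unrelated.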

#3 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2009 - 03:41 AM

Hi,

Thank you for sending me the file. Unfortunately it's not the version I am looking for, but anyway, the file you have uploaded is the cause of your problems, is malware and should be deleted.
Do not delete the wdmaud.drv file or wdmaud.sys file present anywhere else!

Let me know if deleting that file solved your issue.

#4 eirik99t
  • Topic Starter

  • Members
  • 2 posts

Posted 22 January 2009 - 11:46 AM

Thanks a lot!

It seems to be working again now! All I did was delete the file like you told me to, and restart my web browser (which was open at the time of deletion).

#5 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2009 - 11:52 AM

Yes, it's an easy one to delete.
Glad to hear that solved your problem. :thumbup2:

What I suggest is to use Firefox with the NoScript extension to prevent a new infection. This is because this piece of malware is in most cases downloaded via legitimate sites, forums etc.

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 January 2009 - 06:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.