
Hijacked Search Engines


13 replies to this topic

#1 ctjordan

ctjordan

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 22 January 2009 - 12:11 AM

Blackle.com, Ask.com, and Google when I'm logged into Gmail all work fine but otherwise, I get a bunch of results with the correct text but the links associated all direct to sites such as moxiesearch.com, findstuff.com, and web.info.com. I've run Malwarebytes already and it found a few things but hasn't fixed the problem at hand. I don't know if I'm supposed to post a HijackThis log or a DDS log, but here's my DDS log. If something else is needed just let me know, looking forward to getting this fixed. Thanks!


DDS (Ver_09-01-18.01) - NTFSx86 NETWORK
Run by ctjordan at 0:03:10.15 on Thu 01/22/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1577 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\ctjordan\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.unc.edu/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = ftp=localhost:80;http=localhost:80;https=localhost:80;socks=localhost:1080
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: MRI_DISABLED - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\ctjordan\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Wlan Wireless] APPLESERVICE.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd csspwntfy

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ctjordan\applic~1\mozilla\firefox\profiles\ichbherz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\ctjordan\application data\mozilla\firefox\profiles\ichbherz.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\components\FoxyTunes.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2005-12-21 6912]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-6-11 85760]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
S1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-6-11 4736]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-6-11 4442]
S3 AVP;AVP;"c:\docume~1\ctjordan\locals~1\temp\mri_temp\kaspersky antivirus\avp\scanner\avp.exe" -r --> c:\docume~1\ctjordan\locals~1\temp\mri_temp\kaspersky antivirus\avp\scanner\AVP.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-19 99376]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-11-2 42112]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090121.003\naveng.sys [2009-1-21 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090121.003\navex15.sys [2009-1-21 876112]
S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [2004-7-27 15744]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2008-4-24 54176]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-12-21 186016]
S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-12-21 83616]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-12-21 177824]
S4 ConfidenceOnlineEE;Confidence Online™ for Corporate PCs;c:\program files\wholesecurity\enterprise edition\WSService2K.exe [2005-9-13 1205864]
S4 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
S4 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
S4 PStrip;PStrip;c:\windows\system32\drivers\PStrip.sys [2004-11-9 21968]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-5-27 169200]
S4 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
S4 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-12-8 3328]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-5-27 1757936]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]

=============== Created Last 30 ================

2009-01-21 23:33 <DIR> --d----- c:\program files\Trend Micro
2009-01-21 23:28 <DIR> --d----- c:\program files\CleanUp!
2009-01-21 21:32 <DIR> --d----- c:\docume~1\ctjordan\applic~1\Malwarebytes
2009-01-21 21:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 21:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 21:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 21:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-09 22:03 <DIR> --d----- c:\program files\common files\VMware
2009-01-09 22:00 79,872 a------- C:\memo1.MDB
2009-01-09 22:00 140 a------- c:\windows\NSFASTKY.INI
2009-01-09 18:42 <DIR> --d----- c:\program files\WinAVI Video Converter
2009-01-07 12:47 <DIR> --d----- c:\docume~1\ctjordan\applic~1\uTorrent

==================== Find3M ====================

2009-01-19 02:18 28,672 a------- c:\windows\system32\drivers\CO_Mon.sys
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-11-02 01:49 5,427 a------- c:\windows\system32\EGATHDRV.SYS
2007-01-24 10:05 561,152 a------- c:\documents and settings\ctjordan\GoToAssist_chat2way__268_en.exe

============= FINISH: 0:03:24.95 ===============



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 January 2009 - 03:02 AM

Hi,

While I will be helping you - I hope you can help me as well.

Can you navigate to your C:\Windows\System32 folder and search for the file wdmaud.sys in there? If so, upload it here for me: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Extra note, make sure it's the wdmaud.sys file present in the system32 folder and not the wdmaud.drv file (because that one will be present there as well and is the legitimate one).
Also, don't upload the wdmaud.sys present in the drivers folder or dllcache folder, because those are legitimate as well. Only the wdmaud.sys file present in the system32 folder is a bad one and may be causing your problem.

I actually already blogged about the infection you are dealing with here: http://miekiemoes.blogspot.com/2008/10/fak...archengine.html
But please perform above instructions first before deleting it.

So upload that file for me (if present) for analysis. Thanks.

Let me know in your next reply once you've uploaded the file - or if you could find it.

Edited by miekiemoes, 22 January 2009 - 03:17 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ctjordan

ctjordan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 22 January 2009 - 11:34 AM

I found and uploaded it. Waiting for your next instructions :thumbup2:

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 January 2009 - 11:44 AM

Thank you for the file, EXACTLY the file I was looking for. The malware authors decided to put "Miekiemoes rules" in its file description :thumbup2:

Anyway, please delete the wdmaud.sys file present in the C:\Windows\system32 folder. Don't delete it anywhere else and don't delete the wdmaud.drv file there either.

Also, I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Let me know if that solved your issue.

#5 ctjordan

ctjordan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 22 January 2009 - 12:00 PM

It sure did. I also uninstalled Viewpoint. I think I have another issue but it's not malware or a virus, it's software that didn't uninstall correctly. Where should I post it?

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 January 2009 - 12:08 PM

You can post it here about the software problem you are dealing with.
I can try to help you (depending what software or what problem), and if I can't help you, or don't know the answer, then I'll refer you to somewhere else where they can help you. :thumbup2:

By the way, can you search if APPLESERVICE.EXE is still present on your computer? Because you have this questionable entry in your log:

mRun: [Wlan Wireless] APPLESERVICE.EXE

If it's still present, then upload the file here:
http://www.virustotal.com/en/indexf.html

Let it scan and post the results. If not present, or found to be malware, do next:

Open Notepad and copy and paste the text present in the quotebox below into it
(don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wlan Wireless"=-

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

#7 ctjordan

ctjordan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 22 January 2009 - 12:40 PM

Appleservice.exe was not found so I did the registry fix. My other question is dealing with VMWare Player that was not uninstalled correctly. Basically any time I open certain programs, a box opens saying VMWare Player in the title bar with the message "Please wait while Windows configures VMWare Player." If I let it continue, it says "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package 'VMWare Player.msi' in the box below." Then I click cancel and it says "Error 1706. No valid source could be found for product VMWare Player. The Windows Installer cannot continue." If I hit cancel when the message first pops up, it will come up a few more times, and I hit cancel each time, and then the program will open. It's not stopping me from doing anything, but it is getting annoying. VMWare Player is still in the Add/Remove Programs list but I get a similar message when trying to uninstall it: "Error 1316. A network error occurred while attempting to read from the file C:\WINDOWS\Installer\VMWare Player.msi". I've gone through the information on VMWare's website where they walk you through a manual uninstallation but this continues to pop up. Any idea?

Edited by ctjordan, 22 January 2009 - 12:41 PM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 January 2009 - 01:03 PM

Hi,

Have you already tried to reinstall it again and then uninstall it?

Extra addition..

I searched the Vmware Forums and found this solution for you:
http://communities.vmware.com/message/650456#650456

Edited by miekiemoes, 22 January 2009 - 01:21 PM.
extra instruction


#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 January 2009 - 01:16 PM

Extra addition..

I searched the Vmware Forums and found this solution for you:
http://communities.vmware.com/message/650456#650456

#10 ctjordan

ctjordan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 22 January 2009 - 01:22 PM

I don't have the disk to reinstall it anymore. And it was installed to my hard drive, not on anything else. I did the VMWare_Install_Cleaner.exe with no luck, unfortunately. Thank you very much for your help with the other issue, I really appreciate it.

Edited by ctjordan, 22 January 2009 - 01:25 PM.


#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 January 2009 - 01:28 PM

I don't have the disk to reinstall it anymore.

That explains it since you've installed it from the disk.

You can reinstall it from here though: http://www.vmware.com/products/player/
In any case, read and perform the instructions in the link I posted first before reinstalling it, to properly uninstall it again.
This page is important for you as well: http://kb.vmware.com/selfservice/microsite...0%200%206385775

Run the installer command with the /c switch, which automatically removes the MSI installer registration information.


Edited by miekiemoes, 22 January 2009 - 01:30 PM.


#12 ctjordan

ctjordan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 22 January 2009 - 01:42 PM

That worked. I didn't realize I could download it from their website, otherwise I would've done that a long time ago. Haha, thanks for all your help. I may paypal you some money when I get some. In the middle of rebuilding my engine and I'm broke. :thumbup2:

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 January 2009 - 01:56 PM

Good to hear it worked. :thumbup2:
Yes, you can download all Vmware products from there. I have the Vmware Workstation installed and I really love it!

And glad I could help :)

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 26 January 2009 - 06:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



