
It must be a highjack or something like that...


  • This topic is locked
2 replies to this topic

#1 snc23

Posted 06 February 2009 - 06:37 AM

Hello
I have a problem when I'm trying to search for something with a search engine.

It doesn't matter if it is Google (my homepage) or yahoo nor if I'm using Firefox (my primary browser) or iexplorer. The results are always directing me to something like click.com or <my search phrase here>-best-deals.com and such.
After a bit of search I learned that this is called highjacking and it can be fixed by spybot or similar programs. I tried Spybot - Search & Destroy, Malwarebytes' Anti-Malware, Spyware Doctor, Lavasoft Ad-Aware SE Personal, I changed from nod32 to avg free and back to nod32, scanned everything with everything in normal and safe mode and... nothing... the problem is still there... :thumbup2:

Then I searched some more and found HijackThis which led me here. I used dds.scr and here are the results:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Joseph at 12:54:49.14 on Fri 02/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1628 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Eset\nod32krn.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Eset\nod32kui.exe
H:\Program Files\Crypto\Crypto AirData 54 USB Wireless LAN Driver and Utility\RtWLan.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Documents and Settings\Joseph\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
mRun: [nod32kui] "h:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\crypto~1.lnk - h:\program files\crypto\crypto airdata 54 usb wireless lan driver and utility\RtWLan.exe
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - h:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
LSP: h:\windows\system32\imon.dll
Trusted Zone: download.microsoft.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: update.microsoft.com
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.microsoft.com
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - h:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\joseph\applic~1\mozilla\firefox\profiles\fqf0uwxw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: h:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: h:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;h:\windows\system32\drivers\nod32drv.sys [2009-2-2 15424]
R2 EAPPkt;Realtek EAPPkt Protocol;h:\windows\system32\drivers\EAPPkt.sys [2009-2-2 38144]
R2 NOD32krn;NOD32 Kernel Service;h:\program files\eset\nod32krn.exe [2009-2-2 549256]
R3 RTL8187B;Crypto AirData 54 USB Wireless LAN Network Card;h:\windows\system32\drivers\RTL8187B.sys [2009-2-2 270720]
S3 IKFileSec;File Security Driver;h:\windows\system32\drivers\ikfilesec.sys [2009-2-4 40840]
S3 IKSysFlt;System Filter Driver;h:\windows\system32\drivers\iksysflt.sys [2009-2-4 66952]
S3 IKSysSec;System Security Driver;h:\windows\system32\drivers\iksyssec.sys [2009-2-4 81288]
S3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2009-2-5 15504]
S4 MBAMService;MBAMService;h:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-2-5 170640]
S4 sdAuxService;PC Tools Auxiliary Service;h:\program files\spyware doctor\pctsAuxs.exe [2009-2-4 356920]
S4 sdCoreService;PC Tools Security Service;h:\program files\spyware doctor\pctsSvc.exe [2009-2-4 1079176]

=============== Created Last 30 ================

2009-02-06 12:44 <DIR> --d----- h:\windows\pss
2009-02-06 10:46 <DIR> --d----- h:\program files\Spybot - Search & Destroy
2009-02-06 10:46 <DIR> --d----- h:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-05 20:44 <DIR> --d----- h:\program files\Lavasoft
2009-02-05 20:44 <DIR> --d----- h:\program files\common files\Wise Installation Wizard
2009-02-05 20:37 <DIR> --d----- h:\docume~1\joseph\applic~1\Malwarebytes
2009-02-05 20:37 15,504 a------- h:\windows\system32\drivers\mbam.sys
2009-02-05 20:37 38,496 a------- h:\windows\system32\drivers\mbamswissarmy.sys
2009-02-05 20:37 <DIR> --d----- h:\program files\Malwarebytes' Anti-Malware
2009-02-05 20:37 <DIR> --d----- h:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-05 20:28 <DIR> --d----- h:\program files\Trend Micro
2009-02-05 12:26 <DIR> --d----- H:\Fraps
2009-02-05 10:36 <DIR> --d----- h:\program files\Bonjour
2009-02-05 10:31 <DIR> --d----- h:\program files\common files\Macrovision Shared
2009-02-04 17:06 56 ---shr-- h:\windows\system32\A9B845B800.sys
2009-02-04 17:05 2,306 a--sh--- h:\windows\system32\KGyGaAvL.sys
2009-02-04 17:02 <DIR> --d----- h:\program files\common files\Enterbrain
2009-02-04 17:01 <DIR> --d----- h:\program files\Enterbrain
2009-02-04 16:58 <DIR> --d----- h:\windows\system32\appmgmt
2009-02-04 16:51 <DIR> --d----- H:\Games
2009-02-04 14:25 81,288 a------- h:\windows\system32\drivers\iksyssec.sys
2009-02-04 14:25 66,952 a------- h:\windows\system32\drivers\iksysflt.sys
2009-02-04 14:25 40,840 a------- h:\windows\system32\drivers\ikfilesec.sys
2009-02-04 14:25 29,576 a------- h:\windows\system32\drivers\kcom.sys
2009-02-04 14:25 <DIR> --d----- h:\program files\Spyware Doctor
2009-02-04 14:25 <DIR> --d----- h:\docume~1\joseph\applic~1\PC Tools
2009-02-03 22:54 <DIR> --d----- h:\program files\CDisplay
2009-02-03 20:49 32,592 a------- h:\windows\system32\msonpmon.dll
2009-02-03 20:46 <DIR> --d----- h:\program files\Microsoft Visual Studio 8
2009-02-03 20:46 <DIR> --d----- h:\windows\SHELLNEW
2009-02-03 19:06 23 a------- h:\windows\BlendSettings.ini
2009-02-03 18:55 <DIR> --d----- h:\program files\DAEMON Tools
2009-02-03 10:13 <DIR> --d----- h:\program files\Uniblue
2009-02-03 09:59 <DIR> --d----- h:\docume~1\joseph\applic~1\Uniblue
2009-02-03 09:35 <DIR> --d----- h:\docume~1\joseph\applic~1\MSNInstaller
2009-02-03 09:27 <DIR> --d----- h:\docume~1\joseph\applic~1\EternalEden
2009-02-03 01:04 <DIR> --d-h--- h:\windows\system32\GroupPolicy
2009-02-03 01:01 <DIR> --d----- h:\program files\common files\Windows Live
2009-02-03 00:05 <DIR> --d----- h:\windows\RegisteredPackages
2009-02-02 23:59 683,520 a------- h:\windows\system32\divx.dll
2009-02-02 23:59 499,712 a------- h:\windows\system32\msvcp71.dll
2009-02-02 23:59 7,680 a------- h:\windows\system32\ff_vfw.dll
2009-02-02 23:59 547 a------- h:\windows\system32\ff_vfw.dll.manifest
2009-02-02 23:59 348,160 a------- h:\windows\system32\msvcr71.dll
2009-02-02 23:59 <DIR> --d----- h:\program files\K-Lite Codec Pack
2009-02-02 23:55 6,400 a------- h:\windows\system32\drivers\splitter.sys
2009-02-02 23:55 142,464 a------- h:\windows\system32\drivers\aec.sys
2009-02-02 23:55 54,272 a------- h:\windows\system32\drivers\swmidi.sys
2009-02-02 23:55 52,864 a------- h:\windows\system32\drivers\DMusic.sys
2009-02-02 23:55 7,552 a------- h:\windows\system32\drivers\MSKSSRV.sys
2009-02-02 23:55 2,944 a------- h:\windows\system32\drivers\drmkaud.sys
2009-02-02 23:55 4,992 a------- h:\windows\system32\drivers\MSPQM.sys
2009-02-02 23:55 5,376 a------- h:\windows\system32\drivers\MSPCLOCK.sys
2009-02-02 23:55 82,944 a------- h:\windows\system32\drivers\wdmaud.sys
2009-02-02 23:55 171,776 a------- h:\windows\system32\drivers\kmixer.sys
2009-02-02 23:55 60,800 a------- h:\windows\system32\drivers\sysaudio.sys
2009-02-02 23:55 3,072 a------- h:\windows\system32\drivers\audstub.sys
2009-02-02 23:54 21,504 a------- h:\windows\system32\hidserv.dll
2009-02-02 23:51 685,816 a------- h:\windows\system32\drivers\sptd.sys
2009-02-02 23:51 74,240 a------- h:\windows\system32\usbui.dll
2009-02-02 23:50 <DIR> --d----- h:\program files\common files\ODBC
2009-02-02 23:50 <DIR> --d----- h:\program files\common files\SpeechEngines
2009-02-02 23:49 66,594 ac------ h:\windows\system32\dllcache\c_869.nls
2009-02-02 23:49 <DIR> --d--r-- h:\documents and settings\all users\Documents
2009-02-02 23:48 1,086,058 ac------ h:\windows\system32\dllcache\NTPRINT.CAT
2009-02-02 23:47 <DIR> --d----- h:\windows\system32\oldcatroot2
2009-02-02 23:47 <DIR> --d----- h:\windows\system32\CatRoot
2009-02-02 23:47 <DIR> --d----- H:\Documents and Settings
2009-02-02 23:45 261 a------- h:\windows\system32\$winnt$.inf
2009-02-02 23:18 <DIR> --d----- h:\program files\uTorrent
2009-02-02 23:17 <DIR> --d----- h:\docume~1\joseph\applic~1\uTorrent
2009-02-02 22:53 <DIR> --d----- h:\program files\NVIDIA Corporation
2009-02-02 22:53 <DIR> --d----- h:\program files\common files\NVIDIA Shared
2009-02-02 22:48 <DIR> --d----- h:\program files\ESET
2009-02-02 22:45 <DIR> --d----- h:\program files\Crypto
2009-02-02 22:16 <DIR> --dsh--- h:\documents and settings\all users\DRM
2009-02-02 22:16 <DIR> --d-h--- h:\program files\WindowsUpdate
2009-02-02 22:15 <DIR> --d----- h:\program files\common files\MSSoap
2009-02-02 22:14 <DIR> --d----- h:\program files\Online Services
2009-02-02 22:13 <DIR> --d----- h:\program files\MSN Gaming Zone
2009-02-02 22:13 <DIR> --d----- h:\program files\Windows NT

==================== Find3M ====================

2009-02-03 22:56 86,327 a------- h:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-02 22:48 512,096 a------- h:\windows\system32\drivers\amon.sys
2009-02-02 22:48 299,392 a------- h:\windows\system32\imon.dll
2009-02-02 22:48 15,424 a------- h:\windows\system32\drivers\nod32drv.sys
2009-02-02 22:46 21,035 a------- h:\windows\system32\drivers\AegisP.sys
2009-02-02 22:14 21,640 a------- h:\windows\system32\emptyregdb.dat
2009-01-03 13:24 81,920 a------- h:\windows\system32\frapsvid.dll
2008-12-02 22:37 49,480 a------- h:\windows\system32\sirenacm.dll

============= FINISH: 12:55:02.50 ===============

Tell me if you want to help and need any other info. I want to keep trying for a couple of days more but just to be sure I'll go find my windows xp copy and prepare the rituals for the format (you know... back up material, some snacks and a good book :) )

Thanks to anyone that took time to read this.

edit:
I found out that the ip 209.85.171.199 has something to do with the redirects. I don't know if it helps or if it is even relevant but I thought to edit it in anyway.

Edited by snc23, 06 February 2009 - 12:42 PM.
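As an added example (not code from the original post, from DDS, or from the helpers in this thread): a small Python parser for lines in the shape of the "Created Last 30" section above, plus a triage heuristic that lists files under windows\system32 carrying the hidden or system attribute so an analyst can check them against a known-good source. The Entry, parse_dds_created and review_candidates names, and the heuristic itself, are my own assumptions; the sample lines are copied from the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input in the shape of a DDS "Created Last 30" section; these lines
# are copied from the log posted above (constructed subset, not a full log).
SAMPLE_LOG = """\
2009-02-06 12:44 <DIR> --d----- h:\\windows\\pss
2009-02-05 20:37 15,504 a------- h:\\windows\\system32\\drivers\\mbam.sys
2009-02-04 17:06 56 ---shr-- h:\\windows\\system32\\A9B845B800.sys
2009-02-04 17:05 2,306 a--sh--- h:\\windows\\system32\\KGyGaAvL.sys
2009-02-02 23:55 82,944 a------- h:\\windows\\system32\\drivers\\wdmaud.sys
2009-02-02 22:16 <DIR> --dsh--- h:\\documents and settings\\all users\\DRM
"""

# timestamp, size (or <DIR>), 8-character attribute field, path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+?)\s*$"
)


@dataclass
class Entry:
    created: str
    size: Optional[int]   # None for directories
    attrs: str            # letters present: a(rchive) c d(ir) s(ystem) h(idden) r(ead-only)
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs


def parse_dds_created(text: str) -> List[Entry]:
    """Parse DDS created-file lines; lines that do not match the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        created, size, attrs, path = m.groups()
        size_bytes = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(Entry(created, size_bytes, attrs, path))
    return entries


def review_candidates(entries: List[Entry]) -> List[str]:
    """Triage heuristic (an assumption, not a verdict): regular files under
    windows\\system32 with the hidden or system attribute set deserve a manual
    check against a known-good copy before any removal decision is made."""
    return [e.path for e in entries
            if not e.is_dir and e.hidden_or_system
            and "\\windows\\system32\\" in e.path.lower()]
```

The directory entries and the plain-attribute driver files drop out of the candidate list, so only the two hidden/system files in system32 are reported for review.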


#2 snc23

snc23
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 07 February 2009 - 01:04 PM

I found that I had the 'wdmaud.sys' thing (trojan?) after looking in miekiemoes' blog. Particularly this:

http://miekiemoes.blogspot.com/2008/10/fak...archengine.html

Thanks miekiemoes!! My searching is now ok!! :thumbup2: :)
(Nice dog btw)

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:09:40 AM

Posted 17 February 2009 - 12:35 PM

Thanks for informing us.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users