
Search engine results hijacked


6 replies to this topic

#1 mdrgolf

mdrgolf

  • Members
  • 3 posts

Posted 22 February 2009 - 10:52 PM

Using Google and Yahoo search engines. When search results appear, the site description looks correct, but the URL points to places like this:

BleepingComputer.com - Computer Help ForumsWelcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. ...
findstuff.com - 111k - Cached - Similar pages

I can't figure out how to fix it. Thanks in advance!!

Here is my DDS file


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 21:39:37.56 on Sun 02/22/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.112 [GMT -6:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\winnt\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [WPSched3] "c:\program files\webposition 3\Wpsched3.exe" MINIMIZE
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [Steam] c:\valve\steam\Steam.exe -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Gene USB Monitor] c:\winnt\system32\UMonit2k.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_04\bin\jusched.exe"
mRun: [DIGStream] "c:\program files\digstream\digstream.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\turbot~2.lnk - c:\program files\turbo tourney pro 2006\tts2006.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: xfire_lsp_10650.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.7059837963
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\winnt\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R0 hptpro;hptpro;c:\winnt\system32\drivers\hptpro.sys [2002-10-18 9826]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [2003-1-13 253984]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 HPW5ECP;HPW5ECP;c:\winnt\system32\drivers\HPW5ECP.sys [1999-12-17 44032]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-12-30 1107784]
R3 NAVAPEL;NAVAPEL;c:\program files\navnt\navapel.sys [2003-9-27 7920]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090222.003\naveng.sys [2009-2-22 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090222.003\navex15.sys [2009-2-22 876144]
S0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-2-22 64160]
S1 AluriaFilter;AluriaFilter;c:\winnt\system32\drivers\alurfltr.sys --> c:\winnt\system32\drivers\AlurFltr.sys [?]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-10 255600]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-10 243312]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-10 87664]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2003-9-25 61712]
S3 Norton AntiVirus Server;Norton AntiVirus Client;c:\progra~1\navnt\rtvscan.exe [2003-9-27 385024]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-12-30 153416]
S3 USTOR2K;Genesys USB Mass Storage Windows Driver;c:\winnt\system32\drivers\ustor2k.sys [2003-10-1 16896]

=============== Created Last 30 ================

2009-02-22 21:39 16,384 a------t c:\winnt\system32\Perflib_Perfdata_3e0.dat
2009-02-22 20:53 <DIR> --d----- c:\program files\Trend Micro
2009-02-22 20:22 130 a------- c:\winnt\wininit.ini
2009-02-22 16:12 64,160 a------- c:\winnt\system32\drivers\Lbd.sys
2009-02-22 16:06 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{2BAE6915-8510-4B9F-B498-02DA86258AA0}
2009-02-22 16:06 <DIR> --d----- c:\program files\Lavasoft
2009-02-22 15:52 16,896 a------- c:\winnt\system32\fltlib.dll
2009-02-21 16:05 <DIR> --d----- C:\ADCPRD
2009-02-17 05:54 16,384 a------t c:\winnt\system32\Perflib_Perfdata_338.dat

==================== Find3M ====================

2009-01-30 20:22 43,520 a------- c:\winnt\system32\CmdLineExt03.dll
2009-01-12 05:57 16,384 a------t c:\winnt\system32\Perflib_Perfdata_31c.dat
2008-12-14 21:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2f4.dat
2008-12-10 08:45 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2e4.dat
2008-11-25 14:51 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2ec.dat
2006-10-31 17:48 121,506,833 a------- c:\program files\CoDUO_Patch.exe
2005-09-22 21:18 6,888,184 a------- c:\program files\ssfsetup1786_1819176595.exe
2005-09-03 08:49 57,600 a------- c:\program files\interm.wav
2005-09-03 08:48 46,592 a------- c:\program files\GAMEBEGINNING.wav
2005-09-03 08:47 17,008 a------- c:\program files\killed.wav
2005-06-16 10:25 34,129 a------- c:\program files\blackandwhiteab.jpg
2004-07-19 21:40 0 a---h--- c:\program files\common files\MSN
2004-01-06 20:59 65,536 a------- c:\program files\pup.exe
2003-09-25 12:45 21,952 ----h--- c:\program files\folder.htt
2003-09-25 12:45 271 ----h--- c:\program files\desktop.ini
1999-12-07 06:00 32,528 a------- c:\winnt\inf\wbfirdma.sys
1998-12-08 20:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 20:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 20:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 20:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 20:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 20:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 21:40:17.28 ===============


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 February 2009 - 05:56 AM

Hi,

Is this the problem you are having?

http://miekiemoes.blogspot.com/2008/10/fak...archengine.html
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mdrgolf

mdrgolf
  • Topic Starter

  • Members
  • 3 posts

Posted 23 February 2009 - 08:48 AM

That is very similar to the problem I am having, except that all pages of my search results point to "bad" URLs. Also, I don't notice any delay in getting the search engine to load or in getting search engine results.

None of the adware / malware programs are finding anything wrong. I ran HijackThis and didn't find anything out of the ordinary.

When I get home from work this evening I will check the files mentioned in your blog. Hopefully that will cure me.

Thanks for the quick and informative reply.

Edited by mdrgolf, 23 February 2009 - 08:49 AM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 February 2009 - 08:53 AM

Hi,

I'm pretty sure it's that one you're dealing with, since I can't see anything strange in the above logs. The infection I'm mentioning doesn't display in logs anyway.
Anyway, let me know...

If unsure, or it's not the wdmaud.sys problem present in the system32 folder, do next instead...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
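The check miekiemoes describes above (a file named wdmaud.sys sitting directly in the system32 folder rather than in the drivers subfolder where the legitimate WDM audio driver lives on Windows 2000/XP) can be scripted. This is an added example, not code from the thread or from any BleepingComputer tool; it assumes only that location as the indicator and builds a constructed directory tree so it runs offline on any OS.

```python
import os
import tempfile
from pathlib import Path

# Driver names whose legitimate home on Windows 2000/XP is
# %SystemRoot%\system32\drivers. A same-named file directly in
# system32 is the indicator discussed in the thread. Only
# wdmaud.sys comes from the thread; the set is an assumption
# you can extend with other drivers you have verified.
EXPECTED_IN_DRIVERS = {"wdmaud.sys"}


def find_misplaced_drivers(system32: Path, names=EXPECTED_IN_DRIVERS):
    """Return paths of files named like a known driver that live
    anywhere under system32 except the drivers subdirectory."""
    drivers_dir = system32 / "drivers"
    hits = []
    for root, _dirs, files in os.walk(system32):
        root_path = Path(root)
        # The drivers folder itself (and anything below it) is expected.
        if root_path == drivers_dir or drivers_dir in root_path.parents:
            continue
        for name in files:
            if name.lower() in names:  # case-insensitive like NTFS
                hits.append(root_path / name)
    return sorted(hits)


def build_sample_tree(base: Path, with_stray: bool) -> Path:
    """Constructed sample layout, not a real system: the legitimate
    driver in drivers\\ and, optionally, a stray copy in system32."""
    sys32 = base / "system32"
    (sys32 / "drivers").mkdir(parents=True)
    (sys32 / "drivers" / "wdmaud.sys").write_bytes(b"constructed legit")
    (sys32 / "kernel32.dll").write_bytes(b"constructed unrelated")
    if with_stray:
        (sys32 / "wdmaud.sys").write_bytes(b"constructed stray")
    return sys32


def demo(with_stray: bool = True):
    """Scan a constructed tree and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = build_sample_tree(Path(tmp), with_stray)
        return [hit.name for hit in find_misplaced_drivers(sys32)]


if __name__ == "__main__":
    print(demo())             # ['wdmaud.sys']
    print(demo(with_stray=False))  # []
```

On a real machine you would call find_misplaced_drivers(Path(os.environ["SystemRoot"]) / "system32") and treat any hit as something to investigate, not delete blindly.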

#5 mdrgolf

mdrgolf
  • Topic Starter

  • Members
  • 3 posts

Posted 23 February 2009 - 04:56 PM

Wow you were right!!

I found the wdmaud.sys file in the system32 folder and deleted it. Voila!! My search engine works normally again.

I would have never found that without your help.

Thank you sooooooooo much!!!
How can I repay you?

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 February 2009 - 05:06 PM

Hi,

Good to hear and glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 February 2009 - 08:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.