Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirects in FF and IE7


  • Please log in to reply
5 replies to this topic

#1 PuffBunny

PuffBunny

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:15 AM

Posted 10 May 2009 - 04:04 AM

I have been having a problem with Firefox and IE when searching on Google the clicked links often go to other web sites. Quite often the adress in the title bar is zeus.org.au or something similar.

I have run Bitdefender, Ad-Aware, SpyWare Doctor, MalwareBytes etc and all have found infections and have removed them. I have also run ComboFix - but wasnt sure what i was doing with this so i am unsure of the results.

Can any one please point me in the right direction?

I have read the Preperation Guide for Use before using Hijckthis and have included the DDS.txt file generated by DDS below.

Many thanks in advance

svchost.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Desktop\AntiSpyWare Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Diigo Toolbar: {09197ffb-c236-4153-b268-31051e4f3b6c} - c:\program files\diigo\DiigoToolbar.3.1.13.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Diigo Sidebar: {69523951-583f-418c-bde7-18efc9fd54b4} - c:\program files\diigo\DiigoToolbar.3.1.13.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ALLUpdate] "c:\program files\allplayer\ALLUpdate.exe" "sleep"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\david\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\david\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cardmi~1.lnk - c:\program files\pfu\scansnap\cardminder v3.2\CardLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\Snagit32.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.16.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1232569857296
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240051637437
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232281337812
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\cr5ernp3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2009-5-4 22312]

BC AdBot (Login to Remove)

 


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:15 AM

Posted 24 May 2009 - 11:04 AM

Hello Puffbunny,
Please advise if you have resolved your issues, or , if you are being helped elsewhere.
If you wish to get guided help here, please be careful when copying the reports we ask for.
Your 1 and only log was truncated at the top, and I cannot tell your Windows version.
Always select ALL text, and COPY, and Paste ALL contents of report / log files in your replies here.

If your system is XP: Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

If your system is Vista: Show all files:
  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.
=
Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTListIt2 by clicking the X at top right.
Download Security Check by screen317 and save it to your Desktop: here or here
  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
Posted Image If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):
  • the contents of OTListIt.txt;
  • the contents of Extras.txt ; and
  • the contents of checkup.txt
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 24 May 2009 - 11:07 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 PuffBunny

PuffBunny
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:15 AM

Posted 24 May 2009 - 11:36 AM

Hi Maurice

Thank you for finaly getting back to me - i do appreciate you are very busy fighting this sort of crap.

Sorry or the truncated post -

Whilst waiting for a reply, i posted on another forum - this isn't meant as a complaint, but the frequency of the redirects was hitting anything up to 90% of search results, and i was near tears in desperation so i felt i couldn't wait.

If its any consolation the other forum haven't made much progress either and i have so far tried with them, OTList (as suggested by you) Malwarebytes, ATF Cleaner, SysRestore (used during one of the clean-ups), CCleaner, Spyware Doctor, Ad-Aware, erunt, rooter, gmer, combofix, drweb-cureit.... and nothing has stopped it.

Today i did a search on other forums and by accident came across a google forum post someone who was also having re-direct isseus , and they found it was down to a file in C:/Windows/System32 called wdmaud.sys which redirects to other parts of the web - there is a legitimate file called this but this i think (assuming the post is correct) should sit in System32/drives - the this one is bogus.

I had to use Malwarebytes, FileAssassin to remove it (renaming doesn't work as it replicates itself, and its locked from being deleted any other way).

Since i removed it i haven't been redirected - so fingers crossed that this was the cause. It is worrying that NONE of the tools mentioned inclufing BitDefender, my virus scanner didnt detect it, and i dont know how i got it onto my system.

So - at this time i do not need your help - However i would be very greatfull if you can suggest any way to stop me getting further infected by this sort of crap.

keep up the great works you guys do.

PuffBunny

#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:15 AM

Posted 24 May 2009 - 11:41 AM

Puffbunny,

Which forum, please? and provide a link to your topic.
While the topic is open there, I'll hold off on advice. I do not want to hinder or conflict with something already way.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 PuffBunny

PuffBunny
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:15 AM

Posted 24 May 2009 - 11:52 AM

maurice the forum is geekstogo.com

Follow this link for my topic

I haven't updated my post with the development from today, yet but will.

Again - my searching elsewhere was NOT a reflection on this site - just my frustration.

Thank you and i hope you find a permanent fix for this type of problem

PuffBunny

Edited by PuffBunny, 24 May 2009 - 11:53 AM.


#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:15 AM

Posted 24 May 2009 - 12:22 PM

Ping your helper by PM at geekstogo to see about remaining or outstanding issues. If nothing else, they need to assist you in removal of the tools used.
If after, say, another 24 hours there's no response, let me know here.

If you still have a copy of the rogue wdmaud.sys it would be nice to submit a copy to Virustotal or such.
It is interesting what you mentioned about this driver and what others have mentioned. However, it is not always the case that this file is malware. From the readings, it is a suspect if it is found anywhere else other than the \system32\drivers sub-folder

Generally speaking, there's several ways that malware will redirect your browser, and there are some measures you can take to somewhat minimize odds of your getting redirected.
If by tomorrow you have no other response at G2G forum, let me know here.

My preference is to have them help you close the case properly on that forum first.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users