Hi guys,
Hope you can help! IE is being redirected when I click on links (and when I click on Google search links). It seems to keep going to generic sites like Buy.com, eBay.com, search engines, etc.
I have run McAfee, Panda, HijackThis, Spybot S&D, SpywareBlaster, Ad-Aware, Fix Wareout (as discussed in one of your other threads), CCleaner, CWShredder, XSoft, Ewido and Trojan Hunter, and each has found a few loose ends but not much to sink my teeth into.
One other weird thing is that every time I look at the sites listed in SpywareBlaster (Tools tab) they seem to keep changing to ones like the one listed right below - not sure what this is about.
Any help would be greatly appreciated!
http://ie.search.msn...st/srchcust.htm
Here is my latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:46:31 PM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\Program Files\LS_Duhem\lsdiorw\lsdiorw2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\mcafee.com\VSO\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mimeo.com\Mimeo Printing Service for NT\ECSTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Desktop\Hi Jack folder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sparkretailsolutions.com/
O2 - BHO: ETHelper Class - {A4032A77-8876-4C3E-9655-2AE16B58692D} - C:\WINDOWS\system32\str.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [exe.hldmd] C:\WINDOWS\system32\dmdlh.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=5
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Mimeo Quick Start.lnk = C:\Program Files\Mimeo.com\Mimeo Printing Service for NT\ECSTray.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LanScsi Helper Service (LanScsiHelper) - XIMETA, Inc. - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: Lsdiorw - Logiciels & Services Duhem, Paris, France - C:\Program Files\LS_Duhem\lsdiorw\lsdiorw2.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Browser redirects - system super slow
Started by mkraty, Apr 06 2006 08:16 PM
#1 Posted 06 April 2006 - 08:16 PM
#2 Posted 07 April 2006 - 09:31 PM
Hi mkraty, welcome to the forum.
The site SpywareBlaster shows is genuine and related to the MSN Search Assistant, but the IE redirection sounds like a malware problem. Did Fixwareout show any Registry values or files in the Windows\system32 folder?
Can you check the files below at a virus scan site, then run a couple of tools? Hopefully the results will make it clearer what's causing the problem.
Visit Jotti's or VirusTotal, click on Browse, and upload these files:
C:\WINDOWS\system32\str.dll
C:\WINDOWS\system32\dmdlh.exe
Then click Submit. Allow the file to be scanned, and copy and paste the results back. Let me know if you have any problems finding the files.
Download Blacklight beta Here
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects any hidden files. The log is called fsbl-<date/time>.log.
Please then download DLLCompare from Here
Save it to the desktop and run it. Click Run Locate.com to scan for DLL files. When the scan is finished, click Compare. Finally, when that is complete, click Make a Log of What Was Found. Please post the contents of the logfile back.
Can you post the virus scan results, Blacklight's log and DLLCompare's log if they find any files?
Cheers
Andy
#3 Posted 11 April 2006 - 04:28 PM
Hi Andy,
Sorry to be so long getting back to you - I was out of town for a few days.
OK - I looked for the str.dll and dmdlh.exe but do not see either in the System32 folder (good news??).
I ran Blacklight and it found "no hidden items" (more good news??)
The DLLCompare gave the following results:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
"
________________________________________________
1,515 items found: 1,515 files, 0 directories.
Total of file sizes: 344,150,677 bytes 328.21 M
Administrator Account = True
--------------------End log---------------------
Panda gave me this log
Incident Status Location
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner.YOUR-W92P4BHLZG\Cookies\owner@atwola[1].txt
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\SYSTEM32\Connect2Party-uninstall.exe
So I went in and killed the files noted.
Ewido scan results looked good too (after scanning and cleaning once)
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:40:47 AM, 4/7/2006
+ Report-Checksum: 7C3B4C4C
+ Scan result:
No infected objects found.
::Report End
Looks pretty clean and my redirecting problem seems to be resolved (after posting I re-ran all of my scans, Trojan Hunter and anti-malware, and let them fix anything they found). Also ran Fix Wareout and killed anything in my HijackThis log that looked funky.
I did find references to a trojan downloader in a few of the scans (Ewido seems to find the most stuff). I let it clean what it found.
Thanks for your help, I will keep checking to see if it pops back up again.
Thanks again
#4 Posted 11 April 2006 - 06:47 PM
Hey mkraty,
Set Windows to show hidden and system files to make sure they are not on the PC:
Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm, then OK.
Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button.
If found, upload them at the scan site, then fix these two entries in the log:
O2 - BHO: ETHelper Class - {A4032A77-8876-4C3E-9655-2AE16B58692D} - C:\WINDOWS\system32\str.dll
O4 - HKLM\..\Run: [exe.hldmd] C:\WINDOWS\system32\dmdlh.exe
All the other scan results are looking good. If you removed the file Pandascan found, then it's just the two above files that are worth checking for again; fix the above entries in the log.
Let us know if you find the files or have any problems.
Cheers
Andy
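As an added example (not from this thread, from HijackThis, or from any tool named in it), a small Python triage script for the HijackThis v1.99 log format posted above: it parses the O2 (BHO), O4 (Run value) and O23 (service) lines, strips arguments from Run values, records the "(file missing)" tag, and lists the loads from system32 that the helper asked to have checked at a scanner. The function and constant names are my own; the sample lines are copied from the log in this thread.

```python
import re
from dataclasses import dataclass
# Added triage helper for HijackThis v1.99 logs like the one in this thread; it is not part of
# HijackThis or any tool named here. The sample lines below are copied from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: ETHelper Class - {A4032A77-8876-4C3E-9655-2AE16B58692D} - C:\WINDOWS\system32\str.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [exe.hldmd] C:\WINDOWS\system32\dmdlh.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
"""

@dataclass
class Entry:
    kind: str            # "O2" (BHO), "O4" (Run value) or "O23" (service)
    name: str            # BHO name, Run value name, or service name
    path: str            # executable or DLL the entry loads
    file_missing: bool   # HijackThis tags O23 lines with "(file missing)"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
def exe_from_command(cmd: str) -> str:
    """Drop arguments from a Run value: take the quoted path, else text up to the first .exe."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], False))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], exe_from_command(m["cmd"]), False))
        elif line.startswith("O23 - Service: "):
            missing = line.endswith(" (file missing)")
            body = line[: -len(" (file missing)")] if missing else line
            head, path = body.rsplit(" - ", 1)  # the last " - " separates owner from path
            name = head[len("O23 - Service: "):].rsplit(" - ", 1)[0]  # owner follows the name
            entries.append(Entry("O23", name, path, missing))
    return entries

def system32_loads(entries: list[Entry]) -> list[str]:
    """Files a BHO or Run value loads straight from system32: candidates to verify, not verdicts."""
    sys32 = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)
    return sorted({e.path for e in entries if e.kind in ("O2", "O4") and sys32.search(e.path)})
```

Run over the posted log, `system32_loads` returns the same two files Andy asked to have uploaded, and `file_missing` marks the O23 services whose binary is gone.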