Internet Buggery

Sphexi (Diamond Member, Feb 22, 2005):
Somehow I got nailed with something I can't figure out. I've run spybot/adaware and both come up clean, yet whenever I go to MSN/Google/Yahoo and search for ANYTHING the top 5 or 6 results (only ones that popup) are for sites like crossdots.com and redup.com and a few that all look the same. I run Kaspersky anti-virus, and adaware all the time, and I've run through all the possibilities I could come up with as to what's causing this. If I go to Megaproxy and use them to search things work fine, it's obviously something on my comp that's redirecting searches to their sites, and darned if I can find it.


Any help, or suggestions on where to look? I've checked the HOSTS file, and it doesn't seem to alter the sites that I use to search; it looks like Google searching, it just comes up with the same results no matter what.
 

Sphexi (Diamond Member, Feb 22, 2005):
DO NOT CLICK THE LINKS IN HERE :p....I apologize for them being automatically linked, but don't click 'em.


Logfile of HijackThis v1.99.1
Scan saved at 10:43:43 PM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Screenshot Utility\ScreenshotUtility.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Sphexi\LOCALS~1\Temp\Rar$EX00.563\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKCU\..\Run: [cpknwbd] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [pdhgshw] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [lyosdcu] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [yajwhsp] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [rlykewx] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [ysyegks] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [toxcyyy] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [mtmncxd] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [uyvqant] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [hslhvui] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [silvcki] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [xuexbcm] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [uhdshyq] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [cnfjpwr] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [ngjuvno] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [qsiaxnx] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [lrfhltm] c:\windows\xxpxysp.exe
O4 - Startup: Screenshot Utility.lnk = C:\Program Files\Screenshot Utility\ScreenshotUtility.exe
O4 - Startup: Winamp Agent.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8706B6D0-E661-40E2-A4AB-5B669A0DF43D}: NameServer = 68.168.96.162,68.168.96.165
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

You know, I'm going to turn in my Man Badge if it's as simple as removing those R0 registry tags, and the rest of that crap. BTW, the nygleja.exe and xxpxysp.exe I already had found and deleted, but I dunno what flsmngr.dll is, and the rest of this crap I'm slowly working through now.
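As an added example (mine, not part of the thread and not HijackThis's own code): a small Python triage pass that applies the patterns visible in the log above to a HijackThis v1.99-style text. It flags R0/R1 search-page overrides, one executable registered under many random-looking HKCU Run values, an "Unknown file in Winsock LSP" entry (the item that survives a browser switch), and an O17 NameServer change. The sample log is a constructed excerpt modelled on the posted one, and the scoring heuristics are my assumptions, not vendor rules.

```python
# Added example: triage a HijackThis v1.99-style log for the hijack patterns
# seen in the thread above. Not HijackThis code; the heuristics are assumptions.
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted log (benign lines trimmed to a few).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro
O4 - HKCU\..\Run: [cpknwbd] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [pdhgshw] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [lyosdcu] c:\windows\nygleja.exe
O4 - HKCU\..\Run: [lrfhltm] c:\windows\xxpxysp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8706B6D0-E661-40E2-A4AB-5B669A0DF43D}: NameServer = 68.168.96.162,68.168.96.165
"""

R_LINE = re.compile(r"^(R[01]) - (.+?) = (\S+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
O10_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (.+)$")
EXE_PATH = re.compile(r'"?(.*?\.exe)', re.IGNORECASE)
# Heuristic (assumption): a lone .exe dropped straight into %WINDIR% deserves a look.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def exe_from_command(command):
    """Return the lower-cased executable path from an O4 command line, or None."""
    m = EXE_PATH.match(command.strip())
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return de-duplicated (severity, category, detail) findings for a log."""
    findings, seen = [], set()

    def add(severity, category, detail):
        if detail not in seen:            # the real log repeats the O10 line three times
            seen.add(detail)
            findings.append((severity, category, detail))

    run_values = defaultdict(list)        # exe path -> Run value names pointing at it
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            # R0/R1: IE search/start-page overrides; all four in the log share one domain.
            add("high", "search-hijack", f"{m.group(2)} -> {m.group(3)}")
        elif m := O4_LINE.match(line):
            exe = exe_from_command(m.group(4))
            if exe:
                run_values[exe].append(m.group(3))
        elif m := O10_LINE.match(line):
            # An LSP sits below every Winsock caller, which is why Firefox was hit too.
            add("high", "winsock-lsp", f"unknown LSP module {m.group(1)}")
        elif m := O17_LINE.match(line):
            # Changed resolvers also affect every browser; confirm they belong to the ISP.
            add("review", "dns-nameserver", f"NameServer = {m.group(1)}")

    for exe, names in run_values.items():
        if len(names) > 1:
            # One binary registered under many random-looking value names.
            add("high", "autostart", f"{exe} registered {len(names)} times: {', '.join(names)}")
        elif WINDOWS_ROOT.match(exe):
            add("review", "autostart", f"{exe} runs from the Windows directory root")
    return findings


if __name__ == "__main__":
    for severity, category, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {category:15} {detail}")
```

Run it against a saved log (`triage(open("hijackthis.log").read())`) and work the "high" items first; the "review" items are things to confirm, not to delete on sight.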
 

blodhi74 (Diamond Member, Mar 28, 2003):

Sphexi (Diamond Member, Feb 22, 2005):
I had already gotten rid of those, the one that was doing it was the flsmngr.dll in the Winsock LSP...I went in and removed that, plus the other things that were obviously crap, and voila, works fine :)


So thanks for the kick in the ass, I should be better than this *hides Network Engineering degree*


BTW the funny part was that I tried Firefox to see if it was an IE thing only, and Firefox had the same problem. Obviously it was something else entirely, and something very slick at that, I'm almost impressed with how sophisticated it was.
 

FlyingPenguin (Golden Member, Nov 1, 2000):
You may still have other nasties hiding. Have you checked for BHO Helpers? Checked to see if your HOSTS file has been tampered with?

Please refer to my detailed spyware removal instructions here: http://theflyingpenguin.com/spyware-removal.shtml

I wouldn't trust Spybot or Adaware anymore. Both have sold out to the enemy. They've been off my radar for 9 months. They miss a LOT of malware.
 

mechBgon (Super Moderator, Elite Member, Oct 31, 1999):
Sounds like what McAfee/NAI call Startpage-GT or one of its descendants, since it affects both browsers. McAfee has a manual command-line scanner you can try if you like: how to (a text file). Also make sure Kaspersky is updating "From Internet, Extended Databases" like shown in this pic.

Check your Layered Service Provider stack. Microsoft AntiSpyware Beta > Advanced Tools > System Explorers can help with checking the LSP, to name one possibility.

Bigger picture: are you using a Limited account for daily-driver stuff? Good idea to do so if possible, don't hand over the gun and the ammo. ;)
 

Sphexi (Diamond Member, Feb 22, 2005):
Originally posted by: mechBgon
Sounds like what McAfee/NAI call Startpage-GT or one of its descendants, since it affects both browsers. McAfee has a manual command-line scanner you can try if you like: how to (a text file). Also make sure Kaspersky is updating "From Internet, Extended Databases" like shown in this pic.

Check your Layered Service Provider stack. Microsoft AntiSpyware Beta > Advanced Tools > System Explorers can help with checking the LSP, to name one possibility.

Bigger picture: are you using a Limited account for daily-driver stuff? Good idea to do so if possible, don't hand over the gun and the ammo. ;)


No idea what it was called, didn't have much of a name other than the DLL file that was sitting in the LSP stack. And yeah, I don't use the admin account or something stupid like that, I did learn a few things in college to make it worth the ever rising tuition.

Kaspersky is updated, so is everything else, I've scanned a few more times with all, no problems, and I've been tracking outgoing connections just out of curiosity and doing whois lookups on the servers to see who owns them and if any of them are places I don't want to be connecting to.

I actually have a modified HOSTS file, which I have a backup of just in case something edits it to put fun things in there, I have it set up right now to redirect traffic from about 5k some odd bad/spyware/advert servers to localhost, cuts down on a lot of the stuff.
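An added example (mine, not from anyone in the thread) of the HOSTS tamper check FlyingPenguin asks about, built around the backup copy Sphexi keeps: it diffs the live file against the backup and flags two things a blocklist-style HOSTS file should never contain, a name mapped to a live address rather than a sinkhole (search redirected elsewhere) and a sinkholed search, AV or update domain (malware hiding its removal). The watched-domain list and both sample files are constructed for the example; 192.0.2.10 is a TEST-NET address, not a real server.

```python
# Added example: audit a Windows HOSTS file against a known-good backup.
# Sample files and the WATCHED list are constructed assumptions, not from the thread.

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: domains that should never be sinkholed on a box you are cleaning;
# blocking them is how hijackers cut off AV updates or prove a search redirect.
WATCHED = ("google.com", "yahoo.com", "msn.com", "kaspersky.com", "windowsupdate.com")

# Constructed backup: the ad/spyware blocklist style Sphexi describes.
BACKUP_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example.net        # ad server (constructed)
127.0.0.1   tracker.example.org    # tracker (constructed)
"""

# Constructed "after" file with two injected lines.
CURRENT_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example.net
127.0.0.1   tracker.example.org
127.0.0.1   downloads.kaspersky.com   # constructed: AV updates sinkholed
192.0.2.10  www.google.com            # constructed: search sent to a TEST-NET address
"""


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS text, ignoring comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()             # one IP, one or more names per line
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def audit_hosts(current_text, backup_text):
    """Diff live HOSTS against the backup and flag policy violations in the live file."""
    cur, bak = parse_hosts(current_text), parse_hosts(backup_text)
    report = {
        "added": {h: ip for h, ip in cur.items() if h not in bak},
        "removed": {h: ip for h, ip in bak.items() if h not in cur},
        "changed": {h: (bak[h], ip) for h, ip in cur.items() if h in bak and bak[h] != ip},
        "suspicious": [],
    }
    for host, ip in cur.items():
        if host == "localhost":
            continue
        if ip not in SINKHOLES:
            # A blocklist file only ever points names at a sinkhole.
            report["suspicious"].append((host, ip, "maps to a live address, not a sinkhole"))
        elif is_watched(host):
            report["suspicious"].append((host, ip, "watched domain is sinkholed"))
    return report


if __name__ == "__main__":
    result = audit_hosts(CURRENT_HOSTS, BACKUP_HOSTS)
    for key in ("added", "removed", "changed"):
        print(key, result[key])
    for host, ip, why in result["suspicious"]:
        print(f"SUSPICIOUS {host} -> {ip}: {why}")
```

On a real machine read `%SystemRoot%\system32\drivers\etc\hosts` and the backup copy into the two arguments; anything in "suspicious" or "changed" is worth restoring from the backup before re-running the browser test.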