# Browser Hijack - IE, Firefox, and Opera.



## SpiralThus (Dec 21, 2008)

Hi All,

Thanks for reading!

I do a lot of webdev, and often use IE, Firefox, Opera, and Google Chrome.

I rarely get malware, as I am pretty good with my security, but today I picked up something, somewhere.

It effects Firefox, IE, and Opera, all three. Chrome is uneffected. I'm pretty sure it came in through Firefox, as most of my browsingtoday was with Firefox.

I also think it must be fairly new, as I have tried to remove it andhad no success, and haven't seen anything like this in my removalresearch.

*What I've Tried So Far:*

I've tried AdAware, SpyBot, CWSShredder, and a few others, all with noluck. I've also tried starting windows with all startup processesdisabled, and researched all of my running processes - still no luck. My AVG antivirus sees nothing, nor does Comodo BOClean.

*What the Hijacker Does (at least the part I know about):*

When running a search (on Google, Yahoo, and MSN that I've tested) in both IE and Firefox:

The first 10 or so search engine results are replaced with URLs. They aren't always to the same set of URLs, so I assume the URLs aredetermined by pay-per-click prices for my search term.
The URLs are actually shown in the results, it in the green partat the bottom, so an untrained observer might actually think these arethe real results.
The rest of each result is normal, so the title and description come from the real result sites.
The pay-per-click ads that would normally be shown by google are missing, so there are only the altered organic results.
In Opera:

Opera shows exactly the same behavior, but ONLY if Firefox or IE is also open. If you open Opera first, it works just fine, but as soon as you open FFor IE, Opera becomes infected. The infection doesn't persist - if youclose Opera, it will show the correct results again, until firefox/ieare opened and infect it again.
*Hijack This Log:*

Note: 
Firefox is 3.0.5
Opera is 9.61 (10463)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:34 PM, on 12/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ITSD Organizer\Itsd.exe
C:\Documents and Settings\Eli Garcia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\windows\System32\dllhost.exe
C:\Program Files\AllNetic Working Time Tracker\WorkingTimeTracker.exe
C:\Program Files\Alcoda\Spell Magic\SpellMagic.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Program Files\PuTTY\putty.exe
C:\Program Files\TightVNC\vncviewer.exe
C:\Program Files\JGsoft\RegexBuddy\RegexBuddy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\SQLyog Enterprise\SQLyogEnt.exe
C:\Program Files\MySQL\MySQL Workbench 5.0 SE\MySQLWorkbench.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\nusphere\phped\phped.exe
C:\PROGRA~1\nusphere\phped\Debugger\DBGLIS~1.EXE
C:\Program Files\Opera\opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C}- C:\ProgramFiles\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Solid Converter PDF -{259F616C-A300-44F5-B04A-ED001A26C85C} - C:\ProgramFiles\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: NuSphere ToolBar - {0F62D223-9206-4EA3-9EA8-D0F3C7C82ACA} - C:\Program Files\nusphere\phped\NuSphereIEBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKLM\..\Run: [CB Active User] C:\Program Files\Comodo\BackUp\CmdBkStart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ITSD2] "C:\Program Files\Altstone Software\ITSD Organizer 2\itsd2.exe" /n
O4 - HKCU\..\Run: [ITSD] "C:\Program Files\ITSD Organizer\Itsd.exe" /n
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\EliGarcia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"/c
O4 - Startup: AllNetic Working Time Tracker.lnk = C:\Program Files\AllNetic Working Time Tracker\WorkingTimeTracker.exe
O4 - Startup: Spell Magic.lnk = C:\Program Files\Alcoda\Spell Magic\SpellMagic.exe
O4 - Startup: Start Changing Now ....lnk = C:\Program Files\Wallpaper Changer\WallPaper.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: NuSphere PhpED :: Debug this page - res://C:\Program Files\nusphere\phped\NuSphereIEBar.dll/1000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\ProgramFiles\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)-http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208768481867
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)-http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208768445865
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks OnlineEdition Utilities Class v10) -https://accounting.quickbooks.com/c1/v18.166/qboax10.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave FlashObject) -https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = discoverfire.net
O17 - HKLM\Software\..\Telephony: DomainName = discoverfire.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA36C6E4-8E34-4955-887E-BFC432ED885F}: NameServer = 192.168.0.200
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = discoverfire.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - MacrovisionCorporation - C:\Program Files\CommonFiles\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. -C:\Program Files\CommonFiles\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental)(rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft,LLC - C:\ProgramFiles\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: Zip Backup to CD (ZipBackup2CD) - Datahjaelp - C:\Program Files\Datahjaelp\Zip Backup to CD\ZipBackSrv.exe

--
End of file - 9011 bytes

Thanks for any help/ideas!


----------



## SpiralThus (Dec 21, 2008)

Is there any chance somebody will answer this, or is this a deadwood site?


----------



## SpiralThus (Dec 21, 2008)

Nevermind, I found the solution on this page, among others. http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html A search for "firefox hijack 7.7.7.0" in google will turn up a few results. I had the Windows\system32\wdmaud.sys variant.


----------

