Hijacking of search results

Discussion in 'ESET NOD32 Antivirus' started by djackino, Jul 22, 2011.

Thread Status:
Not open for further replies.
  1. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    I am having a problem in IE 8 only when going to a search results page for either Yahoo! or Google. The search results page comes up, but if you attempt to go away from the search page (via a shortcut or the home page button), something is taking control of the browser and jumping to a random (useless) web page. No virus is detected by NOD32 and nothing serious happens other than being annoyed by the useless webpage (such as a bogus search webpage - will provide URLs in a PM). I have not hit the same useless webpage twice.

    A second click to the shortcut or home page works fine.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    Attached as a .txt file (I don't see any other way to send, including a PM to Cudni):

    I looked in IE's add on list and noticed the following:
    Item: Control Name is Not Available
    Name: Network License Config. DLL
    Publisher: Control Name is Not Available

    I disabled this add-on, restarted IE and the problem has gone away... for now.
     
    Last edited by a moderator: Jul 22, 2011
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    I meant for you to submit the report to Eset tech support. I would still use more tools to scan that machine.
     
  5. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    Sorry, my bad. I have run Spybot and it found nothing. Should I run MalwareBytes as well?
     
  6. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Yes, just in case
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    RKill, HitmanPro, TDSSKiller, MBAM (edit: run in that order starting with rkill)

    usually takes care of everything I've dealt with
     
    Last edited: Jul 22, 2011
  8. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    MBAM found four problems (registry and one rogue file) and cleaned them all up, a reboot was needed to completely clean things. I'll look into the other tools should I continue to have problems.

    Edit: I started running MBAM before Hungry Man's post.

    Thanks for the help!
     
    Last edited: Jul 22, 2011
  9. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    The problem has returned. There appears to be a rootkit that has done the following:
    1. Re-enabled the questionable IE8 add-on described above. I am able to go back into the addons menu and disable it.

    2. Placed audiodrv32.exe and audiodrv32.dll in C:\windows\system32. The files cannot be deleted. I can rename the files, but the rootkit puts the files back in a few minutes. The files have been submitted to ESET for analysis.

    3. Started a process audiodrv32.exe (attempting to End Process does not work, the process comes back immediately)

    I have run ESET scans, Spybot, and the following in order as suggested by Hungry Man: RKill, HitmanPro, TDSSKiller, MBAM

    Everything reports clean. HitmanPro won't clean anything anyway, the trial period has expired.

    Any additional help is greatly appreciated.
     
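    The following is an added triage script, not something posted in this thread or supplied by ESET, that collects read-only evidence for the indicators described in posts 3 and 9: the unnamed IE add-on, the two audiodrv32 files in System32, the process that respawns when killed, and whatever persistence mechanism is putting the files and add-on back. The file names (audiodrv32.exe, audiodrv32.dll) and the add-on name ("Network License Config. DLL") are taken from the poster's reports; everything else is standard Windows registry and WMI locations. It changes nothing on the machine; its output is what a BleepingComputer helper or ESET support would want attached to a ticket.

```powershell
# Added example for triage of the symptoms reported in this thread (not the poster's
# or ESET's code). Run in an elevated PowerShell on the affected machine.
# Assumptions: file/process name audiodrv32.* and add-on name "Network License Config"
# are as reported in the thread; nothing is deleted or modified.

$suspectFiles = @('audiodrv32.exe', 'audiodrv32.dll')   # names from post 9
$suspectAddon = 'Network License Config'                # add-on name from post 3

# 1. Files dropped in System32: record size, timestamps and SHA-256 for submission.
foreach ($name in $suspectFiles) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path -LiteralPath $path) {
        $f    = Get-Item -LiteralPath $path -Force
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        "[FILE] $path size=$($f.Length) created=$($f.CreationTime) sha256=$hash"
    } else {
        "[OK]   $path not present"
    }
}

# 2. The process that comes back after End Process: note its parent PID, which is
#    usually the watchdog (service or second process) that restarts it.
Get-CimInstance Win32_Process -Filter "Name = 'audiodrv32.exe'" | ForEach-Object {
    "[PROC] pid=$($_.ProcessId) ppid=$($_.ParentProcessId) path=$($_.ExecutablePath) cmd=$($_.CommandLine)"
}

# 3. Persistence: services and Run keys whose command line references the files.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'audiodrv32' } | ForEach-Object {
    "[SVC]  $($_.Name) state=$($_.State) start=$($_.StartMode) path=$($_.PathName)"
}

$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'audiodrv32') {
            "[RUN]  $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 4. IE Browser Helper Objects: resolve each registered CLSID to its display name and
#    DLL, and flag the one matching the reported add-on or the dropped DLL.
$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($clsidKey in Get-ChildItem $bhoKey) {
        $clsid     = $clsidKey.PSChildName
        $clsidPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = (Get-ItemProperty -Path $clsidPath -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsidPath\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $flag = if ($name -match $suspectAddon -or $dll -match 'audiodrv32') { '[BHO!]' } else { '[BHO] ' }
        "$flag $clsid name='$name' dll='$dll'"
    }
}
```

    The BHO section reads both the native and the Wow6432Node registry branches, because the 32-bit IE 8 on a 64-bit Windows install registers its add-ons under the latter. An add-on whose CLSID resolves to no name (IE shows "Control Name is Not Available", as in post 3) but whose InprocServer32 points at a DLL in System32 is the entry worth submitting together with the file hashes.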
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  11. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    I have an account at BleepingComputer and will pursue there. But isn't this something that ESET should be looking into as well?
     
  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Did you contact their tech support?
     