Hijacking of search results

Discussion in 'ESET NOD32 Antivirus' started by djackino, Jul 22, 2011.

Thread Status:
Not open for further replies.
  1. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    I am having a problem in IE 8 only when going to a search results page for either Yahoo! or Google. The search results page comes up, but if you attempt to go away from the search page (via a shortcut or the home page button), something is taking control of the browser and jumping to a random (useless) web page. No virus is detected by NOD32 and nothing serious happens other then being annoyed by the useless webpage (such as a bogus search webpage - will provide URLs in a PM). I have not hit the same useless webpage twice.

    A second click to the shortcut or home page works fine.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    Attached as a .txt file (I don't see any other way to send, including a PM to Cudni):

    I looked in IE's add on list and noticed the following:
    Item: Control Name is Not Available
    Name: Network License Config. DLL
    Publisher: Control Name is Not Available

    I disabled this add-on, restarted IE and the problem has gone away... for now.
     
    Last edited by a moderator: Jul 22, 2011
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    I meant for you to submit the report to Eset tech support. I would still use more tool to scan that machine
     
  5. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    Sorry, my bad. I have run Spybot and it found nothing. Should I run
    MalwareBytes as well?
     
  6. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Yes, just in case
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    RKill, HitmanPro, TDSSKiller, MBAM (edit: run in that order starting with rkill)

    usually takes care of everything I've dealt with
     
    Last edited: Jul 22, 2011
  8. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    MBAM found four problems (registry and one rogue file) and cleaned them all up, a reboot was needed to completely clean things. I'll look into the other tools should I continue to have problems.

    Edit: I started running MBAM before Hungry Man's post.

    Thanks for the help!
     
    Last edited: Jul 22, 2011
  9. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    The problem has returned. There appears to be a rootkit that has done the following:
    1. Re-enabled the questionable IE8 add-on described above. I am able to go back into the addons menu and disable it.

    2. Placed audiodrv32.exe and audiodrv32.dll in C:\windows\system32. The files cannot be deleted. I can rename the files, but the rootkit puts the files back in a few minutes. The files have been submitted to ESET for analysis.

    3. Started a process audiodrv32.exe (attempting to End Process does not work, the process comes back immediately)

    I have run ESET scans, Spybot, and the following in order as suggested by
    Hungry Man:
    RKill, HitmanPro, TDSSKiller, MBAM

    Everything reports clean. HitmanPro won't clean anything anyway, the trial period has expired.

    Any additional help is greatly appreciated.
     
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  11. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    I have an account at BleepingComputer and will pursue there. But isn't this something that ESET should be looking into as well?
     
  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    did you contact their tech support?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.