Google Hijack virus

 
delonghorn



Joined: Oct 19, 2006
Posts: 5



PostPosted: Thu Oct 19, 2006 1:16 pm    Post subject: Google Hijack virus

I have some kind of virus that has hijacked my google search results... If I do a search, my results come back normally, but if I click on a link I am taken to a spyware page, such as an ebay search with the search string the same as my original google search. If I right click and 'copy shortcut' on a search result and paste it into my browser, it works fine.

I've tried RegDoctor, Spybot, Bazooka, and Adware and none of them can find this thing. Searching around online using the IP address I see in the status bar (it always redirects thru the same IP) immediately after clicking a link, I have found only two results on the same problem, but both are on German websites.

Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:16:46 AM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\New\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/EnvivioTVAutomaticInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1092D692-4298-4206-BF07-CF93C888A1A4}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{245AD227-44C2-4408-A272-D024F6593883}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8B200F-D1FB-4965-999C-D81AACB1753B}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA1AC90-D1F5-48CD-91E1-D2E84E19A66E}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CS1\Services\Tcpip\..\{1092D692-4298-4206-BF07-CF93C888A1A4}: NameServer = 85.255.114.9,85.255.112.204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe



Thanks in advance.
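A triage script for a log like the one above, added here as an example (it is not HijackThis's own code and was not posted in this thread): it pulls the O17 NameServer entries, compares each resolver with an owner-supplied allow list, counts how many adapter keys share a given resolver, and lists the R3/O2/O3 entries whose file is gone. The sample log is an excerpt of the post's lines plus one constructed line (the 192.168.1.1 resolver), and the trusted-network list is an assumption to be replaced with the resolvers that belong on the machine.

```python
import ipaddress
import re

# Line shapes as printed by HijackThis v1.99.1, the version used in the post above.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[0-9.,]+)\s*$")
NOFILE_RE = re.compile(r"^(?:R3|O2|O3) - .*\(no file\)\s*$")

# Excerpt of the log above plus one constructed line (the 192.168.1.1 resolver)
# so that the allow-list check has both a passing and a failing case.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1092D692-4298-4206-BF07-CF93C888A1A4}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CS1\Services\Tcpip\..\{1092D692-4298-4206-BF07-CF93C888A1A4}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{245AD227-44C2-4408-A272-D024F6593883}: NameServer = 192.168.1.1
"""

# Resolvers the owner recognises (home router / ISP ranges). An assumption for
# the example: replace with what ipconfig /all shows on a known-clean machine.
TRUSTED_RESOLVERS = ("192.168.0.0/16", "10.0.0.0/8")


def parse_nameservers(log):
    """Map each O17 registry key (one per adapter and control set) to its resolvers."""
    found = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            found[m.group("key")] = [s for s in m.group("servers").split(",") if s]
    return found


def untrusted_nameservers(log, trusted=TRUSTED_RESOLVERS):
    """Resolver addresses on any adapter that fall outside every trusted network."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    bad = set()
    for servers in parse_nameservers(log).values():
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                bad.add(s)  # not even a valid address: worth a look anyway
                continue
            if not any(addr in n for n in nets):
                bad.add(s)
    return sorted(bad)


def adapters_using(log, resolver):
    """How many O17 keys carry this resolver. The same foreign pair on every
    adapter and in the backup control set (CS1) is the pattern in the log above."""
    return sum(1 for servers in parse_nameservers(log).values() if resolver in servers)


def orphaned_hooks(log):
    """R3/O2/O3 entries whose file is missing: leftovers rather than the hijack,
    but clutter that hides real entries, so list them for cleanup."""
    return [line.strip() for line in log.splitlines() if NOFILE_RE.match(line.strip())]
```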
Basherz_MkII



Joined: Oct 11, 2006
Posts: 27

Location: South Wales

PostPosted: Fri Oct 20, 2006 11:05 am    Post subject: Re: Google Hijack virus

Hi

If you can, download:

AntiVirus = AVG: HERE
Spyware = Ewido: HERE

Update both these products. Do not scan yet.

Re-boot into safe mode and run Ewido. When that's finished, run AVG just to check your machine.

Please let us know how you got on.
BigFurryMonster



Joined: Nov 10, 2006
Posts: 2



PostPosted: Fri Nov 10, 2006 2:39 pm    Post subject: Re: Google Hijack virus

I seem to have the same thing.

Google search results show up as normal. Then, sometimes, when I click on a search result link, some weird page shows up. Mostly German ones, and often genealogie.de.
When I go back and click the same link again, I get the proper page.

Seems like some subtle virus. But which one ...?
seaeagle



Joined: Aug 31, 2004
Posts: 5764

Location: Sydney, Australia

PostPosted: Fri Nov 10, 2006 3:56 pm    Post subject: Re: Google Hijack virus

If you haven't been able to remove it using normal anti-virus procedures, then you may want to post a log in Lockergnome's HijackThis Logs forum.
BigFurryMonster



Joined: Nov 10, 2006
Posts: 2



PostPosted: Fri Nov 10, 2006 4:16 pm    Post subject: Re: Google Hijack virus

Thanks for your quick reply!

The thing is - I'm not even sure if it's a virus, a problem with my browser, adware, or some issue on Google's end.
danmissi



Joined: Jan 27, 2007
Posts: 1



PostPosted: Sat Jan 27, 2007 6:11 am    Post subject: ditto

I'm having the same issue... I've noticed if I click, fast enough, the back button and the link again it will give me results in English.

With the redirect to genealogie.de every now and then also.

Weird problem, any help would be appreciated; this is the only thread I could find on the subject.

Thanks,
Dan

This is my 3rd post in 6 years of interneting, so forgive me if I broke the rules.
ZEUS_GB



Joined: Jan 14, 2003
Posts: 5065

Location: UK

PostPosted: Wed Jan 31, 2007 1:12 pm    Post subject: Re: ditto

Hello danmissi and welcome to Lockergnome!

Please post a Hijack This logfile in our Hijack This forum so our malware experts can have a look at it.

Hijack this forum
DoctorBob



Joined: Mar 02, 2007
Posts: 3



PostPosted: Sat Mar 03, 2007 4:07 am    Post subject: Google Hijack

I had the same problem, and finally figured out how to fix it. What has happened is you've picked up a bad cookie somewhere, which is how the redirect from Google is done. Sorry, but I don't know exactly which cookie it is.

To fix the problem, you either have to delete all your cookies, or set your privacy settings so that no cookies are accepted. To do this, click "Tools" on the Internet Explorer menu bar, then click "Internet Options", then click "Delete Cookies." Or, if you don't want to delete your cookies, click the "Privacy" tab instead, and then change the settings to "Block All Cookies." Hope this helps.
DomBray



Joined: Jun 01, 2008
Posts: 12



PostPosted: Sun Jun 01, 2008 12:50 pm    Post subject: Thank god...

I've been having a similar problem on Vista, and have found that by blocking third party cookies I finally get my search results links working again.

But I have tried clearing out the cookies from within IE and also several spy-ware and adware removal programs and all fail to find this one.

I do not know if I've hit something new but will post in the hijack this forum to see if there is something new...
cschwabe



Joined: Nov 03, 2008
Posts: 1



PostPosted: Mon Nov 03, 2008 11:52 pm    Post subject: Certainly a Google Hijack...

I had the same thing, too. And I wasn't sure if it was because of the cookies, or if it was a virus or what. Also IE was running slow, so I just cleared EVERYTHING (cookies, cache, temp files), rebooted, then ran a virus scan with two different scanners (AVG & Kaspersky), then rebooted again. It seemed to go away after that, so I'm not sure if it's exactly the same thing or what exactly I did to get rid of it...
alex_us01



Joined: Dec 07, 2008
Posts: 1



PostPosted: Mon Dec 08, 2008 3:32 am    Post subject: how to remove Rootkit.Agent

Hello,

I had the same problem.
I have Malwarebytes' Anti-Malware (freeware or something as I didn't pay for it)
and its quick scan could find the virus.

Here is the webpage:
http://www.malwarebytes.org/mbam.php

It put this message in the log:

Files Infected:
C:\WINDOWS\SYSTEM32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

and also required a restart. After the restart, things got normal again.

I hope that solves the problem for you (if you can find this web page hopefully having access to another non-affected computer environment).
zhean



Joined: May 12, 2007
Posts: 2



PostPosted: Thu Sep 03, 2009 8:16 pm

I had the Google virus before and it came with some computer security program which was fake and asked for money. I used Spyware Doctor to fix the Google virus and all the other mess; although it is paid, it has a 30 day money back guarantee.
ak24



Joined: Jul 30, 2009
Posts: 9



PostPosted: Tue Sep 15, 2009 9:43 am

Use ComboFix. It solved the same problem for me.
http://www.combofix.org


____________________________________
http://cid-556a72d9038a7868.spaces.live.com
joseboy



Joined: Oct 21, 2009
Posts: 1



PostPosted: Wed Oct 21, 2009 5:22 pm

Ok, if you really want to fix the spyware without having to format your PC, you need McAfee; this is your only chance to save your hard drive, otherwise, hate to say this, but you're gonna need to format your IDE HD (HARD DRIVE) 0.
Because it is spyware, it is going to be hard to pick out, but the other anti-virus you can try is OfficeScan.
Go to this site, install the software, and then run a malware and spyware full scan; the duration of the scan will depend on the amount of data you have on your HD.


http://www.trendmicro.com/download/product.asp?productid=5

That's all I got for ya, shoot me an email if you need further help....

extremecomput RemoveThis @gmail.com

Till then, PEACE!
reedj04



Joined: Jan 18, 2010
Posts: 1



PostPosted: Mon Jan 18, 2010 1:09 pm

I tried Trbear's Hitman 3.5 from CNET. It WORKED !!!!! Thank you Thank you Thank you
wonteach



Joined: Jan 30, 2010
Posts: 1



PostPosted: Sat Jan 30, 2010 7:00 pm

I haven't yet found any solution that works. But for those of you in my situation, I have found that if you right-click on the link in the google search results, then choose "Open in new tab," you'll probably get hijacked the first time. But if you do the same thing again, immediately, you always get sent to the correct address.

Granted, it's a pain in the ass, but it will get you around the problem until you can find a real fix.
Arm



Joined: Feb 16, 2010
Posts: 2



PostPosted: Tue Feb 16, 2010 10:52 pm

I had the same problem & it drove me crazy. I killed the spyware with MalwareBytes & double checked with AVG. After both came up clean my Google search still mis-directed me.

I edited my DNS Host File
C:\windows\system32\drivers\etc\hosts

and deleted the entries that were taking me to the fake Google site.
(All entries after localhost)
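For the hosts-file step Arm describes, an added example that is not from this thread: it parses a hosts file in the Windows format, lists every mapping that is not loopback (Arm's "all entries after localhost" rule) so the owner can review them, and produces the cleaned text. The sample file and its 203.0.113.x addresses are constructed placeholders, not entries copied from anyone's machine.

```python
import ipaddress

# Constructed hosts file in the Windows format: "address hostname [alias ...]"
# per line, '#' starts a comment. The 203.0.113.x addresses are documentation-
# range placeholders standing in for whatever a hijack had written there.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com google.com
203.0.113.7     www.google.de
203.0.113.9     www.mcafee.com   # added by the hijack, not by the owner
"""


def parse_hosts(text):
    """Yield (lineno, address, [names]) for every mapping line; comments and
    blank lines are skipped, malformed lines are left for a human to read."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield n, addr, parts[1:]


def hijack_entries(text):
    """Mappings that do not point at loopback (IPv4 127/8 or IPv6 ::1).
    Returns [(lineno, address, names)] for review before anything is deleted."""
    return [(n, str(a), names) for n, a, names in parse_hosts(text) if not a.is_loopback]


def clean_hosts(text):
    """Return the file with the non-loopback mappings removed; comments and the
    localhost lines are kept. Writing the real file needs an elevated prompt, and
    the cached answers go away only after `ipconfig /flushdns`, as Arm notes."""
    drop = {n for n, _, _ in hijack_entries(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"
```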
eldo500



Joined: Feb 17, 2010
Posts: 2



PostPosted: Wed Feb 17, 2010 1:08 pm

Arm wrote:
I had the same problem & it drove me crazy. I killed the spyware with MalwareBytes & double checked with AVG. After both came up clean my Google search still mis-directed me.

I edited my DNS Host File
C:\windows\system32\drivers\etc\hosts

and deleted the entries that were taking me to the fake Google site.
(All entries after localhost)


Worked perfectly for me. Thanks a million!
eldo500



Joined: Feb 17, 2010
Posts: 2



PostPosted: Wed Feb 17, 2010 1:16 pm

Sheesh, thought that solved it, but the issue came right back the next time I searched.
Arm



Joined: Feb 16, 2010
Posts: 2



PostPosted: Wed Feb 17, 2010 1:50 pm

eldo500 wrote:
Argh, never mind. Rebooted it and it's forwarding again.


Try flushing the DNS cache:
at a command prompt type ipconfig /flushdns

It may also be in IE (if you're using that); I reset all the settings.

I used the ping command to see if the issue was in DNS or IE.