Google Hijack virus

delonghorn · Joined: Oct 19, 2006 Posts: 5

I have some kind of virus that has hijacked my google search results... If I do a search, my results come back normally, but if I click on a link I am taken to a spyware page, such as an ebay search with the search string the same as my original google search. If I right click and 'copy shortcut' on a search result and paste it into my browser, it works fine.

I've tried RegDoctor, Spybot, Bazooka, and Adware and none of them can find this thing. Searching around online using the IP address I see in the status bar (it always redirects thru the same IP) immediately after clicking a link, I have found only two results on the same problem, but both are on German websites.

Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:16:46 AM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\New\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/EnvivioTVAutomaticInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1092D692-4298-4206-BF07-CF93C888A1A4}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{245AD227-44C2-4408-A272-D024F6593883}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8B200F-D1FB-4965-999C-D81AACB1753B}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA1AC90-D1F5-48CD-91E1-D2E84E19A66E}: NameServer = 85.255.114.9,85.255.112.204
O17 - HKLM\System\CS1\Services\Tcpip\..\{1092D692-4298-4206-BF07-CF93C888A1A4}: NameServer = 85.255.114.9,85.255.112.204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks in advance.

Basherz_MkII · Joined: Oct 11, 2006 Posts: 27 Location: South Wales

Hi

If you can, download:

AntiVirus = AVG: HERE
Spyware = Ewido: HERE

Update both these products. Do not scan yet.

Re-boot into safe mode and run Ewido. When thats finished, run AVG just to check your machine.

Please let us know how you got on.

BigFurryMonster · Joined: Nov 10, 2006 Posts: 2

I seem to have the same thing.

Google search results show up as normal. Then, sometimes, when I click on a search result link, some weird page shows up. Mostly German ones, and often genealogie.de.
When I go back and click the same link again, I get the proper page.

Seems like some subtle virus. But which one ...?

seaeagle

If you haven't been able to remove it using normal anti-virus procedures, then you may want to post a log in Lockergnome's HijackThis Logs forum.

BigFurryMonster · Joined: Nov 10, 2006 Posts: 2

Thanks for your quick reply!

The thing is - I'm not even sure if it's a virus, a problem with my browser, adware, or some issue on Google's end.

danmissi · Joined: Jan 27, 2007 Posts: 1

im having the same issue... ive noticed if i click, fast enough, the back button and the link again it will give me results in english.

With the redirect to genealogie.de every now and then also

weird problem, any help would be appreciated, this is the only thread i
could find on the subject.

thanks,
dan

this is my 3rd post in 6 years of interneting so forgive me if i broke the rules

ZEUS_GB · Joined: Jan 14, 2003 Posts: 5061 Location: UK

Hello danmissi and welcome to Lockergnome!

Please post a Hijack This logfile in our Hijack This forum so our malware experts can have a look at it.

Hijack this forum

DoctorBob · Joined: Mar 02, 2007 Posts: 3

I had the same problem, and finally figured out how to fix it. What has happened is you've picked up a bad cookie somewhere, which is how the redirect from Google is done. Sorry, but I don't know exactly which cookie it is.

To fix the problem, you either have to delete all your cookies, or set your privacy settings so that no cookies are accepted. To do this, click "Tools" on the Internet Explorer menu bar, then click "Internet Options", then click "Delete Cookies." Or, if you don't want to delete your cookies, click the "Privacy" tab instead, and then change the settings to "Block All Cookies." Hope this helps.

DomBray · Joined: Jun 01, 2008 Posts: 12

I've been having a similar problem on Vista, and have found that by blovking thrid party cookies I finally get my search results links working again.

But I have tried clearing out the cookies from within IE and also several spy-ware and adware removal programs and all fail to find this one.

I do not know if I've hit something new but will post in the hijack this forum to see if there is something new...

cschwabe · Joined: Nov 03, 2008 Posts: 1

I had the same thing, too. And I wasn't sure if it was because of the cookies, or if it was virus or what. Also IE was running slow, so I just cleared EVERYTHING (cookies, cache, temp files), rebooted, then ran a vir scan from two diff scans (AVG & Kaspersky) then rebooted again. It seemd to go away after that, so I'm not sure if it's exactly the same thing or what exactly that I did to get rid of it...

alex_us01 · Joined: Dec 07, 2008 Posts: 1

Hello,

I had the same problem.
I have Malwarebytes' Anti-Malware (freeware or something as I didn't pay for it)
and its quick scan could find the virus.

Here is the webpage:
http://www.malwarebytes.org/mbam.php

It put this message in the log:

Files Infected:
C:\WINDOWS\SYSTEM32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

and also required a restart. After the restart, things got normal again.

I hope that solves the problem for you (if you can find this web page hopefully having access to another non-affected computer environment).

zhean · Joined: May 12, 2007 Posts: 2

i had google virus before and it came with some computer security program which was fake and asked for money. i used spyware doctor to fix google virus and all the other mess, although it is paid but it has 30 day money back guarantee

ak24 · Joined: Jul 30, 2009 Posts: 5

Use ComboFix. It solved the same problem for me.
http://www.combofix.org

____________________________________
http://cid-556a72d9038a7868.spaces.live.com

joseboy · Joined: Oct 21, 2009 Posts: 1

Ok, if you really want to fix the spyware without having to format you pc, you need Mccaffe, this is your only chance to saving your hard drive, other wise, hate to say this, but your gonna need to format your IDE HD(HARD DRIVE) 0.
because it is spyware, it is going to be hard to pick out, but the other anti-virus you can try is office scan.
go to this site, install the software, and then run a malware and spyware full scan, duration of the scan will depend on the amount of data you have on your HD.

http://www.trendmicro.com/download/product.asp?productid=5

thats all i got for ya, shoot me an email if you need furthur help....

extremecomput DeleteThis @gmail.com

till then, PEACE! Razz