Google Hijack virus


Joined: Oct 19, 2006
Posts: 5

Posted: Thu Oct 19, 2006 1:16 pm    Post subject: Google Hijack virus

I have some kind of virus that has hijacked my Google search results... If I do a search, my results come back normally, but if I click on a link I am taken to a spyware page, such as an eBay search with the search string the same as my original Google search. If I right click and 'copy shortcut' on a search result and paste it into my browser, it works fine.

I've tried RegDoctor, Spybot, Bazooka, and Adware and none of them can find this thing. Searching around online using the IP address I see in the status bar (it always redirects thru the same IP) immediately after clicking a link, I have found only two results on the same problem, but both are on German websites.

Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:16:46 AM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\\agent\mcdetect.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\DOCUME~1\New\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O1 - Hosts: localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1092D692-4298-4206-BF07-CF93C888A1A4}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{245AD227-44C2-4408-A272-D024F6593883}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F8B200F-D1FB-4965-999C-D81AACB1753B}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA1AC90-D1F5-48CD-91E1-D2E84E19A66E}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\..\{1092D692-4298-4206-BF07-CF93C888A1A4}: NameServer =,
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\\Agent\mcupdmgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks in advance.

Joined: Oct 11, 2006
Posts: 27

Location: South Wales

Posted: Fri Oct 20, 2006 11:05 am    Post subject: Re: Google Hijack virus


If you can, download:

AntiVirus = AVG: HERE
Spyware = Ewido: HERE

Update both these products. Do not scan yet.

Re-boot into safe mode and run Ewido. When that's finished, run AVG just to check your machine.

Please let us know how you got on.

Joined: Nov 10, 2006
Posts: 2

Posted: Fri Nov 10, 2006 2:39 pm    Post subject: Re: Google Hijack virus

I seem to have the same thing.

Google search results show up as normal. Then, sometimes, when I click on a search result link, some weird page shows up. Mostly German ones, and often
When I go back and click the same link again, I get the proper page.

Seems like some subtle virus. But which one ...?

Joined: Aug 31, 2004
Posts: 5764

Location: Sydney, Australia

Posted: Fri Nov 10, 2006 3:56 pm    Post subject: Re: Google Hijack virus

If you haven't been able to remove it using normal anti-virus procedures, then you may want to post a log in Lockergnome's HijackThis Logs forum.

Joined: Nov 10, 2006
Posts: 2

Posted: Fri Nov 10, 2006 4:16 pm    Post subject: Re: Google Hijack virus

Thanks for your quick reply!

The thing is - I'm not even sure if it's a virus, a problem with my browser, adware, or some issue on Google's end.

Joined: Jan 27, 2007
Posts: 1

Posted: Sat Jan 27, 2007 6:11 am    Post subject: ditto

I'm having the same issue... I've noticed if I click, fast enough, the back button and the link again it will give me results in English.

With the redirect to every now and then also

Weird problem, any help would be appreciated; this is the only thread I could find on the subject.

This is my 3rd post in 6 years of interneting, so forgive me if I broke the rules.

Joined: Jan 14, 2003
Posts: 5065

Location: UK

Posted: Wed Jan 31, 2007 1:12 pm    Post subject: Re: ditto

Hello danmissi and welcome to Lockergnome!

Please post a Hijack This logfile in our Hijack This forum so our malware experts can have a look at it.

Hijack this forum

Joined: Mar 02, 2007
Posts: 3

Posted: Sat Mar 03, 2007 4:07 am    Post subject: Google Hijack

I had the same problem, and finally figured out how to fix it. What has happened is you've picked up a bad cookie somewhere, which is how the redirect from Google is done. Sorry, but I don't know exactly which cookie it is.

To fix the problem, you either have to delete all your cookies, or set your privacy settings so that no cookies are accepted. To do this, click "Tools" on the Internet Explorer menu bar, then click "Internet Options", then click "Delete Cookies." Or, if you don't want to delete your cookies, click the "Privacy" tab instead, and then change the settings to "Block All Cookies." Hope this helps.

Joined: Jun 01, 2008
Posts: 12

Posted: Sun Jun 01, 2008 12:50 pm    Post subject: Thank god...

I've been having a similar problem on Vista, and have found that by blocking third-party cookies I finally get my search results links working again.

But I have tried clearing out the cookies from within IE and also several spy-ware and adware removal programs and all fail to find this one.

I do not know if I've hit something new but will post in the hijack this forum to see if there is something new...

Joined: Nov 03, 2008
Posts: 1

Posted: Mon Nov 03, 2008 11:52 pm    Post subject: Certainly a Google Hijack...

I had the same thing, too. And I wasn't sure if it was because of the cookies, or if it was a virus or what. Also IE was running slow, so I just cleared EVERYTHING (cookies, cache, temp files), rebooted, then ran a vir scan from two diff scans (AVG & Kaspersky) then rebooted again. It seemed to go away after that, so I'm not sure if it's exactly the same thing or what exactly that I did to get rid of it...

Joined: Dec 07, 2008
Posts: 1

Posted: Mon Dec 08, 2008 3:32 am    Post subject: how to remove Rootkit.Agent


I had the same problem.
I have Malwarebytes' Anti-Malware (freeware or something as I didn't pay for it)
and its quick scan could find the virus.

Here is the webpage:

It put this message in the log:

Files Infected:
C:\WINDOWS\SYSTEM32\sysaudio.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

and also required a restart. After the restart, things got normal again.

I hope that solves the problem for you (if you can find this web page hopefully having access to another non-affected computer environment).

Joined: May 12, 2007
Posts: 2

Posted: Thu Sep 03, 2009 8:16 pm    Post subject:

I had the Google virus before and it came with some computer security program which was fake and asked for money. I used Spyware Doctor to fix the Google virus and all the other mess; although it is paid, it has a 30-day money-back guarantee.

Joined: Jul 30, 2009
Posts: 9

Posted: Tue Sep 15, 2009 9:43 am    Post subject:

Use ComboFix. It solved the same problem for me.


Joined: Oct 21, 2009
Posts: 1

Posted: Wed Oct 21, 2009 5:22 pm    Post subject:

OK, if you really want to fix the spyware without having to format your PC, you need McAfee. This is your only chance of saving your hard drive; otherwise, hate to say this, but you're gonna need to format your IDE HD (hard drive) 0.
Because it is spyware, it is going to be hard to pick out, but the other anti-virus you can try is office scan.
Go to this site, install the software, and then run a full malware and spyware scan; the duration of the scan will depend on the amount of data you have on your HD.

That's all I got for ya, shoot me an email if you need further help....

Till then, PEACE!

Joined: Jan 18, 2010
Posts: 1

Posted: Mon Jan 18, 2010 1:09 pm    Post subject:

I tried Trbear's Hitman 3.5 from CNET. It WORKED !!!!! Thank you Thank you Thank you

Joined: Jan 30, 2010
Posts: 1

Posted: Sat Jan 30, 2010 7:00 pm    Post subject:

I haven't yet found any solution that works. But for those of you in my situation, I have found that if you right-click on the link in the Google search results, then choose "Open in new tab," you'll probably get hijacked the first time. But if you do the same thing again, immediately, you always get sent to the correct address.

Granted, it's a pain in the ass, but it will get you around the problem until you can find a real fix.

Joined: Feb 16, 2010
Posts: 2

Posted: Tue Feb 16, 2010 10:52 pm    Post subject:

I had the same problem & it drove me crazy. I killed the spyware with MalwareBytes & double checked with AVG. After both came up clean my Google search still mis-directed me.

I edited my DNS Host File

and deleted the entries that were taking me to the fake Google site.
(All entries after localhost)
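
The hosts-file check described in the post above, as an added example that is not part of the original thread: it parses hosts-file text and lists every mapping other than localhost, so the entries can be reviewed before anything is deleted. The sample file, its hostnames and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread). 203.0.113.10 is a
# documentation-range address standing in for the unknown redirect server.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # added by something else
0.0.0.0         ads.example.test
127.0.0.1       tracker.example.test
"""

def parse_hosts(text):
    """Return (line_no, ip, names) for every active entry in hosts-file text."""
    entries = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        entries.append((line_no, ip, [name.lower() for name in fields[1:]]))
    return entries

def audit_hosts(text):
    """List every mapping other than localhost -> loopback.

    kind is "sinkhole" when a name points at loopback or 0.0.0.0 (typical of
    blocklists, which only make the name unreachable) and "redirect" when it
    points at any other address (the browser is sent to another server).
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name == "localhost" and ip.is_loopback:
                continue
            findings.append((line_no, name, str(ip), "sinkhole" if local else "redirect"))
    return findings

if __name__ == "__main__":
    # To audit a real machine, read the file instead, e.g. on Windows:
    # open(r"C:\Windows\System32\drivers\etc\hosts", encoding="utf-8", errors="replace").read()
    for line_no, name, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} [{kind}]")
```

Entries reported as "redirect" for a search-engine name are the ones that match the symptom in this thread; "sinkhole" entries are usually left by blocklist tools.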

Joined: Feb 17, 2010
Posts: 2

Posted: Wed Feb 17, 2010 1:08 pm    Post subject:

Arm wrote:
I had the same problem & it drove me crazy. I killed the spyware with MalwareBytes & double checked with AVG. After both came up clean my Google search still mis-directed me.

I edited my DNS Host File

and deleted the entries that were taking me to the fake Google site.
(All entries after localhost)

Worked perfectly for me. Thanks a million!

Joined: Feb 17, 2010
Posts: 2

Posted: Wed Feb 17, 2010 1:16 pm    Post subject:

Sheesh, thought that solved it, but the issue came right back the next time I searched.

Joined: Feb 16, 2010
Posts: 2

Posted: Wed Feb 17, 2010 1:50 pm    Post subject:

eldo500 wrote:
Argh, never mind. Rebooted it and it's forwarding again.

Try flushing the DNS cache.
At a command prompt, type ipconfig /flushdns

It may also be in IE (if you're using that); I reset all the settings.

I used the ping command to see if the issue was in DNS or IE