Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search Results Hijacked


  • Please log in to reply
11 replies to this topic

#1 VirusHeatEvil

VirusHeatEvil

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:23 PM

Posted 11 January 2009 - 12:57 AM

Hello

I am running WinXP and I use Internet Explorer.
My search results in Google are being hijacked with what appears to be random pages coming up as the result of any search.
I have also recently managed to acquire Virus Heat (again!) but I thought I had removed most of that myself.

Here is the Malawarebytes Anti-malaware log that I just ran in safe mode and then rebooted. This has not/not fixed the problem.

Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 3

11/01/2009 4:38:34 PM
mbam-log-2009-01-11 (16-38-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182027
Time elapsed: 1 hour(s), 15 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP158\A0168999.exe (Trojan.FakeAlert) -> No action taken.

When I rebooted SpyBot Search and Destroy advised me of several registry changes which appeared to be related to my home page.

I do not seem to be able to get rid of this bug.
PC Doctor Finds Nothing at all....

BC AdBot (Login to Remove)

 


#2 VirusHeatEvil

VirusHeatEvil
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:23 PM

Posted 11 January 2009 - 02:26 AM

I also do not seem to be able to run SAS.
Each time the Pc goes into 'sleep' mode SAS freezes in place and will not complete a scan?

Still not having any luck
Ran a search (function1) with smitfradfix in normal mode.. here is the log if it helps

mitFraudFix v2.388

Scan done at 19:53:51.01, Sun 11/01/2009
Run from C:\Documents and Settings\Mark\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Documents and Settings\Mark\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mark


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Mark\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mark\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Mark\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\SYSTEM32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® 82562V-2 10/100 Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2DFAC9DD-4A2B-4C4A-B137-A79E9E270E4C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2DFAC9DD-4A2B-4C4A-B137-A79E9E270E4C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2DFAC9DD-4A2B-4C4A-B137-A79E9E270E4C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by VirusHeatEvil, 11 January 2009 - 03:58 AM.


#3 VirusHeatEvil

VirusHeatEvil
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:23 PM

Posted 12 January 2009 - 03:18 AM

Trying to read other posts and see if I can figure it out. No luck so far :thumbsup:

#4 VirusHeatEvil

VirusHeatEvil
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:23 PM

Posted 12 January 2009 - 04:53 AM

Just guessing now

Found something on here called Avira Rootkit Detection - followed the instructions and it found nothing.
MBAM continues to find nothing
SAS will not do a full run - as soon as the pc goes into sleep more it freezes up

Please help.... anyone....

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:23 AM

Posted 12 January 2009 - 09:07 AM

Have you tried running SAS in "Safe Mode"? If not, please do so.

Also do this. Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 VirusHeatEvil

VirusHeatEvil
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:23 PM

Posted 12 January 2009 - 03:23 PM

As already mentioned I cannot complete a scan of SAS. As soon as the PC goes into sleep mode it freezes up. I will sit here and monitor it in about 11 hours time when I get home from work and run the other scan then too!

Thanks!

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:23 AM

Posted 12 January 2009 - 03:31 PM

...Malawarebytes Anti-malaware log that I just ran in safe mode and then rebooted

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. Unlike SAS, MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM.

Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forgot to check for database updates through the program's interface (preferable way) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 VirusHeatEvil

VirusHeatEvil
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:23 PM

Posted 13 January 2009 - 07:22 AM

Damn this thing is persistent. SAS scan in safe mode found something. I checked it, it was cleaned by SAS and I re-booted as requested and.... IT'S STILL THERE!

Google results are still hijacked....

SAS Scan Results Below

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2009 at 11:11 PM

Application Version : 4.24.1004

Core Rules Database Version : 3707
Trace Rules Database Version: 1682

Scan type : Complete Scan
Total Scan Time : 02:38:33

Memory items scanned : 246
Memory threats detected : 0
Registry items scanned : 5776
Registry threats detected : 0
File items scanned : 131598
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\Mark\Cookies\mark@pornotube[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ads.cnn[2].txt
C:\Documents and Settings\Mark\Cookies\mark@stat.dealtime[2].txt
C:\Documents and Settings\Mark\Cookies\mark@208.122.40[1].txt
C:\Documents and Settings\Mark\Cookies\mark@ads.bleepingcomputer[1].txt

Trojan.Unclassified-Packed/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP158\A0169000.DLL


Forgot to say that the MBAM scan in normal mode conducted before this found nothing at all.
I ran out of time to run the other scan you recomended (my SAS scan took almost three hours to complete) so will do that tomorrow... the quest continues!

Thank you very much for your help so far! So much appreciated!

Edited by VirusHeatEvil, 13 January 2009 - 08:08 AM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:23 AM

Posted 13 January 2009 - 10:38 AM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your log in the thread titled "Post in this thread when you haven't received an answer in five days.".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 VirusHeatEvil

VirusHeatEvil
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:23 PM

Posted 15 January 2009 - 04:55 AM

AVG Found It

And Google is operating as usual.

I still have been unable to complete the Doctor Web scan as I am estimating that it will take well in excess of three hours but I will run it as soon as I can.

As AVG seems to have got it, is there anything else you suggest I run to confirm the system is clean before setting a restore point or should I proceed with the HJT Log?

I don't want to post the HJT Log if you think it is not required as I aware of the tremendous amount of help you guys already provide for free and don't want to waste anyone's time.

Thanks again.. please let me know what you think?

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:23 AM

Posted 15 January 2009 - 06:20 AM

Persistance pays off. Glad to here things are working again.

I did not see evidence of a major infection from any of the scan logs you posted so if there are no more problems you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. When is AUTORUN.INF really an AUTORUN.INF?. For more information on this risk, please read USB-Based Malware Attacks and Please disable Autorun asap!.

I also recommend taking advantage of the Malwarebytes Anti-Malware Protection Module which uses advanced heuristic scanning technology to monitor your system and provide real-time protection. This technology monitors every process and stops malicious processes before they can infect your computer. Enabling the Protection Module feature requires reqistration and purchase of a license key. When a license is purchased, Malwarebytes can also be set to update itself automatically and schedule scans automatically on a daily basis.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 VirusHeatEvil

VirusHeatEvil
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:07:23 PM

Posted 16 January 2009 - 07:13 AM

Has it moved to the next phase???

MBAM is now freezing less than a minute into any attempted scan (although update appears to be working ok). Will try and run SAS is safe mode and everything else I have in the arsenal and let you know...

:thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users