Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Hijack ?


  • Please log in to reply
1 reply to this topic

#1 cotyledon

cotyledon

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 22 May 2005 - 06:33 PM

If I type in www.google.com or www.google.co.uk I get a page which looks like the 'old style' google home page.

Regardless of what I enter as the search topic I get a list of porn sites.

I have run AVG, Registry Mechanic, Spybot (whilst offline) till two consecutive runs of each show no problems anywhere.

I have de-installed IE and Firefox and Opus and reinstalled them after a re-boot.

A TraceRoute to wherever I'm redirected ends up with a timeout at 194.186.157.229.

It also meanst that I cannot access my GMail - on which I now depend somewhat - and so is, for me, an emergency situation.

Any assistance gratefully received - Thanx.

Logfile of HijackThis v1.99.1
Scan saved at 00:18:53, on 23/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\3Com_DMI\3CDMINIC.EXE
G:\AVG7\avgamsvr.exe
G:\AVG7\avgupsvc.exe
G:\DiskeeperWkt\DkService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\PANASO~1\REMOTE~1\kmentsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TCAUDIAG.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
G:\Adobe\Acrobat7\Distillr\Acrotray.exe
G:\VirtualDrive\VHD\RDTask.exe
G:\VirtualDrive\VDTask.exe
G:\AVG7\avgcc.exe
G:\AVG7\avgemc.exe
G:\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
G:\NetMeter\NetMeter.exe
G:\BlackICE\blackice.exe
G:\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\dllhost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.78 www.google.co.uk
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 213.219.251.79 yahoo.com
O1 - Hosts: 213.219.251.81 astalavista.com
O1 - Hosts: 213.219.251.81 www.astalavista.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Adobe\Acrobat7\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - (no file)
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [DiskeeperSystray] "G:\DiskeeperWkt\DkIcon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "G:\Adobe\Acrobat7\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RAMDrive] "G:\VirtualDrive\VHD\RDTask.exe"
O4 - HKLM\..\Run: [VirtualDrive] "G:\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [AVG7_CC] G:\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] G:\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [G:\NetMeter\NetMeter.exe] G:\NetMeter\NetMeter.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: blackice.exe.lnk = G:\BlackICE\blackice.exe
O4 - Startup: Diskeeper 9 Server Standard Edition Registration.lnk = G:\DiskeeperWkt\ESIRegister.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Status Display.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://G:\Adobe\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\office11\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\office11\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\system32\3Com_DMI\3CDMINIC.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - G:\DiskeeperWkt\DkService.exe
O23 - Service: KME Remote Server - Unknown owner - C:\PROGRA~1\PANASO~1\REMOTE~1\kmentsrv.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

BC AdBot (Login to Remove)

 


m

#2 rstones12

rstones12

    Malware Expert


  • Members
  • 227 posts
  • OFFLINE
  •  
  • Location:Tempe, Arizona
  • Local time:02:04 AM

Posted 23 May 2005 - 03:10 PM

cotyledon,
Welcome to the BC Forums, I will be reviewing your HJT log.
Please read through all the instructions before proceeding:
You may want to print out these instructions for a reference.

Please download hoster from the link below.

http://www.funkytoad.com/download/hoster.zip
Unzip the file and save it to your desktop. Dont run it just yet.

Download CleanUp
Install the program, dont run it yet, we will later.

Scan with HJT and place a checkmark next to the following items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.78 www.google.co.uk
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 213.219.251.79 yahoo.com
O1 - Hosts: 213.219.251.81 astalavista.com
O1 - Hosts: 213.219.251.81 www.astalavista.com

O2 - BHO: (no name) - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - (no file)
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll

O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)

O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)

O4 - HKCU\..\Run: [G:\NetMeter\NetMeter.exe] G:\NetMeter\NetMeter.exe

Close all browsers and open windows except HJT, then click the Fix Checked button.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Go to Start | Control Panel | Add Remove Programs:
Remove the following programs or any variation:
NetMeter

Using Windows Explorer find and remove the following folders/files if present:

G:\NetMeter\ <-- Folder
C:\WINDOWS\shginas.dll <-- File

Go to your desktop and double click on Hoster.exe
  • Then click on "Restore Original Hosts"
  • Close the program when complete.
Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot your system and post back a new HJT log by using Add Reply

Thanks,
rstones12
"Security is a Process not a Product"

Posted Image Version 3.6
Help here is always free, but if you want to donate to help me continue my fight against malware -- Click Here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users