Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Need help getting rid of hijacked search results (Google)

  • This topic is locked This topic is locked
1 reply to this topic

#1 Lantern Spirit

Lantern Spirit

  • Members
  • 2 posts
  • Local time:08:18 PM

Posted 02 February 2009 - 12:58 PM

Hi everyone!

First post here, just found the forum, interesting place :). Anyway, I've been trying to get rid of some kind of malware infection for two days now. No luck at all so far, hopefully you guys can help.

The problem is whenever I do a search using Google, the top couple of hits are always altered to stuff like [searchterm].find.com or [searchterm]best-deals.com etc. The rest of the results seem to be correct though. I'm using Firefox, latest version (3.0.5) and this only affects Google, Altavista for example, seems to work fine.

I've tried doing full system scans with both AdAware2008 And Avira Antivir, both fully updated (after booting into safemode, as I still don't know what I'm up against). I've also done full system scans using SpyBot Search & Destroy and MalwareBytes Anti-Malware. Avira found something potentially harmful, but I strongly suspect alot of the detections it gets are false alarms, anyway I quarantine everything it finds. Apart from that there were a couple of tracking cookies, nothing too exciting. Those has been removed aswell, but Google stills seems to find best-deals.com really interesting.

I've tried everything I can think of and I haven't even figured out whats causing this, so any help or pointers would be very appreciated :step4:.

Here's the DDS.txt log, and I've attached the attach.txt file and a hijackthis log incase you want to take a look at that aswell.

And again, I'd really appreciate any help you can give, going nuts trying to sort this out :thumbup2:


**EDIT** I just did a scan in safemode with Sdfix, no detections, adding that log to the attachments aswell.**


DDS (Ver_09-02-01.01) - NTFSx86
Run by Rikard Palm‚r at 15:51:54,43 on 2009-02-02
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.46.1053.18.2047.1582 [GMT 1:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program\Creative\Shared Files\CTSched.exe
C:\Program\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Delade filer\Logitech\KhalShared\KHALMNPR.EXE
C:\Documents and Settings\Rikard Palmér\Skrivbord\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.spray.se/mail/?ec=1999
uInternet Settings,ProxyOverride = *.local
BHO: Länkhjälp till Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [STYLEXP] c:\program\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [DAEMON Tools Pro Agent] "d:\program\daemon tools pro\DTProAgent.exe"
uRun: [SpybotSD TeaTimer] c:\program\spybot - search & destroy\TeaTimer.exe
mRun: [CTSysVol] c:\program\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [CreativeTaskScheduler] "c:\program\creative\shared files\CTSched.exe" /logon
mRun: [Logitech Hardware Abstraction Layer] "c:\program\delade filer\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [BootSkin Startup Jobs] "c:\program\stardock\wincustomize\bootskin\BootSkin.exe" /StartupJobs
mRun: [COMODO Firewall Pro] "c:\program\comodo\firewall\cfp.exe" -h
mRun: [COMODO Internet Security] "c:\program\comodo\firewall\cfp.exe" -h
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\logite~1.lnk - c:\program\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\program\micros~2\office12\EXCEL.EXE/3000
IE: E&xportera till Microsoft Excel - c:\program\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program\delade~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rikard~1\applic~1\mozilla\firefox\profiles\hb1a4cpw.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.se
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program\download manager\npfpdlm.dll
FF - plugin: c:\program\mozilla firefox\plugins\npzylomgamesplayer.dll

c:\program\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program\avira\antivir personaledition classic\avgio.sys [2008-2-2 11840]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-11-5 101776]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-11-5 31504]
R1 tvtool;tvtool;c:\program\tvtool\TVTOOL.SYS [1996-4-3 5248]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program\avira\antivir personaledition classic\sched.exe [2008-2-2 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program\avira\antivir personaledition classic\avguard.exe [2008-2-2 151297]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program\comodo\firewall\cmdagent.exe [2008-11-5 618232]
R3 avgntflt;avgntflt;c:\program\avira\antivir personaledition classic\avgntflt.sys [2008-2-2 52032]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program\symantec\liveupdate\aluschedulersvc.exe" --> c:\program\symantec\liveupdate\ALUSchedulerSvc.exe [?]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\rikard~1\lokala~1\temp\alsysio.sys --> c:\docume~1\rikard~1\lokala~1\temp\ALSysIO.sys [?]

=============== Created Last 30 ================

2009-02-02 14:16 <DIR> --d----- c:\docume~1\rikard~1\applic~1\Malwarebytes
2009-02-02 14:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-02 14:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 14:16 <DIR> --d----- c:\program\Malwarebytes' Anti-Malware
2009-02-02 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-02 13:58 <DIR> --d----- c:\program\Spybot - Search & Destroy
2009-02-02 13:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-01 21:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-01 18:23 <DIR> --d----- c:\program\Trend Micro
2009-01-17 21:26 <DIR> --d----- c:\program\CCleaner
2009-01-17 18:29 3,532 a------- C:\drmHeader.bin
2009-01-14 17:49 <DIR> --d----- c:\docume~1\rikard~1\applic~1\com.Desktop.FlyCast.7C0C57158F17768D90610B2E569AA275F34D83AB.1
2009-01-14 17:49 <DIR> --d----- c:\program\FlyCast
2009-01-08 21:21 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-08 21:21 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-08 21:21 <DIR> --d----- c:\program\iPod
2009-01-08 21:21 <DIR> --d----- c:\program\iTunes
2009-01-08 21:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-08 21:21 <DIR> --d----- c:\program\Bonjour
2009-01-08 21:19 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-08 21:19 <DIR> --d----- c:\program\delade filer\Apple
2009-01-05 16:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-02-02 15:51 10,223,616 a---h--- c:\documents and settings\rikard palmér\NTUSER.DAT
2009-01-10 22:19 446,368 a------- c:\windows\system32\perfh01D.dat
2009-01-10 22:19 83,934 a------- c:\windows\system32\perfc01D.dat
2009-01-10 18:42 163,712 a------- c:\windows\system32\drivers\vidstub.sys
2008-12-23 21:58 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-11 12:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 01:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-11 01:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-09 03:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-09 03:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-09 03:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-09 03:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-05 10:02 147,192 a------- c:\windows\system32\guard32.dll
2008-12-05 10:02 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2008-12-01 20:08 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-12-01 20:08 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-11-26 01:12 2,072 a------- c:\windows\system32\ealregsnapshot1.reg
2008-11-06 17:37 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-06 17:37 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-06 17:35 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-06 17:35 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-06 17:33 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-11-06 17:33 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-11-06 17:33 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-11-06 17:33 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-11-06 17:33 684,032 a------- c:\windows\system32\DivX.dll
2008-11-06 17:33 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-05 16:11 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-05 14:24 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-03-09 22:52 22,328 a------- c:\docume~1\rikard~1\applic~1\PnkBstrK.sys
2008-01-27 22:49 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-08-03 10:10 16,752 a------- c:\docume~1\rikard~1\applic~1\GDIPFONTCACHEV1.DAT
2006-06-23 07:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2008-08-07 16:10 32,768 a--sh--- c:\windows\temp\cookies\index.dat
2008-08-07 16:10 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-08-07 16:10 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:52:23,12 ===============

Attached Files

Edited by Lantern Spirit, 02 February 2009 - 02:13 PM.

BC AdBot (Login to Remove)


#2 Lantern Spirit

Lantern Spirit
  • Topic Starter

  • Members
  • 2 posts
  • Local time:08:18 PM

Posted 05 February 2009 - 11:26 AM

Hi all

I've managed to figure this out and solve it. I kept researching the symptoms and turns out a DNS-changer had managed to worm (heh, eh..) its way into my system.

So this was caused by a trojan which installed the DNS-changer which in turn redirected my browser traffic. Anyway, my antivirus (Avira) found the file while I was reading up on the thing, and after getting rid of the trojan I used smitfraudfix ( http://www.bleepingcomputer.com/files/smitfraudfix.php ) to flush the DNS settings. After that everything is working peachy, and since every scan I can think of comes out clean I'll just assume that the problem is solved.

I'll add a fairly exhaustive list of symptoms I found, in case anyone stumbles upon this thread and suspects they might've gotten the same thing. But it seems the best way to actually get rid of it may vary alot (different versions of the malware?) so my way of doing it might not work for you.

Here's a list of symptoms, I only had some of these :

Trojan DNSChanger symptoms
* Windows Update redirects you to msn.com.
* Search results in Google, Yahoo, MSN and other redirect you to other non related sites.
* Google/Yahoo/MSN results redirects you via copy-book.com or another fake site.
* Google/Yahoo/MSN has become slower when doing searches.
* Facebook and youtube redirects to different sites.
* “Waiting for…” at the bottom left corner of IE while Google search results were loading. It is caused by the file C:\Windows\system32\wdmaud.sys (reported as Rootkit.Win32.Agent.fwt). The legitimate wdmaud.sys actually exists at C:\Windows\system32\drivers\.
* Any web page loads really slowly.
* System restore function is blocked.
* Vimax pills banner ads are popping up on some sites, include security sites.
* Cannot run msconfig.
* Cannot update antivirus and antispyware programs.
* Trojan affects all browsers (IE7 and Firefox).
* HijackThis shows infection.

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer =,

And to the Bleepingcomputer staff:
thanks anyway guys, you're doing a really good thing helping other users keep their systems running, and for free too. Thanks :thumbup2:


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users