Hijacked Google Results


#1 adambomb
Posted 08 January 2006 - 02:27 PM

Hi there. Sorry to bother. Normally, I'm able to figure out my mal/spy/adware woes on my own, but this one's a doozy. I've had similar malware that completely replaced my Google results with their own results, but this one is different. This one brings up the normal Google results, but when I click on any of the results, it redirects me to a site that shares similar keywords. This only happens 2/3 of the time, though. For instance, if I search for "spyware removal," and click on the first result, I will be redirected. If I click on the first result again, I will be redirected again. Usually to a different site. So I have to click on the result I'm looking for three times before I can actually get there. This affects Yahoo and MSN as well. Other search engines, such as AskJeeves and Altavista, seem unaffected. I don't seem to have any other symptoms, such as popups. It's just this stupid search engine thing. I've swept my computer with AdAware, Microsoft AntiSpyware, SpySweeper, and Spybot multiple times. If anyone can shed some light on this nuisance, I'd be more than grateful. Here's my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:06:43 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{70A46321-A768-4B37-A5C1-3461CBB609A0}: NameServer = 85.255.116.23,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D5EB9A-EA79-4446-A559-69681D18A5AD}: NameServer = 85.255.116.23,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6D731F0-0C8B-411E-896E-61B99CCF2777}: NameServer = 85.255.116.23,85.255.112.166
O17 - HKLM\System\CS1\Services\Tcpip\..\{70A46321-A768-4B37-A5C1-3461CBB609A0}: NameServer = 85.255.116.23,85.255.112.166
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\sdgina.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

#2 adambomb
Posted 09 January 2006 - 12:52 PM

Bump. Still hoping someone can help me with this.

#3 JG427
Posted 16 January 2006 - 10:15 PM

Hi, adambomb.

Sorry for the delay in responding to your post.

You have Microsoft AntiSpyware running on your system. While it's a good program, it may try to block some of the changes made by HijackThis.
Please right click the Microsoft AntiSpyware icon in the system tray and choose shutdown before continuing the fix.

Also shut down SpySweeper by right clicking the system tray icon and choosing exit or shutdown.

Scan with HijackThis and checkmark these lines:

O17 - HKLM\System\CCS\Services\Tcpip\..\{70A46321-A768-4B37-A5C1-3461CBB609A0}: NameServer = 85.255.116.23,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D5EB9A-EA79-4446-A559-69681D18A5AD}: NameServer = 85.255.116.23,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6D731F0-0C8B-411E-896E-61B99CCF2777}: NameServer = 85.255.116.23,85.255.112.166
O17 - HKLM\System\CS1\Services\Tcpip\..\{70A46321-A768-4B37-A5C1-3461CBB609A0}: NameServer = 85.255.116.23,85.255.112.166
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\sdgina.dll (file missing)

Close all browsers and open windows, except HijackThis, and click fix checked.
Exit from HijackThis.

Restart your system.
Scan with HijackThis and post the new log.

Try your searches and see if they are still hijacked.
Any improvement?
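The fix above comes down to two log lines worth triaging: O17 entries that point every interface's NameServer at resolvers the user never configured, and an O20 Winlogon Notify entry whose DLL is already gone. The following is an added example, not code from the thread or from HijackThis, that parses those line types out of a HijackThis log and flags them; the "trusted resolver" range and the extra benign O17 line are constructed assumptions for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: O17/O20 lines taken from the log in this thread, plus one
# benign O17 line (192.168.1.1) added to show a resolver that is NOT flagged.
SAMPLE_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{70A46321-A768-4B37-A5C1-3461CBB609A0}: NameServer = 85.255.116.23,85.255.112.166",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{70A46321-A768-4B37-A5C1-3461CBB609A0}: NameServer = 85.255.116.23,85.255.112.166",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
    r"O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\sdgina.dll (file missing)",
    r"O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll",
]

# Resolvers this network expects its hosts to use (assumption for the example).
TRUSTED_RESOLVERS = [ip_network("192.168.1.0/24")]

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>[\d.,]+)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>[^-]+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def is_trusted(server):
    """True if the resolver IP falls inside an expected resolver range."""
    return any(ip_address(server) in net for net in TRUSTED_RESOLVERS)

def triage(lines):
    """Return (kind, subject, details) findings for suspicious O17/O20 lines."""
    findings = []
    for line in lines:
        m = O17_RE.match(line)
        if m:
            rogue = [s for s in m["servers"].split(",") if not is_trusted(s)]
            if rogue:  # interface's DNS points somewhere we do not recognise
                findings.append(("O17", m["key"], rogue))
            continue
        m = O20_RE.match(line)
        if m and m["missing"]:  # notify package registered but DLL is gone
            findings.append(("O20", m["name"].strip(), [m["path"]]))
    return findings

def rogue_resolvers(lines):
    """Distinct untrusted resolver IPs, useful for egress-filter or DNS-log checks."""
    return {ip for kind, _, ips in triage(lines) if kind == "O17" for ip in ips}

if __name__ == "__main__":
    for kind, subject, details in triage(SAMPLE_LINES):
        print(kind, subject, details)
```

Any resolver this reports should also be checked against outbound DNS traffic after the fix, since a machine that keeps querying it was not fully cleaned.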