Jump to content

Problem with Google-hijacker


Recommended Posts

Hi,

For the past few days, I've had a problem with some kind of virus or malware (not sure which one?) that hijacks my Google searches and redirects them to other sites. The titles of pages in a Google search are completely different. Additionally, I haven't been able to properly open IE - DEP closes it whenever I attempt to open it - initial searches for this problem said to remove add-ons, which did nothing to fix my problem - so I suspect this might be connected to this other problem (it showed up the next day, while I was using Firefox). I've run four or five different programs with the latest updates (Malwarebytes, Spybot S&D, AdAware, Avira, and made an attempt with Sympatico Security Manager that was just too slow) and nothing has even come up with a virus at all. With the exception of the initial Spybot scan, which came up with a few tracking things but didn't fix the problem, every scan has been shown my computer to be perfectly clean.

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.39

Database version: 2548

Windows 5.1.2600 Service Pack 3

03/08/2009 11:51:22 AM

mbam-log-2009-08-03 (11-51-22).txt

Scan type: Full Scan (C:\|F:\|H:\|K:\|)

Objects scanned: 595851

Time elapsed: 2 hour(s), 38 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:29:00 AM, on 05/08/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

K:\WINDOWS\System32\smss.exe

K:\WINDOWS\system32\winlogon.exe

K:\WINDOWS\system32\services.exe

K:\WINDOWS\system32\lsass.exe

K:\WINDOWS\system32\svchost.exe

K:\WINDOWS\System32\svchost.exe

K:\WINDOWS\system32\svchost.exe

K:\Program Files\Bell\Security Manager\Fws.exe

K:\WINDOWS\system32\spoolsv.exe

K:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

K:\Program Files\Intel\IDU\awServ.exe

K:\Program Files\Bonjour\mDNSResponder.exe

K:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

K:\WINDOWS\eHome\ehRecvr.exe

K:\WINDOWS\eHome\ehSched.exe

K:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

K:\Program Files\Common Files\Motive\McciCMService.exe

K:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

K:\Program Files\Raxco\PerfectDisk\PDAgent.exe

K:\WINDOWS\system32\svchost.exe

K:\Program Files\Bell\Access Manager\app\TangoService.exe

K:\Program Files\Personal Vault\VaultClientUpgrade.exe

K:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

K:\WINDOWS\system32\SearchIndexer.exe

K:\WINDOWS\system32\dllhost.exe

K:\Program Files\Raxco\PerfectDisk\PDEngine.exe

K:\Program Files\Bell\Security Manager\rpsupdaterR.exe

K:\Program Files\Avira\AntiVir Desktop\avguard.exe

K:\Program Files\Avira\AntiVir Desktop\sched.exe

K:\WINDOWS\system32\winlogon.exe

K:\WINDOWS\Explorer.EXE

K:\Program Files\Bell\Sympatico Security Advisor\SSA.exe

K:\Program Files\BellCanada\McciTrayApp.exe

K:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

K:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

K:\Program Files\Avira\AntiVir Desktop\avgnt.exe

K:\WINDOWS\system32\ctfmon.exe

K:\Program Files\Skype\Phone\Skype.exe

K:\Program Files\Mozilla Firefox\firefox.exe

K:\WINDOWS\system32\NOTEPAD.EXE

K:\WINDOWS\system32\SearchProtocolHost.exe

K:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com/?fr=fp-yie8

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/?fr=fp-yie8

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://downloads.yahoo.com/ca/internetexplorer/welcome

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - K:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - K:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - K:\Program Files\Bell\Security Manager\pkR.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - K:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - K:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - K:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - K:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [QuickTime Task] "K:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sSA.exe] "K:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN

O4 - HKLM\..\Run: [bellCanada_McciTrayApp] K:\Program Files\BellCanada\McciTrayApp.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "K:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [blackBerryAutoUpdate] K:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [avgnt] "K:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [Aim6] "K:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AdobeUpdater] "K:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "K:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-21-776561741-1035525444-725345543-1003\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe (User 'Karl')

O4 - HKUS\S-1-5-21-776561741-1035525444-725345543-1003\..\Run: [search Protection] K:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User 'Karl')

O4 - HKUS\S-1-5-21-776561741-1035525444-725345543-1003\..\Run: [YSearchProtection] K:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User 'Karl')

O4 - HKUS\S-1-5-21-776561741-1035525444-725345543-1003\..\RunOnce: [indexCleaner] "K:\Program Files\Bell\Security Manager\IdxClnR.exe" (User 'Karl')

O4 - Global Startup: Desktop Manager.lnk = K:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - K:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - K:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - K:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://pbctbc.bc.motive.com

O15 - Trusted Zone: http://pbctbcivr.bc.motive.com

O15 - Trusted Zone: http://fix.sympatico.ca

O15 - Trusted Zone: http://rc.sympatico.ca

O15 - Trusted Zone: http://rcfr.sympatico.ca

O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://www.thelandscapes.ca/webcam/VatDec.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - K:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab

O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164318165828

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326

O20 - Winlogon Notify: Winlogon - K:\WINDOWS\SYSTEM32\winmm64.dll

O21 - SSODL: WinCheck - {EAD8F454-EC03-4B47-A5B7-6534DA513FA5} - winmm64.dll (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - K:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - K:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - K:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - K:\Program Files\Intel\IDU\awServ.exe

O23 - Service: Bonjour Service - Apple Inc. - K:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - K:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: Google Software Updater (gusvc) - Google - K:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - K:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - K:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - K:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: McciCMService - Motive Communications, Inc. - K:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: PDAgent - Raxco Software, Inc. - K:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - K:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: Pml Driver HPH11 - HP - K:\WINDOWS\system32\HPHipm11.exe

O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - K:\Program Files\Bell\Security Manager\RpsSecurityAware.exe

O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - K:\Program Files\Bell\Security Manager\rpsupdaterR.exe

O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - K:\Program Files\Bell\Security Manager\Fws.exe

O23 - Service: Tango Service (TangoService) - Unknown owner - K:\Program Files\Bell\Access Manager\app\TangoService.exe

O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - K:\Program Files\Personal Vault\VaultClientUpgrade.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - K:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--

End of file - 12155 bytes

Thank you for your help. =) Is there any further information about the problem I need to include?

Link to post
Share on other sites

  • Staff

Hi,

First of all, please update MalwareBytes, because the databaseversion is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.