
Google Search and GMail not working


clam


Hello,

My computer was infected with 'Security Tool' about a week ago. I followed manual instructions to remove it and everything seems to be working except Google Search and GMail. Search returns a blank page and GMail says page cannot be displayed - so I think there is something that I must have missed. I have run Malwarebytes Anti-Malware, and scanned with the latest AVG version. I am also attaching the dds.txt and attach.txt logs but was not able to run GMER (system kept freezing).

Thank you for any help and suggestions that you can offer!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:59:53 AM, on 12/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\iWin Games\iWinTrusted.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe

C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ewtn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: 78.159.110.59 www.google.com

O1 - Hosts: 78.159.110.59 www.google.de

O1 - Hosts: 78.159.110.59 www.google.fr

O1 - Hosts: 78.159.110.59 www.google.co.uk

O1 - Hosts: 78.159.110.59 www.google.com.br

O1 - Hosts: 78.159.110.59 www.google.it

O1 - Hosts: 78.159.110.59 www.google.es

O1 - Hosts: 78.159.110.59 www.google.co.jp

O1 - Hosts: 78.159.110.59 www.google.com.mx

O1 - Hosts: 78.159.110.59 www.google.ca

O1 - Hosts: 78.159.110.59 www.google.com.au

O1 - Hosts: 78.159.110.59 www.google.nl

O1 - Hosts: 78.159.110.59 www.google.co.za

O1 - Hosts: 78.159.110.59 www.google.be

O1 - Hosts: 78.159.110.59 www.google.gr

O1 - Hosts: 78.159.110.59 www.google.at

O1 - Hosts: 78.159.110.59 www.google.se

O1 - Hosts: 78.159.110.59 www.google.ch

O1 - Hosts: 78.159.110.59 www.google.pt

O1 - Hosts: 78.159.110.59 www.google.dk

O1 - Hosts: 78.159.110.59 www.google.fi

O1 - Hosts: 78.159.110.59 www.google.ie

O1 - Hosts: 78.159.110.59 www.google.no

O1 - Hosts: 78.159.110.59 search.yahoo.com

O1 - Hosts: 78.159.110.59 us.search.yahoo.com

O1 - Hosts: 78.159.110.59 uk.search.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} -

C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -

C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

O3 - Toolbar: eGames Toolbar - {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} -

C:\PROGRA~1\EGAMES~1\EGAMES~1.DLL

O3 - Toolbar: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Program

Files\MyPlayCity\tbMyP1.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common

Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch

Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe

/logon

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [Arucer] rundll32 C:\WINDOWS\system32\Arucer.dll,Arucer

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio

Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [EPSON Stylus Photo RX595 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE /FU

"C:\DOCUME~1\Parents\LOCALS~1\Temp\E_SE.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common

Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKCU\..\Run: [Parents] C:\Documents and Settings\Parents\Parents.exe /i

O4 - HKCU\..\RunOnce: [shockwave Updater]

C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; YPC 3.2.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727;

.NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR

3.5.30729)" -"http://www.miniclip.com/games/down-hill-chill/en/"

O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org

2.4\program\quickstart.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common

Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw -

res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm

O9 - Extra button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} -

C:\Program Files\Upromise\upromisetoolbar.dll

O9 - Extra 'Tools' menuitem: Upromise TurboSaver -

{06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program

Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) -

http://www.auctiva.com/Aurigma/ImageUploader57.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/windowsupd...web_site.cab?11

98379050285

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.microsoft.com/microsoftu...uweb_site.cab?1

198380399500

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) -

http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program

Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

Files\AVG\AVG8\avgpp.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. -

C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. -

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON

CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3

SSRP\E_S40RP7.EXE

O23 - Service: Google Update Service (gupdate1ca17a6d78901ee) (gupdate1ca17a6d78901ee) -

Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program

Files\Maxtor\Sync\SyncServices.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA

Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common

Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common

Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home

9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home

9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program

Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio

Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program

Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 13480 bytes

Attach.txt

DDS.txt


  • Staff

Hi,

The current formatting of your log makes it difficult to read, so in Notepad:

On top, click Format > uncheck Word Wrap

Anyway, * Download: HostsXpert

Unzip hoster to its own folder, e.g. C:\HostsXpert

Start HostsExpert.exe, click 'Restore MS Hosts file' and click OK.

Post a new HijackThis log in your next reply.

Also, if you're having problems with HostsXpert and it gives an error, please let me know.
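
The `O1 - Hosts:` lines in the posted log show what a hijacked hosts file looks like: many public search hostnames pinned to one non-loopback address. As an added example (not from the original posts, and not part of HijackThis or HostsXpert), this Python script parses either a hosts file or HijackThis O1 lines and groups the overrides by target address; the function names, the threshold of 3 and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# HijackThis prefixes hosts-file entries with "O1 - Hosts:"; strip it if present.
O1_PREFIX = re.compile(r"^O1\s*-\s*Hosts:\s*", re.IGNORECASE)

# Constructed sample: hosts-file lines mixed with HijackThis-style lines.
SAMPLE = """\
# constructed sample, not taken from a real machine
127.0.0.1       localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.7 www.google.com
O1 - Hosts: 203.0.113.7 www.google.co.uk
O1 - Hosts: 203.0.113.7 search.yahoo.com
O1 - Hosts: 0.0.0.0 ads.example.net
192.0.2.10      intranet.example.org   # single local override
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

def parse_hosts_entries(text):
    """Yield (ip, hostname) from hosts-file text or HijackThis O1 lines."""
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.strip())
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # some other log section, not a hosts entry
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def find_redirects(text, bulk_threshold=3):
    """Group hostname overrides by target address and grade each group."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts_entries(text):
        # Loopback/0.0.0.0 targets are the usual blocklist idiom, and
        # single-label names such as "localhost" are expected entries.
        if ip.is_loopback or ip.is_unspecified or "." not in name:
            continue
        by_ip[str(ip)].add(name)
    return {
        ip: {
            "names": sorted(names),
            # Many public names pinned to one address is the hijack pattern.
            "verdict": "bulk-redirect" if len(names) >= bulk_threshold else "review",
        }
        for ip, names in by_ip.items()
    }

if __name__ == "__main__":
    for ip, info in find_redirects(SAMPLE).items():
        print(ip, info["verdict"], ", ".join(info["names"]))
```

A "review" verdict only means a dotted hostname is overridden locally; legitimate intranet overrides land there too, so it is a prompt to check the entry rather than proof of tampering.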


Thank you, that seemed to fix the problem!

And sorry about the double post - when I went to check up on my original, I could not locate it for some reason so I thought maybe I had stopped short of actually posting it - not sure why I could not find it.

I really appreciate the help!


Hi,

Can you post a new HijackThis log as well? Because there may still be some leftovers present here (but since word wrap was enabled, it made the log harder to read).

I'm new to all of this, so please bear with me... I'm having the same problem with accessing Google. I downloaded HostsXpert, but when I click 'Restore MS Hosts file', I get an error message that says "Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts". I'm stuck...any suggestions as to what to do next? Please keep in mind that I am not very tech savvy.

Thanks!


  • Staff

Hi LJS123,

You have posted in someone else's thread, which makes it extra confusing, but since this isn't a difficult case to solve, please follow the next steps.

Open Malwarebytes > More Tools tab > FileAssassin > Click Run Tool

Then an Explorer window will open.

Copy and paste the following into the field under File name:

C:\WINDOWS\system32\drivers\etc\hosts

Then click Open next to it.

You should see this image:

fa.gif

Click Yes there.

FileAssassin will then delete the hosts file.

To recreate it (default hosts file), start HostsXpert again.

It will give a warning that the hosts file doesn't exist and tell you to press OK to create the hosts file.

Click OK there.

I can't thank you enough! It worked for me. Do you know how I can prevent this from happening in the future?

Sorry about the confusion!!! As I said, I'm new to this sort of forum and didn't realize I was posting on someone else's thread.


  • Staff

Good to hear. To prevent this:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

This topic is now closed to further replies.