
Google Search Is Hacked


GeraldRoy


I appreciate whatever help I can get on this problem. I have some sort of Malware or Trojan that has hijacked my Google search results, Yahoo search results and Bing search results.

I am running Windows XP Media Center Edition.

I ran Malwarebytes, but it doesn't find anything. I then ran Defogger to disable the CD ROM drivers.

I then ran DDS and saved the log files to my desktop. But then, when I tried to run the random version of GMER, I got a physical dump of memory and a blue screen with an error message. I was forced to restart. I repeated the above procedure again, and again I got the exact same results. I had actually saved the log files prior to the dump. Attach.txt is attached and the contents of dds.txt are listed below:

********************************************************************************************************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Run by HP_Administrator at 12:45:25 on 2011-09-20

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1278 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\WINDOWS\system32\dgdersvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\FsUsbExService.Exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Maxtor\Utils\SyncServices.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\hphmon06.exe

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Citrix\GoToMeeting\723\g2mstart.exe

C:\Program Files\Webroot\Washer\wwDisp.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Citrix\GoToMeeting\723\g2mcomm.exe

C:\Program Files\Citrix\GoToMeeting\723\g2mlauncher.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll

uURLSearchHooks: H - No File

mURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll

mURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll

TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File

TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\723\g2mstart.exe" "/Trigger RunAtLogon"

uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe

uRun: [DropboxUpdate] c:\documents and settings\hp_administrator\application data\dropbox\dropboxupdate\Dropboxupdt32.exe

uRun: [MouseUpdatePolicy] rundll32.exe "c:\documents and settings\all users\application data\MouseUpdatePolicy.dll",DllRegisterServer

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [nwiz] "nwiz.exe" /install

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HPHmon06] c:\windows\system32\hphmon06.exe

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [DropboxUpdate] c:\documents and settings\hp_administrator\application data\dropbox\dropboxupdate\Dropboxupdt32.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{28FFAF14-CC65-467B-8EE0-BFD8FEC87C0F} : DhcpNameServer = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\ocia6tu6.default\

FF - prefs.js: browser.search.selectedEngine - ICQ Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.3.1&q=

FF - prefs.js: network.proxy.ftp - 127.0.0.1

FF - prefs.js: network.proxy.ftp_port - 7212

FF - prefs.js: network.proxy.gopher - 127.0.0.1

FF - prefs.js: network.proxy.gopher_port - 7212

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 53414

FF - prefs.js: network.proxy.socks - 127.0.0.1

FF - prefs.js: network.proxy.socks_port - 7212

FF - prefs.js: network.proxy.ssl - 127.0.0.1

FF - prefs.js: network.proxy.ssl_port - 7212

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\musicnotes\npmusicn.dll

FF - plugin: c:\program files\musicnotes\NPSibelius.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [2010-1-25 9600]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 MpKsl1681409f;MpKsl1681409f;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKsl1681409f.sys [2011-9-19 28752]

R1 MpKsl754e43b3;MpKsl754e43b3;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKsl754e43b3.sys [2011-9-20 28752]

R1 MpKsld1f45300;MpKsld1f45300;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKsld1f45300.sys [2011-9-20 28752]

R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2010-5-25 95568]

R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-7-23 233472]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2011-4-18 31896]

R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-5-25 18136]

R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-7-23 36608]

S1 MpKsl06aded21;MpKsl06aded21;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\mpksl06aded21.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKsl06aded21.sys [?]

S2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2011-9-6 247608]

S2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2011-7-21 618896]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 msdemgr;msdemgr;c:\windows\system32\msdemgr.sys [2010-6-16 2304]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-12-11 14336]

S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-7-23 96488]

S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-7-23 12776]

S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-7-23 121576]

S4 Seagate Sync Service;Seagate Sync Service;c:\program files\seagate\sync\SeaSyncServices.exe [2007-1-18 24120]

.

=============== File Associations ===============

.

JSEFile=NOTEPAD.EXE %1

.txt=

.

=============== Created Last 30 ================

.

2011-09-20 17:38:53 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKsl754e43b3.sys

2011-09-20 14:44:38 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKsld1f45300.sys

2011-09-20 01:12:07 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKsl1681409f.sys

2011-09-20 01:08:20 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKsle98b2be2.sys

2011-09-19 22:46:51 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9d333402-025d-428d-9667-0ebca26954ad}\MpKslf2c3a74b.sys

2011-09-14 14:32:47 -------- d-----w- c:\documents and settings\all users\application data\AVS4YOU

2011-09-14 14:31:19 774144 ----a-w- c:\windows\system32\htmlayout.dll

2011-09-14 14:31:09 -------- d-----w- c:\program files\common files\AVSMedia

2011-09-14 14:30:46 24576 ----a-w- c:\windows\system32\msxml3a.dll

2011-09-14 14:30:46 -------- d-----w- c:\program files\AVS4YOU

2011-09-14 14:19:00 -------- d-----w- c:\program files\Wondershare

2011-09-14 14:07:02 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Temp

2011-09-14 13:31:26 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan

2011-09-14 13:31:21 -------- d-----w- c:\program files\McAfee Security Scan

2011-09-11 12:19:01 -------- d-s---w- C:\ComboFix

2011-09-09 02:04:07 0 ---ha-w- c:\documents and settings\hp_administrator\ksjmehgkpf.tmp

2011-09-08 22:55:44 111104 ----a-w- c:\documents and settings\all users\application data\MouseUpdatePolicy.dll

2011-09-06 13:40:27 -------- d-----w- c:\program files\ICQ6Toolbar

2011-09-06 13:39:17 -------- d-----w- c:\documents and settings\all users\application data\ICQ

2011-09-05 17:04:56 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

2011-08-31 20:10:16 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-08-31 20:10:16 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-08-28 23:56:14 -------- d-----w- c:\program files\omniformat

2011-08-28 23:51:03 59 ----a-w- c:\windows\wpd99.drv

2011-08-28 23:51:03 -------- d-----w- c:\documents and settings\all users\application data\pdf995

2011-08-28 23:51:02 51716 ----a-w- c:\windows\system32\pdf995mon.dll

2011-08-28 23:51:02 249856 ----a-w- c:\windows\system32\pdfmona.dll

2011-08-28 23:49:50 -------- d-----w- c:\program files\pdf995

2011-08-28 23:43:39 -------- d-----w- C:\omniformat

2011-08-28 23:39:00 -------- d-----w- C:\PDFOCR_Output

2011-08-28 23:37:51 -------- d-----w- c:\documents and settings\hp_administrator\application data\YCanPDF

2011-08-28 23:37:02 -------- d-----w- C:\pdfOCR

2011-08-28 23:26:32 -------- d-----w- c:\documents and settings\hp_administrator\application data\Downloaded Installations

.

==================== Find3M ====================

.

2011-09-18 11:42:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 12:46:18.95 ===============

****************************************************************************************************************

attach.txt


Hello GeraldRoy,

Please download MiniToolBox.exe by Farbar, save it to your desktop and run it.

Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed!

Regards,

Georgi

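The "Report FF Proxy Settings" step above reads Firefox's prefs.js, which is exactly where the DDS log's "FF - prefs.js" lines come from. The script below is an added example of that check written in Python; it is not MiniToolBox's code and not something either poster ran. It parses prefs.js lines, reports every network.proxy.* entry together with whether network.proxy.type actually makes it active (0 = no proxy, 1 = manual proxy, 5 = use system settings, the Firefox default), and flags keyword.URL or the homepage when they point somewhere other than an expected search host. The sample prefs.js is constructed from the values in the log above, and the list of expected search hosts is an assumption made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the "FF - prefs.js" lines in the DDS log
# above. It is not a real file from the poster's machine.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "ICQ Search");
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("keyword.URL", "http://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.3.1&q=");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 53414);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 7212);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 7212);
user_pref("network.proxy.type", 0);
user_pref("security.warn_submit_insecure", false);
"""

# user_pref("name", value);  where value is a quoted string, an integer or true/false
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# Hosts the user expects searches to go to. Assumption for this example.
EXPECTED_SEARCH_HOSTS = ("google.com", "bing.com", "yahoo.com")
PROXY_PROTOCOLS = ("http", "ssl", "ftp", "socks", "gopher")


def parse_prefs(text):
    """Parse prefs.js / user.js text into a dict; lines that are not prefs are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[key] = value
    return prefs


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_expected_host(host):
    return any(host == h or host.endswith("." + h) for h in EXPECTED_SEARCH_HOSTS)


def audit_prefs(prefs):
    """Return (pref, note) pairs worth a second look. This is a heuristic, not a verdict."""
    findings = []
    # network.proxy.type: 0 = no proxy, 1 = manual configuration, 5 = system settings (default)
    proxy_type = prefs.get("network.proxy.type", 5)
    for proto in PROXY_PROTOCOLS:
        host = prefs.get("network.proxy." + proto)
        if not host:
            continue
        port = prefs.get("network.proxy.%s_port" % proto)
        state = "ACTIVE" if proxy_type == 1 else "inactive (network.proxy.type=%s)" % proxy_type
        findings.append(("network.proxy." + proto,
                         "proxy %s:%s configured, %s" % (host, port, state)))
    # Address-bar keyword searches and the homepage should land on an expected host.
    for key in ("keyword.URL", "browser.startup.homepage"):
        url = prefs.get(key)
        if isinstance(url, str) and url.startswith("http") and not is_expected_host(host_of(url)):
            findings.append((key, "points at %s" % host_of(url)))
    # Warnings a user rarely turns off by hand.
    for key in ("security.warn_submit_insecure", "security.warn_viewing_mixed"):
        if prefs.get(key) is False:
            findings.append((key, "insecure-submit / mixed-content warning disabled"))
    return findings


if __name__ == "__main__":
    for pref, note in audit_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print("%-32s %s" % (pref, note))
```

Run against the sample, it reports the three loopback proxy entries as configured but inactive, because network.proxy.type is 0, and flags keyword.URL for pointing at search.icq.com while leaving the Google homepage alone. That is the distinction worth keeping in mind when reading the log above: proxy hosts and ports in prefs.js only take effect when network.proxy.type is 1, so a loopback proxy entry on its own does not explain redirected results; a redirected keyword.URL or a changed selectedEngine does, for address-bar searches at least.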

Georgi,

After making the post, I actually started reading some of the other posts on this forum from people who seemed to have had the same problem. I took a chance and replicated some of the suggestions in one of the posts. I first ran DeFogger in order to stop CD terminal emulation. Then I ran ATF-Cleaner, then GooredFix.exe, then TDSSKiller, and the Google redirect vanished. I then ran DeFogger again to reinstate the CD drivers.

I haven't yet done a restart to see if the problem resurfaces but I will shortly and advise you if it does. I thank you and everyone at your forum who make life a little easier on those of us who are less gifted. I can't stress how much I appreciate the help.

Thank you

Gerald


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

