Who stole my Google???

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by clemmo, Jan 12, 2004.

  1. clemmo

    clemmo Private E-2

    The strangest thing happened on my way to Google ... something else popped up. A web site that offers "today's hot searches" showing a range of sites from online gambling to hotel reservation desks. What gives? I'm working with Microsoft XP. How do I get my google back?
    Thanks.
     
  2. Kodo

    Kodo SNATCHSQUATCH

  3. clemmo

    clemmo Private E-2

    Thanx for the info Kodo. I downloaded the Registry Mechanic but it did nothing to correct what is hijacking my Google and now my Yahoo Home page. After downloading HijackThis it listed a sizeable number of programs that might be the culprit HOWEVER the warning clearly stated that I should get someone who knows what's what to decipher the cause and not just delete everything. Deleting everything might do more harm than good. Sooooo with that I submit the following as it was listed. Hopefully you can tell me what to heave out and what to keep. I know this is a lot to ask but I have no choice but to defer to your expertise. Again, many thanks for your help in this matter.
    The list:
    Logfile of HijackThis v1.97.7
    Scan saved at 6:44:43 AM, on 1/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\msrexe.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\SVCHOST.EXE
    C:\program files\GlobalDialer\domer00014\gd-dial.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Clement Schubert\Local Settings\Temporary Internet Files\Content.IE5\4XGF4FS7\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.search-dot.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-dot.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-dot.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-dot.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-dot.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search-dot.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.search-2003.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-dot.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-dot.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/indexb.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    O1 - Hosts: 66.98.142.143 auto.search.msn.com
    O1 - Hosts: 66.98.142.143 search.msn.com
    O1 - Hosts: 66.98.142.143 msn.com
    O1 - Hosts: 66.98.142.143 www.msn.com
    O1 - Hosts: 66.98.142.143 yahoo.com
    O1 - Hosts: 66.98.142.143 www.yahoo.com
    O1 - Hosts: 66.98.142.143 google.com
    O1 - Hosts: 66.98.142.143 www.google.com
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Clement Schubert\Application Data\winlink\winlink.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
    O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\Fonts\fonts.hta
    O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00014\gd-dial.exe -remove
    O4 - HKCU\..\Run: [TWKUMSFLQBO] C:\WINDOWS\PUNOTAPREQ.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: winlogon.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O13 - WWW. Prefix: http://ehttp.cc/?
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
     
  4. Kodo

    Kodo SNATCHSQUATCH

    all the R1's and R0's except for the R1 that has dell.com in it can be "fixed".. that's what's taking over your browser.
     
  5. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Umm, the O1 Hosts file?
    (Just passing by. Not trying to butt in.)

    ...Ww
     
  6. Kodo

    Kodo SNATCHSQUATCH

    no no.. you're right wiz.. I didn't see the hosts part.. Dump them too, they are redirecting you.

    while you're at it.. after you clean up go to this directory..

    C:\windows\system32\drivers\etc

    find your hosts file (it won't have an extension) and make the file read only. this way nothing else can modify it and you'll know it when something tries to do it.
     
  7. alanc

    alanc MajorGeek

    Also not trying to butt in here but...

    To add to what has already been pointed out, these 2 lines

    C:\WINDOWS\SVCHOST.EXE
    O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE

    indicate that you may be infected with the Backdoor.Tofger trojan.

    Info and removal instructions:

    http://www.symantec.com/avcenter/venc/data/backdoor.tofger.html


    [edit] Spotted another nasty, this line

    C:\WINDOWS\System32\msrexe.exe

    indicates Backdoor.Jeem

    Info here:

    http://www.symantec.com.mx/avcenter/venc/data/backdoor.jeem.html

    Do you have the latest virus definitions for your McAfee AV, and if so, have you run a scan recently?


    Also, this line appears to be related to your browser hijack issue

    O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\Fonts\fonts.hta

    This line looks suspicious

    O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs

    And this one is probably spyware or related to one of the trojans

    O4 - HKCU\..\Run: [TWKUMSFLQBO] C:\WINDOWS\PUNOTAPREQ.exe
     
    Last edited: Jan 13, 2004
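    The checks Kodo and alanc apply by eye above (hosts entries that send search sites to a remote address, R0/R1 browser settings pointing at unknown domains, and Run entries that launch a "svchost.exe" from the wrong directory or an .hta/.vbs script) can be written down as a small log triage script. The following Python is an added example, not something posted in this thread or part of HijackThis itself; the sample log is a constructed excerpt modelled on the lines quoted above, and the TRUSTED_DOMAINS allowlist is an assumption about what a clean Dell/IE install plus the poster's chosen home page would reference.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, modelled on the log posted in this thread.
# It mixes known-good lines (Dell, NVIDIA, localhost) with the hijack lines the thread discusses.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
O1 - Hosts: 66.98.142.143 www.google.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\Fonts\fonts.hta
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
"""

# Assumed allowlist: domains a clean IE install on a Dell box (plus the poster's own
# chosen home page) would legitimately reference in R0/R1 entries.
TRUSTED_DOMAINS = {"msn.com", "microsoft.com", "dell.com", "google.com", "refdesk.com"}
# Core Windows binaries that only ever run from %SystemRoot%\system32.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}
# Script-host file types that have no business as a raw Run entry on a home PC.
SCRIPT_EXTENSIONS = {"hta", "vbs", "js", "wsf", "bat", "cmd"}

R_LINE = re.compile(r"^R[0-3] - (.+?)\s*=\s*(\S+)$")
O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_LINE = re.compile(r"^O4 - .*?\[[^\]]*\]\s*(.*)$")
# First executable token of a Run value: a quoted path, or an unquoted path ending in a
# known executable extension (stops before any arguments).
EXE_TOKEN = re.compile(
    r'"([^"]+)"|(.+?\.(?:exe|com|scr|pif|dll|hta|vbs|js|wsf|bat|cmd))(?=[\s,]|$)', re.I
)


def domain_is_trusted(hostname):
    """True if hostname is one of TRUSTED_DOMAINS or a subdomain of one."""
    host = (hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_r_line(key, url):
    """Flag an R0/R1 browser setting whose URL host is not on the allowlist."""
    host = urlparse(url).hostname
    if not domain_is_trusted(host):
        return f"browser setting '{key}' points at untrusted host {host}"
    return None


def check_hosts_line(ip, name):
    """Flag a hosts entry that maps a name to anything other than loopback/unspecified."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return f"hosts entry for {name} has a malformed address {ip!r}"
    if addr.is_loopback or addr.is_unspecified:
        return None  # 127.0.0.1 / 0.0.0.0 entries are the normal shape of a hosts file
    return f"hosts entry sends {name} to remote address {ip}"


def check_run_entry(value):
    """Flag Run entries that launch a script file or a system binary from the wrong place."""
    m = EXE_TOKEN.match(value.strip())
    if not m:
        return None
    path = (m.group(1) or m.group(2)).replace("/", "\\")
    name = path.rsplit("\\", 1)[-1].lower()
    directory = path[: len(path) - len(name)].rstrip("\\").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in SCRIPT_EXTENSIONS:
        return f"Run entry launches a script-host file {path}"
    if name in SYSTEM_BINARIES and not directory.endswith("\\system32"):
        return f"Run entry launches {name} from {directory or '(no directory)'} instead of system32"
    return None


def scan_log(text):
    """Return a list of (line, reason) for every log line that trips one of the checks."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        reason = None
        if m := R_LINE.match(line):
            reason = check_r_line(*m.groups())
        elif m := O1_LINE.match(line):
            reason = check_hosts_line(*m.groups())
        elif m := O4_LINE.match(line):
            reason = check_run_entry(m.group(1))
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in scan_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

    Run against the sample it reports the windowws.cc search hijack, the google.com hosts redirect, the svchost.exe running from C:\WINDOWS rather than system32, and the two script-host Run entries, while leaving the Dell, refdesk.com, NVIDIA and localhost lines alone. The hosts check deliberately treats any non-loopback mapping as a finding rather than matching a list of search engines, since a home hosts file normally contains nothing but 127.0.0.1 entries.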
  8. clemmo

    clemmo Private E-2

    Gentlemen,
    Many thanks for your assistance on this problem. I do have some questions related to your help. Kodo, you suggested I should go to "C:\windows\system32\drivers\etc find your hosts file (it won't have an extension) and make the file read only. this way nothing else can modify it and you'll know it when something tries to do it."
    I'm afraid that bit has thrown me for a loop. I can't seem to find it among what was listed.
    After cleaning up this directory I'm noticing something I never encountered before, and that is my homepage refdesk.com will appear and shortly afterwards the following notice appears: "Internet Explorer cannot open site http://refdesk.com/ operation aborted." I reentered the site from my desktop IE icon and same thing. After the third attempt it came up and stayed. What gives with that?
    Again, many thanks for all your help.
     
  9. Kodo

    Kodo SNATCHSQUATCH

    do a search for HOSTS on your PC.. and then follow the rest of the directions I gave you. Also, follow alanc's advice and scan for nasties. If you don't have an updated AV then head here.. http://housecall.antivirus.com and run the online scan.
     
  10. clemmo

    clemmo Private E-2

    Just wanted to update you guys and thank you again for all your help. I went to Merijn's site and downloaded his StartupList and the following is the report. I don't know what to make of it and I thought if there were any problems you would spot them in a flash. Lemme know. Thanks:


    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\program files\GlobalDialer\domer00014\gd-dial.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
     
