Google fake top page?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sunset77, May 6, 2004.

  1. sunset77

    sunset77 Private E-2

    Hi, I've come to your forum with one question that has me stumped. I've already written to Google about a fake Google search results "cover page" that comes up before the actual search results. It takes a few seconds extra to begin with to do the search, irritating... then you see a list of links to stuff related to your search but this is stuff for SALE or else refers you to other search engines. You have to scroll down to get to the list of results pages, showing that you're on page 1 now, and when you select page 2, there's the REAL Google results starting with page 1 of them! I regularly run Adware, Bazooka, and Spybot but this Google glitch doesn't get fixed. Google's reply was that I have adware running and should clean it out. Anyone know what's up with this?
     
  2. alanc

    alanc MajorGeek

    Sounds like you may have been hijacked...

    Make sure you update all your anti-spyware tools to the latest definitions, and here's some good info on spyware:
    http://www.majorgeeks.com/vb/showthread.php?t=25834

    In addition to that what you can do is run HijackThis and post the log here so we can take a look at it.
     
  3. sunset77

    sunset77 Private E-2

    what hijackthis turned up...

    Alanc, as you requested... what do you make of it? The spyware link was good reading and a great resource. Saved it for whenever.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:25:41 PM, on 5/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BQTray.exe
    C:\documents and settings\karen\local settings\temp\jrhckekU6.exe
    C:\documents and settings\karen\local settings\temp\jrhckekU6.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wapisvsu.exe
    C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\America Online 8.0a\waol.exe
    C:\Program Files\America Online 8.0a\shellmon.exe
    C:\DOCUME~1\Karen\LOCALS~1\Temp\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 free6.com #cooklop
    O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [jrhckekU6] C:\documents and settings\karen\local settings\temp\jrhckekU6.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [McAfee Instant Update Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
    O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
    O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.american.edu/activex/AxisCamControl.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37883.2575231481
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
    O17 - HKLM\System\CCS\Services\Tcpip\..\{82F47093-A744-4563-A765-C3E44AEDF93F}: NameServer = 205.188.146.146
     
  4. alanc

    alanc MajorGeek

    OK, first of all download and run this peper trojan uninstaller while online:
    http://www.memorywatcher.com/uninst.exe

    Then reboot, run HijackThis again and fix these lines if they're still there:
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 free6.com #cooklop
    O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop

    O4 - HKLM\..\Run: [jrhckekU6] C:\documents and settings\karen\local settings\temp\jrhckekU6.exe
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe


    Then reboot to Safe Mode, make sure Folder Options > View > 'Show hidden files and folders' is checked and delete the files in those last two lines (if they're still there).

    Then post a new HJT log.
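    What alanc is doing by eye above is a repeatable triage: O1 lines that map well-known domains to a routable address (a blocking tool would use 127.0.0.1 or 0.0.0.0, so a routable IP means someone else is answering for those names), O4 autoruns whose executable lives in a temp directory, and the O17 name server. The script below is an added example written for this page, not HijackThis code and not anything the forum posted; it runs the same checks over lines copied from the logs in this thread. The severity labels, the TEMP_DIRS list and the Finding layout are my own choices.

```python
import re
import ipaddress
from collections import defaultdict, namedtuple

# Lines copied from the HijackThis logs posted in this thread; the rest of each
# log is omitted. This is a test input assembled for the example.
SAMPLE_LOG = r"""
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [jrhckekU6] C:\documents and settings\karen\local settings\temp\jrhckekU6.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{82F47093-A744-4563-A765-C3E44AEDF93F}: NameServer = 205.188.146.146
"""

Finding = namedtuple("Finding", "severity reason evidence")

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
DNS_RE = re.compile(r"NameServer = ([\d.,]+)")
# Directories a legitimate autorun has no business launching from (assumed list).
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temporary internet files\\")


def command_path(command):
    """Pull the executable path out of an O4 command string (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted path with spaces: take everything up to the first ".exe" token.
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage(log_text):
    """Return a list of Finding tuples for the suspicious lines in an HJT log."""
    findings = []
    redirects = defaultdict(list)  # routable IP -> hostnames pointed at it
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2)
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(Finding("high", "hosts entry with unparsable address", line))
                continue
            if not (addr.is_loopback or addr.is_unspecified):
                redirects[ip].append(host)
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            path = command_path(command)
            low = path.lower()
            if any(t in low for t in TEMP_DIRS):
                findings.append(Finding("high", f"autorun '{name}' launches from a temp directory", line))
            elif "\\" not in path:
                findings.append(Finding("info", f"autorun '{name}' is a bare filename resolved via PATH", line))
            continue
        m = DNS_RE.search(line)
        if line.startswith("O17") and m:
            findings.append(Finding("info", f"DNS server set to {m.group(1)}; confirm it is your ISP's", line))
    for ip, hosts in redirects.items():
        # Many domains funnelled to one routable address is the hijack signature.
        sev = "high" if len(hosts) > 1 else "medium"
        findings.append(Finding(sev, f"{len(hosts)} hosts entries redirect to {ip}: {', '.join(hosts)}", "O1"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.evidence}")
```

    Note what a path rule cannot do: `wapisvsu.exe` sits in System32 under an ordinary-looking name, so nothing here flags it. That entry was caught in this thread only because a human recognised the name as unfamiliar, which is why the log still needs a reviewer after the script has cleared the obvious lines.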
     
  5. sunset77

    sunset77 Private E-2

    Did what you said...

    Alanc, we followed all the steps and got exactly ONE Google search before it was back with the fake top page selling other search engines and products... So here's the newest log from Hijack This. See what you make of it. A computer friend is following all this with me and found some connection to a Googlems (also identified as Blow ----something, no irony intended) program running. Where it's coming back in from, I want to find out. Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:55:20 PM, on 5/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\BQTray.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
    C:\DOCUME~1\Karen\LOCALS~1\Temp\hijackthis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [McAfee Instant Update Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
    O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.pconcall.com/tsweb/msrdp.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.american.edu/activex/AxisCamControl.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37883.2575231481
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
     
  6. alanc

    alanc MajorGeek

    This fugger's still there:
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe

    You need to fix that in HJT, boot into safe mode and delete that file.


    Do you have some kind of Land's End shopping software on your system? If not, fix this line too:
    O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab


    That's all I can see in there, maybe someone else will catch something I missed...
     
  7. sunemoonsong

    sunemoonsong Private E-2

    Hi there

    I have been looking for information on the Google Fake front page as well. Some of the information here so far has been very useful. I have downloaded the program 'Hijack This' and have run it. I got rid of everything that it said was dangerous with a few exceptions which are in the ignore list. Now there isn't anything that it says it considers suspicious.

    So I have copied my startup log file and am pasting it here in hopes that someone may be able to read it out and figure out what disease my computer has gotten.

    StartupList report, 5/22/2004, 1:15:27 AM
    StartupList version: 1.52
    Started from : C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE
    --------------------------------------------------
    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv
    --------------------------------------------------
    C:\WINDOWS\WININIT.BAK listing:
    (Created 22/5/2004, 0:40:18)
    [Rename]
    NUL=c:\program files\lycos\sidesearch\sidesearch1311.dll
    NUL=c:\program files\lycos\sidesearch\temp
    NUL=c:\windows\system\sset.exe
    NUL=c:\windows\cookies\steven@7search[2].txt
    NUL=c:\windows\cookies\steven@servedby.advertising[2].txt
    NUL=c:\windows\cookies\steven@ehg-cbot.hitbox[1].txt
    NUL=c:\windows\cookies\steven@ehg-techtarget.hitbox[2].txt
    NUL=c:\windows\cookies\steven@server.iad.liveperson[2].txt
    NUL=c:\windows\cookies\steven@bfast[1].txt
    NUL=c:\windows\cookies\steven@bluestreak[2].txt
    NUL=c:\windows\cookies\steven@questionmarket[1].txt
    NUL=c:\windows\cookies\steven@ttarget.adbureau[1].txt
    NUL=c:\windows\cookies\steven@advertising[1].txt
    NUL=c:\windows\cookies\steven@ads.addynamix[1].txt
    NUL=c:\windows\cookies\steven@0104[1].txt
    NUL=c:\windows\cookies\steven@cgi-bin[1].txt
    NUL=c:\windows\cookies\steven@statcounter[2].txt
    NUL=c:\windows\cookies\steven@realmedia[1].txt
    NUL=c:\windows\cookies\steven@trafficmp[2].txt
    NUL=c:\windows\cookies\steven@ads.specificpop[2].txt
    NUL=c:\windows\cookies\steven@pro-market[2].txt
    NUL=c:\windows\cookies\steven@phg.hitbox[1].txt
    NUL=c:\windows\cookies\steven@hitbox[1].txt
    NUL=c:\windows\cookies\steven@gator[1].txt
    NUL=c:\windows\cookies\steven@qksrv[1].txt
    NUL=c:\windows\cookies\steven@tmpad[1].txt
    NUL=c:\windows\cookies\steven@z1.adserver[2].txt
    NUL=c:\windows\cookies\steven@targetnet[1].txt
    NUL=c:\windows\cookies\steven@valueclick[2].txt
    NUL=c:\windows\cookies\steven@zedo[1].txt
    NUL=c:\windows\cookies\steven@centrport[1].txt
    NUL=c:\windows\cookies\steven@atdmt[1].txt
    NUL=c:\windows\cookies\steven@mediaplex[1].txt
    NUL=c:\windows\cookies\steven@overture[1].txt
    NUL=c:\windows\cookies\steven@fastclick[2].txt
    NUL=c:\windows\cookies\steven@tripod[1].txt
    NUL=c:\windows\cookies\steven@2o7[2].txt
    NUL=c:\windows\cookies\steven@doubleclick[1].txt
    NUL=c:\windows\cookies\steven@edge.ru4[2].txt
    NUL=c:\windows\cookies\steven@tribalfusion[1].txt
    --------------------------------------------------
    C:\AUTOEXEC.BAT listing:
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP
    --------------------------------------------------
    C:\WINDOWS\WINSTART.BAT listing:
    C:\WINDOWS\tmpcpyis.bat
    --------------------------------------------------

    Enumerating Task Scheduler jobs:
    PCHealth Scheduler for Data Collection.job
    --------------------------------------------------
    Enumerating ShellServiceObjectDelayLoad items:
    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL
    --------------------------------------------------
    End of report, 4,327 bytes
    Report generated in 0.149 seconds
    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  8. alanc

    alanc MajorGeek

    Well, sunset77 never did post back to let us know his/her results, so there's no way of knowing if the problem was actually fixed.

    Have you gone thru all the steps listed at this link to get rid of spyware/adware? If not do that.

    If you have not rebooted since you ran HijackThis do so and see if the problem remains.

    I don't see anything suspicious in the info you posted, but it doesn't tell the whole story since it's not the HJT log file, so if you could please:
    Note whatever you've got in the HJT ignorelist and then clear the list.
    If you've got anything disabled in msconfig or another startup manager enable it.
    Run HJT again and post the log here.
     
  9. sunemoonsong

    sunemoonsong Private E-2

    Thank you for your email. I neglected to mention that I have ad aware on this computer and did run it before going to write on the forum. I also installed and ran a program called unist posted by you in an earlier forum, then restarted and ran hijack again. It came up clean.

    So the next thing I did was, following this page, I went into msconfig and re-enabled everything, and then I restarted. Then I got the log you were looking for, and here it is. Incidentally I rechecked Google, and it is still doing the hijack page thing.


    Logfile of HijackThis v1.97.7
    Scan saved at 2:57:51 AM, on 5/22/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\PRPCUI.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\ICQ\ICQ.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
     
  10. sunemoonsong

    sunemoonsong Private E-2

    Oh yes, and the bxxs5.dll, I had tried fixing it before and deleted the actual dll file associated with it. I had some major problems earlier on, and so I fixed most of them; this is the last one.

    Upon restart that above file said it could not load; it was missing the dll.
    victoria
     
  11. Adrynalyne

    Adrynalyne Guest

    Part of your log is missing?
     
  12. Adrynalyne

    Adrynalyne Guest

  13. sunemoonsong

    sunemoonsong Private E-2

    Ok, something strange happened. I couldn't get to the internet, so I went backward in time (with me to the system restore function) and went back a couple days, then I went and I did a restore of all the files that I disabled through Hijack This. I did another log after going through and doing an msconfig, and here is what I have come up with.

    I will be disabling system restore again and so on

    Logfile of HijackThis v1.97.7
    Scan saved at 12:56:32 AM, on 5/23/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM\TABLET.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\WIN86.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PRPCUI.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\WACOM\TABUSERW.EXE
    C:\PROGRAM FILES\ICQ\ICQ.EXE
    C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
    C:\PROGRAM FILES\LINKSYS\WIRELESS-B NOTEBOOK ADAPTER\WPC11CFG.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinInit] Win86.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O4 - Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31bf494b7f8c860f4223/netzip/RdxIE601.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38128.7498958333
     
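As an added illustration (not code from any post in this thread), a small Python parser for the O4 autostart lines of a HijackThis log like the one above: it records each load point and flags commands logged as a bare file name, which a reviewer has to resolve against the search path by hand. The sample lines are copied from the log; the flag is a triage aid, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis O4 lines come in two shapes (both appear in the log above):
#   O4 - HKLM\..\Run: [WinInit] Win86.exe
#   O4 - Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O4_REGISTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.+?)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (.+?) = (.+)$")


@dataclass
class AutostartEntry:
    load_point: str  # e.g. "HKLM\Run" or "Startup"
    name: str        # registry value name or .lnk file name
    command: str     # command line exactly as logged
    bare_name: bool  # executable given without a directory (resolved via the search path)


def executable_of(command: str) -> str:
    """Return the executable part of a logged command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_o4_entries(log_text: str) -> list[AutostartEntry]:
    """Parse every O4 line in a HijackThis log; other lines are ignored."""
    entries: list[AutostartEntry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_REGISTRY.match(line):
            hive, key, name, command = m.groups()
            load_point = f"{hive}\\{key}"
        elif m := O4_STARTUP.match(line):
            name, command = m.groups()
            load_point = "Startup"
        else:
            continue
        exe = executable_of(command)
        bare = "\\" not in exe and ":" not in exe
        entries.append(AutostartEntry(load_point, name, command, bare))
    return entries


def bare_name_entries(entries: list[AutostartEntry]) -> list[AutostartEntry]:
    """Entries whose executable has no path: review these first, they are the hardest to attribute."""
    return [e for e in entries if e.bare_name]


# Constructed sample: seven O4 lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
"""
```

Running `bare_name_entries(parse_o4_entries(SAMPLE_LOG))` returns the SystemTray, WinInit and SchedulingAgent entries; the quoted and full-path commands are left alone.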
  14. Mafia

    Mafia Private E-2

    I FIXED THIS PROBLEM YESTERDAY

    1) Google CWShredder.exe (download)
    2) Empty all temp folders
    a) (c:\doc&set\%userprofile\Local settings\temp)
    b) (c:\doc&set\%userprofile\Local settings\temporary internet files and all subfolders, i.e. content.IEX)
    c) (c:\winnt\temp, c:\windows\temp)
    d) (did I miss any?)
    3) Close all Browsers of all kinds
    4) Run Spybot or Adware 6
    5) REMOVE ALL
    6) Run CWShredder
    7) Reboot (DO NOT OPEN A WEB BROWSER)
    8) Thank me!!

    The problem happens because the FAKE GOOGLE runs a script that reinstalls an infected file every time you open it. CWShredder helps rewrite a certain file (haven't figured out which one) that fakes www.google.com (as well as others).
    Good Luck!
     
  15. Spy-Killer

    Spy-Killer Private E-2

    Managed to finally get rid of this fake Google search. CWShredder crashed while running when it got to Smartsearch, and I had Ad-aware and Spybot run and still had this problem. I found that Windows Media Player was hijacked: the wmplayer.exe file had a newer date and there was now a wmplayer2.exe (probably the original file renamed).

    I restarted in safe mode and deleted this file and also did a search (remember to include hidden & system files in your search) for google in any file names (don't know if I really needed to do this), but when I restarted and ran CWShredder it got past the place it always hung up on and then was able to clear the SearchX hijack and now everything works great.

    Man, this is the worst one I've seen (I'm an IT Administrator and I've seen lots!!). I tried HJT, editing the registry and just about everything else to get rid of this, short of rebuilding the machine!! And now this worked. Hope this helps.
     
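A defender-side check for the pattern Spy-Killer describes, added here as an example and not something anyone in the thread posted: given a directory, it reports every `<name>.exe` that is newer than a sibling `<name>2.exe`, the "original renamed, replacement dropped in" shape seen with wmplayer.exe. The sample directory is constructed in a temp folder, and the `2`-suffix heuristic is an assumption of this example, so treat hits as candidates for a hash or signature check rather than as proof.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed heuristic: a displaced original survives as <name>2.exe beside a newer <name>.exe.
RENAMED_ORIGINAL = re.compile(r"^(.+)2\.exe$", re.IGNORECASE)


def find_swapped_binaries(directory: str) -> list[tuple[str, str]]:
    """Return sorted (replacement, suspected_original) pairs for <name>.exe newer than <name>2.exe."""
    root = Path(directory)
    hits = []
    for candidate in root.iterdir():
        m = RENAMED_ORIGINAL.match(candidate.name)
        if not m:
            continue
        replacement = root / f"{m.group(1)}.exe"
        # Only flag when the non-suffixed file exists and was modified after the '2' copy.
        if replacement.is_file() and replacement.stat().st_mtime > candidate.stat().st_mtime:
            hits.append((replacement.name, candidate.name))
    return sorted(hits)


def build_fixture() -> str:
    """Constructed directory: wmplayer.exe (new) beside wmplayer2.exe (old), a benign
    setup.exe/setup2.exe pair where the '2' file is the newer one, and a lone mplayer2.exe."""
    d = tempfile.mkdtemp(prefix="hijack_demo_")
    now = time.time()
    day = 86400
    layout = {
        "wmplayer.exe": now,             # replaced recently
        "wmplayer2.exe": now - 400 * day,  # looks like the renamed original
        "setup.exe": now - 30 * day,     # '2' sibling is newer here: not the pattern
        "setup2.exe": now,
        "mplayer2.exe": now - 700 * day,  # no mplayer.exe present: nothing to compare
    }
    for name, mtime in layout.items():
        p = Path(d, name)
        p.write_bytes(b"MZ-stub")  # constructed placeholder content, not a real PE
        os.utime(p, (mtime, mtime))
    return d
```

`find_swapped_binaries(build_fixture())` returns only the wmplayer pair; the setup and mplayer2 files show how the check avoids two obvious false positives.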
  16. sunemoonsong

    sunemoonsong Private E-2

    You are a GOD!!!
    To everyone out there, I did try everything too. Followed all the instructions etc. etc. This persisted. I was going to format. (I am a little obsessive about the file system.) However, this worked. I didn't think it was going to because CWShredder didn't really do a whole lot, but I ran it and finished following Mafia's directions, and voila!!!
    I have Google back!
    Thank you Mafia
    Victoria


     
