Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Google 404 error and google search results hijacked

Post by anamarin » December 5th, 2010, 9:49 pm

I'm a real novice with this stuff and have been researching as best possible to get rid of a problem. I can't logon to google.com without getting an error 404 page not found message. And when I try and click on items that I've searched, I get redirected to Viagra and all sorts of other rubbish. Another thing that happens is sometimes when I go to google.com, it asks if I'm human and asks me to punch in the letters that appear. So overall, google.com is very inefficient at the moment and also my links from search results are being hijacked.

I took Google's advice, did a malware scan and nothing suspicious was detected. It then said to try HijackThis as the next option, which I did. I have a log and uninstall list which I've attached below. If somebody could help me out with a solution to this very inconvenient problem, it'd be much appreciated :)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:39:40 PM, on 6/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25573
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [EPSON TX120 NX120 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIGGP.EXE /FU "C:\Windows\TEMP\E_S2F1B.tmp" /EF "HKCU"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/ph ... den-au.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ABBYY FineReader 9.0 Sprint Licensing Service (ABBYY.Licensing.FineReader.Sprint.9.0) - ABBYY - C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: EpsonCustomerResearchParticipation - SEIKO EPSON CORPORATION - C:\Program Files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1ca562719966b7a) (gupdate1ca562719966b7a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10831 bytes


2007 Microsoft Office system
ABBYY FineReader 9.0 Sprint
ABBYY FineReader 9.0 Sprint
Acrobat.com
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
Business Contact Manager for Outlook 2007 SP2
Business Contact Manager for Outlook 2007 SP2
Camera Assistant Software for Toshiba
CD/DVD Drive Acoustic Silencer
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
CleanUp!
DVD MovieFactory for TOSHIBA
Epson Customer Research Participation
Epson Easy Photo Print 2
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser)
Epson Event Manager
EPSON Scan
EPSON TX120 NX120 Series Manual
EPSON TX120 NX120 Series Printer Uninstall
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
Google Chrome
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
IP Confidentiality Agreement Generator
Java(TM) 6 Update 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Norton Internet Security
OGA Notifier 2.0.0048.0
Picasa 2
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Skype Toolbars
Skype™ 4.2
Spelling Dictionaries Support For Adobe Reader 9
Synaptics Pointing Device Driver
Tax Withheld Calculator
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
anamarin
Regular Member
 
Posts: 16
Joined: December 5th, 2010, 7:41 pm

Re: Google 404 error and google search results hijacked

Post by askey127 » December 9th, 2010, 8:32 am

Hi anamarin,

Sorry for the delay.
If you still need help and are not receiving it elsewhere, please proceed as follows:

First, tell me, did you set this proxy server yourself?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25573

------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

Java(TM) 6 Update 6

Take extra care in answering questions posed by any Uninstaller.
------------------------------------------------
Download and Run Rkill
Please download and run the tool named Rkill, which may help in allowing other programs to run.
There are 4 different versions. If one of them won't run then download and try to run one of the other ones.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get ONE of these to run, not all of them. You may get warnings from your antivirus about any of these tools; ignore them or shut down your antivirus.
Please download Rkill from one of the following links and save to your Desktop:
Rkill.exe
RKill.com
RKill.scr
Rkill.pif
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If it does not, delete the desktop entry. Then download and use the one provided in the next link.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • XP : Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • VISTA/Win7: Right click the .exe file and choose Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
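
The `ProxyServer` entry askey127 asks about above can be pulled out of a HijackThis log mechanically. This is an added example, not part of the original thread or of HijackThis itself; the function names are hypothetical, and it goes beyond the single `http=` entry in this log to also handle the bare `host:port` and semicolon-separated per-protocol forms of the value.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted in this thread (trimmed sample).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25573
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O1 - Hosts: ::1 localhost
"""

# HijackThis "R" lines have the shape: R<n> - <registry key>,<value name> = <data>
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")


def parse_proxy_server(data):
    """Split a ProxyServer value into (protocol, host, port) tuples.

    Accepts 'host:port' (applies to all protocols) and
    'http=host:port;https=host:port' (per-protocol) forms.
    """
    entries = []
    for part in re.split(r"[;\s]+", data.strip()):
        if not part:
            continue
        proto, sep, target = part.partition("=")
        if not sep:  # no 'proto=' prefix: one proxy for every protocol
            proto, target = "all", part
        # Drop an optional 'scheme://' prefix in front of the host.
        target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", target, flags=re.I)
        host, colon, port = target.rpartition(":")
        if not colon or not port.isdigit():
            host, port = target, ""
        entries.append((proto.lower(), host.strip("[]"), int(port) if port else None))
    return entries


def is_loopback(host):
    """True when the proxy target is this machine itself."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname other than 'localhost'
        return False


def triage_proxy_settings(log_text):
    """Return one finding per proxy entry found in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m or m.group("name").strip().lower() != "proxyserver":
            continue
        hive = m.group("key").split("\\", 1)[0]
        for proto, host, port in parse_proxy_server(m.group("data")):
            findings.append({
                "hive": hive,
                "protocol": proto,
                "host": host,
                "port": port,
                # A loopback proxy means a process on this machine sits in the
                # path of the browser's requests; if the user did not set it,
                # identify what is listening on that port.
                "loopback": is_loopback(host),
            })
    return findings


if __name__ == "__main__":
    for f in triage_proxy_settings(SAMPLE_LOG):
        tag = "LOCAL PROXY, confirm with user" if f["loopback"] else "remote proxy"
        print(f'{f["hive"]} {f["protocol"]} -> {f["host"]}:{f["port"]} [{tag}]')
```

The log does not include the `ProxyEnable` value, so the entry being present does not by itself show that the proxy is in use.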

Re: Google 404 error and google search results hijacked

Post by anamarin » December 9th, 2010, 5:38 pm

Hi askey127 - I really appreciate you giving me a hand with this.

In answer to your first question above, I have not intentionally installed a proxy server that I'm aware of. I have never identified a need to do so, so in answer to your question, no I didn't install it myself.

I will wait until I hear back from you on this before I proceed with your other instructions.

Again thank you :)

A
anamarin
Regular Member
 
Posts: 16
Joined: December 5th, 2010, 7:41 pm

Re: Google 404 error and google search results hijacked

Post by askey127 » December 9th, 2010, 7:00 pm

anamarin,
Just proceed with the other instructions.
We will take care of that later.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Google 404 error and google search results hijacked

Post by anamarin » December 9th, 2010, 10:34 pm

OK, I've uninstalled Java 6 Update

Have successfully run and completed the run kill as you instructed.

And here's what I got from Gmer:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-10 11:14:33
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG01
Running: cmq9wmn4.exe; Driver: C:\Users\ANAM~1\AppData\Local\Temp\kwldrpoc.sys


---- System - GMER 1.0.15 ----

SSDT 89953468 ZwAlertResumeThread
SSDT 89953548 ZwAlertThread
SSDT 897145B8 ZwAllocateVirtualMemory
SSDT 8819EB08 ZwAlpcConnectPort
SSDT 8948DAE8 ZwAssignProcessToJobObject
SSDT 899531B8 ZwCreateMutant
SSDT 8948D808 ZwCreateSymbolicLinkObject
SSDT 89714A80 ZwCreateThread
SSDT 8948DBC8 ZwDebugActiveProcess
SSDT 89714788 ZwDuplicateObject
SSDT 897143D8 ZwFreeVirtualMemory
SSDT 899532A8 ZwImpersonateAnonymousToken
SSDT 89953388 ZwImpersonateThread
SSDT 8819EA90 ZwLoadDriver
SSDT 89953F28 ZwMapViewOfSection
SSDT 8948DF90 ZwOpenEvent
SSDT 89714968 ZwOpenProcess
SSDT 897146A8 ZwOpenProcessToken
SSDT 8948DDF0 ZwOpenSection
SSDT 89714878 ZwOpenThread
SSDT 8948D9F8 ZwProtectVirtualMemory
SSDT 899539D8 ZwResumeThread
SSDT 89953C78 ZwSetContextThread
SSDT 89953D58 ZwSetInformationProcess
SSDT 8948DCA8 ZwSetSystemInformation
SSDT 8948DED0 ZwSuspendProcess
SSDT 89953AB8 ZwSuspendThread
SSDT 89714B60 ZwTerminateProcess
SSDT 89953B98 ZwTerminateThread
SSDT 89953E48 ZwUnmapViewOfSection
SSDT 897144C8 ZwWriteVirtualMemory
SSDT 8948D8F8 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 822BA880 8 Bytes [68, 34, 95, 89, 48, 35, 95, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822BA894 4 Bytes [B8, 45, 71, 89]
.text ntkrnlpa.exe!KeSetEvent + 13D 822BA8A0 4 Bytes [08, EB, 19, 88]
.text ntkrnlpa.exe!KeSetEvent + 1F5 822BA958 4 Bytes [B8, 31, 95, 89]
.text ntkrnlpa.exe!KeSetEvent + 21D 822BA980 8 Bytes [08, D8, 48, 89, 80, 4A, 71, ...]
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A959480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A99A900, 0x3CA, 0x48000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[1504] kernel32.dll!SetUnhandledExceptionFilter 7600A84F 5 Bytes JMP 61A654C1 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[1504] ole32.dll!OleLoadFromStream 76FE1E80 5 Bytes JMP 6251D62A C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!CreateWindowExW 75F21305 5 Bytes JMP 6AA1DB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DialogBoxParamW 75F410B0 5 Bytes JMP 6A9454F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DialogBoxIndirectParamW 75F42EF5 5 Bytes JMP 6AB15027 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DialogBoxParamA 75F58152 5 Bytes JMP 6AB14FC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!DialogBoxIndirectParamA 75F5847D 5 Bytes JMP 6AB1508A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!MessageBoxIndirectA 75F6D4D9 5 Bytes JMP 6AB14F59 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!MessageBoxIndirectW 75F6D5D3 5 Bytes JMP 6AB14EEE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!MessageBoxExA 75F6D639 5 Bytes JMP 6AB14E8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1536] USER32.dll!MessageBoxExW 75F6D65D 5 Bytes JMP 6AB14E2A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[5116] ntdll.dll!DbgBreakPoint 778A8B2E 1 Byte [90]
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!CreateDialogParamW 75F172A2 5 Bytes JMP 6AA1DED0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!GetAsyncKeyState 75F1863C 5 Bytes JMP 6A938F0F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!SetWindowsHookExW 75F187AD 5 Bytes JMP 6AA19AED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!CallNextHookEx 75F18E3B 5 Bytes JMP 6AA0D14D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!UnhookWindowsHookEx 75F198DB 5 Bytes JMP 6A984686 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!EnableWindow 75F1CD8B 5 Bytes JMP 6AA1DD5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!CreateWindowExW 75F21305 5 Bytes JMP 6AA1DB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!GetKeyState 75F28CB1 5 Bytes JMP 6AA1D30B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!IsDialogMessageW 75F30745 5 Bytes JMP 6A945A07 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!CreateDialogParamA 75F317AA 5 Bytes JMP 6AB15C93 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!IsDialogMessage 75F31847 5 Bytes JMP 6AB1552F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!CreateDialogIndirectParamA 75F326F1 5 Bytes JMP 6AB15CCA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!CreateDialogIndirectParamW 75F39A62 5 Bytes JMP 6AB15D01 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!SetKeyboardState 75F40987 5 Bytes JMP 6AB1589E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!DialogBoxParamW 75F410B0 5 Bytes JMP 6A9454F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!DialogBoxIndirectParamW 75F42EF5 5 Bytes JMP 6AB15027 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!SendInput 75F42F75 5 Bytes JMP 6AB1645B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!EndDialog 75F4326E 5 Bytes JMP 6A947EAE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!SetCursorPos 75F56FB2 5 Bytes JMP 6AB164AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!DialogBoxParamA 75F58152 5 Bytes JMP 6AB14FC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!DialogBoxIndirectParamA 75F5847D 5 Bytes JMP 6AB1508A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!MessageBoxIndirectA 75F6D4D9 5 Bytes JMP 6AB14F59 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!MessageBoxIndirectW 75F6D5D3 5 Bytes JMP 6AB14EEE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!MessageBoxExA 75F6D639 5 Bytes JMP 6AB14E8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!MessageBoxExW 75F6D65D 5 Bytes JMP 6AB14E2A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] USER32.dll!keybd_event 75F6D972 5 Bytes JMP 6AB167DF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] SHELL32.dll!SHRestricted + D95 765389A8 4 Bytes [4D, 30, 4D, 6D] {DEC EBP; XOR [EBP+0x6d], CL}
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] SHELL32.dll!SHRestricted + D9D 765389B0 8 Bytes [57, 2F, 4D, 6D, 9C, 5B, 4C, ...] {PUSH EDI; DAS ; DEC EBP; INSD ; PUSHF ; POP EBX; DEC ESP; INSD }
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] ole32.dll!OleLoadFromStream 76FE1E80 5 Bytes JMP 6AB1538F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5680] ole32.dll!CoCreateInstance 77019F3E 5 Bytes JMP 6AA1DBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
anamarin
Regular Member
 
Posts: 16
Joined: December 5th, 2010, 7:41 pm

Re: Google 404 error and google search results hijacked

Post by askey127 » December 10th, 2010, 7:15 am

anamarin,
-----------------------------------------------------------
Disable Windows Defender
Open Windows Defender by clicking the Start button, clicking All Programs, and then clicking Windows Defender.
If you don't see it in the Programs List, you can access it using the Control Panel.
Click Tools, and then click Options.
Under Administrator options, clear the Use Windows Defender check box, and then click Save.
Administrator permission is required. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25573
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
------------------------------------------------
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE NORTON ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for a [image] sign.
    • right-click it -> choose "Disable Auto-Protect."
    • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
    • click "Ok."
    • a popup will warn that protection will now be disabled.
    Norton Antivirus Guard is now disabled.
  • Now start ComboFix (zzz.exe). Right click and choose "Run as administrator".
  • OK any disclaimers and start the Scan.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your Norton Antivirus software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by anamarin » December 10th, 2010, 7:12 pm

Hi askey127,

I followed all your instructions thank you! With your first instruction regarding Microsoft Defender, it seems it was already switched off.

After running run combo fix my computer did a lot of funny things (it rebooted itself twice) but it seems after the second reboot it's now all smooth sailing. The google problem has now gone and I don't receive the google error page, so thanks.

See the run combo fix below.

Also, will I need to uninstall all the programs I've installed with you after we're done?


ComboFix 10-12-09.04 - Ana M 11/12/2010 9:40:39.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.2939.1800 [GMT 11:00]
Running from: C:\Users\Ana M\Desktop\zzz.eee.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Ana M\AppData\Roaming\Internet Security Suite

.
((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.

2010-12-10 22:46:20 . 2010-12-10 22:46:20 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-12-10 22:09:54 . 2010-12-10 22:09:55 388096 ----a-r- C:\Users\Ana M\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-08 06:30:03 . 2010-12-08 06:31:55 -------- d-----w- C:\Users\Ana M\AppData\Roaming\FreeTorentPlayer
2010-12-05 23:14:36 . 2010-12-05 23:14:36 -------- d-----w- C:\Program Files\Trend Micro
2010-12-04 01:19:56 . 2010-11-16 01:01:26 6273872 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EB27B548-87D6-42D0-921F-2834C1E0FB19}\mpengine.dll
2010-11-25 21:52:29 . 2010-11-25 21:52:29 -------- d-----w- C:\Program Files\Microsoft Silverlight
2010-11-23 22:20:19 . 2010-10-19 04:27:49 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2010-11-23 04:34:25 . 2010-11-23 04:34:25 -------- d-----w- C:\ProgramData\Office Genuine Advantage
2010-11-23 04:34:23 . 2010-11-23 04:34:23 -------- d-----w- C:\Users\Ana M\Office Genuine Advantage
2010-11-22 23:43:22 . 2010-11-23 00:01:26 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2010-11-22 23:43:22 . 2010-11-22 23:43:22 126512 ----a-w- C:\Windows\system32\drivers\SYMEVENT.SYS
2010-11-22 23:43:22 . 2010-11-22 23:43:22 -------- d-----w- C:\Program Files\Symantec
2010-11-22 23:42:44 . 2010-11-22 23:42:44 -------- d-----w- C:\Windows\system32\drivers\NIS
2010-11-22 23:42:42 . 2010-11-22 23:42:44 -------- d-----w- C:\Program Files\Norton Internet Security
2010-11-22 23:42:32 . 2010-11-22 23:42:32 -------- d-----w- C:\Program Files\NortonInstaller
2010-11-22 23:31:46 . 2010-11-22 23:31:49 -------- d-----w- C:\Program Files\CleanUp!
2010-11-22 23:19:20 . 2010-11-22 23:19:20 -------- d-----w- C:\Users\Ana M\AppData\Roaming\Malwarebytes
2010-11-22 23:19:12 . 2010-11-22 23:19:12 -------- d-----w- C:\ProgramData\Malwarebytes
2010-11-22 23:18:16 . 2010-11-22 23:18:16 -------- d-----w- C:\Users\Ana M\AppData\Local\CrashDumps
2010-11-21 06:17:28 . 2010-11-22 23:20:13 -------- d-----w- C:\ProgramData\PC Tools
2010-11-14 03:34:16 . 2010-11-22 23:42:42 -------- d-----w- C:\ProgramData\Norton
2010-11-13 23:58:18 . 2010-11-13 23:58:18 -------- d-sh--w- C:\ProgramData\ISTSXZRS
2010-11-13 23:57:25 . 2010-11-14 03:47:29 -------- d-sh--w- C:\ProgramData\542221

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-18 23:41:44 . 2009-10-17 04:15:24 222080 ------w- C:\Windows\system32\MpSigStub.exe
2010-09-13 13:56:41 . 2010-10-14 14:21:09 8147456 ----a-w- C:\Windows\system32\wmploc.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

Post by askey127 » December 11th, 2010, 8:01 am

anamarin,
Somehow, you did not post the entire log.
After ComboFix finished scanning and was generating the report, did you wait until the report popped up, or did you decide it was done and stopped it?
If you waited until the report popped up, you didn't copy the whole thing.

The report is saved in the C drive main directory here: C:\Combofix.txt

If you open it with Notepad and use (Edit -> Select All) and (Edit -> Copy) you should be able to paste all of it here.
Please do so.
Let me know. Thanks
askey127

Post by anamarin » December 11th, 2010, 7:24 pm

Hi Askey127,

I've double checked the file and that's all that is within the combofix text file.

ComboFix never generated a report in front of me after it finished scanning. Like I said it just switched itself off. When it came back on it was behaving strangely and a small box at the bottom right hand side referred to a corrupt file. I also wrote down one of the error messages I got grep.chexe.crruptfile 0x753591B00, 0x753591B00,0x753591B00. Then without me touching it, it rebooted again and Microsoft conducted a scan which took a while and then it just started working normally and all seemed ok. That might not help you but I thought to let you know anyways.

Is there anything else I should do?

Thanks Again :)

Post by askey127 » December 11th, 2010, 8:00 pm

anamarin,
Let's run ComboFix again:
-----------------------------------------------------------
Run ComboFix
  • DISABLE NORTON ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for a [image] sign.
    • right-click it -> choose "Disable Auto-Protect."
    • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
    • click "Ok."
    • a popup will warn that protection will now be disabled.
    Norton Antivirus Guard is now disabled.
  • Now start ComboFix (zzz.exe). Right click and choose "Run as administrator".
  • OK any disclaimers and start the Scan.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Please be patient until it pops up. Post the log in your next reply, and then re-enable your protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
askey127

Post by anamarin » December 11th, 2010, 8:52 pm

Askey127,

Ok this time the report auto generated. Here are the details:

ComboFix 10-12-09.04 - Ana M 12/12/2010 11:35:50.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.2939.1731 [GMT 11:00]
Running from: c:\users\Ana M\Desktop\zzz.eee.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_monitor


((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.

2010-12-12 00:41 . 2010-12-12 00:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-11 23:04 . 2010-12-11 23:04 -------- d-----w- c:\users\Ana M\AppData\Local\{4E307D2F-1FF0-4625-9835-18223534BF6E}
2010-12-11 00:01 . 2010-12-11 00:01 -------- d-----w- c:\users\Ana M\AppData\Local\{0B6D5786-153D-4B82-929E-63346D25A61F}
2010-12-11 00:01 . 2010-12-11 00:06 -------- d-----w- c:\users\Ana M\AppData\Roaming\Windows Live Writer
2010-12-11 00:01 . 2010-12-11 00:01 -------- d-----w- c:\users\Ana M\AppData\Local\Windows Live Writer
2010-12-10 23:30 . 2010-09-22 13:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-12-10 23:29 . 2010-11-16 01:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6B03FC21-FFE2-47A1-9D2E-ACB2BDEA0DEE}\mpengine.dll
2010-12-10 23:19 . 2010-12-10 23:46 -------- d-----w- c:\program files\Windows Live
2010-12-10 23:19 . 2010-12-10 23:23 -------- d-----w- c:\program files\Microsoft
2010-12-10 23:18 . 2009-09-04 06:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-12-10 23:18 . 2009-09-04 06:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-12-10 23:18 . 2009-09-04 06:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-12-10 23:16 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2010-12-10 23:15 . 2010-12-11 23:14 -------- d-----w- c:\users\Ana M\AppData\Local\Windows Live
2010-12-10 23:15 . 2010-12-10 23:15 -------- d-----w- c:\program files\Common Files\Windows Live
2010-12-10 23:02 . 2010-12-10 23:02 -------- d-----w- C:\found.000
2010-12-10 22:09 . 2010-12-10 22:09 388096 ----a-r- c:\users\Ana M\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-08 06:30 . 2010-12-08 06:31 -------- d-----w- c:\users\Ana M\AppData\Roaming\FreeTorentPlayer
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-11-25 21:52 . 2010-11-25 21:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-11-23 22:20 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 04:34 . 2010-11-23 04:34 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-11-23 04:34 . 2010-11-23 04:34 -------- d-----w- c:\users\Ana M\Office Genuine Advantage
2010-11-22 23:43 . 2010-11-23 00:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-11-22 23:43 . 2010-11-22 23:43 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-22 23:43 . 2010-11-22 23:43 -------- d-----w- c:\program files\Symantec
2010-11-22 23:42 . 2010-11-22 23:42 -------- d-----w- c:\windows\system32\drivers\NIS
2010-11-22 23:42 . 2010-11-22 23:42 -------- d-----w- c:\program files\Norton Internet Security
2010-11-22 23:42 . 2010-11-22 23:42 -------- d-----w- c:\program files\NortonInstaller
2010-11-22 23:31 . 2010-11-22 23:31 -------- d-----w- c:\program files\CleanUp!
2010-11-22 23:19 . 2010-11-22 23:19 -------- d-----w- c:\users\Ana M\AppData\Roaming\Malwarebytes
2010-11-22 23:19 . 2010-11-22 23:19 -------- d-----w- c:\programdata\Malwarebytes
2010-11-22 23:18 . 2010-11-22 23:18 -------- d-----w- c:\users\Ana M\AppData\Local\CrashDumps
2010-11-21 06:17 . 2010-11-22 23:20 -------- d-----w- c:\programdata\PC Tools
2010-11-14 03:34 . 2010-11-22 23:42 -------- d-----w- c:\programdata\Norton
2010-11-13 23:58 . 2010-11-13 23:58 -------- d-sh--w- c:\programdata\ISTSXZRS
2010-11-13 23:57 . 2010-11-14 03:47 -------- d-sh--w- c:\programdata\542221

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-18 23:41 . 2009-10-17 04:15 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-14 14:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" [BU]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-28 417792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-20 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-02 976320]

c:\users\Ana M\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca562719966b7a;Google Update Service (gupdate1ca562719966b7a);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 133104]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-20 30192]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1201000.025\SYMDS.SYS [2010-06-13 339504]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1201000.025\SYMEFA.SYS [2010-07-29 666672]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [2010-11-23 691248]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20101210.001\IDSvix86.sys [2010-11-09 353912]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1201000.025\Ironx86.SYS [2010-06-27 134704]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NIS\1201000.025\SYMTDIV.SYS [2010-07-13 331312]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 EpsonCustomerResearchParticipation;EpsonCustomerResearchParticipation;c:\program files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe [2010-09-28 472448]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe [2010-07-23 126904]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-11-22 102448]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-24 73728]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 10:28]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 10:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Sidebar - (no file)
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 11:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????8?T???????????????? ??H

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.1.0.37\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-12 11:43:59
ComboFix-quarantined-files.txt 2010-12-12 00:43

Pre-Run: 298,961,113,088 bytes free
Post-Run: 298,953,412,608 bytes free

- - End Of File - - 8E2044A7B65159A1818FDD16AFEBC988

Post by askey127 » December 12th, 2010, 8:26 am

anamarin,
Using FreetorentPlayer is a sure way to wreck your machine.
Along with Limewire, Azureus, Frostwire Bittorrent, etc., these P2P programs download "free" files that are loaded with planted infections.

Cleanup! is a registry cleaner. Registry Cleaners and optimizers have damaged machines in the past, and don't do any good. You should never use one.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

Cleanup!

Take extra care in answering questions posed by any Uninstaller.
-------------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code:
    Folder::
    c:\program files\CleanUp!
    c:\users\Ana M\AppData\Roaming\FreeTorentPlayer
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
----------------------------------------------
Download and Run Temp File Cleaner (TFC.exe)
Download Temp File Cleaner and save it to your desktop.
Right click it and choose Run as Administrator
If you have a lot of junk files to remove, it could take a while, so please be patient and let it finish.
When it's done, if it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *Freetorentplayer*
    
    :folderfind
    Freetorentplayer
    Cleanup!
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

You have a service running that is from "EpsonCustomerResearch". Do you want to participate in that?
I cannot tell what exact information is being transmitted to Epson.

So we are looking for the results from the Combofix(zzz.exe) script, the file from Systemlook, and your preference about the Epson tracking service.
askey127

Post by anamarin » December 13th, 2010, 2:29 am

Hi Askey127 - Please see results below...

Also, I don't want to participate in Epson Customer Research so am happy to remove??

Thanks again for all your help :)

ComboFix 10-12-09.04 - Ana M 13/12/2010 15:03:35.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.2939.1586 [GMT 11:00]
Running from: c:\users\Ana M\Desktop\zzz.eee.exe
Command switches used :: c:\users\Ana M\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Ana M\AppData\Roaming\FreeTorentPlayer
c:\users\Ana M\AppData\Roaming\FreeTorentPlayer\arctic.conf
c:\users\Ana M\AppData\Roaming\FreeTorentPlayer\resume\Tool_-_10_000_Days.3750071.TPB[1].torrent
c:\users\Ana M\AppData\Roaming\FreeTorentPlayer\torrents\Tool_-_10_000_Days.3750071.TPB[1].torrent

.
((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.

2010-12-13 04:09 . 2010-12-13 04:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-13 00:15 . 2010-12-13 00:16 -------- d-----w- c:\users\Ana M\AppData\Local\{78D4651A-7026-4F5A-A5C5-A9EE44EB5018}
2010-12-13 00:15 . 2010-12-13 00:15 -------- d-----w- c:\users\Ana M\AppData\Local\{501F448B-DEA6-41E2-970D-8A76AD60CE99}
2010-12-11 23:04 . 2010-12-11 23:04 -------- d-----w- c:\users\Ana M\AppData\Local\{4E307D2F-1FF0-4625-9835-18223534BF6E}
2010-12-11 00:01 . 2010-12-11 00:01 -------- d-----w- c:\users\Ana M\AppData\Local\{0B6D5786-153D-4B82-929E-63346D25A61F}
2010-12-11 00:01 . 2010-12-11 00:06 -------- d-----w- c:\users\Ana M\AppData\Roaming\Windows Live Writer
2010-12-11 00:01 . 2010-12-11 00:01 -------- d-----w- c:\users\Ana M\AppData\Local\Windows Live Writer
2010-12-10 23:30 . 2010-09-22 13:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-12-10 23:29 . 2010-11-16 01:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6B03FC21-FFE2-47A1-9D2E-ACB2BDEA0DEE}\mpengine.dll
2010-12-10 23:19 . 2010-12-10 23:46 -------- d-----w- c:\program files\Windows Live
2010-12-10 23:19 . 2010-12-10 23:23 -------- d-----w- c:\program files\Microsoft
2010-12-10 23:18 . 2009-09-04 06:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-12-10 23:18 . 2009-09-04 06:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-12-10 23:18 . 2009-09-04 06:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-12-10 23:16 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2010-12-10 23:15 . 2010-12-13 00:15 -------- d-----w- c:\users\Ana M\AppData\Local\Windows Live
2010-12-10 23:15 . 2010-12-10 23:15 -------- d-----w- c:\program files\Common Files\Windows Live
2010-12-10 23:02 . 2010-12-10 23:02 -------- d-----w- C:\found.000
2010-12-10 22:09 . 2010-12-10 22:09 388096 ----a-r- c:\users\Ana M\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-11-25 21:52 . 2010-11-25 21:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-11-23 22:20 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 04:34 . 2010-11-23 04:34 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-11-23 04:34 . 2010-11-23 04:34 -------- d-----w- c:\users\Ana M\Office Genuine Advantage
2010-11-22 23:43 . 2010-11-23 00:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-11-22 23:43 . 2010-11-22 23:43 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-22 23:43 . 2010-11-22 23:43 -------- d-----w- c:\program files\Symantec
2010-11-22 23:42 . 2010-11-22 23:42 -------- d-----w- c:\windows\system32\drivers\NIS
2010-11-22 23:42 . 2010-11-22 23:42 -------- d-----w- c:\program files\Norton Internet Security
2010-11-22 23:42 . 2010-11-22 23:42 -------- d-----w- c:\program files\NortonInstaller
2010-11-22 23:19 . 2010-11-22 23:19 -------- d-----w- c:\users\Ana M\AppData\Roaming\Malwarebytes
2010-11-22 23:19 . 2010-11-22 23:19 -------- d-----w- c:\programdata\Malwarebytes
2010-11-22 23:18 . 2010-11-22 23:18 -------- d-----w- c:\users\Ana M\AppData\Local\CrashDumps
2010-11-21 06:17 . 2010-11-22 23:20 -------- d-----w- c:\programdata\PC Tools
2010-11-14 03:34 . 2010-11-22 23:42 -------- d-----w- c:\programdata\Norton
2010-11-13 23:58 . 2010-11-13 23:58 -------- d-sh--w- c:\programdata\ISTSXZRS
2010-11-13 23:57 . 2010-11-14 03:47 -------- d-sh--w- c:\programdata\542221

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-18 23:41 . 2009-10-17 04:15 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" [BU]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-28 417792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-20 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-02 976320]

c:\users\Ana M\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca562719966b7a;Google Update Service (gupdate1ca562719966b7a);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 133104]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-20 30192]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1201000.025\SYMDS.SYS [2010-06-13 339504]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1201000.025\SYMEFA.SYS [2010-07-29 666672]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [2010-11-23 691248]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20101210.001\IDSvix86.sys [2010-11-09 353912]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1201000.025\Ironx86.SYS [2010-06-27 134704]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NIS\1201000.025\SYMTDIV.SYS [2010-07-13 331312]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 EpsonCustomerResearchParticipation;EpsonCustomerResearchParticipation;c:\program files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe [2010-09-28 472448]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe [2010-07-23 126904]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-11-22 102448]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-24 73728]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 10:28]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 10:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-13 15:10
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????8?T???????????????? ??H

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.1.0.37\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-12-13 15:11:45
ComboFix-quarantined-files.txt 2010-12-13 04:11
ComboFix2.txt 2010-12-12 00:44

Pre-Run: 296,847,646,720 bytes free
Post-Run: 296,822,317,056 bytes free

- - End Of File - - DD10431B37F9D40CAA8A27B0C2FA9B28

SystemLook 04.09.10 by jpshortstuff
Log created at 17:24 on 13/12/2010 by Ana M
Administrator - Elevation successful

========== filefind ==========

Searching for "*Freetorentplayer*"
No files found.

========== folderfind ==========

Searching for "Freetorentplayer"
C:\Qoobox\Quarantine\C\Users\Ana M\AppData\Roaming\FreeTorentPlayer d------ [04:09 13/12/2010]

Searching for "Cleanup!"
No folders found.

-= EOF =-
anamarin
Regular Member
 
Posts: 16
Joined: December 5th, 2010, 7:41 pm

Re: Google 404 error and google search results hijacked

Post by askey127 » December 13th, 2010, 8:47 am

anamarin,
------------------------------------------------
Remove Program Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click this Entry, if it exists, choose Uninstall/Change, and give permission to Continue:

Epson Customer Research Participation

Take extra care in answering questions posed by any Uninstaller.
------------------------------------------------------------
Download and install the latest version of Java Runtime Environment from here: http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
In the first section on the page, labeled JDK 6 Update 23 (JDK or JRE), click on the button labeled Download JRE. Do NOT choose the button labeled "Download JDK".
Select the Platform Windows and check the box to agree to the license.
Choose the Windows Offline installation version and click on the link.
Download it, choose Save, and save it to your desktop.
Then double-click it on your desktop (or right click and choose "Run as administrator"), and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
----------------------------------------------------------------------------------
Run MalwareBytes' Anti-Malware
Please go here to the Download Location, click on Download.
  • Right click the Malwarebytes icon to start the program. Click the Updates tab and have it check for updates.
  • If an update is found, it will download and install the latest version. A shield symbol will show on the desktop icon while it is updating, and will disappear when it's done.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program has started up, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents. The logs are listed and named by time/date stamp.

Tell me how the machine is behaving.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Google 404 error and google search results hijacked

Post by anamarin » December 14th, 2010, 4:10 pm

Hi Askey - See Malwarebytes log below.

Computer is behaving very very well.. Very fast and very efficient... No problems with google now and no problems with the re-direction of pages. Awesome stuff thank you!

Is there anything else I need to do???

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5310

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

14/12/2010 10:39:06 PM
mbam-log-2010-12-14 (22-39-06).txt

Scan type: Quick scan
Objects scanned: 141462
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
anamarin
Regular Member
 
Posts: 16
Joined: December 5th, 2010, 7:41 pm