Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Google hijacking

Post by Punchbuggy » June 1st, 2009, 1:33 pm

Hello there, I'm new, so if I mess anything up, please tell me!

Almost every time I Google search for something, I click on the link it provides me with and I get redirected to an advertisement. The only surefire way I'll get the page I'm looking for is to click on the provided 'Cached results' link. I've scoured the web for solutions, downloaded AVG, Malwarebytes, and Avast, but the scans keep coming up with nothing. Please help! Here's my log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:55 PM, on 6/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\McRes_MM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Dashsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ATSwpNav.exe
C:\WINDOWS\system32\aetcrss1.exe
C:\windows\system32\KADxMain.exe
C:\WINDOWS\system32\McMon.exe
C:\Program Files\Acronis\TrueImage Motion Computing Edition\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [ATSwpNav] c:\WINDOWS\system32\ATSwpNav.exe -run
O4 - HKLM\..\Run: [CertificateRegistration] aetcrss1.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [KADxMAin] C:\windows\system32\KADxMain.exe
O4 - HKLM\..\Run: [MotionComputingMonitor] C:\WINDOWS\system32\McMon.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage Motion Computing Edition\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Leland\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - .DEFAULT User Startup: Motion Computing Warranty Registration.lnk = C:\Program Files\Motion Computing Registration\register.exe (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.motioncomputing.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\hoyolajo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dgscugsw - zjniimk.dll (file missing)
O20 - Winlogon Notify: mclaunch - C:\\Windows\\System32\\mclaunch.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dashsvc - Motion Computing Inc. - C:\WINDOWS\system32\Dashsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer (lvcomser) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (lvprcsrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: StarWind AE Service (starwindserviceae) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 11282 bytes



Thanks so much!
Punchbuggy
Active Member
 
Posts: 4
Joined: June 1st, 2009, 1:24 pm

Re: Google hijacking

Post by MWR 3 day Mod » June 4th, 2009, 2:03 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Google hijacking

Post by Wingman » June 5th, 2009, 1:40 pm

Hello
Welcome to the Malware Removal forum.
My name is Wingman, and I'll be helping you with your malware problems.
HijackThis logs can take a while to research, so please be patient.

I am currently under the guidance of the MRU teachers; everything I post to you has been reviewed by them.
This additional review process can add some extra time to my responses... but not too much. ;)

Before we begin...please note the following important guidelines.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. Please, if you have questions about something...ASK, don't guess or assume.
  3. Please -only- post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  4. Please -only- reply to this thread, do not start another!
  5. Please do not run any other fix/removal tools unless instructed to do so!
  6. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  7. Please, continue responding, until I give you the "All Clean"

If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.
In the meantime... please perform the following steps.

Step 1.
HJT - Uninstall Manager Log
    Please run HijackThis.
      If you are on the "scan & fix stuff" page... Press the "Main Menu" button.
  1. From the Main Menu... Press the "Open the Misc Tools" button.
  2. Press the "Open Uninstall Manager..." button.
  3. Press only the "Save List..." button.
  4. Press the "Save" button.
    The file "uninstall_list.txt" will be saved in your HJT folder.
  5. Copy and paste the contents of "uninstall_list.txt" in your next reply.

Step 2.
Please include in your next reply:
  1. HJT uninstall_list.txt file contents
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Google hijacking

Post by Punchbuggy » June 6th, 2009, 2:58 am

Thankyouthankyou SO much for taking the time to help me out! You're a life saver!

Here is my uninstall list:

3Planesoft Screensaver Manager 1.2
Acronis?True?Image?Motion?Computing?Edition
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 8.1.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Mobile Device Support
Apple Software Update
ArtRage 2
avast! Antivirus
AVG Free 8.5
Bluetooth Stack for Windows by Toshiba
Bonjour
Connect
Cuckoo Clock 3D Screensaver 1.0
DAEMON Tools Toolbar
EPSON Printer Software
EPSON Scan
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Inst5657
Inst565a
Insta001
Intel(R) Graphics Media Accelerator Driver
IntelliSonic Speech Enhancement
iTunes
Java(TM) 6 Update 13
kuler
LimeWire 5.1.2
Logitech QuickCam
Malwarebytes' Anti-Malware
Manga Studio EX 4.0
Mechanical Clock 3D Screensaver and Animated Wallpaper 1.1
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote 2007
Microsoft Office OneNote 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Streets & Trips 2006
Microsoft Visual C++ 2005 Redistributable
Motion Computing Registration
Motion Dashboard
Motion DataGuard
Mozilla Firefox (3.0.10)
Nautilus 3D Screensaver 1.2
OmniPass 5.00.67.M
OmniPass Smart Card Middleware for Client Security Solution
openCanvas4.06E Plus
PDF Annotator 1.3.0.82
PDF Settings CS4
Pen Tablet
Photoshop Camera Raw
Project64 1.6
QuickTime
QuickVoice
RaakSign-Softex-2312A
RealPlayer
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SigmaTel Audio
Skype? 4.0
Suite Shared Configuration CS4
Tablet PC Tutorials for Microsoft Windows XP SP2
Unity Web Player
Update for Windows XP (KB896256)
Update for Windows XP (KB898461)
Update for Windows XP (KB900722)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Veoh Web Player
VLC media player 0.9.9
Water Clock 3D Screensaver 1.0
Winamp
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
Zoom Player (remove only)



----------------


Thanks again for your help!
Punchbuggy
Active Member
 
Posts: 4
Joined: June 1st, 2009, 1:24 pm

Re: Google hijacking

Post by Wingman » June 6th, 2009, 2:44 pm

Hello Punchbuggy

There are several things you need to be made aware of:

Multiple Antivirus Programs
You are running more than 1 Antivirus program!
AVG8
AVAST4
Running - more than one - antivirus program is not recommended because:
  1. They can conflict with each other.
  2. Report the other antivirus software as malicious.
  3. Antivirus programs use an enormous amount of computer's resources... actively scanning your computer.
  4. Can cause your computer to become unstable...run slowly and even, in rare cases, crash.
I strongly suggest you uninstall one of them. Which one, is your decision.


Virut Infection!
I'm sorry to have to inform you that you have a very serious infection!
A Polymorphic File Infector.
"Virut" is a family of polymorphic, memory-resident, appending file infectors... meaning it is capable of modifying itself every time it runs. Viruses belonging to this family infect files with .EXE and .SCR extensions.
All viruses belonging to the Virut family also contain an IRC-based backdoor, that provides unauthorized access to infected computers.
In addition, when it infects, it will sometimes destroy the file it infected. For these reasons, you really can't truly fix Virut.

The best course of action... You will need to format/reinstall the operating system on this machine.

You are strongly advised to do the following:
  1. Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  2. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
    If you don't mind the hassle, change all your account numbers.
  3. From a clean computer, change all your passwords
    (Internet login, your email address(es), financial accounts, PayPal, eBay, Amazon...any online activities you carry out which require a username and password).
    Do NOT change your passwords from this computer, the attacker can still get all the new passwords and transaction records.
  4. Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

I would strongly suggest you backup all of your valuable and personal data... (ie. documents, pictures, movies, songs, etc...)
Do NOT backup any applications or installers. Do NOT backup any .exe, .scr, .htm, .html, .xml, .zip, .rar files... as these files may be infected as well.
If you back them up...then replace them, you will re-infect your system again.

Microsoft MVP Miekiemoes, a malware removal expert, discusses this infection...here.
Please refer to these instructions, how to perform Windows XP: Clean Install

To help you understand more, please take some time to read the following articles:
When should I re-format and reinstall my OS
How do I respond to a possible identity theft and how do I prevent it
Where to backup your files
How to backup your files in Windows XP
Restoring your backups


P2P Warning!
IMPORTANT There are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
LimeWire 5.1.2
Please note that as long as you are using any form of P2P networking to download files you can anticipate infestations of malware to occur.
P2P file sharing used to be fairly safe. This is no longer true...continue to use P2P sharing ...at your own risk!
Keep in mind that this practice may be the source of your current malware infestation.
References... citing the risk factors of using P2P programs:
Malware: Help prevent the Infection
How to Prevent the Online Invasion of Spyware and Adware

I strongly recommend that you uninstall: LimeWire 5.1.2
You can do so using the Control Panel >> Add or Remove Programs function. If you choose NOT to remove these programs...indicate that in your next reply.
As long as you have the P2P program(s) installed, per Malware Removal Forum Policy, I can offer you no further assistance.

If you have any questions, please feel free to ask.
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Google hijacking

Post by Wingman » June 9th, 2009, 4:07 pm

3 Day Bump
Hello...
It has been 3 or more days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
Just let me know what's going on otherwise...
If, after 48 hrs., you have not replied to this thread... it will have to be closed!
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Google hijacking

Post by Punchbuggy » June 10th, 2009, 10:38 am

Sorry I took so long to reply!

I've uninstalled avast! Antivirus and Limewire. Also, I don't know how this will be received here, but I think I know what the virus is. It could possibly be a key generator I downloaded which has checked out to be safe (I have researched it, and though I am not terribly experienced in this field, I don't think it's harming my computer). I know that keygens are controlled viruses, but if you think it's dangerous, I will get rid of it.

My files have been backed up onto another hard drive (without the keygen) and I'm wondering if I'll have to reformat it still.

If you could possibly tell me where the virus is located or whether or not the keygen is the threat, that would be great.

I'm still having problems with Google, is this related?

Thanks so much for your help and patience!
Punchbuggy
Active Member
 
Posts: 4
Joined: June 1st, 2009, 1:24 pm

Re: Google hijacking

Post by Wingman » June 11th, 2009, 1:31 pm

Hi punchbuggy.

Keygen programs are generally used to crack legitimate software, so the "user" does not have to pay in order for the software to become, or continue to be, functional.
This is basically theft and Malware Removal policy on the use of illegal, or cracked/keygen software says it must be removed, before any further help will be given.
It's also possible that keygen files, could contain malicious code, released when it is executed.

The "Virut" infection I referred to is... not the keygen... but could have been included in the keygen. Please read the description of the virus given earlier.
I hesitate to provide the file identified as being Virut... because the tendency would be to remove the file and assume the infection is gone.
This is a dangerous assumption, as this infection spreads itself to other files, possibly destroying the files it infects.

More information: http://free.avg.com/66558
AVG Technologies wrote:
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/VirusP ... key=143034
Network Associates wrote:
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.

It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)

In order to make sure there are no infected files remaining, a reformat and full reinstall of the Operating System is required.

So... to answer your question... "I'm wondering if I'll have to reformat it still"?
YES... a reformat and reinstall is what will have to be done.

Once you reformat and reinstall... I strongly urge you to abandon the use of P2P networks, Limewire, uTorrent, etc... even though the program or site itself may be safe... the files being downloaded are not.
Using keygens is just as dangerous... The use of either of these processes... is probably the source of your multiple infections.

If you have any questions, please feel free to ask.
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
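
The write-up quoted in the post above says the virus appends its code to the last section of a PE file, which can leave traces in the file's headers that a defender can check without running it. The following is an added example, not part of the original thread or of any vendor tool: it parses PE32 headers and reports two generic appended-code indicators. The indicators are heuristics assumed here for illustration, not a Virut signature, and the sample images are constructed headers that contain no code.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_point_rva, sections) read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24                                   # optional header
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)
    table = opt_off + opt_size                              # section table
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize,
            "rptr": rptr, "rsize": rsize, "flags": flags,
        })
    return entry_rva, sections


def appended_code_indicators(data):
    """Heuristic header checks (assumptions of this example) for appended code."""
    entry_rva, sections = parse_pe(data)
    findings = []
    if not sections:
        return findings
    last = sections[-1]
    # Appended code has to execute, and encrypted code has to be rewritten
    # in place before it runs, so a writable+executable last section stands out.
    if last["flags"] & IMAGE_SCN_MEM_EXECUTE and last["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %r is writable and executable" % last["name"])
    # Compilers normally place the entry point in the first code section.
    span = max(last["vsize"], last["rsize"])
    if last["vaddr"] <= entry_rva < last["vaddr"] + span:
        findings.append("entry point 0x%X lies in last section %r"
                        % (entry_rva, last["name"]))
    return findings


def build_sample(sections, entry_rva):
    """Constructed test input: PE32 headers only, no section contents."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x010B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table, raw = b"", 0x400
    for name, vaddr, size, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw,
                             0, 0, 0, 0, flags)
        raw += size
    return dos + b"PE\0\0" + coff + opt + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RO = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
RWX = RO | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

# Constructed layouts: an ordinary image, one whose last section has grown,
# become RWX and holds the entry point, and one with the entry point unchanged.
CLEAN = build_sample([(b".text", 0x1000, 0x2000, RX), (b".data", 0x3000, 0x1000, RW),
                      (b".rsrc", 0x4000, 0x1000, RO)], 0x1234)
APPENDED = build_sample([(b".text", 0x1000, 0x2000, RX), (b".data", 0x3000, 0x1000, RW),
                         (b".rsrc", 0x4000, 0x3000, RWX)], 0x6E00)
APPENDED_EPO = build_sample([(b".text", 0x1000, 0x2000, RX), (b".data", 0x3000, 0x1000, RW),
                             (b".rsrc", 0x4000, 0x3000, RWX)], 0x1234)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED),
                         ("appended, entry point unchanged", APPENDED_EPO)):
        print(label, "->", appended_code_indicators(image) or "no indicators")
```

Neither check fires when the decryptor sits in code-section slack space or overwrites the original entry point, so a result with no indicators does not show that a file is uninfected.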

Re: Google hijacking

Post by Wingman » June 15th, 2009, 11:38 am

3 Day Bump
Hello punchbuggy...
It has been 3 or more days since my last post to you.
  • Do you still need help with this problem?
  • Do you need more time?
  • Are you having problems understanding or following my instructions?
Just let me know what's going on otherwise...
If, after 48 hrs., you have not replied to this thread... it will have to be closed!
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Google hijacking

Post by silver » June 19th, 2009, 2:25 am

Due to a Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Malware Removal forum.

If you have been helped and wish to donate to help with the costs of this volunteer site,
please read Donations For Malware Removal
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7