Something has hijacked google


Post by tomc » January 15th, 2009, 2:37 pm

Hello,

When I search Google from any browser on my laptop I get realistic-looking results, but the URLs are all for spam sites. Ad-Aware, Anti-Malware, PestPatrol: nothing seems to detect and disinfect this. I just learned of this great site, so I hope I am following protocol now by submitting my HijackThis log. Thanks in advance for your help.

-Tom

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:11 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmpad.exe
C:\Program Files\Doomi\Doomi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://altiris2.ui.uillinois.edu/Altir ... nload.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O1 - Hosts: 64.22.190.9 vendor.uillinois.edu
O1 - Hosts: 128.248.80.5 login.oscar.aol.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: Doomi.lnk = C:\Program Files\Doomi\Doomi.exe
O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://*.uillinois.edu
O15 - Trusted Zone: http://*.uiuc.edu
O16 - DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} (Bo6bootstrap Control) - https://eddie.ds.uillinois.edu/wijsp/di ... nstall.cab
O16 - DPF: {10F6654B-3CF5-4E63-B06F-73C8F9B1C07E} (CompositeView Control) - https://bxsprod.apps.uillinois.edu/wx/C ... Viewer.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {32153A1A-2A88-4059-B3C1-3B7C724D94FE} (DDI Print Control Class v2.1 [ENU]) - https://docdirectdweb.admin.uillinois.e ... jpwenu.cab
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - https://altiris2.ui.uillinois.edu/Altir ... tstrap.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgreens.com/WalgreensActivia.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techto ... ntrols.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} (AeXNSConsoleContextHelp Class) - https://altiris2.ui.uillinois.edu/Altir ... onsole.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5301259827
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://urbform.admin.uillinois.edu:7777 ... /jinit.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/syst ... eatgpc.cab
O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0E} (ZaboCheckAndRunControl Class) - https://eddie.ds.uillinois.edu/wijsp/di ... boIEen.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ui.uillinois.edu
O17 - HKLM\Software\..\Telephony: DomainName = ui.uillinois.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A2D8404-496E-46F7-B517-F0B5F87E1D38}: NameServer = 128.248.2.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EEDDF3E-DDEB-48AF-BE5A-B02E516242DA}: Domain = ui.uillinois.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EEDDF3E-DDEB-48AF-BE5A-B02E516242DA}: NameServer = 64.22.178.45 64.22.186.47 64.22.178.45 64.22.178.46
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ui.uillinois.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ui.uillinois.edu,aits.uillinois.edu,uillinois.edu,cso.uiuc.edu,aiss.uiuc.edu,aiss.uic.edu,uiuc.edu,uic.edu,admin.uillinois.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ui.uillinois.edu,aits.uillinois.edu,uillinois.edu,cso.uiuc.edu,aiss.uiuc.edu,aiss.uic.edu,uiuc.edu,uic.edu,admin.uillinois.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Actional Agent - Unknown owner - C:\Program Files\Actional\ActionalAgent\bin\ActionalAgentSvc.exe (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: Apacheds - Apache Software Foundation - C:\Program Files\apacheds-1.0.2\bin\apacheds.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Derby Network Server - Alexandria Software Consulting - C:\Program Files\Actional\Derby\bin\DerbySvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OdosGateway-Test - Multiplan Consultants Limited - C:\OdosGateway\javaService\JavaService.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 16372 bytes
tomc
Active Member
 
Posts: 5
Joined: January 15th, 2009, 2:32 pm
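As an added example (not the thread's own material and not HijackThis code): the log entries that decide where a browser's searches actually go are the O1 hosts overrides, the O17 NameServer values and the R0/R1 search URLs, and a helper's first pass over a log like the one above is to compare those against what the machine is supposed to have. The parser below does that for a few lines copied from the log; the expected-resolver set and the allowed search domains are constructed assumptions, so a flagged entry means "confirm with the owner or the network team", not "malicious".

```python
# Added example: a small triage parser for HijackThis-style logs. It is not
# part of the thread and not HijackThis code; it only pulls out the entries
# that decide where a browser's searches end up, so they can be checked
# against a baseline supplied by whoever knows the machine's network.
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sample input: lines copied verbatim from the log quoted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 64.22.190.9 vendor.uillinois.edu
O1 - Hosts: 128.248.80.5 login.oscar.aol.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A2D8404-496E-46F7-B517-F0B5F87E1D38}: NameServer = 128.248.2.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EEDDF3E-DDEB-48AF-BE5A-B02E516242DA}: NameServer = 64.22.178.45 64.22.186.47 64.22.178.45 64.22.178.46
"""

# Constructed baseline (an assumption for the demo, not a fact about this
# network): the resolvers the machine is supposed to use and the domains a
# search URL is allowed to point at.
EXPECTED_NAMESERVERS = {"128.248.2.50"}
ALLOWED_SEARCH_DOMAINS = ["google.com", "microsoft.com", "comcast.net"]

O1_HOSTS = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O17_NAMESERVER = re.compile(r"^O17 - .*NameServer = (.+)$")
R_URL = re.compile(r"^R[01] - (.+?) = (.+)$")


@dataclass
class Findings:
    hosts: list = field(default_factory=list)        # (ip, hostname) pairs
    nameservers: set = field(default_factory=set)    # every DNS server seen
    urls: dict = field(default_factory=dict)         # registry value -> URL


def parse_hjt(text):
    """Collect the O1, O17 and R0/R1 entries from a HijackThis log."""
    found = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        if m := O1_HOSTS.match(line):
            found.hosts.append((m.group(1), m.group(2)))
        elif m := O17_NAMESERVER.match(line):
            # HJT lists several servers space-separated, sometimes repeated.
            found.nameservers.update(m.group(1).split())
        elif m := R_URL.match(line):
            found.urls[m.group(1)] = m.group(2)
    return found


def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(found, expected_ns, allowed_domains):
    """Return human-readable flags for entries that need a second look."""
    flags = []
    # Any hosts-file override bypasses DNS for that name, so list them all.
    for ip, name in found.hosts:
        flags.append(f"hosts override: {name} -> {ip}")
    for ns in sorted(found.nameservers - set(expected_ns)):
        flags.append(f"unexpected nameserver: {ns}")
    for key, url in found.urls.items():
        host = urlparse(url).hostname   # None for about:blank and the like
        if host and not in_domains(host, allowed_domains):
            flags.append(f"{key} points at {host}")
    return flags


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for flag in triage(found, EXPECTED_NAMESERVERS, ALLOWED_SEARCH_DOMAINS):
        print(flag)
```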

Re: Something has hijacked google

Post by jmw3 » January 22nd, 2009, 3:39 am

Welcome tomc

Apologies for the late reply. As you can appreciate the boards are quite busy. If you still require help with your computer problem could you do the following:

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after a log will appear
  • Click Yes at the next prompt, another log named attach.txt will appear
  • A window will open instructing you to post both logs. Copy the contents of both logs & post in your next reply
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Something has hijacked google

Post by tomc » January 23rd, 2009, 10:20 am

Thanks, jmw3. Here are the logs you requested.

DDS.txt
-------

DDS (Ver_09-01-19.01) - NTFSx86
Run by tcerven at 8:15:44.97 on Fri 01/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1171 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\OdosGateway\javaService\JavaService.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Doomi\Doomi.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\tcerven\Local Settings\Temporary Internet Files\Content.IE5\FIJ3R2NP\dds[1].scr
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uWindow Title = Windows Internet Explorer provided by Comcast
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = https://altiris2.ui.uillinois.edu/Altir ... nload.aspx
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\320\g2mstart.exe "/Trigger RunAtLogon"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [1&1 EasyLogin] c:\program files\1&1\1&1 easylogin\EasyLogin.exe
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PestPatrol Control Center] c:\progra~1\pestpa~1\PPControl.exe
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [CookiePatrol] c:\progra~1\pestpa~1\CookiePatrol.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\tcerven\startm~1\programs\startup\doomi.lnk - c:\program files\doomi\Doomi.exe
StartupFolder: c:\docume~1\tcerven\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
Trusted Zone: uillinois.edu
Trusted Zone: uiuc.edu
DPF: {02ED726B-6517-4245-8E46-233E4B91CEE3} - hxxps://eddie.ds.uillinois.edu/wijsp/di ... nstall.cab
DPF: {10F6654B-3CF5-4E63-B06F-73C8F9B1C07E} - hxxps://bxsprod.apps.uillinois.edu/wx/C ... Viewer.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... tor/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {32153A1A-2A88-4059-B3C1-3B7C724D94FE} - hxxps://docdirectdweb.admin.uillinois.e ... jpwenu.cab
DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} - hxxps://altiris2.ui.uillinois.edu/Altir ... tstrap.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdat ... /opuc2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techto ... ntrols.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.ipswitch.com/_installs/wsftp_le/setup.exe
DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} - hxxps://altiris2.ui.uillinois.edu/Altir ... onsole.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 5301259827
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/C ... 6346759259
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://urbform.admin.uillinois.edu:7777 ... /jinit.exe
DPF: {CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0E} - hxxps://eddie.ds.uillinois.edu/wijsp/di ... boIEen.cab
TCP: {5A2D8404-496E-46F7-B517-F0B5F87E1D38} = 128.248.2.50
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~1\RNetPin.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tcerven\applic~1\mozilla\firefox\profiles\f5gnnhxq.default\
FF - prefs.js: browser.search.selectedEngine - GoodSearch
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-4-18 58016]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R4 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-9-20 17408]
R4 OdosGateway-Test;OdosGateway-Test;c:\odosgateway\javaservice\JavaService.exe [2008-6-30 98304]
S0 GhPostConfig;Ghost Post-Configuration Driver;c:\windows\system32\drivers\ghpcw2k.sys --> c:\windows\system32\drivers\ghpcw2k.sys [?]
S3 Actional Agent;Actional Agent;c:\program files\actional\actionalagent\bin\actionalagentsvc.exe --> c:\program files\actional\actionalagent\bin\ActionalAgentSvc.exe [?]
S3 Apacheds;Apacheds;c:\program files\apacheds-1.0.2\bin\apacheds.exe [2008-7-16 102400]
S3 Derby Network Server;Derby Network Server;c:\program files\actional\derby\bin\DerbySvc.exe [2008-7-16 65536]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 108256]
S3 RapDrv;RapDrv;c:\windows\system32\drivers\RapDrv.sys [2007-4-16 104968]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2007-4-16 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2007-4-16 24344]
S4 black;black;c:\windows\system32\drivers\blackdrv.sys [2007-4-16 229331]
S4 BlackICE;BlackICE;c:\program files\iss\blackice\blackd.exe [2007-4-16 1229430]
S4 GhPostConfig_Auto;GhPostConfig_Auto;c:\windows\system32\drivers\ghpcw2k.sys --> c:\windows\system32\drivers\ghpcw2k.sys [?]
S4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2004-2-13 104000]
S4 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-8-18 221191]
S4 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-8-18 28672]
S4 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2006-4-18 724992]

============== File Associations ===============

txtfile="c:\program files\jgsoft\editpadlite\EditPadLite.exe" "%1"

=============== Created Last 30 ================

2009-01-22 12:50 <DIR> --d----- c:\temp\saveeasadmin
2009-01-22 07:12 <DIR> --d----- c:\program files\FreeUndelete
2009-01-22 07:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OfficeRecovery
2009-01-22 07:12 1,238,688 a------- c:\temp\freeundelete.exe
2009-01-21 03:20 <DIR> --d----- c:\program files\Doomi
2009-01-16 19:23 <DIR> --d----- c:\temp\podcasts
2009-01-15 12:16 <DIR> --d----- c:\program files\Trend Micro
2009-01-15 12:16 812,344 a------- c:\temp\HJTInstall.exe
2009-01-12 15:56 <DIR> --d----- c:\docume~1\tcerven\applic~1\Malwarebytes
2009-01-12 15:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-12 15:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 15:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 15:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-09 10:19 146,283 a------- c:\temp\uis-netid-activation-javadoc.zip
2009-01-09 10:14 <DIR> --d----- c:\temp\uis-netid-activation-javadoc

==================== Find3M ====================

2009-01-22 09:49 19,103,879 a------- C:\openeai-eas-source-2.0.zip
2008-12-19 18:05 13,569,592 a------- C:\EasUtils.zip
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-02 13:05 60,744 a------- c:\documents and settings\tcerven\g2mdlhlpx.exe
2008-11-18 13:11 1,666,311 a------- C:\openeai-testsuite-2.0.zip
2008-11-05 10:47 57,664 a---h--- c:\windows\system32\mlfcache.dat
2008-10-31 09:51 225,738,365 a------- C:\openeai-examples-2.0-package-221.zip
2008-10-31 08:10 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-11-16 16:09 160 a------- c:\program files\INSTALL.LOG

============= FINISH: 8:16:32.54 ===============

Attach.txt
----------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-19.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/16/2007 11:42:36 AM
System Uptime: 1/23/2009 8:08:42 AM (0 hours ago)

Motherboard: Dell Inc. | | 0FT292
Processor: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz | Microprocessor | 1830/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 12.614 GiB free.
D: is CDROM ()
H: is NetworkDisk (NTFS) - 2048 GiB total, 133.051 GiB free.
Y: is NetworkDisk (NTFS) - 5 GiB total, 2.151 GiB free.
Z: is NetworkDisk (NTFS) - 10 GiB total, 3.956 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1490 Dual Band WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4312&SUBSYS_00071028&REV_01\4&2B560C2B&0&00E1
Manufacturer: Broadcom
Name: Dell Wireless 1490 Dual Band WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4312&SUBSYS_00071028&REV_01\4&2B560C2B&0&00E1
Service: BCM43XX

==== System Restore Points ===================

RP407: 11/20/2008 7:39:08 PM - System Checkpoint
RP408: 11/22/2008 9:33:00 AM - System Checkpoint
RP409: 11/23/2008 9:40:45 AM - System Checkpoint
RP410: 11/24/2008 10:55:55 AM - System Checkpoint
RP411: 11/25/2008 1:18:30 PM - System Checkpoint
RP412: 11/25/2008 1:57:13 PM - Installed eFax Messenger
RP413: 11/26/2008 4:30:58 PM - System Checkpoint
RP414: 11/27/2008 4:49:33 PM - System Checkpoint
RP415: 11/30/2008 9:50:35 AM - System Checkpoint
RP416: 12/1/2008 10:26:34 AM - System Checkpoint
RP417: 12/2/2008 10:33:47 AM - System Checkpoint
RP418: 12/3/2008 2:58:03 PM - System Checkpoint
RP419: 12/4/2008 3:08:22 PM - System Checkpoint
RP420: 12/5/2008 4:59:31 PM - System Checkpoint
RP421: 12/6/2008 6:38:34 PM - System Checkpoint
RP422: 12/7/2008 7:42:10 PM - System Checkpoint
RP423: 12/8/2008 7:46:48 PM - System Checkpoint
RP424: 12/9/2008 8:16:29 PM - System Checkpoint
RP425: 12/10/2008 2:00:30 AM - Software Distribution Service 3.0
RP426: 12/11/2008 2:00:19 AM - Software Distribution Service 3.0
RP427: 12/12/2008 7:57:17 AM - System Checkpoint
RP428: 12/13/2008 8:50:08 AM - System Checkpoint
RP429: 12/14/2008 9:31:13 AM - System Checkpoint
RP430: 12/14/2008 10:28:55 PM - Installed TurboTax Deluxe 2007
RP431: 12/14/2008 10:29:53 PM - Installed AnswerWorks 4.0 Runtime - English
RP432: 12/14/2008 10:46:05 PM - Removed Enterprise Architect 7.1 - 30 Day Trial
RP433: 12/14/2008 10:47:36 PM - Removed MetaFrame Presentation Server Client
RP434: 12/15/2008 11:01:11 PM - System Checkpoint
RP435: 12/16/2008 11:02:13 PM - System Checkpoint
RP436: 12/18/2008 11:24:36 AM - Software Distribution Service 3.0
RP437: 12/19/2008 3:00:47 PM - System Checkpoint
RP438: 12/20/2008 7:40:02 PM - System Checkpoint
RP439: 12/21/2008 8:22:37 PM - System Checkpoint
RP440: 12/22/2008 8:44:11 PM - System Checkpoint
RP441: 12/23/2008 9:57:25 PM - System Checkpoint
RP442: 12/25/2008 2:12:32 PM - System Checkpoint
RP443: 12/26/2008 4:21:20 PM - System Checkpoint
RP444: 12/27/2008 4:52:06 PM - System Checkpoint
RP445: 12/28/2008 6:36:55 PM - System Checkpoint
RP446: 12/30/2008 10:20:01 AM - System Checkpoint
RP447: 12/31/2008 10:40:46 AM - System Checkpoint
RP448: 1/1/2009 11:05:50 AM - System Checkpoint
RP449: 1/2/2009 12:22:49 PM - System Checkpoint
RP450: 1/3/2009 7:10:31 PM - System Checkpoint
RP451: 1/4/2009 7:47:13 PM - System Checkpoint
RP452: 1/5/2009 8:22:09 PM - System Checkpoint
RP453: 1/6/2009 9:22:02 PM - System Checkpoint
RP454: 1/7/2009 11:21:06 AM - Installed Opera 9.63
RP455: 1/8/2009 12:05:55 PM - System Checkpoint
RP456: 1/9/2009 1:19:13 PM - System Checkpoint
RP457: 1/10/2009 1:21:50 PM - System Checkpoint
RP458: 1/11/2009 1:57:08 PM - System Checkpoint
RP459: 1/12/2009 3:34:34 PM - Printer Driver Adobe PDF Converter Installed
RP460: 1/12/2009 10:35:42 PM - Software Distribution Service 3.0
RP461: 1/13/2009 11:23:09 PM - System Checkpoint
RP462: 1/14/2009 11:41:06 PM - System Checkpoint
RP463: 1/15/2009 2:00:30 AM - Software Distribution Service 3.0
RP464: 1/16/2009 2:15:20 AM - System Checkpoint
RP465: 1/17/2009 3:08:14 AM - System Checkpoint
RP466: 1/18/2009 4:19:56 AM - System Checkpoint
RP467: 1/19/2009 11:58:05 AM - System Checkpoint
RP468: 1/20/2009 12:20:25 PM - System Checkpoint
RP469: 1/21/2009 2:47:41 PM - System Checkpoint
RP470: 1/22/2009 3:28:16 PM - System Checkpoint

==== Installed Programs ======================


1&1 EasyLogin
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware
Add or Remove Adobe Creative Suite 3 Web Standard
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Web Standard
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Reader 8.1.1
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Altova XMLSpy 2005 Professional Edition
AnswerWorks 4.0 Runtime - English
AoA Audio Extractor 1.0
apacheds 1.0.2
Apple Mobile Device Support
Apple Software Update
APPWORXP AppWorx Client
APPWXDV AppWorx Client
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
BeeThink MP3 WMA To WAV Converter 2.0
BlackICE
Bonjour
Broadcom Gigabit Integrated Controller
BusinessObjects 6
Calculatair
Clarify 12.5SR1 for Oracle
Clarify ClearConfigurator 11.5
Clarify ClearConfigurator Rule Wizard 11.5 (Remove Only)
ClarifyCRM eFrontOffice11.5 Client for Oracle 8i
ClarifyCRM FTS Client
Comcast Toolbar
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Crash Analysis Tool
CVSNT
Dawn
Dell Printer Software Uninstall
Dell ResourceCD
Dell Software Uninstall
Dell Wireless WLAN Card
Desktop Doctor
DocumentDirect 2.1 High Resolution Print Plugin
Dojo Toolbox
DojoToolbox
Doomi
DzSoft PHP Editor 4.1.2
eFax Messenger
FreeUndelete
GlassFish V2
Google Earth
Google SketchUp 6
Google Toolbar for Internet Explorer
Google Updater
GoToMeeting 4.0.0.320
GradeQuick
High Definition Audio Driver Package - KB835221
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Inkscape 0.45.1
Intel(R) PRO Network Adapters and Drivers
Ipswitch WS_FTP LE
iTunes
J2SE Development Kit 5.0 Update 14
J2SE Runtime Environment 5.0 Update 14
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment, SE v1.4.2_17
Java 2 SDK, SE v1.4.2_17
Java Web Start
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
JGsoft EditPad Lite 6.3.1
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
MDG Link for Eclipse
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project 2007 Service Pack 1 (SP1)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobileMe Control Panel
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.19)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MySQL Administrator 1.1
MySQL Control Center
MySQL Server 5.0
NetBeans IDE 6.0
O2Micro Smartcard Driver
Opera 9.63
Oracle Data Provider for .NET Help
Oracle Jinitiator 1.3.1.22
Oracle JInitiator 1.3.1.6
OZ776 SCR CardBus Windows Driver
PDF Settings
PowerDVD 5.7
Progress Bar Demo
Python 2.4
Quest Software Toad for MySQL Freeware 3.1
Quest Software Toad for Oracle Version 8.6.1
QuickTime
RFClient
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Project 2007 (KB949046)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
SigmaTel AC97 Audio Drivers
SigmaTel Audio
Sonic Update Manager
SoundMAX
SSH Secure Shell
Texas Instruments PCIxx21/x515 drivers.
TI_Inst
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
WeatherBug
WebFldrs XP
WinCvs 1.3
Windows Defender Signatures
Windows Desktop Search 3.01
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Grep 2.3
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
Windows XP Service Pack 3 (1033)
WinMerge 2.0
WinRAR archiver
XAMPP 1.6.4
XtenderSolutions Adobe Component
XtenderSolutions KeyView Component
XtenderSolutions Scanning Component

==== Event Viewer Messages From Past Week ========

1/20/2009 6:23:10 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'chiui1.ui.uillinois.edu'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/20/2009 6:08:33 PM, error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error: The operation completed successfully.
1/20/2009 6:08:33 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/20/2009 6:07:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'chiui1.ui.uillinois.edu'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/20/2009 6:07:36 PM, error: NETLOGON [5719] - No Domain Controller is available for domain UI due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
1/20/2009 6:33:21 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'chiui1.ui.uillinois.edu'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/20/2009 2:33:21 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'chiui1.ui.uillinois.edu'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/20/2009 12:33:21 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'chiui1.ui.uillinois.edu'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/19/2009 11:33:21 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'chiui1.ui.uillinois.edu'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/18/2009 6:59:24 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'chiui1.ui.uillinois.edu'. NtpClient will try the DNS lookup again in 960 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/21/2009 11:26:20 AM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
1/21/2009 12:36:09 PM, error: Service Control Manager [7034] - The Apache2.2 service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
tomc
Active Member
 
Posts: 5
Joined: January 15th, 2009, 2:32 pm
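As an added example (not part of this thread and not DDS's own code): a small Python parser for the SERVICES / DRIVERS block of a DDS log in the layout shown above, so a helper triaging such a log can pull out the entries programmatically instead of reading them by eye. It assumes the usual DDS convention that the leading letter is R (running) or S (stopped) and the digit is the Windows service start type, and that a line of the form `path --> path [?]` means DDS could not find the binary on disk. The sample block is a constructed subset in the same layout; a missing binary is a prompt to look closer (stale registrations are the common benign cause), not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout DDS uses for its SERVICES / DRIVERS block
# (same shape as the log in the thread, but a fabricated subset, not the original text).
SAMPLE = r"""
============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-4-18 58016]
R4 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-9-20 17408]
S0 GhPostConfig;Ghost Post-Configuration Driver;c:\windows\system32\drivers\ghpcw2k.sys --> c:\windows\system32\drivers\ghpcw2k.sys [?]
S3 RapDrv;RapDrv;c:\windows\system32\drivers\RapDrv.sys [2007-4-16 104968]
S4 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2006-4-18 724992]

============== File Associations ===============
"""

# Windows service start values as DDS prints the digit (assumed mapping).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


@dataclass
class ServiceEntry:
    state: str                 # "R" running or "S" stopped (DDS convention, assumed)
    start_type: int            # 0-4, see START_TYPES
    name: str                  # service/driver key name
    display_name: str
    path: str                  # binary path (the resolved one if DDS printed "-->")
    timestamp: Optional[str]   # "YYYY-M-D" from the bracket, None when unresolved
    size: Optional[int]        # file size from the bracket, None when unresolved
    missing: bool              # True when DDS printed "--> <path> [?]"


# "<R|S><digit> <name>;<display>;<path> [<meta>]"
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+) \[(.+)\]$")


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse the SERVICES / DRIVERS section of a DDS-style log into records."""
    entries: List[ServiceEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break  # the next "====" header closes the block
        if not in_section or not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not follow the expected shape
        state, start, name, display, path, meta = m.groups()
        missing = False
        if "-->" in path:
            # DDS prints "registered path --> resolved path" when it cannot stat the file
            path = path.split("-->")[-1].strip()
            missing = True
        timestamp: Optional[str] = None
        size: Optional[int] = None
        if meta != "?":
            ts, sz = meta.split()
            timestamp, size = ts, int(sz)
        entries.append(ServiceEntry(state, int(start), name, display, path, timestamp, size, missing))
    return entries


def unresolved_binaries(entries: List[ServiceEntry]) -> List[str]:
    """Names of entries whose binary DDS could not find on disk ("[?]")."""
    return [e.name for e in entries if e.missing]


def running_by_start_type(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Map start-type label -> names of entries DDS reported as running."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        if e.state == "R":
            out.setdefault(START_TYPES[e.start_type], []).append(e.name)
    return out


if __name__ == "__main__":
    parsed = parse_services(SAMPLE)
    print("entries:", len(parsed))
    print("binary not found:", unresolved_binaries(parsed))
    print("running:", running_by_start_type(parsed))
```

Feeding the real log's block to `parse_services` works the same way; the `running_by_start_type` view is handy for spotting a service that is running although its start type is disabled, which in a corporate image is usually policy but is still worth confirming with whoever manages the machine.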

Re: Something has hijacked google

Unread postby jmw3 » January 23rd, 2009, 11:34 am

Hello tomc

Looking at the HijackThis log you've supplied, the setup and the software running make it look like the computer is a business or company computer. If this is the case, you would be best to contact your IT/Computing team for help, as there may be specific settings that only they would know about. We, at Malware Removal, would not know these specific settings and may innocently make changes that could cause some of your computer's functions to stop working.

Can you please confirm whether your computer is a personal or a business / corporate computer?
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Something has hijacked google

Unread postby tomc » January 23rd, 2009, 11:48 am

Yes, it is but they want to reimage the hard drive and wipe out everything. There has got to be some less drastic way of getting rid of this and I was hoping you guys could help me find it.
tomc
Active Member
 
Posts: 5
Joined: January 15th, 2009, 2:32 pm

Re: Something has hijacked google

Unread postby jmw3 » January 23rd, 2009, 2:04 pm

In general, we do not help in cleaning business or corporate computers. There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove malware. There may also be legal issues regarding any loss of business data that we do not wish to deal with.
Malware Removal Rules

I'm sorry but I cannot help you with this. The online anti-malware community primarily serves home users and is therefore not ideally suited to deal with situations that are best handled by a company's own IT department. All companies have their own set of policies and procedures for handling situations like this, which are beyond our sphere of knowledge. Therefore, as this computer has been identified as infected, you are strongly advised to immediately seek the assistance of your company's IT department so they may implement their own preferred method for handling this situation.
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Something has hijacked google

Unread postby tomc » January 23rd, 2009, 3:05 pm

Ok, but there's no way the PC support people around here could fix this without reformatting the hard drive. I just found a post on another site that has a program that searches for the 7.7.7.0 redirection on google and it found the infected file, C:\WINDOWS\system32\wdmaud.sys. I deleted it and the virus is gone. I tried this in the past but it kept coming back. We'll see how long it lasts. The other information I have is that the infection comes from Acrobat JavaScript in a PDF. They say to prevent reinfection, disable JavaScript in Reader.

Although you didn't help me it seems like you are really helping out a lot of people so I have to thank you for that. This site is amazing.

-Tom
tomc
Active Member
 
Posts: 5
Joined: January 15th, 2009, 2:32 pm

Re: Something has hijacked google

Unread postby NonSuch » January 23rd, 2009, 10:50 pm

Please keep in mind that although the symptoms may have ceased, that gives no assurance that the system is malware free.

We are aware that it can sometimes be very annoying when an IT department decides that the best course of action is to reimage a system. However, you must realize that an IT department has an obligation to make decisions based on what is best and most effective for the entire network as well as what best conserves both time and labor. Also, you should be aware that there are some strains of malware that can only be removed by reformatting the system.

The bottom line is, if this computer is a corporate computer, as an employee you may very likely not be authorized to withhold information from its rightful owners regarding its condition, including the fact that company-owned data may have been compromised and/or may currently be at risk. There is also the risk that this computer could compromise other networked computers if it is still infected, and if it is connected to the company network while in an infected state. You are therefore advised to immediately inform the owners of this computer, or their authorized representatives, that it has been compromised.

As this issue involves a business system, and therefore falls outside the scope of this forum, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California