Google searches return wrong results


winx62
06-04-2005, 04:45 PM
Hi,

I am fairly knowledgeable when it comes to viruses, spyware and malware, but this one has me boggled. Here is what I get when typing in something for a Google search; follow this link to see the screenshot:

http://users.zoominternet.net/~dawinx25/search.jpg

Try typing in the same thing I did and see what your results are, they will be dramatically different. Your first result will be the actual Butler School website.

Has anyone ever heard of this and how to correct it? I have tried ad-aware, spybot, stinger, Windows Anti-Spyware, Norton AV 2005, Norton SystemWorks, and they are all updated also.

Any other ideas?

david eaton
06-04-2005, 04:53 PM
There are several varieties of malware that can cause this.

Please download http://www.merijn.org/files/hijackthis.zip
Copy it into its own folder, doubleclick HijackThis.exe, and hit "Scan and save log".

When the scan is finished, the log will open in Notepad. Do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

winx62
06-06-2005, 11:21 PM
Thanks for the reply, it is my gf's computer, so next time I am over there I will post the log.
It may not be til later in the week.

Thanks a lot,

Dane

winx62
06-12-2005, 02:49 PM
Logfile of HijackThis v1.99.1
Scan saved at 1:47:38 PM, on 6/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Fry Fam\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 66.180.173.39 google.ae
O1 - Hosts: 66.180.173.39 google.am
O1 - Hosts: 66.180.173.39 google.as
O1 - Hosts: 66.180.173.39 google.at
O1 - Hosts: 66.180.173.39 google.az
O1 - Hosts: 66.180.173.39 google.be
O1 - Hosts: 66.180.173.39 google.bi
O1 - Hosts: 66.180.173.39 google.ca
O1 - Hosts: 66.180.173.39 google.cd
O1 - Hosts: 66.180.173.39 google.cg
O1 - Hosts: 66.180.173.39 google.ch
O1 - Hosts: 66.180.173.39 google.ci
O1 - Hosts: 66.180.173.39 google.cl
O1 - Hosts: 66.180.173.39 google.co.cr
O1 - Hosts: 66.180.173.39 google.co.hu
O1 - Hosts: 66.180.173.39 google.co.il
O1 - Hosts: 66.180.173.39 google.co.in
O1 - Hosts: 66.180.173.39 google.co.je
O1 - Hosts: 66.180.173.39 google.co.jp
O1 - Hosts: 66.180.173.39 google.co.ke
O1 - Hosts: 66.180.173.39 google.co.kr
O1 - Hosts: 66.180.173.39 google.co.ls
O1 - Hosts: 66.180.173.39 google.co.nz
O1 - Hosts: 66.180.173.39 google.co.th
O1 - Hosts: 66.180.173.39 google.co.ug
O1 - Hosts: 66.180.173.39 google.co.uk
O1 - Hosts: 66.180.173.39 google.co.ve
O1 - Hosts: 66.180.173.39 google.com
O1 - Hosts: 66.180.173.39 google.com.ag
O1 - Hosts: 66.180.173.39 google.com.ar
O1 - Hosts: 66.180.173.39 google.com.au
O1 - Hosts: 66.180.173.39 google.com.br
O1 - Hosts: 66.180.173.39 google.com.co
O1 - Hosts: 66.180.173.39 google.com.cu
O1 - Hosts: 66.180.173.39 google.com.do
O1 - Hosts: 66.180.173.39 google.com.ec
O1 - Hosts: 66.180.173.39 google.com.fj
O1 - Hosts: 66.180.173.39 google.com.gi
O1 - Hosts: 66.180.173.39 google.com.gr
O1 - Hosts: 66.180.173.39 google.com.gt
O1 - Hosts: 66.180.173.39 google.com.hk
O1 - Hosts: 66.180.173.39 google.com.ly
O1 - Hosts: 66.180.173.39 google.com.mt
O1 - Hosts: 66.180.173.39 google.com.mx
O1 - Hosts: 66.180.173.39 google.com.my
O1 - Hosts: 66.180.173.39 google.com.na
O1 - Hosts: 66.180.173.39 google.com.nf
O1 - Hosts: 66.180.173.39 google.com.ni
O1 - Hosts: 66.180.173.39 google.com.np
O1 - Hosts: 66.180.173.39 google.com.pa
O1 - Hosts: 66.180.173.39 google.com.pe
O1 - Hosts: 66.180.173.39 google.com.ph
O1 - Hosts: 66.180.173.39 google.com.pk
O1 - Hosts: 66.180.173.39 google.com.pr
O1 - Hosts: 66.180.173.39 google.com.py
O1 - Hosts: 66.180.173.39 google.com.sa
O1 - Hosts: 66.180.173.39 google.com.sg
O1 - Hosts: 66.180.173.39 google.com.sv
O1 - Hosts: 66.180.173.39 google.com.tr
O1 - Hosts: 66.180.173.39 google.com.tw
O1 - Hosts: 66.180.173.39 google.com.ua
O1 - Hosts: 66.180.173.39 google.com.uy
O1 - Hosts: 66.180.173.39 google.com.vc
O1 - Hosts: 66.180.173.39 google.com.vn
O1 - Hosts: 66.180.173.39 google.de
O1 - Hosts: 66.180.173.39 google.dj
O1 - Hosts: 66.180.173.39 google.dk
O1 - Hosts: 66.180.173.39 google.es
O1 - Hosts: 66.180.173.39 google.fi
O1 - Hosts: 66.180.173.39 google.fm
O1 - Hosts: 66.180.173.39 google.fr
O1 - Hosts: 66.180.173.39 google.gg
O1 - Hosts: 66.180.173.39 google.gl
O1 - Hosts: 66.180.173.39 google.gm
O1 - Hosts: 66.180.173.39 google.hn
O1 - Hosts: 66.180.173.39 google.ie
O1 - Hosts: 66.180.173.39 google.it
O1 - Hosts: 66.180.173.39 google.kz
O1 - Hosts: 66.180.173.39 google.li
O1 - Hosts: 66.180.173.39 google.lt
O1 - Hosts: 66.180.173.39 google.lu
O1 - Hosts: 66.180.173.39 google.lv
O1 - Hosts: 66.180.173.39 google.mn
O1 - Hosts: 66.180.173.39 google.ms
O1 - Hosts: 66.180.173.39 google.mu
O1 - Hosts: 66.180.173.39 google.mw
O1 - Hosts: 66.180.173.39 google.nl
O1 - Hosts: 66.180.173.39 google.no
O1 - Hosts: 66.180.173.39 google.off.ai
O1 - Hosts: 66.180.173.39 google.pl
O1 - Hosts: 66.180.173.39 google.pn
O1 - Hosts: 66.180.173.39 google.pt
O1 - Hosts: 66.180.173.39 google.ro
O1 - Hosts: 66.180.173.39 google.ru
O1 - Hosts: 66.180.173.39 google.rw
O1 - Hosts: 66.180.173.39 google.se
O1 - Hosts: 66.180.173.39 google.sh
O1 - Hosts: 66.180.173.39 google.sk
O1 - Hosts: 66.180.173.39 google.sm
O1 - Hosts: 66.180.173.39 google.td
O1 - Hosts: 66.180.173.39 google.tm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [mtmtw] C:\WINDOWS\System32\mtmtw.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116704552773
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

winx62
06-12-2005, 03:00 PM
I deleted all those google entries and a few others, rebooted and now the search returns the correct results, thank you very much for your idea.

Many thanks!

Dane

david eaton
06-12-2005, 04:19 PM
I hope that and a few others were the ones below! And that you deleted the relevant files!

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - (no file)

O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [mtmtw] C:\WINDOWS\System32\mtmtw.exe

Reboot and delete files:
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\scrsvc.exe
C:\WINDOWS\System32\mtmtw.exe

These may be hidden files. See HERE (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) for how to show hidden files.
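
The triage done by eye in this thread can be scripted. The following is an added example, not part of the original posts and not HijackThis code: it parses a HijackThis log, groups the O1 hosts-file entries by target address, and lists O2 BHO entries reported as "(no file)". The sample lines are constructed from the format of the log above, and the function names and the three-name threshold are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 66.180.173.39 google.com
O1 - Hosts: 66.180.173.39 google.co.uk
O1 - Hosts: 66.180.173.39 google.de
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

def hosts_redirects(log_text):
    """Group O1 entries by target address, skipping loopback/unspecified ones."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is not an IP address; ignore the line
        if not (ip.is_loopback or ip.is_unspecified):
            by_ip[str(ip)].append(m.group(2).lower())
    return dict(by_ip)

def orphaned_bhos(log_text):
    """Return (name, CLSID) for O2 entries whose DLL is listed as '(no file)'."""
    matches = (BHO_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches
            if m and m.group(3).strip() == "(no file)"]

def report(log_text, min_names=3):
    """Heuristic (assumed threshold): many names pinned to one address."""
    findings = [f"hosts: {len(names)} names pinned to {ip}"
                for ip, names in hosts_redirects(log_text).items()
                if len(names) >= min_names]
    findings += [f"BHO registered without a file: {name} {clsid}"
                 for name, clsid in orphaned_bhos(log_text)]
    return findings

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Loopback entries are skipped because they are commonly used for blocking; a hosts file that pins many unrelated public names to one routable address, as in the log above, is the pattern worth reviewing.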