TechSpot

Google is hijacked help please!

By rflynn86
Sep 30, 2010
  1. Hi guys, I need help, my Google searches work OK but when I go to click on the link it redirects me to random websites. I'm also getting occasional pop-ups. I've tried AVG and SUPER anti-spyware but to no avail. I had the same problem last year and you guys sorted me out :) Please help... plus is there a way I can stop it happening? I watch a lot of live streaming footie online, usually just on random websites I get on Google, do you reckon that's the problem? Thanks in advance

    Richard
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome back Richard! Let's see if we can sort you out again.

    We have made some changes in the preliminary programs, so please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, please paste the logs for review in your next reply. Okay to use more than 1 post if needed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. rflynn86

    rflynn86 TS Rookie Topic Starter

    Logs from anti-virus programs

    Thanks for your reply Bobbye, I've followed the above steps but I don't think the DDS program worked correctly, as it just brought up a notepad file straight away without running any scan and gave no options as to producing different logs?? I haven't included the entire DDS notepad file as it was mostly random symbols and didn't include any actual words, plus it was huge. I've just included the only parts that made any sense! The logs are pasted below with the name of the program noted above. Thanks again for your help!

    DDS

    MZ   ÿÿ ¸ @ € º ´ Í!¸LÍ!This program cannot be run in DOS mode.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3"> <v3:security> <v3:requestedPrivileges> <!-- level can be "asInvoker", "highestAvailable", or "requireAdministrator" --> <v3:requestedExecutionLevel level="highestAvailable" /> </v3:requestedPrivileges> </v3:security> </v3:trustInfo> </assembly>

    GMER

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-10-02 16:58:36
    Windows 5.1.2600 Service Pack 2
    Running: yecfkd8b.exe; Driver: C:\DOCUME~1\Richard\LOCALS~1\Temp\kxriikog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA604620]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
    .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C8000A
    .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
    .text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
    .text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
    .text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
    .text C:\WINDOWS\System32\svchost.exe[1064] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00A0000A
    .text C:\WINDOWS\system32\wuauclt.exe[1096] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B4000A
    .text C:\WINDOWS\system32\wuauclt.exe[1096] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B5000A
    .text C:\WINDOWS\system32\wuauclt.exe[1096] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B3000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0149000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 014A000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0103000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3168] USER32.dll!TrackPopupMenu 7E4650EE 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----


    MBAM

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4728

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    01/10/2010 22:20:35
    mbam-log-2010-10-01 (22-20-35).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 231882
    Time elapsed: 1 hour(s), 18 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\cpu.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please uninstall whatever you have for DDS and run the scan again. Are you running it in the same mode as the other programs? It looks like you were in DOS mode.
     
  5. rflynn86

    rflynn86 TS Rookie Topic Starter

    Google Hijacked - can't download DDS

    I can't seem to get it to work for me, the same thing keeps happening every time I try. I have even tried other links to the program but the same thing happens? I just click on run, is there a way to disable DOS mode??
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please tell me the origin of the operating system. Did you buy the computer with Windows XP installed? Have you ever replaced Windows XP? Is this a legitimate copy of Windows XP?
     
  7. rflynn86

    rflynn86 TS Rookie Topic Starter

    Origin of Windows

    I don't think it's a legitimate copy of Windows, sorry, I got it off a friend of mine. Is there anything I need to do then?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your friend didn't do you a favor. The only thing for you to do is get rid of the pirated OS and reformat/install a legitimate copy.

    We do not support pirated software.
     
Topic Status:
Not open for further replies.
