Comments on: Google has been hi-jacked

Question: Google has been hi-jacked

JujuB — Sun, 28 Dec 2008 10:45:06 -0800

Help please. My Google search has been hi-jacked. The first 15 or so returns look promising until you see the website you will be directed to if you click on the link. For example, searching "Anne Bolyen" returns these links: bestweb choices, strikingoffers, freescan.antivirus, web-antivirus, teens-searcher, lowpriceshopper, and findstuff to name a few.

I am using windows xp along with Firefox 3.0.5. I have run Ad-aware and spybot. They both showed some spyware, which I've cleaned up using the respective programs. Trying to google a solution is impossible.

By: k8t

k8t — Sun, 28 Dec 2008 10:50:16 -0800

Have you deleted all of your cookies and cleared your cache?

By: DWRoelands

DWRoelands — Sun, 28 Dec 2008 10:54:06 -0800

Google's page on this issue (http://www.google.com/support/bin/answer.py?answer=8091) suggests using the two software packages you already mentioned, and also MalwareBytes. Other folks reporting this problem have recommended Malwarebytes, saying it cleared the issue.

By: Justinian

Justinian — Sun, 28 Dec 2008 10:54:30 -0800

Have you run a true antivirus program rather than anti-spyware? I believe Trend Micro will run a free scan from http://housecall.trendmicro.com/ . Since it is run from software on their server it is more difficult for whatever virus you picked up to fool with it.

Can you start the task manager and see if there are any weird processes running? Or just post all the running processes if you don't know which ones would qualify as weird.

By: dejah420

dejah420 — Sun, 28 Dec 2008 11:47:09 -0800

If looking at your processes gets you discombobulated, take a look at Process Scanner. It'll list all the processes that are running, and rank them as to their virus potential. (I found it via lifehacker.)

Seconding running the TrendMicro scanner. That thing takes a long time, but it's very effective.

There's also the possibility that there's a problem with your registry. I won't recommend editing it unless you're pretty comfortable with the knowledge that registy edits can mean that you have to nuke the box from space, reformat and reinstall if you do it wrong.

By: sevenstars

sevenstars — Sun, 28 Dec 2008 12:18:56 -0800

Maybe these are set up to catch common misspellings, as in "Bolyen" for "Boleyn"? I remember what happened when a neighbor boy misspelled "google" on our computer--a porn site I couldn't get away from. My husband had to reset our home page.

By: Lyn Never

Lyn Never — Sun, 28 Dec 2008 12:25:09 -0800

This happened to a coworker on Friday, it was an adware cookie. He caught it with one of the usual scanners.

By: JujuB

JujuB — Sun, 28 Dec 2008 12:40:47 -0800

Cleared the cache and cookies. I ran MalwareBytes which detected 7 objects, Trojan.Agent and Hijack.startmenu in the registry key and data key. I deleted them and restarted as per instructions. Google is still having problems.

I am now running Housecall that Justinan recommend. Looks like it is going to take awhile. I'll reply when it is finished, keeping my fingers crossed.

By: vaguelyweird

vaguelyweird — Sun, 28 Dec 2008 13:28:42 -0800

a friend had something similar: all google searches would be redirected to nonsense websites via a go.google redirect. also, certain "helpful" domains would be inaccessible.

I don't know if this is the problem you're having (called TDSS), but I used malwarebytes (renamed install, renamed run) in safe mode, followed by sdfix and combofix.

if this *is* the problem, you can use a free web-proxy to circumvent it & get better info (or, different computer, boot disk, dual-boot, recovery partition w/ networking, etc. i unfortunately had only that computer to work with). i copied & pasted the text of the link (since the actual link was hijacked).

By: vaguelyweird

vaguelyweird — Sun, 28 Dec 2008 13:30:43 -0800

hmm considering that housecall has been blocked for you, it's probably not the same thing.

anyway, good luck.

By: vaguelyweird

vaguelyweird — Sun, 28 Dec 2008 13:32:36 -0800

*hasn't been blocked*, not "has".
woops!

By: Chocolate Pickle

Chocolate Pickle — Sun, 28 Dec 2008 15:33:43 -0800

I've seen reports that OpenDNS hijacks the google domains. Are you using OpenDNS?

By: xenophile

xenophile — Sun, 28 Dec 2008 15:38:19 -0800

I had this happen too. I couldn't download spyware protection til I got rid of it manually. I had to disable the "backdoor" by the following steps. Make sure you boot in Safe Mode when you do this to minimize the likelihood of any more Trojans downloading.

To boot up in Safe Mode, press the F8 key over and over as the computer starts, then select Safe Mode without networking using the arrow keys. When it boots up, select HP Owner and make sure you click on the box that asks if you really want to use Safe Mode.

Go to Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

Under Hidden Devices, go down to Non-plug and Play Drivers. Click the plus sign to show those drivers.

Find TDSSserv.sys. This is the Trojan Horse malware that keeps making your searches go to "go.google."

Right click on it and select Disable. Don't uninstall it because it will reinstall every time you start the computer up.

Restart your computer, and immediately go online to download several really good, free spyware programs. I use Avast!, SuperAntiSpyware, and MalwareBytes. I also use CCleaner every time I browse, to clean up cookies and temp files.

You should run full scans with each of these programs immediately. Trojans can let other malware into a system. I once had more than 80 of these nasty things, but I regularly run these programs and haven't had a problem since.

Good luck! Trojans are a bitch.

By: JuiceBoxHero

JuiceBoxHero — Sun, 28 Dec 2008 15:45:09 -0800

My father-in-law's computer had something strange going on with it too. Not quite the same symptoms, but certain pages wouldn't load right. His DNS had been hacked.

Check your DNS:
Go to Start->Control Panel->Network Connections->Local Area Connection (or wireless, if you're using it)->Properties->Click "TCP/IP" and then "Properties"

At the bottom of that window should be a section where you can put in your own DNS servers. See if there's anything in there. If so, you can try clearing it out and clicking OK. If you're using a static IP setup with no DHCP, just leave it alone though.

The hijacked DNS started with 85.255.x.x

By: patnok

patnok — Sun, 28 Dec 2008 16:13:41 -0800

lots of nasty stuff going around. malwarebytes (on a stick) fixed me up several weeks ago. HAD to use the usb stick. could not go to the web site on the infected pc. stuff got on my external HD also but not much.

By: EmpressCallipygos

EmpressCallipygos — Sun, 28 Dec 2008 17:50:48 -0800

Cool Web Shredder. In case you're not able to find it yourself, I've linked to it here. It's a freeware trojan-removing product that targets a particular family of trojans that do the things your computer is doing -- try that.

By: JujuB

JujuB — Sun, 28 Dec 2008 20:17:41 -0800

I am still having the same problem with my searches being re-directed.

xenophile, I was able to view the hidden devices in safe mode, but did not see TDSSser.sys.

I checked my DNS, it is not open, I have a static IP setup.

The free scan of TrendMicro Scanner showed 3 vulnerabilities, all related to MS excel, I download the patches. Second scan shows 0 threats. I downloaded the 30 day trial version of Trend Micro AntiVirus. I was able to update to the latest release. Ran a new scan, it showed 16 threats, those were deleted by TrendMicro.

Hijack This shows all of this is running, but warns some is good and some may be bad. I am now over my head, here is the results from the Hijack This program:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:17 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\SysMonitor.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203469796312
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7304 bytes

Does anybody see anything that looks suspicious?

Thanks for all the help so far, I've tried everything recommended, but can't get rid of this thing that has taken over my searches.

By: telstar

telstar — Sun, 28 Dec 2008 21:57:50 -0800

jujuBe, nothing in particular jumps out at me as suspicious, but you are running a lot of stuff.

Have you tried Security Task Manager? This package has found dangerous stuff running on windows boxes for me more than once. The pay version supposedly provides more info, but I've only needed to use the free version so far. Good luck.

By: dejah420

dejah420 — Mon, 29 Dec 2008 20:12:38 -0800

Do the domains resolve correctly if you boot up in safe mode with networking?

By: JujuB

JujuB — Mon, 29 Dec 2008 20:41:44 -0800

The domains did not load correctly in safe mode.

Well, I never could find the insidious thing that took over my google and yahoo. I could boot up in normal mode and safe mode. The main symptom was redirection of google and yahoo searches. Altavista was not affected and I was able to use it to find the programs that I needed.

I threw in the towel and restored to early December start point. All is well now!

By: dejah420

dejah420 — Tue, 30 Dec 2008 20:12:58 -0800

That is so weird. The steps you followed should have gotten rid of it.

For the record; these guys are top notch at solving malware problems. Here's a thread where they've fixed the go.google redirect problem, should you find yourself facing it again.