I recently removed "Antivirus 2009" malware from a friend's computer using Malwarebytes. That process seemed to go smoothly, however there remains a problem with Google search results being hijacked.
Google opens fine, however the search results page doesn't look quite right (font too large, and random characters like "9h" appears at top of page just prior to the search results). The list of results themselves look reasonable, but when you click on one, a new window opens containing a page generally unrelated to the link clicked. The web addresses in the new window are always preceded by "go." for example "
www.go.blahblahblah.com"
Any ideas?
Here's the logfile from Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 1:55:00 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.e
xe
C:\WINDOWS\system32\winlog
on.exe
C:\WINDOWS\system32\servic
es.exe
C:\WINDOWS\system32\lsass.
exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\System32\svchos
t.exe
C:\WINDOWS\system32\spools
v.exe
c:\program files\common files\logishrd\lvmvfm\LVPr
cSrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
tsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
iceService
.exe
C:\PROGRA~1\Grisoft\AVGFRE
~1\avgamsv
r.exe
C:\PROGRA~1\Grisoft\AVGFRE
~1\avgupsv
c.exe
c:\program files\ge security supra\syncservice.exe
C:\Program Files\Softex\OmniPass\Omni
serv.exe
C:\WINDOWS\System32\svchos
t.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\SSL\stunnel-4.10.exe
C:\Program Files\Softex\OmniPass\OPXP
App.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.
exe
C:\PROGRA~1\Grisoft\AVGFRE
~1\avgemc.
exe
C:\PROGRA~1\Grisoft\AVGFRE
~1\avgcc.e
xe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Program Files\Malwarebytes' Anti-Malware\Chew.exe
C:\WINDOWS\system32\wuaucl
t.exe
C:\DOCUME~1\Owner\LOCALS~1
\Temp\Temp
orary Directory 3 for 4 hijackthis.zip\HijackThis.
exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
84B7D6BE0B
3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.d
ll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
4DAF1D92D4
3} - C:\Program Files\Java\jre1.6.0_03\bin
\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-0
5D28BCF79F
5} - c:\program files\hewlett-packard\digi
tal imaging\bin\hpdtlk02.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-A
A305ED9D92
2} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE
~1\avgemc.
exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE
~1\avgcc.e
xe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
r\Binaries
\MSConfig.
exe /auto
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digi
tal Imaging\bin\backupnotify.e
xe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\
search.htm
l
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
\Office10\
EXCEL.EXE/
3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.
htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.
htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
0401C60850
1} - C:\Program Files\Java\jre1.6.0_03\bin
\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
0401C60850
1} - C:\Program Files\Java\jre1.6.0_03\bin
\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B
4C75499B57
8} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
FC0DE4A789
7} - C:\WINDOWS\System32\shdocv
w.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A
9046DEA8A2
1} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.fnismls.com
O15 - Trusted Zone:
http://*.lvarmls.comO15 - Trusted Zone: abqrealtors.rapmls.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone:
http://*.rapmls.comO15 - Trusted Zone:
http://*.vvmls.comO16 - DPF: ImageUploader -
http://www.assetval.com/app/ImageUploader.CABO16 - DPF: {17492023-C23A-453E-A040-C
7C580BBF70
0} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {30528230-99f7-4bb4-88d8-f
a1d4f56a2a
b} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsth
elper.dll
O16 - DPF: {6E5E167B-1566-4316-B27F-0
DDAB3484CF
7} (Image Uploader Control) -
http://www.riocentral.com/Image%20Uploader/ImageUploader4.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0
060082AA75
C} (GpcContainer Class) -
https://fisdesktop.webex.com/client/T26L/training/ieatgpc.cabO16 - DPF: {E87F6C8E-16C0-11D3-BEF7-0
0902743800
3} (Persits Software XUpload) -
https://www.assetlinklp.com/AssetLinkPortal/XUpload.ocxO16 - DPF: {EDFCB7CB-942C-4822-AF14-F
0B68740984
8} (Image Uploader Control) -
http://www.riocentral.com/Image%20Uploader/ImageUploader4.cabO16 - DPF: {FD0B6769-6490-4A91-AA0A-B
5AE0DC75AC
9} (Performance Viewer Activex Control) -
https://secure.logmein.com/activex/ractrl.cab?lmi=100O17 - HKLM\System\CCS\Services\T
cpip\..\{1
0898C23-79
68-45D2-83
F5-EC6F4C4
50B6D}: NameServer = 208.67.222.222,208.67.220.
220
O17 - HKLM\System\CS2\Services\T
cpip\..\{1
0898C23-79
68-45D2-83
F5-EC6F4C4
50B6D}: NameServer = 208.67.222.222,208.67.220.
220
O17 - HKLM\System\CS4\Services\T
cpip\..\{1
0898C23-79
68-45D2-83
F5-EC6F4C4
50B6D}: NameServer = 208.67.222.222,208.67.220.
220
O20 - AppInit_DLLs: idnhkh.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dims
ntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsr
vc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIini
t.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxp
gina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
on.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
4D524869DB
5} - C:\WINDOWS\system32\WPDShS
erviceObj.
dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aol
tsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
iceService
.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
~1\avgamsv
r.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
~1\avgupsv
c.exe
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.
exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.
exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPr
cSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\Srv
Lnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc3
2.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omni
serv.exe
