| Thread ID: 128566 | 2012-12-29 23:56:00 | Google throwing up spam results | supertrouper (6665) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1320691 | 2012-12-29 23:56:00 | Now that I'm away on holiday I'm using my laptop and I've started getting spam results in Google searches. If I search for something, I get the normal page of results, but within less than a second of the page appearing, the results change and there are extra results which are all SPAM listings. A common one which appears is "Local mom earns $260 every day?". This can appear at the top, in the middle, or near the bottom of the page. It is quite random. I updated and ran a full MalwareBytes Anti-Malware scan, and it found around 27 items, mostly something called "Funmoods". I removed all of these entries and then found an extension in Firefox called "Funmoods Toolbar" (which I have not seen at all) so I removed that too. Since then I have run full scans with MSE and I've also installed SuperAntiSpyware and run that too. Nothing found. I installed MalwareBytes Anti-rootkit and ran that, nothing found. I did a HijackThis scan and there's nothing obvious there either. [I've had the log checked by others and they can't see anything either]. I can't find anything on Google that might help, so I am running out of ideas. It definitely looks like a hijacker to me, but nothing I try seems to be able to find it. I'm running the latest version of FF (17.0.1) which says it's up to date. Any suggestions? | supertrouper (6665) | ||
| 1320692 | 2012-12-30 00:18:00 | Can you please run a HijackThis log scan and post the results here. Also, can you perform the same search using Internet Explorer instead of Firefox? Do you still get the spam entries? | Nick G (16709) | ||
| 1320693 | 2012-12-30 00:35:00 | Thanks for the reply Nick. Good point. I don't get the same issue with IE, so it's obviously a Firefox problem. Here's the HijackThis log: Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 1:21:01 p.m., on 30/12/2012 Platform: Windows 7 SP1 (WinNT 6.00.3505) MSIE: Internet Explorer v9.00 (9.00.8112.16457) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskhost.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files\Winamp\winampa.exe C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe C:\Windows\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Users\Home\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [MobileBroadband] C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe /silent O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics O17 - HKLM\System\CCS\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E1FD11-3FAB-41E0-8BF6-329F694E7946}: NameServer = 203.109.191.1 203.118.191.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 O17 - HKLM\System\CS2\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe O23 - Service: Vodafone Mobile Broadband Service (VmbService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe -- End of file - 5790 bytes | supertrouper (6665) | ||
| 1320694 | 2012-12-30 00:49:00 | Ok, you are not clean. Please run another HijackThis scan, and select the following items: O17 - HKLM\System\CCS\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E1FD11-3FAB-41E0-8BF6-329F694E7946}: NameServer = 203.109.191.1 203.118.191.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 O17 - HKLM\System\CS2\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 Now please close all windows apart from HijackThis, and click the 'Fix checked' button. Edit - once you have done this, please run another HijackThis scan and again please post the results. | Nick G (16709) | ||
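Nick G's instruction above singles out the O17 NameServer entries, which are the per-interface DNS resolvers HijackThis reads from the registry. As an added example (not code from the thread or from HijackThis), here is a Python parser that pulls the O17 lines out of a HijackThis log and flags any resolver that is not in an allowlist you supply; the sample consists of the four O17 lines from the log posted in this thread plus one constructed line (all-zero GUID, TEST-NET address) so that the flagging path runs, and the allowlist is constructed too.

```python
import re
from ipaddress import ip_address

# Constructed sample: the four O17 lines from the HijackThis log posted in this
# thread, one unrelated O2 line, and one constructed O17 line (all-zero GUID,
# TEST-NET address, not from the log) so that the flagging path is exercised.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E1FD11-3FAB-41E0-8BF6-329F694E7946}: NameServer = 203.109.191.1 203.118.191.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Resolvers this machine is expected to use (constructed allowlist; in practice
# take it from a known-good 'ipconfig /all' on the same connection).
EXPECTED_RESOLVERS = {"203.118.191.1", "203.109.191.1"}

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<set>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>.+)$"
)

def parse_o17(log_text):
    """One record per O17 line: control set, interface GUID, resolver list."""
    records = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for token in re.split(r"[\s,]+", m.group("servers").strip()):
            try:
                servers.append(str(ip_address(token)))  # normalised address
            except ValueError:
                servers.append(token)  # keep malformed values visible, do not hide them
        records.append({"set": m.group("set"), "guid": m.group("guid").upper(), "servers": servers})
    return records

def unexpected_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Records whose NameServer list contains an address outside the allowlist."""
    flagged = []
    for rec in parse_o17(log_text):
        extra = [s for s in rec["servers"] if s not in expected]
        if extra:
            flagged.append({**rec, "unexpected": extra})
    return flagged
```

The same GUID appearing under CCS, CS1 and CS2 is the current and the saved control sets referring to one interface, so one unexpected resolver typically shows up as several O17 lines.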
| 1320695 | 2012-12-30 00:58:00 | I'll add my 2c here too: in addition to HijackThis, check your extensions in FF. I had a very useful & largely legitimate extension in Chrome called free video downloader. I hardly used the extension so I got rid of it and left a bollocking review on the app developer's page in the Chrome store, but it's something that might pop up and won't show in a virus scan. These days actual viruses don't really come about; it's more spamware type things that generate money instead of mindlessly crippling PCs. | The Error Guy (14052) | ||
| 1320696 | 2012-12-30 01:10:00 | Quote (Nick G): "Ok, you are not clean. Please run another HijackThis scan, and select the following items: O17 - HKLM\System\CCS\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E1FD11-3FAB-41E0-8BF6-329F694E7946}: NameServer = 203.109.191.1 203.118.191.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 O17 - HKLM\System\CS2\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1 Now please close all windows apart from HijackThis, and click the 'Fix checked' button. Edit - once you have done this, please run another HijackThis scan and again please post the results." Hmmm... I wondered about those entries as well. Anyway, I went through several times and tried to get HJT to remove them but each time I do a new scan, there they are. Stubborn, no way to remove them it seems. Quote (The Error Guy): "I'll add my 2c here too: in addition to HijackThis, check your extensions in FF. I had a very useful & largely legitimate extension in Chrome called free video downloader. I hardly used the extension so I got rid of it and left a bollocking review on the app developer's page in the Chrome store, but it's something that might pop up and won't show in a virus scan." I think you might have nailed it there. I installed "Fast Video Downloader" not that long ago. Seemed like a legit FF add-on, but I've just uninstalled it now and my Google searches *appear* to be back to normal. Now I just need to hunt the producer of that app down and find a strong rope... Thank you to you both for your thoughts and ideas. | supertrouper (6665) | ||
| 1320697 | 2012-12-30 01:17:00 | So you can't remove it? Can you please download AdwCleaner from www.bleepingcomputer.com. Install it and run a scan. If it brings up results, delete those items. Next, open up Firefox. Type in about:config into the address bar, and press enter. Click through the warning, and you should see a list of entries. Type 'Funmoods' into the search function, and press enter. Right click on any results and click 'reset'. Then, type 'Fast Video Downloader' into the search function. Again, right click on any selected entries and click 'reset'. Now, please reboot your computer, run yet another HijackThis scan, and post the results here. | Nick G (16709) | ||
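The about:config steps above search preference names and values for the two add-on names and reset whatever matches. As an added example that is not from the thread, this Python script does the same search offline over a Firefox profile's prefs.js (the sample file, its pref names and its URLs are constructed), tolerates the spacing difference between an add-on's display name and the prefix it uses in pref names, and removes the matching user_pref lines, which is equivalent to 'reset' because prefs.js only stores values that differ from the defaults.

```python
import re

# Constructed sample prefs.js (not from the thread): pref names and URLs are
# made up; only the two add-on names come from the thread.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1356822000);
user_pref("browser.startup.homepage", "http://search.funmoods.example/?a=1");
user_pref("extensions.funmoods.example_setting", "abc");
user_pref("extensions.fastvideodownloader.enabled", true);
user_pref("keyword.URL", "http://www.google.com/search?q=");
"""

PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);$')

def _squash(s):
    """Lower-case and drop spaces/punctuation: 'Fast Video Downloader' then matches 'fastvideodownloader'."""
    return re.sub(r"[\s_.\-]", "", s.lower())

def parse_prefs(text):
    """Map pref name -> raw value literal for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group("name")] = m.group("value")
    return prefs

def find_residue(text, markers):
    """Prefs whose name or value mentions any marker, as (name, value, marker)."""
    hits = []
    for name, value in parse_prefs(text).items():
        hay = _squash(name + " " + value)
        for marker in markers:
            if _squash(marker) in hay:
                hits.append((name, value, marker))
                break
    return hits

def strip_residue(text, markers):
    """prefs.js content with the flagged user_pref lines removed. Dropping a line
    reverts that pref to its default, i.e. 'reset'. Write it back only while Firefox is closed."""
    drop = {name for name, _, _ in find_residue(text, markers)}
    kept = []
    for ln in text.splitlines():
        m = PREF_RE.match(ln.strip())
        if not (m and m.group("name") in drop):
            kept.append(ln)
    return "\n".join(kept) + "\n"
```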
| 1320698 | 2012-12-30 01:32:00 | Quote (Nick G): "So you can't remove it? Can you please download AdwCleaner from www.bleepingcomputer.com. Install it and run a scan. If it brings up results, delete those items. Next, open up Firefox. Type in about:config into the address bar, and press enter. Click through the warning, and you should see a list of entries. Type 'Funmoods' into the search function, and press enter. Right click on any results and click 'reset'. Then, type 'Fast Video Downloader' into the search function. Again, right click on any selected entries and click 'reset'. Now, please reboot your computer, run yet another HijackThis scan, and post the results here." I'm on mobile BB at the moment and fast chewing up data, so I can't download any more programs, but the removal of Fast Video Downloader seems to have cured the problem. I have also added a warning to the reviews of that product: addons.mozilla.org. I'll see how things go but for now everything seems to be OK. If it's not, I'll come back here and carry on with the suggestions you've offered, although it may have to wait until I am back home to connect to the BB there. Cheers! | supertrouper (6665) | ||
| 1320699 | 2012-12-30 01:38:00 | It's fine to skip that step and go straight to steps two and three. They will (hopefully) tell you if Funmoods and Fast Video Downloader have been removed. I'd still do step one when you are back on normal internet though. | Nick G (16709) | ||
| 1320700 | 2012-12-30 09:25:00 | If you actually read the reviews right under the download of Fast Video Downloader, there's some that say it's crap and actually contains malware: addons.mozilla.org. Don't people actually bother to read what other users report? The warnings were there :rolleyes: | wainuitech (129) | ||