Wednesday, January 24, 2007

Google Hijacked?

Has Google been hijacked? Some people think it has, but no, it hasn't. Someone has created a new Trojan downloader that infects people's systems through Google. It is my belief that it secretly downloads zip files whose names contain your most frequent Google searches. These zip files continuously download spyware, adware and Trojans onto your computer without you even knowing. The Google Toolbar most likely contributes to your vulnerability to this virus. As far as I know, this infection is Windows only. (Lucky Macs.) It is a system infection, not just a virus. (Both Internet Explorer and Firefox on the same computer have shown the infection.) A good program to use to find this virus is HijackThis!, a program that lists the processes running on your computer and any system changes made since you got it. This allows you to see the virus or viruses and remove them. Regular anti-virus or anti-spyware programs freeze up when they get to the virus.

Here is a post by someone who has been infected by this virus, at Experts-Exchange.
(http://www.experts-exchange.com/Security/Q_21454153.html)


Title: Google Hijack
asked by moeman99 on 06/10/2005 10:13AM PDT

My Google has been taken over, please help! This is not just an IE issue as this same behavior is present in Firefox. When I type a search into Google it takes me to a results page that looks something like Google but the returned links seem to be paid advertisements that may or may not have anything to do with what I was searching for. None of the links on my Google page work either. (ie, Images, Groups, Advanced Search, etc.) When I click one of these, the page does not change but the address in my address bar changes from "http://google.com/" to "http://google.com/#". I am unable to connect to gmail either, when I try, it takes me to "The page cannot be found" page. I've done a virus scan (McAfee) and found nothing. I've run Spybot, Ad-Aware, and XoftSpy with no luck. I've hunted this site for help but have not been successful. I'm running XP Pro (SP 2). Below is a log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:07:48 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Momentum\MHVPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\tthalman\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.78 www.google.co.uk
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.ca
O1 - Hosts: 213.219.251.78 google.ca
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.78 google.es
O1 - Hosts: 213.219.251.78 www.google.de
O1 - Hosts: 213.219.251.78 google.de
O1 - Hosts: 213.219.251.78 www.google.fr
O1 - Hosts: 213.219.251.78 google.fr
O1 - Hosts: 213.219.251.78 www.google.com.au
O1 - Hosts: 213.219.251.78 google.com.au
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 213.219.251.79 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.81 astalavista.com
O1 - Hosts: 213.219.251.81 www.astalavista.com
O1 - Hosts: 213.219.251.81 astalavista.box.sk
O1 - Hosts: 213.219.251.81 www.astalavista.box.sk
O1 - Hosts: 213.219.251.81 cracks.com
O1 - Hosts: 213.219.251.81 www.cracks.com
O1 - Hosts: 213.219.251.80 www.msn.com
O1 - Hosts: 213.219.251.80 msn.com
O1 - Hosts: 213.219.251.80 search.msn.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Momentum Healthware MHVPN Client.lnk = C:\Program Files\Momentum\MHVPN Client\vpngui.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = momentumhealthware.local
O17 - HKLM\Software\..\Telephony: DomainName = momentumhealthware.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = momentumhealthware.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Momentum\MHVPN Client\cvpnd.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

************** The solution to the problem is here: (https://secure.experts-exchange.com/register.jsp?rsid=20&srid=jmPTpeX%2BuRrquVBPHbhquQ%3D%3D&redirectURL=%2FSecurity%2FQ_21454153.html%3Fqid%3D21454153). But you have to subscribe to the website in order to view it :(. If you know what you are looking for, then you should be OK.
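What to look for in that log is the block of "O1 - Hosts:" lines: a hosts-file entry overrides DNS for that name, and here many unrelated search-engine domains all point at a few neighbouring IPs. The script below is an added example (not from the blog post, the Experts-Exchange thread or HijackThis itself) that pulls those O1 entries out of a HijackThis log, or reads a raw hosts file directly, and groups every non-loopback override by destination IP so the hijack pattern stands out. The sample log lines are constructed to resemble the quoted log; the 213.219.251.x addresses are the ones it reports.

```python
import re
from collections import defaultdict

# Loopback / unspecified targets are the normal content of a hosts file
# (including ad-blocking lists); anything else silently overrides DNS.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hijackthis_o1(log_text):
    """Return (ip, hostname) pairs from the 'O1 - Hosts:' lines of a HijackThis log."""
    pairs = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def parse_hosts_file(hosts_text):
    """Return (ip, hostname) pairs from a raw hosts file; comments and blank lines
    are skipped and a line naming several hosts yields one pair per host."""
    pairs = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            pairs.append((fields[0], host))
    return pairs


def suspicious_overrides(pairs):
    """Group overrides that point somewhere other than loopback, keyed by IP.
    Many unrelated well-known names funnelled into a few adjacent IPs is the
    hijack pattern in the quoted log."""
    by_ip = defaultdict(list)
    for ip, host in pairs:
        if ip not in BENIGN_TARGETS:
            by_ip[ip].append(host)
    return dict(by_ip)


# Constructed sample: a few O1 lines modelled on the quoted log plus benign lines.
SAMPLE_LOG = """\
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 127.0.0.1 ad.example.invalid
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for ip, hosts in suspicious_overrides(parse_hijackthis_o1(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(hosts))
```

To check a live Windows XP machine, read %SystemRoot%\system32\drivers\etc\hosts and pass its contents to parse_hosts_file; the same grouping then shows exactly which names are being redirected and where.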

This is just so you can all be aware of this new computer infection that is spreading.

Thanks for viewing,
Adam
