
Spyware shows fake Google results



GoogleGuy Says







Posted: December 16, 2003 5:22 PM

Importance: Medium

GG replies in this thread about a spyware/scumware app that shows a fake "page 1" of Google results and then real results on "page 2", etc.

GoogleGuy Says:

Bing, you've got spyware! ;)

Try Spybot first, then Ad-aware, and if it still comes up then I'd write to the user support at Google (help [at] google.com) and they'll try to help you figure out how to pry it loose from your PC.


Tom

Posts: 5

Reply: 1



Posted: December 20, 2003 1:37 PM

Oh no they won't! I have this problem and I've contacted Google. They sent me the standard form-letter response telling me that they do not support the actions of anyone that employs technology that redirects page calls and that it's something on my system (gee, thanks...I hadn't figured that one out!) so it's my problem, good luck.

They were NO help whatsoever. I've used the very latest versions of AdAware, Search & Destroy, Spy Sweeper, AVG, Trend Micro, Symantec, and Norton. None of these tools detect whatever software is doing this.

All calls to Google and Yahoo search results are redirected to http://www.searchassistant.net/rd.php?affiliate=cm1&Terms=test&t=uggc%3A%2F%2Fhf05.kzyfrnepu.svaqjung.pbz%2Fova%2Fsvaqjung.qyy%3Fpyvpxguebhtu%40l%5E82089%40k%5ENAQ%3BrWqgEDSZGFv7D1SZLKdaaqw9qDcIEyCU%3AEu5VovyYJq2gy1Uc19L4%3BxRaUJ71FQSZyhb2ozfqyKGIZKtRDB1ubcEDI%3B%248&b=%200.07&e=SvaqJung&abctime=1071945449&hash=a90abce2edcdac83d2a12fc250e28c05

or

http://216.221.138.95/redir2.mod?X=uEvgptuWmDeWjEFeptyWntyZjENxsuq9ntEYnt2UmCzrpuuVntiXmTEUmTuGrvBuptaGuUFeptaGue9tptuGvvq93gvT3a

Any help would be appreciated!

Tom
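
Added example, not part of Tom's post: the `t=` value in the first redirect URL above is the destination URL, percent-encoded and then ROT13-encoded (`uggc://` is `http://`). The Python below tries ROT13 on every query parameter of a captured redirect and reports the ones that decode to a URL; the function name is illustrative.

```python
import codecs
from urllib.parse import urlsplit, parse_qs

# Redirect URL as quoted in the post above.
CAPTURED = (
    "http://www.searchassistant.net/rd.php?affiliate=cm1&Terms=test"
    "&t=uggc%3A%2F%2Fhf05.kzyfrnepu.svaqjung.pbz%2Fova%2Fsvaqjung.qyy"
    "%3Fpyvpxguebhtu%40l%5E82089%40k%5ENAQ%3BrWqgEDSZGFv7D1SZLKdaaqw9qDcIEyCU"
    "%3AEu5VovyYJq2gy1Uc19L4%3BxRaUJ71FQSZyhb2ozfqyKGIZKtRDB1ubcEDI%3B%248"
    "&b=%200.07&e=SvaqJung&abctime=1071945449"
    "&hash=a90abce2edcdac83d2a12fc250e28c05"
)


def hidden_destinations(url):
    """Return (param, decoded_url, host) for query values that are ROT13 URLs."""
    found = []
    query = urlsplit(url).query
    # parse_qs percent-decodes each value before we see it.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            candidate = codecs.decode(value, "rot_13")
            try:
                parts = urlsplit(candidate)
            except ValueError:
                continue  # not parseable as a URL at all
            if parts.scheme in ("http", "https", "ftp") and parts.hostname:
                found.append((name, candidate, parts.hostname))
    return found


if __name__ == "__main__":
    for param, decoded, host in hidden_destinations(CAPTURED):
        print(f"{param}: final destination host is {host}")
        print(f"   {decoded}")
```
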

Mark Carey

Posts: no

Reply: 2



Posted: December 20, 2003 1:41 PM

Have you manually checked your HOSTS files? Search your hard drives for "HOSTS" and open each one in a text editor. Look for Google and Yahoo entries.

Some scumware apps also change your DNS server configuration to point to a different one. If the HOSTS files are clean, this could be it...
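
Added example, not part of Mark Carey's post: one way to script the HOSTS check described above, written in Python. The watched-domain list and the sample file contents are assumptions constructed for illustration (203.0.113.7 is a documentation address); on Windows 2000/XP the real file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Assumption: the search engines the thread reports as hijacked.
WATCHED = ("google.com", "yahoo.com")

# Constructed sample HOSTS content, not taken from any poster's machine.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed hijack entry
203.0.113.7     search.yahoo.com
127.0.0.1       ads.yahoo.com               # a block, not a redirect
10.0.0.5        fileserver
"""


def suspicious_host_entries(hosts_text, watched=WATCHED):
    """Return (line_no, hostname, address, kind) for entries that override
    a watched domain or any of its subdomains."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue                             # malformed line, skip it
        for name in names:                       # one line may carry aliases
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                blocked = ip.is_loopback or ip.is_unspecified
                kind = "blocked" if blocked else "redirected"
                findings.append((lineno, host, str(ip), kind))
    return findings


if __name__ == "__main__":
    for lineno, host, ip, kind in suspicious_host_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} ({kind})")
```
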

Tom

Posts: 5

Reply: 3



Posted: December 20, 2003 1:53 PM

Yep, checked all the hosts files. They're all clean. Not sure on the DNS server config though...knowing what I "do" know about it, that seems logical enough. I'm running Win2KPro...not exactly sure how to check the DNS server config in here. Thanks for the reply and if you have any info on checking the DNS server config...I would certainly welcome those! This search thing is getting REALLY annoying. Uhhg.

Tom

Mark Carey

Posts: no

Reply: 4



Posted: December 20, 2003 10:48 PM

To check the DNS config, check the Network Connection properties (either via Control Panel>Networking or by double-clicking on the connection task-tray icon and choosing Details or Properties). Then select the TCP/IP protocol and look at the settings under DNS. A typical ISP connection will be set to "Automatically detect DNS". If there is an IP address listed instead, you should check to make sure that it is the correct one for your ISP, and not a bad one placed there by scumware. Also, some of these apps are smart enough to run every time you reboot and change the settings back, so be careful... Hope that helps.

In the meantime, you can bookmark http://216.239.37.99 for Google searching...

Tom

Posts: 5

Reply: 5



Posted: December 21, 2003 12:20 PM

This is interesting. There is no TCP/IP. It just shows my LAN connection (I'm on DSL) and that's it. No bindings to any services, clients, or protocols. hmmmmm. I guess I'm doomed. I do thank you for all the help though! Thank you VERY MUCH!

Tom

rafael

Posts: 1

Reply: 6



Posted: December 29, 2003 12:17 AM

Tom,
I have the same problem. Any progress on finding the source of the issue?


Rafael

Tom

Posts: 5

Reply: 7



Posted: December 29, 2003 7:50 PM

Good news...it's fixed. Download and run CWShredder. Simple little tool and the only one that took care of the problem.

Tom

Shannon

Posts: 1

Reply: 8



Posted: January 20, 2004 1:56 PM

I wanted to say thanks to Tom. I used your advice and was finally able to remove that damn thing from a friend's PC! Now I have 2 more PCs to fix!

Tom

Posts: 5

Reply: 9



Posted: January 20, 2004 9:47 PM

Shannon:

Good to hear! I'm glad that someone aside from myself was able to benefit from that info. Good luck!

Tom

joey

Posts: 1

Reply: 10



Posted: March 13, 2004 1:20 PM

thanks!! i've tried three different spyware apps and none worked. although the two new ones i have used after adaware picked up over 1,000 traces of spyware and adware and dialers and trojans that adaware did not. i recommend running all four of these great programs -

adaware
spybot
spy sweeper

and now the great...

CWShredder !

thanks tom!

Dave

Posts: no

Reply: 11



Posted: May 3, 2004 10:33 PM

Another CWShredder superfan! God bless this site and everything it stands for! Thanks for pointing me in the right direction!

Malcolm

Posts: no

Reply: 12



Posted: May 5, 2004 6:52 AM

Thanks tom for recommending such a great little program. I ran Ad-aware, norton, and spybot with no luck, but this little program did it in 1 minute. :D

Matia Schultz

Posts: 1

Reply: 13



Posted: May 25, 2004 10:59 AM

Thank you VERY MUCH!!! I tried Ad-aware and Spybot (both great programs) but my google searches were still being hijacked.

Thank you for your service, and for recommending CWShredder.exe.

Joe

Posts: 1

Reply: 14



Posted: June 10, 2004 4:20 PM

CWShredder worked for me too!!! Thanks!!!!

Ben

Posts: no

Reply: 15



Posted: June 20, 2004 4:39 PM

Thanks, after hours of searching, this is the first site with the exact description of my problem. CWShredder fixed it great. Thank you!

Damon

Posts: 1

Reply: 16



Posted: October 31, 2004 5:11 AM

CWShredder --- I'll have to give that a try --- nothing else worked -- the problem isn't limited to Google, since it shows up on yahoo and other main search engines.

Dogpile worked fine, but InternetExplorer has problems with almost every other search I tried.

I can't uninstall IE, since I have XP. The solution was to use NETSCAPE instead, but that's not a real fix.

Thanks, CWShredder here I come!

Melissa

Posts: 1

Reply: 17



Posted: November 30, 2004 1:33 PM

I have the same google problem. I tried CWShredder and it is telling me "CoolWebSearch was not found on your system.". Is there another program that does the same thing? I am sooo frustrated. Any help would be greatly appreciated!!

Thanks,
Melissa
:cry:

John

Posts: 1

Reply: 18



Posted: January 16, 2005 11:52 PM

I've been having the same problem with IE where all my search results are being redirected. There is a "remove adware" link at the bottom of the bogus "page 1" search results that leads you to an .exe file.

Do I dare try running it?

(the redirected search results always lead to http://61.131.54.618.cc/)

I've tried CWShredder, it didn't pick up anything either.

James

Posts: 1

Reply: 19



Posted: January 17, 2005 3:42 AM

i have the same problem. the search results get redirected to http://61.131.54.618.cc/ in google and yahoo.

anyone know of a solution?

Thanks

Aashish

Posts: 1

Reply: 20



Posted: January 18, 2005 5:54 AM

Hi,
I'm with you Melissa and John, the problem still exists, only looking in my face!!! CWShredder didn't go far. I'm looking for a solution. I'll post here if I get one.

My Poor PC.

Aashish

James

Posts: no

Reply: 21



Posted: January 18, 2005 7:00 PM

Hey someone helped me over at Spyware Warrior. Here is the forum if you want to check it out http://spywarewarrior.com/viewtopic.php?t=9500&sid=ad46762de2c18f51928d1295a768b2a7

hardtohit

Posts: 2

Reply: 22



Posted: January 19, 2005 4:14 AM

okay i tried what faust said and... strangely worked.... i don't know if this programmer just started to feel bad or what... but on click and like boom out it's gone... really weird

hardtohit

Posts: 2

Reply: 23



Posted: January 19, 2005 4:24 AM

i think the issue here is that the adware installs as an IE plug-in, which i believe the spyware scanners normally ignore...

Elias

Posts: 1

Reply: 24



Posted: January 19, 2005 3:03 PM

Hi
I am facing the same problem. I tried the suggestion from the last third thread but I could not find the program viewpoint and consequently I could not remove it.
If anyone got some info for me i would be very grateful
Thankfully, Elias

Smile

Posts: 2

Reply: 25



Posted: January 20, 2005 2:41 PM

ohh gosh ... i'm totally furious with this spy.... i tried all these programs... (Ad-aware, Spy bot, Spy sweeper, Adware away, CWShredder) and none of them fixed this problem... could u please help me!... i've found some tips, but it's for win 2000/xp... mine is 98...

Smile

Nomad

Posts: no

Reply: 26



Posted: January 21, 2005 12:03 AM

Hi folks, I've been having the same problem. Did all the same scumware scans. CWShredder didn't find this bug for me either. I was all ready to do that complicated Hijack this process. But after a few hours of research I got the idea that this thing might be a BHO (browser helper object). So I tried my new favorite program and disabled the piece of crap! Just give BHODemon a try, worked like a charm for me! Good luck, let me know how it goes.

Nomad

Posts: no

Reply: 27



Posted: January 21, 2005 1:03 AM

I just thought of something, seems like this bug and a lot of other junk showed up on my pc right after I uninstalled a nonworking copy of Spybot SD. This copy I had for 1 year, but there were never any updates. Anyone else heard of this? Also one other note. A program called Winpatrol picked up this bug first. I didn't feel comfortable using it on this entry (DNmanger.dll) or something like that because the only option was to delete. BHODemon let me disable to see if that was the problem. It was and I just used Winpatrol to wipe it out. :lol:

Wa$ter

Posts: no

Reply: 28



Posted: January 21, 2005 11:05 AM

I don't know where I got this damn spy from. I have up to date firewall, antivirus and all the latest updates from Microsoft. Still this lurker got in and took control of my search engines. Only program worked for me was BHODemon. Thanks Nomad!

Smile

Posts: 2

Reply: 29



Posted: January 21, 2005 11:35 AM

heyy everybody.... thank u all for the help...
I got this fucking spy in a crack site.... i suffered a lot to rid it... the only program that fixed it was BHODemon... thx Nomad!! :D

cemoi

Posts: 1

Reply: 30



Posted: January 23, 2005 10:13 AM

Hello everybody

I'm French and I came across this site when I searched for explanations about this bug. A second solution is possible to fix it, with the HijackThis program. In this program click on scan and check this line:
"O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL"
When it is done, click "fix checked" and the bug is fixed.
Enjoy it :wink:
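
Added example, not part of cemoi's post and not HijackThis's own logic: a Python parser that pulls the `O2 - BHO` lines out of a HijackThis log and attaches review hints to each. The hints (malformed CLSID, missing file, DLL directly in System32, 8.3 short name) are assumptions chosen for illustration and mark entries to look at, not verdicts; the sample lines are quoted from logs posted in this thread.

```python
import re
from pathlib import PureWindowsPath

# Lines quoted from HijackThis output posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Normal shape:  O2 - BHO: <name> - {CLSID} - <path>
WELL_FORMED = re.compile(
    r"^O2 - BHO: (?P<name>.*) - (?P<clsid>" + GUID + r") - (?P<path>.+)$")
# Fallback for entries whose CLSID field is not a GUID.
LOOSE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\S+) - (?P<path>.+)$")


def parse_bho_entries(log_text):
    """Return one dict per O2 (Browser Helper Object) line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        strict = WELL_FORMED.match(line)
        match = strict or LOOSE.match(line)
        if match:
            entry = match.groupdict()
            entry["guid_ok"] = strict is not None
            entries.append(entry)
    return entries


def review_notes(entry):
    """Heuristic hints (assumptions of this example) for a parsed entry."""
    notes = []
    if not entry["guid_ok"]:
        notes.append("CLSID is not a GUID")
    if entry["path"].lower().startswith("(no file)"):
        notes.append("no file on disk")
        return notes
    path = PureWindowsPath(entry["path"])
    if path.parent.name.lower() == "system32":
        notes.append("DLL sits directly in System32")
    if "~" in path.name:
        notes.append("8.3 short name, resolve the long file name")
    return notes


def triage(log_text):
    """Return (clsid, path, notes) for every BHO entry with at least one hint."""
    flagged = []
    for entry in parse_bho_entries(log_text):
        notes = review_notes(entry)
        if notes:
            flagged.append((entry["clsid"], entry["path"], notes))
    return flagged


if __name__ == "__main__":
    for clsid, path, notes in triage(SAMPLE_LOG):
        print(clsid, path, "; ".join(notes), sep=" | ")
```
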

Tog

Posts: no

Reply: 31



Posted: January 23, 2005 2:21 PM

What a saviour this link has been ! 3 days of looking for a needle. I followed Nomad's lead and came up with the BHO (DSmanager.dll). I have deleted it with no hazardous effect and learnt about BHOdemon and WinPatrol in the process, which will be invaluable in the future. No more bogus search results - fantastic !! Thanks everyone. :D

saiwa

Posts: 1

Reply: 32



Posted: January 25, 2005 11:10 AM

The simplest thing to do is to download their uninstall program (uninstall.exe) located at the bottom of the first fake page: remove AdWare.
Execute it and no more annoyance...
bye, saiwa

casperbuh

Posts: 1

Reply: 33



Posted: January 25, 2005 6:48 PM

for Saiwa, thanks!!!
it was the solution to my problems... thank you very much :D

Steve T

Posts: 1

Reply: 34



Posted: January 27, 2005 12:34 PM

Same issue with google returning false results. Funny thing is home page said google search results appeared just like a google page with google heading but results were bogus. Spent a good 6 hours trying everything from Norton, spybot, adaware and cwshredder finally installed BHOdemon and resolved the problem. Thanks for the posted info. ST

Durk the Dog

Posts: 1

Reply: 35



Posted: February 1, 2005 11:12 AM

I had the same problem. The solution was simple and correct: after trying one and all spyware-things, Saiwa's advice simply worked. Great!



Posts: no

Reply: 36



Posted: February 6, 2005 11:26 AM

At the bottom of the bogus search page there's a button "remove spyware"

1. Download the uninstaller (9.5kb)
2. Close all Internet Explorer windows
3. Run uninstaller
I did this and everything is back to normal.

Cheers!

:)

Posts: no

Reply: 37



Posted: February 6, 2005 2:42 PM

Thank you, you are right. After I read your (last) comment I went to the first Google result site, and at the bottom is the button for removing the spy.

Thx again, it's very easy :)

Nomad

Posts: no

Reply: 38



Posted: February 9, 2005 4:51 PM

Hey can we really trust the same jerks who made this bug to also remove it for us? :roll:

Osiris26

Posts: 1

Reply: 39



Posted: February 14, 2005 10:26 AM

Hi everybody,
I had the same problem. And I fixed it with this program: Hijack This. And removed this entry: O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL and everything worked fine after.

jenn

Posts: no

Reply: 40



Posted: February 16, 2005 9:07 PM

Help! I've run both the BHO Demon and Hijack this and I'm still getting the bogus Google, Yahoo, MSN search results. Anything else I should try?

Tony

Posts: no

Reply: 41



Posted: February 18, 2005 1:33 AM

I FIXED IT! I first ran spybot S&D, cleared temp files and cookies, set my homepage back to normal, and last but not least...
There is a link at the bottom of the bogus page. It says "remove adware". Click it and follow the directions. It worked for me.

Arra

Posts: no

Reply: 42



Posted: February 18, 2005 11:05 PM

Check in your windows\system32 directory for: dsmanager.dll (25kb)
Rename the file and restart your browser.
If the problem is fixed, delete the file.

Arra

Posts: no

Reply: 43



Posted: February 18, 2005 11:07 PM

Check in your windows\system32 directory for: dsmanager.dll (25kb)

Or check for any .DLL files that are around 25kb and created around the time you started noticing the problem

Rename these files and try rebooting your machine.

If the problem is now fixed, delete the files.

Arran

Posts: no

Reply: 44



Posted: February 18, 2005 11:08 PM

Check in your windows\system32 directory for: dsmanager.dll (25kb)

Rename this file and restart your browser.

If it fixed the problem, delete the file.

Arra

Posts: 1

Reply: 45



Posted: February 18, 2005 11:10 PM

Check in your windows\system32 directory for: dsmanager.dll (25kb)

Rename this file and restart your browser.

If it fixed the problem, delete the file.

BTEK02

Posts: 1

Reply: 46



Posted: February 24, 2005 7:17 PM

Hey peeps,
I have read everyone's comments on here. I have a similar situation with the fake Google results, but I think I may have a more severe version of this worm.

When I searched for "Google Fake result" on Google.com, my Internet Explorer would crash. If it didn't, the first several results would be fakes and mid-way down would be real legit results. I even looked for the "uninstall adware" button ya'll were talking about, and there's nothing.

So I went to Askjeeves.com, looked up the same topic, and found you guys on the board. I have used Ad-Aware, CWShredder, Spybot S & D, and they all don't seem to be detecting anything.

I guess my last option was to use HijackThis. Here are my results:

Logfile of HijackThis v1.99.1
Scan saved at 5:57:39 PM, on 2/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\AOL\110430~1\EE\AOLHOS~1.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRA~1\COMMON~1\AOL\110430~1\EE\AOLServiceHost.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104302107\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: mSpace Toolbar - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - (no file)
O9 - Extra 'Tools' menuitem: mSpace Toolbar - {ED46E61C-C391-49ED-82F8-A3DCAA44671F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - http://www.support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

Should there be any computer professionals, gladly would appreciate some feedback. Thanks!

primehalo

Posts: no

Reply: 47



Posted: February 27, 2005 4:55 AM

I'm having the exact same problem as you, and I've also tried everything to get rid of this thing, which just started happening on the 25th. I can't see anything in my log file that would possibly be causing this problem:

Logfile of HijackThis v1.99.1
Scan saved at 1:50:46 AM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\WallpaperCycler3\WallpaperCycler Lite.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Ken\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NuonSoft Wallpaper Cycler 3 StartupHelper] C:\Program Files\WallpaperCycler3\StartupHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

max

Posts: no

Reply: 48



Posted: February 28, 2005 12:14 PM

Another possible fix:
look in windir\system32\ for mslsp.dll
if it's there download LSP-fix, execute it, select mslsp.dll, check i know what i'm doing and press finish.
reboot and delete the dll... you are done:D

primehalo

Posts: 1

Reply: 49



Posted: March 4, 2005 12:46 AM

Yeah, that was one of the things I tried, but as with everything else it had no effect. I finally had to just give in and reinstall Windows XP.

Paddy

Posts: 1

Reply: 50



Posted: March 8, 2005 4:27 AM

I have had a lot of spyware over the years including this crappy one. There is obviously some spyware out there that just keeps sneaking through that removal tools can't find. I have windows xp and am a huge fan of the system restore tool. If you go to windows help and support and type in 'system restore' and choose 'system restore wizard' you can restore your system to an earlier point in time with minimal system changes. This has worked for me every time I have had something nasty like this.

chris

Posts: 1

Reply: 51



Posted: April 11, 2005 9:59 PM

OMG I WAS HAVING THAT SAME EXACT PROBLEM!!! IT WAS SO ANNOYING. I COULDN'T GO ON YAHOO OR MSN OR GOOGLE, THEY WERE ALL THESE PAGES THAT LIKE SOMEONE ELSE MADE AND THEY WEREN'T THE REAL THING, AND THANKS TO MARK CAREY I FIXED IT! YAY!!!!!! THANK YOU SOOOOOOOO MUCH!!! :wink:

Patrice

Posts: no

Reply: 52



PostPosted: April 26, 2005 3:37 PM 

It took me two months to find the solution to the wrong Google answers. You gave it to me. Thank you so much..... :lol:



Posts: no

Reply: 53



PostPosted: May 17, 2005 5:11 PM 

None of these work for me, only the first two results are fake though. Very annoying.

Mukhtar

Posts: no

Reply: 54



PostPosted: June 19, 2005 9:47 AM 

:cry: I have the same problem as well. It won't leave me. I can't find it anywhere, I can't find it :evil:

Hubert

Posts: no

Reply: 55



PostPosted: July 5, 2005 8:57 PM 

I've been having the same 'fake-google' homepage with the fake and annoying results. I know for sure that I got this from a crack site. I'm still using Windows 98 and have limited experience. I've tried Spybot S&D, Ad-Aware SE & CWShredder with no results. Ask Jeeves was one of the only other search engines I knew, and that's how I stumbled across this great site. Reading people's ideas, methods & success was great info. I downloaded & ran Spyware Doctor, which cleaned everything but the Google problem. It wouldn't want to clear it. After I printed its detail list, I ran the HijackThis program. Using my printout, I had more confidence in knowing what to delete. After a reboot, everything was back to normal. After 3 weeks, what a relief! :lol:

Chiron

Posts: 1

Reply: 56



PostPosted: September 16, 2005 1:15 PM 

I tried all of the above to no avail, then I checked in the HKLM\software\microsoft\windows\currentversion\run key and found an entry for dmkif.exe, so I deleted it. Next time I looked it was called dmdyo.exe, then dmgls.exe. Eventually I booted into safe mode and deleted the file itself from C:\windows\system32 and the problem was (I think) solved!

ted smith

Posts: 4

Reply: 57



PostPosted: January 1, 2006 7:25 PM 

Guys,

While I was basking in the Barbados, my son was home from college (Duke) for Xmas. When we got back, he said his computer was taken over by some adware including a fake Google. We ran Spy Sweeper and other adware detectors, with no results. I then ran XP System Restore, applied a restore point of several days before the infection was detected, and the problem went away.

Like magic.

If you don't have System Restore, there are cheap programs you can download which will do the same thing.

Cheers


olaf

Posts: xxx

Reply: 61



PostPosted: October 6, 2006 12:46 PM 

I have noticed this fake Google search problem too, including the porn queries. Now, I have noticed the following: every time I get on the Net and I click on some suspicious link, my Spybot TeaTimer resident gives me a warning: a registry key will be changed - click yes or no. Apparently this warning displays the path on the PC where the registry change will take place. Lo and behold, it displays the windows/system32/ path, usually followed by an unknown *.exe file. When I look into the system32 map, it is full of such entries, and they are all 1 kb big. Now, I don't understand why, but trying to ignore the change in TeaTimer doesn't help. And manually deleting those entries in system32 doesn't help me either.

Shoel

Posts: xxx

Reply: 62



PostPosted: November 12, 2006 3:27 AM 

I'm getting hijacked to some weird site that has an address like this: http://85.255.116.218/click.php?PHPSESSID=D1190FBBBC63413596BFE0D5DCAFB568&qq=1b95bc925eabc37f3b33b3dcfa0fbda7&id=1&qnaes={D1190FBB-BC63-4135-96BF-E0D5DCAFB568}
When it loads, the site name changes dynamically.
It's just too weird.
Tried everything, nothing detects it.

any suggestions?

Techhead

Posts: xxx

Reply: 63



PostPosted: November 22, 2006 9:12 PM 

Well, I have read all the posts and tried all the suggestions to no avail, except for using http://216.239.37.99/ as suggested in an earlier post. My Google searches still get hijacked if my address is google.com.

I have even downloaded CCleaner, did a great job of getting rid of all temp and other garbage on my harddrive.

I like to think that I keep my PC clean from jackers. I use adaware with ad-watch on at all times.

Logfile of HijackThis v1.99.1
Scan saved at 9:11:42 PM, on 11/22/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Documents and Settings\Administrator\My Documents\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://216.239.37.99/
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Joe Winocki

Posts: xxx

Reply: 64



PostPosted: January 10, 2007 4:44 PM 

Hello - I had the same problem.

I am using Windows XP. Since it seemed to be tied in to the system I went back two restore points and did a "Systems Restore".

End of problem. Just note the most recent point and don't ever restore to that date.



Posts: no

Reply: 65



PostPosted: January 10, 2007 8:51 PM 

C:\WINDOWS\System32

Rob

Posts: xxx

Reply: 66



PostPosted: January 18, 2007 6:43 PM 

Hi Shoel,

I have exactly the same problem - i.e. Google results in Internet Explorer get hijacked to http://85.255.116.218/click.php?....... or similar.

I also have intermittent issues with Windows Explorer hanging when I attempt to do a file search. Not sure if this is related, though it appeared at approx. the same time.

Have you found a solution???

I have tried all the usual detection/removal methods, e.g. HijackThis (which initially picked up references to DNS nameservers 85,255,..,.. and which I subsequently removed), Ad-Aware, shredder, but I still can't find the problem, nor can I find any obvious hijack settings in DNS or registry....

Any ideas?

Thanks in advance,
Rob
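
As an added example (not part of any post in this thread, and not HijackThis's own code): a small Python triage of a HijackThis log for the persistence points posters reported, namely Run-key executables in system32, the Winsock LSP entry and changed DNS nameservers, plus a diff of two scans to surface an autorun that comes back under a new name. The sample scans are constructed; the O10 and O17 line layouts, the documentation-range IP addresses and all function names are assumptions.

```python
import re

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
SYS32_EXE = re.compile(r"\\windows\\system32\\([^\\\"]+\.exe)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def entries(log_text):
    """Yield (code, body) for each result line; header and process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m["code"], m["body"]

def triage(log_text, trusted_dns=(), baseline_autoruns=()):
    """Return (reason, detail) pairs to review by hand before deleting anything."""
    baseline = {name.lower() for name in baseline_autoruns}
    findings = []
    for code, body in entries(log_text):
        if code == "O4":  # Run keys and Startup folder
            exe = SYS32_EXE.search(body)
            if exe and exe.group(1).lower() not in baseline:
                findings.append(("autorun in system32 not in baseline", body))
        elif code == "O10":  # Winsock LSP chain
            findings.append(("Winsock LSP entry", body))
        elif code == "O17" and "nameserver" in body.lower():
            unknown = [ip for ip in IPV4.findall(body) if ip not in trusted_dns]
            if unknown:
                findings.append(("DNS server not in trusted list", ", ".join(unknown)))
        elif code == "O23" and "unknown owner" in body.lower():
            findings.append(("service without vendor information", body))
    return findings

def autoruns_added(before_log, after_log):
    """O4 entries present only in the later scan, e.g. a renamed executable."""
    seen = {body for code, body in entries(before_log) if code == "O4"}
    return [body for code, body in entries(after_log) if code == "O4" and body not in seen]

# Constructed sample scans (not copied from any log posted in this thread).
SCAN_1 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [dmkif] C:\WINDOWS\system32\dmkif.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mslsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53,198.51.100.7
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
"""
SCAN_2 = SCAN_1.replace("dmkif", "dmdyo")  # same entry, new name on the next scan
```

Pass the resolvers your ISP or router actually hands out as `trusted_dns`, and the autorun names from a known-clean scan as `baseline_autoruns`; a flagged line is a prompt for review, not proof of infection.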

