
Google throwing up spam results



supertrouper
30-12-2012, 12:56 PM
Now that I'm away on holiday I'm using my laptop and I've started getting spam results in Google searches.

If I search for something, I get the normal page of results, but within less than a second of the page appearing, the results change and there are extra results which are all SPAM listings.

A common one which appears is "Local mom earns $260 every day?". This can appear at the top, in the middle, or near the bottom of the page. It is quite random.

I updated and ran a full MalwareBytes Anti-Malware scan, and it found around 27 items, mostly something called "Funmoods". I removed all of these entries and then found an extension in Firefox called "Funmoods Toolbar" (which I have not seen at all) so I removed that too.

Since then I have run full scans with MSE and I've also installed SuperAntiSpyware and run that too. Nothing found.

I installed MalwareBytes Anti-rootkit and ran that, nothing found.

I did a HijackThis scan and there's nothing obvious there either. [I've had the log checked by others and they can't see anything either].

I can't find anything on Google that might help, so I am running out of ideas. It definitely looks like a hijacker to me, but nothing I try seems to be able to find it.

I'm running the latest version of FF (17.0.1) which says it's up to date.

Any suggestions?

Nick G
30-12-2012, 01:18 PM
Can you please run a HijackThis log scan and post the results here.

Also, can you perform the same search using Internet Explorer instead of Firefox? Do you still get the spam entries?

supertrouper
30-12-2012, 01:35 PM
Thanks for the reply Nick.

Good point. I don't get the same issue with IE, so it's obviously a Firefox problem.

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:21:01 p.m., on 30/12/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16457)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Winamp\winampa.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Users\Home\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MobileBroadband] C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe /silent
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E1FD11-3FAB-41E0-8BF6-329F694E7946}: NameServer = 203.109.191.1 203.118.191.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Vodafone Mobile Broadband Service (VmbService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe

--
End of file - 5790 bytes

Nick G
30-12-2012, 01:49 PM
Ok, you are not clean.
Please run another HijackThis scan, and select the following items:
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E1FD11-3FAB-41E0-8BF6-329F694E7946}: NameServer = 203.109.191.1 203.118.191.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
Now please close all windows apart from HijackThis, and click the 'Fix checked' button.

edit - once you have done this, please run another HijackThis scan and again please post the results.
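
The O17 lines Nick points at are the per-interface DNS server values HijackThis reads from the Tcpip\Interfaces registry keys, once for the current control set (CCS) and once for each saved control set (CS1, CS2). The question is not whether O17 lines exist but whether the resolvers they name are the ones the ISP hands out. The script below is an added example written for this thread, not code from HijackThis or from any poster: it parses O17 lines out of a log, groups them by interface across control sets, and flags any resolver outside an allowlist. The allowlist is a placeholder assumption; fill it from your provider's published resolver addresses. The sample log is constructed from the thread's four lines plus one hypothetical interface using a documentation address so the check has something to flag.

```python
import re
from collections import defaultdict

# Matches HijackThis O17 lines, e.g.
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4 5.6.7.8
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>[^\\]+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$"
)

# Constructed sample: the four O17 lines from the thread, one unrelated O4
# line, and one hypothetical interface whose resolver is a documentation
# address (192.0.2.53) so that the allowlist check has something to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E1FD11-3FAB-41E0-8BF6-329F694E7946}: NameServer = 203.109.191.1 203.118.191.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Placeholder allowlist (assumption): fill this from your ISP's published
# resolver addresses. The thread itself never confirms which addresses are expected.
ALLOWLIST = {"203.118.191.1", "203.109.191.1"}


def parse_o17(log_text):
    """Return [(control_set, interface_guid, [resolver, ...]), ...] in log order."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m["cs"], m["guid"], m["servers"].split()))
    return entries


def unexpected_resolvers(entries, allowlist):
    """Map each resolver outside the allowlist to the (control set, interface) pairs using it."""
    hits = defaultdict(list)
    for cs, guid, servers in entries:
        for ip in servers:
            if ip not in allowlist:
                hits[ip].append((cs, guid))
    return dict(hits)


def resolvers_per_interface(entries):
    """Group resolver lists by interface GUID across CCS/CS1/CS2, so the saved
    copies of one adapter's configuration are not mistaken for separate hijacks."""
    by_guid = defaultdict(dict)
    for cs, guid, servers in entries:
        by_guid[guid][cs] = servers
    return dict(by_guid)


if __name__ == "__main__":
    found = parse_o17(SAMPLE_LOG)
    for ip, where in unexpected_resolvers(found, ALLOWLIST).items():
        print(f"resolver {ip} not in allowlist, set on: {where}")
    for guid, per_cs in resolvers_per_interface(found).items():
        print(guid, per_cs)
```

Three of the thread's four lines are the same interface repeated across control sets, so "Fix checked" on all four is really one change. Static NameServer values are typically written by connection software (the process list shows a Vodafone mobile broadband client) and come back on the next connect, which matches what supertrouper reports later; comparing the addresses against the provider's resolvers tells you more than deleting them does.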

The Error Guy
30-12-2012, 01:58 PM
I'll add my 2c here too. In addition to the HijackThis check, check your extensions in FF. I had a very useful & largely legitimate extension in Chrome called Free Video Downloader. I hardly used the extension so I got rid of it and left a bollocking review on the app developer's page in the Chrome store, but it's something that might pop up and won't show in a virus scan.

These days actual viruses don't really come about; it's more spamware-type things that generate money instead of mindlessly crippling PCs.

supertrouper
30-12-2012, 02:10 PM
> Ok, you are not clean.
> Please run another HijackThis scan, and select the following items:
> O17 - HKLM\System\CCS\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
> O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E1FD11-3FAB-41E0-8BF6-329F694E7946}: NameServer = 203.109.191.1 203.118.191.1
> O17 - HKLM\System\CS1\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
> O17 - HKLM\System\CS2\Services\Tcpip\..\{26C5F990-3AEB-4025-B886-97296F448CE9}: NameServer = 203.118.191.1 203.109.191.1
> Now please close all windows apart from HijackThis, and click the 'Fix checked' button.
>
> edit - once you have done this, please run another HijackThis scan and again please post the results.

Hmmm... I wondered about those entries as well. Anyway, I went through several times and tried to get HJT to remove them, but each time I do a new scan, there they are. Stubborn; no way to remove them, it seems.


> I'll add my 2c here too. In addition to the HijackThis check, check your extensions in FF. I had a very useful & largely legitimate extension in Chrome called Free Video Downloader. I hardly used the extension so I got rid of it and left a bollocking review on the app developer's page in the Chrome store, but it's something that might pop up and won't show in a virus scan.



I think you might have nailed it there. I installed "Fast Video Downloader" not that long ago. Seemed like a legit FF add-on, but I've just uninstalled it now and my Google searches *appear* to be back to normal.

Now I just need to hunt the producer of that app down and find a strong rope...

Thank you to you both for your thoughts and ideas.

Nick G
30-12-2012, 02:17 PM
So you can't remove it?
Can you please download AdwCleaner from http://www.bleepingcomputer.com/download/adwcleaner/dl/125/. Install it and run a scan. If it brings up results, delete those items.

Next, open up Firefox. Type about:config into the address bar and press Enter. Click through the warning, and you should see a list of entries. Type 'Funmoods' into the search function and press Enter. Right click on any results and click 'Reset'.

Then, type 'Fast Video Downloader' into the search function. Again, right click on any selected entries and click 'Reset'.

Now, please reboot your computer, run yet another HijackThis scan, and post the results here.
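
Nick's about:config steps search the live preference store for anything the two add-ons left behind. The same check can be run offline against the profile's prefs.js, the file in which Firefox persists user-set preferences as user_pref("name", value); lines. The script below is an added example for this thread, not code from Mozilla or from any poster. The sample prefs.js is constructed: the extensions.funmoods.* and extensions.fastvideodownloader.* names are hypothetical placeholders, the URLs use reserved documentation domains, and TRUSTED_HOSTS is an assumption standing in for the hosts the user actually chose as homepage and search engine.

```python
import re
from urllib.parse import urlparse

# One user_pref("name", value); line from Firefox's prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed sample prefs.js. The extension-specific pref names are
# hypothetical placeholders; the URLs use reserved documentation domains.
SAMPLE_PREFS_JS = r"""
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.example.org/");
user_pref("extensions.funmoods.enabled", true);
user_pref("extensions.funmoods.searchurl", "http://start.example.test/?q=");
user_pref("extensions.fastvideodownloader.installed", 1356800000);
user_pref("keyword.URL", "http://search.example.test/?q=");
"""

# Hosts the user deliberately configured for homepage/search (assumption).
TRUSTED_HOSTS = {"www.example.org"}


def parse_prefs(text):
    """Return {pref_name: raw_value_text} for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def _norm(s):
    # about:config search is a plain substring match; folding case and
    # separators lets "Fast Video Downloader" hit "extensions.fastvideodownloader.*".
    return re.sub(r"[\s_.\-]", "", s).lower()


def find_prefs(prefs, needles):
    """Prefs whose name or value mentions any needle, like an about:config search."""
    keys = [_norm(n) for n in needles]
    return {
        name: value
        for name, value in prefs.items()
        if any(k in _norm(name + " " + value) for k in keys)
    }


def unknown_url_hosts(prefs, trusted_hosts):
    """Prefs whose value is a URL pointing at a host outside trusted_hosts.

    This catches a redirected search or homepage even when the pref name
    carries no hint of which add-on set it."""
    out = {}
    for name, raw in prefs.items():
        value = raw.strip('"')
        if not value.startswith(("http://", "https://")):
            continue
        host = urlparse(value).hostname or ""
        if host not in trusted_hosts:
            out[name] = host
    return out


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for name in find_prefs(prefs, ["Funmoods", "Fast Video Downloader"]):
        print("add-on pref:", name)
    for name, host in unknown_url_hosts(prefs, TRUSTED_HOSTS).items():
        print("URL pref pointing outside trusted hosts:", name, "->", host)
```

Run it against a copy of prefs.js taken while Firefox is closed, since Firefox rewrites the file on exit. The second check is the one worth keeping after the add-on is gone: a search or homepage pref that still points at a host you never chose is exactly the kind of leftover that produces injected results without any extension showing up in the add-ons list.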

supertrouper
30-12-2012, 02:32 PM
> So you can't remove it?
> Can you please download AdwCleaner from http://www.bleepingcomputer.com/download/adwcleaner/dl/125/. Install it and run a scan. If it brings up results, delete those items.
>
> Next, open up Firefox. Type about:config into the address bar and press Enter. Click through the warning, and you should see a list of entries. Type 'Funmoods' into the search function and press Enter. Right click on any results and click 'Reset'.
>
> Then, type 'Fast Video Downloader' into the search function. Again, right click on any selected entries and click 'Reset'.
>
> Now, please reboot your computer, run yet another HijackThis scan, and post the results here.

I'm on mobile BB at the moment and fast chewing up data, so I can't download any more programs, but the removal of Fast Video Downloader seems to have cured the problem.
I have also added a warning to the reviews of that product: https://addons.mozilla.org/en-US/firefox/addon/fast-video-download-with-searc/reviews/

I'll see how things go but for now everything seems to be Ok. If it's not, I'll come back here and carry on with the suggestions you've offered, although it may have to wait until I am back home to connect to the BB there.

Cheers!

Nick G
30-12-2012, 02:38 PM
It's fine to skip that step and go straight to steps two and three. They will (hopefully) tell you if Funmoods and Fast Video Downloader have been removed. I'd still do step one when you are back on normal internet though.

wainuitech
30-12-2012, 10:25 PM
If you actually read the reviews right under the download of Fast Video Downloader there's some that say it's crap and actually contains malware: https://addons.mozilla.org/en-us/firefox/addon/fast-video-download-with-searc/ Don't people actually bother to read what other users report? The warnings were there :rolleyes:

The Error Guy
01-01-2013, 04:30 PM
Well, for me the app was legit for about 8 months before the spam/malware was implemented through an update.