
Google Results - Very Strange

  • 03-02-2009 12:47pm
    #1
    Closed Accounts Posts: 1,946 ✭✭✭


    Hi All,

    I did a search on Google this morning for clane adult education

    And see the results I got below

    [Image: picture.php?albumid=413&pictureid=2192]

    The title in the result is for Clane Adult Education, and the synopsis is for Clane Adult Education but the link is to adultfriendfinder.com

    Anyone else getting these results on google.ie or google.com?

    S



Comments

  • Registered Users Posts: 6,464 ✭✭✭MOH


    Nope, I get the same results, but with the proper links.

    Virus?

    [edit]
    Although in the sidebar, I do get a sponsored link to Bored Clane Women!!!


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    MOH wrote: »
    Nope, I get the same results, but with the proper links.

    Virus?

    AVG not showing anything and updated it this morning....

    Tried other searches without the term adult

    "Pet Photography" gives the same type of replies.

    monstermarketcoupon.com seems to be popular site also.

    How could a virus infiltrate google searches?

    S


  • Registered Users Posts: 2,191 ✭✭✭Feelgood


    AVG won't pick up this if you are just running the basic free edition...


  • Registered Users Posts: 3,594 ✭✭✭forbairt


    You've probably been infected by spyware of some sort. Download some spyware scanners (as opposed to AVG).


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    forbairt wrote: »
    You've probably been infected by spyware of some sort. Download some spyware scanners (as opposed to AVG).

    Did the search on Yahoo.co.uk and results are fine.

    Currently scanning - will let you know results.

    Can someone search for "Pet Photography" on google.com

    then click on IRELAND ONLY and see if results are strange.

    Ta.

    S


  • Registered Users Posts: 7,468 ✭✭✭Evil Phil


    It's fine for me.


  • Registered Users Posts: 2,191 ✭✭✭Feelgood


    slumped wrote: »
    Did the search on Yahoo.co.uk and results are fine.

    Currently scanning - will let you know results.

    Can someone search for "Pet Photography" on google.com

    then click on IRELAND ONLY and see if results are strange.

    Ta.

    S

    Results are fine, it's the PC you're working on. It's got bloody spyware and adware on it! AVG free doesn't pick these up; you need to install another product such as Spybot to sort it out.

    Your web browser has been successfully hijacked. Try searching the results yourself on a different machine in the classroom and see if you get the same problem.


  • Registered Users Posts: 6,464 ✭✭✭MOH


    slumped wrote: »
    Did the search on Yahoo.co.uk and results are fine.

    Currently scanning - will let you know results.

    Can someone search for "Pet Photography" on google.com

    then click on IRELAND ONLY and see if results are strange.

    Ta.

    S

    Nope, results are fine.

    Have you tried a different browser?

    I've had fierce problems before with malware hijacking URLs, though never in a list of google results.

    [edit]
    If it's only happening on google, you could try running regedit and searching for google, see if anything odd shows up (but don't change anything!)


  • Registered Users Posts: 7,468 ✭✭✭Evil Phil


    Try Adaware from Lavasoft, and choose your pr0n sites more carefully in future :pac:


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    Evil Phil wrote: »
    Try Adaware from Lavasoft, and choose your pr0n sites more carefully in future :pac:

    LOL!

    No P0rn sites on this machine! Guaranteed!


    AVG - nothing showing up (paid edition)

    AdAware - running now.


    Did another Google search and results were fine.......?


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    Adaware reported no threats (aside from cookies).

    Running SpyBot now

    S


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    SpyBot came back clear.


    So - AVG, Adaware and SpyBot all show my system as being clean

    How the hell am I getting these results from Google?

    S


  • Registered Users Posts: 2,191 ✭✭✭Feelgood


    slumped wrote: »
    SpyBot came back clear.


    So - AVG, Adaware and SpyBot all show my system as being clean

    How the hell am I getting these results from Google?

    S

    How long did Spybot take to do a scan? That was a bit fast? Should take around 45 mins to do a complete scan?


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    Feelgood wrote: »
    How long did Spybot take to do a scan? That was a bit fast? Should take around 45 mins to do a complete scan?

    took around 20 mins.

    not a whole lot of files on the machine

    will check it and run again.


  • Registered Users Posts: 2,191 ✭✭✭Feelgood


    Surprised that nothing is being picked up alright, very strange.

    I had the exact same problem on a laptop a few weeks ago, though Spybot sorted it out for me.

    Have you got multiple browsers on the machines, IE and Mozilla? Is it the same problem with both?


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Moved from Web Development.


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    A second spybot search shows nothing.

    Only got IE and it's as up to date as possible also.

    I'm very particular about keeping my computer clean and up to date.

    I've got a mate who works for Google, might ask him to elevate it to tech support there and see what happens..

    Anyone else able to replicate issues?


    S


  • Registered Users Posts: 2,191 ✭✭✭Feelgood


    I wouldn't bother going the Google route to be honest, even if one person could replicate this issue the chances of a Google server having spyware / adware problems are extremely slim.

    Are you in a classroom environment? Do all the PCs in the classroom have the same problem or just this one?

    Can you try to download Mozilla and see if the same problem occurs? I suspect it will though if your PC is infected.

    This problem's symptoms are typical of a browser hijack to be honest. You could also try running Windows Defender and see what the outcome is.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Have you tried going through the sticky at the head of the forum, OP?


  • Registered Users Posts: 605 ✭✭✭PaddyTheNth


    Try SuperAntiSpyware and Malwarebytes Anti-Malware, if they don't find anything I'll be astonished. Both have free versions.


  • Registered Users Posts: 5,836 ✭✭✭Vokes


    Try SuperAntiSpyware and Malwarebytes Anti-Malware, if they don't find anything I'll be astonished. Both have free versions.
    Second this. And the sticky as per aidan's rec.

    Also check out your hosts file for new entries.
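
The hosts-file check suggested above can be scripted. This is an added example, not part of the original post: the sample file content, the addresses in it and the list of search-engine names to watch are constructed assumptions.

```python
import ipaddress

# Constructed sample in hosts-file format. On the Windows XP machine in this
# thread the real file is C:\WINDOWS\system32\drivers\etc\hosts.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.test        # blocklist-style entry
203.0.113.10    www.google.ie google.ie # constructed redirect
203.0.113.10    search.yahoo.com
198.51.100.7    intranet.example.test
"""


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each name on each mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        for name in fields[1:]:  # one line may map several names
            yield lineno, ip, name.lower().rstrip(".")


def is_search_engine(name):
    """Assumed watch list: the engines mentioned in this thread."""
    labels = name.split(".")
    return ("google" in labels or "yahoo" in labels
            or name == "live.com" or name.endswith(".live.com"))


def audit_hosts(text):
    """Return (lineno, hostname, ip, reason) for entries worth a second look."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if is_search_engine(name):
            # A clean machine resolves these through DNS, never the hosts file.
            findings.append((lineno, name, str(ip), "search engine overridden"))
        elif not (ip.is_loopback or ip.is_unspecified):
            findings.append((lineno, name, str(ip), "non-loopback mapping"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```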


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    Try SuperAntiSpyware and Malwarebytes Anti-Malware, if they don't find anything I'll be astonished. Both have free versions.

    Didn't find anything!!

    Registry Mechanic found a few minor issues but not the cause.

    It would appear that there is a virus/malware out there that has no fix yet.

    If anyone hears of a fix let me know!!!
    S


  • Registered Users Posts: 4,369 ✭✭✭Dartz


    Is it doing it now? It could be that Google got DNS spoofed or something.


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    Dartz wrote: »
    Is it doing it now? It could be that Google got DNS spoofed or something.

    yes...still doing it.

    When I search at www.google.ie I get the problem but when I use http://www.google.ie/advanced_search? I don't - which leads me to believe that there is malware which is not being picked up.

    Live search appears to be affected but Yahoo have fixed the problem to prevent it from happening.

    S


  • Registered Users Posts: 605 ✭✭✭PaddyTheNth




  • Closed Accounts Posts: 1,946 ✭✭✭slumped



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:17:28, on 03/02/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\XXXXXXXXX EDITED BY SLUMPED\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=4080315
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ie/hws/sb/dell-row/en/side.html?channel=ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie/hws/sb/dell-row/en/side.html?channel=ie
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/advanced_search?
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ie/hws/sb/dell-row/en/side.html?channel=ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=4080315
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206647108653
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206647280012
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B173BAD-AFFE-4D37-B450-5FD05478CE61}: NameServer = 213.233.128.1 213.233.128.19
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B173BAD-AFFE-4D37-B450-5FD05478CE61}: NameServer = 213.233.128.1 213.233.128.19
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
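
A log like the one above can be narrowed to the HijackThis sections that are able to change where search results lead: R0/R1 (Internet Explorer start and search pages), O1 (hosts-file redirects), O2/O3 (Browser Helper Objects and toolbars) and O17 (DNS server settings). This is an added example, not part of the original post; the trusted-domain list is an assumption, and the sample mixes lines from the log above with two constructed ones.

```python
import re
from urllib.parse import urlsplit

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

# Constructed excerpt: the first R1 line and the R0, O2, O17 and O4 lines are
# copied from the log above; the second R1 line and the O1 line are invented.
SAMPLE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=4080315
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.test/?q=
O1 - Hosts: 203.0.113.10 www.google.ie
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B173BAD-AFFE-4D37-B450-5FD05478CE61}: NameServer = 213.233.128.1 213.233.128.19
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_log(text):
    """Return (code, detail) pairs for every 'CODE - detail' line."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]


def url_host(value):
    """Hostname of a registry URL value, which may lack a scheme."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(text, trusted=("google.ie", "microsoft.com")):
    """List (code, level, message) for entries that can rewrite search results.

    'trusted' is an assumed allow-list for the browser page settings.
    """
    findings = []
    for code, detail in parse_log(text):
        if code in ("R0", "R1") and " = " in detail:
            host = url_host(detail.split(" = ", 1)[1])
            if host and not is_trusted(host, trusted):
                findings.append((code, "check", "browser page points at " + host))
        elif code == "O1":
            findings.append((code, "check", "hosts redirect: " + detail.split(": ", 1)[-1]))
        elif code in ("O2", "O3"):
            parts = detail.split(" - ")  # name, CLSID, DLL path
            findings.append((code, "review", "add-on: %s -> %s" % (parts[0], parts[-1])))
        elif code == "O17" and "NameServer = " in detail:
            servers = detail.split("NameServer = ", 1)[1].replace(",", " ").split()
            findings.append((code, "review", "DNS servers set to " + " ".join(servers)))
    return findings


if __name__ == "__main__":
    for code, level, message in triage(SAMPLE):
        print("%-4s %-7s %s" % (code, level, message))
```

"check" marks a setting that already points somewhere outside the allow-list; "review" marks an entry to confirm by hand, such as comparing the O17 name servers with the ones the ISP hands out.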


  • Registered Users Posts: 605 ✭✭✭PaddyTheNth


    Bizarre, there's nothing that jumps out at me there.

    Not intending to insult you...I've missed sillier things before, but the url of the page you're on is actually http://www.google.ie/search?etcetc isn't it? You chopped that bit off in the screenshot :o

    If you want to keep trying, do all three steps in the post I linked to - get wrapper going, then do a new HijackThis scan, then do a rooter scan, and post the new hijack and rooter log here.

    Another option if they don't catch anything might be to download Wireshark and capture all the traffic when you do a google search - that should show up any communication to non-google servers which would confirm that there's something malicious going on.

    Do you have access to another computer at the same location? Could you get a buddy to bring over a laptop maybe and do a search using your connection? Cos if it happens to him too it would mean there's a problem in between you and google's servers.


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    Another option if they don't catch anything might be to download Wireshark and capture all the traffic when you do a google search - that should show up any communication to non-google servers which would confirm that there's something malicious going on.

    Wireshark showed up the following

    [Image: picture.php?albumid=413&pictureid=2194]

    some sort of "Retransmission" detected after I clicked search.

    ???


  • Registered Users Posts: 605 ✭✭✭PaddyTheNth


    It's the ip addresses that will show if your browser is getting data from servers it shouldn't be...

    eg

    [Image: 14632262ck2.png]

    That's just the main window after doing a search and then stopping the capture.

    You could also go to Statistics -> Conversations and copy/screenshot any tab that has info on it which would list the IPs you're connecting to, eg IPv4 and TCP in my case.

    [Image: ss2pd3.png]

    If there's DNS poisoning going on it should be identifiable here.


  • Closed Accounts Posts: 1,946 ✭✭✭slumped


    OK

    Have done a WHOIS check on the IP addresses found the following

    66.102.9.100 = Google
    78.152.254.74 = RIPE Network Coordination Centre
    216.239.59.118 = Google
    195.25.76.250 = RIPE Network Coordination Centre
    213.233.128.1 = RIPE Network Coordination Centre

    RIPE info http://www.ripe.net/info/ncc/index.html

    NameServer: NS-PRI.RIPE.NET
    NameServer: SEC1.APNIC.NET
    NameServer: SEC3.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    NameServer: SUNIC.SUNET.SE
    NameServer: NS.LACNIC.NET


    S

