Browser google hijack how do I remove?

Status
Not open for further replies.
Hi,
I'm new to this forum, but after searching the internet for a day I cannot remove this hijack.

I have a Dell desktop running Microsoft XP Home SP3.

The basics are that every search from Google I click on redirects me to another website, usually another search engine with a similar search. I also found that I cannot use System Restore, as the Next button on the restore won't work. Every so often I also get the blue screen on start-up. Ad-Aware will not connect to the server to download new updates, and I have problems just downloading files (keeps on going "page cannot be displayed").

I've tried what other people have suggested, but with no luck. I've used Ad-Aware, but the thing just keeps on coming back.

Here's a log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:41:40, on 09/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E}: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 2124 bytes




Here is some of a log from Ad-Aware:

Ad-Aware Build
Log File Created on: 2008-12-09 15:39:59

Using Definitions File: C:\Documents and Settings\mike\Desktop\core.aawdef
Computer name: CAMBER
Name of user performing scan: SYSTEM

System information
===========================
Number of processors: 1
Processor type: Intel(R) Pentium(R) 4 CPU 3.00GHz
Memory Available: 43%
Total Physical Memory: 534872064 Bytes
Available Physical Memory: 225234944 Bytes
Total Page File Size: 1307762688 Bytes
Available On Page File: 957546496 Bytes
Total Virtual Memory: 2147352576 Bytes
Available Virtual Memory: 1101746176 Bytes
OS: Microsoft Windows XP Service Pack 3 (Build 2600)

Ad-Aware Settings
===========================
Skipping files larger than 1048576 kB
Ignoring infections with lower TAI than: 3


Extended Ad-Aware Settings
===========================
Unloading known modules during scan
Ignoring spanned files when scanning cab archives
Reanalyzing results after scanning before displaying results
Trying to unload modules prior to removal
Let Windows remove files currently in use at next reboot
Removing quarantined objects after restore
Deactivating Ad-Watch during scans
Writeprotecting system files after repairs
Include info about ignored objects in log file
Including basic settings in log file
Including advanced settings in log file
Including user and computer name in log file
Create and save WebUpdate log file

Databaseinfo
===========================
Version number: 143
Build Number: 3
Build Date and Time: 2008/12/03 13:27:03

Scan Statistics
===========================
Method: Smart
Scan tracking cookies.............................: On
Scan ADS filestreams..............................: Off

Item Scanned: 96889
Infections Detected: 8
Infections Ignored: 0

Scan detailed statistics
===========================
Type Critical Total
Process Scan....: 0 0
Registry Scan...: 0 0
Registry PE Scan: 0 0
Hosts File Scan.: 0 0
File Scan.......: 0 0
Folder Scan.....: 0 0
LSP Scan........: 0 0
ADS Scan........: 0 0
Cookie Scan.....: 0 0
File Hash Scan..: 0 0

Infections Found
===========================
Family Id: 538 Name: Possible Browser Hijack attempt Category: Malware TAI:3
Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters Value: DhcpNameServer Data: 85.255.113.206;85.255.112.76
Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters Value: NameServer Data: 85.255.113.206;85.255.112.76
Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E} Value: DhcpNameServer Data: 85.255.113.206;85.255.112.76
Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E} Value: NameServer Data: 85.255.113.206;85.255.112.76
Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters Value: DhcpNameServer Data: 85.255.113.206;85.255.112.76
Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters Value: NameServer Data: 85.255.113.206;85.255.112.76
Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E} Value: DhcpNameServer Data: 85.255.113.206;85.255.112.76
Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E} Value: NameServer Data: 85.255.113.206;85.255.112.76


PLEASE HELP
 
Your HJT log is far from typical (unless trimmed to keep under limit). But give the following a try.

Scan with HJT. Tick & Fix the following. Exit. Restart the computer.
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E}: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76

It is more likely you need to follow the link under 'attempt this method'.
In case of difficulty, attempt this method
  • Message # 1 - Effective against other non-plug and play exploits
  • Message #3 - link to 'fixit download' has demonstrated its effectiveness in many cases. Go to message # 3 'fixit download'

Here is some preaching just shared with another user.

After being here for over a year, I have no sense how difficult it is to figure out all the rules. Help > FAQ > sub items lead to posting attachments. I believe that posting log file attachments is permitted with the first post.

Those same FAQ sub items will help you edit out the log from the body of the thread. Put the 3 logs into yet a new reply. This signals a status change (new logs). The moderators have the option to clean up the thread, since this is a good faith effort to get started.
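The O17 lines singled out in the reply are the DNS resolver settings that Ad-Aware flagged as a possible browser hijack. As an added example (not part of the original thread, and not HijackThis's own logic), this script pulls the `NameServer` / `DhcpNameServer` entries out of a HijackThis log and lists every resolver that is neither a private address nor in a caller-supplied list of expected DNS servers; the `expected` list and the 192.168.1.1 sample line are assumptions of the example.

```python
import ipaddress
import re

# Lines copied from the HijackThis log in the thread, plus one constructed
# line (the 192.168.1.1 entry) to show a benign router-assigned resolver.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E}: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<value>NameServer|DhcpNameServer) = (?P<data>.+)$")

def parse_o17(log_text):
    """Return (registry key, value name, [resolver strings]) for each O17 DNS line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[;, ]+", m["data"].strip()) if s]
            entries.append((m["key"], m["value"], servers))
    return entries

def unexpected_resolvers(entries, expected=()):
    """Flag resolvers that are neither private/loopback nor in `expected`.

    `expected` is the caller's own list of ISP or corporate DNS servers
    (an assumption of this example; the thread does not give one).
    """
    allowed = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for key, value, servers in entries:
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((key, value, s, "not an IP address"))
                continue
            if ip in allowed or ip.is_private or ip.is_loopback:
                continue
            findings.append((key, value, s, "public resolver not in expected list"))
    return findings

if __name__ == "__main__":
    for key, value, server, why in unexpected_resolvers(parse_o17(SAMPLE_LOG)):
        print(f"{server:16} {why}: {key} [{value}]")
```

A flagged entry only means the resolver was not expected on this machine; compare it against the DNS servers the ISP or router actually hands out before fixing it in HijackThis.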
