TechSpot

Google search results hijacked under IE

By gwiz_oz
Feb 5, 2007
Topic Status:
Not open for further replies.
  1. After performing a search from google.com, a set of results is returned.
    When doing a mouseover on the results the correct URL is shown in the status bar.
    When clicking the hyperlink the status bar shows a URL of http://85.255.119.186
    and then redirects to a page other than the one selected in google.

    I have attached the HJT logfile.

    Any suggestions greatly appreciated.

    Grant

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I can see nothing in your HJT log that would account for your problem. However, that doesn't necessarily mean your system is clean.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Regards Howard :)

    This thread is for the use of gwiz_oz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. gwiz_oz

    gwiz_oz TS Rookie Topic Starter

    Logs attached as requested

    Thanks for the prompt response Howard.
    The logs are attached as requested

    Cheers
    Grant

  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your system is infected with a rootkit. Whether we can get rid of it or not is another thing.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above. I also require a fresh Combofix log and the results of the Blacklight scan.

    Regards Howard :wave: :wave:

  5. gwiz_oz

    gwiz_oz TS Rookie Topic Starter

    All scan programs reported negative...
    However, the Blacklight utility showed up a reference to:
    1. a hidden file called c:\windows\system32\kdwzr.exe
    2. a registry entry to the same file
    The clean removed the entry from the registry.

    Ran a few searches and they link cleanly to the correct pages.

    Cheers
    Grant

    HJT Logs attached
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: FlashFetcher - {16E8A050-74CE-43D5-8DC0-BADD7347B2DD} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)

    O9 - Extra button: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)

    O9 - Extra 'Tools' menuitem: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{515E235D-FA3C-42FB-B0DD-B07E7AA5EE63}: NameServer = 85.255.116.126,85.255.112.119

    O17 - HKLM\System\CCS\Services\Tcpip\..\{857C3104-9D83-46EE-91DE-51B902C30C4F}: NameServer = 85.255.116.126,85.255.112.119

    O17 - HKLM\System\CCS\Services\Tcpip\..\{91BA0903-30B4-4065-930D-A2952CDD6EBF}: NameServer = 85.255.116.126,85.255.112.119

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A9109EDE-1256-4A8C-8478-FB359757D384}: NameServer = 85.255.116.126,85.255.112.119

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119

    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Click on the fix checked button.

    Close HJT and reboot your computer.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of gwiz_oz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
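
    The O17 lines in the fix list above set the machine's DNS servers in the registry, once per interface and once per control set. As an added example (not part of the original thread), this Python code parses O17 NameServer lines from a HijackThis log and reports every resolver that falls outside a list of expected networks; the allowlist `192.168.1.0/24` and the third sample line are constructed assumptions.

```python
import ipaddress
import re

# HijackThis O17 line: "O17 - <registry key>: NameServer = <ip>[, ]<ip>..."
O17_RE = re.compile(r"^\s*O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")

# First two lines are copied from the log above; the third is constructed.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{515E235D-FA3C-42FB-B0DD-B07E7AA5EE63}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumption: the resolvers this machine is supposed to use (e.g. the LAN router).
EXPECTED_NETWORKS = ["192.168.1.0/24"]


def parse_o17(log_text):
    """Return [(registry_key, [ip_address, ...])] for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue
        ips = []
        # Per-interface keys separate servers with commas, Parameters keys with spaces.
        for tok in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                ips.append(ipaddress.ip_address(tok))
            except ValueError:
                pass  # not an IP literal, skip it
        entries.append((m.group("key"), ips))
    return entries


def unexpected_resolvers(log_text, expected_networks):
    """Map each resolver outside expected_networks to the registry keys that set it."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = {}
    for key, ips in parse_o17(log_text):
        for ip in ips:
            if not any(ip in net for net in nets):
                findings.setdefault(str(ip), []).append(key)
    return findings


if __name__ == "__main__":
    for ip, keys in unexpected_resolvers(SAMPLE_LOG, EXPECTED_NETWORKS).items():
        print(ip, "set in", len(keys), "key(s):", *keys, sep="\n  ")
```

    Every key that the report lists has to be corrected, since the same value is written under each interface GUID and each control set.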
  7. gwiz_oz

    gwiz_oz TS Rookie Topic Starter

    HJT Logs attached as requested.

    HJT Logs attached as requested.
    Cheers
    Grant
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  9. wamo00

    wamo00 TS Rookie

    IE Google Search Results Hijacked

    I've basically run everything that I could, still no luck. It's such a pest. Here is my HijackThis log.