TechSpot

More Google Results Hijacked log included

By Ethered
Oct 8, 2007
  1. The first three times I click on any result I am redirected to some other search engine. I have attached my hijackthis log file. Thanks in advance for any help.

    -Eric
     
  2. Daveskater

    Daveskater Banned Posts: 1,687

    Hello, Ethered, and welcome to Techspot :wave:

    Please take a look at the following threads to make your experience here as enjoyable as possible :)

    Message for all newcomers

    SNGX1275's Guide to making a good post/thread

    The Techspot FAQ

    If you could take a minute to fill in some of your profile information that would be helpful to all members of the forum :)
    Knowing someone's location in the world can be extremely helpful, even if you just put a country.

    Also remember to post any problems or questions that you have in the appropriate forums

    With regards to your problem, have hjt fix these entries:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127

    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

    With that many running processes i'm surprised your pc even manages to get as far as google :D
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system has been hijacked. Please ignore Daveskater's instructions as he is still learning.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, please post the C:\fixwareout\report.txt.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of Ethered only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. Daveskater

    Daveskater Banned Posts: 1,687

    your malware removal knowledge clearly surpasses me, howard :)

    i've been contemplating whether to join the malware removal university but haven't quite made my mind up yet, i may do it but it's having the time to do it

    however i'll leave you to it now because this isn't a discussion thread, we have a serious matter at hand ;)
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No worries mate, it'd be really good to have you helping out in this forum. I could sure use the help.

    The MRU is very good and thorough, but is quite involved and time consuming.

    If that's what you want to do, then you have my utmost respect and appreciation.

    Just for future reference, this is the hijacker.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127

    If ever you see that IP address as an O17 entry in a HJT log, you'll know it's been hijacked.

    Regards Howard :)
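
The check described in the post above, as an added example that is not part of the original thread: it parses O17 NameServer lines from a HijackThis log and flags the two addresses named here. `EXPECTED`, the `192.168.1.1` resolver, the all-zero GUID line and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# The two resolver addresses identified as the hijacker in this thread.
KNOWN_ROGUE = {ipaddress.ip_address(a) for a in ("85.255.115.3", "85.255.112.127")}
# Assumption: the resolver this machine is supposed to use (constructed value).
EXPECTED = {ipaddress.ip_address("192.168.1.1")}

# O17 line shape as quoted in the thread: "O17 - <key>: <value name> = <data>"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\.+?): (?P<name>\w+) = (?P<value>.+)$")

# First, second and last lines are from the thread; the third is constructed.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

def classify_o17(log_text):
    """Return (registry key, address, verdict) for every O17 NameServer value."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m or m.group("name") != "NameServer":
            continue
        # The thread shows both comma- and space-separated lists; accept both.
        for token in re.split(r"[,\s]+", m.group("value").strip()):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.append((m.group("key"), token, "unparseable"))
                continue
            if ip in KNOWN_ROGUE:
                verdict = "rogue"
            elif ip in EXPECTED:
                verdict = "expected"
            else:
                verdict = "review"  # unknown resolver: look it up before trusting it
            findings.append((m.group("key"), str(ip), verdict))
    return findings

def hijacked_keys(log_text):
    """Registry keys that carry at least one known-rogue resolver."""
    return sorted({key for key, _, verdict in classify_o17(log_text) if verdict == "rogue"})

if __name__ == "__main__":
    for key, addr, verdict in classify_o17(SAMPLE_LOG):
        print(f"{verdict:10} {addr:16} {key}")
```
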
     
  6. Daveskater

    Daveskater Banned Posts: 1,687

    yeah i work random(ish) hours through the week and i have driving lessons going on at the moment so if i can find the time then i'll go for it

    thanks :) if i see an ip like that i usually check it on dnsstuff.com and that one came up as being in Ukraine or something so it didn't look so good :D
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    inhoster
    descr: Inhoster hosting company
    descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

    It used to be a lot more common. I haven't seen it for a while.

    Regards Howard :)
     
  8. Daveskater

    Daveskater Banned Posts: 1,687

    well let's just hope it doesn't come back, eh :)

    hopefully i'll recognise that ip in future but i don't usually remember combinations of numbers unless i think of them a few times or type them a few times. for example i could tell you that typing in 5000128271165 into the till at work will come up with a 69p cucumber :D but that's not really helpful here ;)
     
  9. Ethered

    Ethered TS Rookie Topic Starter

    Howard,

    Thanks for the help this far. I have followed almost all the instructions in the Viruses/Spyware/Malware, preliminary removal instructions. I could only get one of the 3 tools in step 10 to run; besides that I am good. I have attached the 3 log files you requested. Finally the Panda Antirootkit scan did not find anything.
    Also I am no longer experiencing the problem.

    Once again thank you for your help to this point. Same to you Daveskater.

    -Eric
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{48227AEB-DC8E-4A90-A274-0B4A39D699B1}"" (User 'SYSTEM')

    Click on the fix checked button.

    Close HJT and reboot your system.

    Post a fresh HJT log.

    Regards Howard :)

     
  11. Jase123

    Jase123 Banned Posts: 1,012

    Daveskater, you should join the MRU.

    But bear in mind, there is a lot of reading involved and loads of information to take in.

    I've also heard about SWI Bootcamp, here. That is meant to be a good malware training site.

    But i'll shut up now lol. As this thread is for Ethered. lol

    I would take a look into this Ethered mate, but i'm going bed now. lol

    Regards Jase :)
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's ok Jase, I'm already on it. ;)

    Regards Howard :)
     
  13. Jase123

    Jase123 Banned Posts: 1,012

    Yes, you're great Howard mate. :)

    Regards Jase :)
     
  14. Ethered

    Ethered TS Rookie Topic Starter

    Howard,

    Here is my latest HJT log. Once again thanks for your help.

    -Eric
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
