after performing a search from google.com a set of results is returned.
When doing a mouseover on the results the correct URL is shown in the status bar.
When clicking the hyperlink the status bar shows a URL of http://85.255.119.186
and then redirects to a page other than the one selected in google.

I have attached the HJT logfile.

Any suggestions greatly appreciated.

Grant

Attached Files

hijackthis.log (8.6 KB, 8 views)

I can see nothing in your HJT log that would account for your problem. However, that doesn`t necessarily mean your system is clean.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Regards Howard

[color=red]This thread is for the use of[/color] gwiz_oz [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.[/color]

Thanks for the prompt response Howard.
The logs are attached as requested

Cheers
Grant

Attached Files

	hijackthis.log (8.5 KB, 6 views)
	ComboFix.txt (9.0 KB, 17 views)

Your system is infected with a rootkit. Whether we can get rid of it or not is another thing.

[color=red]Very Important:[/color] Before deciding whether you should clean or reformat your system, go and read this thread [color=blue]HERE[/color] and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Download and run the Blacklight programme. follow all the instructions carefully.

Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and [color=red]AVG Antispyware[/color] logs as attachments into this thread, only after doing the above. I also require a fresh Combofix log and the results of the Blacklight scan.

Regards Howard

[color=red]This thread is for the use of[/color] [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.[/color]

All scan programs reported negative...
However the blacklight utility showed up a reference to ;
1. hidden file called c:\windows\system32\kdwzr.exe
2. registry entry to same file
The clean removed the entry from the registry

Ran a few searches and they link cleanly to the correct pages.

Cheers
Grant

HJT Logs attached

Attached Files

hijackthis.log (8.8 KB, 2 views)

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: FlashFetcher - {16E8A050-74CE-43D5-8DC0-BADD7347B2DD} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)

O9 - Extra button: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)

O9 - Extra 'Tools' menuitem: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{515E235D-FA3C-42FB-B0DD-B07E7AA5EE63}: NameServer = 85.255.116.126,85.255.112.119

O17 - HKLM\System\CCS\Services\Tcpip\..\{857C3104-9D83-46EE-91DE-51B902C30C4F}: NameServer = 85.255.116.126,85.255.112.119

O17 - HKLM\System\CCS\Services\Tcpip\..\{91BA0903-30B4-4065-930D-A2952CDD6EBF}: NameServer = 85.255.116.126,85.255.112.119

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9109EDE-1256-4A8C-8478-FB359757D384}: NameServer = 85.255.116.126,85.255.112.119

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Click on the fix checked button.

Close HJT and reboot your computer.

Post a fresh HJT log.

Regards Howard

[color=red]This thread is for the use of[/color] gwiz_oz [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.[/color]

HJT Logs attaches as requested.
Cheers
Grant

Attached Files

hijackthis.log (7.3 KB, 2 views)

Your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

[color=red]This thread is for the use of[/color] gwiz_oz [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.[/color]

I've basically ran everything that I could, still no luck, its such a pest, here is my hijackthis log.

Attached Files

hijackthis.log (12.6 KB, 1 views)