Google search results hijacked under IE
#1
Google search results hijacked under IE
After performing a search from google.com a set of results is returned.
When doing a mouseover on the results the correct URL is shown in the status bar. When clicking the hyperlink the status bar shows a URL of http://85.255.119.186 and then redirects to a page other than the one selected in Google. I have attached the HJT logfile. Any suggestions greatly appreciated.
Grant
#2
I can see nothing in your HJT log that would account for your problem. However, that doesn't necessarily mean your system is clean.
Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe). Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Regards Howard
This thread is for the use of gwiz_oz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
#3
Logs attached as requested
Thanks for the prompt response Howard.
The logs are attached as requested.
Cheers
Grant
#4
Your system is infected with a rootkit. Whether we can get rid of it or not is another thing.
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE (http://www.techspot.com/vb/topic65943.html) and decide what it is you want to do.
If after reading the above, you wish to clean your system, do the following.
Download and run the Blacklight programme (http://www.f-secure.com/blacklight/try_blacklight.html). Follow all the instructions carefully.
Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions (http://www.techspot.com/vb/topic58138.html). Follow all the instructions exactly.
Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above. I also require a fresh Combofix log and the results of the Blacklight scan.
Regards Howard
#5
All scan programs reported negative...
However the blacklight utility showed up a reference to:
1. hidden file called c:\windows\system32\kdwzr.exe
2. registry entry to same file
The clean removed the entry from the registry.
Ran a few searches and they link cleanly to the correct pages.
Cheers
Grant
HJT Logs attached
Last edited by howard_hopkinso; 02-07-2007 at 10:15 AM. Reason: POSTS MERGED: PLEASE USE THE EDIT BUTTON, RATHER THAN MAKING A NEW POST WHEN THERE ARE NO OTHER REPLIES IN BETWEEN.
#6
Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).
O2 - BHO: FlashFetcher - {16E8A050-74CE-43D5-8DC0-BADD7347B2DD} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O9 - Extra button: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)
O9 - Extra 'Tools' menuitem: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{515E235D-FA3C-42FB-B0DD-B07E7AA5EE63}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{857C3104-9D83-46EE-91DE-51B902C30C4F}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{91BA0903-30B4-4065-930D-A2952CDD6EBF}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9109EDE-1256-4A8C-8478-FB359757D384}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
Click on the fix checked button. Close HJT and reboot your computer. Post a fresh HJT log.
Regards Howard
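Added example, not part of the original thread or of HijackThis itself: a small checker that pulls the O17 NameServer entries out of an HJT log and reports any DNS server outside an expected set, which is the kind of entry post #6 asks to have fixed. The allowlist value, the last sample line and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# O2/O17 lines quoted in post #6; the last O17 line is constructed (benign).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{515E235D-FA3C-42FB-B0DD-B07E7AA5EE63}: NameServer = 85.255.116.126,85.255.112.119
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.126 85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumption: the resolvers this machine is supposed to use (site-specific).
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<data>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if match:
            # The log on this page shows both comma- and space-separated values.
            servers = [s for s in re.split(r"[,\s]+", match.group("data")) if s]
            entries.append((match.group("key"), servers))
    return entries


def unexpected_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Map each resolver outside the allowlist to the keys that set it."""
    findings = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                server = str(ipaddress.ip_address(server))
            except ValueError:
                pass  # malformed value: report it verbatim
            if server not in expected:
                findings.setdefault(server, []).append(key)
    return findings


if __name__ == "__main__":
    for server, keys in unexpected_resolvers(SAMPLE_LOG).items():
        print(f"unexpected DNS server {server} set in {len(keys)} key(s):")
        for key in keys:
            print(f"  {key}")
```

The same address appearing under several adapter GUIDs and control sets, as in the log above, shows up as one finding with multiple registry keys.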
#7
HJT Logs attached as requested.
HJT Logs attached as requested.
Cheers
Grant
#8
Your HJT log is clean.
If you have any further virus/spyware problems, please post in this thread.
Regards Howard
#9
IE Google Search Results Hijacked
I've basically run everything that I could, still no luck, it's such a pest, here is my HijackThis log.



