More Google Results Hijacked log included
#1
The first three times I click on any result I am redirected to some other search engine. I have attached my hijackthis log file. Thanks in advance for any help.

-Eric
#2
Hello, Ethered, and welcome to Techspot

Please take a look at the following threads to make your experience here as enjoyable as possible:

Message for all newcomers: http://www.techspot.com/vb/topic51543.html
SNGX1275's Guide to making a good post/thread: http://www.techspot.com/vb/topic33297.html
The Techspot FAQ: http://www.techspot.com/extras/forum_guidelines/faq.shtml

If you could take a minute to fill in some of your profile information (http://www.techspot.com/vb/profile.php?do=editprofile) that would be helpful to all members of the forum. Knowing someone's location in the world can be extremely helpful, even if you just put a country.

Also remember to post any problems or questions that you have in the appropriate forums (http://www.techspot.com/vb/).

With regards to your problem, have hjt fix these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

With that many running processes i'm surprised your pc even manages to get as far as google
#3
Hello and welcome to Techspot.

Your system has been hijacked. Please ignore Daveskater's instructions as he is still learning.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE (http://www.techspot.com/vb/topic65943.html) and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions (http://www.techspot.com/vb/topic58138.html). Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above. Also, please post the C:\fixwareout\report.txt.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard

This thread is for the use of Ethered only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum (http://www.techspot.com/vb/menu28.html).
#4
your malware removal knowledge clearly surpasses me, howard

i've been contemplating whether to join the malware removal university but haven't quite made my mind up yet, i may do it but it's having the time to do it

however i'll leave you to it now because this isn't a discussion thread, we have a serious matter at hand
#5
No worries mate, it'd be really good to have you helping out in this forum. I could sure use the help.

The MRU is very good and thorough, but is quite involved and time consuming. If that's what you want to do, then you have my utmost respect and appreciation.

Just for future reference, this is the hijacker.

O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127

If ever you see that IP address as an O17 entry in a HJT log, you'll know it's been hijacked.

Regards Howard
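
The check described in the post above, as an added example that is not part of the original thread: it parses the O17 lines of a HijackThis log and flags NameServer values that match the two addresses quoted in this thread, or that fall outside a resolver set you supply. The function names, the expected-resolver set and every sample line other than the thread's own O17 entries are assumptions made for the example.

```python
import ipaddress
import re

# The two DNS server addresses quoted in this thread's O17 entries.
THREAD_WATCHLIST = {"85.255.115.3", "85.255.112.127"}
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\.+?): (?P<name>\w+) = (?P<value>.+)$")

# The two 85.255.x.x O17 lines come from the thread; the rest are constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EEB5DDB-00AF-4CF4-A0EF-BFE908DF32E3}: NameServer = 85.255.115.3,85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.3 85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.example
"""

def parse_o17(log_text):
    """Yield (registry_key, value_name, [ip addresses]) for each O17 line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        addrs = []
        # HijackThis prints server lists separated by commas or by spaces.
        for tok in re.split(r"[,\s]+", m["value"].strip()):
            try:
                addrs.append(str(ipaddress.ip_address(tok)))
            except ValueError:
                pass  # e.g. a Domain value is a host name, not an address
        yield m["key"], m["name"], addrs

def review_dns(log_text, expected_resolvers):
    """Return (key, address, verdict) for every DNS server worth a look."""
    findings = []
    for key, name, addrs in parse_o17(log_text):
        if name != "NameServer":
            continue
        for addr in addrs:
            if addr in THREAD_WATCHLIST:
                findings.append((key, addr, "watchlisted"))
            elif addr not in expected_resolvers:
                findings.append((key, addr, "unexpected"))
    return findings

if __name__ == "__main__":
    # Assumption: 192.168.1.1 is this network's legitimate resolver.
    for key, addr, verdict in review_dns(SAMPLE_LOG, {"192.168.1.1"}):
        print(f"{verdict:12} {addr:16} {key}")
```

A static NameServer value under a per-interface GUID key is legitimate on many machines, so the "unexpected" verdict is a prompt to compare against the resolvers the network actually hands out, not a detection on its own.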
#6
yeah i work random(ish) hours through the week and i have driving lessons going on at the moment so if i can find the time then i'll go for it

thanks

if i see an ip like that i usually check it on dnsstuff.com and that one came up as being in Ukraine or something so it didn't look so good
#7
inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

It used to be a lot more common. I haven't seen it for a while.

Regards Howard
#8
well let's just hope it doesn't come back, eh

hopefully i'll recognise that ip in future but i don't usually remember combinations of numbers unless i think of them a few times or type them a few times. for example i could tell you that typing in 5000128271165 into the till at work will come up with a 69p cucumber but that's not really helpful here
#9
Howard,
Thanks for the help this far. I have followed almost all the instructions in the Viruses/Spyware/Malware, preliminary removal instructions. I could only get one of the 3 tools in step 10 to run; besides that I am good. I have attached the 3 log files you requested. Finally, the Panda Antirootkit scan did not find anything. Also, I am no longer experiencing the problem.

Once again thank you for your help to this point. Same to you Daveskater.

-Eric
#10
Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{48227AEB-DC8E-4A90-A274-0B4A39D699B1}"" (User 'SYSTEM')

Click on the fix checked button. Close HJT and reboot your system.

Post a fresh HJT log.

Regards Howard
#11
Daveskater, you should join the MRU.

But bear in mind, there is a lot of reading involved and loads of information to take in.

I've also heard about SWI Bootcamp, here (http://forums.spywareinfo.com/index.php?showtopic=34). That is meant to be a good malware training site.

But I'll shut up now lol. As this thread is for Ethered. lol

I would take a look into this Ethered mate, but I'm going bed now. lol

Regards Jase
#12
Quote:

Regards Howard
#13
Yes, you're great Howard mate.

Regards Jase
#14
Howard,
Here is my latest HJT log. Once again thanks for your help.

-Eric
#15
Your HJT log is clean.
Turn off system restore. (XP/ME only) See how HERE (http://www.bleepingcomputer.com/forums/tutorial56.html).

Now, turn system restore back on.

This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard