teelions920 asked:
My browser is hijacked after a Google search

My browser is hijacked after a Google search. I click the Google link and am taken to another site.
hijackthis.log
ASKER CERTIFIED SOLUTION
torimar
rpggamergirl:
These entries below are definitely bad and you can fix them; the O17 entries are hijackers.
O4 - HKCU\..\Run: [RegCom32] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\stl web dl-crypt.exe
O4 - HKUS\S-1-5-21-602162358-1123561945-839522115-500\..\Run: [RegCom32] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\stl web dl-crypt.exe (User '?')
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B470882-3A89-4AD7-861B-9F57D4A094C7}: NameServer = 85.255.112.89,85.255.112.201  
O17 - HKLM\System\CCS\Services\Tcpip\..\{F414626D-5639-4D60-85DF-30989F7CA767}: NameServer = 85.255.112.89,85.255.112.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.89,85.255.112.201  
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.89,85.255.112.201

After that, run Malwarebytes and/or ComboFix as already suggested and show us the log.

OR, you can look for any of these FAKE files (search engine hijackers) and delete them if present. (Delete only files located in the system32 folder.)

C:\Windows\system32\wdmaud.sys <-- bad
C:\Windows\system32\sysaudio.sys <-- bad
c:\windows\system32\ntnet.drv <-- bad


If the above files are not found on the system, also check the registry key below and check the values of "aux, aux1, aux2, aux3, aux4" to make sure there are no values pointing to random filenames (similar to the ones below).

Start > Run > type in

regedit

Press Enter and navigate to the subkey below (look for the aux values and let us know if they are similar to the ones below):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
"aux"="C:\WINDOWS\system32\..\sjkemx.iqd"
"aux2"= "C:\WINDOWS\system32\..\kvlhurx.niq"
"aux4"="c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna"
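The triage rpggamergirl describes (O4 autoruns launched from a Temp directory, O17 NameServer entries pointing at a rogue resolver, and odd Drivers32 aux* values) as an added Python example. It is not part of the original thread and not code from HijackThis, Malwarebytes or ComboFix. The sample log is constructed from the lines quoted above plus two benign lines for contrast; the allowed-resolver ranges (RFC 1918 and loopback) and the rule that a genuine aux driver is a .drv or .dll are assumptions you should adjust for your own network.

```python
"""Triage the HijackThis indicators discussed above (added example).

flag_o4 / flag_o17 / triage_log work on HijackThis log text; flag_drivers32
takes the name->data values of HKLM\...\Drivers32 as a dict (read them with
winreg on the affected box, or type them in from regedit).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the lines quoted in the answer above, plus one
# benign O4 and one benign O17 line so the filters have something to pass.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [RegCom32] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\stl web dl-crypt.exe
O4 - HKUS\S-1-5-21-602162358-1123561945-839522115-500\..\Run: [RegCom32] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\stl web dl-crypt.exe (User '?')
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B470882-3A89-4AD7-861B-9F57D4A094C7}: NameServer = 85.255.112.89,85.255.112.201
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.89,85.255.112.201
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.0.0.53
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$"
)
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# Assumption: legitimate resolvers live on the private network or loopback.
# Replace with your site's actual DNS servers.
ALLOWED_RESOLVERS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
]
# Path fragments (lower-case) that mark a per-user Temp location on XP.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


def flag_o4(line):
    """Return a finding if an O4 autorun launches a binary from a Temp directory."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    if any(marker in cmd.lower() for marker in TEMP_MARKERS):
        return {"line": line.strip(), "name": m.group("name"), "cmd": cmd,
                "reason": "autorun launches from a Temp directory"}
    return None


def flag_o17(line, allowed=ALLOWED_RESOLVERS):
    """Return a finding if any O17 NameServer address is outside the allowed set."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    rogue = []
    for server in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            ip = ip_address(server)
        except ValueError:  # not even an IP: definitely worth a look
            rogue.append(server)
            continue
        if not any(ip in net for net in allowed):
            rogue.append(server)
    if rogue:
        return {"line": line.strip(), "key": m.group("key"), "rogue": rogue,
                "reason": "NameServer points outside the allowed resolver set"}
    return None


def triage_log(text, allowed=ALLOWED_RESOLVERS):
    """Run both checks over a HijackThis log and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        finding = flag_o4(line) or flag_o17(line, allowed)
        if finding:
            findings.append(finding)
    return findings


def flag_drivers32(values):
    """Audit the aux* values of Drivers32.

    A genuine entry looks like 'wdmaud.drv': a bare driver name with a .drv
    or .dll extension (assumption). Path traversal, a Temp location or a
    random extension is what the hijacker examples above have in common.
    """
    findings = []
    for name, data in values.items():
        if not name.lower().startswith("aux"):
            continue
        low = data.strip().lower()
        reasons = []
        if "\\..\\" in low:
            reasons.append("path uses '..' traversal")
        if any(marker in low for marker in TEMP_MARKERS):
            reasons.append("points into a Temp directory")
        if not low.endswith((".drv", ".dll")):
            reasons.append("unexpected extension for an audio driver")
        if reasons:
            findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["reason"], "->", f["line"])
    for f in flag_drivers32({"aux": "wdmaud.drv",
                             "aux1": r"C:\WINDOWS\system32\..\jjmviih.nkt"}):
        print(f["value"], f["data"], f["reasons"])
```

On the constructed sample this reports the two RegCom32 autoruns and the two NameServer lines that point at 85.255.112.89/201, and passes the ctfmon.exe entry and the 10.0.0.53 resolver. Fixing the O17 lines in HijackThis only rewrites the NameServer values; if a scheduled task, service or the O4 entry survives, the rogue resolvers come straight back, which is why the answer also asks for the Malwarebytes/ComboFix logs.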
teelions920 (asker):
hotelgroup.com is my company. Either the VPN or the online CMS; don't know which that refers to.

Don't have any of these:
C:\Windows\system32\wdmaud.sys
C:\Windows\system32\sysaudio.sys
c:\windows\system32\ntnet.drv

or these:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
"aux"="C:\WINDOWS\system32\..\sjkemx.iqd"
"aux2"= "C:\WINDOWS\system32\..\kvlhurx.niq"
"aux4"="c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna"

The Combo + Malwarebytes may have done it. Would love to blow up that Ruski Starbucks.

hijackthis.log
Combo-log.txt
mbam-log-2009-03-16--09-28-25-.txt

All this looks to me like the work is done.

Just one side note: although I don't really expect it to find anything else, you seem to have run only a Quick Scan with MBAM. Whenever you have the time, please update it, boot into Safe Mode, and run a complete scan - be it just for the good feeling ;)