Check out my HJT log
#1
It looked clean to me, but please take a peek... my Google search results are F*cked up and Malwarebytes is coming up clean...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:32 PM, on 10/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TetherBerry\TBService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TetherBerry\TetherBerry.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Startup: ScreenHunter 5.1 Free.lnk = C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E38634D-67B7-4EAC-A41B-82F66E1C1225}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TetherBerry - Unknown owner - C:\Program Files\TetherBerry\TBService.exe

--
End of file - 2740 bytes
#2
Hello, I will be your helper today.

Your computer seems completely clean. Are you experiencing any odd errors, or/and activity?
#3
(10-18-2009, 07:37 PM)HaruhiSuzumiya Wrote: Hello, I will be your helper today.

Your computer seems completely clean. Are you experiencing any odd errors, or/and activity?

Yes... I'll search something in Google, say... these forums for example, and it'll show results as apartmentfinder.com and other random, non-related sites... that's the weird thing. I'd automatically assume it's a hijacked browser, but in my case it doesn't appear to be.
#4
(10-18-2009, 08:34 PM)andrewjs18 Wrote: Yes... I'll search something in Google, say... these forums for example, and it'll show results as apartmentfinder.com and other random, non-related sites... that's the weird thing. I'd automatically assume it's a hijacked browser, but in my case it doesn't appear to be.

I assume it's because you're using OpenDNS?
#5
(10-18-2009, 08:50 PM)HaruhiSuzumiya Wrote: I assume it's because you're using OpenDNS?

That can't be the problem. I've been using OpenDNS for years without any problem.
#6
(10-19-2009, 11:12 AM)andrewjs18 Wrote: That can't be the problem. I've been using OpenDNS for years without any problem.

Can you show us a screenshot of it happening?

Also, OpenDNS redirects Google traffic:
http://www.labnol.org/software/browsers/...r-ie/2662/

http://forums.opendns.com/comments.php?DiscussionID=226
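The O17 line in the log from post #1 is what ties this machine to OpenDNS. As an added example (not part of the original thread), the sketch below parses HijackThis result lines and labels every O17 NameServer address against an analyst-supplied allowlist; the allowlist contents, the function names and the second sample line are assumptions made for illustration.

```python
import re
from ipaddress import ip_address

# Excerpt of the log posted in #1 (only a few of its result lines).
SAMPLE_LOG = r"""O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E38634D-67B7-4EAC-A41B-82F66E1C1225}: NameServer = 208.67.222.222,208.67.220.220
"""

# Constructed line: same shape, resolver taken from a documentation-only range.
UNKNOWN_LINE = (r"O17 - HKLM\System\CCS\Services\Tcpip\.."
                r"\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53")

# Assumption: an allowlist the analyst maintains (add ISP or corporate resolvers).
KNOWN_RESOLVERS = {"208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS"}

ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")            # e.g. "O17 - <detail>"
O17_RE = re.compile(r"^(?P<key>.+?): (?P<name>\w+) = (?P<value>.*)$")

def parse_entries(log_text):
    """Yield (section_code, detail) for every HijackThis result line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def dns_findings(log_text, known=KNOWN_RESOLVERS):
    """Return [(registry_key, address, label)] for each O17 NameServer address."""
    findings = []
    for code, detail in parse_entries(log_text):
        m = O17_RE.match(detail) if code == "O17" else None
        if not m or m.group("name") != "NameServer":
            continue  # other O17 values (Domain, SearchList) are not resolvers
        for raw in filter(None, re.split(r"[,\s]+", m.group("value"))):
            try:
                ip = str(ip_address(raw))
            except ValueError:
                findings.append((m.group("key"), raw, "MALFORMED"))
                continue
            findings.append((m.group("key"), ip, known.get(ip, "UNKNOWN")))
    return findings

if __name__ == "__main__":
    for key, ip, label in dns_findings(SAMPLE_LOG) + dns_findings(UNKNOWN_LINE):
        print(f"{ip:<16} {label:<8} {key}")
```

An UNKNOWN label only means the address is not on the allowlist; it still has to be checked against the network's intended DNS configuration.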
#7
(10-19-2009, 05:17 PM)HaruhiSuzumiya Wrote: Can you show us a screenshot of it happening?

Also, OpenDNS redirects Google traffic:
http://www.labnol.org/software/browsers/...r-ie/2662/

http://forums.opendns.com/comments.php?DiscussionID=226

Yep, on Friday when I'm back in work. It's happening on my personal work computer.
#8
This happened to me. When you do a search, a new page pops up. Look at the URL of that page, www.xxx1xxx.com. So you would put "www.xxx1xxx.com virus" into Google. Click on the one that best suits you. And click "view cached page" or something of the like; it will provide removal instructions.
One day your life will flash before your eyes. Make sure it's worth watching.
#9
Please post a fresh HJT log.

Update MBAM to latest version and perform a full system scan.

Post both the logs in your next reply.


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to Yes, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
#10
(10-19-2009, 05:17 PM)HaruhiSuzumiya Wrote: Can you show us a screenshot of it happening?

Also, OpenDNS redirects Google traffic:
http://www.labnol.org/software/browsers/...r-ie/2662/

http://forums.opendns.com/comments.php?DiscussionID=226

[Image: ScreenHunter_01Oct231736.jpg]

