
Trojan Clicker?


Name: Afflicted
Date: December 1, 2006 at 00:57:15 Pacific
OS: Windows XP pro
CPU/Ram: 3.2Ghz/1mb ram
Product: n/a
Comment:

I just got my system from a friend who repaired it. I installed suitable security software (Kaspersky, Spybot and ZoneAlarm) and went online. Then, whenever I try to go onto any search engine (Google, Ask, Yahoo etc.), my browser (both Firefox and IE) opens up a different site to whatever I typed into the address bar; however, the address still stays the same. For example, I type in 'www.google.com' and my browser takes me to a site called boobs.net or hq2go.com or something different all the time. But the address to Google still stays in the address bar. Both these sites offer some sort of search tool but mostly for porn, cars and other crap. I'm starting to get the feeling someone's spying on me? Spybot picks up tracker cookies but Kaspersky finds no viruses. I'm baffled and cautious to type my passwords or personal details. Help!




Response Number 1
Name: Abnormal
Date: December 1, 2006 at 08:02:44 Pacific
Reply:

I'm posting a self-help guide, because I still have faith in the internet and its users.

http://forums.tomcoyote.org/index.p...

Learning what's out to get you is half the battle.



Response Number 2
Name: Afflicted
Date: December 1, 2006 at 09:02:02 Pacific
Reply:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmafp.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMEYN.exe 60,451 2004-08-03

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.




Response Number 3
Name: Afflicted
Date: December 1, 2006 at 09:17:42 Pacific
Reply:

Fixed! Thanks!



Response Number 4
Name: Abnormal
Date: December 1, 2006 at 10:53:30 Pacific
Reply:

Glad it helped.

You should go to one of these sites, click on Browse and upload the following file.
DMEYN.EXE

http://www.kaspersky.com/scanforvir...

http://www.virustotal.com/en/indexf...

http://virusscan.jotti.org/

Very good chance that file is infected; if so, delete it.

O17 lines in a HijackThis log with this NameServer = 85.255.115.58,85.255.112.15 should be removed.

In some cases, removing this infection causes Internet connection problems. If this happens in your case, go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer. This will solve the Internet connection problems.




Response Number 5
Name: Afflicted
Date: December 2, 2006 at 04:07:26 Pacific
Reply:

Yeah, sometimes when a page is loaded it says 'done' but it's actually white; other times it just says that page cannot be displayed. I'll do as you said and report back. In the meantime, here's a HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:06:23, on 02/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\DAEMON Tools\daemon.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\FlashGet\flashget.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\HP\digital imaging\bin\hpqtra08.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xxx\Desktop\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\82a44777d56c8f1e0182cf5a94f8b14a\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "D:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download All by FlashGet - D:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Response Number 6
Name: Abnormal
Date: December 3, 2006 at 08:18:06 Pacific
Reply:

Hi,
The O17 you have is the same bad entry.
85.255.116.43

You can double check here;

http://www.dnsstuff.com/

85.255.112.0 - 85.255.127.255
inhoster
Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

Canned speech taken from sjpritch25, because I lost everything on my old computer.


Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."


1) Go to Start > Control Panel >Network Connections. Right click your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on Properties.
* Make a note of the settings before you change them just in case you need to put them back how they were.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice.

2) Go to Start > Run, enter CMD and click OK.

* At the DOS prompt screen, type in cd\ and then press <ENTER>.
* Now type in ipconfig /flushdns and then press <ENTER>. (notice the space after ipconfig)
* Close the command prompt window.

This is a free anti-spyware tool to clean up any leftovers.
http://www.superantispyware.com/



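A small detection script, added here as an example and not part of this thread or of HijackThis: it parses O17 NameServer lines from a HijackThis log and flags any resolver inside the 85.255.112.0/20 block (the Inhoster range quoted above), which is the check Abnormal does by eye in responses 4 and 6. The watchlist and the sample log are constructed for the example; the sample uses the thread's own entries plus a benign one with a placeholder GUID.

```python
import ipaddress
import re
# DNS range quoted in the thread (85.255.112.0 - 85.255.127.255) as a CIDR
# block; the watchlist itself is constructed for this example.
SUSPECT_DNS_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# HijackThis O17 line, e.g.
# O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")

def parse_o17(line):
    """Return (registry key, [server strings]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HijackThis writes several servers separated by spaces or commas
    servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
    return m.group("key"), servers

def is_suspect(server):
    """True if the server is an IP address inside a watchlisted range."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:  # hostnames or garbage never match
        return False
    return any(ip in net for net in SUSPECT_DNS_RANGES)

def find_dns_hijack(log_text):
    """Scan a HijackThis log; return [(registry key, [suspect servers])]."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        bad = [s for s in servers if is_suspect(s)]
        if bad:
            hits.append((key, bad))
    return hits

# Constructed sample: two O17 entries from the thread (space- and comma-separated
# forms) plus a benign per-interface entry with a placeholder GUID.
SAMPLE_LOG = r"""O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for key, bad in find_dns_hijack(SAMPLE_LOG):
        print(f"{key}: suspect NameServer {' '.join(bad)}")
```

Every flagged key is one of the ControlSet paths that the "Fix Checked" step above clears; the benign 192.168.1.1 entry is left alone.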
