how do you get rid of "britannia search"

  • 26-08-2009 01:34PM
    #1
    Closed Accounts Posts: 36


    Every time I google something and try to go to the link it gives me, it ends up going to this Britannia search thing. I scanned the computer with free AVG but nothing came up... any tips?


Comments

  • Closed Accounts Posts: 21 Lisheo


    Download free Malwarebytes Anti-Malware from http://malwarebytes.org/ and run it. Sounds like a virus, if you're using Google's website.


  • Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭wolfric


    Check your hosts file. Try another browser. Is it just on your PC or on all PCs on the network? Use OpenDNS, check for proxies in your browser.


  • Closed Accounts Posts: 36 randy lug


    I tried the link to the Malwarebytes thing but I wasn't able to upload it :(


  • Closed Accounts Posts: 21 Lisheo


    randy lug wrote: »
    I tried the link to the Malwarebytes thing but I wasn't able to upload it :(
    Okay, you've got malware, if it wouldn't let you download MBAM, I'm afraid to say.
    Try and download it using a different computer, and transfer it over using a usb stick, if you can. Also, rename the program to something different, like myprogram.exe
    Please download this http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html, and send me a private message with the log. Run it as admin, too.

    If for some reason you can't download hijackthis or transfer files from another computer, please get back to me immediately.


  • Closed Accounts Posts: 36 randy lug


    I downloaded the MBAM thing onto a USB stick and transferred it onto my computer, did the scan but it didn't get rid of it.

    Tried the HijackThis thing and got these results:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:13:37, on 02/09/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\sySTEM32\SvchoSt.ExE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\webserver\webserver.exe
    C:\ATI-CPanel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.eircom.net./
    R3 - URLSearchHook: Best Security Tips Toolbar - {da30eff8-ccc6-4162-a20d-67402a26a215} - C:\Program Files\Best_Security_Tips\tbBes1.dll
    O3 - Toolbar: Best Security Tips Toolbar - {da30eff8-ccc6-4162-a20d-67402a26a215} - C:\Program Files\Best_Security_Tips\tbBes1.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] c:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Yahoo Messenger] YPager.EXE
    O4 - HKLM\..\Run: [IEO1t3n] C:\WINDOWS\qsngsd.exe
    O4 - HKLM\..\Run: [<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsngsd.exe
    O4 - HKLM\..\Run: [<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsngsd.exe
    O4 - HKLM\..\Run: [<°ÜZJÝYMÝlY«Q°aüžõgMC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qsngsd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: tuvSIbcB - tuvSIbcB.dll (file missing)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
    --
    End of file - 4551 bytes


    There is another menu about deleting stuff but I'm not sure what to do...


  • Closed Accounts Posts: 21 Lisheo


    Right, this: qsngsd.exe looks to me like malware alright. I've never heard of it before, and it's running a lot of instances on your computer, and none of them look especially healthy.
    {CCC7A320-B3CA-4199-B1A6-9F516DD69829} and @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe also appear to be trojans.
    C:\WINDOWS\sySTEM32\SvchoSt.ExE looks suspicious too.
    If you downloaded any unusual programs/applications recently, before this redirect, could you PM me what they were? It would help greatly.
    Please don't fix anything just yet, I've never heard of this one before, so I want to be sure before I recommend any action that involves deleting files.
    To be honest with you though, like I said, I've never heard of some of the things you have here, so I would recommend a clean install of windows. Cleaning your computer of this would probably be a painstakingly slow and difficult business. It would, however really be great if you could send me a pm of a link to whatever you downloaded, though, so I can get it disassembled and looked at.
    EDIT: have contacted a more experienced friend. This is either really really rare, or brand new. I would REALLY appreciate the source.


  • Closed Accounts Posts: 21 Lisheo


    Looking over this again, you have more infections than I thought.
    R3 - URLSearchHook: Best Security Tips Toolbar - {da30eff8-ccc6-4162-a20d-67402a26a215} - C:\Program Files\Best_Security_Tips\tbBes1.dll
    O3 - Toolbar: Best Security Tips Toolbar - {da30eff8-ccc6-4162-a20d-67402a26a215} - C:\Program Files\Best_Security_Tips\tbBes1.dll
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    appear to be trojans, and webserver.exe could be a trojan that creates a backdoor, unless you're running that one yourself.
    tuvSIbcB - tuvSIbcB.dll (file missing), that missing .dll, I've not heard of.
    It is this: O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    that's the part causing the Britannia search redirect problem.
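
An added example, not part of any post in this thread: a small Python triage pass over HijackThis log lines that surfaces the kinds of entries the replies above single out for a closer look (dangling references, a service with no owner information, odd casing in a process path, several autostart values launching one binary). The heuristics and the function name `triage` are this example's own assumptions; a hit means "review manually", not "malicious".

```python
import re
from collections import defaultdict

# Subset of the HijackThis log posted in this thread; the "[example2]" Run value
# name is constructed (the original duplicate value names are unprintable).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\Explorer.EXE
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [IEO1t3n] C:\WINDOWS\qsngsd.exe
O4 - HKLM\..\Run: [example2] C:\WINDOWS\qsngsd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O20 - Winlogon Notify: tuvSIbcB - tuvSIbcB.dll (file missing)
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
"""

RUN_RE = re.compile(r"^O4 - \S+\\Run(?:Services)?: \[(.*)\] (.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

def triage(log_text):
    """Return (reason, line) pairs worth a manual look. Heuristics, not verdicts."""
    findings, run_targets = [], defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if "(file missing)" in line or "(no file)" in line:
            findings.append(("dangling reference", line))
        if line.startswith("O23 - ") and "Unknown owner" in line:
            findings.append(("service without vendor info", line))
        if re.match(r"^[A-Za-z]:\\", line):  # a "Running processes" entry
            ext = line.rsplit(".", 1)[-1]
            if ext != ext.lower() and ext != ext.upper():
                findings.append(("odd mixed-case extension", line))
        m = RUN_RE.match(line)
        if m:  # group autostart values by the executable they launch
            exe = EXE_RE.match(m.group(2))
            target = (exe.group(1) or exe.group(2)) if exe else m.group(2)
            run_targets[target.lower()].append(line)
    for target, lines in run_targets.items():
        if len(lines) > 1:  # several autostart values launching one binary
            findings.extend(("duplicate autostart target", l) for l in lines)
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:28} {line}")
```
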

