browser redirect virus / cannot open Windows XP in safe mode

Post by gtbfl » November 26th, 2009, 9:01 pm

hi,
I picked up the virus that redirects browser searches to random sites. I am running XP Media Edition and use Firefox, although redirects also occur in IE Explorer. I have run Spybot, PC Doctor, Malwarebytes, CCleaner, HijackThis, ComboFix, but nothing has worked (although I did clean up some other malware along the way). I read in another link on this site that I might just have to reformat and start anew, but others seem to have had success in removing this. I have had this for about a week and have taken it as far as I can on my own. I am hoping some kind soul will take me on and read my logs, as the thought of reloading Windows is just too painful.
This is my latest log from ComboFix:

ComboFix 09-11-26.01 - Gord 11/26/2009 18:49.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.566 [GMT -5:00]
Running from: c:\documents and settings\Gord\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 02:10 . 2009-11-26 02:11 31836 ----a-w- c:\documents and settings\Gord\Application Data\Desktopicon\uninst.exe
2009-11-26 02:10 . 2009-11-26 02:10 -------- d-----w- c:\documents and settings\Gord\Application Data\Desktopicon
2009-11-26 02:10 . 2009-11-26 02:10 -------- d-----w- c:\program files\Unlocker
2009-11-26 02:03 . 2009-11-26 02:03 -------- d-----w- c:\documents and settings\Gord\Application Data\EMCO
2009-11-25 23:24 . 2009-11-25 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-25 23:23 . 2009-11-26 14:41 -------- d-----w- c:\documents and settings\Gord\Application Data\SUPERAntiSpyware.com
2009-11-25 23:23 . 2009-11-26 14:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-25 17:28 . 2009-11-25 17:28 -------- d-----w- c:\documents and settings\Gord\Application Data\Malwarebytes
2009-11-25 17:28 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 17:28 . 2009-11-25 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 17:28 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 17:28 . 2009-11-25 17:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 08:57 . 2009-11-25 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\RegAce
2009-11-25 08:56 . 2009-11-25 09:09 -------- d-----w- c:\program files\RegAce
2009-11-25 05:04 . 2009-11-25 05:04 -------- d-----w- c:\program files\Trend Micro
2009-11-25 04:23 . 2009-11-25 04:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-14 16:01 . 2009-11-14 16:07 -------- d-----w- c:\program files\TradeStation 8.6 (Build 2696)
2009-11-11 08:11 . 2009-11-11 08:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 23:42 . 2006-04-28 01:23 22232 ----a-w- c:\documents and settings\Gord\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-26 14:41 . 2008-10-27 05:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-25 21:10 . 2006-03-14 20:54 -------- d-----w- c:\program files\Dell
2009-11-25 06:44 . 2007-07-03 21:46 -------- d-----w- c:\program files\blstoolbar
2009-11-25 04:54 . 2006-12-14 08:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-25 04:15 . 2007-04-25 01:39 -------- d-----w- c:\documents and settings\Gord\Application Data\Smart PC Solutions
2009-11-24 21:04 . 2007-08-27 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-22 20:35 . 2006-04-28 18:24 -------- d-----w- c:\program files\PokerStars
2009-11-21 21:53 . 2008-08-24 04:27 1 ----a-w- c:\documents and settings\Gord\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-11-21 21:53 . 2006-05-02 03:56 -------- d-----w- c:\documents and settings\Gord\Application Data\OpenOffice.org2
2009-11-21 05:07 . 2007-01-26 23:37 -------- d-----w- c:\program files\Sportsbook Poker
2009-11-13 19:50 . 2008-05-09 01:13 -------- d-----w- c:\program files\Odds Maker
2009-10-24 17:31 . 2006-03-14 20:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2008-02-11 00:48 . 2006-12-12 19:48 131584 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-28 01:46 . 2006-04-28 05:05 152 --sh--r- c:\windows\system32\B18E5F931D.sys
2009-01-28 01:46 . 2006-04-28 05:05 7050 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_08.39.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-04-27 23:45 . 2009-11-26 19:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-04-27 23:45 . 2009-11-25 07:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-04-27 23:45 . 2009-11-25 07:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-04-27 23:45 . 2009-11-26 19:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-11 08:11 . 2009-11-25 07:05 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-11 08:11 . 2009-11-26 19:49 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-04-27 23:45 . 2009-11-26 19:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-04-27 23:45 . 2009-11-25 07:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-5-7 1757]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-6-27 221247]
Digital Line Detect.lnk.disabled [2006-3-14 493]
HP Digital Imaging Monitor.lnk.disabled [2006-4-27 1808]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DW6"=
"DW4"=
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HelpCenter4.1"=c:\program files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe"
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"BellSouthAlertManager.exe"="c:\program files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"SigmatelSysTrayApp"=stsystra.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Odds Maker\\client.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2/6/2008 3:48 PM 20160]
S2 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [4/30/2006 3:31 PM 10379]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/14/2006 4:05 PM 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-04-25 19:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: {0E5F73A1-4F7B-4C1F-B61D-CB6A4284CDD3} - hxxps://www.tradestation.com/chatclient ... tschat.cab
DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} - hxxps://www.tradestation.com/tscom/Clie ... tsTemp.cab
FF - ProfilePath - c:\documents and settings\Gord\Application Data\Mozilla\Firefox\Profiles\vaodwwym.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/1.html/|http://ne ... .yahoo.com
FF - component: c:\documents and settings\Gord\Application Data\Mozilla\Firefox\Profiles\vaodwwym.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaxctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npfemz.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 19:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F41170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7556f28
\Driver\ACPI -> ACPI.sys @ 0xf73e9cb8
\Driver\atapi -> atapi.sys @ 0xf737b852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3524)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-26 19:08
ComboFix-quarantined-files.txt 2009-11-27 00:08
ComboFix2.txt 2009-11-25 21:49
ComboFix3.txt 2009-11-25 19:16
ComboFix4.txt 2009-11-25 08:45

Pre-Run: 36,535,361,536 bytes free
Post-Run: 36,499,210,240 bytes free

- - End Of File - - 8A4ADC5BCFE218A6504DB366C93D3FBA

Thanks
gtbfl

Re: browser redirect virus / cannot open Windows XP in safe mode

Post by NonSuch » November 28th, 2009, 12:32 am

ComboFix is not a tool that is intended to be used without the direct supervision of a qualified expert. To use ComboFix on your own is to court disaster for your computer. Please stop all attempts at self-fixes for your system's issues as that may only confuse the issue further and cause additional problems as well.

In order for us to help you it is necessary that you provide us with a HijackThis log. Please follow the guideline at the link below to start a new topic and post your HijackThis log. Also include your ComboFix log in the same post.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: Guideline for posting your HijackThis log
