Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

browser redirect virus / can not open widows xp in safe mode

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

browser redirect virus / can not open widows xp in safe mode

Unread postby gtbfl » November 26th, 2009, 9:01 pm

hi,
I picked up the virus that redirects browser searches to random sites. I am running XP Media Edition and use Firefox although redirects also occur in IE Explorer. I have run Spybot, PC doctor, Malwarebytes, CCleaner, Hijackthis, Combofix but nothing has worked ( although I did clean up some other malware along the way). I read in another link on this site that I might just have to reformat and start anew but others seem to have had success in removing this. I have had this for about a week and have taken it as far as I can on my own. I am hoping some kind soul will take me on, and read my logs, as the thought of reloading windows is just too painful.
This is my latest log from CombFix:

ComboFix 09-11-26.01 - Gord 11/26/2009 18:49.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.566 [GMT -5:00]
Running from: c:\documents and settings\Gord\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 02:10 . 2009-11-26 02:11 31836 ----a-w- c:\documents and settings\Gord\Application Data\Desktopicon\uninst.exe
2009-11-26 02:10 . 2009-11-26 02:10 -------- d-----w- c:\documents and settings\Gord\Application Data\Desktopicon
2009-11-26 02:10 . 2009-11-26 02:10 -------- d-----w- c:\program files\Unlocker
2009-11-26 02:03 . 2009-11-26 02:03 -------- d-----w- c:\documents and settings\Gord\Application Data\EMCO
2009-11-25 23:24 . 2009-11-25 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-25 23:23 . 2009-11-26 14:41 -------- d-----w- c:\documents and settings\Gord\Application Data\SUPERAntiSpyware.com
2009-11-25 23:23 . 2009-11-26 14:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-25 17:28 . 2009-11-25 17:28 -------- d-----w- c:\documents and settings\Gord\Application Data\Malwarebytes
2009-11-25 17:28 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 17:28 . 2009-11-25 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 17:28 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 17:28 . 2009-11-25 17:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 08:57 . 2009-11-25 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\RegAce
2009-11-25 08:56 . 2009-11-25 09:09 -------- d-----w- c:\program files\RegAce
2009-11-25 05:04 . 2009-11-25 05:04 -------- d-----w- c:\program files\Trend Micro
2009-11-25 04:23 . 2009-11-25 04:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-14 16:01 . 2009-11-14 16:07 -------- d-----w- c:\program files\TradeStation 8.6 (Build 2696)
2009-11-11 08:11 . 2009-11-11 08:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 23:42 . 2006-04-28 01:23 22232 ----a-w- c:\documents and settings\Gord\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-26 14:41 . 2008-10-27 05:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-25 21:10 . 2006-03-14 20:54 -------- d-----w- c:\program files\Dell
2009-11-25 06:44 . 2007-07-03 21:46 -------- d-----w- c:\program files\blstoolbar
2009-11-25 04:54 . 2006-12-14 08:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-25 04:15 . 2007-04-25 01:39 -------- d-----w- c:\documents and settings\Gord\Application Data\Smart PC Solutions
2009-11-24 21:04 . 2007-08-27 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-22 20:35 . 2006-04-28 18:24 -------- d-----w- c:\program files\PokerStars
2009-11-21 21:53 . 2008-08-24 04:27 1 ----a-w- c:\documents and settings\Gord\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-11-21 21:53 . 2006-05-02 03:56 -------- d-----w- c:\documents and settings\Gord\Application Data\OpenOffice.org2
2009-11-21 05:07 . 2007-01-26 23:37 -------- d-----w- c:\program files\Sportsbook Poker
2009-11-13 19:50 . 2008-05-09 01:13 -------- d-----w- c:\program files\Odds Maker
2009-10-24 17:31 . 2006-03-14 20:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2008-02-11 00:48 . 2006-12-12 19:48 131584 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-28 01:46 . 2006-04-28 05:05 152 --sh--r- c:\windows\system32\B18E5F931D.sys
2009-01-28 01:46 . 2006-04-28 05:05 7050 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_08.39.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-04-27 23:45 . 2009-11-26 19:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-04-27 23:45 . 2009-11-25 07:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-04-27 23:45 . 2009-11-25 07:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-04-27 23:45 . 2009-11-26 19:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-11 08:11 . 2009-11-25 07:05 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-11 08:11 . 2009-11-26 19:49 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-04-27 23:45 . 2009-11-26 19:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-04-27 23:45 . 2009-11-25 07:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-5-7 1757]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-6-27 221247]
Digital Line Detect.lnk.disabled [2006-3-14 493]
HP Digital Imaging Monitor.lnk.disabled [2006-4-27 1808]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DW6"=
"DW4"=
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HelpCenter4.1"=c:\program files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe"
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"BellSouthAlertManager.exe"="c:\program files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"SigmatelSysTrayApp"=stsystra.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Odds Maker\\client.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2/6/2008 3:48 PM 20160]
S2 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [4/30/2006 3:31 PM 10379]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/14/2006 4:05 PM 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-04-25 19:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: {0E5F73A1-4F7B-4C1F-B61D-CB6A4284CDD3} - hxxps://www.tradestation.com/chatclient ... tschat.cab
DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} - hxxps://www.tradestation.com/tscom/Clie ... tsTemp.cab
FF - ProfilePath - c:\documents and settings\Gord\Application Data\Mozilla\Firefox\Profiles\vaodwwym.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/p/1.html/|http://ne ... .yahoo.com
FF - component: c:\documents and settings\Gord\Application Data\Mozilla\Firefox\Profiles\vaodwwym.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaxctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npfemz.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 19:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F41170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7556f28
\Driver\ACPI -> ACPI.sys @ 0xf73e9cb8
\Driver\atapi -> atapi.sys @ 0xf737b852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3524)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-26 19:08
ComboFix-quarantined-files.txt 2009-11-27 00:08
ComboFix2.txt 2009-11-25 21:49
ComboFix3.txt 2009-11-25 19:16
ComboFix4.txt 2009-11-25 08:45

Pre-Run: 36,535,361,536 bytes free
Post-Run: 36,499,210,240 bytes free

- - End Of File - - 8A4ADC5BCFE218A6504DB366C93D3FBA

Thanks
gtbfl
Active Member
 
Posts: 1
Joined: November 26th, 2009, 8:01 pm
Advertisement
Register to Remove

Re: browser redirect virus / can not open widows xp in safe mode

Unread postby NonSuch » November 28th, 2009, 12:32 am

ComboFix is not a tool that is intended to be used without the direct supervision of a qualified expert. To use ComboFix on your own is to court disaster for your computer. Please stop all attempts at self-fixes for your system's issues as that may only confuse the issue further and cause additional problems as well.

In order for us to help you it is necessary that you provide us with a HijackThis log. Please follow the guideline at the link below to start a new topic and post your HijackThis log. Also include your ComboFix log in the same post.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: >Guideline for posting your HijackThis log<
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 43 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware