Search is redirected

Dell / Mp061
November 23, 2009 at 17:05:17
Specs: Microsoft Windows XP Professional, 1.994 GHz / 2046 MB
My search is redirected.
I have tried ALL ANTI-SPYWARE.
Malwarebytes
Super Anti-Spyware
Ad-Aware
UnHackme
Hijackthis
I can do no more on my own.
I fear I will ruin my computer soon.
Please help.

#1
November 23, 2009 at 17:20:30
Go to add/remove programs and uninstall Ad-aware and Spybot, you can reinstall them later. Then any other antispyware you have must be disabled or turned off. Also your antivirus will need to be disabled. They will interfere with Combofix. There is a clickable link "This Link" below that will help you get your security programs disabled.

The baddie, at this point appears to be the Recycler virus.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to toolb.exe> click save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, and any other antispyware that you may have. (To completely turn off AVG click the systray AVG icon then click exit. Next click the desktop AVG icon> resident shield> uncheck the box to the left of resident shield active> save changes.) Restart the computer and recheck the box you unchecked before getting back online.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to Combo-Fix> click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

#2
November 24, 2009 at 05:48:20
ComboFix 09-11-23.04 - Manny Tavares 11/24/2009 8:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1618 [GMT -5:00]
Running from: c:\documents and settings\Manny Tavares\Desktop\toolb.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Manny Tavares\Local Settings\Temporary Internet Files\Grv11.rpt
c:\documents and settings\Manny Tavares\Local Settings\Temporary Internet Files\Grv15.rpt
c:\documents and settings\Manny Tavares\Local Settings\Temporary Internet Files\Grv17.rpt
c:\recycler\NPROTECT
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-18 21:48 . 2009-11-18 21:48 -------- d-----w- C:\rsit
2009-11-18 13:39 . 2009-11-18 13:39 2 --shatr- c:\windows\winstart.bat
2009-11-18 13:39 . 2008-12-22 20:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-18 13:39 . 2009-11-18 13:39 -------- d-----w- c:\program files\UnHackMe
2009-11-17 22:45 . 2009-11-17 22:45 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2009-11-17 21:24 . 2009-11-17 21:24 195584 ----a-w- c:\documents and settings\Manny Tavares\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-49f7ee9b-n\WMINative.dll
2009-11-17 18:10 . 2009-11-17 18:10 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-17 18:10 . 2009-11-18 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-17 17:16 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-17 16:05 . 2009-11-17 16:06 -------- d-----w- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-11-17 01:40 . 2009-11-17 01:40 15781 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2009-11-17 01:40 . 2009-11-17 01:40 -------- d-----w- c:\program files\D-link AirPlus G DWL-G120 Wireless USB
2009-11-17 01:40 . 1998-06-17 05:00 798773 ----a-w- c:\windows\system32\MFCO42D.DLL
2009-11-17 01:40 . 2004-04-06 23:52 349568 ----a-w- c:\windows\system32\drivers\PRISMA02.sys
2009-11-17 01:40 . 2004-03-27 19:13 286809 ----a-w- c:\windows\system32\PRISMSVR.exe
2009-11-17 01:40 . 2004-03-27 19:10 368729 ----a-w- c:\windows\system32\PRISMAPI.dll
2009-11-17 01:40 . 2004-03-04 19:47 929792 ----a-w- c:\windows\system32\PRISME5.dll
2009-11-17 01:40 . 2004-03-04 19:46 929792 ----a-w- c:\windows\system32\AegisE5.dll
2009-11-17 00:14 . 2009-11-17 00:14 -------- d-----w- c:\documents and settings\Manny Tavares\Local Settings\Application Data\Promosoft Corporation
2009-11-07 16:15 . 2009-11-07 16:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-07 12:39 . 2009-11-17 00:14 -------- d-----w- c:\documents and settings\Manny Tavares\Local Settings\Application Data\hkfwvp
2009-10-26 12:56 . 2009-10-26 12:56 -------- d-----w- c:\documents and settings\Manny Tavares\Application Data\EDrawings
2009-10-26 12:55 . 2009-10-26 12:55 -------- d-----w- c:\documents and settings\Manny Tavares\Local Settings\Application Data\DassaultSystemes
2009-10-26 12:55 . 2009-10-26 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DassaultSystemes
2009-10-26 12:55 . 2009-10-26 12:55 -------- d-----w- c:\documents and settings\Manny Tavares\Application Data\DassaultSystemes
2009-10-26 12:52 . 2009-10-26 12:52 -------- d-----w- c:\program files\Common Files\eDrawings2010

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 12:58 . 2009-11-13 02:59 -------- d-----w- c:\documents and settings\Manny Tavares\Application Data\SUPERAntiSpyware.com
2009-11-24 12:57 . 2008-11-17 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-24 12:57 . 2007-01-02 14:50 -------- d-----w- c:\program files\Lavasoft
2009-11-18 13:35 . 2006-12-19 20:24 87432 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 04:34 . 2007-01-24 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-17 22:52 . 2006-12-19 20:03 -------- d-----w- c:\program files\Microsoft Works
2009-11-17 22:46 . 2006-12-19 20:21 -------- d-----w- c:\program files\Microsoft SQL Server
2009-11-17 01:40 . 2006-12-19 20:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-17 00:14 . 2009-11-17 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-17 00:14 . 2009-11-07 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-17 00:14 . 2009-11-17 00:14 -------- d-----w- c:\program files\Common Files\Scanner
2009-11-17 00:14 . 2009-11-07 18:24 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-11-17 00:14 . 2008-10-26 03:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-17 00:13 . 2009-11-07 19:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-17 00:10 . 2009-11-13 02:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 22:01 . 2009-11-13 22:01 -------- d-----w- c:\program files\Trend Micro
2009-11-13 21:43 . 2009-11-13 21:43 -------- d-----w- c:\program files\AML Products
2009-11-13 21:37 . 2007-07-25 02:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-12 16:45 . 2007-04-16 18:28 -------- d-----w- c:\documents and settings\Manny Tavares\Application Data\SolidWorks
2009-11-07 18:39 . 2009-11-07 18:39 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 15:13 . 2009-10-23 15:13 -------- d-----w- c:\program files\FileExtensionFinder
2009-10-18 18:44 . 2009-10-18 16:24 -------- d-----w- c:\program files\TV Player Pro
2009-10-18 17:05 . 2009-10-18 17:05 -------- d-----w- c:\program files\StreamTorrent 1.0
2009-10-18 17:05 . 2009-10-18 17:05 -------- d-----w- c:\documents and settings\Manny Tavares\Application Data\StreamTorrent
2009-10-08 19:57 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2004-08-11 23:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2004-08-11 23:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-29 15:20 . 2009-09-29 15:14 -------- d-----w- c:\program files\Samurize
2009-09-11 14:18 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-10-26 03:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-10-26 03:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WallpaperChanger"="c:\program files\Wallpaper Master\Wallpaper.exe" [2005-11-08 321536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-04 1032192]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2009-11-16 356432]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 MSSQL$TINIUS;MSSQL$TINIUS;c:\program files\Microsoft SQL Server\MSSQL$TINIUS\Binn\sqlservr.exe [5/4/2005 12:04 AM 9158656]
R3 QuarticsWP;QuarticsWP_Display_Driver;c:\windows\system32\drivers\QuarticsWP.sys [2/27/2007 1:55 PM 17497]
R3 QuarticsWPMirror;QuarticsWPMirror_Display_Driver;c:\windows\system32\drivers\QuarticsWPMirror.sys [2/27/2007 1:55 PM 22841]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SQLAgent$TINIUS;SQLAgent$TINIUS;c:\program files\Microsoft SQL Server\MSSQL$TINIUS\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
.
Contents of the 'Scheduled Tasks' folder

2009-11-24 c:\windows\Tasks\User_Feed_Synchronization-{D003AD03-8B7B-41EE-B3B0-2632B640E58D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
FF - ProfilePath - c:\documents and settings\Manny Tavares\Application Data\Mozilla\Firefox\Profiles\0s0rzosh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Manny Tavares\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini
AddRemove-Easy-PhotoPrint EX - c:\program files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 08:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\MANNYT~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\BCMLogon.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-24 08:45
ComboFix-quarantined-files.txt 2009-11-24 13:45

Pre-Run: 66,953,383,936 bytes free
Post-Run: 67,237,203,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DC6639CA2B7A51E2C1D4975C67F29B3A

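The log above is the kind of artifact a helper reads by eye: the "Infected copy of ... atapi.sys" notice, the file-attribute strings in the "Files Created" section, the "EnableFirewall"= 0 line and the catchme hidden-file count are the lines that matter. The following Python triage helper is an added example, not part of this thread or of ComboFix itself. It parses a few constructed lines copied in form from the log, flags those findings for a reviewer, and assumes the line layouts seen here (two timestamps separated by " . ", a size or dashes, an eight-letter attribute string, then the path); the meaning of the attribute letters (h = hidden, s = system) is inferred from this log's own entries, not from ComboFix documentation.

```python
"""Triage helper for ComboFix-style logs (added example; line formats assumed from the thread's log)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the same shape as the log posted above.
SAMPLE_LOG = r"""Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.
2009-11-18 13:39 . 2009-11-18 13:39 2 --shatr- c:\windows\winstart.bat
2009-11-18 13:39 . 2008-12-22 20:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-07 16:15 . 2009-11-07 16:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-07 12:39 . 2009-11-17 00:14 -------- d-----w- c:\documents and settings\Manny Tavares\Local Settings\Application Data\hkfwvp
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
scan completed successfully
hidden files: 1
"""

# Line shapes assumed from the log above (not taken from ComboFix documentation).
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found", re.M)
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+([a-z-]{8})\s+(.+?)\s*$",
    re.M,
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.M)
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)", re.M)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None when the log shows "--------" (directories)
    attrs: str            # eight-letter attribute string, e.g. "d-sh--w-"
    path: str

    @property
    def hidden_or_system(self) -> bool:
        # Assumption inferred from the log's entries: 'h' marks hidden, 's' marks system.
        return "h" in self.attrs or "s" in self.attrs


@dataclass
class Finding:
    category: str
    detail: str


def parse_file_entries(text: str) -> List[FileEntry]:
    """Return every file/directory entry from the dated sections of the log."""
    entries = []
    for created, modified, raw_size, attrs, path in ENTRY_RE.findall(text):
        size = int(raw_size) if raw_size.isdigit() else None
        entries.append(FileEntry(created, modified, size, attrs, path))
    return entries


def triage(text: str) -> List[Finding]:
    """Surface the lines a reviewer should look at first; flags are for review, not conviction."""
    findings: List[Finding] = []
    # A replaced system driver is the strongest signal in this kind of log.
    for m in INFECTED_RE.finditer(text):
        findings.append(Finding("infected-system-file", m.group(1)))
    # Hidden/system attributes on recently created files deserve a look.
    for entry in parse_file_entries(text):
        if entry.hidden_or_system:
            findings.append(Finding("hidden-or-system-attr", f"{entry.attrs} {entry.path}"))
    # A disabled Windows Firewall profile widens exposure during clean-up.
    if FIREWALL_RE.search(text):
        findings.append(Finding("firewall-disabled", "standardprofile EnableFirewall=0"))
    # catchme's hidden-file count, as reported by the rootkit scan.
    m = HIDDEN_RE.search(text)
    if m and int(m.group(1)) > 0:
        findings.append(Finding("rootkit-scan-hidden-files", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.category:28s} {finding.detail}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; each finding still needs a human judgement, since legitimate Windows folders (the IETldCache entry, for instance) also carry system and hidden attributes.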

#3
November 24, 2009 at 05:59:46
It seems to be fixed!
Thank You!
Thank You!
Thank You!

#4
November 24, 2009 at 14:48:00
A little clean-up to do.

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.
