I'm having trouble removing something that redirects me every time I click on a Google search item. I am using the Firefox browser.
Here is an example:
When I google 'malware'
and click on the first item in Google's search results (in this case a link to Wikipedia), I see this address come up:
http://www.google.co...3...&kw=malware
Then I get redirected to some dodgy page.
This happens once, and if I click again on the same link it will take me to the wiki, although always via an address with 'click' in it.
Very annoying and quite worrying.
Anyone got any ideas? I have run various things but not been able to root it out. So far I have tried Spybot, CCleaner, AVG, SpywareBlaster and Malwarebytes (although it wouldn't update), with no joy.
I also ran ComboFix once before realising I should only do that on request. Here is the log anyway in case you can use it.
Can anyone help?
Many thanks,
Dan
ComboFix 09-08-09.04 - User 08/10/2009 17:57.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.502.222 [GMT 1:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.
2009-07-30 17:59 . 2009-03-10 21:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-07-30 17:59 . 2009-07-30 17:59 -------- d-----w- c:\windows\system32\KB905474
2009-07-30 17:59 . 2009-03-10 21:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-07-30 13:48 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-30 13:48 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-30 13:47 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-30 13:47 . 2009-02-06 09:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-30 13:47 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-07-30 13:47 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-30 13:47 . 2009-02-06 10:22 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-30 13:47 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-30 13:47 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-30 13:47 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-30 13:47 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-30 13:40 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-30 13:35 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-28 15:16 . 2009-07-28 15:16 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-28 15:16 . 2009-07-28 15:16 -------- d-----w- c:\windows\system32\xircom
2009-07-28 15:16 . 2009-07-28 15:16 -------- d-----w- c:\program files\microsoft frontpage
2009-07-28 14:06 . 2009-07-30 13:01 -------- d-----w- c:\windows\system32\scripting
2009-07-28 14:06 . 2009-07-30 13:01 -------- d-----w- c:\windows\l2schemas
2009-07-28 14:06 . 2009-07-30 13:01 -------- d-----w- c:\windows\system32\en
2009-07-28 14:06 . 2009-07-30 13:01 -------- d-----w- c:\windows\system32\bits
2009-07-28 13:49 . 2007-06-13 11:26 1033216 ----a-w- c:\windows\system32\dllcache\explorer.exe
2009-07-28 13:48 . 2006-06-26 17:37 8192 ----a-w- c:\windows\system32\dllcache\rasadhlp.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 17:09 . 2007-05-03 07:37 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-08-06 21:13 . 2008-01-04 14:32 -------- d-----w- c:\documents and settings\User\Application Data\BitTorrent
2009-07-30 18:17 . 2008-10-03 08:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 13:01 . 2007-03-17 02:57 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-30 12:56 . 2009-07-03 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-29 17:33 . 2009-07-07 14:54 334544 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-28 15:20 . 2007-03-17 03:04 334544 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 14:52 . 2009-07-07 14:52 -------- d-----w- c:\documents and settings\Guest\Application Data\Trusteer
2009-07-05 14:08 . 2009-07-05 14:08 -------- d-----w- c:\program files\CCleaner
2009-07-03 23:01 . 2007-05-03 07:36 -------- d-----w- c:\program files\Google
2009-07-03 22:37 . 2009-07-03 22:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-01 11:42 . 2008-07-07 17:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-01 11:42 . 2008-06-11 14:31 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 11:42 . 2007-05-03 13:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 15:59 . 2005-10-13 00:14 668160 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 15:59 . 2004-08-03 21:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2004-08-03 21:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2001-08-23 11:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:24 . 2005-10-13 00:25 1291264 ----a-w- c:\windows\system32\quartz.dll
2007-10-04 00:05 . 2007-10-04 00:05 1808 ----a-w- c:\program files\HP Digital Imaging Monitor.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 766041]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-07-19 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-07-19 2879488]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-13 88204]
c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-17 113664]
DO!.txt [2009-8-9 13488]
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-7-3 908280]
~$DIARY.doc [2008-3-1 162]
~$G HOURS.doc [2008-2-22 162]
~$nvoice.doc [2008-3-1 162]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-01 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 3:31 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 3:31 PM 108552]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2/26/2009 7:24 AM 57320]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2/26/2009 7:24 AM 238952]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 6:58 PM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 6:58 PM 298776]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [6/1/2009 9:53 AM 648424]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [7/28/2009 2:48 PM 15104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2009-08-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-30 21:18]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-RegistryMechanic - (no file)
HKU-Default-RunOnce-IETI - c:\program files\Skype\Phone\IEPlugin\unins000.exe
Notify-WgaLogon - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
.
------- Supplementary Scan -------
.
uStart Page = hxxp://warpmail.net/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\oyr2coqe.default\
FF - prefs.js: browser.startup.homepage - hxxp://hernandez.blog.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 18:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2900)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\docume~1\User\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Trusteer\Rapport\bin\RapportService.exe
.
**************************************************************************
.
Completion time: 2009-08-10 18:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 17:15
Pre-Run: 13,402,587,136 bytes free
Post-Run: 13,593,669,632 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
220 --- E O F --- 2009-07-30 18:01