[mbluesky]

My computer problems all started when I had a huge influx of adware installed on my computer. I download Malwarebytes Anti Malware and it got rid of it all, at least I thought it had... Approx. 2 weeks later something happened. I cannot run a search in either Yahoo or Google. So I downloaded and tried running HijackThis. But it appeared that the hijacks were attached to my 'hosts' so that program would not work, or I just couldn't figure it out. Then I found Combofix, installed, and ran the program. Below is the log that it produced. Any help would be greatly appreciated!



ComboFix 09-09-25.01 - mbluesky 09/25/2009 14:22.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3292.2580 [GMT -6:00]
Running from: c:\documents and settings\mbluesky\My Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Mozilla Firefox\searchplugins\search.xml

----- BITS: Possible infected sites -----

hxxp://lv-fs-01:8530
.
((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-25 16:19 . 2009-09-25 16:19 -------- d-----w- c:\program files\Trend Micro
2009-09-14 18:18 . 2009-09-14 18:18 -------- d-----w- c:\program files\The Weather Channel FW
2009-09-11 20:48 . 2009-09-11 20:48 -------- d-----w- c:\program files\Lame for Audacity
2009-09-11 20:31 . 2009-09-11 20:31 -------- d-----w- c:\program files\Audacity
2009-09-11 20:27 . 2009-09-11 20:27 -------- d-----w- c:\program files\Ratajik Software
2009-09-10 15:06 . 2009-09-10 15:06 -------- d-----w- c:\documents and settings\mbluesky\Local Settings\Application Data\Apple_Inc
2009-09-10 15:05 . 2009-04-24 02:55 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2009-09-10 15:05 . 2009-09-10 15:05 -------- d-----w- c:\program files\Nitro PDF
2009-09-09 21:27 . 2009-09-09 21:27 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-09 21:26 . 2009-09-09 21:26 -------- d-----w- c:\program files\iPod
2009-09-09 21:26 . 2009-09-09 21:26 -------- d-----w- c:\program files\iTunes
2009-09-09 21:26 . 2009-09-09 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-09 21:25 . 2009-09-09 21:25 -------- d-----w- c:\program files\QuickTime
2009-09-09 20:19 . 2009-09-09 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-09 20:19 . 2009-09-09 20:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-09 16:54 . 2009-09-09 16:54 -------- d-----w- c:\documents and settings\mbluesky\Application Data\Malwarebytes
2009-09-09 16:51 . 2009-09-09 16:51 -------- d-----w- c:\documents and settings\mbluesky\Local Settings\Application Data\Symantec
2009-09-09 16:42 . 2009-09-09 16:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-09-09 16:41 . 2009-03-16 15:15 91976 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2009-09-09 16:40 . 2009-09-09 16:40 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-09 16:40 . 2009-09-09 16:40 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-09 16:38 . 2009-09-09 16:42 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-09 16:38 . 2009-09-09 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-09 16:38 . 2009-09-09 16:40 -------- d-----w- c:\program files\Symantec
2009-09-09 16:13 . 2009-09-09 16:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-09 16:12 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-09 16:12 . 2009-09-09 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 16:12 . 2009-09-09 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-09 16:12 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 15:59 . 2009-09-09 15:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-09-09 15:11 . 2009-09-09 19:48 -------- d-sh--w- c:\documents and settings\All Users\Application Data\28bbcaa
2009-09-09 08:43 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-02 19:35 . 2009-09-02 19:35 -------- d-----w- c:\program files\Microsoft Research

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 15:16 . 2009-03-16 15:15 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-09-10 15:09 . 2008-04-25 21:42 419000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-09 21:39 . 2009-04-21 17:12 -------- d-----w- c:\documents and settings\mbluesky\Application Data\Apple Computer
2009-09-09 21:26 . 2009-04-21 17:11 -------- d-----w- c:\program files\Common Files\Apple
2009-09-09 16:40 . 2009-09-09 16:40 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-09 16:40 . 2009-09-09 16:40 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-09 16:32 . 2009-04-17 16:05 6508 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-09 15:16 . 2009-07-13 16:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 14:12 . 2009-02-18 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-29 01:42 . 2009-04-21 17:11 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 01:42 . 2009-04-21 17:11 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-24 22:38 . 2009-01-10 04:31 -------- d-----w- c:\program files\Java
2009-08-21 22:05 . 2009-08-21 22:05 -------- d-----w- c:\program files\NCI GIS Tools
2009-08-21 17:37 . 2009-08-21 17:37 -------- d-----w- c:\documents and settings\mbluesky\Application Data\QuosaDDM
2009-08-19 22:00 . 2009-08-19 22:00 -------- d-----w- c:\program files\YouTube Downloader
2009-08-12 21:15 . 2009-07-15 21:19 -------- d-----w- c:\program files\Safari
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 20:14 . 2009-07-29 20:14 -------- d-----w- c:\program files\Alwil Software
2009-07-25 11:23 . 2009-02-18 20:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 17:14 . 2009-07-16 17:14 68632 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-14 05:43 . 2008-04-25 16:16 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2008-04-25 16:16 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2008-08-16 23:42 . 2008-08-16 23:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 23:42 . 2008-08-16 23:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 23:42 . 2008-08-16 23:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 23:42 . 2008-08-16 23:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 23:43 . 2008-08-16 23:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 23:42 . 2008-08-16 23:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 23:42 . 2008-08-16 23:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 14:41 . 2008-05-21 14:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 14:41 . 2008-05-21 14:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 14:41 . 2008-05-21 14:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 19:58 . 2008-06-05 19:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 23:42 . 2008-08-16 23:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-04-23 801904]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-08-27 1044480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-08-06 182808]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-02 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-02 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-02 150040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-16 115560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-842925246-839522115-62891\Scripts\Logoff\0\0]
"Script"=logout.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-842925246-839522115-62891\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-842925246-839522115-71010\Scripts\Logoff\0\0]
"Script"=logout.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-842925246-839522115-71010\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [1/10/2009 1:21 AM 24064]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [1/10/2009 1:21 AM 144480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2009 8:20 AM 102448]
S2 gupdate1c9f3649afc1c3a;Google Update Service (gupdate1c9f3649afc1c3a);c:\program files\Google\Update\GoogleUpdate.exe [6/22/2009 12:09 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [3/16/2009 9:15 AM 23888]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 18:09]

2009-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 18:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\mbluesky\Application Data\Mozilla\Firefox\Profiles\h7lblakn.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
SafeBoot-Symantec Antvirus
AddRemove-SearchAssist - c:\dell\SearchAssist\UninstSA.bat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 14:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(988)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-09-25 14:28
ComboFix-quarantined-files.txt 2009-09-25 20:28

Pre-Run: 128,270,143,488 bytes free
Post-Run: 128,623,521,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

200 --- E O F --- 2009-09-09 14:13