I need a little assistance removing a Google redirect virus/malware. I downloaded ComboFix and ran it. It worked, but after rebooting the virus is back. Attached is the latest ComboFix report.
Any help would be greatly appreciated!
Thanks,
ComboFix 09-12-09.04 - Lincoln 12/11/2009 11:35:08.9.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1306 [GMT -5:00]
Running from: c:\users\Lincoln\Desktop\Combo-Fix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.
2009-12-11 16:46 . 2009-12-11 16:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-11 16:46 . 2009-12-11 16:46 -------- d-----w- c:\users\Mark Warren\AppData\Local\temp
2009-12-11 16:46 . 2009-12-11 16:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-10 22:16 . 2009-12-10 22:37 -------- d-----w- C:\Combo-Fix2585C
2009-12-10 15:26 . 2009-12-11 16:46 -------- d-----w- c:\users\Lincoln\AppData\Local\temp
2009-12-10 15:06 . 2009-12-10 15:26 -------- d-----w- C:\Combo-Fix
2009-12-09 20:30 . 2009-12-09 20:30 388096 ----a-r- c:\users\Lincoln\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-09 20:30 . 2009-12-09 20:30 -------- d-----w- c:\program files\TrendMicro
2009-12-09 19:55 . 2009-12-09 20:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-09 19:55 . 2009-12-09 20:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-09 18:27 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-09 18:23 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 18:23 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 18:23 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 18:21 . 2009-12-09 18:32 -------- d-----w- c:\users\Lincoln\AppData\Roaming\Mask Pro 4.0
2009-12-09 17:55 . 2009-12-09 17:55 -------- d-----w- c:\users\Lincoln\AppData\Roaming\Malwarebytes
2009-12-09 17:54 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 17:54 . 2009-12-09 17:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 17:54 . 2009-12-09 17:54 -------- d-----w- c:\programdata\Malwarebytes
2009-12-09 17:54 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 17:45 . 2009-12-09 17:45 108032 --sha-r- c:\windows\system32\igfxressu.dll
2009-12-08 19:06 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 19:06 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2009-12-06 10:07 . 2009-12-06 10:07 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-25 05:03 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 05:03 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 21:57 . 2008-10-01 19:07 -------- d-----w- c:\users\Lincoln\AppData\Roaming\FileZilla
2009-12-10 21:26 . 2008-10-24 15:19 -------- d-----w- c:\users\Lincoln\AppData\Roaming\WTablet
2009-12-10 21:25 . 2009-07-09 21:18 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-12-10 21:25 . 2009-07-09 20:05 51200 ----a-w- c:\windows\system32\rpcnet.dll
2009-12-09 22:16 . 2009-07-09 21:19 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-12-09 20:49 . 2009-10-19 14:15 -------- d-----w- c:\program files\ICC Profile Toolkit
2009-12-09 19:16 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 19:06 . 2008-06-10 07:28 -------- d-----w- c:\program files\Java
2009-12-09 18:29 . 2008-06-10 07:23 -------- d-----w- c:\programdata\Microsoft Help
2009-12-09 17:52 . 2009-02-09 14:36 -------- d-----w- c:\program files\onOne Software
2009-12-09 17:52 . 2008-06-10 07:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-08 15:51 . 2008-09-28 13:27 103504 ----a-w- c:\users\Lincoln\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-24 23:54 . 2009-02-20 17:37 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:50 . 2009-02-20 17:37 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-02-20 17:37 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-02-20 17:37 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-24 23:49 . 2009-02-20 17:37 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-02-20 17:37 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-02-20 17:37 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-18 19:18 . 2008-10-01 19:07 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-27 13:20 . 2009-12-08 19:10 833024 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 13:16 . 2009-12-08 19:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 10:55 . 2009-12-08 19:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-22 20:10 . 2009-02-19 21:10 40512 ----a-w- c:\windows\system32\drivers\Usbkey.sys
2009-10-22 20:10 . 2009-02-19 21:10 40512 ----a-w- c:\windows\inf\Usbkey.sys
2009-10-22 20:10 . 2009-02-19 21:10 20912 ----a-w- c:\windows\system32\drivers\parclass.sys
2009-10-22 20:10 . 2009-02-19 21:10 8968 ----a-w- c:\windows\system32\KL2DLL.DLL
2009-10-22 20:10 . 2009-02-19 21:10 86016 ----a-w- c:\windows\system32\KL2DLL32.DLL
2009-10-22 20:10 . 2009-02-19 21:10 7440 ----a-w- c:\windows\system32\ppmon.dll
2009-10-22 20:10 . 2009-02-19 21:10 24136 ----a-w- c:\windows\system32\ppmon.exe
2009-10-22 20:10 . 2009-02-19 21:10 126976 ----a-w- c:\windows\system32\NWKL2_32.DLL
2009-10-22 20:10 . 2009-02-19 21:10 12480 ----a-w- c:\windows\system32\KL2N.DLL
2009-10-22 20:10 . 2009-10-22 20:10 -------- d-----w- c:\program files\SafeNet Sentinel
2009-10-22 20:10 . 2009-10-22 20:10 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel
2009-10-21 16:45 . 2008-01-22 01:43 33792 ----a-w- c:\windows\system32\identprv.dll
2009-10-19 14:57 . 2009-10-19 14:57 6656 ----a-w- c:\windows\system32\haspvdd.dll
2009-10-19 14:57 . 2009-10-19 14:57 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2009-10-19 14:57 . 2009-10-19 14:57 383 ----a-w- c:\windows\system32\haspdos.sys
2009-10-19 14:15 . 2009-10-19 14:15 1078 ----a-r- c:\users\Lincoln\AppData\Roaming\Microsoft\Installer\{9AA8C063-F105-4F17-AFE4-1F3C1AC19F69}\_7fa97d60.exe
2009-10-14 17:37 . 2009-10-14 17:25 -------- d-----w- c:\program files\Profile-Xpert Software
2009-10-14 17:35 . 2009-10-14 17:35 -------- d-----w- c:\program files\DIFX
2009-10-14 15:45 . 2009-10-14 15:45 -------- d-----w- c:\program files\Common Files\Aladdin Shared
2009-10-14 15:38 . 2008-11-21 16:09 -------- d-----w- c:\program files\GretagMacbeth
2009-10-13 14:10 . 2009-10-13 14:10 34 ----a-w- c:\windows\system32\BD5240.DAT
2009-10-13 14:00 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2009-10-13 13:56 . 2009-10-13 13:56 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-11 09:17 . 2008-12-12 14:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-17 19:35 . 2009-09-17 19:35 13312 ----a-w- c:\windows\system32\DIAGDLL64.DLL
2009-09-14 09:44 . 2009-10-15 17:52 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-12-10_15.18.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-12-10 21:28 43910 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-12-09 22:18 79836 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-12-10 21:28 79836 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-28 13:27 . 2009-12-10 21:28 10852 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-710243377-3777013803-3809824090-1000_UserData.bin
+ 2008-09-28 13:24 . 2009-12-11 13:28 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-28 13:24 . 2009-12-10 14:21 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-10 00:40 . 2009-12-11 13:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-10 00:40 . 2009-12-10 14:21 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-28 13:24 . 2009-12-11 13:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-28 13:24 . 2009-12-10 14:21 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-09 22:15 . 2009-12-09 22:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-10 21:24 . 2009-12-10 21:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-09 22:15 . 2009-12-09 22:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-10 21:24 . 2009-12-10 21:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-12-10 21:32 650192 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-12-09 22:23 650192 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-12-10 21:32 122690 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-12-09 22:23 122690 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020" [X]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe -hide" [X]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe -atboottime" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-10 29744]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\ProfileMaker Professional 5.0.5\CalibrationLoader.exe [2009-10-19 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2008-11-21 954368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-710243377-3777013803-3809824090-1000]
"EnableNotificationsRef"=dword:00000001
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2/20/2009 12:37 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2/20/2009 12:37 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2/20/2009 12:37 PM 53328]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 PDIHWCTL;PDIHWCTL;c:\windows\System32\drivers\pdihwctl.sys [11/21/2008 11:10 AM 14416]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [12/9/2009 2:55 PM 1153368]
R2 TabletServicePen;TabletServicePen;c:\windows\System32\Pen_Tablet.exe [10/24/2008 10:16 AM 3032360]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [11/17/2008 2:40 PM 3668480]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/10/2008 2:27 AM 29744]
S3 i1display;i1 Display;c:\windows\System32\drivers\i1display.sys [10/18/2007 3:35 PM 44344]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]
S3 Spyder2;ColorVision Spyder2;c:\windows\System32\drivers\Spyder2.sys [2/13/2007 5:16 PM 12288]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\System32\drivers\wacmoumonitor.sys [10/24/2008 10:16 AM 15144]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
FF - ProfilePath - c:\users\Lincoln\AppData\Roaming\Mozilla\Firefox\Profiles\nr2s7yry.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 11:46
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-12-11 11:51:58
ComboFix-quarantined-files.txt 2009-12-11 16:51
ComboFix2.txt 2009-12-10 22:37
ComboFix3.txt 2009-12-10 15:26
Pre-Run: 11,365,023,744 bytes free
Post-Run: 11,743,662,080 bytes free
- - End Of File - - A2D43A7F622A55A10A9C4ABF20A140A6