I had the same problem as Squid.
His thread can be found at: http://www.malwarebytes.org/forums/index.php?showtopic=13965
My symptoms were also:
-Google Redirecting to Ad Sites
-Websites not loading and giving a blank white screen - McAfee, ComboFix
-Programs crashing (Internet Explorer)
-MBAM crashing when I would try to update it.
I ran the latest version of Malwarebytes and nothing was detected. I had to do a manual update to update the database to the latest version.
I followed the instructions from this post:
http://www.malwarebytes.org/forums/index.php?showtopic=13967
and ran combofix and posted the log below.
-Google is no longer Redirecting to Ad Sites
-Websites are now loading and not giving a blank white screen - McAfee, ComboFix
-MBAM no longer crashing when I try to update it.
Is there anything else I should delete based off of the ComboFix log below?
Thank you all in advance.
-gs
-------------------------------------------------------------------------------------------
ComboFix 09-04-12.03 - UserGS 2009-04-12 10:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1262.694 [GMT -7:00]
Running from: c:\documents and settings\UserGS\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\UserGS\LOCALS~1\xykrve.gjn
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\Temp
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll
c:\windows\Tasks\nlzsguvg.job
c:\windows\wiaserviv.log
----- BITS: Possible infected sites -----
hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.
2009-04-04 19:09 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 19:09 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 19:09 . 2009-04-04 23:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 05:09 . 2006-12-28 00:01 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-12 04:37 . 2008-12-15 05:24 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 02:23 . 2007-03-31 23:02 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-05 00:02 . 2005-08-21 20:27 -------- d-----w c:\program files\Java
2009-03-09 12:19 . 2008-12-30 17:08 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 20:02 . 2007-07-07 18:07 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-23 03:42 . 2009-02-23 03:42 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-23 03:38 . 2008-02-08 20:10 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-23 03:37 . 2008-02-08 20:10 -------- d-----w c:\program files\Common Files\Intuit
2009-02-23 03:34 . 2008-02-08 20:05 -------- d-----w c:\program files\TurboTax
2009-02-21 03:16 . 2009-01-31 06:52 -------- d-----w c:\program files\VirtualDJ
2009-02-18 08:07 . 2009-02-18 08:06 -------- d-----w c:\documents and settings\UserGS\Application Data\Mask Pro 4.0
2009-02-18 08:03 . 2009-02-15 16:52 -------- d-----w c:\program files\onOne Software
2009-02-18 08:03 . 2005-03-25 22:44 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-15 16:59 . 2009-02-15 16:59 830 ----a-w C:\OnOneErrorLog.txt
2009-02-15 16:53 . 2009-02-15 16:53 -------- d-----w c:\documents and settings\UserGS\Application Data\onOne Software
2009-02-15 16:52 . 2009-02-15 16:52 -------- d-----w c:\documents and settings\All Users\Application Data\onOne Software
2009-02-09 10:19 . 2004-08-12 14:09 1846272 ----a-w c:\windows\system32\win32k.sys
2007-09-25 02:41 . 2006-12-13 10:38 3553 ----a-w c:\documents and settings\UserGS\Application Data\SAS7_000.DAT
2007-08-20 02:12 . 2007-08-18 19:19 61 ----a-w c:\documents and settings\UserGS\Application Data\LSV6.dat
2005-05-02 17:59 . 2005-05-02 17:59 45 --s---w c:\program files\Common Files\lariat.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-22 507904]
"BatteryBar"="c:\program files\batterybar\batterybar.exe" [2002-07-05 622592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GoBoingo"="c:\program files\Boingo\GoBoingo\GoBoingo.lnk" [2009-04-12 2155]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-18 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Hercules DJ Series"="c:\program files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe" [2008-12-08 484648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
c:\documents and settings\UserGS\Start Menu\Programs\Startup\
SpeechMike Control Application.lnk - c:\program files\Philips Speech\SpeechMike\Mikeapp.exe [2005-03-30 237568]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-09-25 3581680]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-07-27 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
BTTray.lnk - c:\program files\MSI\Bluetooth Software\BTTray.exe [2004-03-31 507965]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-03-25 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pkrbas.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"pspctrlc"= pspusbct.dll
"vidc.XVID"= xvid.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^UserGS^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
path=c:\documents and settings\UserGS\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
backup=c:\windows\pss\Dragon NaturallySpeaking.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadStudio]
--a------ 2005-05-12 13:22 139264 c:\internet\DownloadStudio\DownloadStudioScheduleMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 15:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 19:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 10:09 49152 c:\program files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2005-09-25 18:11 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 16:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-10-18 08:49 214560 c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 21:57 30208 c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-18 08:49 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VC6Player]
--a------ 2004-05-10 06:55 237568 c:\program files\HHVcdV6Sys\VC6Play.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PspUsbCf]
--------- 2003-10-01 13:23 65536 c:\windows\system32\pspusbcf.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--a------ 2005-07-28 18:43 331776 c:\windows\system32\WDBtnMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\MSOCache\\MRI_CD\\SERVER32.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Internet\\RealVNC4\\winvnc4.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\ntvdm.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Internet\\CuteFTP 8 Professional\\ftpte.exe"=
"c:\\Internet\\Trillian\\trillian.exe"=
"c:\\Internet\\mIRC\\mirc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Internet\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6667:TCP"= 6667:TCP:6667
"6667:UDP"= 6667:UDP:6667
R3 Bulk;HDJBulk;c:\windows\system32\Drivers\HDJBulk.sys [2008-12-09 83328]
R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2007-10-01 10624]
R3 HDJAsioK;HDJAsioK;c:\windows\system32\Drivers\HDJAsioK.sys [2008-12-09 132608]
R3 HDJMidi;Hercules DJ Console Mk2 MIDI;c:\windows\system32\DRIVERS\HDJMidi.sys [2008-12-05 95872]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [2007-10-01 27008]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Mydeskie#Y]
\Shell\AutoRun\command - Z:\atlas3.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
2009-04-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 21:18]
2009-04-12 c:\windows\Tasks\User_Feed_Synchronization-{00481E23-3B2B-4012-92E2-ECD428C074E5}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-DRL Sheduler - c:\internet\All-in-One Submission 8.0\Scheduler.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1173074343\ee\AOLSoftware.exe
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Zone Labs Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &List Stylesheets - c:\windows\Web\CSS_Stylesheets.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
IE: MasterCook: Select Image - c:\cooking\MasterCook 8\Web\MCIEContext.hta
IE: Send To &Bluetooth - c:\program files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{ffcd98a0-9e1a-11d5-aa62-e2dcf03ff459} - c:\windows\Web\CSS_Stylesheets.html
IE: {{81E75079-39AE-11D4-BAE1-9ACDF973F856} - {617FA36D-39AC-11D4-BAE1-9ACDF973F856} - c:\windows\SYSTEM32\Shdocvw.dll
Trusted Zone: turbotax.com
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 10:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-823518204-507921405-854245398-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9e,66,2d,9c,9b,d8,83,f0,7b,28,dc,dd,ca,94,99,17,eb,83,a9,6d,c4,49,54,
22,4c,33,8a,db,48,ce,5f,97,ee,a8,73,b7,b4,0f,22,cd,f8,2c,27,64,90,ff,0a,6d,\
"??"=hex:1f,52,d1,fe,ad,6a,89,18,d7,c5,2b,55,f5,2d,ed,65
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2604)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\Common Files\Stardock\MCPCore.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\MSI\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\Crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Retrospect\retrorun.exe
c:\windows\system32\java.exe
c:\program files\Retrospect\wdsvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\program files\HHVcdV6Sys\VC6SecS.exe
c:\internet\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Boingo\GoBoingo\GoBoingo.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\graphics\SnagIt 7\SnagIt32.exe
c:\program files\iPod\bin\iPodService.exe
c:\graphics\SnagIt 7\TSCHelp.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-04-12 11:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-12 18:02
Pre-Run: 1,860,874,240 bytes free
Post-Run: 2,074,460,160 bytes free
255 --- E O F --- 2009-03-15 17:44
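The question in the post is which of the remaining entries still deserve attention. A ComboFix log is plain text with a regular layout (section titles wrapped in parentheses or dashes, a REGEDIT4-style dump of autostart keys), so the items a responder re-checks can be pulled out mechanically. The script below is an added example, written for this page; it is not the poster's work and not part of ComboFix or Malwarebytes. Its parsing rules are assumptions about the layout as it appears in the log above, and the embedded sample is an excerpt copied from that log. It flags the things a helper would ask about in reply: files deleted from system32 or the Tasks folder, the BITS download source, the non-empty AppInit_DLLs value (pkrbas.dll, still listed after the run), the firewall ports open to every remote host, and the AutoRun command tied to a mount point. "review" means a human decides, not that the item is malicious: port 6667 is the IRC port and mirc.exe is in the authorized-applications list, so that rule may well be the user's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the ComboFix log in the post
# above, trimmed to the sections this parser reads.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\UserGS\LOCALS~1\xykrve.gjn
c:\windows\system32\lsprst7.dll
c:\windows\Tasks\nlzsguvg.job
----- BITS: Possible infected sites -----
hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pkrbas.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Internet\\mIRC\\mirc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6667:TCP"= 6667:TCP:6667
"6667:UDP"= 6667:UDP:6667
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Mydeskie#Y]
\Shell\AutoRun\command - Z:\atlas3.exe
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")        # ((( Title )))
SUBSECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")  # --- Title ---
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')           # "name"=data


def split_sections(text):
    """Map each ComboFix section title to its body lines ('.' spacers dropped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line) or SUBSECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry(lines):
    """Group the lines under each [key] header of the Reg Loading Points dump."""
    keys, current = {}, None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
        elif current is not None:
            keys[current].append(line)
    return keys


@dataclass
class Finding:
    severity: str   # "review" = needs a human decision, "info" = context only
    what: str
    evidence: str


def triage(text):
    """Return the findings a responder should re-check after the ComboFix run."""
    sections = split_sections(text)
    findings = []
    for path in sections.get("Other Deletions", []):
        if re.search(r"\\(system32|tasks)\\", path, re.I):
            findings.append(Finding("review", "Deleted from a system location; confirm it was not a legitimate file", path))
        else:
            findings.append(Finding("info", "Deleted", path))
    for site in sections.get("BITS: Possible infected sites", []):
        findings.append(Finding("info", "BITS job download source", site))
    for key, entries in parse_registry(sections.get("Reg Loading Points", [])).items():
        k = key.lower()
        for entry in entries:
            m = VALUE_RE.match(entry)
            if (k.endswith(r"\windows nt\currentversion\windows") and m
                    and m.group(1).lower() == "appinit_dlls" and m.group(2).strip()):
                # Anything listed here is loaded into every process that maps user32.dll.
                findings.append(Finding("review", "AppInit_DLLs is set", m.group(2).strip()))
            elif k.endswith(r"\globallyopenports\list") and m:
                findings.append(Finding("review", "Firewall port open to all remote hosts", m.group(1)))
            elif k.endswith(r"\authorizedapplications\list") and m:
                findings.append(Finding("info", "Firewall-authorized application", m.group(1)))
            elif "\\mountpoints2\\" in k and "autorun" in entry.lower():
                findings.append(Finding("review", "AutoRun command on a mount point", f"{key}: {entry}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.what}: {f.evidence}")
```

Run it against a full saved log (`triage(open("ComboFix.txt").read())`) and it prints one line per finding; the "info" lines give the context needed to judge the "review" ones, for instance matching the open 6667 ports against the authorized mirc.exe entry, or checking whether a deleted system32 DLL belonged to software the user knows they installed.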