I think I have malware


skeptikaltruth

Distinguished
Jun 7, 2010
Once again, I turn to the good people of TomsHardware for help. I think my computer has malware but I am unable to find it.

When I search on Yahoo or Google, almost every link brings me to an incorrect site, mostly spammy sites. It does this on both Mozilla Firefox and Internet Explorer.

I tried scanning with MalwareBytes, AVG, Spyware Terminator and CCleaner. Nothing has come up.

I'm not sure how to fix my problem. I'm worried that these links have downloaded additional malware and/or viruses which are also not coming up. I hope my programs haven't been compromised.

I have Windows XP SP2.

Thanks in advance for any and all help!
 

Pyree

Distinguished
Moderator
It looks like there is a very tough-to-remove piece of malware redirecting all your traffic with the hosts entry. The root of the problem is still the malware. Unfortunately I do not have a better idea on how to remove malware than what the other posts have already suggested. I am sorry, but that is the best I can do apart from suggesting a fresh installation of Windows. Maybe someone with more knowledge can guide you to get rid of the malware. :(
 

skeptikaltruth

Distinguished
Jun 7, 2010
That's the conclusion I was starting to come to about the malware and you just verified it for me. I'll give it a few more days and hopefully someone else from TH can help me. I've made progress with clearing out some of the more malicious stuff. It seems to just be the hijacking that I need to be concerned about, I think.

Thank you so much for your time and effort; I really appreciate it. You've already taught me a few things which will not be forgotten.

By the way, Happy National Day!

Edit: Nikorr, thank you, I didn't realize I could do that. By boot drive, I assume you mean the main drive (C:/). I am scanning it now. However, it is almost 5 in the morning my time and I need to finally get some sleep. I will leave the scan to run and I will let you know the progress when I wake up. Wish me luck!
 

Pyree

Distinguished
Moderator
Although I am not currently in Taiwan but in Australia, I thank you, skeptikaltruth. 10-10-2011 is truly a day for free Chinese to celebrate, as it marks the overthrowing of the old imperial government and the establishment of the new democratic Republic of China, also the birthplace of Republic of Gamers (geek talk)!!
 

nikorr

Distinguished
Moderator

Good luck! 2AM here
Fingers crossed
 

skeptikaltruth

Distinguished
Jun 7, 2010
Pyree, you're very welcome. I am not Chinese but I have nothing but respect for Chinese culture. My daughter is also half Chinese, so I have learned a great deal about the culture through her grandparents. Even though I am not with my daughter's mother anymore, I still follow many traditions. In fact, I will be giving my daughter's grandparents a red envelope with 8 quarters and a moon cake with 2 yolks. I love moon cakes!

Back to business, Nikorr, I have scanned my entire C drive (it's the only one I have) and it found just one error. It is a malware file for a program that I downloaded from Cnet. However, being that I never actually installed the program yet, it can't be the problem. I deleted the file anyway and my searches are still being hijacked.

Aford, for obvious reasons, I will try the easiest one first. Here is the log from HijackThis. If this does not help, I will try the AVG rescue disk and then removing the hard drive if need be.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:06:50 PM, on 10/6/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\issc\IS89C35\wwu.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbsecsvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [BCU] "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WWU.lnk = C:\Program Files\issc\IS89C35\wwu.exe
O8 - Extra context menu item: Add to AVI Converter... - C:\Program Files\MP3 Player Utilities 5.09\AVIConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280098937265
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: wbsecsvc - Integrated System Solution Corp. - C:\WINDOWS\system32\wbsecsvc.exe

--
End of file - 6543 bytes


Thanks again everyone!
 
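Pyree's post points at a hosts-file entry and the log above carries the other places HijackThis reports redirect mechanisms (the R1 ProxyServer line, O1 hosts lines, O17 DNS overrides, and "(file missing)" entries). The script below is an added example for checking those offline; it is not from this thread or from HijackThis. The sample hosts file and the O1/O17 lines in SAMPLE_LOG are constructed for illustration (192.0.2.x addresses and an all-zero GUID are placeholders); the R1 and O20 lines are copied from the log posted above.

```python
# Added example: offline triage of the redirect mechanisms discussed in this
# thread (hosts-file entries, proxy settings, DNS overrides, dead entries).
# Not from the thread. The sample hosts file and the O1/O17 log lines below
# are constructed for illustration; the R1 and O20 lines come from the log.
import re

# Hostnames that have no business in a home PC's hosts file: malware commonly
# pins search engines to a spam server and AV/update sites to 127.0.0.1.
WATCHED = ("google.", "yahoo.", "bing.", "microsoft.", "avg.", "malwarebytes.", "eset.")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def suspicious_hosts_entries(text):
    """Flag hosts entries that block or redirect a watched domain.

    Returns (kind, ip, hostname): 'redirect' when the target is not loopback
    (traffic is sent somewhere else), 'block' when it is loopback (the site
    silently stops working, e.g. an AV update server).
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if not any(tag in name for tag in WATCHED):
            continue
        kind = "block" if ip in LOOPBACK else "redirect"
        flagged.append((kind, ip, name))
    return flagged


def triage_hijackthis(log_text):
    """Map HijackThis lines to the redirect mechanism they would indicate.

    R1 ProxyServer: non-empty -> browser traffic goes through a proxy.
    O1:  hosts-file redirect (HijackThis parses the hosts file for you).
    O17: per-interface DNS/NameServer override in the registry.
    '(file missing)': the referenced file is gone, so the entry is dead;
    safe to remove, but it cannot be what is actively redirecting searches.
    """
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            # "http=" with nothing after it (as in this thread's log) is no proxy
            live = [p for p in value.split(";") if p.split("=", 1)[-1].strip()]
            if live:
                findings.append(("proxy", line))
        elif code == "O1":
            findings.append(("hosts-redirect", line))
        elif code == "O17":
            findings.append(("dns-override", line))
        elif "(file missing)" in body:
            findings.append(("dead-entry", line))
    return findings


# Constructed sample hosts file: two normal entries plus two hijacks.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net                   # ad-blocking entry, harmless
192.0.2.10      www.google.com search.yahoo.com   # constructed redirect
127.0.0.1       update.avg.com                    # constructed block
"""

# Two lines from the log posted in this thread plus two constructed ones.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O1 - Hosts: 192.0.2.10 www.google.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    for item in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts:", *item)
    for kind, line in triage_hijackthis(SAMPLE_LOG):
        print(f"{kind:15} {line}")
```

On the real machine, feed it the contents of C:\WINDOWS\system32\drivers\etc\hosts and the saved HijackThis log. Note that the log in this thread has an empty ProxyServer value, no O1 lines and no O17 lines, so none of the mechanisms this script checks for is visible in it; a redirect that survives those checks is more likely coming from the router's DNS settings or from something running below the level HijackThis sees.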

aford10

Distinguished
I would remove the following. The last 2 entries are likely the cause of your browser redirects.

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

skeptikaltruth

Distinguished
Jun 7, 2010
Nope, still being hijacked.

Not sure if it's related but right after I removed those 3 entries, I lost my internet connection (on two different computers) and had to restart my internet provider box. The other one now can't connect to Facebook for some reason.
 

aford10

Distinguished
Removing local files wouldn't have any effect on a 2nd computer. And if restarting the router fixed the issue, then it was hardware/connection related.

One more time, try booting into safe mode with networking. Uninstall ComboFix. Reinstall ComboFix. Then run ComboFix.