Browser redirecting to scour.com, infomash, etc.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by klc237, Jul 8, 2012.

  1. klc237

    klc237 Private E-2

    Been a while since I've visited the site...haven't had issues until recently when I'm being redirected from yahoo and google to some random-sounding search engines like scour.com and infomash.com. Help would be greatly appreciated!
     
  2. klc237

    klc237 Private E-2

    Now with logs.

    Apologies for the "bump," I couldn't find a way to edit the original post.
     


  3. thisisu

    thisisu Malware Consultant

    Hello klc237 :)

    Rescan with HitmanPro, when it finds C:$VBR_625137345 - Rootkit, allow it to perform the recommended default action
    Leave any other detections alone (Ignore them).
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.
    After the computer has rebooted, run an additional scan with HitmanPro and attach its latest log.
     
  4. klc237

    klc237 Private E-2

    Hello, thisisu!

    Attached is the latest log. Thanks!
     


  5. thisisu

    thisisu Malware Consultant

    Re-scan with TDSSKiller with the parameters you used before.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)

    __

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know what problems remain after you have completed these steps.
     
  6. klc237

    klc237 Private E-2

    Still getting redirected. :(

    Logs are attached.
     


  7. thisisu

    thisisu Malware Consultant

    For x64 bit systems please download Listparts64
    Run the tool, click Scan and attach the log (Result.txt) it makes. (How to attach)
     
  8. klc237

    klc237 Private E-2

    Log attached.

    It listed a suspicious, hidden partition. I did not click "fix."

    I really appreciate all your help.
     


  9. thisisu

    thisisu Malware Consultant

    Yes it's a malware partition.

    __

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fix.txt
    • Save fix.txt to the same directory as ListParts64.exe
    • It must be in the same directory otherwise this fix will not work.

    Run ListParts64 and press the Fix button just once and wait.
    The tool will make a log (Result.txt) in the same directory the tool was run from.
    Please attach this to your next message. (How to attach)
     

    Attached Files:

    • fix.txt (25 bytes)
  10. klc237

    klc237 Private E-2

    Running the tool and selecting "Fix" did not create a file "Result.txt" but did create one named "PLfixlog.txt" so I attached both.

    After running the scan again, looks like it deleted the malicious partition.

    Still redirecting though. (Not trying to be snarky...I know malware gets its hooks in and can be difficult to completely remove. Looking forward to the next step)
     


  11. thisisu

    thisisu Malware Consultant

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the [IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  12. klc237

    klc237 Private E-2

    Scan done...log attached.
     

    Attached Files:

    • OTL.Txt (235.5 KB)
  13. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :otl
    O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files (x86)\SpywareGuard\dlprotect.dll ()
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Program Files (x86)\SpywareGuard\spywareguard.dll ()
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/07/15 20:07:53 | 000,000,044 | R--- | M] () - D:\Autorun.inf -- [ UDF ]
    O33 - MountPoints2\{025b3f21-79ea-11e1-8b9e-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{025b3f21-79ea-11e1-8b9e-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Launch.exe -- [2007/12/18 05:29:19 | 004,657,152 | R--- | M] (Macrovision Corporation)
    O33 - MountPoints2\{85eaa090-35cc-11e1-a4bc-005056c00008}\Shell - "" = AutoRun
    O33 - MountPoints2\{85eaa090-35cc-11e1-a4bc-005056c00008}\Shell\AutoRun\command - "" = F:\setup.exe -a
    O33 - MountPoints2\{c0f06164-8541-11e1-a551-005056c00008}\Shell - "" = AutoRun
    O33 - MountPoints2\{c0f06164-8541-11e1-a551-005056c00008}\Shell\AutoRun\command - "" = G:\setup.exe -a
    [2012/07/09 22:07:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpywareGuard
    [2012/07/09 22:07:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareGuard
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    @Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:0B4227B4
    [2011/11/24 11:44:06 | 000,001,945 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\o7v9l39u.default\searchplugins\bing-zugo.xml
    [1832/11/28 23:30:07 | 000,004,819 | ---- | M] () (No name found) -- C:\USERS\OWNER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\O7V9L39U.DEFAULT\EXTENSIONS\KKZJQJIBGC@KKZJQJIBGC.ORG.XPI
    [2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml.old
    O4 - Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files (x86)\SpywareGuard\sgmain.exe
    :files
    C:\Users\Owner\AppData\Local\Temp\CcJ6nQR3.flv.part
    C:\Program Files (x86)\SpywareGuard /d
    ipconfig /flushdns /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the [IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Let me know if the problem is still occurring after completing the above.
     
  14. thisisu

    thisisu Malware Consultant

    If you are still getting redirected after running the above, let me know which browsers you experience redirects in. Is it only one of them or all of them?
     
  15. klc237

    klc237 Private E-2

    Log attached.
     


  16. klc237

    klc237 Private E-2

    No more redirects!

    I'm using firefox 13.0.1.
     
  17. thisisu

    thisisu Malware Consultant

    Nice ;)

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  18. klc237

    klc237 Private E-2

    If you ever feel inclined, I'd love a detailed (within reason) description of the tools used and actions taken in a PM.

    I have a BS in Computer Science and am a bit of a tech geek. Unfortunately, my job is IT management so I don't get to get down into the weeds as much as I'd like.
     
  19. thisisu

    thisisu Malware Consultant

    I'll try to but you will have to wait a bit as the forums are quite busy these days and others need help with their infected computers.
     
  20. klc237

    klc237 Private E-2

    No problem...You guys do look very busy so I wouldn't expect a request for info to take precedence over serious issues.

    Thanks again!
     
