I have run every program there is and nothing turns up. The problems are: 1) Chrome redirects to garbage pages when I hit a sponsored link; 2) randomly I get the same two "audio pop-ups" and 3) Blinkx and other garbage pages open up by themselves.
I ran combofix and here is the read out. Please help me, thanks in advance.
ComboFix 11-06-30.02 - Joel 06/30/2011 12:34:43.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4060.1883 [GMT -5:00]
Running from: c:\users\Joel\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Kaspersky Anti-Virus *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Joel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antivirus Center.lnk
D:\install.exe
.
----- BITS: Possible infected sites -----
.
hxxp://ads1.msads.net
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))
.
.
2011-06-30 17:41 . 2011-06-30 17:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-30 17:29 . 2011-06-30 17:33 -------- d-----w- C:\32788R22FWJFW
2011-06-30 12:58 . 2011-06-30 17:32 -------- d-----w- c:\programdata\Lavasoft
2011-06-30 12:41 . 2011-06-30 12:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-30 12:41 . 2011-06-30 12:41 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-06-29 01:53 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-29 01:53 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-28 07:12 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{98D45A5E-3785-46B4-9223-4A022D60686F}\mpengine.dll
2011-06-27 15:26 . 2011-06-27 15:26 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-06-27 15:19 . 2011-06-30 17:27 -------- d-----w- c:\programdata\Symantec
2011-06-27 15:19 . 2011-06-30 17:27 -------- d-----w- c:\programdata\Norton
2011-06-27 13:18 . 2011-06-27 13:18 -------- d-----w- c:\windows\SysWow64\Adobe
2011-06-15 20:01 . 2010-12-20 16:59 847360 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-13 19:48 . 2011-06-13 19:48 -------- d-----w- c:\program files (x86)\Kaspersky Lab
2011-06-13 19:48 . 2011-06-30 15:41 -------- d-----w- c:\programdata\Kaspersky Lab
2011-06-13 19:44 . 2011-06-13 19:44 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-13 19:16 . 2011-06-13 19:16 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2011-06-12 14:08 . 2011-06-12 14:08 388096 ----a-r- c:\users\Joel\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-12 14:08 . 2011-06-12 14:08 -------- d-----w- c:\program files (x86)\Trend Micro
2011-06-07 11:56 . 2009-08-04 08:12 1103872 ----a-w- c:\windows\system32\webservices.dll
2011-06-07 11:56 . 2009-08-04 08:02 754688 ----a-w- c:\windows\SysWow64\webservices.dll
2011-06-01 18:36 . 2011-06-01 18:36 -------- d-----w- c:\program files\7-Zip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 00:14 . 2011-05-03 18:42 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-11 21:55 . 2011-05-16 14:33 45904 ----a-w- c:\windows\system32\sbbd.exe
2011-05-07 06:26 . 2009-04-09 05:07 525792 ----a-w- c:\windows\DIFxAPI.dll
2011-05-01 22:54 . 2011-05-01 22:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-04-29 19:15 . 2011-05-16 14:33 55384 ----a-w- c:\windows\system32\drivers\sbredrv.sys
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\SysWow64\GPhotos.scr
2011-04-06 23:26 . 2011-04-06 23:26 96544 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:26 . 2011-04-06 23:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 23:26 . 2011-04-06 23:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:26 . 2011-04-06 23:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-05-27 15147400]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\mzvkbd3.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-disabled]
"MDS_Menu"="c:\program files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe" "c:\program files (x86)\CyberLink\MediaShow4" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1"
"UpdatePDRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\program files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
"Acer Product Registration"="c:\program files (x86)\Acer\Acer Registration\ACE1.exe" /startup
"Acer Assist Launcher"="c:\program files (x86)\Acer\Acer Assist\launcher.exe"
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-28 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-28 135664]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-28 21:58]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-28 21:58]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-559202717-4041404406-1480227676-1000Core.job
- c:\users\Joel\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-28 21:56]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-559202717-4041404406-1480227676-1000UA.job
- c:\users\Joel\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-28 21:56]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 202264]
"Trigger New Acer AlaunchX"="c:\acer\Preload\Command\AlaunchX\AppInRun.exe" [2009-02-17 297984]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-21 7981088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... 2067793666
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... 2067793666
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1 213.109.66.189 213.109.77.61
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
HKLM-Run-mwlDaemon - c:\program files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
HKLM-Run-Setresolution - c:\acer\config\1600X900.cmd
HKLM-Run-MontiorGeo - c:\acer\MonitorGeo.cmd
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10s_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10s_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10s.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10s.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10s.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10s.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2011-06-30 12:47:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-30 17:47
.
Pre-Run: 103,626,002,432 bytes free
Post-Run: 104,313,344,000 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 6A995A058363B0C344EB18B70F57D731