I get redirected after clicking a link from google.

Post by boodude186 » January 5th, 2012, 1:28 pm

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Run by wartorn at 13:05:48 on 2012-01-05
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3328.2466 [GMT -5:00]
.
AV: Immunet 3.0 *Enabled/Updated* {065276D9-6EBF-968C-B5ED-7B8B1DCF4059}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Immunet\3.0.5\agent.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
C:\Windows\Explorer.EXE
C:\Program Files\Immunet\3.0.5\iptray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z006&form=ZGAPHP
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Immunet Protect] "c:\program files\immunet\3.0.5\iptray.exe"
dRun: [winupd] c:\windows\TEMP:winupd.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_Plugin.exe -update plugin
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
TCP: Interfaces\{65EB6294-79D0-4A7E-945D-DCBF3E2F4212} : NameServer = 24.247.15.53,66.189.0.100,24.178.162.3
TCP: Interfaces\{65EB6294-79D0-4A7E-945D-DCBF3E2F4212} : DhcpNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
TCP: Interfaces\{80241D6A-7AB9-470A-AEE9-4472A346D03C} : DhcpNameServer = 24.247.15.53 24.247.24.53 68.115.71.53
TCP: Interfaces\{F0EB41F8-E0DA-43C8-9A7D-BFD31E8BE52B} : DhcpNameServer = 24.247.15.53 24.247.24.53 68.115.71.53
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{72b90932-6338-4345-9fc4-4f94984ed241}\components\FFExternalAlert.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{72b90932-6338-4345-9fc4-4f94984ed241}\components\RadioWMPCore.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko5.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko6.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko7.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko8.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko9.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\engine@conduit.com\components\FFExternalAlert.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(yahoo.homepage.dontask, true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [2011-12-14 50976]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [2011-12-14 34080]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-6-11 20968]
R2 ImmunetProtect;Immunet 3.0;c:\program files\immunet\3.0.5\agent.exe [2011-12-14 776008]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2011-12-14 1514304]
R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\drivers\WMP54Gv41x86.sys [2010-4-7 376160]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2011-12-12 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-12-29 1153368]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2009-7-13 20992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-15 1343400]
.
=============== Created Last 30 ================
.
2012-01-05 16:08:20 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-01-05 14:26:37 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2012-01-05 14:26:37 21312 ----a-w- c:\windows\system32\authuitu.dll
2012-01-05 14:25:53 -------- d-----w- c:\users\wartorn\appdata\roaming\TuneUp Software
2012-01-05 14:25:41 -------- d-----w- c:\program files\TuneUp Utilities 2012
2012-01-05 14:24:19 -------- d-----w- c:\programdata\TuneUp Software
2012-01-05 14:23:41 -------- d-sh--w- c:\programdata\{32364CEA-7855-4A3C-B674-53D8E9B97936}
2011-12-31 09:28:58 -------- d-----w- c:\users\wartorn\appdata\local\TransMac
2011-12-31 09:28:57 -------- d-----w- c:\program files\TransMac
2011-12-31 02:21:14 -------- d-----w- c:\program files\LinuxLive USB Creator
2011-12-30 02:29:14 -------- d-----w- c:\users\wartorn\appdata\roaming\SUPERAntiSpyware.com
2011-12-30 02:29:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-30 01:49:18 300544 ----a-w- c:\users\wartorn\appdata\local\kgs.exe
2011-12-29 17:28:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-29 17:28:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-29 09:43:06 -------- d-----w- c:\programdata\PC Tools
2011-12-29 09:38:30 -------- d-----w- c:\users\wartorn\appdata\roaming\GetRightToGo
2011-12-27 09:24:52 -------- d-----w- C:\Perfect World Entertainment
2011-12-27 08:14:03 -------- d-----w- c:\program files\Pando Networks
2011-12-25 11:59:45 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{82e9111f-22c7-44b5-87a2-9a4d41ddf025}\mpengine.dll
2011-12-22 19:49:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-21 00:12:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-21 00:12:15 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-21 00:12:15 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-21 00:12:15 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-21 00:12:15 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-21 00:12:15 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-21 00:12:15 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-21 00:12:15 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-20 07:24:06 -------- d-----w- c:\users\wartorn\appdata\local\Chromium
2011-12-20 07:22:26 -------- d-----w- c:\users\wartorn\appdata\roaming\GiftBoxPlus
2011-12-20 07:22:18 -------- d-----w- c:\program files\GiftBoxPlus
2011-12-20 00:41:45 -------- d-----w- c:\users\wartorn\.swt
2011-12-20 00:41:40 -------- d-----w- c:\users\wartorn\appdata\roaming\Azureus
2011-12-20 00:39:28 -------- d-----w- c:\users\wartorn\appdata\local\Conduit
2011-12-19 23:17:56 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-12-19 23:11:55 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-12-19 22:39:03 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 22:39:01 860672 ----a-w- c:\program files\internet explorer\iedvtool.dll
2011-12-19 22:33:06 417792 ----a-w- c:\windows\system32\msdri.dll
2011-12-19 22:32:02 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-12-19 22:32:02 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-12-19 22:31:27 541184 ----a-w- c:\windows\system32\kerberos.dll
2011-12-19 22:31:23 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-12-19 22:31:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-12-19 22:31:00 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-12-19 22:30:55 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-12-19 22:30:36 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-19 22:30:13 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-12-19 22:30:13 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-12-19 22:30:13 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-12-19 22:30:04 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-12-19 22:30:04 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-12-19 22:29:59 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-19 22:29:52 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-12-19 22:29:52 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-12-19 22:29:52 59904 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-12-19 22:29:52 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-12-19 22:29:52 204288 ----a-w- c:\windows\system32\MSNP.ax
2011-12-19 22:29:34 516096 ----a-w- c:\program files\windows mail\wab.exe
2011-12-19 22:29:30 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-12-19 22:29:19 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 22:29:10 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-12-19 22:28:54 109056 ----a-w- c:\windows\system32\t2embed.dll
2011-12-19 22:28:45 1401856 ----a-w- c:\windows\system32\mssrch.dll
2011-12-19 22:28:44 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-12-19 22:28:44 428032 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-12-19 22:28:44 1553920 ----a-w- c:\windows\system32\tquery.dll
2011-12-19 22:28:43 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-12-19 22:28:43 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-12-19 22:28:43 337408 ----a-w- c:\windows\system32\mssph.dll
2011-12-19 22:28:43 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-12-19 22:28:43 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-12-19 22:28:03 224256 ----a-w- c:\windows\system32\schannel.dll
2011-12-19 22:26:49 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-12-19 22:26:48 850432 ----a-w- c:\windows\system32\sbe.dll
2011-12-19 22:26:47 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-12-19 22:25:40 1289536 ----a-w- c:\windows\system32\ntdll.dll
2011-12-19 22:25:32 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-19 22:25:26 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-12-19 22:25:09 204288 ----a-w- c:\windows\system32\upnp.dll
2011-12-19 22:25:08 1389568 ----a-w- c:\windows\system32\msxml6.dll
2011-12-19 22:25:07 1236992 ----a-w- c:\windows\system32\msxml3.dll
2011-12-19 22:25:06 80384 ----a-w- c:\windows\system32\davclnt.dll
2011-12-19 22:25:06 350720 ----a-w- c:\windows\system32\winhttp.dll
2011-12-19 22:25:06 204800 ----a-w- c:\windows\system32\WebClnt.dll
2011-12-19 22:25:05 73728 ----a-w- c:\windows\system32\wscsvc.dll
2011-12-19 22:25:05 51200 ----a-w- c:\windows\system32\wscapi.dll
2011-12-19 22:25:05 14336 ----a-w- c:\windows\system32\slwga.dll
2011-12-19 22:24:55 164864 ----a-w- c:\program files\windows media player\wmplayer.exe
2011-12-19 22:24:54 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2011-12-19 22:24:50 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-12-19 22:24:46 2614784 ----a-w- c:\windows\explorer.exe
2011-12-19 22:24:43 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-19 22:24:37 314368 ----a-w- c:\windows\system32\webio.dll
2011-12-19 22:21:48 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-12-19 22:21:48 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
2011-12-19 22:21:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-12-19 22:21:47 801792 ----a-w- c:\windows\system32\FntCache.dll
2011-12-19 22:21:47 3181568 ----a-w- c:\windows\system32\mf.dll
2011-12-19 22:21:45 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-12-19 22:21:45 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-12-19 22:21:45 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2011-12-19 22:21:45 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
2011-12-19 22:21:44 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-12-19 22:19:52 3957104 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-19 22:19:52 3901808 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-19 22:18:52 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-12-19 22:18:48 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-12-19 22:16:51 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-12-19 22:16:50 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-12-19 22:16:41 168448 ----a-w- c:\windows\system32\srvsvc.dll
2011-12-19 22:16:33 81920 ----a-w- c:\windows\system32\odbccr32.dll
2011-12-19 22:16:33 319488 ----a-w- c:\windows\system32\odbcjt32.dll
2011-12-19 22:16:33 122880 ----a-w- c:\windows\system32\odbccp32.dll
2011-12-19 22:16:32 94208 ----a-w- c:\program files\common files\system\ole db\msdaosp.dll
2011-12-19 22:16:32 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-12-19 22:16:31 163840 ----a-w- c:\windows\system32\odbctrac.dll
2011-12-19 22:16:08 4247040 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2011-12-19 22:16:07 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-12-19 22:15:42 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-12-19 22:15:42 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-12-19 22:15:26 738816 ----a-w- c:\windows\system32\wmpmde.dll
2011-12-19 22:14:06 101760 ----a-w- c:\windows\system32\consent.exe
2011-12-19 22:10:33 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2011-12-19 22:10:14 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-12-19 22:06:41 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-12-19 22:06:36 759296 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
2011-12-19 22:05:50 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-12-19 22:05:49 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-12-19 22:05:49 107520 ----a-w- c:\windows\system32\cdd.dll
2011-12-19 22:04:00 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-12-14 23:24:34 -------- d-----w- c:\windows\.jagex_cache_32
2011-12-14 22:18:44 -------- d-----w- c:\users\wartorn\appdata\local\Immunet
2011-12-14 22:18:44 -------- d-----w- c:\programdata\Immunet
2011-12-14 22:18:27 34080 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys
2011-12-14 22:18:24 50976 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys
2011-12-14 22:18:20 304712 ----a-w- c:\windows\system32\drivers\Trufos.sys
2011-12-14 22:18:17 -------- d-----w- c:\program files\Immunet
.
==================== Find3M ====================
.
2011-11-05 04:34:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 03:28:41 386048 ----a-w- c:\windows\system32\html.iec
2011-11-05 02:55:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD16 rev.02.0 -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x90E67EA0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x82E55458] -> \Device\Harddisk0\DR0[0x86A795F8]
3 CLASSPNP[0x8BF9659E] -> ntkrnlpa!IofCallDriver[0x82E55458] -> [0x86D45BF8]
\Driver\00000440[0x86D45D30] -> IRP_MJ_CREATE -> 0x90E67EA0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000064 -> \??\SCSI#Disk&Ven_WDC_WD16&Prod_00JS-00MHB0#4&137cd3ca&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 312579693 (+7): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:07:22.73 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 6/11/2010 9:43:55 PM
System Uptime: 1/5/2012 12:57:30 PM (1 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | M57SLI-S4
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket M2 | 2200/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 108.849 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASDIFSV
Device ID: ROOT\LEGACY_SASDIFSV\0000
Manufacturer:
Name: SASDIFSV
PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
Service: SASDIFSV
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASKUTIL
Device ID: ROOT\LEGACY_SASKUTIL\0000
Manufacturer:
Name: SASKUTIL
PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
Service: SASKUTIL
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.0
Apple Software Update
Call of Duty(R) 4 - Modern Warfare(TM) 1.1 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CCleaner
CPUID CPU-Z 1.54
GiftBox+
ImgBurn
Immunet 3.0
Java Auto Updater
Java(TM) 6 Update 21
League of Legends
LinuxLive USB Creator
Microsoft .NET Framework 4 Client Profile
Mozilla Firefox 8.0.1 (x86 en-US)
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
SpeechRedist
Spybot - Search & Destroy
System Requirements Lab
TransMac version 10.2
TuneUp Utilities 2012
TuneUp Utilities Language Pack (en-US)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
VS10RuntimeWin32
War of the Immortals
.
==== Event Viewer Messages From Past Week ========
.
12/31/2011 3:50:44 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070420'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7034] - The Windows Update service terminated unexpectedly. It has done this 2 time(s).
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 6:01:36 AM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
12/30/2011 2:10:45 AM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/29/2011 9:19:29 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
12/29/2011 9:19:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
12/29/2011 9:19:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/29/2011 9:19:20 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/29/2011 9:19:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
12/29/2011 9:18:54 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ImmunetProtectDriver ImmunetSelfProtectDriver spldr TfFsMon TfSysMon Wanarpv6
12/29/2011 9:18:53 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
12/29/2011 4:48:55 AM, Error: Service Control Manager [7030] - The ThreatFire service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
12/29/2011 11:54:47 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
12/29/2011 11:54:38 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
12/29/2011 10:23:14 PM, Error: Service Control Manager [7034] - The Sendori service terminated unexpectedly. It has done this 1 time(s).
1/5/2012 12:59:11 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL TfFsMon TfSysMon
1/5/2012 12:59:08 PM, Error: Service Control Manager [7023] - The SPService service terminated with the following error: The specified module could not be found.
1/5/2012 12:58:55 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
1/5/2012 12:58:55 PM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
1/5/2012 12:58:55 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
1/5/2012 12:58:50 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
1/5/2012 12:16:57 PM, Error: Service Control Manager [7023] - The SPP Notification Service service terminated with the following error: Access is denied.
1/5/2012 1:03:17 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/5/2012 1:03:17 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070422'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
1/4/2012 2:48:35 AM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
1/4/2012 2:46:36 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TfSysMon
.
==== End Of File ===========================


I hope that's all you need. Thanks!

I edited the post with a new log; I had a P2P file. Sorry about that. I also cleaned up older programs: I bought the PC used, so I am not really sure which programs I need and which ones I don't.
boodude186
Active Member
 
Posts: 3
Joined: January 5th, 2012, 1:22 pm

Re: I get redirected after clicking a link from google.

Unread postby Gary R » January 6th, 2012, 3:20 am

Looking over your log, back soon.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: I get redirected after clicking a link from google.

Unread postby Gary R » January 6th, 2012, 3:42 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "malware removal" forum and wait for help.


Unless I am informed in advance, failure to post replies within 3 days will result in this thread being closed.


Hi boodude186

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

I'd also recommend that you create a System Restore Point that we can restore to if necessary.

  • Click Start, and type Create a restore point into the Search programs and files box.
  • Now click on the Create a restore point icon at the top of the find list.
  • This will open a System Properties box, with the System Protection tab open ...
    • Click on the Create button in the lower part of the window.
    • Type Pre Malware Cleanup into the description box, then click Create.
    • Windows will now create a Restore Point and notify you when finished.
    • Exit any open windows.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
  • As you're using Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator
If you can do these things, everything should go smoothly.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Your logs show you have a very infected machine, including a rootkit infection known as Zero Access. Some versions of this infection are very difficult to remove, and it is possible that your computer may not be able to connect to the Internet after we attempt to remove it.

If that happens we will make all efforts to restore your connection, but cannot guarantee that you will not have to reformat your hard drive and re-install Windows to get connectivity back.

As I've already stated above, I strongly recommend that you back up your personal files and folders before proceeding further.

If you decide to proceed .....

Download ComboFix from one of these locations and save it to your Desktop: (if you already have a copy of Combofix, delete it and use this version)

Link 1
Link 2

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image

Once Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply. ......... (it can also be found at C:\ComboFix.txt)

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
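Gary R calls the infection "Zero Access" from the logs alone, and the indicators he is reading are visible in the thread: the user's DDS event log shows the security tools' drivers (Immunet, ThreatFire, SUPERAntiSpyware) failing to load at boot (SCM event 7026), services whose BFE or wscsvc dependency "might not be installed" (SCM 7003) and an unreadable hosts file (DNS-Client 1012); the ComboFix log posted next shows the rootkit's `$NtUninstallKB22656$\...\@`, `U\` and `L\` drop folder, UAC policy values that silence elevation prompts, and a Run entry pointing into an NTFS alternate data stream (`c:\windows\TEMP:winupd.exe`). The script below, an added example that is not part of the original thread and not a tool either poster used, turns those indicators into a small triage pass over log lines. The sample lines are copied from the logs in this thread; the driver and service sets, the finding names, `triage()` and `verdict()` are this example's own assumptions.

```python
"""Triage pass over DDS / ComboFix log lines for the ZeroAccess profile.

Added example; not code from the thread or from DDS/ComboFix. Indicator
lists and thresholds are assumptions chosen to fit the logs posted above.
"""
import re
from typing import Iterable, List, Tuple

# Drivers of the security tools on this machine. Windows' own drivers that
# also failed (discache, spldr, Wanarpv6) are deliberately not listed.
SECURITY_DRIVERS = {
    "immunetprotectdriver", "immunetselfprotectdriver",
    "tffsmon", "tfsysmon", "tfnetmon", "sasdifsv", "saskutil",
}
# Core services that the 7003 events report as possibly not installed.
DELETED_SERVICE_DEPS = {"bfe", "wscsvc", "mpssvc", "iphlpsvc"}
# HKLM\...\Policies\System values; 0 here means admins elevate silently and
# any prompt that does appear is drawn on the normal (spoofable) desktop.
WEAK_UAC = {"ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}
# Findings that together make up the rootkit profile, as opposed to a
# merely weakened configuration.
ROOTKIT_INDICATORS = {"security-driver-blocked", "core-service-missing",
                      "hosts-file-unreadable", "zeroaccess-dropzone"}

RE_7026 = re.compile(r"\[7026\].*failed to load:\s*(.+)$")
RE_7003 = re.compile(r"\[7003\].*depends the following service:\s*(\w+)\.")
RE_HOSTS = re.compile(r"DNS-Client \[1012\]")
RE_ZA_DIR = re.compile(r"\\\$NtUninstallKB\d+\$\\\d+\\(?:@|U\\|L\\)", re.I)
RE_UAC = re.compile(r'^"(\w+)"=\s*(\d+)\s*\(0x[0-9a-f]+\)', re.I)
# A Run/RunOnce target of the form <path>:<stream>.exe lives in an ADS.
RE_ADS_RUN = re.compile(r"^\S*Run\S* - ([a-z]:\\[^:]+):(\S+)$", re.I)


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs, one per suspicious log line."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = RE_7026.search(line)
        if m:
            blocked = [d for d in m.group(1).split() if d.lower() in SECURITY_DRIVERS]
            if blocked:
                findings.append(("security-driver-blocked", " ".join(blocked)))
            continue
        m = RE_7003.search(line)
        if m and m.group(1).lower() in DELETED_SERVICE_DEPS:
            findings.append(("core-service-missing", m.group(1)))
            continue
        if RE_HOSTS.search(line):
            findings.append(("hosts-file-unreadable", line.split(" - ", 1)[-1]))
            continue
        if RE_ZA_DIR.search(line):
            findings.append(("zeroaccess-dropzone", line))
            continue
        m = RE_UAC.match(line)
        if m and m.group(1) in WEAK_UAC and int(m.group(2)) == WEAK_UAC[m.group(1)]:
            findings.append(("uac-prompt-disabled", m.group(1)))
            continue
        m = RE_ADS_RUN.match(line)
        if m:
            findings.append(("autorun-in-ads", f"{m.group(1)}:{m.group(2)}"))
    return findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    """Two independent rootkit indicators are needed before calling it one;
    a single 7026 can be a stale driver entry (see the SAS_SelfExtract
    paths in the log), so one hit alone is only 'suspicious'."""
    kinds = {k for k, _ in findings}
    hits = kinds & ROOTKIT_INDICATORS
    if len(hits) >= 2:
        return "rootkit-profile"
    if hits:
        return "suspicious"
    return "weakened-config" if kinds else "clean"


# Sample input: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = """
12/29/2011 9:18:54 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ImmunetProtectDriver ImmunetSelfProtectDriver spldr TfFsMon TfSysMon Wanarpv6
12/29/2011 11:54:47 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
1/5/2012 12:58:55 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
1/4/2012 2:48:35 AM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
c:\\windows\\$NtUninstallKB22656$\\3353190237\\U\\80000032.@
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"PromptOnSecureDesktop"= 0 (0x0)
HKU-Default-Run-winupd - c:\\windows\\TEMP:winupd.exe
HKU-Default-RunOnce-FlashPlayerUpdate - c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10h_Plugin.exe
""".strip().splitlines()

if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_LOG):
        print(f"{kind:24s} {evidence}")
    print("verdict:", verdict(triage(SAMPLE_LOG)))
```

The 7024 HomeGroup line and the RunOnce entry for the Flash updater produce no finding, which is the point of keying on specific event IDs and service names rather than on "Error" alone; the UAC and ADS findings do not count toward the rootkit verdict, but on a clean machine they are still the settings you would want reverted before declaring it done.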

Re: I get redirected after clicking a link from google.

Unread postby boodude186 » January 6th, 2012, 8:16 am

Thank you Gary R., here is the log.

ComboFix 12-01-04.02 - wartorn 01/06/2012 6:41.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3328.2740 [GMT -5:00]
Running from: c:\users\wartorn\Desktop\ComboFix.exe
AV: Immunet 3.0 *Enabled/Updated* {065276D9-6EBF-968C-B5ED-7B8B1DCF4059}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\wartorn\AppData\Local\kgs.exe
c:\users\wartorn\AppData\Roaming\Mozilla\Firefox\Profiles\pkuu9k8c.default\searchplugins\bing-zugo.xml
c:\windows\$NtUninstallKB22656$ . . . . Failed to delete
c:\windows\$NtUninstallKB22656$\239619289
c:\windows\$NtUninstallKB22656$\3353190237\@
c:\windows\$NtUninstallKB22656$\3353190237\bckfg.tmp
c:\windows\$NtUninstallKB22656$\3353190237\cfg.ini
c:\windows\$NtUninstallKB22656$\3353190237\Desktop.ini
c:\windows\$NtUninstallKB22656$\3353190237\keywords
c:\windows\$NtUninstallKB22656$\3353190237\kwrd.dll
c:\windows\$NtUninstallKB22656$\3353190237\L\xadqgnnk
c:\windows\$NtUninstallKB22656$\3353190237\lsflt7.ver
c:\windows\$NtUninstallKB22656$\3353190237\U\00000001.@
c:\windows\$NtUninstallKB22656$\3353190237\U\00000002.@
c:\windows\$NtUninstallKB22656$\3353190237\U\00000004.@
c:\windows\$NtUninstallKB22656$\3353190237\U\80000000.@
c:\windows\$NtUninstallKB22656$\3353190237\U\80000004.@
c:\windows\$NtUninstallKB22656$\3353190237\U\80000032.@
c:\windows\system32\odbcad32.exe
.
----- File Replicators -----
.
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\NOS\Adobe_Downloads\arh.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SPService
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-05 16:08 . 2012-01-05 18:03 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-01-05 14:26 . 2011-12-14 17:47 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2012-01-05 14:26 . 2011-12-14 17:46 21312 ----a-w- c:\windows\system32\authuitu.dll
2012-01-05 14:25 . 2012-01-05 15:04 -------- d-----w- c:\users\wartorn\AppData\Roaming\TuneUp Software
2012-01-05 14:25 . 2012-01-05 14:26 -------- d-----w- c:\program files\TuneUp Utilities 2012
2012-01-05 14:24 . 2012-01-05 14:26 -------- d-----w- c:\programdata\TuneUp Software
2012-01-05 14:23 . 2012-01-05 14:23 -------- d-sh--w- c:\programdata\{32364CEA-7855-4A3C-B674-53D8E9B97936}
2011-12-31 09:28 . 2011-12-31 09:28 -------- d-----w- c:\users\wartorn\AppData\Local\TransMac
2011-12-31 09:28 . 2011-12-31 09:28 -------- d-----w- c:\program files\TransMac
2011-12-31 02:21 . 2011-12-31 02:21 -------- d-----w- c:\program files\LinuxLive USB Creator
2011-12-30 02:29 . 2011-12-30 02:29 -------- d-----w- c:\users\wartorn\AppData\Roaming\SUPERAntiSpyware.com
2011-12-30 02:29 . 2011-12-30 02:29 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-12-29 17:28 . 2012-01-05 17:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-29 17:28 . 2011-12-29 17:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-29 09:43 . 2011-12-29 17:17 -------- d-----w- c:\programdata\PC Tools
2011-12-29 09:38 . 2011-12-29 09:41 -------- d-----w- c:\users\wartorn\AppData\Roaming\GetRightToGo
2011-12-27 09:24 . 2011-12-27 09:24 -------- d-----w- C:\Perfect World Entertainment
2011-12-27 08:14 . 2011-12-27 08:14 -------- d-----w- c:\program files\Pando Networks
2011-12-25 11:59 . 2011-11-30 07:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{82E9111F-22C7-44B5-87A2-9A4D41DDF025}\mpengine.dll
2011-12-22 19:49 . 2011-12-22 19:49 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-21 00:12 . 2011-11-21 04:04 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-21 00:12 . 2011-11-21 04:04 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-21 00:12 . 2011-11-21 04:04 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-21 00:12 . 2011-11-21 04:04 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-21 00:12 . 2011-11-21 04:04 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-21 00:12 . 2011-11-21 04:04 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-21 00:12 . 2011-11-21 01:04 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-21 00:12 . 2011-11-21 01:04 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-20 23:00 . 2011-12-20 23:31 -------- d-----w- c:\users\wartorn\AppData\Roaming\ImgBurn
2011-12-20 22:53 . 2011-12-20 22:53 -------- d-----w- c:\program files\ImgBurn
2011-12-20 07:24 . 2011-12-20 07:24 -------- d-----w- c:\users\wartorn\AppData\Local\Chromium
2011-12-20 07:22 . 2011-12-20 07:22 -------- d-----w- c:\users\wartorn\AppData\Roaming\GiftBoxPlus
2011-12-20 07:22 . 2011-12-21 22:44 -------- d-----w- c:\program files\GiftBoxPlus
2011-12-20 00:41 . 2011-12-20 00:41 -------- d-----w- c:\users\wartorn\.swt
2011-12-20 00:41 . 2012-01-05 17:02 -------- d-----w- c:\users\wartorn\AppData\Roaming\Azureus
2011-12-20 00:39 . 2012-01-05 17:55 -------- d-----w- c:\users\wartorn\AppData\Local\Conduit
2011-12-19 23:17 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-12-19 23:11 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-12-19 22:39 . 2011-11-05 04:35 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 22:39 . 2011-11-05 04:33 860672 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-12-19 22:33 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll
2011-12-19 22:32 . 2010-08-31 04:32 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-12-19 22:32 . 2010-08-31 04:32 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-12-19 22:31 . 2010-12-18 05:29 541184 ----a-w- c:\windows\system32\kerberos.dll
2011-12-19 22:31 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-12-19 22:31 . 2011-02-19 05:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-12-19 22:31 . 2011-02-19 03:37 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-12-19 22:30 . 2011-10-01 04:43 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-12-19 22:30 . 2011-11-05 04:30 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-19 22:30 . 2011-04-29 02:57 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-12-19 22:30 . 2011-04-29 02:57 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-12-19 22:30 . 2011-04-29 02:57 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-12-19 22:30 . 2011-03-03 05:29 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-12-19 22:30 . 2011-03-03 05:27 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-12-19 22:29 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-19 22:29 . 2011-08-17 04:26 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-12-19 22:29 . 2011-08-17 04:22 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-12-19 22:29 . 2011-08-17 04:22 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-12-19 22:29 . 2011-08-17 04:22 59904 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-12-19 22:29 . 2011-08-17 04:22 204288 ----a-w- c:\windows\system32\MSNP.ax
2011-12-19 22:29 . 2010-10-12 04:25 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2011-12-19 22:29 . 2011-09-29 15:43 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-12-19 22:29 . 2011-11-24 04:23 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 22:29 . 2011-02-18 05:36 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-12-19 22:28 . 2010-08-26 04:39 109056 ----a-w- c:\windows\system32\t2embed.dll
2011-12-19 22:28 . 2011-05-04 04:52 1401856 ----a-w- c:\windows\system32\mssrch.dll
2011-12-19 22:28 . 2011-05-04 04:53 1553920 ----a-w- c:\windows\system32\tquery.dll
2011-12-19 22:28 . 2011-05-04 04:52 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-12-19 22:28 . 2011-05-04 04:52 428032 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-12-19 22:28 . 2011-05-04 04:52 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-12-19 22:28 . 2011-05-04 04:52 337408 ----a-w- c:\windows\system32\mssph.dll
2011-12-19 22:28 . 2011-05-04 04:52 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-12-19 22:28 . 2011-05-04 04:52 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-12-19 22:28 . 2011-05-04 04:52 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-12-19 22:28 . 2010-08-21 05:36 224256 ----a-w- c:\windows\system32\schannel.dll
2011-12-19 22:26 . 2010-12-23 05:28 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-12-19 22:26 . 2010-12-23 05:28 850432 ----a-w- c:\windows\system32\sbe.dll
2011-12-19 22:26 . 2010-12-23 05:24 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-12-19 22:25 . 2010-10-27 04:40 1289536 ----a-w- c:\windows\system32\ntdll.dll
2011-12-19 22:25 . 2011-10-26 04:25 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-19 22:25 . 2011-03-12 11:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-12-19 22:25 . 2010-12-21 05:38 204288 ----a-w- c:\windows\system32\upnp.dll
2011-12-19 22:25 . 2010-12-21 05:36 1389568 ----a-w- c:\windows\system32\msxml6.dll
2011-12-19 22:25 . 2010-12-21 05:36 1236992 ----a-w- c:\windows\system32\msxml3.dll
2011-12-19 22:25 . 2010-12-21 05:38 350720 ----a-w- c:\windows\system32\winhttp.dll
2011-12-19 22:25 . 2010-12-21 05:38 204800 ----a-w- c:\windows\system32\WebClnt.dll
2011-12-19 22:25 . 2010-12-21 05:34 80384 ----a-w- c:\windows\system32\davclnt.dll
2011-12-19 22:25 . 2010-12-21 05:38 73728 ----a-w- c:\windows\system32\wscsvc.dll
2011-12-19 22:25 . 2010-12-21 05:38 51200 ----a-w- c:\windows\system32\wscapi.dll
2011-12-19 22:25 . 2010-12-21 05:38 14336 ----a-w- c:\windows\system32\slwga.dll
2011-12-19 22:24 . 2010-09-01 04:26 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-12-19 22:24 . 2010-09-01 04:23 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2011-12-19 22:24 . 2011-02-24 05:32 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-12-19 22:24 . 2011-02-26 05:33 2614784 ----a-w- c:\windows\explorer.exe
2011-12-19 22:24 . 2011-10-15 05:48 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-19 22:24 . 2010-10-16 04:36 314368 ----a-w- c:\windows\system32\webio.dll
2011-12-19 22:21 . 2010-11-02 04:35 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-12-19 22:21 . 2010-11-02 04:35 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
2011-12-19 22:21 . 2010-11-02 04:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-12-19 22:21 . 2010-11-02 04:36 801792 ----a-w- c:\windows\system32\FntCache.dll
2011-12-19 22:21 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
2011-12-19 22:21 . 2010-11-02 04:35 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-12-19 22:21 . 2010-06-26 05:14 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
2011-12-19 22:21 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2011-12-19 22:21 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-12-19 22:21 . 2010-11-02 04:41 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-12-19 22:19 . 2011-10-26 04:42 3901808 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-19 22:19 . 2011-10-26 04:42 3957104 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-19 22:18 . 2011-01-17 05:38 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-12-19 22:18 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-12-19 22:16 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-12-19 22:16 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-12-19 22:16 . 2010-08-27 05:46 168448 ----a-w- c:\windows\system32\srvsvc.dll
2011-12-19 22:16 . 2011-06-15 09:04 81920 ----a-w- c:\windows\system32\odbccr32.dll
2011-12-19 22:16 . 2011-06-15 09:04 319488 ----a-w- c:\windows\system32\odbcjt32.dll
2011-12-19 22:16 . 2011-06-15 09:04 122880 ----a-w- c:\windows\system32\odbccp32.dll
2011-12-19 22:16 . 2011-06-15 09:04 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-12-19 22:16 . 2011-06-15 09:04 94208 ----a-w- c:\program files\Common Files\System\Ole DB\msdaosp.dll
2011-12-19 22:16 . 2011-06-15 09:04 163840 ----a-w- c:\windows\system32\odbctrac.dll
2011-12-19 22:16 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-12-19 22:16 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2011-12-19 22:15 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-12-19 22:15 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-12-19 22:15 . 2010-08-21 05:36 738816 ----a-w- c:\windows\system32\wmpmde.dll
2011-12-19 22:14 . 2010-10-16 04:41 101760 ----a-w- c:\windows\system32\consent.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 04:04 . 2011-12-21 00:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-13 23:12 . 64B8E8AAE320DF0FC3679F9D20984BF0 . 74240 . . [------] . . c:\windows\System32\drivers\tdx.sys
.
[-] 2010-06-20 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^wartorn^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\wartorn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 09:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2010-04-30 09:24 9210400 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\DRIVERS\ImmunetProtect.sys [x]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\DRIVERS\ImmunetSelfProtect.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\wartorn\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\wartorn\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ImmunetProtect;Immunet 3.0;c:\program files\Immunet\3.0.5\agent.exe [x]
R3 ALSysIO;ALSysIO;c:\users\wartorn\AppData\Local\Temp\ALSysIO.sys [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-15 1343400]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-03-31 20968]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [2011-12-14 1514304]
S3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x86.sys [2010-04-07 376160]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [2011-12-13 10064]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z006&form=ZGAPHP
mStart Page = hxxp://www.yahoo.com
TCP: DhcpNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
TCP: Interfaces\{65EB6294-79D0-4A7E-945D-DCBF3E2F4212}: NameServer = 24.247.15.53,66.189.0.100,24.178.162.3
FF - ProfilePath - c:\users\wartorn\AppData\Roaming\Mozilla\Firefox\Profiles\pkuu9k8c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(yahoo.homepage.dontask, true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
HKU-Default-Run-winupd - c:\windows\TEMP:winupd.exe
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe
MSConfigStartUp-Logitech Vid - c:\program files\Logitech\Logitech Vid\vid.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-Steam - c:\program files\Steam\steam.exe
AddRemove-InstallShield_{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F} - c:\program files\InstallShield Installation Information\{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}\setup.exe
AddRemove-InstallShield_{3BD633E0-4BF8-4499-9149-88F0767D449C} - c:\program files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe
AddRemove-InstallShield_{5D7767FA-7FE8-4627-9F09-AEF7A25F1E07} - c:\program files\InstallShield Installation Information\{5D7767FA-7FE8-4627-9F09-AEF7A25F1E07}\setup.exe
AddRemove-InstallShield_{8503C901-85D7-4262-88D2-8D8B2A7B08B8} - c:\program files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe
AddRemove-InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE} - c:\program files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe
AddRemove-InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498} - c:\program files\InstallShield Installation Information\{931C37FC-594D-43A9-B10F-A2F2B1F03498}\setup.exe
AddRemove-InstallShield_{E5141379-B2D9-4BBC-BB2A-5805541571DD} - c:\program files\InstallShield Installation Information\{E5141379-B2D9-4BBC-BB2A-5805541571DD}\setup.exe
.
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD16 rev.02.0 -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86D6049F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d67738]; MOV EAX, [0x86d678ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82E52458] -> \Device\Harddisk0\DR0[0x86A7A1C8]
3 CLASSPNP[0x8BF9859E] -> ntkrnlpa!IofCallDriver[0x82E52458] -> [0x86778700]
5 ACPI[0x836233B2] -> ntkrnlpa!IofCallDriver[0x82E52458] -> \00000065[0x86286030]
\Driver\nvstor[0x86DA7A90] -> IRP_MJ_CREATE -> 0x86D6049F
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000065 -> \??\SCSI#Disk&Ven_WDC_WD16&Prod_00JS-00MHB0#4&137cd3ca&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 312579693 (+7): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2689706804-3339804068-1537889722-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5BA98AA-4347-0E86-04F7-B68174A90881}*]
"oamlafiallkjpmhogklpnlogjhcpcn"=hex:6b,61,64,68,63,64,62,61,6a,6d,68,63,6d,6f,
65,62,66,6e,65,62,6a,6f,00,00
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DbgagD\1*]
"value"="?\0c\02\14\00(+\13"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
c:\windows\system32\conhost.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2012-01-06 07:04:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 12:04
.
Pre-Run: 115,979,497,472 bytes free
Post-Run: 115,813,494,784 bytes free
.
- - End Of File - - DF8D7532ECD758BD5473C5466E417268
boodude186
Active Member
 
Posts: 3
Joined: January 5th, 2012, 1:22 pm
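The Gmer section of the log above is the part that matters for the redirect symptom. The disk trace shows the IRP_MJ_CREATE dispatch of \Driver\nvstor pointing at 0x86D6049F, an address the tool could not attribute to any loaded module, and the sector comparison reports that reading sectors 312579693 (+7) through the normal path gives different data from a lower-level kernel read. Those sectors sit past the last partition, which is where the TDL3/TDL4 family keeps its hidden storage, so the tool's "possible TDL3 rootkit infection" warning follows directly from the two observations. The Python below is an added example, not code from the thread or from Gmer: it parses an MBR partition table, says whether a given sector lies inside a partition or in the unpartitioned tail of the disk, and diffs two reads of the same sector range, printing the result in the shape of the log line. The MBR image, the disk size and both sector views are constructed in the code; the 160 GB sector count is an assumption, not a value taken from the log.

```python
"""
Added example (not from the thread): parse an MBR partition table, locate the
unpartitioned tail of the disk, and compare two reads of the same sectors the
way the Gmer check in the log does. Every byte of disk data here is constructed.
"""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of the four-slot partition table at offset 446."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != MBR_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) lba_count(4); CHS skipped
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * slot)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({"slot": slot, "bootable": status == 0x80,
                        "type": ptype, "start": start, "end": start + count})
    return entries


def trailing_unpartitioned(mbr: bytes, disk_sectors: int) -> int:
    """Sectors after the last partition: the region TDL3/TDL4 use for hidden storage."""
    last_end = max((p["end"] for p in parse_mbr(mbr)), default=1)
    return max(disk_sectors - last_end, 0)


def classify_lba(mbr: bytes, lba: int, disk_sectors: int) -> str:
    """Say where a sector lives: MBR, a partition, a gap, the tail, or off the disk."""
    if lba >= disk_sectors:
        return "beyond end of disk"
    if lba == 0:
        return "MBR"
    parts = parse_mbr(mbr)
    for p in parts:
        if p["start"] <= lba < p["end"]:
            return f"partition slot {p['slot']} (type 0x{p['type']:02x})"
    tail_start = max((p["end"] for p in parts), default=1)
    return "unpartitioned tail" if lba >= tail_start else "unpartitioned gap"


def diff_sectors(view_a: bytes, view_b: bytes, first_lba: int) -> list:
    """LBAs at which two reads of the same range disagree (e.g. user path vs. kernel path)."""
    if len(view_a) != len(view_b) or len(view_a) % SECTOR:
        raise ValueError("views must be the same length and whole sectors")
    n = len(view_a) // SECTOR
    return [first_lba + i for i in range(n)
            if view_a[i * SECTOR:(i + 1) * SECTOR] != view_b[i * SECTOR:(i + 1) * SECTOR]]


def describe_mismatch(lbas: list) -> str:
    """Render a mismatch run like the log line; '+N' here counts sectors after the first."""
    if not lbas:
        return "user & kernel sectors OK"
    return f"sectors {lbas[0]} (+{lbas[-1] - lbas[0]}): user != kernel"


# ---- constructed sample data (not captured from the poster's machine) ----
def _entry(bootable: bool, ptype: int, start: int, count: int) -> bytes:
    # CHS fields fixed at FE FF FF, the "use LBA" marker modern tools write
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                       b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)


# First bytes are the opening of the standard Windows MBR shown in the log
# (33 C0 = xor ax,ax; 8E D0 = mov ss,ax; BC 00 7C = mov sp,0x7c00); rest is padding.
SAMPLE_MBR = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(446, b"\x00")
              + _entry(True, 0x07, 2048, 204800)        # 100 MB "System Reserved"
              + _entry(False, 0x07, 206848, 312372224)  # Windows volume
              + bytes(32)                               # two empty slots
              + MBR_SIG)
DISK_SECTORS = 312581808   # assumed LBA count for a 160 GB drive; not read from the log
HIDDEN_LBA = 312579693     # the first sector the Gmer line in the log reports as differing
USER_VIEW = bytes(8 * SECTOR)              # hooked path hands back zeroed sectors
KERNEL_VIEW = b"\x4c\x4b" * (4 * SECTOR)   # raw path sees the stored data

if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR))
    print(trailing_unpartitioned(SAMPLE_MBR, DISK_SECTORS), "sectors past the last partition")
    print(HIDDEN_LBA, "->", classify_lba(SAMPLE_MBR, HIDDEN_LBA, DISK_SECTORS))
    print(describe_mismatch(diff_sectors(USER_VIEW, KERNEL_VIEW, HIDDEN_LBA)))
```

On a live Windows machine the MBR can be read by opening `\\.\PhysicalDrive0` for binary reading as an administrator (reads must be whole sectors), but that read goes through the same storage stack the rootkit has hooked, so it only ever produces the "user" view. Obtaining the "kernel" view that the log compares against requires a driver that bypasses the hooked dispatch, which is what the tool does and user-mode Python cannot.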

Re: I get redirected after clicking a link from google.

Post by Gary R » January 6th, 2012, 11:08 am

  • Click Start type Notepad.exe in the Search programs and files box then hit Enter.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
File::
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
c:\documents and settings\All Users\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\NOS\Adobe_Downloads\arh.exe

Folder::
c:\documents and settings\All Users\Application Data\Application Data
c:\programdata\Application Data\Application Data
c:\users\All Users\Application Data\Application Data

DDS::
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{72b90932-6338-4345-9fc4-4f94984ed241}\components\FFExternalAlert.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\{72b90932-6338-4345-9fc4-4f94984ed241}\components\RadioWMPCore.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\engine@conduit.com\components\FFExternalAlert.dll
FF - component: c:\users\wartorn\appdata\roaming\mozilla\firefox\profiles\pkuu9k8c.default\extensions\engine@conduit.com\components\RadioWMPCore.dll

Regnull::
[HKEY_USERS\S-1-5-21-2689706804-3339804068-1537889722-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5BA98AA-4347-0E86-04F7-B68174A90881}*]

  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.

[image]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
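The two Firefox prefs in the DDS:: section of the script above are the ones that decided where this user's searches went. In the earlier log, browser.search.selectedEngine still reads Google, so the search box looks normal, but keyword.URL (which handled address-bar searches in Firefox of that era) and browser.search.defaulturl both point at search.conduit.com. The Python below is an added example rather than code from the thread: it parses prefs.js, flags search-related prefs whose host is not on a trusted list, and returns the file with those lines removed, which is the effect the script's DDS:: entries have. The prefs.js content is constructed to mirror the log entries; the conduit path and query string are invented because the log truncates them, and the trusted-host list is an assumption.

```python
"""
Added example (not from the thread): parse Firefox prefs.js, flag search-related
prefs that send queries to a host outside a trusted list, and strip them.
The prefs.js text is constructed here to mirror the entries in the log.
"""
import re
from urllib.parse import urlparse

# user_pref("name", value);  -- value is a JS string, integer or boolean
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')
ESCAPE = re.compile(r'\\(u[0-9a-fA-F]{4}|.)')

# Prefs that decide where address-bar and search-box queries go.
SEARCH_PREFS = ("keyword.URL", "browser.search.defaulturl",
                "browser.startup.homepage", "browser.search.defaultenginename")
# Assumed allow-list; adjust to the engines the user actually chose.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "www.yahoo.com"}


def _unescape(s: str) -> str:
    """Undo the JS string escapes prefs.js uses (\\", \\\\, \\n, \\t, \\uXXXX)."""
    def sub(m):
        e = m.group(1)
        if e.startswith("u") and len(e) == 5:
            return chr(int(e[1:], 16))
        return {"n": "\n", "t": "\t"}.get(e, e)
    return ESCAPE.sub(sub, s)


def parse_value(raw: str):
    """Turn the textual value of a user_pref() call into str, bool or int."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_prefs(text: str) -> dict:
    """Map pref name -> value for every user_pref() line; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[_unescape(m.group(1))] = parse_value(m.group(2))
    return prefs


def find_search_hijack(prefs: dict, trusted_hosts) -> list:
    """Return (pref, host) pairs for search prefs whose URL host is not trusted."""
    findings = []
    for name in SEARCH_PREFS:
        val = prefs.get(name)
        if not isinstance(val, str) or "://" not in val:
            continue  # unset, or an engine name rather than a URL
        host = urlparse(val).hostname or ""
        if host not in trusted_hosts:
            findings.append((name, host))
    return findings


def strip_prefs(text: str, names) -> str:
    """Return prefs.js text with the named user_pref() lines removed."""
    names = set(names)
    kept = [line for line in text.splitlines()
            if not ((m := PREF_LINE.match(line)) and _unescape(m.group(1)) in names)]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed prefs.js mirroring the log; the conduit path/query are invented.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.search.defaulturl", "http://search.conduit.com/search?q={searchTerms}");
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("keyword.URL", "http://search.conduit.com/search?q=");
user_pref("network.http.max-persistent-connections-per-server", 4);
user_pref("nglayout.initialpaint.delay", 600);
user_pref("yahoo.homepage.dontask", true);
'''

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    hits = find_search_hijack(prefs, TRUSTED_SEARCH_HOSTS)
    for name, host in hits:
        print(f"{name} -> {host}  (selectedEngine shows {prefs['browser.search.selectedEngine']!r})")
    print(strip_prefs(SAMPLE_PREFS_JS, [n for n, _ in hits]))
```

Firefox rewrites prefs.js on exit, so a cleanup of this kind only sticks if the browser is closed first and the user.js file in the same profile (which the log shows is also present here) does not re-set the same prefs on the next start.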

Re: I get redirected after clicking a link from google.

Post by boodude186 » January 6th, 2012, 11:59 am

I did that; during the process, it crashed. I tried it twice; the second time, I lost connection to the internet and can't seem to regain it. The CFScript which was on my desktop is now gone and nowhere to be found.

Re: I get redirected after clicking a link from google.

Post by Gary R » January 6th, 2012, 12:09 pm

Please download Farbar Service Scanner ... by Farbar and save it to your Desktop.

Since you don't have a connection, you'll have to download on another computer and transfer it to your infected machine using a USB drive.

  • Double click FSS.exe to run it. (Vista - W7 users: Please right click on FSS.exe and select Run As Administrator).
  • Press the Scan button.
  • When finished, a text file named FSS.txt will be created on your desktop.
  • Copy/Paste the contents in your reply please.

See if Combofix created a log; it should be in C:\Combofix.txt. If there's not one there, please look for one at C:\qoobox\ComboFix2.txt.

If present, please post that in your next reply also.

Re: I get redirected after clicking a link from google.

Post by Gary R » January 9th, 2012, 3:40 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.