
browser redirect from google search with dds



alsbot
2011-06-10, 21:12
Hi,

About a month ago I started having this problem. Almost every time I click a link from a Google search it redirects me to a different page instead of the page I clicked on. I have been getting around this by just copying the link directly into the URL bar. I usually use Chrome, but it happens when I use Internet Explorer also. I don't know what could have caused the problem; I don't think I visited any creepy sites or ran anything blatantly bad.

I ran a full scan of Malwarebytes and nothing came up. Then I tried Kaspersky Rescue Disk 2010 and nothing came up at all. Again with Spybot nothing unusual came up. And with TDSSKiller nothing came up.

When it redirects me it usually goes to scour.com or different fake anti-virus sites.

I have Windows 7 32-bit.

Thanks for your help

DDS:

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Alyssa at 12:06:31 on 2011-06-10
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2038.906 [GMT -6:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\AsusService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\Windows\AsScrPro.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\EeePC\CapsHook\CapsHook.exe
C:\Program Files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DAEMON Tools\DTLite.exe
C:\Users\Alyssa\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\SearchIndexer.exe
C:\Users\Alyssa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Alyssa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\rundll32.exe
C:\Users\Alyssa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alyssa\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\taskeng.exe
C:\Users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe
C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\taskhost.exe
C:\Users\Alyssa\AppData\Local\Google\Update\Install\{CCF4C376-B71B-40B6-A232-5172382910F9}\chrome_updater.exe
C:\Users\Alyssa\AppData\Local\Temp\CR_E1450.tmp\setup.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://asus.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools\DTLite.exe" -autorun
uRun: [SansaDispatch] c:\users\alyssa\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\users\alyssa\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SynAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [HotkeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
mRun: [SuperHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe
mRun: [LiveUpdate] AsusSender.exe c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [CapsHook] AsusSender.exe c:\program files\eeepc\capshook\CapsHook.exe
mRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe autorun
mRun: [ASUS WebStorage] c:\program files\asus\asus webstorage\service\AsusWSService.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [OOBESetup] c:\program files\asus\ooberegbackup\ooberegbackup.exe /restore -"c:\program files\asus\ooberegbackup\OOBEReg.ini"
mRun: [Boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"
mRun: [ASUSPRP] c:\program files\asus\aprp\APRP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\alyssa\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0A8AA83C-B92B-4DBE-9470-69B093A37B1E} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0A8AA83C-B92B-4DBE-9470-69B093A37B1E}\157756374775966496 : DhcpNameServer = 192.168.9.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{0A8AA83C-B92B-4DBE-9470-69B093A37B1E}\45869637D416368696E656 : DhcpNameServer = 68.87.85.102 68.87.69.150
TCP: Interfaces\{0A8AA83C-B92B-4DBE-9470-69B093A37B1E}\66F627564586F6577686470284F6473707F647 : DhcpNameServer = 192.168.30.2 192.168.31.2
TCP: Interfaces\{0A8AA83C-B92B-4DBE-9470-69B093A37B1E}\C696E6B6379737F5353484 : DhcpNameServer = 68.87.85.102 68.87.69.150
TCP: Interfaces\{99D99479-53FF-461A-BCC8-D80652D0FF75} : DhcpNameServer = 10.0.96.10 205.171.3.65 205.171.2.65
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\aibelive\voice command\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\nvinit.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;c:\windows\system32\drivers\nvpciflt.sys [2010-7-12 19656]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-6-24 11448]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2010-6-24 219136]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2010-9-19 1616488]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-6-21 68208]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-17 1153368]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-1 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-6-22 68200]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-7 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-15 1343400]
.
=============== Created Last 30 ================
.
2011-06-09 02:08:10 388096 ----a-r- c:\users\alyssa\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-09 02:08:10 -------- d-----w- c:\program files\Trend Micro
2011-06-07 14:17:11 -------- d-----w- c:\windows\system32\SPReview
2011-06-07 14:15:31 -------- d-----w- c:\windows\system32\EventProviders
2011-06-07 13:59:59 9166336 ----a-w- c:\program files\dvd maker\OmdBase.dll
2011-06-07 13:58:58 97280 ----a-w- c:\windows\system32\dwmredir.dll
2011-06-07 13:57:27 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-06-07 13:57:27 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2011-06-07 13:57:27 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2011-06-07 13:57:27 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-06-07 13:57:19 697344 ----a-w- c:\windows\system32\SmiEngine.dll
2011-06-07 13:57:12 209920 ----a-w- c:\windows\system32\PkgMgr.exe
2011-06-07 13:57:12 189952 ----a-w- c:\windows\system32\wdscore.dll
2011-06-07 13:56:39 323072 ----a-w- c:\windows\system32\drvstore.dll
2011-06-07 13:56:39 257024 ----a-w- c:\windows\system32\dpx.dll
2011-06-06 19:17:20 -------- d-----w- C:\$RECYCLE.BIN
2011-06-06 19:15:23 -------- d-----w- c:\users\alyssa\appdata\local\temp
2011-06-06 19:03:39 98816 ----a-w- c:\windows\sed.exe
2011-06-06 19:03:39 518144 ----a-w- c:\windows\SWREG.exe
2011-06-06 19:03:39 256512 ----a-w- c:\windows\PEV.exe
2011-06-06 19:03:39 208896 ----a-w- c:\windows\MBR.exe
2011-06-06 10:11:50 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-05-25 13:57:12 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-18 17:46:49 -------- d-----w- c:\users\alyssa\appdata\local\ElevatedDiagnostics
2011-05-18 17:32:29 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-18 17:14:33 219136 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-05-18 17:14:33 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-05-18 17:14:23 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-18 00:39:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-05-18 00:39:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-11 19:00:54 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 19:00:53 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2011-06-07 14:27:09 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-04 10:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-09 05:02:04 390656 ----a-w- c:\windows\system32\ipcoin815.dll
.
============= FINISH: 12:09:06.65 ===============

Jack&Jill
2011-06-19, 19:28
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

alsbot
2011-06-21, 00:23
Thanks for helping with this problem.

I subscribed to the thread so I should be able to respond quickly when given advice.

Jack&Jill
2011-06-21, 08:52
Hello alsbot :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :). We may begin.

--------------------

Let's start with uninstalling Spybot Search & Destroy because its real-time protection will interfere with the fixes.

You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

Please post the TDSSKiller log as well. It will be named TDSSKiller.Version_Date_Time_log.txt at C:\, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.

--------------------

I see signs of Combofix on your computer.

While you may see ComboFix being used quite often and without incident, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool).

Going forward, I highly recommend you heed such instructions.

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there are any rootkits present and how they could affect our tools. Thus, we use preliminary scans like DDS and GMER and their logs to map our strategy for attack.

With these logs, we can determine the infections present and decide whether to deploy ComboFix.

That said, the log it produced contains valuable information. Kindly post the ComboFix log, C:\ComboFix.txt.

--------------------

Please download aswMBR and save it to your desktop. Click here. (http://public.avast.com/~gmerek/aswMBR.exe)

Double click the aswMBR.exe file to run it.
Click on the Scan button to start. The program will launch a scan.
When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
Please post the contents of the log in your next reply.

--------------------

Please post back:
1. previous MBAM report
2. TDSSKiller log
3. ComboFix log
4. aswMBR result

alsbot
2011-06-23, 03:58
I removed Spybot.

MBAM:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6912

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

6/21/2011 4:55:30 PM
mbam-log-2011-06-21 (16-55-30).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 265005
Time elapsed: 55 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


TDSSKiller:

2011/06/22 18:25:37.0861 1704 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
2011/06/22 18:25:43.0057 1704 Perform update action was selected
2011/06/22 18:25:43.0095 2508 Deinitialize success

ComboFix:


ComboFix 11-06-06.01 - Alyssa 06/06/2011 13:05:47.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1264 [GMT -6:00]
Running from: c:\users\Alyssa\Desktop\prog.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\windows\system32\Thumbs.db
.
c:\windows\system32\userinit.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-06-06 19:03 . 2011-06-06 19:03 -------- d-----w- C:\32788R22FWJFW
2011-06-06 10:11 . 2011-06-06 12:07 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-05-25 13:57 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-18 17:46 . 2011-05-18 17:46 -------- d-----w- c:\users\Alyssa\AppData\Local\ElevatedDiagnostics
2011-05-18 17:32 . 2011-05-18 17:32 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-18 17:31 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-05-18 17:14 . 2011-01-17 05:38 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-05-18 17:14 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-18 00:39 . 2011-05-18 03:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-05-18 00:39 . 2011-05-18 00:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-11 19:00 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 19:00 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-09 03:05 . 2011-05-09 03:05 -------- d-----w- c:\users\Alyssa\AppData\Local\Apple Computer
2011-05-07 20:09 . 2011-05-07 20:09 -------- d-----w- c:\users\Alyssa\AppData\Local\SKIDROW
2011-05-07 19:29 . 2011-05-07 19:29 -------- d-----w- c:\program files\Valve
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-09 05:02 . 2011-04-09 05:02 390656 ----a-w- c:\windows\system32\ipcoin815.dll
2011-03-13 02:17 . 2010-06-24 17:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-12 11:31 . 2011-04-26 23:35 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:44 . 2011-04-26 23:35 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 05:44 . 2011-04-26 23:35 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 05:44 . 2011-04-26 23:35 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 05:44 . 2011-04-26 23:35 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 05:43 . 2011-04-26 23:35 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:43 . 2011-04-26 23:35 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 05:43 . 2011-04-26 23:35 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 05:40 . 2011-04-14 13:30 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40 . 2011-04-14 13:30 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:39 . 2011-04-26 23:35 1686016 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:37 . 2011-04-26 23:35 74240 ----a-w- c:\windows\system32\fsutil.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
[HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
[HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools\DTLite.exe" [2010-04-01 357696]
"SansaDispatch"="c:\users\Alyssa\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-12-28 79872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-13 1594664]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2010-04-13 83240]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2010-06-24 3058304]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"HotkeyMon"="AsusSender.exe" [2010-05-24 35304]
"HotkeyService"="AsusSender.exe" [2010-05-24 35304]
"SuperHybridEngine"="AsusSender.exe" [2010-05-24 35304]
"LiveUpdate"="AsusSender.exe" [2010-05-24 35304]
"CapsHook"="AsusSender.exe" [2010-05-24 35304]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2010-03-29 415920]
"ASUS WebStorage"="c:\program files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe" [2010-03-16 1754448]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-05-27 9177632]
"OOBESetup"="c:\program files\asus\OOBERegBackup\OOBERegBackup.exe" [2009-12-11 334848]
"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2010-09-13 2429]
"ASUSPRP"="c:\program files\ASUS\APRP\APRP.EXE" [2010-06-24 2018032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-25 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-25 150552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-03-09 68200]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-15 1343400]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2010-07-12 19656]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-14 691696]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-04-13 11448]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2010-07-12 1616488]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2010-06-21 68208]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3218672656-4015062725-2155474722-1001Core.job
- c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-02 01:50]
.
2011-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3218672656-4015062725-2155474722-1001UA.job
- c:\users\Alyssa\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-02 01:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://asus.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.96.10 205.171.3.65 205.171.2.65
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,62,55,cc,e5,37,68,22,43,bf,68,7a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,62,55,cc,e5,37,68,22,43,bf,68,7a,\
.
[HKEY_USERS\S-1-5-21-3218672656-4015062725-2155474722-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3218672656-4015062725-2155474722-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1712)
c:\progra~1\ASUS\ASUSWE~1\service\ASUSWS~1.DLL
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\ASUS\ASUS WebStorage\LogicNP.EZNamespaceExtensions.dll
c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
c:\windows\system32\wpdshext.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2011-06-06 13:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-06 19:22
.
Pre-Run: 56,869,036,032 bytes free
Post-Run: 56,792,010,752 bytes free
.
- - End Of File - - 5A85877B1F84BD57AFB3CCF1A0C8DC66


aswMBR:

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-22 18:42:25
-----------------------------
18:42:25.931 OS Version: Windows 6.1.7601 Service Pack 1
18:42:25.933 Number of processors: 4 586 0x1C0A
18:42:25.937 ComputerName: BENDER UserName: Alyssa
18:42:26.613 Initialize success
18:42:35.065 AVAST engine defs: 11062201
18:42:49.170 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
18:42:49.176 Disk 0 Vendor: ST925031 0003 Size: 238475MB BusType: 3
18:42:49.182 Disk 0 MBR read error 0
18:42:49.191 Disk 0 MBR scan
18:42:49.202 Disk 0 unknown MBR code
18:42:49.211 MBR BIOS signature not found 0
18:42:49.223 Disk 0 scanning sectors +488397168
18:42:49.235 Disk 0 scanning C:\windows\system32\drivers
18:43:07.833 Service scanning
18:43:08.951 Disk 0 trace - called modules:
18:43:09.031 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys spgo.sys >>UNKNOWN [0x8523f938]<<
18:43:09.043 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86a811c0]
18:43:09.066 3 CLASSPNP.SYS[895b459e] -> nt!IofCallDriver -> [0x86015360]
18:43:09.083 5 ACPI.sys[88fb53d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8528c028]
18:43:09.980 AVAST engine scan C:\windows
18:53:24.424 AVAST engine scan C:\Users\Alyssa
18:53:24.490 AVAST engine scan C:\ProgramData
18:53:24.492 Scan finished successfully
18:54:09.289 Disk 0 MBR has been saved successfully to "C:\Users\Alyssa\Desktop\MBR.dat"
18:54:09.312 The log file has been saved successfully to "C:\Users\Alyssa\Desktop\aswMBR.txt"

Okay, I think that's everything. Thanks!
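
Added example, not from this thread and not part of AVAST's aswMBR: a small Python triage that scans an aswMBR log excerpt (constructed here, modelled on the log posted above) for the lines a helper would follow up on, namely "unknown MBR code", a ">>UNKNOWN [...]<<" module at the end of the disk call chain, and a nonzero MBR read error. The indicator labels and the `needs_followup` rule are my own assumptions, not aswMBR's verdicts.

```python
import re

# Constructed excerpt modelled on the aswMBR log posted above; it is not
# the full log and not output captured from a live system.
SAMPLE_LOG = """\
18:42:49.176 Disk 0 Vendor: ST925031 0003 Size: 238475MB BusType: 3
18:42:49.182 Disk 0 MBR read error 0
18:42:49.191 Disk 0 MBR scan
18:42:49.202 Disk 0 unknown MBR code
18:43:08.951 Disk 0 trace - called modules:
18:43:09.031 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys spgo.sys >>UNKNOWN [0x8523f938]<<
18:43:09.043 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x86a811c0]
18:53:24.492 Scan finished successfully
"""

# (label, regex) pairs for lines that usually prompt a closer look during
# rootkit triage (MBR dump, fresh TDSSKiller run).  A hit is a reason to
# investigate, not proof of infection: "unknown MBR code" can also be a
# legitimate third-party boot loader.  Labels are assumed names.
INDICATORS = [
    ("unknown_mbr_code", re.compile(r"\bunknown MBR code\b")),
    ("unknown_module", re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")),
    ("read_error", re.compile(r"\bMBR read error [1-9]\d*")),  # 0 = no error
]

TIMESTAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")


def triage_aswmbr(log_text):
    """Return (timestamp, label, detail) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line)
        if not m:            # skip the header block and blank lines
            continue
        ts, body = m.groups()
        for label, rx in INDICATORS:
            hit = rx.search(body)
            if hit:
                # keep the captured address when the pattern has one
                detail = hit.group(1) if hit.groups() else body
                findings.append((ts, label, detail))
    return findings


def needs_followup(findings):
    """Any finding means: new TDSSKiller scan (actions set to Skip) and a fresh aswMBR log."""
    return len(findings) > 0


if __name__ == "__main__":
    for ts, label, detail in triage_aswmbr(SAMPLE_LOG):
        print(f"{ts} {label}: {detail}")
```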

Jack&Jill
2011-06-23, 19:46
Hello alsbot :),

Disable CD Emulation drivers

Please download DeFogger© by jpshortstuff and save it to your desktop. Click here. (http://www.jpshortstuff.247fixes.com/Defogger.exe)
Double click on DeFogger.exe to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A Finished! message will appear, then click OK.
DeFogger will now ask to reboot the machine, click OK.
DO NOT re-enable these drivers until otherwise instructed.

If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

--------------------

Delete the TDSSKiller copy that you have. Get the latest one and run it as below.

Please download TDSSKiller© from Kaspersky and save it to your desktop. Click here. (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)

Alternatively, you may get the zip version (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract the file to the desktop.
Double click on TDSSKiller.exe to execute it.
Press Start scan to begin.
If anything is found, please change all the actions to Skip only. <-- Important, please select Skip only, DO NOT Cure yet.
Then click on Continue at the lower right corner.
You may be prompted to reboot your computer, please consent.
Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
Please post the contents of this log.

--------------------

Repeat the aswMBR scan and post back the new log.

--------------------

Please download MiniToolBox© by farbar and save it to your desktop. Click here. (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe)

Double click on MiniToolBox.exe to run it.
Please check (tick) the following options:
Flush DNS
Report IE Proxy Settings
List content of Hosts
List IP configuration
List last 10 Event Viewer Errors
List Users, Partitions and Memory size.
Click on the GO button. A log will open.
Please post this log as attachment. It can also be found on the desktop as Result.txt.

On the Reply to Thread page, you will see the Additional Options section below the text box that you use for replying. Click Manage Attachment and a new window will open. Browse... and look for the file, then double click on it. Next, click on Upload. You may close the window when done. Please do not post any other logs as attachment unless I request.

--------------------

Please post back:
1. new TDSSKiller result
2. fresh aswMBR log
3. MiniToolBox result as attachment

Jack&Jill
2011-06-26, 17:32
Hello alsbot :),

I usually close the topic after 3 days without any reply, and it has already been 3 days since my last post. Do you still need help? Any problems following my instructions? Need more time?

If I do not get any response within the next 24 hours, this topic will be closed.

Jack&Jill
2011-06-28, 04:34
Due to lack of response, this topic is now closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. How to post a DDS log. (http://forums.spybot.info/showpost.php?p=1150&postcount=2)

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm) to me or a MOD. A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.