find-answers-fast redirect virus

2011-08-19, 22:44
I've run Asquared, adaware, and malwarebytes, but none of them have been able to find this redirect virus.

Here's my .dds log:

2011-08-25, 06:27
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

2011-08-25, 10:02
Thank you very much. I'll be watching for your reply. This is getting annoying. It's even forced me to use IE.

2011-08-26, 02:26
Hello Illtempered :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.


Please download aswMBR and save it to your desktop. Click here. (http://public.avast.com/~gmerek/aswMBR.exe)

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click the aswMBR.exe file to run it.
Click on the Scan button to start. The program will launch a scan.
When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
Please post the contents of the log in your next reply.


Scan with RogueKiller

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.
Link 1 (http://www.sur-la-toile.com/RogueKiller/)
Link 2 (http://www.geekstogo.com/forum/files/file/413-roguekiller/)

Allow the download if prompted by your security software and please close all your programs.
Double click on RogueKiller.exe to run it. If it does not run, please try a few times.
A program window will open. Type 1 for Scan and press Enter when prompted.
Once finished, Notepad will open with a log called RKreport.txt, located at the desktop.
Please copy and paste the contents of that log in your next reply.


You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

Get me Attach.txt from the earlier DDS run. If you did not save it, please rerun DDS and post back both logs.


Please post back:
1. aswMBR log
2. RogueKiller result
3. MBAM log
4. DDS logs

2011-08-26, 20:15
Couple questions...

When I ran aswMBR it asked me if I wanted to download antivirus software before I could run the scan. Since this step wasn't in the instructions I clicked "no". Is that ok?

I've uninstalled MBAM since this started. Shall I reinstall it?

Here's my aswMBR.txt:

Here's my RKreport.txt:

I've attached the attach.txt. Thanks again!

2011-08-27, 18:40
Hello Illtempered :),

When I ran aswMBR it asked me if I wanted to download antivirus software before I could run the scan. Since this step wasn't in the instructions I clicked "no". Is that ok?

I've uninstalled MBAM since this started. Shall I reinstall it?

My intention is to have the antivirus software downloaded with aswMBR because it will be used as part of the scanning. No worries since you have skipped it. For MBAM, please see the instructions below.


Upload file(s) to VirusTotal (VT) for an online scan. Click here. (http://www.virustotal.com)

Click on the Browse button or the white box beside it. A File Upload prompt will open.
Copy and paste the following file and its path to upload:

Press Open, then Send file. The file will be uploaded for testing.
If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
Post the results in your next response.

Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti (http://virusscan.jotti.org/) or VirScan (http://virscan.org/) (VS) with similar steps.

A result from either one of the above scanners would be sufficient.


Please download Malwarebytes' Anti-Malware (MBAM)© from Malwarebytes and save it to your desktop. Click here. (http://www.malwarebytes.org/mbam-download.php)


Double click on mbam-setup.exe and follow the prompts to install the program.
At the end of installation, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
MBAM will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update mirror, select one of the websites and click on Check for Updates.
Upon completion of update and loading, select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.


Please download GooredFix© by jpshortstuff and save it to your desktop. Click here. (http://jpshortstuff.247fixes.com/GooredFix.exe)

Run GooredFix

Close all Firefox windows and double click on GooredFix.exe to run it.
When prompted to run the scan, click Yes.
GooredFix will check for infections and a log will open. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).


Please post back:
1. VT result
2. MBAM report
3. GooredFix log

2011-08-27, 21:34
VT Result:



Additional information

Show all

MD5 : fbfc3456b2e155b1bd6514f9589f115b

SHA1 : e47cf96a40cc6a5a833d94c8631002950535b186

SHA256: 6658b26d571b486a1a6a2fc7f747d6a2670647b9aa65c50908b04c34ff7fc546

ssdeep: 6:k7qSM/S6HRb1LItaw8T9wqdt7zWnA8fd5Kfo/GVOcAlS04lUKr6ucTnd6+clTSev:k+N5DYaw

File size : 512 bytes

First seen: 2011-08-27 17:42:34

Last seen : 2011-08-27 17:42:34


publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

MBAM log:

When I tried running GooredFix it crashed soon after I started the scan. It was saved to the desktop, and to run it I double-clicked the exe file there. I got it working by clicking "run" on the IE download window. Here's the log:

2011-08-28, 12:45
Hello Illtempered :),

Please go into the GooredFix Backups folder on the desktop and post back all the earlier logs. They will be named as GooredFix[time_date].txt.

Are you still getting redirected?


Please download OTL© by OldTimer from one of the links below and save it to your desktop.

Link 1 (http://oldtimer.geekstogo.com/OTL.exe)
Link 2 (http://www.itxassociates.com/OT-Tools/OTL.exe)

Scan with OTL

Double click on OTL.exe to run it.
Make sure all the Use SafeList options are checked (ticked). There are six of them.
Check Scan All Users.
At the lower right corner, check LOP Check and Purity Check.
Click on Run Scan at the top left hand corner. This might take a while.
When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. One log per reply please.
Note: These files are saved as OTL.txt and Extras.txt on the desktop.


Please post back:
1. the answer to my question
2. all earlier GooredFix logs
3. the OTL logs (OTL.txt and Extras.txt)

2011-08-28, 21:16
Here are the gooredfix logs:

GooredFix by jpshortstuff (
Log created at 13:27 on 27/08/2011 (Chris)
Firefox version 6.0 (en-US)

========== GooredScan ==========

GooredFix by jpshortstuff (
Log created at 13:27 on 27/08/2011 (Chris)
Firefox version 6.0 (en-US)

========== GooredScan ==========

GooredFix by jpshortstuff (
Log created at 13:27 on 27/08/2011 (Chris)
Firefox version 6.0 (en-US)

========== GooredScan ==========

GooredFix by jpshortstuff (
Log created at 13:28 on 27/08/2011 (Chris)
Firefox version 6.0 (en-US)

========== GooredScan ==========

In OTL there are five boxes with the option "use safe list". Under modules, the "no company name" option is ticked. The other two options under modules are "none" and "all". Which one do I check?

2011-08-28, 21:17
Oh, and I forgot to mention that yes, I am still getting redirected with Firefox, but not with IE.

2011-08-29, 02:34
Hello Illtempered :),

Please select No Company Name under Modules, run OTL then post the logs.

When you say you are redirected, is it by clicking on any links or results from search providers like Google or Bing, or is it when you want to go to specific sites but reach somewhere else instead?

Where do you get redirected to? Please use this method to provide site addresses: badsites[dot]com.

2011-08-29, 03:56
Here's an example of how I get redirected. I'll type in google search "spybot forums". The first result, Safer-Networking forums, appears to be the right link, in the search results, but if I click on it, I notice the URL changes to bywill.net, then find-fast-answers.net, monstermarketplace.com. These URLs change at random though.

Here's my OTL.txt:

Here's my Extras.txt:

2011-08-29, 11:38
Hello Illtempered :),

Those are long logs, so I will need some time to go through them. In the meantime, please do the following steps.

Upload file(s) to VirusTotal (VT) for an online scan. Click here. (http://www.virustotal.com)

Click on the Browse button or the white box beside it. A File Upload prompt will open.
Copy and paste the following file and its path to upload:

Press Open, then Send file. The file will be uploaded for testing.
If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
Post the results in your next response.

Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti (http://virusscan.jotti.org/) or VirScan (http://virscan.org/) (VS) with similar steps.

A result from either one of the above scanners would be sufficient.


For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Look into folders

Open Notepad. Copy and paste the following text into it:

@echo off
dir "C:\Users\Chris\AppData\Roaming\Mozilla\Extensions" /A /S > "%userprofile%\desktop\look.txt"
dir "C:\Program Files (x86)\Mozilla Firefox\extensions" /A /S >> "%userprofile%\desktop\look.txt"
del %0
Save it as folderlook.bat on the desktop. Make sure the Save as type: is All Files (*.*).
Double click on folderlook.bat to run it. Allow if prompted by any security software.
Post the contents of look.txt. It is found on your desktop.


Please post back:
1. VT result
2. contents of look.txt

2011-08-29, 20:50
I was unable to find a dui701.dll in that directory. I did find a "dui70.dll", but when I copy that filename into VT's search it says I don't have permission to open the file. So, I manually browsed for the file so I could change the permissions, but couldn't find it.

Here's my look.txt:

Volume in drive C has no label.
Volume Serial Number is 266B-FC94

Directory of C:\Users\Chris\AppData\Roaming\Mozilla\Extensions

08/19/2011 03:08 PM <DIR> .
08/19/2011 03:08 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 625,500,938,240 bytes free
Volume in drive C has no label.
Volume Serial Number is 266B-FC94

Directory of C:\Program Files (x86)\Mozilla Firefox\extensions

08/19/2011 03:08 PM <DIR> .
08/19/2011 03:08 PM <DIR> ..
08/19/2011 03:08 PM <DIR> {972ce4c6-7e08-4474-a285-3208198ce6fd}
0 File(s) 0 bytes

Directory of C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

08/19/2011 03:08 PM <DIR> .
08/19/2011 03:08 PM <DIR> ..
08/11/2011 10:16 PM 2,185 icon.png
08/11/2011 10:16 PM 1,103 install.rdf
08/11/2011 10:16 PM 9,303 preview.png
3 File(s) 12,591 bytes

Total Files Listed:
3 File(s) 12,591 bytes
5 Dir(s) 625,500,934,144 bytes free

2011-08-30, 20:47
Hello Illtempered :),

Zip it up

Open Notepad. Copy and paste the following text into it:

@echo off
for %%g in (
) do zip Files_for_submission %%g
del %0
Save it as grab.bat at the desktop. Make sure the Save as type: is All Files (*.*).
Double click on grab.bat to run it. Allow if prompted by any security software.
A file Files_for_submission.zip will appear on your desktop.

Please upload file(s) for analysis / backup. Click here. (http://www.bleepingcomputer.com/submit-malware.php?channel=126)

You will be taken to a new post page (at a different forum). Please fill in the necessary details and provide a link to this topic.

Upload Files_for_submission.zip from your desktop by clicking Send File.

Please post a reply indicating you have completed the upload.

2011-08-30, 23:18
When I double-click the grab.bat file, a command prompt pops up for a split second, then the grab.bat file disappears. The zip file never shows up on my desktop.

2011-08-31, 12:47
Hello Illtempered :),

We will skip the previous step for now; there should have been a tool executed prior to it.

Fix with OTL

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click on OTL.exe to run it.
Copy and paste the following text into the white box below Custom Scans/Fixes:

O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-21-2043173444-1837226345-327044386-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2043173444-1837226345-327044386-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2043173444-1837226345-327044386-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2043173444-1837226345-327044386-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
[2011/08/28 13:06:32 | 000,000,312 | -HS- | M] () -- C:\Windows\tasks\Ljruax.job
[2011/08/05 15:59:20 | 000,063,488 | RHS- | M] () -- C:\Windows\SysWow64\dui701.dll

Click Run Fix. Everything on the desktop may disappear, this is normal. Please wait until the tool completes its routine.
Please post the contents of the fix log file back here if you are prompted to open the file. It can also be found at C:\_OTL\Moved Files as MMDDYYYY_HHMMSS.log where MMDDYYYY is the date format and HHMMSS is the time format.
If requested to reboot, please do so. The log file will open after restart.
Re-enable your security software as soon as you have completed the OTL fix steps.


Please post back:
1. the OTL fix log
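
Two of the items in the fix above are not registry entries: the OTL line for dui701.dll carries the attribute flags RHS- (read-only, hidden, system), which is why an Explorer window with default settings does not show such a file, and Ljruax.job is a Task Scheduler 1.0 job file. The PowerShell script below is an added example, not part of the thread or of OTL: a read-only triage pass that lists hidden+system executables modified within the last 30 days under System32 and SysWOW64 together with their Authenticode signature status, and every .job file under C:\Windows\Tasks. The function names, parameter names and the 30-day window are my own choices; run it from an elevated Windows PowerShell 3.0 or later session.

```powershell
# Added example (not from the thread, not part of OTL): read-only triage for the two
# artefact types removed by the fix above. Nothing is deleted or moved.
# Assumes Windows PowerShell 3.0+ run as administrator.

function Get-HiddenSystemExecutables {
    param(
        [string[]]$Directories = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        [int]$MaxAgeDays = 30,                           # same window as OTL's "File Age = 30 Days"
        [string[]]$Extensions = @('.dll', '.exe', '.sys')
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden and system files, which the default listing (like an
        # Explorer window with default settings) leaves out.
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $Extensions -contains $_.Extension -and
                $_.LastWriteTime -ge $cutoff -and
                ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                ($_.Attributes -band [IO.FileAttributes]::System)
            } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    SizeBytes     = $_.Length
                    Attributes    = $_.Attributes.ToString()   # e.g. "ReadOnly, Hidden, System"
                    Signature     = $sig.Status                # Valid, NotSigned, HashMismatch, ...
                    Signer        = $sig.SignerCertificate.Subject
                }
            }
    }
}

function Get-LegacyJobFiles {
    param([string]$TaskDir = "$env:SystemRoot\Tasks")
    # Task Scheduler 1.0 jobs are stored here as .job files (the format of the removed Ljruax.job).
    Get-ChildItem -LiteralPath $TaskDir -Filter '*.job' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                Attributes    = $_.Attributes.ToString()
            }
        }
}

# Review the results: an unsigned hidden+system binary or an unexpected .job file is the
# kind of item that warrants the VirusTotal check and file submission done in this thread.
Get-HiddenSystemExecutables | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
Get-LegacyJobFiles          | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

A legitimate Windows binary in these folders is normally signed and not flagged hidden+system, so the interesting rows are the ones where both conditions fail; the script only reports, and removal stays with the supervised tools used in the thread.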

2011-08-31, 22:17
Here's the log:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ not found.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2043173444-1837226345-327044386-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2043173444-1837226345-327044386-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2043173444-1837226345-327044386-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2043173444-1837226345-327044386-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
C:\Windows\Tasks\Ljruax.job moved successfully.
C:\Windows\SysWOW64\dui701.dll moved successfully.
========== COMMANDS ==========
Error creating restore point.
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


User: All Users

User: Chris
->Temp folder emptied: 282468768 bytes
->Temporary Internet Files folder emptied: 20339608 bytes
->Java cache emptied: 49418 bytes
->FireFox cache emptied: 50560653 bytes
->Flash cache emptied: 64340 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 105215076 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 84860 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 438.00 mb

OTL by OldTimer - Version log created on 08312011_141335

Files\Folders moved on Reboot...
C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PDECBA4T\showthread[1].htm moved successfully.
C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A91HMN6R\search[1].htm moved successfully.

Registry entries deleted on Reboot...

2011-09-01, 08:21
Hello Illtempered :),

Please zip this folder up using 7-Zip (http://www.7-zip.org/) or a suitable archive utility that handles Zip files:

Then upload the file for analysis. Click here. (http://www.bleepingcomputer.com/submit-malware.php?channel=126)

You will be taken to a new post page (at a different forum). Please fill in the necessary details and provide a link to this topic.

Upload Files_for_submission.zip from your desktop by clicking Send File.

Please post a reply indicating you have completed the upload.


Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real time protection that you have.

Click here (http://www.eset.com/onlinescan/) to go to ESET Online Scanner page.
Click on Run ESET Online Scanner. A new window will open.
For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
You will be prompted to install an ActiveX Control from ESET. Please install.
At the Computer scan settings section, uncheck (untick) Remove found threats. <-- Important, do not remove anything yet.
Then, check Scan archives.
Now, click on Advanced settings and make sure all these are checked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click on Scan to proceed.
When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
Post the contents in your reply.

If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.


Please post back:
1. if upload is successful
2. ESET online scan result
3. still redirected?

2011-09-01, 10:20
file submitted

2011-09-01, 21:32
ESET found some threats. Here's the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-09-01 06:22:38
# local_time=2011-09-01 01:22:38 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776574 100 94 10002088 66440437 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=166643
# found=3
# cleaned=0
# scan_time=4371
C:\My Files\Tools\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Chris\Desktop\Spybot files\08312011_141335.7z a variant of Win32/Kryptik.RLE trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\08312011_141335\C_Windows\SysWOW64\dui701.dll a variant of Win32/Kryptik.RLE trojan (unable to clean) 00000000000000000000000000000000 I

2011-09-02, 02:40
Hello Illtempered :),

Thank you for the file submission.

Please delete C:\My Files\Tools\Setup_FreeConverter.exe.

Of the other two files from the ESET findings, one is the backup from the OTL fix whereas the other is the file that you zipped for upload. You can delete the latter.

How is the computer behaving now?


Your Java Runtime Environment is outdated. Older versions have security vulnerabilities that can be exploited.

Please update JRE to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Java(TM) 6 Update 22 (64-bit)
Java(TM) 6 Update 24

Go to the Java SE download page. Click here. (http://www.java.com/en/download/manual.jsp)
Under the Windows title, click on Windows 7, XP Offline (32-bit) or Windows 7, XP Offline (64-bit) and save the file to your desktop.
Close any programs you may have running, especially your web browser.
Then, from your desktop, double click on the download to install the newest version. Reboot your computer.


Your Firefox browser is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Firefox browser to the latest. You may need to use Internet Explorer temporarily for this, or download the program first before continuing the uninstall step.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Mozilla Firefox 5.0 (x86 en-US)

Go to the Mozilla Firefox download page. Click here. (http://www.mozilla.com/en-US/firefox/upgrade.html)
Click on the Free Download button and save the setup file to a convenient location.
Double click on the setup file and follow the steps accordingly.


Please post back:
1. How is the computer behaving now?

2011-09-02, 21:35
Problem appears to be solved. Thank you!

2011-09-03, 10:22
Hello Illtempered :),

Good to hear that. I will give some security recommendations after this.

Rerun OTL

Double click on OTL.exe to run it.
Make sure all the Use SafeList options are checked (ticked). There are five of them.
Under the Modules section, please select No Company Name.
Check Scan All Users.
At the lower right corner, check LOP Check and Purity Check.
Click on Run Scan at the top left hand corner. This might take a while.
When done, two Notepad files will open. Please post only OTL.txt.


Please post back:
1. OTL log
2. any more problems?

2011-09-03, 22:53

OTL logfile created on: 9/3/2011 2:48:46 PM - Run 2
OTL by OldTimer - Version Folder = C:\Users\Chris\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.95 Gb Total Physical Memory | 6.39 Gb Available Physical Memory | 80.45% Memory free
15.90 Gb Paging File | 14.12 Gb Available in Paging File | 88.83% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 676.98 Gb Total Space | 581.55 Gb Free Space | 85.90% Space Free | Partition Type: NTFS
Drive D: | 21.36 Gb Total Space | 3.11 Gb Free Space | 14.56% Space Free | Partition Type: NTFS

Computer Name: CHRIS-HP | User Name: Chris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/30 17:59:04 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/08/28 13:09:09 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.exe
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/06/01 07:44:54 | 002,337,144 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
PRC - [2010/12/11 02:02:24 | 000,136,488 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
PRC - [2010/11/23 13:26:48 | 002,656,280 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2010/11/23 13:26:44 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
PRC - [2010/11/09 18:20:34 | 000,026,680 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
PRC - [2010/11/06 02:54:22 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/09/30 06:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
PRC - [2010/09/11 04:02:22 | 000,399,344 | ---- | M] (Roxio) -- C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe

========== Modules (No Company Name) ==========

MOD - [2011/08/30 17:59:04 | 001,846,232 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2011/08/13 10:24:24 | 006,277,280 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

========== LOP Check ==========

[2011/07/20 15:48:54 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\com.essexreddevelopment.mergepdfmac
[2011/07/03 20:28:43 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Gmote
[2011/07/09 20:37:25 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\iExpert Software
[2011/06/24 15:21:40 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Oridus
[2011/04/28 05:25:05 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Sony Online Entertainment
[2011/04/27 23:50:41 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Stardock
[2011/06/01 13:01:43 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Template
[2011/07/20 00:28:46 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

No more redirects. Thanks again!

2011-09-04, 19:16
Hello Illtempered :),

Please remove all websites from the Trusted Zone in Internet Explorer as a security precaution. I took them out during the OTL fix, but they are back. Have a look at the following article on how to do it.

Security zones: adding or removing websites (http://windows.microsoft.com/en-US/windows-vista/Security-zones-adding-or-removing-websites)

I see signs of Hitman Pro, Sunbelt Antirootkit and McAfee security programs.

Please use AppRemover (http://www.appremover.com/) to remove security programs or their leftovers from incomplete uninstallation.

It appears to me your Microsoft Security Essentials is disabled. Please enable it for active protection.


Congratulations, you are All Clear to go. Glad to hear everything is good and running :). If you have any more problems, please let me know.

Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.

Run OTL by double clicking on OTL.exe. Click on CleanUp, proceed to reboot if prompted.
Delete the aswMBR and RogueKiller files, plus GooredFix and its backup folder on your desktop.
Delete any logs on the desktop.

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows 7 (http://windows.microsoft.com/en-us/windows7/Turn-automatic-updating-on-or-off) to always get the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

2. Purge System Restore, for this one time only. A recovery feature will only be useful if it is clean of malware. See Windows 7 System Restore Guide (http://www.sevenforums.com/tutorials/81500-system-restore-enable-disable.html) for a more detailed explanation.

3. Update your antivirus program regularly; it is a must for constant protection against viruses. Please keep only one AV installed.

4. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool (http://www.malwarebytes.org/mbam.php), totally free, but for real-time protection you will have to pay a small one-time fee.

5. Install WinPatrol, a great protection program (http://www.winpatrol.com/) that helps you monitor for unwanted files or applications.

6. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts (http://www.mvps.org/winhelp2002/hosts.htm) for this purpose.

7. Install Web of Trust (WOT). WOT (http://www.mywot.com/) keeps you away from dangerous websites with warnings and blocking.

8. Protect your computer from removable or USB drive infections with MCShield (http://amf.mycity.rs/programs/mc/mcshield/), an effective method to prevent malware from spreading.

9. Keep all your software updated. Visit Secunia Software Inspector (http://secunia.com/software_inspector/) to find out if any updates are required.

10. Make full use of Windows 7 firewall to step up the defense (http://www.petri.co.il/windows-7-firewall.htm) against internet dangers.

11. Also look up:
Computer Security - a short guide to staying safer online (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=54766)
PC Safety and Security - What Do I Need? By Glaswegian (http://www.techsupportforum.com/security-center/general-computer-security/525915-pc-safety-security-what-do-i-need.html)
How to prevent malware: By miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279)
Microsoft Online Safety (http://www.microsoft.com/protect/default.aspx)

Stay safe.

Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)
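The helper's first request in the post above is to empty Internet Explorer's Trusted sites zone, because entries there keep reappearing. The following PowerShell script is an added example, not from this thread or any of the tools used in it: it lists the domains mapped into each IE security zone for the current user (and machine-wide) and reports the Trusted sites entries, so a recurring entry is easy to spot. It assumes the standard IE zone ids (1 intranet, 2 trusted, 3 internet, 4 restricted) and the standard ZoneMap registry layout; it changes nothing.

```powershell
# Added example, not part of the thread: read-only audit of IE security-zone
# site mappings, reporting what sits in the Trusted sites zone (zone 2).
# Assumed zone ids are the standard IE ones.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-IEZoneMapping {
    param([string[]]$Roots = $ZoneMapRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # Layout: <root>\<domain>[\<label or *>] holds one DWORD per scheme
        # ('http', 'https', '*') whose data is the zone id, so the key path
        # encodes the hostname. IP ranges (the sibling Ranges key) are not covered.
        foreach ($key in (Get-ChildItem -Path $root -Recurse)) {
            $relative = $key.PSPath -replace '^.*ZoneMap\\(Esc)?Domains\\', ''
            $labels = $relative -split '\\'
            [array]::Reverse($labels)          # "example.com\www" -> www.example.com
            $hostName = $labels -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                $zone = [int]$key.GetValue($scheme)
                [pscustomobject]@{
                    Host     = $hostName
                    Scheme   = $scheme
                    Zone     = $zone
                    ZoneName = $(if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" })
                    Source   = $root
                }
            }
        }
    }
}

# Sites in zone 2 get IE's relaxed security settings; after a cleanup this list should be empty.
Get-IEZoneMapping |
    Where-Object { $_.Zone -eq 2 } |
    Sort-Object Host |
    Format-Table Host, Scheme, ZoneName, Source -AutoSize
```

Run it again a day or two after the cleanup; an entry that comes back without you adding it points to something on the machine still writing to the ZoneMap keys.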

2011-09-08, 07:51
As your problems appear to have been resolved, this topic is now closed.

We are glad to be of help. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)