-
Great, why dont you use your computer for a few days and post back and let me know whats going on, we can dig deeper if need be
-
Hello, generally my PC has been fine but I did get 1 redirect yesterday, perhaps it would be a good idea to dig deeper?
-
Hi,
Thanks for letting me know, you dont have to live with redirects, don't copy and paste the link but tell where your being redirected to ?
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- See this Link for programs that need to be disabled and instruction on how to disable them.
- Remember to re-enable them when we're done.
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
-
Hello again, here's the combofix log:
ComboFix 11-12-15.02 - Marcus 15/12/2011 22:38:15.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2047.1026 [GMT 0:00]
Running from: c:\users\Marcus\Desktop\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Norton AntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Marcus\AppData\Local\{1C530A94-FB03-4325-9678-3898A46EC5CF}
c:\users\Marcus\AppData\Local\{1C530A94-FB03-4325-9678-3898A46EC5CF}\chrome.manifest
c:\users\Marcus\AppData\Local\{1C530A94-FB03-4325-9678-3898A46EC5CF}\chrome\content\_cfg.js
c:\users\Marcus\AppData\Local\{1C530A94-FB03-4325-9678-3898A46EC5CF}\chrome\content\overlay.xul
c:\users\Marcus\AppData\Local\{1C530A94-FB03-4325-9678-3898A46EC5CF}\install.rdf
c:\users\Marcus\AppData\Local\usrHelpppm\SystemMain32.dll
c:\users\Marcus\AppData\Roaming\.#
c:\users\Marcus\AppData\Roaming\Microsoft\Windows\Recent\-{SUMOTorrent.pif
c:\users\Marcus\Documents\~WRL0005.tmp
c:\users\Marcus\Documents\~WRL0006.tmp
c:\users\Marcus\Documents\~WRL0059.tmp
c:\users\Marcus\Documents\~WRL0551.tmp
c:\users\Marcus\Documents\~WRL0685.tmp
c:\users\Marcus\Documents\~WRL2768.tmp
c:\users\Marcus\Documents\~WRL3352.tmp
c:\windows\system32\2C830C097D.dll
c:\windows\system32\edgtdhiy.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RKHIT
.
.
((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-15 22:52 . 2011-12-15 22:52 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-12-15 22:52 . 2011-12-15 22:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-15 18:19 . 2011-12-15 18:23 -------- d-----w- c:\users\Marcus\AppData\Roaming\Media Finder
2011-12-15 18:10 . 2011-12-15 18:10 784144 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-14 18:42 . 2011-12-15 22:51 -------- d-----w- c:\users\Marcus\AppData\Local\usrHelpppm
2011-12-08 19:49 . 2011-12-08 19:49 -------- d-----w- c:\program files\DAR Studio
2011-12-08 19:42 . 2011-12-08 19:43 -------- d-----w- c:\program files\Ask.com
2011-12-06 19:25 . 2011-12-06 19:25 -------- d-----w- C:\_OTL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-16 17:34 . 2011-06-17 12:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-17 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-17 19:29 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-17 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-17 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2006-12-01 95800]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-14 482760]
"IHateThisKey"="c:\program files\ByteGems.com\I Hate This Key\IHateThisKey.exe" [2008-11-08 716800]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]
"ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2010-03-03 1824040]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-27 185896]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
"RegKillTray"="c:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-27 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-11-17 901800]
.
c:\users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-17 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 SYMTDIv;Symantec Vista Network Dispatch Driver; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 29696]
R3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
R3 DfuUsb;DfuUsb;c:\windows\system32\DRIVERS\DFUUsb.sys [2001-11-27 10880]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-09-23 358600]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-04-13 715248]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-04-08 2218600]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-07 378472]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 RegKill;RegKill;c:\windows\system32\Drivers\RegKill.sys [2002-11-27 6400]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: &Winamp Toolbar Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C292A6E2-AFFA-4AF4-9307-D9D5C99AAF8E}: DhcpNameServer = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\i5auhz8l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2801948&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com/?l=dis&o=41648107&gct=hp
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: SearchInOneStep: {8771569D-6C8B-45B5-8D74-5A80DDDF668D} - c:\program files\Mozilla Firefox\extensions\{8771569D-6C8B-45B5-8D74-5A80DDDF668D}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: NCH EN Community Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - %profile%\extensions\{37483b40-c254-4a72-bda4-22ee90182c1e}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
URLSearchHooks-{37483b40-c254-4a72-bda4-22ee90182c1e} - (no file)
WebBrowser-{5B291E6C-9A74-4034-971B-A4B007A0B315} - (no file)
HKCU-Run-SystemMain32 - c:\users\Marcus\AppData\Local\usrHelpppm\SystemMain32.dll
HKCU-Run-Media Finder - c:\program files\Media Finder\MF.exe
HKLM-Run-GSISETUP - E:\setup.exe
AddRemove-Antares Autotune Evo VST RTAS_is1 - c:\program files\Antares Audio Technologies\Uninstall\unins000.exe
AddRemove-HijackThis - c:\users\Marcus\Desktop\HiJackThis\HijackThis.exe
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
AddRemove-SearchIn1Step - c:\program files\SearchIn1Step\uninstall.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1589503311-819724082-689753091-1001\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:98,8b,c0,2a,df,b6,11,00
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2824)
c:\program files\ByteGems.com\I Hate This Key\ihtkh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-12-15 23:05:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-15 23:05
.
Pre-Run: 69,140,598,784 bytes free
Post-Run: 68,608,036,864 bytes free
.
- - End Of File - - 5575D1B6CE3DE488800F86A6BD7101F0
-
-
Haven't had any redirects since the combofix, things are looking good.
-
Again, post back in a few days and let me know how things are running
-
No more redirects since my last post.
Thanks again for your help!
-
-
Since this issue appears resolved this topic is now closed
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules