When doing a Google Search...I get redirected to Ad sites...Needs Help!

When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Sun Nov 15, 2009 8:49 pm

For the past week, I have been dealing with an issue where when I do a Google search, I get a list of results, but when I click on a result I get redirected to another website. On occasion, my Spy Sweeper will deny access to the redirection, stating that it has blocked the website with an IP address of 64.11.196.117, and typically the websites begin with r3953724.cn/__________. I have tried Malwarebytes' Anti-Malware, SDFix, SUPERAntiSpyware, Spy Sweeper, and Spybot to try to get rid of this issue but have had no luck. Please help!

This is the log that I got after running HijackThis!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:52 PM, on 11/15/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] "RtHDVCpl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [HPADVISOR] "C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autorun=AUTORUN
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor.lnk = ?
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O13 - Gopher Prefix:
O16 - DPF: ActiveGS.cab - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - [You must be registered and logged in to see this link.]
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O16 - DPF: {E9B80D94-D8BC-43DE-9138-75605A8D9666} (CPlayFirstWeddingDasControl Object) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: c:\programdata\kisiviya\kisiviya.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Sentinel LM - SafeNet, Inc. - C:\Program Files\SURFWARE\Network Server8\Server\WinNT\lservnt.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12936 bytes

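The HijackThis log above is only useful if someone reads it with the right questions in mind: which autostart entries load from user-writable folders, which ones are orphaned, and whether anything rewrites name resolution (the usual mechanism behind search-result redirects). The following script is an added example written for this page; it is not part of the thread and is not a HijackThis or Trend Micro tool. The heuristics are the editor's own assumptions, and the sample input is a few lines copied from the posted log plus one constructed O17 line (the `{CONSTRUCTED-GUID}` and the 192.0.2.53 address are placeholders, not values from the page). It flags the `O20 - AppInit_DLLs` entry under `c:\programdata`, the orphaned Spybot BHO, and the constructed name-server change, and ignores the entries that live under Program Files or Windows.

```python
"""Triage a HijackThis-style log and flag entries worth a closer look."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Sample input constructed for this example: a handful of lines copied from the
# HijackThis log posted above, plus one constructed O17 line ({CONSTRUCTED-GUID}
# and 192.0.2.53 are placeholders, not values from the thread).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [RegClean] "C:\Program Files\RegClean\RegClean.exe"
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.53
O20 - AppInit_DLLs: c:\programdata\kisiviya\kisiviya.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "high", "medium" or "low" (editor's own scale)
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Folders that legitimate autostart components rarely live in (assumption).
USER_WRITABLE = ("programdata", "appdata", "temp", "users")
# The only hosts-file entries a clean Vista box normally carries.
BENIGN_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


def extract_path(body: str) -> Optional[str]:
    """Pull the first Windows path out of an entry body, quoted or not."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"', body)
    if m:
        return m.group(1)
    m = re.search(r"([A-Za-z]:\\.+?)(?: \(file missing\)|$)", body)
    return m.group(1) if m else None


def in_user_writable_location(path: str) -> bool:
    """True when any path component is one of the user-writable folders."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(p in USER_WRITABLE for p in parts)


def looks_like_dropper_name(path: str) -> bool:
    """Folder and file share one made-up name, as in kisiviya\\kisiviya.dll."""
    p = PureWindowsPath(path)
    return p.parent.name.lower() == p.stem.lower() and len(p.stem) >= 6


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return the entries a reviewer should look at."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.group("section"), m.group("body")
        path = extract_path(body)

        if section == "O1":
            entry = body.split(":", 1)[1].strip()  # "Hosts: ::1 localhost" -> "::1 localhost"
            if entry not in BENIGN_HOSTS:
                findings.append(Finding(section, "high", "hosts-file override of a hostname", line))
        elif section == "O17":
            findings.append(Finding(section, "high", "name-server setting changed; verify the resolver", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            if path:  # AppInit_DLLs is loaded into every process that loads user32.dll
                sev = "high" if in_user_writable_location(path) else "medium"
                findings.append(Finding(section, sev, "AppInit_DLLs injects this DLL system-wide", line))
        elif "(file missing)" in body:
            findings.append(Finding(section, "low", "orphaned entry; target file no longer exists", line))
        elif path and in_user_writable_location(path):
            sev = "high" if looks_like_dropper_name(path) else "medium"
            findings.append(Finding(section, sev, "autostart from a user-writable location", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.section}: {f.reason}\n         {f.line}")
```

Location heuristics like these deliberately say nothing about `C:\Program Files\RegClean\RegClean.exe`, which a signature scanner later identifies as Rogue.RegClean in this very thread; the two approaches complement each other, and the point of the script is to pull the handful of lines a human should read first out of a 140-line log.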

Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Sun Nov 15, 2009 8:56 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Sun Nov 15, 2009 9:17 pm

Malwarebytes' Anti-Malware 1.41
Database version: 3159
Windows 6.0.6000

11/13/2009 12:31:59 AM
mbam-log-2009-11-13 (00-31-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 287830
Time elapsed: 1 hour(s), 26 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\bobebeji\bobebeji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\dozilibe\dozilibe.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\ProgramData\jiruludi\jiruludi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\jitoyeyu\jitoyeyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\nekewupo\nekewupo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ProgramData\noyajego\noyajego.exe (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.
C:\ProgramData\vedihome\vedihome.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Ka\AppData\Local\sgkfuh\nefesysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Ka\AppData\Local\Temp\vsfrtfcc7.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\Users\Ka\AppData\Local\Temp\0.4845888339014577.exe (Malware.Packer) -> Quarantined and deleted successfully.
C:\Users\Ka\AppData\Local\Temp\b026473e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Ka\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\799a240d-7fefa726 (Malware.Packer) -> Quarantined and deleted successfully.
C:\Windows\System32\yukikono.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\zeladugu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\RegClean Scheduled Scan.job (Rogue.RegClean) -> Quarantined and deleted successfully.


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Sun Nov 15, 2009 9:21 pm

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Sun Nov 15, 2009 10:06 pm

Dragon Master Jay... I did everything as you asked with SDFix and was fine with it up until running my PC in Safe Mode. When I tried to open the RunThis.bat file, I would get another blue window pop open, but then it would immediately close itself. I thought it may be due to it not recognizing that I have administrative privileges (which I do), since I've had problems with running programs due to this before, but when I right-clicked to choose "Run as Administrator" the same thing happened again. What do you suggest I do?


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Sun Nov 15, 2009 10:50 pm

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Mon Nov 16, 2009 12:55 am

Here is my ComboFix log for you as requested:

ComboFix 09-11-16.03 - Ka 11/15/2009 18:34..2 - FAT32x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.1752 [GMT -6:00]
Running from: c:\users\Ka\Desktop\commy.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Microsoft Security Essentials *disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Webroot Spy Sweeper *disabled* (Updated) {13B21AD6-3C95-4498-81A6-C5A79EF30475}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-294473244-1242961503-3298849250-500
c:\$recycle.bin\S-1-5-21-3704042418-4224051671-3462806213-500
c:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\tmpPrst.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-16 00:46 . 2009-11-16 00:47 -------- d-----w- c:\users\Ka\AppData\Local\temp
2009-11-16 00:46 . 2009-11-16 00:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-16 00:46 . 2009-11-16 00:46 -------- d-----w- c:\users\bee_112\AppData\Local\temp
2009-11-16 00:18 . 2009-11-16 00:18 1025 ----a-w- c:\windows\system32\serauth2.dll
2009-11-16 00:18 . 2009-11-16 00:18 1025 ----a-w- c:\windows\system32\serauth1.dll
2009-11-15 22:51 . 2009-11-15 22:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-13 08:17 . 2009-11-13 08:17 -------- d-----w- c:\program files\Trend Micro
2009-11-13 07:45 . 2009-11-13 07:45 117760 ----a-w- c:\users\Ka\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 07:44 . 2009-11-13 07:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-13 07:43 . 2009-11-13 07:43 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 07:43 . 2009-11-13 07:43 -------- d-----w- c:\users\Ka\AppData\Roaming\SUPERAntiSpyware.com
2009-11-13 06:59 . 2009-11-15 22:33 4096 d-----w- C:\SDFix
2009-11-13 05:02 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 05:02 . 2009-11-13 06:31 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 05:02 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 04:37 . 2009-11-13 04:37 4096 d-----w- c:\users\Ka\AppData\Roaming\muvee Technologies
2009-11-11 18:02 . 2009-08-15 21:08 2032128 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 17:59 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-11 07:27 . 2009-11-11 07:27 -------- d-----w- c:\program files\Playrix Entertainment
2009-11-10 00:54 . 2009-11-10 00:54 -------- d-----w- c:\program files\MSSOAP
2009-11-10 00:54 . 2009-10-22 15:50 1563008 ----a-w- c:\windows\WRSetup.dll
2009-11-10 00:54 . 2009-11-10 00:59 -------- d-----w- c:\programdata\Webroot
2009-11-10 00:54 . 2009-11-10 00:54 -------- d-----w- c:\users\Ka\AppData\Roaming\Webroot
2009-11-10 00:54 . 2009-11-10 00:54 -------- d-----w- c:\program files\Webroot
2009-11-10 00:49 . 2009-11-10 00:54 164 ----a-w- c:\windows\install.dat
2009-11-09 23:22 . 2009-11-09 23:22 4096 d-----w- c:\program files\setup
2009-11-09 22:37 . 2009-11-13 06:31 -------- d-----w- c:\programdata\dozilibe
2009-11-09 22:37 . 2009-11-13 05:56 -------- d-----w- c:\programdata\bobebeji
2009-11-09 22:33 . 2009-11-09 22:33 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{68E8C4DB-EC4A-96FF-1532-2B7B1B96E9F9}-msa.exe
2009-11-09 21:49 . 2009-11-09 21:49 -------- d-----w- c:\users\Ka\AppData\Roaming\Malwarebytes
2009-11-09 21:49 . 2009-11-09 21:49 -------- d-----w- c:\programdata\Malwarebytes
2009-11-09 18:59 . 2009-11-09 18:59 8704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{036D435A-0EB8-5F8F-398C-9270EA5BD513}-isllv.exe
2009-11-09 18:59 . 2009-11-09 18:59 233216 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{5D508FC7-0527-15B8-3BE7-3BAF151232A3}-nefesysguard.exe
2009-11-09 18:59 . 2009-11-09 18:59 22016 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{E2913423-6A3E-E608-7BF4-5360228F8614}-gsho.exe
2009-11-09 18:59 . 2009-11-09 18:59 110592 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{CBB5A34C-2994-043A-A575-313304E735DF}-sique.exe
2009-11-09 18:52 . 2009-11-13 06:31 -------- d-----w- c:\programdata\jitoyeyu
2009-11-09 18:52 . 2009-11-13 06:31 -------- d-----w- c:\programdata\vedihome
2009-11-09 18:52 . 2009-11-13 06:31 -------- d-----w- c:\programdata\noyajego
2009-11-09 18:52 . 2009-11-13 05:56 -------- d-----w- c:\programdata\jiruludi
2009-11-09 18:48 . 2009-11-13 05:55 -------- d-----w- c:\users\Ka\AppData\Local\sgkfuh
2009-11-09 18:47 . 2009-11-09 22:58 -------- d-----w- c:\programdata\kisiviya
2009-11-09 18:47 . 2009-11-13 05:41 -------- d-----w- c:\programdata\nekewupo
2009-11-09 18:47 . 2009-11-10 00:56 -------- d-----w- c:\programdata\guhobeso
2009-11-09 16:26 . 2009-11-09 16:26 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{DBA3821E-327D-3047-0EA0-538AA4E37885}-msa.exe
2009-11-09 05:30 . 2009-11-09 05:30 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2A9DED24-11C1-96AB-0C53-9D4B6041E159}-msa.exe
2009-11-09 04:30 . 2009-11-09 04:30 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{0A7AE3C2-C1B0-16F1-E7CF-8213DFB73D5B}-msa.exe
2009-11-09 03:54 . 2009-11-09 03:54 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{6AF631A8-F327-F090-E2CB-EFF67FA4E24D}-msa.exe
2009-11-09 03:18 . 2009-11-09 03:18 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F141CCBC-1792-424C-88FC-8CD864ACBC48}-msa.exe
2009-11-09 03:11 . 2009-11-09 03:11 -------- d-----w- c:\windows\Sun
2009-11-09 02:41 . 2009-11-09 02:41 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{1A356351-8251-595E-10B2-2B2F2D922EDB}-msa.exe
2009-11-09 01:51 . 2009-11-09 01:51 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{0A298331-4F50-D71A-1C7E-B82B9F40F8B6}-msa.exe
2009-11-09 01:31 . 2009-11-09 01:31 162304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{64F6D0EB-E16A-F141-F440-9ADE4137F26E}-msa.exe
2009-11-04 16:08 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-04 16:08 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-04 16:08 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-04 16:08 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-04 16:08 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-04 16:08 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-04 16:08 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-04 16:08 . 2009-08-07 01:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-04 16:08 . 2009-08-07 00:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-28 16:02 . 2009-09-10 15:29 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 16:02 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 16:02 . 2009-09-10 17:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 16:02 . 2009-09-10 15:29 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 05:12 . 2009-10-27 05:12 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-27 05:07 . 2008-06-12 10:09 33088 ----a-w- c:\users\Ka\AppData\Roaming\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-10-27 05:07 . 2009-10-27 05:07 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-10-27 05:06 . 2009-10-27 16:18 4096 d-----w- c:\programdata\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 22:50 . 2007-08-05 05:00 55072 ----a-w- c:\windows\system32\jureg.exe
2009-11-15 22:50 . 2007-08-05 05:00 386872 ----a-w- c:\windows\system32\jucheck.exe
2009-11-15 22:50 . 2007-08-05 05:00 149280 ----a-w- c:\windows\system32\jusched.exe
2009-11-15 22:50 . 2007-08-05 05:00 4096 d-----w- c:\program files\Java
2009-11-15 22:43 . 2009-08-28 01:55 -------- d-----w- c:\program files\MSN Games
2009-11-13 07:43 . 2008-04-02 22:27 4096 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 06:34 . 2009-10-05 16:22 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-13 06:02 . 2009-10-05 16:22 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-13 05:56 . 2009-08-27 17:59 -------- d-----w- c:\users\Ka\AppData\Roaming\RegClean
2009-11-12 22:48 . 2008-07-08 18:11 1892489 ----a-w- c:\programdata\NeoEdge Networks\MostFun_AtlantisQuest\IAF.dll
2009-11-12 22:48 . 2009-08-28 02:01 4096 d-----w- c:\programdata\NeoEdge Networks
2009-11-11 19:57 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 18:32 . 2009-08-17 18:15 8192 d-----w- c:\programdata\Microsoft Help
2009-11-03 02:42 . 2009-10-02 15:52 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-19 15:46 . 2009-08-01 15:49 92016 ----a-w- c:\users\Ka\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-18 08:03 . 2007-08-05 05:01 24576 d-----w- c:\program files\Microsoft Works
2009-10-12 19:47 . 2007-08-05 04:33 4096 d-----w- c:\program files\Hewlett-Packard
2009-10-12 19:43 . 2009-10-12 19:43 -------- d-----w- c:\users\Ka\AppData\Roaming\WinBatch
2009-10-05 15:46 . 2009-10-05 15:45 4096 d-----w- c:\program files\Microsoft Security Essentials
2009-10-05 07:01 . 2009-10-05 07:01 -------- d-----w- c:\programdata\FreshGames
2009-10-01 14:41 . 2009-10-01 14:41 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-01 05:15 . 2009-10-01 05:15 -------- d-----w- c:\programdata\Oberon Media
2009-10-01 05:14 . 2009-10-01 05:14 -------- d-----w- c:\program files\Oberon Media
2009-09-22 16:29 . 2009-09-22 16:29 4096 d-----w- c:\program files\InterActual
2009-09-21 05:39 . 2009-08-02 05:48 -------- d-----w- c:\programdata\Sandlot Games
2009-09-21 05:37 . 2009-08-28 02:01 4096 d-----w- c:\program files\MostFun
2009-09-20 21:45 . 2009-09-20 21:45 4096 ----a-w- c:\windows\d3dx.dat
2009-09-20 08:01 . 2009-09-20 08:01 -------- d-----w- c:\users\Ka\AppData\Roaming\Friday's games
2009-09-19 00:48 . 2009-08-19 05:57 -------- d-----w- c:\users\Ka\AppData\Roaming\Roxio
2009-09-18 19:42 . 2009-09-18 19:42 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-09-18 19:42 . 2009-09-18 19:42 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-09-18 19:42 . 2009-09-18 19:42 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-09-14 09:50 . 2009-10-15 17:40 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:38 . 2009-10-15 17:42 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 06:51 . 2009-09-04 22:42 34216128 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\crystalix-setup.exe
2009-09-04 22:42 . 2009-09-04 22:38 35559856 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\pantheon-setup.exe
2009-09-04 22:38 . 2009-09-04 22:34 32333632 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\memoryloops-setup.exe
2009-09-04 22:34 . 2009-09-04 22:32 23108120 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\{ABFC4D3B-308C-4617-ADF8-D1999A58A96F}.exe
2009-09-04 22:32 . 2009-09-01 07:58 40687000 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\dreamchronicles-setup.exe
2009-09-04 12:38 . 2009-10-15 17:40 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 07:58 . 2009-09-01 07:49 29319160 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\bigkahunareef-setup.exe
2009-09-01 07:49 . 2009-08-29 07:46 143278200 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\lumines-setup.exe
2009-08-31 15:21 . 2009-10-15 17:41 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:17 . 2009-10-15 17:41 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-08-31 15:16 . 2009-10-15 17:41 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-08-29 07:46 . 2009-08-29 07:42 38891000 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\pokersuperstars3-setup.exe
2009-08-29 07:42 . 2009-08-29 07:37 42764312 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\jewelcraft-setup.exe
2009-08-29 07:37 . 2009-08-29 07:29 54281112 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\jojosfashionshow-setup.exe
2009-08-29 07:29 . 2009-08-29 07:24 34961808 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\deepbluesea-setup.exe
2009-08-29 07:24 . 2009-08-29 07:20 30743096 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\fairlyoddroachrampage-setup.exe
2009-08-29 07:20 . 2008-03-09 03:18 39975768 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\farmfrenzy-setup.exe
2009-08-29 07:17 . 2007-12-19 05:24 15386664 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\SetupGamesClient.exe
2009-08-29 03:41 . 2009-09-04 04:18 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40 . 2009-09-04 04:18 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31 . 2009-09-04 04:18 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02 . 2009-10-15 17:42 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57 . 2009-10-15 17:41 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57 . 2009-10-15 17:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56 . 2009-10-15 17:41 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24 . 2009-10-15 17:41 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51 . 2009-10-15 17:41 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-01-29 23:29 . 2008-01-29 23:29 22 --sha-w- c:\windows\SMINST\HPCD.sys
2007-08-05 05:16 . 2007-08-05 05:11 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1232896]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2005-09-03 94208]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-11 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-08-05 1006264]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-15 1358384]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-10-22 6515784]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\users\Ka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-8-19 229376]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2009-8-19 253952]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-6-13 2498560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"HP Health Check Scheduler"=c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"hpsysdrv"=c:\hp\support\hpsysdrv.exe
"KBD"=c:\hp\KBD\KbdStub.EXE
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 ssfs0bbc;ssfs0bbc;c:\windows\System32\drivers\ssfs0bbc.sys [9/18/2009 1:42 PM 29808]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080215.002\IDSvix86.sys [2/15/2008 4:44 PM 261680]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [4/23/2007 9:50 AM 25896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [10/5/2009 10:22 AM 1153368]
R2 Sentinel LM;Sentinel LM;c:\program files\SURFWARE\Network Server8\Server\WinNT\lservnt.exe [2/11/2008 10:53 PM 811008]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [11/9/2009 6:55 PM 1201640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/15/2008 4:46 PM 109616]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [6/18/2009 5:48 PM 42480]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v3.sys [8/10/2009 8:40 PM 289280]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [10/3/2008 1:14 PM 37936]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr28u.sys [5/7/2009 7:01 PM 655872]
S3 WUSB54GSCv2.NTx86;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\System32\drivers\WUSB54GSCV2_X86.sys [8/10/2009 5:53 PM 238072]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-11-16 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-08 14:59]

2009-11-10 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - bee_112.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 02:09]

2009-11-16 c:\windows\Tasks\User_Feed_Synchronization-{637F0A34-2B57-4584-94E9-00E0362AEA76}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-11-10 c:\windows\Tasks\wrSpySweeper_L179F7D151F40440AA5A74CC6CDAECF94.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-11-10 15:50]

2009-11-10 c:\windows\Tasks\wrSpySweeper_L179F7D151F40440AA5A74CC6CDAECF94.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-11-10 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: ActiveGS.cab - [You must be registered and logged in to see this link.]
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-15 18:46
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Ka\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x852F150C]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-15 18:50
ComboFix-quarantined-files.txt 2009-11-16 00:50

Pre-Run: 346,033,344,512 bytes free
Post-Run: 346,665,021,440 bytes free

- - End Of File - - 4722EF69E6F8289F6ADBD6962B80A8F8

vangk15
Novice
Posts : 11
Joined : 2009-11-15
OS : Vista

Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Mon Nov 16, 2009 12:59 am

Please run [You must be registered and logged in to see this link.] online scan.

  • Click Scan now.
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.


Dr. Jay (DJ)


Dr Jay
Head Administrator
Posts : 13713
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro

Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Mon Nov 16, 2009 6:12 am

I tried running Trend Micro HouseCall 4x and whenever it passes the 50% mark it stops working. Do you have an alternative for me? Thanks!


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Mon Nov 16, 2009 6:26 am

Please use Internet Explorer and run a [You must be registered and logged in to see this link.]

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post the results in your next reply.


Dr. Jay (DJ)



Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Mon Nov 16, 2009 12:39 pm

Here's my results from BitDefender:

BitDefender Online Scanner

Scan report generated at: Mon, Nov 16, 2009 - 02:42:51

Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;

Statistics
Time: 01:13:03
Files: 514989
Folders: 23270
Boot Sectors: 0
Archives: 5870
Packed Files: 37303

Results
Identified Viruses: 5
Infected Files: 17
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 29

Engines Info
Virus Definitions: 4551768
Engine build: AVCORE v2.1 Windows/i386 11.0.0.26 (Oct 20 2009)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{0A298331-4F50-D71A-1C7E-B82B9F40F8B6}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{0A298331-4F50-D71A-1C7E-B82B9F40F8B6}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{0A298331-4F50-D71A-1C7E-B82B9F40F8B6}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{0A298331-4F50-D71A-1C7E-B82B9F40F8B6}-msa.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{0A7AE3C2-C1B0-16F1-E7CF-8213DFB73D5B}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{0A7AE3C2-C1B0-16F1-E7CF-8213DFB73D5B}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{0A7AE3C2-C1B0-16F1-E7CF-8213DFB73D5B}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{0A7AE3C2-C1B0-16F1-E7CF-8213DFB73D5B}-msa.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{1A356351-8251-595E-10B2-2B2F2D922EDB}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{1A356351-8251-595E-10B2-2B2F2D922EDB}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{1A356351-8251-595E-10B2-2B2F2D922EDB}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{1A356351-8251-595E-10B2-2B2F2D922EDB}-msa.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{2A9DED24-11C1-96AB-0C53-9D4B6041E159}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{2A9DED24-11C1-96AB-0C53-9D4B6041E159}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{2A9DED24-11C1-96AB-0C53-9D4B6041E159}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{2A9DED24-11C1-96AB-0C53-9D4B6041E159}-msa.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{5D508FC7-0527-15B8-3BE7-3BAF151232A3}-nefesysguard.exe=>(Quarantine-PE)
Infected with: Trojan.Generic.2651217

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{5D508FC7-0527-15B8-3BE7-3BAF151232A3}-nefesysguard.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{5D508FC7-0527-15B8-3BE7-3BAF151232A3}-nefesysguard.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{64F6D0EB-E16A-F141-F440-9ADE4137F26E}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{64F6D0EB-E16A-F141-F440-9ADE4137F26E}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{64F6D0EB-E16A-F141-F440-9ADE4137F26E}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{64F6D0EB-E16A-F141-F440-9ADE4137F26E}-msa.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{68E8C4DB-EC4A-96FF-1532-2B7B1B96E9F9}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{68E8C4DB-EC4A-96FF-1532-2B7B1B96E9F9}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{68E8C4DB-EC4A-96FF-1532-2B7B1B96E9F9}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{68E8C4DB-EC4A-96FF-1532-2B7B1B96E9F9}-msa.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{6AF631A8-F327-F090-E2CB-EFF67FA4E24D}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{6AF631A8-F327-F090-E2CB-EFF67FA4E24D}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{6AF631A8-F327-F090-E2CB-EFF67FA4E24D}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{6AF631A8-F327-F090-E2CB-EFF67FA4E24D}-msa.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{CBB5A34C-2994-043A-A575-313304E735DF}-sique.exe=>(Quarantine-PE)
Infected with: Trojan.Generic.2661885

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{CBB5A34C-2994-043A-A575-313304E735DF}-sique.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{CBB5A34C-2994-043A-A575-313304E735DF}-sique.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{DBA3821E-327D-3047-0EA0-538AA4E37885}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{DBA3821E-327D-3047-0EA0-538AA4E37885}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{DBA3821E-327D-3047-0EA0-538AA4E37885}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{DBA3821E-327D-3047-0EA0-538AA4E37885}-msa.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{E2913423-6A3E-E608-7BF4-5360228F8614}-gsho.exe=>(Quarantine-PE)
Infected with: Trojan.Generic.2653035

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{E2913423-6A3E-E608-7BF4-5360228F8614}-gsho.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{E2913423-6A3E-E608-7BF4-5360228F8614}-gsho.exe
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{F141CCBC-1792-424C-88FC-8CD864ACBC48}-msa.exe=>(Quarantine-PE)
Infected with: Gen:Trojan.Heur.Renos.juW@baX8pHo

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{F141CCBC-1792-424C-88FC-8CD864ACBC48}-msa.exe=>(Quarantine-PE)
Disinfection failed

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{F141CCBC-1792-424C-88FC-8CD864ACBC48}-msa.exe=>(Quarantine-PE)
Deleted

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{F141CCBC-1792-424C-88FC-8CD864ACBC48}-msa.exe
Deleted

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9ZD7U7W7\block[1].htm
Infected with: Trojan.FakeAlert.BFW

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9ZD7U7W7\block[1].htm
Deleted

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R9291APW\block[1].htm
Infected with: Trojan.FakeAlert.BFW

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R9291APW\block[1].htm
Deleted

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R9291APW\block[2].htm
Infected with: Trojan.FakeAlert.BFW

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R9291APW\block[2].htm
Deleted

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R9291APW\block[3].htm
Infected with: Trojan.FakeAlert.BFW

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R9291APW\block[3].htm
Deleted

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UI60G1JB\block[1].htm
Infected with: Trojan.FakeAlert.BFW

C:\Users\Ka\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UI60G1JB\block[1].htm
Deleted




BitDefender Online Scanner - Real Time Virus Report

Generated at: Mon, Nov 16, 2009 - 06:36:10

--------------------------------------------------------------------------------

Scan Info
Scanned Files: 538641
Infected Files: 17

Virus Detected
Trojan.Generic.2653035: 1
Trojan.FakeAlert.BFW: 5
Trojan.Generic.2661885: 1
Trojan.Generic.2651217: 1
Gen:Trojan.Heur.Renos.juW@baX8pHo: 9

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Mon Nov 16, 2009 7:13 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

==

Please download CKScanner by askey127 from [You must be registered and logged in to see this link.]

Save it to your desktop.

  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


Dr. Jay (DJ)



Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Tue Nov 17, 2009 1:18 am

Here is my log for Malwarebytes' Anti-malware as requested:

Malwarebytes' Anti-Malware 1.41
Database version: 3183
Windows 6.0.6000

11/16/2009 7:02:50 PM
mbam-log-2009-11-16 (19-02-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 283845
Time elapsed: 1 hour(s), 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

And here is the one for CKScanner:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\hp games\bejeweled 2 deluxe\sounds\cached_firecrackle.wav
c:\program files\hp games\bejeweled 2 deluxe\sounds\firecrackle.ogg
c:\program files\hp games\blasterball 3\data\art\bitmaps\enemies\boss2_crack.jpg.wkz
c:\program files\hp games\insaniquarium deluxe\images\eggcrack1.gif
c:\program files\hp games\insaniquarium deluxe\images\eggcrack2.gif
c:\program files\hp games\insaniquarium deluxe\images\_eggcrack1.gif
c:\program files\hp games\insaniquarium deluxe\images\_eggcrack2.gif
c:\program files\hp games\mah jong quest\images\tile_firecracker-1.pnge
c:\program files\hp games\mah jong quest\images\tile_firecracker-2.pnge
c:\program files\hp games\mah jong quest\images\tile_firecracker-3.pnge
c:\program files\hp games\mah jong quest\images\tile_firecracker1.pnge
c:\program files\hp games\mah jong quest\images\kwazi3\level5-1cracktop.jpge
c:\program files\hp games\mah jong quest\images\kwazi5\5_lvl_5a_postcrack1.jpge
c:\program files\hp games\mah jong quest\images\kwazi5\5_lvl_5a_postcrack2.jpge
c:\programdata\oberon media\bejeweled2\cached\sounds\firecrackle.wav
c:\users\ka\appdata\roaming\macromedia\flash player\#sharedobjects\snpfake4\[You must be registered and logged in to see this link.]
c:\users\ka\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\#[You must be registered and logged in to see this link.]
c:\users\ka\documents\crack.rar
c:\users\ka\favorites\fishdom key warez download crack serial keygen full version free.url
c:\users\ka\favorites\fishdom key warez download crack serial keygen full version free.url
scanner sequence 3.ZZ.11
----- EOF -----


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Tue Nov 17, 2009 4:53 am

c:\users\ka\documents\crack.rar
c:\users\ka\favorites\fishdom key warez download crack serial keygen full version free.url
c:\users\ka\favorites\fishdom key warez download crack serial keygen full version free.url

Referring to the quoted text from the CKScanner log, your computer has keygens, which are a form of software piracy. What is so bad about Cracks, Hacks, Pirated software, warez, or Keygens?

Most popular cracks or keygens I see are for Adobe CS3, a lot of different games, Nero, Kaspersky antivirus, and much more. All of these cracks and keygens have what is called "cloaked malware", which is a form of spyware or viruses or trojans that hide themselves inside the keygen or crack files. Most hacks for games that come in the form of a program or installer will also be infected. It is the opportunity for attackers to present a seemingly safe situation where the opportunity to steal something is in play, while the malware infects your system in the process. Yes, it will install what you were looking for, but also allow malware to potentially take control of your computer.

Lastly, it is illegal. I will counsel you that we do not report such incidents. However, it is not good practice to pirate software.

==

Please use Internet Explorer and run a [You must be registered and logged in to see this link.]

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post the results in your next reply.


Dr. Jay (DJ)



Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Tue Nov 17, 2009 7:53 am

Here's my log from BitDefender.

See the results of the current computer scan
No viruses were found on your computer
500331 analized, 0 threat(s) found, 0 threats eliminated

I deleted the files you stated as keygens. But despite all the scans so far the virus is still affecting my computer. Where do I go from here?


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Tue Nov 17, 2009 8:04 am

Please re-run ComboFix and post a log in your next reply.


Dr. Jay (DJ)



Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Tue Nov 17, 2009 10:47 pm

ComboFix is not working on my PC. Attempted the scan three times, with the last scan lasting over 5 hours, but it apparently stops working. Do you have another program that I can try? Plus, do you know exactly what specific type of issue is going on (i.e. virus, malware, or spyware)?


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Wed Nov 18, 2009 1:22 am

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)



Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Wed Nov 18, 2009 3:22 am

Here's the SystemLook file:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:15 on 17/11/2009 by Ka (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\Windows\ERDNT\cache\scecli.dll --a--- 176640 bytes [00:49 16/11/2009] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [03:55 08/05/2009] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\System32\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61

Searching for "netlogon.dll"
C:\Windows\ERDNT\cache\netlogon.dll --a--- 559616 bytes [00:49 16/11/2009] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [03:57 08/05/2009] [07:35 19/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F
C:\Windows\System32\netlogon.dll --a--- 559616 bytes [08:45 02/11/2006] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B
C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll --a--- 559616 bytes [08:45 02/11/2006] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B

Searching for "eventlog.dll"
No files found.

Searching for "winlogon.exe"
C:\Windows\ERDNT\cache\winlogon.exe --a--- 308224 bytes [00:48 16/11/2009] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe --a--- 314880 bytes [03:56 08/05/2009] [07:33 19/01/2008] C2610B6BDBEFC053BBDAB4F1B965CB24
C:\Windows\System32\winlogon.exe --a--- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe --a--- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD

Searching for "comres.dll"
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [03:56 08/05/2009] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD
C:\Windows\System32\comres.dll --a--- 1236992 bytes [07:29 02/11/2006] [08:50 02/11/2006] 4843A1784BA6434DFF80F841DDC592C6
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6000.16386_none_2a7a18dbe946c84f\comres.dll --a--- 1236992 bytes [07:29 02/11/2006] [08:50 02/11/2006] 4843A1784BA6434DFF80F841DDC592C6

Searching for "crypt32.dll"
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\crypt32.dll --a--- 977408 bytes [03:56 08/05/2009] [07:34 19/01/2008] D4D86075510C02F887528207D8E0D713
C:\Windows\System32\crypt32.dll --a--- 974336 bytes [05:12 05/08/2007] [05:12 05/08/2007] 3233F31FF7046A5C54A312B6687C5376
C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6000.16386_none_5938ffdfe0e8b606\crypt32.dll --a--- 974336 bytes [08:43 02/11/2006] [09:46 02/11/2006] 360191D2A50180C3E0673BAB7F5529E0
C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6000.16425_none_5978e103e0b8f230\crypt32.dll --a--- 974336 bytes [05:12 05/08/2007] [05:12 05/08/2007] 3233F31FF7046A5C54A312B6687C5376
C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6000.20523_none_5a007d3af9d85f4c\crypt32.dll --a--- 974336 bytes [05:12 05/08/2007] [05:12 05/08/2007] 6E4B8D43AABE3EC49AA925FD68F0C265

Searching for "gpedit.dll"
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6001.18000_none_ce322c9564e76885\gpedit.dll --a--- 936960 bytes [03:56 08/05/2009] [07:34 19/01/2008] E3DDEB38C6303086F79C6B7E83C372C8
C:\Windows\System32\gpedit.dll --a--- 935936 bytes [08:46 02/11/2006] [09:46 02/11/2006] 1C2761A389791C98E8A11A1539D6BB71
C:\Windows\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6000.16386_none_cbfb6a9967fc57b1\gpedit.dll --a--- 935936 bytes [08:46 02/11/2006] [09:46 02/11/2006] 1C2761A389791C98E8A11A1539D6BB71

Searching for "rundll32.exe"
C:\Windows\System32\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A
C:\Windows\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.0.6000.16386_none_d5ce8f93adff8210\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A

Searching for "sfc.dll"
C:\Windows\ERDNT\cache\sfc.dll --a--- 4608 bytes [00:49 16/11/2009] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\Windows\System32\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\Windows\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.0.6000.16386_none_a4ff01505f4694a4\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\Windows\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.0.6001.18000_none_a735c34c5c31a578\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8

Searching for "svchost.exe"
C:\Windows\ERDNT\cache\svchost.exe --a--- 22016 bytes [00:49 16/11/2009] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe --a--- 21504 bytes [03:55 08/05/2009] [07:33 19/01/2008] 3794B461C45882E06856F282EEF025AF
C:\Windows\System32\svchost.exe --a--- 22016 bytes [08:35 02/11/2006] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe --a--- 22016 bytes [08:35 02/11/2006] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09

Searching for "cngaudit.dll"
C:\Windows\ERDNT\cache\cngaudit.dll --a--- 11776 bytes [00:49 16/11/2009] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\Windows\System32\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

Searching for "beep.sys"
C:\Windows\ERDNT\cache\beep.sys --a--- 6144 bytes [00:48 16/11/2009] [08:51 02/11/2006] AC3DD1708B22761EBD7CBE14DCC3B5D7
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys --a--- 6144 bytes [03:54 08/05/2009] [05:49 19/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6
C:\Windows\System32\drivers\beep.sys --a--- 6144 bytes [08:51 02/11/2006] [08:51 02/11/2006] AC3DD1708B22761EBD7CBE14DCC3B5D7
C:\Windows\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6000.16386_none_c1e9df570ab23787\beep.sys --a--- 6144 bytes [08:51 02/11/2006] [08:51 02/11/2006] AC3DD1708B22761EBD7CBE14DCC3B5D7

Searching for "wscntfy.exe"
No files found.

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21560 bytes [00:48 16/11/2009] [17:37 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [03:55 08/05/2009] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [17:37 16/02/2008] [17:37 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [17:37 16/02/2008] [17:37 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [17:37 16/02/2008] [17:37 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [17:37 16/02/2008] [17:37 16/02/2008] E03E8C99D15D0381E02743C36AFC7C6F

-=End Of File=-
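The SystemLook log above is read the way the helper reads it: for each searched file, is a loadable copy present under System32, and does its MD5 agree with a Microsoft copy in winsxs or DriverStore? The following is an added example (not part of the thread, and not SystemLook's own code) that parses that ":filefind" layout and applies the check; the sample log is a constructed, trimmed excerpt in the same format, and the atapi.sys hash in it is a made-up all-zero value so that a mismatch shows.

```python
import re

# Constructed sample in SystemLook ":filefind" layout (same shape as the log posted
# in the thread, trimmed). The atapi.sys hash under System32\drivers is a placeholder
# chosen to show a mismatch; the thread's real log showed it matching winsxs.
SAMPLE_LOG = r'''Searching for "scecli.dll"
C:\Windows\ERDNT\cache\scecli.dll --a--- 176640 bytes [00:49 16/11/2009] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\System32\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_6.0.6000.16386_none\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61

Searching for "eventlog.dll"
No files found.

Searching for "crypt32.dll"
C:\Windows\System32\crypt32.dll --a--- 974336 bytes [05:12 05/08/2007] [05:12 05/08/2007] 3233F31FF7046A5C54A312B6687C5376
C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_6.0.6000.16386_none\crypt32.dll --a--- 974336 bytes [08:43 02/11/2006] [09:46 02/11/2006] 360191D2A50180C3E0673BAB7F5529E0
C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_6.0.6000.16425_none\crypt32.dll --a--- 974336 bytes [05:12 05/08/2007] [05:12 05/08/2007] 3233F31FF7046A5C54A312B6687C5376

Searching for "atapi.sys"
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [17:37 16/02/2008] [17:37 16/02/2008] 00000000000000000000000000000000
C:\Windows\winsxs\x86_mshdc.inf_6.0.6000.16632_none\atapi.sys --a--- 21560 bytes [17:37 16/02/2008] [17:37 16/02/2008] B35CFCEF838382AB6490B321C87EDF17
'''

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
ENTRY_RE = re.compile(r"^(?P<path>.+?) (?P<attrs>\S{6}) (?P<size>\d+) bytes "
                      r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")

def parse_filefind(text):
    """Map each searched filename to its list of hits ([] when SystemLook found nothing)."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SEARCH_RE.match(line):
            current = m["name"].lower()
            results[current] = []
        elif (m := ENTRY_RE.match(line)) and current is not None:
            results[current].append({**m.groupdict(), "md5": m["md5"].upper()})
    return results

def is_live(path):
    # The copy Windows actually loads sits under System32 (or System32\drivers).
    p = path.lower()
    return "\\system32\\" in p and "\\driverstore\\" not in p

def is_reference(path):
    # Component store, driver store and update downloads are vendor copies to compare with.
    # ComboFix's ERDNT\cache is deliberately NOT a reference: it is a backup taken at
    # cleanup time and would mirror an already-patched file.
    p = path.lower()
    return any(k in p for k in ("\\winsxs\\", "\\driverstore\\", "\\softwaredistribution\\"))

def assess(results):
    """Return {filename: (verdict, detail)}; verdict is ok, missing, unverified or mismatch."""
    report = {}
    for name, entries in results.items():
        live = [e for e in entries if is_live(e["path"])]
        refs = {e["md5"] for e in entries if is_reference(e["path"])}
        if not live:  # whether this matters depends on what the OS version ships
            report[name] = ("missing", "no copy under System32")
        elif not refs:
            report[name] = ("unverified", "no winsxs/DriverStore copy to compare with")
        else:
            bad = [e for e in live if e["md5"] not in refs]
            report[name] = (("mismatch", f"{bad[0]['path']} hash matches no vendor copy")
                            if bad else ("ok", f"{len(live)} live copy matches a vendor copy"))
    return report

if __name__ == "__main__":
    for name, (verdict, detail) in assess(parse_filefind(SAMPLE_LOG)).items():
        print(f"{verdict:10} {name}: {detail}")
```

A "missing" verdict is a prompt to check what that Windows version ships, not proof by itself; in the thread the helper acted only on eventlog.dll.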


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Wed Nov 18, 2009 4:45 am

Please download a clean copy of a system file you are missing, called eventlog.dll from [You must be registered and logged in to see this link.] and save it to your Desktop. Do not open the file from its location as it is not possible to do.

Move the file to the following folder using Windows Explorer: C:\Windows\System32

==

Reboot, and try ComboFix again.


Dr. Jay (DJ)



Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by vangk15 on Wed Nov 18, 2009 12:07 pm

Followed your instructions. Ran ComboFix again and still did not finish scanning after over 6 hours.


Re: When doing a Google Search...I get redirected to Ad sites...Needs Help!

Post by Dr Jay on Thu Nov 19, 2009 6:39 am

Please download the Kaspersky AVP Tool from [You must be registered and logged in to see this link.].
  • Save it to your desktop.
  • Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

    • System Memory
    • Startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other drives (Removable that you may have)

After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, choose Enable Deep rootkit search, and click OK.
Then choose OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says it cannot be Neutralized, choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected viruses/malware from the report (they will be at the very top, under Detected) in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.


Dr. Jay (DJ)

