Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Google redirect problem  (Read 10541 times)

0 Members and 1 Guest are viewing this topic.

bicyclist

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Windows XP
    Google redirect problem
    « on: June 10, 2011, 07:40:33 PM »
    Hello,

    I am having a problem when using Google.  When I click on the search results I am usually directed to other websites that sometimes are related to the topic I searched.  If I go back one page while the computer is being redirected and then hit the same desired search result again, the computer is usually not redirected and instead goes to the desired webpage.  Sometimes I have to go back and forth several times to get to the desired webpage.   

    Also I am having problems connecting to the internet and I think it might be related to the redirect problem--happened about the same time.   I also don't have any sound coming from my speakers--I did not notice when that problem started.   

    I've scanned the computer with PC Tools Spyware Doctor and Shield Deluxe Services virus checkers and they can't find the infection.  I'm running Microsoft Windows XP, Version 2002, Service Pack 3.

    Please help.



    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 991
    • Certifications: List
    • Experience: Expert
    • OS: Windows 8
    Re: Google redirect problem
    « Reply #1 on: June 10, 2011, 07:55:48 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *********************************************************
    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.

    •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:

    •Close browsers before scanning
    •Scan for tracking cookies
    •Terminate memory threats before quarantining
    Please leave the others unchecked

    •Click the Close button to leave the control center screen.

    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    •To retrieve the removal information please do the following:
    •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    •Click Preferences. Click the Statistics/Logs tab.

    •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

    •It will open in your default text editor (preferably Notepad).
    •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    *Copy and Paste the log in your post.
    *******************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ***********************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall try to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copying and pasting it into the reply.
    Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

    bicyclist

      Topic Starter


      Rookie

      • Experience: Beginner
      • OS: Windows XP
      Re: Google redirect problem
      « Reply #2 on: June 13, 2011, 03:31:31 PM »
      Hi Dave,

      Thank you for responding and helping me with my problem.  The SuperAntiSpyware (SAS) doesn't seem to be running on my computer.  Maybe the infection recognizes it and does not let it run?   I do not get the SAS control center screen mentioned in your instructions (the prompts for Update, Preferences, Start-Up Options, etc.).  So I never get to the scan command.  :(   

      Here is a little more detail.  After downloading SAS and pasting the file to my desktop and clicking on the SAS icon on the desktop, I get a window from my other spyware software that asks me if I want to run the SAS.  I then clicked on the "run" in that window and the computer goes back to desktop view with the SAS icon highlighted and the only other activity is the hourglass appears occasionally next to my pointer/arrow. 

      I also heard a little murmur/electronic sound coming from my computer as though something was engaging.  I let SAS "run" (?) in this fashion for an hour or two and nothing happened.  I then deleted SAS and downloaded it again and then tried to run it again for about ten minutes with no luck.   

      By the way, I did check on the SAS file size (10.8 MB) on my computer and therefore I think SAS has downloaded successfully onto my computer.

      What should I do next?  ???  Maybe I need to run the SAS for several hours or overnight?  I don't have problems running other  programs such as the word processing software or the other anti-spyware programs on my computer.  I'm stumped. 

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 991
      • Certifications: List
      • Experience: Expert
      • OS: Windows 8
      Re: Google redirect problem
      « Reply #3 on: June 13, 2011, 05:57:43 PM »
      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 7 different versions. If one of them won't run then download and try to run the other one.
       
      Vista and Win7 users need to right click Rkill and choose Run as Administrator
       

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

      * Rkill.exe
      * Rkill.com
      * Rkill.scr
      * WiNlOgOn.exe
      * uSeRiNiT.exe
      * iExplore.exe
      * eXplorer.exe
      Once you've gotten one of them to run then try to immediately run the following.

      Now try running MBAM, SAS and DDS and post the logs.
      If that still doesn't work, re-boot in Safe Mode with NetWorking and run MBAM. Reboot in Normal mode and try running MBAM again

      Here's how to get into Safe Mode.
      Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

      bicyclist

        Topic Starter


        Rookie

        • Experience: Beginner
        • OS: Windows XP
        Re: Google redirect problem
        « Reply #4 on: June 14, 2011, 02:05:34 PM »
        I think Rkill did not run; I tried all seven versions you listed.  I got a similar message for all those versions:  "Processes terminated by Rkill or while it was running:   Rkill completed on 06/13/2011 at 20:54:18."  While that message was being generated, I tried to run SAS and it did not run (SAS icon highlighted only).  :( 

        As you instructed, I downloaded and installed Malwarebytes Anti-Malware (MBAM) while in normal mode, rebooted the system in "Safe Mode with Networking", and tried unsuccessfully to run MBAM in Safe Mode.  :(  I don't have problems running other programs such as my word processing software while in Safe Mode.

        By the way, I did check on the MBAM file size (4.69 MB) installed on my computer and therefore I think MBAM is installed successfully.  The file I downloaded in order to install MBAM (mbam-setup.exe) was a larger file (7.37 MB).   

        What should I do next?  ???

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 991
        • Certifications: List
        • Experience: Expert
        • OS: Windows 8
        Re: Google redirect problem
        « Reply #5 on: June 14, 2011, 05:12:10 PM »
        Did you try running the DDS scan?

        Please download ComboFix from BleepingComputer.com

        Alternate link: GeeksToGo.com

        and save it to your Desktop.
        It would be easiest to download using Internet Explorer.
        If you insist on using Firefox, make sure that your download settings are as follows:

        * Tools->Options->Main tab
        * Set to "Always ask me where to Save the files".

        Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
        Double click ComboFix.exe & follow the prompts.
        As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


        Click on Yes, to continue scanning for malware.
        When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

        If you have problems with ComboFix usage, see How to use ComboFix
        Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

        bicyclist

          Topic Starter


          Rookie

          • Experience: Beginner
          • OS: Windows XP
          Re: Google redirect problem
          « Reply #6 on: June 26, 2011, 08:28:21 PM »
          Sorry for the delayed response; I had a sick family member. 

          The dds.txt scan results:

          .
          DDS (Ver_2011-06-12.02) - NTFSx86
          Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_07
          Run by User at 16:37:40 on 2011-06-14
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1527.1073 [GMT -7:00]
          .
          AV: The Shield Deluxe Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
          AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
          FW: McAfee Firewall *Enabled*
          .
          ============== Running Processes ===============
          .
          C:\WINDOWS\system32\svchost -k DcomLaunch
          svchost.exe
          C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Update Service\livesrv.exe
          C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\vsserv.exe
          svchost.exe
          svchost.exe
          svchost.exe
          C:\Program Files\Spyware Doctor\pctsAuxs.exe
          C:\Program Files\Spyware Doctor\pctsSvc.exe
          C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
          C:\Program Files\Spyware Doctor\pctsTray.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
          C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe
          C:\Program Files\QuickTime\qttask.exe
          C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\WINDOWS\system32\igfxtray.exe
          C:\WINDOWS\system32\igfxpers.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
          C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          C:\Program Files\eFax Messenger 4.3\J2GTray.exe
          C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
          C:\Program Files\Psion\PsiWin\Psconsv.exe
          C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\Alarm95\Alarm95.exe
          C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
          C:\PROGRA~1\Psion\PsiWin\Elogerr.exe
          C:\WINDOWS\System32\svchost.exe -k HTTPFilter
          C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
          C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
          C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\system32\svchost.exe -k netsvcs
          .
          ============== Pseudo HJT Report ===============
          .
          uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
          uSearchAssistant = hxxp://www.google.com/ie
          uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
          BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
          BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
          BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
          BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
          TB: The Shield Deluxe 2010 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\the shield deluxe\the shield deluxe 2010\IEToolbar.dll
          TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
          uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
          uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
          mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
          mRun: [BitDefender Antiphishing Helper] "c:\program files\the shield deluxe\the shield deluxe 2010\IEShow.exe"
          mRun: [BDAgent] "c:\program files\the shield deluxe\the shield deluxe 2010\bdagent.exe"
          mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
          mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
          mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
          mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
          mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
          mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
          mRun: [igfxtray] c:\windows\system32\igfxtray.exe
          mRun: [igfxpers] c:\windows\system32\igfxpers.exe
          mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
          mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
          mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
          mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
          StartupFolder: c:\docume~1\user\startm~1\programs\startup\alarm9~2.lnk - c:\windows\winhelp.exe
          StartupFolder: c:\docume~1\user\startm~1\programs\startup\alarm9~1.lnk - c:\program files\alarm95\Alarm95.exe
          StartupFolder: c:\docume~1\user\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\psiwin~1.lnk - c:\program files\psion\psiwin\Psconsv.exe
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-424ub\WlanCU.exe
          IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
          IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
          IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
          IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
          IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
          Trusted Zone: google.com\earth
          Trusted Zone: internet
          Trusted Zone: mcafee.com
          DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
          DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
          DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
          DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
          DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
          TCP: DhcpNameServer = 192.168.1.1
          TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13} : DhcpNameServer = 192.168.1.1
          Notify: igfxcui - igfxdev.dll
          AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
          SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
          .
          ================= FIREFOX ===================
          .
          FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\
          FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
          FF - prefs.js: browser.search.selectedEngine - Secure Search
          FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
          FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
          FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
          FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
          FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
          FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
          FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
          FF - plugin: c:\program files\picasa2\npPicasa2.dll
          FF - plugin: c:\program files\picasa2\npPicasa3.dll
          .
          ============= SERVICES / DRIVERS ===============
          .
          R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-12-18 40840]
          R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-16 130936]
          R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-12-18 66952]
          R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-12-18 81288]
          R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2010-3-6 20480]
          R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-9-17 152328]
          R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2010-3-7 264576]
          S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-16 34248]
          S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-16 40552]
          S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
          .
          =============== Created Last 30 ================
          .
          2011-06-14 04:49:15   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2011-06-14 04:49:11   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2011-06-14 04:49:11   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          .
          ==================== Find3M  ====================
          .
          .
          =================== ROOTKIT  ====================
          .
          Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
          Windows 5.1.2600 Disk: WDC_WD800JB-00JJC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
          .
          device: opened successfully
          user: MBR read successfully
          .
          Disk trace:
          called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x88FC5EC5]<<
          _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88570872; SUB DWORD [EBP-0x4], 0x8857012e; PUSH EDI; CALL 0xffffffffffffdf33;  }
          1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x898DCAB8]
          3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005c[0x8971D8E8]
          5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8965D940]
          [0x891C0218] -> IRP_MJ_CREATE -> 0x88FC5EC5
          kernel: MBR read successfully
          _asm { CALL 0x115;  }
          detected disk devices:
          \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJC0______________________05.01C05#5&31036641&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
          detected hooks:
          \Driver\atapi DriverStartIo -> 0x88FC5AEA
          user & kernel MBR OK
          sectors 156301486 (+255): user != kernel
          Warning: possible TDL3 rootkit infection !
          .
          ============= FINISH: 16:41:17.98 ===============


          The attach.txt file:

          .
          UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
          IF REQUESTED, ZIP IT UP & ATTACH IT
          .
          DDS (Ver_2011-06-12.02)
          .
          Microsoft Windows XP Professional
          Boot Device: \Device\HarddiskVolume1
          Install Date: 2/3/2007 3:05:34 PM
          System Uptime: 6/14/2011 11:56:59 AM (5 hours ago)
          .
          Motherboard: Hewlett-Packard |  | 090Ch
          Processor:               Intel(R) Pentium(R) 4 CPU 2.80GHz | XU1 PROCESSOR | 2792/533mhz
          .
          ==== Disk Partitions =========================
          .
          C: is FIXED (NTFS) - 75 GiB total, 54.458 GiB free.
          D: is CDROM ()
          E: is Removable
          F: is Removable
          G: is Removable
          H: is Removable
          .
          ==== Disabled Device Manager Items =============
          .
          ==== System Restore Points ===================
          .
          RP1: 6/10/2011 11:23:04 AM - System Checkpoint
          .
          ==== Installed Programs ======================
          .
          Adobe AIR
          Adobe Flash Player 10 Plugin
          Adobe Flash Player ActiveX
          Adobe Reader 9.4.0
          Alarm95
          ArcSoft PhotoImpression 4
          Audacity 1.2.6
          Broadcom Management Programs
          Broadcom NetXtreme Ethernet Controller
          Camera Driver
          Compatibility Pack for the 2007 Office system
          Critical Update for Windows Media Player 11 (KB959772)
          eFax Messenger 4.3
          GIMP 2.4.5
          Google Desktop
          Google Earth
          Google Photos Screensaver
          Google Toolbar for Firefox
          Google Toolbar for Internet Explorer
          Google Update Helper
          Google Updater
          GTK+ Runtime 2.12.8 rev a (remove only)
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
          Hotfix for Windows Internet Explorer 7 (KB947864)
          Hotfix for Windows Media Format 11 SDK (KB929399)
          Hotfix for Windows Media Player 11 (KB939683)
          Hotfix for Windows XP (KB2158563)
          Hotfix for Windows XP (KB2443685)
          Hotfix for Windows XP (KB952287)
          Hotfix for Windows XP (KB954550-v5)
          Hotfix for Windows XP (KB961118)
          Hotfix for Windows XP (KB970653-v3)
          Hotfix for Windows XP (KB976098-v2)
          Hotfix for Windows XP (KB979306)
          Hotfix for Windows XP (KB981793)
          Intel(R) Extreme Graphics 2 Driver
          iTunes
          Java(TM) 6 Update 4
          Java(TM) 6 Update 7
          Joost (tm) Beta 1.1.4
          LizardTech DjVu Control
          Malwarebytes' Anti-Malware
          McAfee Security Scan Plus
          MediaCoder 0.6.1
          Microsoft .NET Framework 1.1
          Microsoft .NET Framework 1.1 Security Update (KB2416447)
          Microsoft .NET Framework 1.1 Security Update (KB979906)
          Microsoft .NET Framework 2.0 Service Pack 2
          Microsoft .NET Framework 3.0 Service Pack 2
          Microsoft .NET Framework 3.5 SP1
          Microsoft Compression Client Pack 1.0 for Windows XP
          Microsoft Internationalized Domain Names Mitigation APIs
          Microsoft Money
          Microsoft National Language Support Downlevel APIs
          Microsoft Office Excel Viewer
          Microsoft Office Word Viewer 2003
          Microsoft User-Mode Driver Framework Feature Pack 1.0
          Miro
          Mozilla Firefox 4.0.1 (x86 en-US)
          Mozilla Thunderbird (2.0.0.17)
          MSXML 6.0 Parser (KB933579)
          OpenOffice.org 2.4
          Picasa 3
          Pidgin
          POV-Ray for Windows v3.6.1b
          PsiWin 2.3
          QuickTime
          Rhapsody Player Engine
          Santa Clara County Water Wise Gardening
          Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
          Security Update for Windows Internet Explorer 7 (KB938127)
          Security Update for Windows Internet Explorer 7 (KB942615)
          Security Update for Windows Internet Explorer 7 (KB950759)
          Security Update for Windows Internet Explorer 7 (KB953838)
          Security Update for Windows Internet Explorer 7 (KB956390)
          Security Update for Windows Internet Explorer 7 (KB958215)
          Security Update for Windows Internet Explorer 7 (KB960714)
          Security Update for Windows Internet Explorer 7 (KB961260)
          Security Update for Windows Internet Explorer 7 (KB963027)
          Security Update for Windows Internet Explorer 7 (KB969897)
          Security Update for Windows Internet Explorer 8 (KB2183461)
          Security Update for Windows Internet Explorer 8 (KB2360131)
          Security Update for Windows Internet Explorer 8 (KB2416400)
          Security Update for Windows Internet Explorer 8 (KB2482017)
          Security Update for Windows Internet Explorer 8 (KB2497640)
          Security Update for Windows Internet Explorer 8 (KB2510531)
          Security Update for Windows Internet Explorer 8 (KB969897)
          Security Update for Windows Internet Explorer 8 (KB971961)
          Security Update for Windows Internet Explorer 8 (KB972260)
          Security Update for Windows Internet Explorer 8 (KB974455)
          Security Update for Windows Internet Explorer 8 (KB976325)
          Security Update for Windows Internet Explorer 8 (KB978207)
          Security Update for Windows Internet Explorer 8 (KB981332)
          Security Update for Windows Internet Explorer 8 (KB982381)
          Security Update for Windows Media Player (KB2378111)
          Security Update for Windows Media Player (KB911564)
          Security Update for Windows Media Player (KB952069)
          Security Update for Windows Media Player (KB954155)
          Security Update for Windows Media Player (KB968816)
          Security Update for Windows Media Player (KB973540)
          Security Update for Windows Media Player (KB975558)
          Security Update for Windows Media Player (KB978695)
          Security Update for Windows Media Player 11 (KB936782)
          Security Update for Windows Media Player 11 (KB954154)
          Security Update for Windows Media Player 6.4 (KB925398)
          Security Update for Windows Media Player 9 (KB936782)
          Security Update for Windows XP (KB2079403)
          Security Update for Windows XP (KB2115168)
          Security Update for Windows XP (KB2121546)
          Security Update for Windows XP (KB2160329)
          Security Update for Windows XP (KB2229593)
          Security Update for Windows XP (KB2259922)
          Security Update for Windows XP (KB2279986)
          Security Update for Windows XP (KB2286198)
          Security Update for Windows XP (KB2296011)
          Security Update for Windows XP (KB2296199)
          Security Update for Windows XP (KB2347290)
          Security Update for Windows XP (KB2360937)
          Security Update for Windows XP (KB2387149)
          Security Update for Windows XP (KB2393802)
          Security Update for Windows XP (KB2412687)
          Security Update for Windows XP (KB2419632)
          Security Update for Windows XP (KB2423089)
          Security Update for Windows XP (KB2436673)
          Security Update for Windows XP (KB2440591)
          Security Update for Windows XP (KB2443105)
          Security Update for Windows XP (KB2476687)
          Security Update for Windows XP (KB2478960)
          Security Update for Windows XP (KB2478971)
          Security Update for Windows XP (KB2479628)
          Security Update for Windows XP (KB2479943)
          Security Update for Windows XP (KB2481109)
          Security Update for Windows XP (KB2483185)
          Security Update for Windows XP (KB2485376)
          Security Update for Windows XP (KB2485663)
          Security Update for Windows XP (KB2503658)
          Security Update for Windows XP (KB2506212)
          Security Update for Windows XP (KB2506223)
          Security Update for Windows XP (KB2507618)
          Security Update for Windows XP (KB2508272)
          Security Update for Windows XP (KB2508429)
          Security Update for Windows XP (KB2509553)
          Security Update for Windows XP (KB2511455)
          Security Update for Windows XP (KB2524375)
          Security Update for Windows XP (KB923561)
          Security Update for Windows XP (KB938464)
          Security Update for Windows XP (KB941569)
          Security Update for Windows XP (KB946648)
          Security Update for Windows XP (KB950760)
          Security Update for Windows XP (KB950762)
          Security Update for Windows XP (KB950974)
          Security Update for Windows XP (KB951066)
          Security Update for Windows XP (KB951376-v2)
          Security Update for Windows XP (KB951698)
          Security Update for Windows XP (KB951748)
          Security Update for Windows XP (KB952004)
          Security Update for Windows XP (KB952954)
          Security Update for Windows XP (KB953839)
          Security Update for Windows XP (KB954211)
          Security Update for Windows XP (KB954459)
          Security Update for Windows XP (KB954600)
          Security Update for Windows XP (KB955069)
          Security Update for Windows XP (KB956391)
          Security Update for Windows XP (KB956572)
          Security Update for Windows XP (KB956744)
          Security Update for Windows XP (KB956802)
          Security Update for Windows XP (KB956803)
          Security Update for Windows XP (KB956841)
          Security Update for Windows XP (KB956844)
          Security Update for Windows XP (KB957095)
          Security Update for Windows XP (KB957097)
          Security Update for Windows XP (KB958644)
          Security Update for Windows XP (KB958687)
          Security Update for Windows XP (KB958690)
          Security Update for Windows XP (KB958869)
          Security Update for Windows XP (KB959426)
          Security Update for Windows XP (KB960225)
          Security Update for Windows XP (KB960715)
          Security Update for Windows XP (KB960803)
          Security Update for Windows XP (KB960859)
          Security Update for Windows XP (KB961371)
          Security Update for Windows XP (KB961373)
          Security Update for Windows XP (KB961501)
          Security Update for Windows XP (KB968537)
          Security Update for Windows XP (KB969059)
          Security Update for Windows XP (KB969898)
          Security Update for Windows XP (KB969947)
          Security Update for Windows XP (KB970238)
          Security Update for Windows XP (KB970430)
          Security Update for Windows XP (KB971468)
          Security Update for Windows XP (KB971486)
          Security Update for Windows XP (KB971557)
          Security Update for Windows XP (KB971633)
          Security Update for Windows XP (KB971657)
          Security Update for Windows XP (KB972270)
          Security Update for Windows XP (KB973346)
          Security Update for Windows XP (KB973354)
          Security Update for Windows XP (KB973507)
          Security Update for Windows XP (KB973525)
          Security Update for Windows XP (KB973869)
          Security Update for Windows XP (KB973904)
          Security Update for Windows XP (KB974112)
          Security Update for Windows XP (KB974318)
          Security Update for Windows XP (KB974392)
          Security Update for Windows XP (KB974571)
          Security Update for Windows XP (KB975025)
          Security Update for Windows XP (KB975467)
          Security Update for Windows XP (KB975560)
          Security Update for Windows XP (KB975561)
          Security Update for Windows XP (KB975562)
          Security Update for Windows XP (KB975713)
          Security Update for Windows XP (KB977165)
          Security Update for Windows XP (KB977816)
          Security Update for Windows XP (KB977914)
          Security Update for Windows XP (KB978037)
          Security Update for Windows XP (KB978251)
          Security Update for Windows XP (KB978262)
          Security Update for Windows XP (KB978338)
          Security Update for Windows XP (KB978542)
          Security Update for Windows XP (KB978601)
          Security Update for Windows XP (KB978706)
          Security Update for Windows XP (KB979309)
          Security Update for Windows XP (KB979482)
          Security Update for Windows XP (KB979559)
          Security Update for Windows XP (KB979683)
          Security Update for Windows XP (KB979687)
          Security Update for Windows XP (KB980195)
          Security Update for Windows XP (KB980218)
          Security Update for Windows XP (KB980232)
          Security Update for Windows XP (KB980436)
          Security Update for Windows XP (KB981322)
          Security Update for Windows XP (KB981852)
          Security Update for Windows XP (KB981957)
          Security Update for Windows XP (KB981997)
          Security Update for Windows XP (KB982132)
          Security Update for Windows XP (KB982214)
          Security Update for Windows XP (KB982665)
          Security Update for Windows XP (KB982802)
          SoundMAX
          Spyware Doctor 6.0
          The Shield Deluxe 2010
          TRENDnet TEW-424UB Wireless USB 2.0 Adapter
          Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
          Update for Windows Internet Explorer 8 (KB976662)
          Update for Windows Internet Explorer 8 (KB976749)
          Update for Windows Internet Explorer 8 (KB980182)
          Update for Windows XP (KB2141007)
          Update for Windows XP (KB2345886)
          Update for Windows XP (KB2467659)
          Update for Windows XP (KB951072-v2)
          Update for Windows XP (KB951978)
          Update for Windows XP (KB955759)
          Update for Windows XP (KB955839)
          Update for Windows XP (KB967715)
          Update for Windows XP (KB968389)
          Update for Windows XP (KB971029)
          Update for Windows XP (KB971737)
          Update for Windows XP (KB973687)
          Update for Windows XP (KB973815)
          WebEx
          WebFldrs XP
          Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
          Windows Genuine Advantage Notifications (KB905474)
          Windows Genuine Advantage Validation Tool (KB892130)
          Windows Imaging Component
          Windows Internet Explorer 7
          Windows Internet Explorer 8
          Windows Media Format 11 runtime
          Windows Media Player 11
          Windows Presentation Foundation
          Windows XP Service Pack 3
          XML Paper Specification Shared Components Pack 1.0
          Yahoo! Install Manager
          Yahoo! Widgets
          .
          ==== Event Viewer Messages From Past Week ========
          .
          6/9/2011 8:34:28 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
          6/9/2011 10:54:45 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
          6/9/2011 10:33:17 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
          6/8/2011 9:52:07 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
          6/8/2011 5:45:32 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 4 time(s).
          6/8/2011 12:48:59 PM, error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          6/8/2011 10:32:07 PM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
          6/8/2011 10:30:15 PM, error: Dhcp [1001]  - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D148339E.  The following error occurred:  The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
          6/8/2011 1:50:51 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 3 time(s).
          6/13/2011 12:39:43 PM, error: DCOM [10005]  - DCOM got error "%109" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
          6/13/2011 12:08:56 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the iPodService service to connect.
          6/13/2011 12:08:56 PM, error: Service Control Manager [7000]  - The iPodService service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
          6/13/2011 12:06:44 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
          6/10/2011 7:24:13 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 7 time(s).
          6/10/2011 6:53:41 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 6 time(s).
          6/10/2011 6:23:49 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 5 time(s).
          6/10/2011 11:49:57 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
          6/10/2011 11:49:57 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
          6/10/2011 11:44:57 AM, error: Service Control Manager [7023]  - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:  The system cannot find the file specified.
          6/10/2011 11:44:57 AM, error: Service Control Manager [7023]  - The IPSEC Services service terminated with the following error:  The requested service provider could not be loaded or initialized.
          .
          ==== End Of File ===========================


          I'm in the process of disabling my virus checkers and firewalls in order to run ComboFix.  I have disabled two virus checkers that are in regular use on my system:  the Shield Deluxe and PC Tools Spyware's IntelliGuard.   I cannot display the Windows firewall settings on my computer.   :(   

          I do have a Windows Firewall icon in my Control Panel window; so I think there may be a Windows firewall on my system.  By the way, I no longer have the McAfee Security Scan Plus service and I think I have deleted that software from my computer (I don't know why it shows up in the DDS scans--maybe I should investigate?).  I have downloaded but not successfully run the Malwarebytes' Anti-Malware nor the SAS software on my system as I mentioned in my earlier post; therefore, I don't think I need to disable those programs.     

          When I followed the directions from BleepingComputer to see if the Windows Firewall is running ("To check if the Windows Firewall is turned on or off, go to Start > Run and type: firewall.cpl  press OK ") I got a window that said "Window Firewall settings cannot be displayed because the  associated service is not running".   When I clicked "Yes" to start the Internet Connection Service, I got a window that said "Windows cannot start the Windows/Internet Connection Sharing (ICS) service".

          What should I do next?   ???

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 991
          • Certifications: List
          • Experience: Expert
          • OS: Windows 8
          Re: Google redirect problem
          « Reply #7 on: June 27, 2011, 03:39:59 PM »
          Download OTL to your desktop.

          * Open OTL
          * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

          Code: [Select]
          :OTL
          Trusted Zone: google.com\earth
          Trusted Zone: internet
          Trusted Zone: mcafee.com

          :COMMANDS
          [resethosts]
          [purity]
          [emptytemp]
          [start explorer]

          * Click Run Fix
          * OTLI2 may ask to reboot the machine. Please do so if asked.
          * Click OK
          * A report will open. Copy and Paste that report in your next reply.
          *************************************************************

          • Download TDSSKiller and save it to your Desktop.
          • Extract its contents to your desktop.
          • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
          • If an infected file is detected, the default action will be Cure, click on Continue.
          • If a suspicious file is detected, the default action will be Skip, click on Continue.
          • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
          • Click the Report button and copy/paste the contents of it into your next reply
          Note:It will also create a log in the C:\ directory..
          Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

          bicyclist

            Topic Starter


            Rookie

            • Experience: Beginner
            • OS: Windows XP
            Re: Google redirect problem
            « Reply #8 on: July 01, 2011, 07:49:22 PM »
            Dave,

            After following your instructions in your last post, I'm not having redirect problems anymore.   :)  The TDSSKiller found a problem and cured it.  Thank you.

            I there anything else I need to do?

             

            The OTL report:

            All processes killed
            ========== OTL ==========
            ========== COMMANDS ==========
            C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
            HOSTS file reset successfully
             
            [EMPTYTEMP]
             
            User: All Users
             
            User: Default User
            ->Temp folder emptied: 0 bytes
            ->Temporary Internet Files folder emptied: 33170 bytes
            ->Flash cache emptied: 56545 bytes
             
            User: LocalService
            ->Temp folder emptied: 66016 bytes
            ->Temporary Internet Files folder emptied: 2643102 bytes
            ->FireFox cache emptied: 4545144 bytes
            ->Flash cache emptied: 567 bytes
             
            User: NetworkService
            ->Temp folder emptied: 0 bytes
            ->Temporary Internet Files folder emptied: 33170 bytes
             
            User: User
            ->Temp folder emptied: 1602551775 bytes
            ->Temporary Internet Files folder emptied: 135845320 bytes
            ->Java cache emptied: 8733415 bytes
            ->FireFox cache emptied: 112916619 bytes
            ->Flash cache emptied: 78437 bytes
             
            %systemdrive% .tmp files removed: 0 bytes
            %systemroot% .tmp files removed: 2163145 bytes
            %systemroot%\System32 .tmp files removed: 2577 bytes
            %systemroot%\System32\dllcache .tmp files removed: 0 bytes
            %systemroot%\System32\drivers .tmp files removed: 0 bytes
            Windows Temp folder emptied: 139871984 bytes
            %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 227530693 bytes
            %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
            RecycleBin emptied: 0 bytes
             
            Total Files Cleaned = 2,133.00 mb
             
             
            OTL by OldTimer - Version 3.2.25.0 log created on 07012011_130002

            Files\Folders moved on Reboot...

            Registry entries deleted on Reboot...



            The TDSSKiller report:

            2011/07/01 14:53:43.0671 3812   TDSS rootkit removing tool 2.5.8.0 Jun 28 2011 19:12:16
            2011/07/01 14:53:43.0687 3812   ================================================================================
            2011/07/01 14:53:43.0687 3812   SystemInfo:
            2011/07/01 14:53:43.0687 3812   
            2011/07/01 14:53:43.0687 3812   OS Version: 5.1.2600 ServicePack: 3.0
            2011/07/01 14:53:43.0687 3812   Product type: Workstation
            2011/07/01 14:53:43.0687 3812   ComputerName: KENCOMPUTER
            2011/07/01 14:53:43.0687 3812   UserName: User
            2011/07/01 14:53:43.0687 3812   Windows directory: C:\WINDOWS
            2011/07/01 14:53:43.0687 3812   System windows directory: C:\WINDOWS
            2011/07/01 14:53:43.0687 3812   Processor architecture: Intel x86
            2011/07/01 14:53:43.0687 3812   Number of processors: 1
            2011/07/01 14:53:43.0687 3812   Page size: 0x1000
            2011/07/01 14:53:43.0687 3812   Boot type: Normal boot
            2011/07/01 14:53:43.0687 3812   ================================================================================
            2011/07/01 14:53:48.0984 3812   Initialize success
            2011/07/01 14:54:05.0312 3920   ================================================================================
            2011/07/01 14:54:05.0312 3920   Scan started
            2011/07/01 14:54:05.0312 3920   Mode: Manual;
            2011/07/01 14:54:05.0312 3920   ================================================================================
            2011/07/01 14:54:05.0859 3920   ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
            2011/07/01 14:54:05.0921 3920   ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
            2011/07/01 14:54:06.0031 3920   aeaudio         (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
            2011/07/01 14:54:06.0125 3920   aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
            2011/07/01 14:54:06.0187 3920   AegisP          (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
            2011/07/01 14:54:06.0250 3920   AFD             (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
            2011/07/01 14:54:06.0578 3920   AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
            2011/07/01 14:54:06.0625 3920   atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
            2011/07/01 14:54:06.0703 3920   Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
            2011/07/01 14:54:06.0750 3920   audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
            2011/07/01 14:54:06.0843 3920   b57w2k          (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
            2011/07/01 14:54:06.0921 3920   BDFM            (2b4257ff280b93e3c503925f61d24cba) C:\WINDOWS\system32\drivers\bdfm.sys
            2011/07/01 14:54:07.0015 3920   bdfsfltr        (9b281f5f673cbc5b9ec886d59e0b4f26) C:\WINDOWS\system32\drivers\bdfsfltr.sys
            2011/07/01 14:54:07.0125 3920   bdftdif         (bf1088ece2236621aa31d9108afcc53c) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Firewall\bdftdif.sys
            2011/07/01 14:54:07.0218 3920   BDSelfPr        (5eaf583c0b1cc2499761ea3b065f5db2) C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\bdselfpr.sys
            2011/07/01 14:54:07.0312 3920   Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
            2011/07/01 14:54:07.0437 3920   Blfp            (07a758bffb297819252aa72bab0e6611) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
            2011/07/01 14:54:07.0515 3920   cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
            2011/07/01 14:54:07.0578 3920   CCDECODE        (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
            2011/07/01 14:54:07.0656 3920   Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
            2011/07/01 14:54:07.0921 3920   Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
            2011/07/01 14:54:07.0968 3920   Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
            2011/07/01 14:54:08.0234 3920   Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
            2011/07/01 14:54:08.0343 3920   dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
            2011/07/01 14:54:08.0453 3920   dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
            2011/07/01 14:54:08.0562 3920   dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
            2011/07/01 14:54:08.0625 3920   DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
            2011/07/01 14:54:08.0703 3920   drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
            2011/07/01 14:54:08.0781 3920   Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
            2011/07/01 14:54:08.0843 3920   Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
            2011/07/01 14:54:08.0906 3920   Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
            2011/07/01 14:54:08.0968 3920   Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
            2011/07/01 14:54:09.0031 3920   FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
            2011/07/01 14:54:09.0109 3920   Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
            2011/07/01 14:54:09.0156 3920   Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
            2011/07/01 14:54:09.0234 3920   GEARAspiWDM     (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
            2011/07/01 14:54:09.0312 3920   Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
            2011/07/01 14:54:09.0406 3920   HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
            2011/07/01 14:54:09.0546 3920   HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
            2011/07/01 14:54:09.0703 3920   i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
            2011/07/01 14:54:09.0796 3920   ialm            (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
            2011/07/01 14:54:09.0953 3920   IKFileSec       (ff9f262494fc23d77a6148d49d87d2de) C:\WINDOWS\system32\drivers\ikfilesec.sys
            2011/07/01 14:54:10.0000 3920   IKSysFlt        (7e359671fd9595ecb1b0a33fb4184b19) C:\WINDOWS\system32\drivers\iksysflt.sys
            2011/07/01 14:54:10.0062 3920   IKSysSec        (a44cb3cf3af266665261a6e6c9cac27c) C:\WINDOWS\system32\drivers\iksyssec.sys
            2011/07/01 14:54:10.0109 3920   Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
            2011/07/01 14:54:10.0218 3920   IntelIde        (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
            2011/07/01 14:54:10.0296 3920   intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
            2011/07/01 14:54:10.0343 3920   Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
            2011/07/01 14:54:10.0406 3920   IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
            2011/07/01 14:54:10.0500 3920   IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
            2011/07/01 14:54:10.0578 3920   IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
            2011/07/01 14:54:10.0640 3920   IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
            2011/07/01 14:54:10.0750 3920   IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
            2011/07/01 14:54:10.0796 3920   isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
            2011/07/01 14:54:10.0859 3920   Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
            2011/07/01 14:54:10.0906 3920   kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
            2011/07/01 14:54:10.0968 3920   kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
            2011/07/01 14:54:11.0031 3920   KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
            2011/07/01 14:54:11.0125 3920   mferkdk         (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
            2011/07/01 14:54:11.0187 3920   mfesmfk         (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
            2011/07/01 14:54:11.0250 3920   mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
            2011/07/01 14:54:11.0359 3920   Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
            2011/07/01 14:54:11.0421 3920   Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
            2011/07/01 14:54:11.0484 3920   mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
            2011/07/01 14:54:11.0546 3920   MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
            2011/07/01 14:54:11.0625 3920   MR97310_USB_DUAL_CAMERA (1aae79a4176a957bf2bb679812f04655) C:\WINDOWS\system32\DRIVERS\mr97310c.sys
            2011/07/01 14:54:11.0718 3920   MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
            2011/07/01 14:54:11.0796 3920   Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
            2011/07/01 14:54:11.0859 3920   MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
            2011/07/01 14:54:11.0906 3920   MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
            2011/07/01 14:54:11.0953 3920   MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
            2011/07/01 14:54:12.0031 3920   mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
            2011/07/01 14:54:12.0093 3920   MSTEE           (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
            2011/07/01 14:54:12.0187 3920   Mup             (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
            2011/07/01 14:54:12.0375 3920   NABTSFEC        (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
            2011/07/01 14:54:12.0546 3920   NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
            2011/07/01 14:54:12.0703 3920   NdisIP          (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
            2011/07/01 14:54:12.0750 3920   NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
            2011/07/01 14:54:12.0796 3920   Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
            2011/07/01 14:54:12.0875 3920   NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
            2011/07/01 14:54:12.0937 3920   NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
            2011/07/01 14:54:12.0984 3920   NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
            2011/07/01 14:54:13.0093 3920   Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
            2011/07/01 14:54:13.0171 3920   Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
            2011/07/01 14:54:13.0281 3920   Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
            2011/07/01 14:54:13.0375 3920   NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
            2011/07/01 14:54:13.0453 3920   NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
            2011/07/01 14:54:13.0546 3920   Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
            2011/07/01 14:54:13.0625 3920   PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
            2011/07/01 14:54:13.0687 3920   ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
            2011/07/01 14:54:13.0750 3920   PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
            2011/07/01 14:54:13.0828 3920   PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
            2011/07/01 14:54:13.0890 3920   Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
            2011/07/01 14:54:13.0984 3920   PCTCore         (aa9cfa67850893fbb168b9c4e4c86952) C:\WINDOWS\system32\drivers\PCTCore.sys
            2011/07/01 14:54:14.0296 3920   PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
            2011/07/01 14:54:14.0421 3920   Profos          (d90a33660d328a9f587580f0b38c85de) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Threat Scanner\profos.sys
            2011/07/01 14:54:14.0484 3920   Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
            2011/07/01 14:54:14.0562 3920   PxHelp20        (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
            2011/07/01 14:54:14.0750 3920   RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
            2011/07/01 14:54:14.0828 3920   Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
            2011/07/01 14:54:14.0906 3920   RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
            2011/07/01 14:54:14.0937 3920   Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
            2011/07/01 14:54:15.0000 3920   RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
            2011/07/01 14:54:15.0062 3920   rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
            2011/07/01 14:54:15.0171 3920   RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
            2011/07/01 14:54:15.0234 3920   redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
            2011/07/01 14:54:15.0390 3920   RTL8187B        (fe999b16e967c84790be6dc1b4e78f2d) C:\WINDOWS\system32\DRIVERS\RTL8187B.sys
            2011/07/01 14:54:15.0515 3920   Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
            2011/07/01 14:54:15.0609 3920   serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
            2011/07/01 14:54:15.0671 3920   Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
            2011/07/01 14:54:15.0750 3920   Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
            2011/07/01 14:54:15.0906 3920   SLIP            (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
            2011/07/01 14:54:15.0984 3920   smwdm           (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
            2011/07/01 14:54:16.0156 3920   splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
            2011/07/01 14:54:16.0218 3920   sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
            2011/07/01 14:54:16.0296 3920   streamip        (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
            2011/07/01 14:54:16.0359 3920   swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
            2011/07/01 14:54:16.0421 3920   swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
            2011/07/01 14:54:16.0609 3920   sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
            2011/07/01 14:54:16.0687 3920   Tcpip           (a7d39994cf210133afd8c6ed090765b1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
            2011/07/01 14:54:16.0687 3920   Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: a7d39994cf210133afd8c6ed090765b1, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
            2011/07/01 14:54:16.0703 3920   Tcpip - detected Rootkit.Win32.TDSS.tdl3 (0)
            2011/07/01 14:54:16.0765 3920   TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
            2011/07/01 14:54:16.0828 3920   TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
            2011/07/01 14:54:16.0921 3920   TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
            2011/07/01 14:54:17.0109 3920   Trufos          (b16d66a71de03285e14e9f165b59eda4) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Threat Scanner\trufos.sys
            2011/07/01 14:54:17.0203 3920   Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
            2011/07/01 14:54:17.0328 3920   Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
            2011/07/01 14:54:17.0390 3920   usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
            2011/07/01 14:54:17.0640 3920   usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
            2011/07/01 14:54:17.0703 3920   USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
            2011/07/01 14:54:17.0781 3920   usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
            2011/07/01 14:54:17.0859 3920   VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
            2011/07/01 14:54:17.0968 3920   VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
            2011/07/01 14:54:18.0046 3920   Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
            2011/07/01 14:54:18.0125 3920   wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
            2011/07/01 14:54:18.0234 3920   WLNdis50        (bb2c5a7a555b387b85481b8bde5370d7) C:\WINDOWS\system32\DRIVERS\wlndis50.sys
            2011/07/01 14:54:18.0343 3920   WSTCODEC        (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
            2011/07/01 14:54:18.0437 3920   WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
            2011/07/01 14:54:18.0500 3920   WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
            2011/07/01 14:54:18.0593 3920   MBR (0x1B8)     (5f8b5082f3482cc06b72ec5806598ae9) \Device\Harddisk0\DR0
            2011/07/01 14:54:18.0671 3920   Boot (0x1200)   (c7994081284bdc325ed2291034ec901e) \Device\Harddisk0\DR0\Partition0
            2011/07/01 14:54:18.0671 3920   ================================================================================
            2011/07/01 14:54:18.0671 3920   Scan finished
            2011/07/01 14:54:18.0671 3920   ================================================================================
            2011/07/01 14:54:18.0687 2804   Detected object count: 1
            2011/07/01 14:54:18.0687 2804   Actual detected object count: 1
            2011/07/01 14:54:34.0218 2804   Tcpip           (a7d39994cf210133afd8c6ed090765b1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
            2011/07/01 14:54:34.0218 2804   Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: a7d39994cf210133afd8c6ed090765b1, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
            2011/07/01 14:54:40.0937 2804   Backup copy found, using it..
            2011/07/01 14:54:41.0765 2804   C:\WINDOWS\system32\DRIVERS\tcpip.sys - will be cured after reboot
            2011/07/01 14:54:41.0765 2804   Rootkit.Win32.TDSS.tdl3(Tcpip) - User select action: Cure
            2011/07/01 14:55:00.0265 2888   Deinitialize success
             

               

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 991
            • Certifications: List
            • Experience: Expert
            • OS: Windows 8
            Re: Google redirect problem
            « Reply #9 on: July 02, 2011, 06:06:04 PM »
            Quote
            I there anything else I need to do?
            I want to run some more scans to make sure everything is gone.

            Please download ComboFix from BleepingComputer.com

            Alternate link: GeeksToGo.com

            and save it to your Desktop.
            It would be easiest to download using Internet Explorer.
            If you insist on using Firefox, make sure that your download settings are as follows:

            * Tools->Options->Main tab
            * Set to "Always ask me where to Save the files".

            Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
            Double click ComboFix.exe & follow the prompts.
            As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
            Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

            Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

            Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


            Click on Yes, to continue scanning for malware.
            When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

            If you have problems with ComboFix usage, see How to use ComboFix
            Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

            bicyclist

              Topic Starter


              Rookie

              • Experience: Beginner
              • OS: Windows XP
              Re: Google redirect problem
              « Reply #10 on: July 09, 2011, 11:16:10 PM »
              Dave,

              I ran ComboFix somewhat successfully.  Please find the log below. 

              It lost the Internet connection while it was trying to create the new system restore point.  It was trying to connect to get the MS Recovery Console--I never got the console.

              I did not touch the computer at all when Combofix was trying to run so I was not the cause of the disconnection.   It prompted me to make the connection but there was nothing for me to do to reconnect; the Internet connection icon in the system tray was indicating intermittent Internet connection (icon went back and forth between red "X" and wave symbol next to the monitor symbol). 

              By the way, ComboFix prompted me earlier to allow them to update their software to the newest version and I clicked 'OK".  It was able to download a newer version so I had an Internet connection at that point (I had an earlier version because I downloaded it a week ago at your direction noted in your post of June 14).   

              In order to get something going, I went ahead and clicked "OK" in the "Kindly connect before clicking OK" in the ComboFix window.  The next window said that it was aborting because it could not download files and I clicked "OK" in that window to continue the scan for bad files. 

              On the automatic rebooting of the system, the ComboFix log was eventually posted but the Internet connection was still lost.  On the next (manual) reboot the connection was restored.

              I disabled my Windows XP firewall as well as my Shield Deluxe antivirus protection before running ComboFix. 

              I noticed in the ComboFix log that a McAfee firewall might still be on my machine.  I don't know where or how to disable this; I do not have an icon in my system tray for that program.  I cancelled that service months ago and, if I remember correctly, I thought I uninstalled it.  It is possible that I deleted their files rather than used them to uninstall their features--I don't think McAfee gave me clear directions on the correct uninstall procedures at the time I cancelled their service.  I know I deleted some McAfee program files after I cancelled their service.  Should I contact McAfee to see what I need to do?   ???       

              My computer is still working well; no redirect problem.   :)

              What should I do next?  Should I try to run ComboFix after figuring out the firewall issue?  ???




              ComboFix log:


              ComboFix 11-07-09.03 - User 07/09/2011  19:47:51.1.1 - x86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1527.1080 [GMT -7:00]
              Running from: c:\documents and settings\User\Desktop\ComboFix.exe
              AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
              AV: The Shield Deluxe Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
              FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
              .
              WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
              .
              .
              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              c:\windows\system32\$winnt$.inf
              c:\windows\system32\closeapp.exe
              c:\windows\vb.ini
              .
              .
              (((((((((((((((((((((((((   Files Created from 2011-06-10 to 2011-07-10  )))))))))))))))))))))))))))))))
              .
              .
              2011-07-06 06:23 . 2011-07-06 06:23   2106216   ----a-w-   c:\program files\Mozilla Firefox\D3DCompiler_43.dll
              2011-07-06 06:23 . 2011-07-06 06:23   1998168   ----a-w-   c:\program files\Mozilla Firefox\d3dx9_43.dll
              2011-07-01 20:00 . 2011-07-01 20:00   --------   d-----w-   C:\_OTL
              2011-06-27 00:10 . 2011-06-27 00:10   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITC4.tmp
              2011-06-24 20:34 . 2011-06-24 20:34   --------   d-----w-   c:\program files\Common Files\InstallShield
              2011-06-19 01:34 . 2011-06-19 01:34   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITBD.tmp
              2011-06-19 01:17 . 2011-06-19 01:17   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITBC.tmp
              2011-06-15 06:11 . 2011-04-21 13:37   105472   -c----w-   c:\windows\system32\dllcache\mup.sys
              2011-06-14 04:49 . 2010-12-21 01:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2011-06-14 04:49 . 2011-06-14 04:49   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2011-06-14 04:49 . 2010-12-21 01:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              .
              .
              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2011-07-01 21:55 . 2004-08-04 12:00   361600   ----a-w-   c:\windows\system32\drivers\tcpip.sys
              2011-05-02 15:31 . 2007-02-03 23:00   692736   ----a-w-   c:\windows\system32\inetcomm.dll
              2011-04-29 17:25 . 2004-08-04 12:00   151552   ----a-w-   c:\windows\system32\schannel.dll
              2011-04-29 16:19 . 2004-08-04 12:00   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
              2011-04-25 16:11 . 2004-08-04 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
              2011-04-25 16:11 . 2004-08-04 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
              2011-04-25 16:11 . 2004-08-04 12:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
              2011-04-25 12:01 . 2004-08-04 12:00   385024   ----a-w-   c:\windows\system32\html.iec
              2011-04-21 13:37 . 2004-08-04 12:00   105472   ----a-w-   c:\windows\system32\drivers\mup.sys
              2011-07-06 06:23 . 2011-04-30 21:08   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
              2009-09-14 05:10 . 2010-08-07 21:24   47104   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
              2011-07-01 22:45 . 2008-06-03 17:15   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
              .
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4
              .
              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856]
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
              "BitDefender Antiphishing Helper"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\IEShow.exe" [2009-09-14 71152]
              "BDAgent"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe" [2009-09-24 1114536]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-04 282624]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
              "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
              "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-15 278528]
              "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
              "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
              "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
              "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-07-01 30192]
              "eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
              "DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
              .
              c:\documents and settings\User\Start Menu\Programs\Startup\
              Alarm 95 Help.lnk - c:\windows\winhelp.exe [2004-8-4 256192]
              Alarm 95.lnk - c:\program files\Alarm95\Alarm95.exe [2009-8-23 426496]
              Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
              .
              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-9-6 629248]
              PsiWin 2.3 Connection Server.lnk - c:\program files\Psion\PsiWin\Psconsv.exe [2008-7-16 286720]
              Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2010-3-7 368640]
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
              @=""
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
              @=""
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
              @=""
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
              "LMIRescue_05cc69be-ef6c-40d9-a32e-51b51a08a20b"=2 (0x2)
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
              "DisableMonitoring"=dword:00000001
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
              "DisableMonitoring"=dword:00000001
              .
              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)
              .
              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "c:\\Program Files\\iTunes\\iTunes.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
              .
              R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/16/2009 3:34 PM 130936]
              R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/6/2010 5:51 PM 20480]
              R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [9/17/2009 4:12 PM 152328]
              R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [3/7/2010 4:25 PM 264576]
              S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
              S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-424UB\WLSVC.exe [3/7/2010 4:25 PM 167936]
              S3 Arrakis3;The Shield Deluxe Arrakis Server;c:\program files\Common Files\The Shield Deluxe\The Shield Deluxe Arrakis Server\bin\arrakis3.exe [9/13/2009 11:31 PM 183880]
              S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2007 12:00 PM 30192]
              S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
              S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/2/2008 10:18 AM 348752]
              S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              bdx   REG_MULTI_SZ      scan
              .
              Contents of the 'Scheduled Tasks' folder
              .
              2011-07-10 c:\windows\Tasks\Google Software Updater.job
              - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-18 03:27]
              .
              2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc076dadee6214.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
              .
              2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
              .
              .
              ------- Supplementary Scan -------
              .
              uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
              uSearchAssistant = hxxp://www.google.com/ie
              uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
              IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
              IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
              Trusted Zone: google.com\earth
              Trusted Zone: internet
              Trusted Zone: mcafee.com
              TCP: DhcpNameServer = 192.168.1.1
              TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13}: DhcpNameServer = 192.168.1.1
              FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lc6vgsqt.default\
              FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
              FF - prefs.js: browser.search.selectedEngine - Secure Search
              FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
              FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
              .
              - - - - ORPHANS REMOVED - - - -
              .
              SafeBoot-22771467.sys
              AddRemove-InstallShield_{54C0D94A-F467-4ABC-9D02-6E58748668D4} - c:\progra~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
              AddRemove-InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} - c:\progra~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
              AddRemove-MSMONEYV4 - c:\program files\Microsoft Money\setup.exe
              .
              .
              .
              **************************************************************************
              .
              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2011-07-09 20:04
              Windows 5.1.2600 Service Pack 3 NTFS
              .
              scanning hidden processes ... 
              .
              scanning hidden autostart entries ...
              .
              scanning hidden files ... 
              .
              scan completed successfully
              hidden files: 0
              .
              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------
              .
              - - - - - - - > 'explorer.exe'(2084)
              c:\windows\system32\WININET.dll
              c:\progra~1\WINDOW~2\wmpband.dll
              c:\windows\system32\ieframe.dll
              c:\windows\system32\webcheck.dll
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\program files\Analog Devices\SoundMAX\SMAgent.exe
              c:\windows\system32\wscntfy.exe
              c:\program files\iPod\bin\iPodService.exe
              .
              **************************************************************************
              .
              Completion time: 2011-07-09  20:08:20 - machine was rebooted
              ComboFix-quarantined-files.txt  2011-07-10 03:08
              .
              Pre-Run: 59,208,437,760 bytes free
              Post-Run: 59,103,842,304 bytes free
              .
              - - End Of File - - C8C30CBA04197C1CFEA51D93309AA454

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 991
              • Certifications: List
              • Experience: Expert
              • OS: Windows 8
              Re: Google redirect problem
              « Reply #11 on: July 10, 2011, 04:57:10 PM »
              I forgot to mention that the Security check indicates that you have Panda Antivirus Pro 2012 and Norton 360 running at the same time on your computer. One of these AV's will have to be disabled/uninstalled. 
              *********************************************
              Re-running ComboFix to remove infections:

              • Close any open browsers.
              • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
              • Open notepad and copy/paste the text in the quotebox below into it:
                Quote
                KillAll::

                File::
                C:\found.005
                C:\found.004
                C:\found.003
                C:\found.002
                C:\found.001

                DirLook::
                C:\40d9b26e2a8b3f767a
                C:\ef60c58cdd1f56bf95401cfaf20940ef

                Firefox::
                Trusted Zone: internet
                Trusted Zone: mcafee.com

              • Save this as CFScript.txt, in the same location as ComboFix.exe



              • Referring to the picture above, drag CFScript into ComboFix.exe
              • When finished, it shall produce a log for you at C:\ComboFix.txt
              • Please post the contents of the log in your next reply.
              *********************************************************
              Please go to Jotti's malware scan
              (If more than one file needs scanned they must be done separately and links posted for each one)

              * Copy the file path in the below Code box:

              Code: [Select]
              c:\windows\system32\x64
              c:\windows\system32\igxpun.exe
              c:\windows\system32\Drivers\utkwnty5.sys 

              * At the upload site, click once inside the window next to Browse.
              * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
              * Next click Submit file
              * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
              * This will perform a scan across multiple different virus scanning engines.
              * Important: Wait for all of the scanning engines to complete.
              * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
              Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

              bicyclist

                Topic Starter


                Rookie

                • Experience: Beginner
                • OS: Windows XP
                Re: Google redirect problem
                « Reply #12 on: August 10, 2011, 09:17:09 AM »
                Dave,

                Sorry about the delayed response; I have some family members that are sick and it takes most of my free time (elderly father and mother in-law).  I could not find the Panda Antivirus Pro 2012 nor the Norton 360 after scanning my system.  Did I miss something?   

                I ran the combo fix and it was able to download the Microsoft Windows recovery console and complete its scan.    The log is below.

                I was not able to scan the files you indicated with Jott's malware scanner.   When I pasted each file (one at a time) into the file upload window, I got a window that says "file not found".

                By the way I might have picked up another redirecting virus (slow/intermittent connection to internet, the hard drive runs unusually fast on start-up as if something is loading, and I lose my internet connection after a few minutes) prior to my running ComboFix.  I don't  think CobmboFix cured it.  I re-enabled my Deluxe Shield as well as my PC Tools Spyware Doctor antivirus checkers and ran them after the ComboFix scan.   I'm not sure I did a good thing.  The PC Tools Spyware caught a lot of items, though did not defined what items it caught, and fixed those files and the system does not run better.     

                I appreciate all the help you have provided.  Let me know what I should do next. 

                Ken


                The ComboFix log:

                ComboFix 11-08-09.02 - User 08/09/2011  19:23:46.2.1 - x86
                Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1527.1115 [GMT -7:00]
                Running from: c:\documents and settings\User\Desktop\ComboFix.exe
                Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
                AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
                AV: The Shield Deluxe Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
                FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
                .
                FILE ::
                "C:\found.001"
                "C:\found.002"
                "C:\found.003"
                "C:\found.004"
                "C:\found.005"
                .
                .
                (((((((((((((((((((((((((   Files Created from 2011-07-10 to 2011-08-10  )))))))))))))))))))))))))))))))
                .
                .
                .
                .
                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2011-07-01 21:55 . 2004-08-04 12:00   361600   ----a-w-   c:\windows\system32\drivers\tcpip.sys
                2011-06-27 00:10 . 2011-06-27 00:10   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITC4.tmp
                2011-06-19 01:34 . 2011-06-19 01:34   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITBD.tmp
                2011-06-19 01:17 . 2011-06-19 01:17   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITBC.tmp
                2011-06-02 14:02 . 2004-08-04 12:00   1858944   ----a-w-   c:\windows\system32\win32k.sys
                2011-07-06 06:23 . 2011-04-30 21:08   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
                2009-09-14 05:10 . 2010-08-07 21:24   47104   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
                2011-07-01 22:45 . 2008-06-03 17:15   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
                .
                .
                ((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                ---- Directory of C:\40d9b26e2a8b3f767a ----
                .
                .
                ---- Directory of C:\ef60c58cdd1f56bf95401cfaf20940ef ----
                .
                .
                .
                (((((((((((((((((((((((((((((   [email protected]_03.04.24   )))))))))))))))))))))))))))))))))))))))))
                .
                + 2009-12-14 07:08 . 2011-04-26 11:07   33280              c:\windows\system32\dllcache\csrsrv.dll
                - 2009-12-14 07:08 . 2010-12-09 14:30   33280              c:\windows\system32\dllcache\csrsrv.dll
                - 2004-08-04 12:00 . 2010-12-09 14:30   33280              c:\windows\system32\csrsrv.dll
                + 2004-08-04 12:00 . 2011-04-26 11:07   33280              c:\windows\system32\csrsrv.dll
                + 2011-08-07 06:47 . 2011-08-07 06:47   22016              c:\windows\Installer\1024b4.msi
                - 2004-08-04 12:00 . 2010-06-18 17:45   293376              c:\windows\system32\winsrv.dll
                + 2004-08-04 12:00 . 2011-04-26 11:07   293376              c:\windows\system32\winsrv.dll
                + 2007-02-03 14:53 . 2011-07-13 16:42   142832              c:\windows\system32\FNTCACHE.DAT
                - 2007-02-03 14:53 . 2011-06-09 05:19   142832              c:\windows\system32\FNTCACHE.DAT
                + 2010-06-18 17:45 . 2011-04-26 11:07   293376              c:\windows\system32\dllcache\winsrv.dll
                - 2010-06-18 17:45 . 2010-06-18 17:45   293376              c:\windows\system32\dllcache\winsrv.dll
                + 2008-10-15 04:07 . 2011-06-02 14:02   1858944              c:\windows\system32\dllcache\win32k.sys
                + 2007-12-18 20:16 . 2011-07-13 08:54   49089992              c:\windows\system32\MRT.exe
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4
                .
                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856]
                .
                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
                "BitDefender Antiphishing Helper"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\IEShow.exe" [2009-09-14 71152]
                "BDAgent"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe" [2009-09-24 1114536]
                "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-04 282624]
                "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
                "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
                "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-15 278528]
                "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
                "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
                "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
                "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-07-01 30192]
                "eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
                "DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
                .
                c:\documents and settings\User\Start Menu\Programs\Startup\
                Alarm 95 Help.lnk - c:\windows\winhelp.exe [2004-8-4 256192]
                Alarm 95.lnk - c:\program files\Alarm95\Alarm95.exe [2009-8-23 426496]
                Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
                .
                c:\documents and settings\All Users\Start Menu\Programs\Startup\
                eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-9-6 629248]
                PsiWin 2.3 Connection Server.lnk - c:\program files\Psion\PsiWin\Psconsv.exe [2008-7-16 286720]
                Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2010-3-7 368640]
                .
                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                @=""
                .
                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
                @=""
                .
                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
                @=""
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                "LMIRescue_05cc69be-ef6c-40d9-a32e-51b51a08a20b"=2 (0x2)
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
                "DisableMonitoring"=dword:00000001
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
                "DisableMonitoring"=dword:00000001
                .
                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "%windir%\\system32\\sessmgr.exe"=
                "c:\\Program Files\\iTunes\\iTunes.exe"=
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
                .
                R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/16/2009 3:34 PM 130936]
                R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/6/2010 5:51 PM 20480]
                R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [9/17/2009 4:12 PM 152328]
                R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [3/7/2010 4:25 PM 264576]
                S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
                S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-424UB\WLSVC.exe [3/7/2010 4:25 PM 167936]
                S3 Arrakis3;The Shield Deluxe Arrakis Server;c:\program files\Common Files\The Shield Deluxe\The Shield Deluxe Arrakis Server\bin\arrakis3.exe [9/13/2009 11:31 PM 183880]
                S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2007 12:00 PM 30192]
                S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
                S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/2/2008 10:18 AM 348752]
                S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                bdx   REG_MULTI_SZ      scan
                .
                Contents of the 'Scheduled Tasks' folder
                .
                2011-08-10 c:\windows\Tasks\Google Software Updater.job
                - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-18 03:27]
                .
                2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc076dadee6214.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
                .
                2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
                .
                .
                ------- Supplementary Scan -------
                .
                uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
                uSearchAssistant = hxxp://www.google.com/ie
                uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
                IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
                Trusted Zone: google.com\earth
                Trusted Zone: internet
                Trusted Zone: mcafee.com
                TCP: DhcpNameServer = 192.168.1.1
                TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13}: DhcpNameServer = 192.168.1.1
                FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lc6vgsqt.default\
                FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
                FF - prefs.js: browser.search.selectedEngine - Bing
                FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
                FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
                .
                .
                **************************************************************************
                .
                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2011-08-09 19:55
                Windows 5.1.2600 Service Pack 3 NTFS
                .
                scanning hidden processes ... 
                .
                scanning hidden autostart entries ...
                .
                scanning hidden files ... 
                .
                scan completed successfully
                hidden files: 0
                .
                **************************************************************************
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------
                .
                - - - - - - - > 'explorer.exe'(2368)
                c:\windows\system32\WININET.dll
                c:\progra~1\WINDOW~2\wmpband.dll
                c:\windows\system32\ieframe.dll
                c:\windows\system32\webcheck.dll
                c:\windows\system32\WPDShServiceObj.dll
                c:\windows\system32\PortableDeviceTypes.dll
                c:\windows\system32\PortableDeviceApi.dll
                .
                ------------------------ Other Running Processes ------------------------
                .
                c:\program files\Analog Devices\SoundMAX\SMAgent.exe
                c:\windows\system32\wscntfy.exe
                c:\program files\iPod\bin\iPodService.exe
                .
                **************************************************************************
                .
                Completion time: 2011-08-09  20:00:06 - machine was rebooted
                ComboFix-quarantined-files.txt  2011-08-10 03:00
                ComboFix2.txt  2011-07-10 03:08
                .
                Pre-Run: 59,016,167,424 bytes free
                Post-Run: 59,009,564,672 bytes free
                .
                WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                [boot loader]
                timeout=2
                default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                [operating systems]
                c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                UnsupportedDebug="do not select this" /debug
                multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
                .
                - - End Of File - - 7CCFC895A45A57F525FADF7D75C17742

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 991
                • Certifications: List
                • Experience: Expert
                • OS: Windows 8
                Re: Google redirect problem
                « Reply #13 on: August 10, 2011, 05:55:41 PM »
                Quote
                Sorry about the delayed response; I have some family members that are sick and it takes most of my free time (elderly father and mother in-law).  I could not find the Panda Antivirus Pro 2012 nor the Norton 360 after scanning my system.  Did I miss something?
                I'm really sorry about your relatives and also the mix-up I caused. I must have confused your thread with another thread. I was juggling too many balls at once.
                Are you still getting the re-directs?


                Quote
                By the way I might have picked up another redirecting virus (slow/intermittent connection to internet, the hard drive runs unusually fast on start-up as if something is loading, and I lose my internet connection after a few minutes) prior to my running ComboFix.  I don't  think CobmboFix cured it.  I re-enabled my Deluxe Shield as well as my PC Tools Spyware Doctor antivirus checkers and ran them after the ComboFix scan.   I'm not sure I did a good thing.
                That could becuse it appears that you two AV programs running at one; McAfee Anti-Virus and Anti-Spyware and The Shield Deluxe Antivirus You should only have one AV running. 

                Please download: HiJackThis to your Desktop.
                Open HijackThis and select Do a system scan only

                Place a check mark next to the following entries: (if there)

                Trusted Zone: google.com\earth
                Trusted Zone: internet
                Trusted Zone: mcafee.com


                Important: Close all open windows except for HijackThis and then click Fix checked.

                Once completed, exit HijackThis.
                ************************************************
                * Download the following tool: RootRepeal - Rootkit Detector
                * Direct download link is here: RootRepeal.zip

                * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                * Click this link to see a list of such programs and how to disable them.

                * Extract the program file to a new folder such as C:\RootRepeal
                * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                * When done, click on Save Report
                * Save it to the same location where you ran it from, such as C:RootRepeal
                * Save it as rootrepeal.txt
                * Then open that log and select all and copy/paste it back on your next reply please.
                * Close RootRepeal.
                Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

                bicyclist

                  Topic Starter


                  Rookie

                  • Experience: Beginner
                  • OS: Windows XP
                  Re: Google redirect problem
                  « Reply #14 on: August 14, 2011, 11:38:32 PM »
                  Dave,

                  The major re-direct problem I originally was having has been solved so my system works much better since I ran the TDSSKiller several posts ago per your instructions.   :)   Mozilla Firefox is preventing a few re-directs but those are mostly during my visits to commercial websites so I think that might be OK--I overreacted to the few redirects I got after all the work we did.   

                  By the way , the sound on my system has been restored again due to running the TDSSKiller several posts ago per your instructions.    :)

                  I seem to be having trouble hooking up to the internet.  I understand the need to have only have one AV running at a time.  I'll try contacting McAfee about how to uninstall their anti-virus software that might still be on my system (I may have inadvertently deleted it rather than uninstalled it when I cancelled their service).

                  I could not get the HiJackThis to run on my system.  When I tried to run it I got a window that said "C:\Documents & Settings\User\Desktop\HiJackThisInstaller.exe is not a valid win32 application". 

                  Thought I should not run RootRepeal until we finished with HiJackThis---OK?   

                  What should I do next?

                  Ken