
Author Topic: Google redirect problem  (Read 17753 times)


bicyclist

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Windows XP
    Google redirect problem
    « on: June 10, 2011, 07:40:33 PM »
    Hello,

    I am having a problem when using Google.  When I click on the search results I am usually directed to other websites that sometimes are related to the topic I searched.  If I go back one page while the computer is being redirected and then hit the same desired search result again, the computer is usually not redirected and instead goes to the desired webpage.  Sometimes I have to go back and forth several times to get to the desired webpage.   

    Also I am having problems connecting to the internet and I think it might be related to the redirect problem--happened about the same time.   I also don't have any sound coming from my speakers--I did not notice when that problem started.   

    I've scanned the computer with PC Tools Spyware Doctor and Shield Deluxe Services virus checkers and they can't find the infection.  I'm running Microsoft Windows XP, Version 2002, Service Pack 3.

    Please help.



    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Google redirect problem
    « Reply #1 on: June 10, 2011, 07:55:48 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *********************************************************
    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.

    •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:

    •Close browsers before scanning
    •Scan for tracking cookies
    •Terminate memory threats before quarantining
    Please leave the others unchecked

    •Click the Close button to leave the control center screen.

    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    •To retrieve the removal information please do the following:
    •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    •Click Preferences. Click the Statistics/Logs tab.

    •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

    •It will open in your default text editor (preferably Notepad).
    •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    *Copy and Paste the log in your post.
    *******************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ***********************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall tries to block DDS, then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copying and pasting it into the reply.
    Windows 8 and Windows 10 dual boot with two SSD's

    bicyclist

      Topic Starter


      Rookie

      • Experience: Beginner
      • OS: Windows XP
      Re: Google redirect problem
      « Reply #2 on: June 13, 2011, 03:31:31 PM »
      Hi Dave,

      Thank you for responding and helping me with my problem.  The SuperAntiSpyware (SAS) doesn't seem to be running on my computer.  Maybe the infection recognizes it and does not let it run?   I do not get the SAS control center screen mentioned in your instructions (the prompts for Update, Preferences, Start-Up Options, etc.).  So I never get to the scan command.  :(   

      Here is a little more detail.  After downloading SAS and pasting the file to my desktop and clicking on the SAS icon on the desktop, I get a window from my other spyware software that asks me if I want to run the SAS.  I then clicked on the "run" in that window and the computer goes back to desktop view with the SAS icon highlighted and the only other activity is the hourglass appears occasionally next to my pointer/arrow. 

      I also heard a little murmur/electronic sound coming from my computer as though something was engaging.  I let SAS "run" (?) in this fashion for an hour or two and nothing happened.  I then deleted SAS and downloaded it again and then tried to run it again for about ten minutes with no luck.   

      By the way, I did check on the SAS file size (10.8 MB) on my computer and therefore I think SAS has downloaded successfully onto my computer.

      What should I do next?  ???  Maybe I need to run the SAS for several hours or overnight?  I don't have problems running other  programs such as the word processing software or the other anti-spyware programs on my computer.  I'm stumped. 

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Google redirect problem
      « Reply #3 on: June 13, 2011, 05:57:43 PM »
      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 7 different versions. If one of them won't run then download and try to run the other one.
       
      Vista and Win7 users need to right click Rkill and choose Run as Administrator
       

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

      * Rkill.exe
      * Rkill.com
      * Rkill.scr
      * WiNlOgOn.exe
      * uSeRiNiT.exe
      * iExplore.exe
      * eXplorer.exe
      Once you've gotten one of them to run then try to immediately run the following.

      Now try running MBAM, SAS and DDS and post the logs.
      If that still doesn't work, reboot in Safe Mode with Networking and run MBAM. Reboot in Normal mode and try running MBAM again.

      Here's how to get into Safe Mode.

      bicyclist

        Topic Starter


        Rookie

        • Experience: Beginner
        • OS: Windows XP
        Re: Google redirect problem
        « Reply #4 on: June 14, 2011, 02:05:34 PM »
        I think Rkill did not run; I tried all seven versions you listed.  I got a similar message for all those versions:  "Processes terminated by Rkill or while it was running:   Rkill completed on 06/13/2011 at 20:54:18."  While that message was being generated, I tried to run SAS and it did not run (SAS icon highlighted only).  :( 

        As you instructed, I downloaded and installed Malwarebytes Anti-Malware (MBAM) while in normal mode, rebooted the system in "Safe Mode with Networking", and tried unsuccessfully to run MBAM in Safe Mode.  :(  I don't have problems running other programs such as my word processing software while in Safe Mode.

        By the way, I did check on the MBAM file size (4.69 MB) installed on my computer and therefore I think MBAM is installed successfully.  The file I downloaded in order to install MBAM (mbam-setup.exe) was a larger file (7.37 MB).   

        What should I do next?  ???

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Google redirect problem
        « Reply #5 on: June 14, 2011, 05:12:10 PM »
        Did you try running the DDS scan?

        Please download ComboFix from BleepingComputer.com

        Alternate link: GeeksToGo.com

        and save it to your Desktop.
        It would be easiest to download using Internet Explorer.
        If you insist on using Firefox, make sure that your download settings are as follows:

        * Tools->Options->Main tab
        * Set to "Always ask me where to Save the files".

        Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
        Double click ComboFix.exe & follow the prompts.
        As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


        Click on Yes, to continue scanning for malware.
        When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

        If you have problems with ComboFix usage, see How to use ComboFix
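The DDS log SuperDave is asking for is read by hand in threads like this one, so here is what that first pass looks like in code. This is an added example, not part of any post in the thread and not code from the DDS tool: a small triage script that walks a DDS/GMER log and pulls out the lines a reviewer checks first. The lines in SAMPLE_LOG are copied from the dds.txt that bicyclist posts later in the thread; CONSTRUCTED_DNS_LINE is made up (an RFC 5737 documentation address) purely so the DNS rule has something to fire on. The rule names, severities, the LAN_NETS list and the KERNEL_RULES grouping are this example's own assumptions, not anything DDS or GMER emits.

```python
"""Triage pass over a DDS log: pull out the lines a malware-removal helper
reads first.  Added example for this thread, not code from DDS or any poster.
SAMPLE_LOG is copied from the dds.txt posted in the thread; CONSTRUCTED_DNS_LINE
is made up (RFC 5737 address).  Rule names and severities are this example's
own assumptions, not anything DDS emits."""
import ipaddress
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # HIGH or MEDIUM (assumed scale)
    rule: str
    line: str


# Resolvers a home PC should get from DHCP: RFC 1918, loopback, link-local.
# A resolver outside these ranges is the classic cause of search-result redirects.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

_DNS = re.compile(r"^TCP: .*?NameServer = (.+)$")
_APPINIT = re.compile(r"^AppInit_DLLs: (.+)$")
_DRIVER = re.compile(r"^[RS]\d+ ([^;]+);([^;]*);(.*)$")    # R0/S3 service lines
_UNKNOWN = re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")   # GMER disk-trace marker
_HOOK = re.compile(r"^\\Driver\\\S+ \S+ -> 0x[0-9A-Fa-f]+$")

# Rules that point below the file system; a user-mode scanner cannot see past these.
KERNEL_RULES = {"driver_file_unreadable", "unknown_module_in_disk_path",
                "kernel_driver_hook", "user_kernel_sector_mismatch", "gmer_rootkit_warning"}

SAMPLE_LOG = r"""
TCP: DhcpNameServer = 192.168.1.1
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-16 130936]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x88FC5EC5]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x88FC5AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""

# Constructed, not from the thread: what a hijacked resolver setting would look like.
CONSTRUCTED_DNS_LINE = "TCP: DhcpNameServer = 203.0.113.5"


def dns_outside_lan(line: str) -> List[str]:
    """Resolver addresses on a 'TCP: ...NameServer = ' line that are not LAN/loopback."""
    m = _DNS.match(line)
    if not m:
        return []
    outside = []
    for tok in re.split(r"[,\s]+", m.group(1).strip()):
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            continue
        if not any(ip in net for net in LAN_NETS):
            outside.append(tok)
    return outside


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if _DNS.match(line):
            if dns_outside_lan(line):
                findings.append(Finding("HIGH", "dns_outside_lan", line))
            continue
        if _APPINIT.match(line):
            # Injected into every process that loads user32.dll; check the publisher.
            findings.append(Finding("MEDIUM", "appinit_dll", line))
            continue
        m = _DRIVER.match(line)
        if m:
            # DDS prints '[?]' when it could not read the driver image: hidden or orphaned.
            if "[?]" in m.group(3):
                findings.append(Finding("HIGH", "driver_file_unreadable", line))
            continue
        if _UNKNOWN.search(line):
            # Code with no backing module sits in the path every disk I/O travels.
            findings.append(Finding("HIGH", "unknown_module_in_disk_path", line))
            continue
        if _HOOK.match(line):
            # A field of another driver's DRIVER_OBJECT rewritten; legitimate filters
            # attach a device, they do not overwrite atapi's dispatch pointers.
            findings.append(Finding("HIGH", "kernel_driver_hook", line))
            continue
        if "user != kernel" in line:
            # GMER read the disk from user mode and from the kernel and got different
            # results: something below the file system filters what it returns.
            findings.append(Finding("HIGH", "user_kernel_sector_mismatch", line))
        elif line.startswith("Warning: possible") and "rootkit" in line:
            findings.append(Finding("HIGH", "gmer_rootkit_warning", line))
    return findings


def needs_kernel_level_tooling(findings: List[Finding]) -> bool:
    return any(f.rule in KERNEL_RULES for f in findings)
```

The last function is the one that matters for this thread. A GMER trace showing a rewritten atapi DriverStartIo pointer and a sector count that differs between the user-mode and kernel reads means every disk request from a normal process is being filtered on the way down, so the scanners bicyclist could not launch (SAS, MBAM) would have had little chance of seeing the infection even if they had run: they read the disk through the very driver that has been hooked. That is why the next step is a tool with its own disk access or a boot-time run, such as the ComboFix run requested above.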

        bicyclist

          Topic Starter


          Rookie

          • Experience: Beginner
          • OS: Windows XP
          Re: Google redirect problem
          « Reply #6 on: June 26, 2011, 08:28:21 PM »
          Sorry for the delayed response; I had a sick family member. 

          The dds.txt scan results:

          .
          DDS (Ver_2011-06-12.02) - NTFSx86
          Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_07
          Run by User at 16:37:40 on 2011-06-14
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1527.1073 [GMT -7:00]
          .
          AV: The Shield Deluxe Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
          AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
          FW: McAfee Firewall *Enabled*
          .
          ============== Running Processes ===============
          .
          C:\WINDOWS\system32\svchost -k DcomLaunch
          svchost.exe
          C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Update Service\livesrv.exe
          C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\vsserv.exe
          svchost.exe
          svchost.exe
          svchost.exe
          C:\Program Files\Spyware Doctor\pctsAuxs.exe
          C:\Program Files\Spyware Doctor\pctsSvc.exe
          C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
          C:\Program Files\Spyware Doctor\pctsTray.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
          C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe
          C:\Program Files\QuickTime\qttask.exe
          C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\WINDOWS\system32\igfxtray.exe
          C:\WINDOWS\system32\igfxpers.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
          C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          C:\Program Files\eFax Messenger 4.3\J2GTray.exe
          C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
          C:\Program Files\Psion\PsiWin\Psconsv.exe
          C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\Alarm95\Alarm95.exe
          C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
          C:\PROGRA~1\Psion\PsiWin\Elogerr.exe
          C:\WINDOWS\System32\svchost.exe -k HTTPFilter
          C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
          C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
          C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\system32\svchost.exe -k netsvcs
          .
          ============== Pseudo HJT Report ===============
          .
          uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
          uSearchAssistant = hxxp://www.google.com/ie
          uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
          BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
          BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
          BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
          BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
          TB: The Shield Deluxe 2010 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\the shield deluxe\the shield deluxe 2010\IEToolbar.dll
          TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
          uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
          uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
          mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
          mRun: [BitDefender Antiphishing Helper] "c:\program files\the shield deluxe\the shield deluxe 2010\IEShow.exe"
          mRun: [BDAgent] "c:\program files\the shield deluxe\the shield deluxe 2010\bdagent.exe"
          mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
          mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
          mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
          mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
          mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
          mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
          mRun: [igfxtray] c:\windows\system32\igfxtray.exe
          mRun: [igfxpers] c:\windows\system32\igfxpers.exe
          mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
          mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
          mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
          mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
          StartupFolder: c:\docume~1\user\startm~1\programs\startup\alarm9~2.lnk - c:\windows\winhelp.exe
          StartupFolder: c:\docume~1\user\startm~1\programs\startup\alarm9~1.lnk - c:\program files\alarm95\Alarm95.exe
          StartupFolder: c:\docume~1\user\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\psiwin~1.lnk - c:\program files\psion\psiwin\Psconsv.exe
          StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-424ub\WlanCU.exe
          IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
          IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
          IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
          IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
          IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
          Trusted Zone: google.com\earth
          Trusted Zone: internet
          Trusted Zone: mcafee.com
          DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
          DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
          DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
          DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
          DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
          TCP: DhcpNameServer = 192.168.1.1
          TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13} : DhcpNameServer = 192.168.1.1
          Notify: igfxcui - igfxdev.dll
          AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
          SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
          .
          ================= FIREFOX ===================
          .
          FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\
          FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
          FF - prefs.js: browser.search.selectedEngine - Secure Search
          FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
          FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
          FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
          FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
          FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
          FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
          FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
          FF - plugin: c:\program files\picasa2\npPicasa2.dll
          FF - plugin: c:\program files\picasa2\npPicasa3.dll
          .
          ============= SERVICES / DRIVERS ===============
          .
          R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-12-18 40840]
          R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-16 130936]
          R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-12-18 66952]
          R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-12-18 81288]
          R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2010-3-6 20480]
          R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-9-17 152328]
          R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2010-3-7 264576]
          S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-16 34248]
          S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-16 40552]
          S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
          .
          =============== Created Last 30 ================
          .
          2011-06-14 04:49:15   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2011-06-14 04:49:11   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2011-06-14 04:49:11   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          .
          ==================== Find3M  ====================
          .
          .
          =================== ROOTKIT  ====================
          .
          Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
          Windows 5.1.2600 Disk: WDC_WD800JB-00JJC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
          .
          device: opened successfully
          user: MBR read successfully
          .
          Disk trace:
          called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x88FC5EC5]<<
          _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88570872; SUB DWORD [EBP-0x4], 0x8857012e; PUSH EDI; CALL 0xffffffffffffdf33;  }
          1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x898DCAB8]
          3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005c[0x8971D8E8]
          5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8965D940]
          [0x891C0218] -> IRP_MJ_CREATE -> 0x88FC5EC5
          kernel: MBR read successfully
          _asm { CALL 0x115;  }
          detected disk devices:
          \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJC0______________________05.01C05#5&31036641&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
          detected hooks:
          \Driver\atapi DriverStartIo -> 0x88FC5AEA
          user & kernel MBR OK
          sectors 156301486 (+255): user != kernel
          Warning: possible TDL3 rootkit infection !
          .
          ============= FINISH: 16:41:17.98 ===============


          The attach.txt file:

          .
          UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
          IF REQUESTED, ZIP IT UP & ATTACH IT
          .
          DDS (Ver_2011-06-12.02)
          .
          Microsoft Windows XP Professional
          Boot Device: \Device\HarddiskVolume1
          Install Date: 2/3/2007 3:05:34 PM
          System Uptime: 6/14/2011 11:56:59 AM (5 hours ago)
          .
          Motherboard: Hewlett-Packard |  | 090Ch
          Processor:               Intel(R) Pentium(R) 4 CPU 2.80GHz | XU1 PROCESSOR | 2792/533mhz
          .
          ==== Disk Partitions =========================
          .
          C: is FIXED (NTFS) - 75 GiB total, 54.458 GiB free.
          D: is CDROM ()
          E: is Removable
          F: is Removable
          G: is Removable
          H: is Removable
          .
          ==== Disabled Device Manager Items =============
          .
          ==== System Restore Points ===================
          .
          RP1: 6/10/2011 11:23:04 AM - System Checkpoint
          .
          ==== Installed Programs ======================
          .
          Adobe AIR
          Adobe Flash Player 10 Plugin
          Adobe Flash Player ActiveX
          Adobe Reader 9.4.0
          Alarm95
          ArcSoft PhotoImpression 4
          Audacity 1.2.6
          Broadcom Management Programs
          Broadcom NetXtreme Ethernet Controller
          Camera Driver
          Compatibility Pack for the 2007 Office system
          Critical Update for Windows Media Player 11 (KB959772)
          eFax Messenger 4.3
          GIMP 2.4.5
          Google Desktop
          Google Earth
          Google Photos Screensaver
          Google Toolbar for Firefox
          Google Toolbar for Internet Explorer
          Google Update Helper
          Google Updater
          GTK+ Runtime 2.12.8 rev a (remove only)
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
          Hotfix for Windows Internet Explorer 7 (KB947864)
          Hotfix for Windows Media Format 11 SDK (KB929399)
          Hotfix for Windows Media Player 11 (KB939683)
          Hotfix for Windows XP (KB2158563)
          Hotfix for Windows XP (KB2443685)
          Hotfix for Windows XP (KB952287)
          Hotfix for Windows XP (KB954550-v5)
          Hotfix for Windows XP (KB961118)
          Hotfix for Windows XP (KB970653-v3)
          Hotfix for Windows XP (KB976098-v2)
          Hotfix for Windows XP (KB979306)
          Hotfix for Windows XP (KB981793)
          Intel(R) Extreme Graphics 2 Driver
          iTunes
          Java(TM) 6 Update 4
          Java(TM) 6 Update 7
          Joost (tm) Beta 1.1.4
          LizardTech DjVu Control
          Malwarebytes' Anti-Malware
          McAfee Security Scan Plus
          MediaCoder 0.6.1
          Microsoft .NET Framework 1.1
          Microsoft .NET Framework 1.1 Security Update (KB2416447)
          Microsoft .NET Framework 1.1 Security Update (KB979906)
          Microsoft .NET Framework 2.0 Service Pack 2
          Microsoft .NET Framework 3.0 Service Pack 2
          Microsoft .NET Framework 3.5 SP1
          Microsoft Compression Client Pack 1.0 for Windows XP
          Microsoft Internationalized Domain Names Mitigation APIs
          Microsoft Money
          Microsoft National Language Support Downlevel APIs
          Microsoft Office Excel Viewer
          Microsoft Office Word Viewer 2003
          Microsoft User-Mode Driver Framework Feature Pack 1.0
          Miro
          Mozilla Firefox 4.0.1 (x86 en-US)
          Mozilla Thunderbird (2.0.0.17)
          MSXML 6.0 Parser (KB933579)
          OpenOffice.org 2.4
          Picasa 3
          Pidgin
          POV-Ray for Windows v3.6.1b
          PsiWin 2.3
          QuickTime
          Rhapsody Player Engine
          Santa Clara County Water Wise Gardening
          Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
          Security Update for Windows Internet Explorer 7 (KB938127)
          Security Update for Windows Internet Explorer 7 (KB942615)
          Security Update for Windows Internet Explorer 7 (KB950759)
          Security Update for Windows Internet Explorer 7 (KB953838)
          Security Update for Windows Internet Explorer 7 (KB956390)
          Security Update for Windows Internet Explorer 7 (KB958215)
          Security Update for Windows Internet Explorer 7 (KB960714)
          Security Update for Windows Internet Explorer 7 (KB961260)
          Security Update for Windows Internet Explorer 7 (KB963027)
          Security Update for Windows Internet Explorer 7 (KB969897)
          Security Update for Windows Internet Explorer 8 (KB2183461)
          Security Update for Windows Internet Explorer 8 (KB2360131)
          Security Update for Windows Internet Explorer 8 (KB2416400)
          Security Update for Windows Internet Explorer 8 (KB2482017)
          Security Update for Windows Internet Explorer 8 (KB2497640)
          Security Update for Windows Internet Explorer 8 (KB2510531)
          Security Update for Windows Internet Explorer 8 (KB969897)
          Security Update for Windows Internet Explorer 8 (KB971961)
          Security Update for Windows Internet Explorer 8 (KB972260)
          Security Update for Windows Internet Explorer 8 (KB974455)
          Security Update for Windows Internet Explorer 8 (KB976325)
          Security Update for Windows Internet Explorer 8 (KB978207)
          Security Update for Windows Internet Explorer 8 (KB981332)
          Security Update for Windows Internet Explorer 8 (KB982381)
          Security Update for Windows Media Player (KB2378111)
          Security Update for Windows Media Player (KB911564)
          Security Update for Windows Media Player (KB952069)
          Security Update for Windows Media Player (KB954155)
          Security Update for Windows Media Player (KB968816)
          Security Update for Windows Media Player (KB973540)
          Security Update for Windows Media Player (KB975558)
          Security Update for Windows Media Player (KB978695)
          Security Update for Windows Media Player 11 (KB936782)
          Security Update for Windows Media Player 11 (KB954154)
          Security Update for Windows Media Player 6.4 (KB925398)
          Security Update for Windows Media Player 9 (KB936782)
          Security Update for Windows XP (KB2079403)
          Security Update for Windows XP (KB2115168)
          Security Update for Windows XP (KB2121546)
          Security Update for Windows XP (KB2160329)
          Security Update for Windows XP (KB2229593)
          Security Update for Windows XP (KB2259922)
          Security Update for Windows XP (KB2279986)
          Security Update for Windows XP (KB2286198)
          Security Update for Windows XP (KB2296011)
          Security Update for Windows XP (KB2296199)
          Security Update for Windows XP (KB2347290)
          Security Update for Windows XP (KB2360937)
          Security Update for Windows XP (KB2387149)
          Security Update for Windows XP (KB2393802)
          Security Update for Windows XP (KB2412687)
          Security Update for Windows XP (KB2419632)
          Security Update for Windows XP (KB2423089)
          Security Update for Windows XP (KB2436673)
          Security Update for Windows XP (KB2440591)
          Security Update for Windows XP (KB2443105)
          Security Update for Windows XP (KB2476687)
          Security Update for Windows XP (KB2478960)
          Security Update for Windows XP (KB2478971)
          Security Update for Windows XP (KB2479628)
          Security Update for Windows XP (KB2479943)
          Security Update for Windows XP (KB2481109)
          Security Update for Windows XP (KB2483185)
          Security Update for Windows XP (KB2485376)
          Security Update for Windows XP (KB2485663)
          Security Update for Windows XP (KB2503658)
          Security Update for Windows XP (KB2506212)
          Security Update for Windows XP (KB2506223)
          Security Update for Windows XP (KB2507618)
          Security Update for Windows XP (KB2508272)
          Security Update for Windows XP (KB2508429)
          Security Update for Windows XP (KB2509553)
          Security Update for Windows XP (KB2511455)
          Security Update for Windows XP (KB2524375)
          Security Update for Windows XP (KB923561)
          Security Update for Windows XP (KB938464)
          Security Update for Windows XP (KB941569)
          Security Update for Windows XP (KB946648)
          Security Update for Windows XP (KB950760)
          Security Update for Windows XP (KB950762)
          Security Update for Windows XP (KB950974)
          Security Update for Windows XP (KB951066)
          Security Update for Windows XP (KB951376-v2)
          Security Update for Windows XP (KB951698)
          Security Update for Windows XP (KB951748)
          Security Update for Windows XP (KB952004)
          Security Update for Windows XP (KB952954)
          Security Update for Windows XP (KB953839)
          Security Update for Windows XP (KB954211)
          Security Update for Windows XP (KB954459)
          Security Update for Windows XP (KB954600)
          Security Update for Windows XP (KB955069)
          Security Update for Windows XP (KB956391)
          Security Update for Windows XP (KB956572)
          Security Update for Windows XP (KB956744)
          Security Update for Windows XP (KB956802)
          Security Update for Windows XP (KB956803)
          Security Update for Windows XP (KB956841)
          Security Update for Windows XP (KB956844)
          Security Update for Windows XP (KB957095)
          Security Update for Windows XP (KB957097)
          Security Update for Windows XP (KB958644)
          Security Update for Windows XP (KB958687)
          Security Update for Windows XP (KB958690)
          Security Update for Windows XP (KB958869)
          Security Update for Windows XP (KB959426)
          Security Update for Windows XP (KB960225)
          Security Update for Windows XP (KB960715)
          Security Update for Windows XP (KB960803)
          Security Update for Windows XP (KB960859)
          Security Update for Windows XP (KB961371)
          Security Update for Windows XP (KB961373)
          Security Update for Windows XP (KB961501)
          Security Update for Windows XP (KB968537)
          Security Update for Windows XP (KB969059)
          Security Update for Windows XP (KB969898)
          Security Update for Windows XP (KB969947)
          Security Update for Windows XP (KB970238)
          Security Update for Windows XP (KB970430)
          Security Update for Windows XP (KB971468)
          Security Update for Windows XP (KB971486)
          Security Update for Windows XP (KB971557)
          Security Update for Windows XP (KB971633)
          Security Update for Windows XP (KB971657)
          Security Update for Windows XP (KB972270)
          Security Update for Windows XP (KB973346)
          Security Update for Windows XP (KB973354)
          Security Update for Windows XP (KB973507)
          Security Update for Windows XP (KB973525)
          Security Update for Windows XP (KB973869)
          Security Update for Windows XP (KB973904)
          Security Update for Windows XP (KB974112)
          Security Update for Windows XP (KB974318)
          Security Update for Windows XP (KB974392)
          Security Update for Windows XP (KB974571)
          Security Update for Windows XP (KB975025)
          Security Update for Windows XP (KB975467)
          Security Update for Windows XP (KB975560)
          Security Update for Windows XP (KB975561)
          Security Update for Windows XP (KB975562)
          Security Update for Windows XP (KB975713)
          Security Update for Windows XP (KB977165)
          Security Update for Windows XP (KB977816)
          Security Update for Windows XP (KB977914)
          Security Update for Windows XP (KB978037)
          Security Update for Windows XP (KB978251)
          Security Update for Windows XP (KB978262)
          Security Update for Windows XP (KB978338)
          Security Update for Windows XP (KB978542)
          Security Update for Windows XP (KB978601)
          Security Update for Windows XP (KB978706)
          Security Update for Windows XP (KB979309)
          Security Update for Windows XP (KB979482)
          Security Update for Windows XP (KB979559)
          Security Update for Windows XP (KB979683)
          Security Update for Windows XP (KB979687)
          Security Update for Windows XP (KB980195)
          Security Update for Windows XP (KB980218)
          Security Update for Windows XP (KB980232)
          Security Update for Windows XP (KB980436)
          Security Update for Windows XP (KB981322)
          Security Update for Windows XP (KB981852)
          Security Update for Windows XP (KB981957)
          Security Update for Windows XP (KB981997)
          Security Update for Windows XP (KB982132)
          Security Update for Windows XP (KB982214)
          Security Update for Windows XP (KB982665)
          Security Update for Windows XP (KB982802)
          SoundMAX
          Spyware Doctor 6.0
          The Shield Deluxe 2010
          TRENDnet TEW-424UB Wireless USB 2.0 Adapter
          Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
          Update for Windows Internet Explorer 8 (KB976662)
          Update for Windows Internet Explorer 8 (KB976749)
          Update for Windows Internet Explorer 8 (KB980182)
          Update for Windows XP (KB2141007)
          Update for Windows XP (KB2345886)
          Update for Windows XP (KB2467659)
          Update for Windows XP (KB951072-v2)
          Update for Windows XP (KB951978)
          Update for Windows XP (KB955759)
          Update for Windows XP (KB955839)
          Update for Windows XP (KB967715)
          Update for Windows XP (KB968389)
          Update for Windows XP (KB971029)
          Update for Windows XP (KB971737)
          Update for Windows XP (KB973687)
          Update for Windows XP (KB973815)
          WebEx
          WebFldrs XP
          Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
          Windows Genuine Advantage Notifications (KB905474)
          Windows Genuine Advantage Validation Tool (KB892130)
          Windows Imaging Component
          Windows Internet Explorer 7
          Windows Internet Explorer 8
          Windows Media Format 11 runtime
          Windows Media Player 11
          Windows Presentation Foundation
          Windows XP Service Pack 3
          XML Paper Specification Shared Components Pack 1.0
          Yahoo! Install Manager
          Yahoo! Widgets
          .
          ==== Event Viewer Messages From Past Week ========
          .
          6/9/2011 8:34:28 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
          6/9/2011 10:54:45 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
          6/9/2011 10:33:17 PM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
          6/8/2011 9:52:07 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
          6/8/2011 5:45:32 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 4 time(s).
          6/8/2011 12:48:59 PM, error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
          6/8/2011 10:32:07 PM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
          6/8/2011 10:30:15 PM, error: Dhcp [1001]  - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D148339E.  The following error occurred:  The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
          6/8/2011 1:50:51 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 3 time(s).
          6/13/2011 12:39:43 PM, error: DCOM [10005]  - DCOM got error "%109" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
          6/13/2011 12:08:56 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the iPodService service to connect.
          6/13/2011 12:08:56 PM, error: Service Control Manager [7000]  - The iPodService service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
          6/13/2011 12:06:44 PM, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
          6/10/2011 7:24:13 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 7 time(s).
          6/10/2011 6:53:41 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 6 time(s).
          6/10/2011 6:23:49 PM, error: Service Control Manager [7034]  - The Print Spooler service terminated unexpectedly.  It has done this 5 time(s).
          6/10/2011 11:49:57 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
          6/10/2011 11:49:57 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
          6/10/2011 11:44:57 AM, error: Service Control Manager [7023]  - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:  The system cannot find the file specified.
          6/10/2011 11:44:57 AM, error: Service Control Manager [7023]  - The IPSEC Services service terminated with the following error:  The requested service provider could not be loaded or initialized.
          .
          ==== End Of File ===========================


          I'm in the process of disabling my virus checkers and firewalls in order to run ComboFix.  I have disabled two virus checkers that are in regular use on my system:  the Shield Deluxe and PC Tools Spyware's IntelliGuard.   I cannot display the Windows firewall settings on my computer.   :(   

          I do have a Windows Firewall icon in my Control Panel window; so I think there may be a Windows firewall on my system.  By the way, I no longer have the McAfee Security Scan Plus service and I think I have deleted that software from my computer (I don't know why it shows up in the DDS scans--maybe I should investigate?).  I have downloaded but not successfully run the Malwarebytes' Anti-Malware nor the SAS software on my system as I mentioned in my earlier post; therefore, I don't think I need to disable those programs.     

          When I followed the directions from BleepingComputer to see if the Windows Firewall is running ("To check if the Windows Firewall is turned on or off, go to Start > Run and type: firewall.cpl  press OK ") I got a window that said "Window Firewall settings cannot be displayed because the  associated service is not running".   When I clicked "Yes" to start the Internet Connection Service, I got a window that said "Windows cannot start the Windows/Internet Connection Sharing (ICS) service".

          What should I do next?   ???

          SuperDave

          Re: Google redirect problem
          « Reply #7 on: June 27, 2011, 03:39:59 PM »
          Download OTL to your desktop.

          * Open OTL
          * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

          Code:
          :OTL
          Trusted Zone: google.com\earth
          Trusted Zone: internet
          Trusted Zone: mcafee.com

          :COMMANDS
          [resethosts]
          [purity]
          [emptytemp]
          [start explorer]

          * Click Run Fix
          * OTLI2 may ask to reboot the machine. Please do so if asked.
          * Click OK
          * A report will open. Copy and Paste that report in your next reply.
          *************************************************************

          • Download TDSSKiller and save it to your Desktop.
          • Extract its contents to your desktop.
          • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
          • If an infected file is detected, the default action will be Cure, click on Continue.
          • If a suspicious file is detected, the default action will be Skip, click on Continue.
          • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
          • Click the Report button and copy/paste the contents of it into your next reply
          Note: It will also create a log in the C:\ directory.
          Windows 8 and Windows 10 dual boot with two SSD's
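The `[resethosts]` step in the fix above replaces the hosts file because search-redirect malware commonly pins well-known domains to an attacker-chosen address there. The following is an added example for checking that a hosts file is clean again; it is not part of the thread, of OTL or of TDSSKiller. The sample hosts content, the `203.0.113.45` address and the watch-list of domains are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from the page): the normal
# loopback entries plus two lines of the kind a redirector leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com
203.0.113.45    google.com   # hijacked entry (constructed)
0.0.0.0         ads.example.net
"""

# Hypothetical watch-list of domains that should never be pinned in hosts.
WATCH_DOMAINS = ("google.com", "bing.com", "microsoft.com", "mcafee.com")


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    Comments (after '#') and blank lines are ignored; a line whose first
    field is not a valid IP address is skipped rather than raising.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text, watch_domains=WATCH_DOMAINS):
    """Return a list of findings for mappings that point somewhere real.

    Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) mappings are the
    expected content of a hosts file and are not reported; anything else is,
    and a hit on a watched domain is flagged separately because that is the
    classic search-redirect pattern.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        watched = any(name == d or name.endswith("." + d) for d in watch_domains)
        findings.append({
            "line": lineno,
            "name": name,
            "address": str(addr),
            "watched": watched,
            "reason": ("well-known domain pinned to a non-loopback address"
                       if watched else "non-loopback mapping"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['address']} ({f['reason']})")
```

On a real XP machine the file to pass in is `C:\WINDOWS\system32\drivers\etc\hosts` (the path the OTL log above shows being reset); an empty findings list after the reset is the result to expect.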

          bicyclist

            Re: Google redirect problem
            « Reply #8 on: July 01, 2011, 07:49:22 PM »
            Dave,

            After following your instructions in your last post, I'm not having redirect problems anymore.   :)  The TDSSKiller found a problem and cured it.  Thank you.

            Is there anything else I need to do?

             

            The OTL report:

            All processes killed
            ========== OTL ==========
            ========== COMMANDS ==========
            C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
            HOSTS file reset successfully
             
            [EMPTYTEMP]
             
            User: All Users
             
            User: Default User
            ->Temp folder emptied: 0 bytes
            ->Temporary Internet Files folder emptied: 33170 bytes
            ->Flash cache emptied: 56545 bytes
             
            User: LocalService
            ->Temp folder emptied: 66016 bytes
            ->Temporary Internet Files folder emptied: 2643102 bytes
            ->FireFox cache emptied: 4545144 bytes
            ->Flash cache emptied: 567 bytes
             
            User: NetworkService
            ->Temp folder emptied: 0 bytes
            ->Temporary Internet Files folder emptied: 33170 bytes
             
            User: User
            ->Temp folder emptied: 1602551775 bytes
            ->Temporary Internet Files folder emptied: 135845320 bytes
            ->Java cache emptied: 8733415 bytes
            ->FireFox cache emptied: 112916619 bytes
            ->Flash cache emptied: 78437 bytes
             
            %systemdrive% .tmp files removed: 0 bytes
            %systemroot% .tmp files removed: 2163145 bytes
            %systemroot%\System32 .tmp files removed: 2577 bytes
            %systemroot%\System32\dllcache .tmp files removed: 0 bytes
            %systemroot%\System32\drivers .tmp files removed: 0 bytes
            Windows Temp folder emptied: 139871984 bytes
            %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 227530693 bytes
            %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
            RecycleBin emptied: 0 bytes
             
            Total Files Cleaned = 2,133.00 mb
             
             
            OTL by OldTimer - Version 3.2.25.0 log created on 07012011_130002

            Files\Folders moved on Reboot...

            Registry entries deleted on Reboot...



            The TDSSKiller report:

            2011/07/01 14:53:43.0671 3812   TDSS rootkit removing tool 2.5.8.0 Jun 28 2011 19:12:16
            2011/07/01 14:53:43.0687 3812   ================================================================================
            2011/07/01 14:53:43.0687 3812   SystemInfo:
            2011/07/01 14:53:43.0687 3812   
            2011/07/01 14:53:43.0687 3812   OS Version: 5.1.2600 ServicePack: 3.0
            2011/07/01 14:53:43.0687 3812   Product type: Workstation
            2011/07/01 14:53:43.0687 3812   ComputerName: KENCOMPUTER
            2011/07/01 14:53:43.0687 3812   UserName: User
            2011/07/01 14:53:43.0687 3812   Windows directory: C:\WINDOWS
            2011/07/01 14:53:43.0687 3812   System windows directory: C:\WINDOWS
            2011/07/01 14:53:43.0687 3812   Processor architecture: Intel x86
            2011/07/01 14:53:43.0687 3812   Number of processors: 1
            2011/07/01 14:53:43.0687 3812   Page size: 0x1000
            2011/07/01 14:53:43.0687 3812   Boot type: Normal boot
            2011/07/01 14:53:43.0687 3812   ================================================================================
            2011/07/01 14:53:48.0984 3812   Initialize success
            2011/07/01 14:54:05.0312 3920   ================================================================================
            2011/07/01 14:54:05.0312 3920   Scan started
            2011/07/01 14:54:05.0312 3920   Mode: Manual;
            2011/07/01 14:54:05.0312 3920   ================================================================================
            2011/07/01 14:54:05.0859 3920   ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
            2011/07/01 14:54:05.0921 3920   ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
            2011/07/01 14:54:06.0031 3920   aeaudio         (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
            2011/07/01 14:54:06.0125 3920   aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
            2011/07/01 14:54:06.0187 3920   AegisP          (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
            2011/07/01 14:54:06.0250 3920   AFD             (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
            2011/07/01 14:54:06.0578 3920   AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
            2011/07/01 14:54:06.0625 3920   atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
            2011/07/01 14:54:06.0703 3920   Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
            2011/07/01 14:54:06.0750 3920   audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
            2011/07/01 14:54:06.0843 3920   b57w2k          (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
            2011/07/01 14:54:06.0921 3920   BDFM            (2b4257ff280b93e3c503925f61d24cba) C:\WINDOWS\system32\drivers\bdfm.sys
            2011/07/01 14:54:07.0015 3920   bdfsfltr        (9b281f5f673cbc5b9ec886d59e0b4f26) C:\WINDOWS\system32\drivers\bdfsfltr.sys
            2011/07/01 14:54:07.0125 3920   bdftdif         (bf1088ece2236621aa31d9108afcc53c) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Firewall\bdftdif.sys
            2011/07/01 14:54:07.0218 3920   BDSelfPr        (5eaf583c0b1cc2499761ea3b065f5db2) C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\bdselfpr.sys
            2011/07/01 14:54:07.0312 3920   Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
            2011/07/01 14:54:07.0437 3920   Blfp            (07a758bffb297819252aa72bab0e6611) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
            2011/07/01 14:54:07.0515 3920   cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
            2011/07/01 14:54:07.0578 3920   CCDECODE        (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
            2011/07/01 14:54:07.0656 3920   Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
            2011/07/01 14:54:07.0921 3920   Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
            2011/07/01 14:54:07.0968 3920   Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
            2011/07/01 14:54:08.0234 3920   Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
            2011/07/01 14:54:08.0343 3920   dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
            2011/07/01 14:54:08.0453 3920   dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
            2011/07/01 14:54:08.0562 3920   dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
            2011/07/01 14:54:08.0625 3920   DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
            2011/07/01 14:54:08.0703 3920   drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
            2011/07/01 14:54:08.0781 3920   Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
            2011/07/01 14:54:08.0843 3920   Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
            2011/07/01 14:54:08.0906 3920   Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
            2011/07/01 14:54:08.0968 3920   Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
            2011/07/01 14:54:09.0031 3920   FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
            2011/07/01 14:54:09.0109 3920   Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
            2011/07/01 14:54:09.0156 3920   Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
            2011/07/01 14:54:09.0234 3920   GEARAspiWDM     (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
            2011/07/01 14:54:09.0312 3920   Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
            2011/07/01 14:54:09.0406 3920   HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
            2011/07/01 14:54:09.0546 3920   HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
            2011/07/01 14:54:09.0703 3920   i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
            2011/07/01 14:54:09.0796 3920   ialm            (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
            2011/07/01 14:54:09.0953 3920   IKFileSec       (ff9f262494fc23d77a6148d49d87d2de) C:\WINDOWS\system32\drivers\ikfilesec.sys
            2011/07/01 14:54:10.0000 3920   IKSysFlt        (7e359671fd9595ecb1b0a33fb4184b19) C:\WINDOWS\system32\drivers\iksysflt.sys
            2011/07/01 14:54:10.0062 3920   IKSysSec        (a44cb3cf3af266665261a6e6c9cac27c) C:\WINDOWS\system32\drivers\iksyssec.sys
            2011/07/01 14:54:10.0109 3920   Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
            2011/07/01 14:54:10.0218 3920   IntelIde        (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
            2011/07/01 14:54:10.0296 3920   intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
            2011/07/01 14:54:10.0343 3920   Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
            2011/07/01 14:54:10.0406 3920   IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
            2011/07/01 14:54:10.0500 3920   IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
            2011/07/01 14:54:10.0578 3920   IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
            2011/07/01 14:54:10.0640 3920   IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
            2011/07/01 14:54:10.0750 3920   IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
            2011/07/01 14:54:10.0796 3920   isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
            2011/07/01 14:54:10.0859 3920   Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
            2011/07/01 14:54:10.0906 3920   kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
            2011/07/01 14:54:10.0968 3920   kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
            2011/07/01 14:54:11.0031 3920   KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
            2011/07/01 14:54:11.0125 3920   mferkdk         (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
            2011/07/01 14:54:11.0187 3920   mfesmfk         (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
            2011/07/01 14:54:11.0250 3920   mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
            2011/07/01 14:54:11.0359 3920   Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
            2011/07/01 14:54:11.0421 3920   Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
            2011/07/01 14:54:11.0484 3920   mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
            2011/07/01 14:54:11.0546 3920   MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
            2011/07/01 14:54:11.0625 3920   MR97310_USB_DUAL_CAMERA (1aae79a4176a957bf2bb679812f04655) C:\WINDOWS\system32\DRIVERS\mr97310c.sys
            2011/07/01 14:54:11.0718 3920   MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
            2011/07/01 14:54:11.0796 3920   Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
            2011/07/01 14:54:11.0859 3920   MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
            2011/07/01 14:54:11.0906 3920   MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
            2011/07/01 14:54:11.0953 3920   MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
            2011/07/01 14:54:12.0031 3920   mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
            2011/07/01 14:54:12.0093 3920   MSTEE           (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
            2011/07/01 14:54:12.0187 3920   Mup             (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
            2011/07/01 14:54:12.0375 3920   NABTSFEC        (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
            2011/07/01 14:54:12.0546 3920   NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
            2011/07/01 14:54:12.0703 3920   NdisIP          (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
            2011/07/01 14:54:12.0750 3920   NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
            2011/07/01 14:54:12.0796 3920   Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
            2011/07/01 14:54:12.0875 3920   NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
            2011/07/01 14:54:12.0937 3920   NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
            2011/07/01 14:54:12.0984 3920   NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
            2011/07/01 14:54:13.0093 3920   Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
            2011/07/01 14:54:13.0171 3920   Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
            2011/07/01 14:54:13.0281 3920   Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
            2011/07/01 14:54:13.0375 3920   NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
            2011/07/01 14:54:13.0453 3920   NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
            2011/07/01 14:54:13.0546 3920   Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
            2011/07/01 14:54:13.0625 3920   PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
            2011/07/01 14:54:13.0687 3920   ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
            2011/07/01 14:54:13.0750 3920   PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
            2011/07/01 14:54:13.0828 3920   PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
            2011/07/01 14:54:13.0890 3920   Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
            2011/07/01 14:54:13.0984 3920   PCTCore         (aa9cfa67850893fbb168b9c4e4c86952) C:\WINDOWS\system32\drivers\PCTCore.sys
            2011/07/01 14:54:14.0296 3920   PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
            2011/07/01 14:54:14.0421 3920   Profos          (d90a33660d328a9f587580f0b38c85de) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Threat Scanner\profos.sys
            2011/07/01 14:54:14.0484 3920   Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
            2011/07/01 14:54:14.0562 3920   PxHelp20        (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
            2011/07/01 14:54:14.0750 3920   RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
            2011/07/01 14:54:14.0828 3920   Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
            2011/07/01 14:54:14.0906 3920   RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
            2011/07/01 14:54:14.0937 3920   Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
            2011/07/01 14:54:15.0000 3920   RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
            2011/07/01 14:54:15.0062 3920   rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
            2011/07/01 14:54:15.0171 3920   RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
            2011/07/01 14:54:15.0234 3920   redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
            2011/07/01 14:54:15.0390 3920   RTL8187B        (fe999b16e967c84790be6dc1b4e78f2d) C:\WINDOWS\system32\DRIVERS\RTL8187B.sys
            2011/07/01 14:54:15.0515 3920   Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
            2011/07/01 14:54:15.0609 3920   serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
            2011/07/01 14:54:15.0671 3920   Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
            2011/07/01 14:54:15.0750 3920   Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
            2011/07/01 14:54:15.0906 3920   SLIP            (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
            2011/07/01 14:54:15.0984 3920   smwdm           (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
            2011/07/01 14:54:16.0156 3920   splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
            2011/07/01 14:54:16.0218 3920   sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
            2011/07/01 14:54:16.0296 3920   streamip        (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
            2011/07/01 14:54:16.0359 3920   swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
            2011/07/01 14:54:16.0421 3920   swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
            2011/07/01 14:54:16.0609 3920   sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
            2011/07/01 14:54:16.0687 3920   Tcpip           (a7d39994cf210133afd8c6ed090765b1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
            2011/07/01 14:54:16.0687 3920   Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: a7d39994cf210133afd8c6ed090765b1, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
            2011/07/01 14:54:16.0703 3920   Tcpip - detected Rootkit.Win32.TDSS.tdl3 (0)
            2011/07/01 14:54:16.0765 3920   TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
            2011/07/01 14:54:16.0828 3920   TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
            2011/07/01 14:54:16.0921 3920   TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
            2011/07/01 14:54:17.0109 3920   Trufos          (b16d66a71de03285e14e9f165b59eda4) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Threat Scanner\trufos.sys
            2011/07/01 14:54:17.0203 3920   Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
            2011/07/01 14:54:17.0328 3920   Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
            2011/07/01 14:54:17.0390 3920   usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
            2011/07/01 14:54:17.0640 3920   usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
            2011/07/01 14:54:17.0703 3920   USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
            2011/07/01 14:54:17.0781 3920   usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
            2011/07/01 14:54:17.0859 3920   VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
            2011/07/01 14:54:17.0968 3920   VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
            2011/07/01 14:54:18.0046 3920   Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
            2011/07/01 14:54:18.0125 3920   wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
            2011/07/01 14:54:18.0234 3920   WLNdis50        (bb2c5a7a555b387b85481b8bde5370d7) C:\WINDOWS\system32\DRIVERS\wlndis50.sys
            2011/07/01 14:54:18.0343 3920   WSTCODEC        (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
            2011/07/01 14:54:18.0437 3920   WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
            2011/07/01 14:54:18.0500 3920   WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
            2011/07/01 14:54:18.0593 3920   MBR (0x1B8)     (5f8b5082f3482cc06b72ec5806598ae9) \Device\Harddisk0\DR0
            2011/07/01 14:54:18.0671 3920   Boot (0x1200)   (c7994081284bdc325ed2291034ec901e) \Device\Harddisk0\DR0\Partition0
            2011/07/01 14:54:18.0671 3920   ================================================================================
            2011/07/01 14:54:18.0671 3920   Scan finished
            2011/07/01 14:54:18.0671 3920   ================================================================================
            2011/07/01 14:54:18.0687 2804   Detected object count: 1
            2011/07/01 14:54:18.0687 2804   Actual detected object count: 1
            2011/07/01 14:54:34.0218 2804   Tcpip           (a7d39994cf210133afd8c6ed090765b1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
            2011/07/01 14:54:34.0218 2804   Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: a7d39994cf210133afd8c6ed090765b1, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
            2011/07/01 14:54:40.0937 2804   Backup copy found, using it..
            2011/07/01 14:54:41.0765 2804   C:\WINDOWS\system32\DRIVERS\tcpip.sys - will be cured after reboot
            2011/07/01 14:54:41.0765 2804   Rootkit.Win32.TDSS.tdl3(Tcpip) - User select action: Cure
            2011/07/01 14:55:00.0265 2888   Deinitialize success
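The TDSSKiller output above is the part of this thread worth being able to read mechanically: the "Suspicious file (Forged)" line with its two hashes, the "detected" line, and the "will be cured" / "User select action" lines that show whether anything was actually done about the finding. What follows is an added example (my own code, not from the thread, from Kaspersky or from any tool discussed here) that parses a constructed sample in the same line layout, cross-checks the forged-file report against the hash in the driver inventory line, and lists any forged file for which no cure was scheduled. The sample lines are modelled on the log as posted; the layout assumption (timestamp, thread id, message) is mine.

```python
"""Pull the security-relevant findings out of a TDSSKiller-style log.

Added example; not code from the thread or from the scanner's authors.
Assumes each line is: <date> <time> <thread id> <message>.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same layout as the log posted above; only the
# lines needed for the demonstration are included.
SAMPLE_LOG = r"""
2011/07/01 14:54:16.0687 3920   Tcpip           (a7d39994cf210133afd8c6ed090765b1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/01 14:54:16.0687 3920   Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: a7d39994cf210133afd8c6ed090765b1, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
2011/07/01 14:54:16.0703 3920   Tcpip - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/07/01 14:54:16.0765 3920   TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/01 14:54:41.0765 2804   C:\WINDOWS\system32\DRIVERS\tcpip.sys - will be cured after reboot
2011/07/01 14:54:41.0765 2804   Rootkit.Win32.TDSS.tdl3(Tcpip) - User select action: Cure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<service>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \((?P<why>[^)]+)\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(?P<service>\S+) - detected (?P<threat>\S+)")
CURE_RE = re.compile(r"^(?P<path>.+?) - will be cured after reboot$")
ACTION_RE = re.compile(
    r"^(?P<threat>[^(]+)\((?P<service>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Finding:
    timestamp: str
    kind: str                       # forged | detected | cure_pending | action
    service: Optional[str] = None
    path: Optional[str] = None
    threat: Optional[str] = None
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None
    action: Optional[str] = None


def parse_log(text: str) -> Dict[str, object]:
    """Return the driver inventory (lower-cased path -> md5) and all findings."""
    drivers: Dict[str, str] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (f := FORGED_RE.match(msg)):
            findings.append(Finding(ts, "forged", path=f["path"],
                                    real_md5=f["real"], fake_md5=f["fake"]))
        elif (d := DETECT_RE.match(msg)):
            findings.append(Finding(ts, "detected", service=d["service"], threat=d["threat"]))
        elif (c := CURE_RE.match(msg)):
            findings.append(Finding(ts, "cure_pending", path=c["path"]))
        elif (a := ACTION_RE.match(msg)):
            findings.append(Finding(ts, "action", service=a["service"],
                                    threat=a["threat"], action=a["action"]))
        elif (dr := DRIVER_RE.match(msg)):
            drivers[dr["path"].lower()] = dr["md5"]
    return {"drivers": drivers, "findings": findings}


def triage(parsed: Dict[str, object]) -> Dict[str, object]:
    """Cross-check each forged-file report against the inventory and the
    cure lines; anything forged but not scheduled for cure is unresolved."""
    drivers, findings = parsed["drivers"], parsed["findings"]
    cured = {f.path.lower() for f in findings if f.kind == "cure_pending"}
    threats = sorted({f.threat for f in findings
                      if f.kind in ("detected", "action") and f.threat})
    report: Dict[str, object] = {"threats": threats, "forged": [], "unresolved": []}
    for f in (x for x in findings if x.kind == "forged"):
        key = f.path.lower()
        entry = {
            "path": f.path,
            # The inventory line's hash should agree with "Real md5" and the
            # two reported hashes must differ; the scanner decides which image
            # is the bad one, this code only checks the report is consistent.
            "inventory_matches_real": drivers.get(key) == f.real_md5,
            "hashes_differ": f.real_md5 != f.fake_md5,
            "cure_scheduled": key in cured,
        }
        report["forged"].append(entry)
        if not entry["cure_scheduled"]:
            report["unresolved"].append(f.path)
    return report


if __name__ == "__main__":
    print(json.dumps(triage(parse_log(SAMPLE_LOG)), indent=2))
```

Feed it a full log by replacing SAMPLE_LOG with the file contents; the "unresolved" list is the thing to look at first, since a forged driver that the user declined to cure, or that the tool could not cure, leaves the redirect in place across reboots.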
             

               

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Google redirect problem
            « Reply #9 on: July 02, 2011, 06:06:04 PM »
            Quote
            Is there anything else I need to do?
            I want to run some more scans to make sure everything is gone.

            Please download ComboFix from BleepingComputer.com

            Alternate link: GeeksToGo.com

            and save it to your Desktop.
            It would be easiest to download using Internet Explorer.
            If you insist on using Firefox, make sure that your download settings are as follows:

            * Tools->Options->Main tab
            * Set to "Always ask me where to Save the files".

            Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
            Double click ComboFix.exe & follow the prompts.
            As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
            Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

            Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

            Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


            Click on Yes, to continue scanning for malware.
            When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

            If you have problems with ComboFix usage, see How to use ComboFix
            Windows 8 and Windows 10 dual boot with two SSD's

            bicyclist

              Topic Starter


              Rookie

              • Experience: Beginner
              • OS: Windows XP
              Re: Google redirect problem
              « Reply #10 on: July 09, 2011, 11:16:10 PM »
              Dave,

              I ran ComboFix somewhat successfully.  Please find the log below. 

              It lost the Internet connection while it was trying to create the new system restore point.  It was trying to connect to get the MS Recovery Console--I never got the console.

              I did not touch the computer at all when Combofix was trying to run so I was not the cause of the disconnection.   It prompted me to make the connection but there was nothing for me to do to reconnect; the Internet connection icon in the system tray was indicating intermittent Internet connection (icon went back and forth between red "X" and wave symbol next to the monitor symbol). 

              By the way, ComboFix prompted me earlier to allow them to update their software to the newest version and I clicked "OK".  It was able to download a newer version so I had an Internet connection at that point (I had an earlier version because I downloaded it a week ago at your direction noted in your post of June 14).

              In order to get something going, I went ahead and clicked "OK" in the "Kindly connect before clicking OK" in the ComboFix window.  The next window said that it was aborting because it could not download files and I clicked "OK" in that window to continue the scan for bad files. 

              On the automatic rebooting of the system, the ComboFix log was eventually posted but the Internet connection was still lost.  On the next (manual) reboot the connection was restored.

              I disabled my Windows XP firewall as well as my Shield Deluxe antivirus protection before running ComboFix. 

              I noticed in the ComboFix log that a McAfee firewall might still be on my machine.  I don't know where or how to disable this; I do not have an icon in my system tray for that program.  I cancelled that service months ago and, if I remember correctly, I thought I uninstalled it.  It is possible that I deleted their files rather than used them to uninstall their features--I don't think McAfee gave me clear directions on the correct uninstall procedures at the time I cancelled their service.  I know I deleted some McAfee program files after I cancelled their service.  Should I contact McAfee to see what I need to do?   ???       

              My computer is still working well; no redirect problem.   :)

              What should I do next?  Should I try to run ComboFix after figuring out the firewall issue?  ???




              ComboFix log:


              ComboFix 11-07-09.03 - User 07/09/2011  19:47:51.1.1 - x86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1527.1080 [GMT -7:00]
              Running from: c:\documents and settings\User\Desktop\ComboFix.exe
              AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
              AV: The Shield Deluxe Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
              FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
              .
              WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
              .
              .
              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              c:\windows\system32\$winnt$.inf
              c:\windows\system32\closeapp.exe
              c:\windows\vb.ini
              .
              .
              (((((((((((((((((((((((((   Files Created from 2011-06-10 to 2011-07-10  )))))))))))))))))))))))))))))))
              .
              .
              2011-07-06 06:23 . 2011-07-06 06:23   2106216   ----a-w-   c:\program files\Mozilla Firefox\D3DCompiler_43.dll
              2011-07-06 06:23 . 2011-07-06 06:23   1998168   ----a-w-   c:\program files\Mozilla Firefox\d3dx9_43.dll
              2011-07-01 20:00 . 2011-07-01 20:00   --------   d-----w-   C:\_OTL
              2011-06-27 00:10 . 2011-06-27 00:10   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITC4.tmp
              2011-06-24 20:34 . 2011-06-24 20:34   --------   d-----w-   c:\program files\Common Files\InstallShield
              2011-06-19 01:34 . 2011-06-19 01:34   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITBD.tmp
              2011-06-19 01:17 . 2011-06-19 01:17   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITBC.tmp
              2011-06-15 06:11 . 2011-04-21 13:37   105472   -c----w-   c:\windows\system32\dllcache\mup.sys
              2011-06-14 04:49 . 2010-12-21 01:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2011-06-14 04:49 . 2011-06-14 04:49   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2011-06-14 04:49 . 2010-12-21 01:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              .
              .
              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2011-07-01 21:55 . 2004-08-04 12:00   361600   ----a-w-   c:\windows\system32\drivers\tcpip.sys
              2011-05-02 15:31 . 2007-02-03 23:00   692736   ----a-w-   c:\windows\system32\inetcomm.dll
              2011-04-29 17:25 . 2004-08-04 12:00   151552   ----a-w-   c:\windows\system32\schannel.dll
              2011-04-29 16:19 . 2004-08-04 12:00   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
              2011-04-25 16:11 . 2004-08-04 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
              2011-04-25 16:11 . 2004-08-04 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
              2011-04-25 16:11 . 2004-08-04 12:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
              2011-04-25 12:01 . 2004-08-04 12:00   385024   ----a-w-   c:\windows\system32\html.iec
              2011-04-21 13:37 . 2004-08-04 12:00   105472   ----a-w-   c:\windows\system32\drivers\mup.sys
              2011-07-06 06:23 . 2011-04-30 21:08   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
              2009-09-14 05:10 . 2010-08-07 21:24   47104   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
              2011-07-01 22:45 . 2008-06-03 17:15   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
              .
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4
              .
              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856]
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
              "BitDefender Antiphishing Helper"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\IEShow.exe" [2009-09-14 71152]
              "BDAgent"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe" [2009-09-24 1114536]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-04 282624]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
              "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
              "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-15 278528]
              "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
              "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
              "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
              "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-07-01 30192]
              "eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
              "DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
              .
              c:\documents and settings\User\Start Menu\Programs\Startup\
              Alarm 95 Help.lnk - c:\windows\winhelp.exe [2004-8-4 256192]
              Alarm 95.lnk - c:\program files\Alarm95\Alarm95.exe [2009-8-23 426496]
              Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
              .
              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-9-6 629248]
              PsiWin 2.3 Connection Server.lnk - c:\program files\Psion\PsiWin\Psconsv.exe [2008-7-16 286720]
              Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2010-3-7 368640]
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
              @=""
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
              @=""
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
              @=""
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
              "LMIRescue_05cc69be-ef6c-40d9-a32e-51b51a08a20b"=2 (0x2)
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
              "DisableMonitoring"=dword:00000001
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
              "DisableMonitoring"=dword:00000001
              .
              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)
              .
              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "c:\\Program Files\\iTunes\\iTunes.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
              .
              R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/16/2009 3:34 PM 130936]
              R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/6/2010 5:51 PM 20480]
              R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [9/17/2009 4:12 PM 152328]
              R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [3/7/2010 4:25 PM 264576]
              S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
              S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-424UB\WLSVC.exe [3/7/2010 4:25 PM 167936]
              S3 Arrakis3;The Shield Deluxe Arrakis Server;c:\program files\Common Files\The Shield Deluxe\The Shield Deluxe Arrakis Server\bin\arrakis3.exe [9/13/2009 11:31 PM 183880]
              S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2007 12:00 PM 30192]
              S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
              S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/2/2008 10:18 AM 348752]
              S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              bdx   REG_MULTI_SZ      scan
              .
              Contents of the 'Scheduled Tasks' folder
              .
              2011-07-10 c:\windows\Tasks\Google Software Updater.job
              - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-18 03:27]
              .
              2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc076dadee6214.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
              .
              2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
              .
              .
              ------- Supplementary Scan -------
              .
              uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
              uSearchAssistant = hxxp://www.google.com/ie
              uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
              IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
              IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
              Trusted Zone: google.com\earth
              Trusted Zone: internet
              Trusted Zone: mcafee.com
              TCP: DhcpNameServer = 192.168.1.1
              TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13}: DhcpNameServer = 192.168.1.1
              FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lc6vgsqt.default\
              FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
              FF - prefs.js: browser.search.selectedEngine - Secure Search
              FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
              FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
              .
              - - - - ORPHANS REMOVED - - - -
              .
              SafeBoot-22771467.sys
              AddRemove-InstallShield_{54C0D94A-F467-4ABC-9D02-6E58748668D4} - c:\progra~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
              AddRemove-InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} - c:\progra~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
              AddRemove-MSMONEYV4 - c:\program files\Microsoft Money\setup.exe
              .
              .
              .
              **************************************************************************
              .
              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2011-07-09 20:04
              Windows 5.1.2600 Service Pack 3 NTFS
              .
              scanning hidden processes ... 
              .
              scanning hidden autostart entries ...
              .
              scanning hidden files ... 
              .
              scan completed successfully
              hidden files: 0
              .
              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------
              .
              - - - - - - - > 'explorer.exe'(2084)
              c:\windows\system32\WININET.dll
              c:\progra~1\WINDOW~2\wmpband.dll
              c:\windows\system32\ieframe.dll
              c:\windows\system32\webcheck.dll
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\program files\Analog Devices\SoundMAX\SMAgent.exe
              c:\windows\system32\wscntfy.exe
              c:\program files\iPod\bin\iPodService.exe
              .
              **************************************************************************
              .
              Completion time: 2011-07-09  20:08:20 - machine was rebooted
              ComboFix-quarantined-files.txt  2011-07-10 03:08
              .
              Pre-Run: 59,208,437,760 bytes free
              Post-Run: 59,103,842,304 bytes free
              .
              - - End Of File - - C8C30CBA04197C1CFEA51D93309AA454

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: Google redirect problem
              « Reply #11 on: July 10, 2011, 04:57:10 PM »
              I forgot to mention that the Security check indicates that you have Panda Antivirus Pro 2012 and Norton 360 running at the same time on your computer. One of these AV's will have to be disabled/uninstalled. 
              *********************************************
              Re-running ComboFix to remove infections:

              • Close any open browsers.
              • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
              • Open notepad and copy/paste the text in the quotebox below into it:
                Quote
                KillAll::

                File::
                C:\found.005
                C:\found.004
                C:\found.003
                C:\found.002
                C:\found.001

                DirLook::
                C:\40d9b26e2a8b3f767a
                C:\ef60c58cdd1f56bf95401cfaf20940ef

                Firefox::
                Trusted Zone: internet
                Trusted Zone: mcafee.com

              • Save this as CFScript.txt, in the same location as ComboFix.exe



              • Referring to the picture above, drag CFScript into ComboFix.exe
              • When finished, it shall produce a log for you at C:\ComboFix.txt
              • Please post the contents of the log in your next reply.
              *********************************************************
              Please go to Jotti's malware scan
              (If more than one file needs to be scanned they must be done separately and links posted for each one)

              * Copy the file path in the below Code box:

              Code:
              c:\windows\system32\x64
              c:\windows\system32\igxpun.exe
              c:\windows\system32\Drivers\utkwnty5.sys 

              * At the upload site, click once inside the window next to Browse.
              * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
              * Next click Submit file
              * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
              * This will perform a scan across multiple different virus scanning engines.
              * Important: Wait for all of the scanning engines to complete.
              * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
              Windows 8 and Windows 10 dual boot with two SSD's
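Before uploading the files listed in the Code box to a multi-engine scanner, it is worth confirming on the machine itself that each path exists and is a regular file, and recording its hashes so the scan result can later be matched against the local copy. The following is an added example (my own code, not the thread's, ComboFix's or Jotti's): the path list is copied from the box above, and on any other machine those entries will simply be reported as missing, which is exactly the case to catch before going to the upload form.

```python
"""Check a list of suspect paths before uploading them to an online scanner.

Added example, not part of the thread or of any tool mentioned in it.
Reports, per path: missing / directory / file, size, and MD5 + SHA-256.
"""
import hashlib
import os
from typing import Dict, List, Optional

# Paths copied from the Code box above (constructed list for this demo).
PATHS_TO_CHECK = [
    r"c:\windows\system32\x64",
    r"c:\windows\system32\igxpun.exe",
    r"c:\windows\system32\Drivers\utkwnty5.sys",
]


def digest_bytes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of a byte string. MD5 is kept only because older scan
    reports (and the TDSSKiller log in this thread) use it; SHA-256 is the
    one to quote anywhere new."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digest_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Same digests as digest_bytes, streamed so large files are not read
    into memory at once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def check_paths(paths: List[str]) -> List[Dict[str, Optional[object]]]:
    """One record per path. An entry without an extension (the x64 entry
    above) may be a folder rather than a file; a folder cannot be uploaded
    as a single file, so it is reported as 'directory' instead of hashed."""
    out: List[Dict[str, Optional[object]]] = []
    for p in paths:
        rec: Dict[str, Optional[object]] = {
            "path": p, "status": "missing", "size": None, "md5": None, "sha256": None,
        }
        if os.path.isdir(p):
            rec["status"] = "directory"
        elif os.path.isfile(p):
            rec["status"] = "file"
            rec["size"] = os.path.getsize(p)
            rec.update(digest_file(p))
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in check_paths(PATHS_TO_CHECK):
        print(rec)
```

Run it on the affected machine; a "missing" result is the "file not found" situation that the next reply in this thread describes, and a "directory" result means that entry has to be handled as a folder rather than pasted into a single-file upload form.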

              bicyclist

                Topic Starter


                Rookie

                • Experience: Beginner
                • OS: Windows XP
                Re: Google redirect problem
                « Reply #12 on: August 10, 2011, 09:17:09 AM »
                Dave,

                Sorry about the delayed response; I have some family members that are sick and it takes most of my free time (elderly father and mother in-law).  I could not find the Panda Antivirus Pro 2012 nor the Norton 360 after scanning my system.  Did I miss something?   

                I ran the combo fix and it was able to download the Microsoft Windows recovery console and complete its scan.    The log is below.

                I was not able to scan the files you indicated with Jotti's malware scanner.   When I pasted each file (one at a time) into the file upload window, I got a window that says "file not found".

                By the way, I might have picked up another redirecting virus (slow/intermittent connection to internet, the hard drive runs unusually fast on start-up as if something is loading, and I lose my internet connection after a few minutes) prior to my running ComboFix.  I don't think ComboFix cured it.  I re-enabled my Deluxe Shield as well as my PC Tools Spyware Doctor antivirus checkers and ran them after the ComboFix scan.   I'm not sure I did a good thing.  The PC Tools Spyware caught a lot of items, though it did not define what items it caught, and fixed those files, and the system does not run better.

                I appreciate all the help you have provided.  Let me know what I should do next. 

                Ken


                The ComboFix log:

                ComboFix 11-08-09.02 - User 08/09/2011  19:23:46.2.1 - x86
                Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1527.1115 [GMT -7:00]
                Running from: c:\documents and settings\User\Desktop\ComboFix.exe
                Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
                AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
                AV: The Shield Deluxe Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
                FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
                .
                FILE ::
                "C:\found.001"
                "C:\found.002"
                "C:\found.003"
                "C:\found.004"
                "C:\found.005"
                .
                .
                (((((((((((((((((((((((((   Files Created from 2011-07-10 to 2011-08-10  )))))))))))))))))))))))))))))))
                .
                .
                .
                .
                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2011-07-01 21:55 . 2004-08-04 12:00   361600   ----a-w-   c:\windows\system32\drivers\tcpip.sys
                2011-06-27 00:10 . 2011-06-27 00:10   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITC4.tmp
                2011-06-19 01:34 . 2011-06-19 01:34   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITBD.tmp
                2011-06-19 01:17 . 2011-06-19 01:17   0   ---ha-w-   c:\documents and settings\User\Local Settings\Application Data\BITBC.tmp
                2011-06-02 14:02 . 2004-08-04 12:00   1858944   ----a-w-   c:\windows\system32\win32k.sys
                2011-07-06 06:23 . 2011-04-30 21:08   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
                2009-09-14 05:10 . 2010-08-07 21:24   47104   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
                2011-07-01 22:45 . 2008-06-03 17:15   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
                .
                .
                ((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                ---- Directory of C:\40d9b26e2a8b3f767a ----
                .
                .
                ---- Directory of C:\ef60c58cdd1f56bf95401cfaf20940ef ----
                .
                .
                .
                (((((((((((((((((((((((((((((   SnapShot@2011-07-10_03.04.24   )))))))))))))))))))))))))))))))))))))))))
                .
                + 2009-12-14 07:08 . 2011-04-26 11:07   33280              c:\windows\system32\dllcache\csrsrv.dll
                - 2009-12-14 07:08 . 2010-12-09 14:30   33280              c:\windows\system32\dllcache\csrsrv.dll
                - 2004-08-04 12:00 . 2010-12-09 14:30   33280              c:\windows\system32\csrsrv.dll
                + 2004-08-04 12:00 . 2011-04-26 11:07   33280              c:\windows\system32\csrsrv.dll
                + 2011-08-07 06:47 . 2011-08-07 06:47   22016              c:\windows\Installer\1024b4.msi
                - 2004-08-04 12:00 . 2010-06-18 17:45   293376              c:\windows\system32\winsrv.dll
                + 2004-08-04 12:00 . 2011-04-26 11:07   293376              c:\windows\system32\winsrv.dll
                + 2007-02-03 14:53 . 2011-07-13 16:42   142832              c:\windows\system32\FNTCACHE.DAT
                - 2007-02-03 14:53 . 2011-06-09 05:19   142832              c:\windows\system32\FNTCACHE.DAT
                + 2010-06-18 17:45 . 2011-04-26 11:07   293376              c:\windows\system32\dllcache\winsrv.dll
                - 2010-06-18 17:45 . 2010-06-18 17:45   293376              c:\windows\system32\dllcache\winsrv.dll
                + 2008-10-15 04:07 . 2011-06-02 14:02   1858944              c:\windows\system32\dllcache\win32k.sys
                + 2007-12-18 20:16 . 2011-07-13 08:54   49089992              c:\windows\system32\MRT.exe
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4
                .
                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856]
                .
                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
                "BitDefender Antiphishing Helper"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\IEShow.exe" [2009-09-14 71152]
                "BDAgent"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe" [2009-09-24 1114536]
                "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-04 282624]
                "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
                "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
                "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-15 278528]
                "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
                "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
                "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
                "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-07-01 30192]
                "eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
                "DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
                .
                c:\documents and settings\User\Start Menu\Programs\Startup\
                Alarm 95 Help.lnk - c:\windows\winhelp.exe [2004-8-4 256192]
                Alarm 95.lnk - c:\program files\Alarm95\Alarm95.exe [2009-8-23 426496]
                Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
                .
                c:\documents and settings\All Users\Start Menu\Programs\Startup\
                eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-9-6 629248]
                PsiWin 2.3 Connection Server.lnk - c:\program files\Psion\PsiWin\Psconsv.exe [2008-7-16 286720]
                Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2010-3-7 368640]
                .
                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                @=""
                .
                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
                @=""
                .
                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
                @=""
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                "LMIRescue_05cc69be-ef6c-40d9-a32e-51b51a08a20b"=2 (0x2)
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
                "DisableMonitoring"=dword:00000001
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
                "DisableMonitoring"=dword:00000001
                .
                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "%windir%\\system32\\sessmgr.exe"=
                "c:\\Program Files\\iTunes\\iTunes.exe"=
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
                .
                R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/16/2009 3:34 PM 130936]
                R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/6/2010 5:51 PM 20480]
                R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [9/17/2009 4:12 PM 152328]
                R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [3/7/2010 4:25 PM 264576]
                S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
                S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-424UB\WLSVC.exe [3/7/2010 4:25 PM 167936]
                S3 Arrakis3;The Shield Deluxe Arrakis Server;c:\program files\Common Files\The Shield Deluxe\The Shield Deluxe Arrakis Server\bin\arrakis3.exe [9/13/2009 11:31 PM 183880]
                S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2007 12:00 PM 30192]
                S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
                S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/2/2008 10:18 AM 348752]
                S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                bdx   REG_MULTI_SZ      scan
                .
                Contents of the 'Scheduled Tasks' folder
                .
                2011-08-10 c:\windows\Tasks\Google Software Updater.job
                - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-18 03:27]
                .
                2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc076dadee6214.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
                .
                2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
                .
                .
                ------- Supplementary Scan -------
                .
                uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
                uSearchAssistant = hxxp://www.google.com/ie
                uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
                IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
                IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
                Trusted Zone: google.com\earth
                Trusted Zone: internet
                Trusted Zone: mcafee.com
                TCP: DhcpNameServer = 192.168.1.1
                TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13}: DhcpNameServer = 192.168.1.1
                FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lc6vgsqt.default\
                FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
                FF - prefs.js: browser.search.selectedEngine - Bing
                FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
                FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
                .
                .
                **************************************************************************
                .
                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2011-08-09 19:55
                Windows 5.1.2600 Service Pack 3 NTFS
                .
                scanning hidden processes ... 
                .
                scanning hidden autostart entries ...
                .
                scanning hidden files ... 
                .
                scan completed successfully
                hidden files: 0
                .
                **************************************************************************
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------
                .
                - - - - - - - > 'explorer.exe'(2368)
                c:\windows\system32\WININET.dll
                c:\progra~1\WINDOW~2\wmpband.dll
                c:\windows\system32\ieframe.dll
                c:\windows\system32\webcheck.dll
                c:\windows\system32\WPDShServiceObj.dll
                c:\windows\system32\PortableDeviceTypes.dll
                c:\windows\system32\PortableDeviceApi.dll
                .
                ------------------------ Other Running Processes ------------------------
                .
                c:\program files\Analog Devices\SoundMAX\SMAgent.exe
                c:\windows\system32\wscntfy.exe
                c:\program files\iPod\bin\iPodService.exe
                .
                **************************************************************************
                .
                Completion time: 2011-08-09  20:00:06 - machine was rebooted
                ComboFix-quarantined-files.txt  2011-08-10 03:00
                ComboFix2.txt  2011-07-10 03:08
                .
                Pre-Run: 59,016,167,424 bytes free
                Post-Run: 59,009,564,672 bytes free
                .
                WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                [boot loader]
                timeout=2
                default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                [operating systems]
                c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                UnsupportedDebug="do not select this" /debug
                multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
                .
                - - End Of File - - 7CCFC895A45A57F525FADF7D75C17742
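A triage helper for the ComboFix log above, added here as an example; it is not part of the original thread and not ComboFix's own tooling. It parses three sections in the format they have in the log: the Run-key autostarts ("name"="path" [date size]), the service and driver lines (R0/S3 name;display;path [...]) and the "Trusted Zone:" lines of the supplementary scan, and then lists what a reviewer of such a log looks at first. Two points are my assumptions about the format rather than something the page states: that a service line of the form "image --> path [?]" means ComboFix could not find the binary on disk, and that an autostart outside Program Files or the Windows directory is worth a second look. The embedded sample is a short excerpt built from lines of the log in this post, not the full log.

```python
"""Triage helper for a ComboFix log.

Added example, not part of the original thread. Parses Run-key
autostarts, service/driver lines and Trusted Zone lines and flags the
entries a reviewer would check first.
"""
import re

# Constructed excerpt built from lines of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/16/2009 3:34 PM 130936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
.
Trusted Zone: google.com\earth
Trusted Zone: internet
Trusted Zone: mcafee.com
"""

RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]')
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
TRUSTED_RE = re.compile(r'^Trusted Zone:\s*(?P<zone>\S+)')

# Heuristic (assumption): where autostart binaries on this XP box are
# expected to live. Anything else gets flagged for a closer look.
EXPECTED_PREFIXES = (r"c:\program files", r"c:\progra~1", r"c:\windows")


def parse_run_entries(text):
    """Return [{'name', 'path', 'date', 'size'}] for each Run-key line."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def parse_services(text):
    """Return [{'start', 'name', 'display', 'path', 'missing'}] for R*/S* lines."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        # Assumption about the notation: "<image path> --> <resolved path> [?]"
        # is printed when the binary cannot be found on disk.
        missing = rest.endswith("[?]")
        if " --> " in rest:
            rest = rest.split(" --> ", 1)[1]
        path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)  # drop the trailing [date size] / [?]
        services.append({
            "start": m.group("start"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": path,
            "missing": missing,
        })
    return services


def parse_trusted_zones(text):
    """Return the domains listed on 'Trusted Zone:' lines."""
    zones = []
    for line in text.splitlines():
        m = TRUSTED_RE.match(line.strip())
        if m:
            zones.append(m.group("zone"))
    return zones


def triage(text):
    """Return the findings a reviewer of the log would look at first."""
    findings = {
        "missing_service_binaries": [],
        "autostarts_outside_expected_dirs": [],
        "trusted_zones": [],
    }
    for svc in parse_services(text):
        if svc["missing"]:
            findings["missing_service_binaries"].append(svc["name"])
    for entry in parse_run_entries(text):
        if not entry["path"].lower().startswith(EXPECTED_PREFIXES):
            findings["autostarts_outside_expected_dirs"].append(entry["name"])
    findings["trusted_zones"] = parse_trusted_zones(text)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%s: %s" % (key, value))
```

On the excerpt the helper reports one service whose binary is gone (SjyPkt), no autostart outside the expected directories, and the three Trusted Zone domains that the next reply asks to have removed with HijackThis. Trusted Zone entries matter because Internet Explorer applies weaker security settings to sites in that zone, so an entry nobody remembers adding is worth removing.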

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Google redirect problem
                « Reply #13 on: August 10, 2011, 05:55:41 PM »
                Quote
                Sorry about the delayed response; I have some family members that are sick and it takes most of my free time (elderly father and mother in-law).  I could not find the Panda Antivirus Pro 2012 nor the Norton 360 after scanning my system.  Did I miss something?
                I'm really sorry about your relatives and also the mix-up I caused. I must have confused your thread with another thread. I was juggling too many balls at once.
                Are you still getting the re-directs?


                Quote
                By the way, I might have picked up another redirecting virus (slow/intermittent connection to internet, the hard drive runs unusually fast on start-up as if something is loading, and I lose my internet connection after a few minutes) prior to my running ComboFix.  I don't think ComboFix cured it.  I re-enabled my Deluxe Shield as well as my PC Tools Spyware Doctor antivirus checkers and ran them after the ComboFix scan.   I'm not sure I did a good thing.
                That could be because it appears that you have two AV programs running at once: McAfee Anti-Virus and Anti-Spyware and The Shield Deluxe Antivirus. You should only have one AV running.

                Please download: HiJackThis to your Desktop.
                Open HijackThis and select Do a system scan only

                Place a check mark next to the following entries: (if there)

                Trusted Zone: google.com\earth
                Trusted Zone: internet
                Trusted Zone: mcafee.com


                Important: Close all open windows except for HijackThis and then click Fix checked.

                Once completed, exit HijackThis.
                ************************************************
                * Download the following tool: RootRepeal - Rootkit Detector
                * Direct download link is here: RootRepeal.zip

                * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                * Click this link to see a list of such programs and how to disable them.

                * Extract the program file to a new folder such as C:\RootRepeal
                * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                * When done, click on Save Report
                * Save it to the same location where you ran it from, such as C:\RootRepeal
                * Save it as rootrepeal.txt
                * Then open that log and select all and copy/paste it back on your next reply please.
                * Close RootRepeal.

                bicyclist

                  Topic Starter


                  Rookie

                  • Experience: Beginner
                  • OS: Windows XP
                  Re: Google redirect problem
                  « Reply #14 on: August 14, 2011, 11:38:32 PM »
                  Dave,

                  The major re-direct problem I originally was having has been solved so my system works much better since I ran the TDSSKiller several posts ago per your instructions.   :)   Mozilla Firefox is preventing a few re-directs but those are mostly during my visits to commercial websites so I think that might be OK--I overreacted to the few redirects I got after all the work we did.   

                  By the way , the sound on my system has been restored again due to running the TDSSKiller several posts ago per your instructions.    :)

                  I seem to be having trouble hooking up to the internet.  I understand the need to have only one AV running at a time.  I'll try contacting McAfee about how to uninstall their anti-virus software that might still be on my system (I may have inadvertently deleted it rather than uninstalled it when I cancelled their service).

                  I could not get the HiJackThis to run on my system.  When I tried to run it I got a window that said "C:\Documents & Settings\User\Desktop\HiJackThisInstaller.exe is not a valid win32 application". 

                  Thought I should not run RootRepeal until we finished with HiJackThis---OK?   

                  What should I do next?

                  Ken