Author Topic: [Inactive] Potential Google Redirect Problem  (Read 2686 times)


Offline Lantern7

  • Bronze Member
  • Posts: 17
[Inactive] Potential Google Redirect Problem
« on: March 03, 2012, 10:03:25 am »
As the title says, I think my laptop has a Google Redirect problem. I believe that my registry is fouled up, making my computer worse in the process. I was referred to this site from the Dell Community Forums. I have a trial version of Malwarebytes Anti-Malware, and I have log files that I can share. Any help would be appreciated.
« Last Edit: March 03, 2012, 01:58:55 pm by Bugbatter »



Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25011
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Potential Google Redirect Problem
« Reply #1 on: March 03, 2012, 11:05:29 am »
Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem. Also tell me any other problems you are having, no matter how small or long you have been dealing with them.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Fifth, if we start this fix, I need you to stick with me until the end. Just because your computer is running better does not mean it is fixed.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your harddrive.

One last thing, I need you to tell me if this computer belongs to a school or to a company or organization of some kind. If it does, please let me know. Also tell me if there is an IT department responsible for this computer.

Now onto trying to fix your computer.


We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Please copy and paste both logs into your next response. You may need more than one response.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet. 

Information on A/V control HERE

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • Posts: 8172
Re: [In Progress] Potential Google Redirect Problem
« Reply #2 on: March 03, 2012, 02:03:32 pm »
Hi Hoov and Lantern,
Quote from: Bugbatter at Dell
Please include a link to this topic at Dell, so your helper does not needlessly repeat the same things we have already discussed here.
Lantern must have forgotten to do that, so I edited the original post above to include the link.

Lantern, you are in good hands with Hoov!  :t

Microsoft MVP - Consumer Security

Offline Lantern7

  • Bronze Member
  • Posts: 17
Re: [In Progress] Potential Google Redirect Problem
« Reply #3 on: March 03, 2012, 11:37:16 pm »
I've tried downloading dds.scr, but nothing is happening. So far, I've downloaded HijackThis, something from kaspersky.com, SpeedyPC Pro Installer.exe, ComboFix.exe, mbam-setup-1.60.1.100.exe, and ComboFix.exe. Here's the first log from Malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.21.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: PRO [administrator]

Protection: Enabled

2/22/2012 12:01:02 AM
mbam-log-2012-02-22 (00-01-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190384
Time elapsed: 2 hour(s), 24 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Owner\Local Settings\Temp\41.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

And here's a log from ComboFix:

ComboFix 12-03-02.01 - Owner 03/02/2012  22:09:12.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.220 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\SPL11C.tmp
c:\documents and settings\All Users\SPL1AF.tmp
c:\documents and settings\Owner\My Documents\R166248.zip
c:\windows\system32\oobe\msoobe.exe
c:\windows\system32\oobe\oobebaln.exe
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETB6.tmp
c:\windows\system32\SETB8.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETBF.tmp
c:\windows\system32\SETC0.tmp
c:\windows\system32\SETC4.tmp
c:\windows\system32\SETC6.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-03 to 2012-03-03  )))))))))))))))))))))))))))))))
.
.
2012-02-27 02:58 . 2012-02-27 02:58   19416   ----a-w-   c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2012-02-22 02:33 . 2012-02-22 02:33   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2012-02-22 02:25 . 2012-02-22 02:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-22 02:24 . 2011-12-10 20:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-02-22 02:24 . 2012-02-22 02:31   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-02-20 16:03 . 2012-02-20 16:03   --------   d-----w-   c:\documents and settings\Owner\Application Data\DriverCure
2012-02-20 16:03 . 2012-02-20 16:03   --------   d-----w-   c:\documents and settings\Owner\Application Data\SpeedyPC Software
2012-02-20 15:59 . 2012-02-20 15:59   --------   d-----w-   c:\program files\Common Files\SpeedyPC Software
2012-02-20 15:59 . 2012-02-20 15:59   --------   d-----w-   c:\program files\SpeedyPC Software
2012-02-20 15:59 . 2012-02-20 15:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\SpeedyPC Software
2012-02-19 07:45 . 2012-02-19 07:45   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2012-02-16 05:17 . 2012-02-16 05:17   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2012-02-14 23:31 . 2012-01-11 19:06   3072   -c----w-   c:\windows\system32\dllcache\iacenc.dll
2012-02-14 23:31 . 2012-01-11 19:06   3072   ------w-   c:\windows\system32\iacenc.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-24 16:27 . 2011-09-02 04:50   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2008-04-13 23:00   1859968   ----a-w-   c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-13 23:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-13 23:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2008-04-13 23:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2008-04-13 23:00   385024   ----a-w-   c:\windows\system32\html.iec
2012-02-27 02:57 . 2012-02-27 02:57   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-20 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-02-12 115560]
"SMSERIAL"="sm56hlpr.exe" [2008-08-05 557056]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
.
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2012 9:25 PM 652360]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [9/8/2011 5:00 PM 95200]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/3/2012 4:00 AM 106104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/21/2012 9:24 PM 20464]
S0 cerc6;cerc6;

S2 gupdate1ca1b2e32a2fe4e;Google Update Service (gupdate1ca1b2e32a2fe4e);c:\program files\Google\Update\GoogleUpdate.exe [8/12/2009 4:20 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/12/2009 4:20 AM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 09:20]
.
2012-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 09:20]
.
2012-02-20 c:\windows\Tasks\SpeedyPC Pro.job
- c:\program files\SpeedyPC Software\SpeedyPC\SpeedyPC.exe [2011-10-09 01:19]
.
2012-02-27 c:\windows\Tasks\SpeedyPC Registration3.job
- c:\program files\Common Files\SpeedyPC Software\UUS3\UUS3.dll [2011-10-06 16:18]
.
2012-02-23 c:\windows\Tasks\SpeedyPC Update Version3.job
- c:\program files\Common Files\SpeedyPC Software\UUS3\SpeedyPC_Update3.exe [2011-10-06 16:18]
.
2012-03-03 c:\windows\Tasks\User_Feed_Synchronization-{296B6A4D-0A3B-4748-8233-BD34781CA63D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hohfuz2c.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-02 22:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HITACHI_DK23EB-40 rev.00K0A0C0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read  A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x822662C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcxcoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\sm56hlpr.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2012-03-02  22:55:27 - machine was rebooted
ComboFix-quarantined-files.txt  2012-03-03 03:55
.
Pre-Run: 25,309,929,472 bytes free
Post-Run: 26,751,733,760 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect
.
- - End Of File - - D2C247125EAC0627640B0429DAB907AF

Is there anything else I should post?
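The ComboFix log above is long, and the lines a helper actually reads first are the autostart values, the firewall policy, the service lines and the scheduled tasks. The script below is an added example written for this page; it is not ComboFix's, Malwarebytes' or the forum's code. It parses lines in the shape of the "Reg Loading Points" and "Scheduled Tasks" sections into a structured record and applies a few review heuristics (firewall disabled in the standard profile, Run values that name a bare file rather than a full path, service binaries the log marks `[?]`, scheduled tasks that run something outside `c:\windows`). The sample input is constructed from the shapes of lines in the posted log; reading `[?]` as "the log tool could not verify the file" and the heuristics themselves are assumptions, and a flagged line is a prompt to look, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of a ComboFix "Reg Loading Points" /
# "Scheduled Tasks" section (not the full log from the thread).
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-02-12 115560]
"SMSERIAL"="sm56hlpr.exe" [2008-08-05 557056]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2012 9:25 PM 652360]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-20 c:\windows\Tasks\SpeedyPC Pro.job
- c:\program files\SpeedyPC Software\SpeedyPC\SpeedyPC.exe [2011-10-09 01:19]
.
"""

@dataclass
class Triage:
    run_entries: dict = field(default_factory=dict)   # value name -> command/path
    firewall_enabled: Optional[bool] = None           # None if the key was not seen
    services: list = field(default_factory=list)      # (state letter, name, detail)
    tasks: list = field(default_factory=list)         # (job path, target)

RUN_KEY = re.compile(r"^\[.*\\CurrentVersion\\Run\]$", re.IGNORECASE)
FW_KEY = re.compile(r"^\[.*firewallpolicy\\standardprofile\]$", re.IGNORECASE)
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
# "R2 name;display;detail" = running service, "S3 ..." = stopped service
SERVICE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<detail>.*)$")
TASK = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.IGNORECASE)
TASK_TARGET = re.compile(r"^- (?P<target>.+?)(?: \[[^\]]*\])?$")

def parse(text: str) -> Triage:
    """Walk the log once, tracking the registry key a value line belongs to."""
    t = Triage()
    current_key = None
    pending_job = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("["):          # "[HKEY_...]" header opens a new key
            current_key = line
            continue
        m = VALUE.match(line)
        if m and current_key and RUN_KEY.match(current_key):
            t.run_entries[m["name"]] = m["path"]
            continue
        m = FIREWALL.match(line)
        if m and current_key and FW_KEY.match(current_key):
            t.firewall_enabled = m["val"] != "0"
            continue
        m = SERVICE.match(line)
        if m:
            t.services.append((m["state"], m["name"], m["detail"]))
            continue
        m = TASK.match(line)
        if m:
            pending_job = m["job"]        # the "- target" line follows the .job line
            continue
        m = TASK_TARGET.match(line)
        if m and pending_job:
            t.tasks.append((pending_job, m["target"]))
            pending_job = None
    return t

def analyze(t: Triage) -> list:
    """Review heuristics (assumptions, not ComboFix's own rules); each hit is a prompt to look."""
    findings = []
    if t.firewall_enabled is False:
        findings.append("Windows Firewall is disabled in the standard profile (EnableFirewall=0)")
    for name, path in t.run_entries.items():
        if "\\" not in path:   # bare file name: which file loads depends on search order
            findings.append(f"Run value {name!r} names a bare file {path!r}; confirm which file actually loads")
    for _state, name, detail in t.services:
        if detail.rstrip().endswith("[?]"):   # assumed: tool could not read the binary's date/size
            findings.append(f"Service {name!r}: binary marked [?]; verify the file on disk")
    for job, target in t.tasks:
        if not target.lower().startswith("c:\\windows\\"):
            findings.append(f"Scheduled task {job!r} runs third-party target {target!r}; confirm it is wanted")
    return findings

if __name__ == "__main__":
    for line in analyze(parse(SAMPLE_LOG)):
        print("-", line)
```

On the constructed sample this reports four items: the disabled firewall profile, the bare `sm56hlpr.exe` Run value, the `dlcx_device` service marked `[?]`, and the SpeedyPC task. The same regexes apply to a pasted log of this shape; anything the heuristics do not flag still needs a reader.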

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25011
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Potential Google Redirect Problem
« Reply #4 on: March 03, 2012, 11:46:33 pm »
Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Now update Malwarebytes' Anti-Malware and run a full scan with that. If it finds anything, fix it all then post the log. If it finds nothing, post that log.


Offline Lantern7

  • Bronze Member
  • Posts: 17
Re: [In Progress] Potential Google Redirect Problem
« Reply #5 on: March 04, 2012, 12:04:38 am »
I'll take care of that tomorrow. Also, I forgot to add that I'm on a personal laptop that nobody else uses.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25011
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Potential Google Redirect Problem
« Reply #6 on: March 04, 2012, 07:42:41 am »
No worries, I will be here.


Offline Lantern7

  • Bronze Member
  • Posts: 17
Re: [In Progress] Potential Google Redirect Problem
« Reply #7 on: March 04, 2012, 11:42:53 am »
I got the rkill log. Should I post that here before moving on to TDSSKiller?

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 25011
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Potential Google Redirect Problem
« Reply #8 on: March 04, 2012, 11:55:38 am »
Nope, just go ahead and post them at the same time.


Offline Lantern7

  • Bronze Member
  • Posts: 17
Re: [In Progress] Potential Google Redirect Problem
« Reply #9 on: March 04, 2012, 04:36:58 pm »
rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/04/2012 at 11:44:27.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

c:\PROGRA~1\mcafee\SITEAD~1\saui.exe


Rkill completed on 03/04/2012 at 11:52:39.


TDSSKiller log:

16:46:21.0304 3148   TDSS rootkit removing tool 2.7.18.0 Mar  2 2012 09:40:07
16:46:23.0306 3148   ============================================================
16:46:23.0306 3148   Current date / time: 2012/03/04 16:46:23.0306
16:46:23.0306 3148   SystemInfo:
16:46:23.0306 3148   
16:46:23.0306 3148   OS Version: 5.1.2600 ServicePack: 3.0
16:46:23.0306 3148   Product type: Workstation
16:46:23.0306 3148   ComputerName: PRO
16:46:23.0457 3148   UserName: Owner
16:46:23.0457 3148   Windows directory: C:\WINDOWS
16:46:23.0457 3148   System windows directory: C:\WINDOWS
16:46:23.0457 3148   Processor architecture: Intel x86
16:46:23.0457 3148   Number of processors: 1
16:46:23.0457 3148   Page size: 0x1000
16:46:23.0457 3148   Boot type: Normal boot
16:46:23.0457 3148   ============================================================
16:47:17.0194 3148   Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
16:47:17.0645 3148   \Device\Harddisk0\DR0:
16:47:18.0235 3148   MBR used
16:47:18.0235 3148   \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A852C1
16:47:18.0846 3148   Initialize success
16:47:18.0846 3148   ============================================================
16:49:13.0581 1628   ============================================================
16:49:13.0581 1628   Scan started
16:49:13.0581 1628   Mode: Manual;
16:49:13.0581 1628   ============================================================
16:49:28.0853 1628   Abiosdsk - ok
16:49:32.0518 1628   abp480n5 - ok
16:49:39.0208 1628   ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\drivers\ACPI.sys
16:49:39.0438 1628   ACPI - ok
16:49:42.0893 1628   ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:50:10.0904 1628   ACPIEC - ok
16:50:11.0875 1628   adpu160m - ok
16:50:13.0537 1628   aeaudio         (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
16:50:18.0795 1628   aeaudio - ok
16:50:19.0826 1628   aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:50:22.0861 1628   aec - ok
16:50:23.0932 1628   AFD             (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
16:50:24.0143 1628   AFD - ok
16:50:25.0164 1628   agp440          (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:50:26.0045 1628   agp440 - ok
16:50:26.0887 1628   Aha154x - ok
16:50:27.0848 1628   aic78u2 - ok
16:50:29.0390 1628   aic78xx - ok
16:50:30.0592 1628   AliIde - ok
16:50:31.0593 1628   amsint - ok
16:50:32.0314 1628   Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
16:50:32.0344 1628   Arp1394 - ok
16:50:33.0446 1628   asc - ok
16:50:34.0207 1628   asc3350p - ok
16:50:34.0858 1628   asc3550 - ok
16:50:35.0799 1628   AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:50:35.0960 1628   AsyncMac - ok
16:50:36.0971 1628   atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
16:50:37.0071 1628   atapi - ok
16:50:37.0822 1628   Atdisk - ok
16:50:38.0814 1628   ati2mtag        (1ca68bc171e299636026ee9656217d27) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
16:50:40.0927 1628   ati2mtag - ok
16:50:41.0508 1628   Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:50:42.0139 1628   Atmarpc - ok
16:50:42.0850 1628   audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:50:43.0160 1628   audstub - ok
16:50:44.0362 1628   bcm4sbxp        (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
16:50:44.0883 1628   bcm4sbxp - ok
16:50:45.0674 1628   Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:50:45.0964 1628   Beep - ok
16:50:46.0535 1628   catchme - ok
16:50:47.0937 1628   cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:50:48.0317 1628   cbidf2k - ok
16:50:49.0109 1628   cd20xrnt - ok
16:50:49.0980 1628   Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:50:50.0641 1628   Cdaudio - ok
16:50:51.0552 1628   Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:50:52.0213 1628   Cdfs - ok
16:50:53.0375 1628   Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:50:58.0122 1628   Cdrom - ok
16:50:58.0552 1628   cerc6 - ok
16:51:00.0114 1628   Changer - ok
16:51:00.0916 1628   CmBatt          (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:51:01.0807 1628   CmBatt - ok
16:51:03.0930 1628   CmdIde - ok
16:51:06.0073 1628   COH_Mon         (86a22dff16e8ca67601044efe6825537) C:\WINDOWS\system32\Drivers\COH_Mon.sys
16:51:08.0376 1628   COH_Mon - ok
16:51:09.0538 1628   Compbatt        (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:51:10.0409 1628   Compbatt - ok
16:51:11.0190 1628   Cpqarray - ok
16:51:13.0394 1628   dac2w2k - ok
16:51:14.0826 1628   dac960nt - ok
16:51:16.0087 1628   Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:51:16.0678 1628   Disk - ok
16:51:18.0931 1628   dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:51:22.0657 1628   dmboot - ok
16:51:23.0298 1628   dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:51:23.0819 1628   dmio - ok
16:51:24.0429 1628   dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:51:24.0970 1628   dmload - ok
16:51:25.0671 1628   DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:51:26.0452 1628   DMusic - ok
16:51:27.0293 1628   dpti2o - ok
16:51:28.0565 1628   drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:51:29.0417 1628   drmkaud - ok
16:51:30.0879 1628   E1000           (a8b3ec8ee13cbe14f067c72110155a1b) C:\WINDOWS\system32\DRIVERS\e1000325.sys
16:51:32.0581 1628   E1000 - ok
16:51:35.0656 1628   eeCtrl          (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
16:51:49.0816 1628   eeCtrl - ok
16:51:51.0659 1628   EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
16:51:51.0759 1628   EraserUtilRebootDrv - ok
16:51:53.0912 1628   Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:51:55.0624 1628   Fastfat - ok
16:51:56.0606 1628   Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:51:56.0656 1628   Fdc - ok
16:51:57.0637 1628   Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:51:57.0737 1628   Fips - ok
16:51:58.0228 1628   Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:51:58.0438 1628   Flpydisk - ok
16:51:59.0039 1628   FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
16:51:59.0410 1628   FltMgr - ok
16:51:59.0860 1628   Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:51:59.0930 1628   Fs_Rec - ok
16:52:00.0832 1628   Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:52:00.0962 1628   Ftdisk - ok
16:52:01.0423 1628   GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
16:52:01.0893 1628   GEARAspiWDM - ok
16:52:02.0624 1628   Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:52:02.0855 1628   Gpc - ok
16:52:03.0876 1628   hidusb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:52:04.0006 1628   hidusb - ok
16:52:04.0257 1628   hpn - ok
16:52:04.0677 1628   HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:52:04.0697 1628   HTTP - ok
16:52:04.0948 1628   i2omgmt - ok
16:52:05.0639 1628   i2omp - ok
16:52:05.0899 1628   i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:52:07.0702 1628   i8042prt - ok
16:52:08.0202 1628   Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:52:09.0064 1628   Imapi - ok
16:52:11.0497 1628   ini910u - ok
16:52:17.0506 1628   IntelIde        (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\drivers\intelide.sys
16:52:18.0607 1628   IntelIde - ok
16:52:24.0085 1628   intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\drivers\intelppm.sys
16:52:25.0998 1628   intelppm - ok
16:52:30.0014 1628   Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
16:52:34.0180 1628   Ip6Fw - ok
16:53:09.0000 1628   IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:53:45.0873 1628   IpFilterDriver - ok
16:53:59.0823 1628   IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:54:06.0262 1628   IpInIp - ok
16:54:15.0355 1628   IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:54:15.0936 1628   IpNat - ok
16:54:20.0222 1628   IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:54:27.0863 1628   IPSec - ok
16:54:29.0385 1628   IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:54:29.0906 1628   IRENUM - ok
16:54:38.0028 1628   isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\drivers\isapnp.sys
16:54:40.0301 1628   isapnp - ok
16:54:40.0672 1628   Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:54:40.0872 1628   Kbdclass - ok
16:54:41.0162 1628   kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:54:41.0172 1628   kmixer - ok
16:54:41.0473 1628   KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:54:41.0523 1628   KSecDD - ok
16:54:42.0104 1628   lbrtfdc - ok
16:54:43.0516 1628   MBAMProtector   (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
16:54:43.0696 1628   MBAMProtector - ok
16:54:47.0461 1628   mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:54:47.0491 1628   mnmdd - ok
16:54:47.0862 1628   Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:54:47.0872 1628   Modem - ok
16:54:48.0523 1628   Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:54:49.0564 1628   Mouclass - ok
16:54:50.0926 1628   mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:54:57.0596 1628   mouhid - ok
16:55:07.0150 1628   MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:55:10.0384 1628   MountMgr - ok
16:55:19.0738 1628   mraid35x - ok
16:55:21.0490 1628   MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:55:30.0023 1628   MRxDAV - ok
16:55:31.0745 1628   MRxSmb          (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    16:55:32.0696 1628   MRxSmb - ok
    16:55:34.0459 1628   Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    16:55:34.0509 1628   Msfs - ok
    16:55:36.0352 1628   MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    16:55:37.0664 1628   MSKSSRV - ok
    16:55:40.0137 1628   MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    16:55:40.0768 1628   MSPCLOCK - ok
    16:55:45.0515 1628   MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    16:55:46.0336 1628   MSPQM - ok
    16:55:47.0067 1628   mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    16:55:47.0217 1628   mssmbios - ok
    16:55:49.0300 1628   Mup             (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    16:55:49.0310 1628   Mup - ok
    16:55:51.0624 1628   NAVENG          (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120303.009\NAVENG.SYS
    16:56:00.0296 1628   NAVENG - ok
    16:56:06.0655 1628   NAVEX15         (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120303.009\NAVEX15.SYS
    16:56:12.0964 1628   NAVEX15 - ok
    16:56:16.0309 1628   NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    16:57:17.0157 1628   NDIS - ok
    16:57:32.0709 1628   NdisTapi        (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    16:57:33.0150 1628   NdisTapi - ok
    16:57:53.0369 1628   Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    16:58:00.0008 1628   Ndisuio - ok
    16:58:02.0031 1628   NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    16:58:08.0671 1628   NdisWan - ok
    16:58:10.0904 1628   NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    16:58:10.0964 1628   NDProxy - ok
    16:58:12.0376 1628   NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    16:58:13.0638 1628   NetBIOS - ok
    16:58:14.0579 1628   NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    16:58:15.0751 1628   NetBT - ok
    16:58:16.0372 1628   NIC1394         (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    16:58:16.0402 1628   NIC1394 - ok
    16:58:16.0712 1628   Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    16:58:16.0712 1628   Npfs - ok
    16:58:17.0383 1628   Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    16:58:18.0565 1628   Ntfs - ok
    16:58:18.0905 1628   Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    16:58:19.0316 1628   Null - ok
    16:58:20.0858 1628   nv              (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    16:58:23.0041 1628   nv - ok
    16:58:23.0692 1628   NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    16:58:24.0273 1628   NwlnkFlt - ok
    16:58:24.0824 1628   NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    16:58:24.0974 1628   NwlnkFwd - ok
    16:58:25.0315 1628   ohci1394        (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    16:58:25.0325 1628   ohci1394 - ok
    16:58:26.0246 1628   Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    16:58:26.0957 1628   Parport - ok
    16:58:29.0060 1628   PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    16:58:29.0461 1628   PartMgr - ok
    16:58:29.0901 1628   ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    16:58:30.0011 1628   ParVdm - ok
    16:58:30.0782 1628   PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\drivers\pci.sys
    16:58:30.0973 1628   PCI - ok
    16:58:31.0313 1628   PCIDump - ok
    16:58:31.0433 1628   PCIIde - ok
    16:58:32.0134 1628   Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    16:58:33.0036 1628   Pcmcia - ok
    16:58:34.0568 1628   PCnet           (7bc8027d56fab153a987c56ae9835664) C:\WINDOWS\system32\DRIVERS\pcntpci5.sys
    16:58:35.0559 1628   PCnet - ok
    16:58:36.0731 1628   PDCOMP - ok
    16:58:38.0524 1628   PDFRAME - ok
    16:58:39.0215 1628   PDRELI - ok
    16:58:39.0835 1628   PDRFRAME - ok
    16:58:40.0246 1628   perc2 - ok
    16:58:40.0416 1628   perc2hib - ok
    16:58:41.0268 1628   PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    16:58:42.0710 1628   PptpMiniport - ok
    16:58:43.0210 1628   PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    16:58:43.0931 1628   PSched - ok
    16:58:44.0923 1628   Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    16:58:45.0183 1628   Ptilink - ok
    16:58:45.0764 1628   ql1080 - ok
    16:58:46.0245 1628   Ql10wnt - ok
    16:58:46.0715 1628   ql12160 - ok
    16:58:47.0096 1628   ql1240 - ok
    16:58:47.0326 1628   ql1280 - ok
    16:58:47.0827 1628   RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    16:58:47.0877 1628   RasAcd - ok
    16:58:48.0959 1628   Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    16:58:49.0209 1628   Rasl2tp - ok
    16:58:49.0930 1628   RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    16:58:51.0392 1628   RasPppoe - ok
    16:58:52.0674 1628   Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    16:58:53.0115 1628   Raspti - ok
    16:58:54.0416 1628   Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    16:58:54.0557 1628   Rdbss - ok
    16:58:55.0248 1628   RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    16:58:55.0408 1628   RDPCDD - ok
    16:58:56.0149 1628   rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    16:58:56.0239 1628   rdpdr - ok
    16:58:57.0160 1628   RDPWD           (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    16:58:57.0361 1628   RDPWD - ok
    16:58:59.0213 1628   redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    16:59:01.0717 1628   redbook - ok
    16:59:11.0681 1628   Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    16:59:12.0623 1628   Secdrv - ok
    16:59:15.0457 1628   serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    16:59:16.0488 1628   serenum - ok
    16:59:17.0450 1628   Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    16:59:18.0131 1628   Serial - ok
    16:59:24.0089 1628   Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    16:59:24.0770 1628   Sfloppy - ok
    16:59:30.0268 1628   Simbad - ok
    16:59:34.0304 1628   smserial        (0eb62cdf4168c49e7568fd544f05d0f1) C:\WINDOWS\system32\DRIVERS\smserial.sys
    16:59:39.0842 1628   smserial - ok
    16:59:42.0536 1628   smwdm           (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
    16:59:46.0091 1628   smwdm - ok
    16:59:47.0292 1628   Sparrow - ok
    16:59:48.0815 1628   SPBBCDrv        (d7bb213566e16bca372e2cb517eda907) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    16:59:54.0343 1628   SPBBCDrv - ok
    16:59:56.0075 1628   splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    16:59:56.0345 1628   splitter - ok
    16:59:57.0046 1628   sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    16:59:57.0788 1628   sr - ok
    16:59:59.0370 1628   SRTSP           (4d61a5c45f82e02e73019cd4b31ba6e0) C:\WINDOWS\system32\Drivers\SRTSP.SYS
    17:00:03.0005 1628   SRTSP - ok
    17:00:04.0928 1628   SRTSPL          (932381c43c212901b38f30d6b1b54bf6) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    17:00:09.0064 1628   SRTSPL - ok
    17:00:09.0775 1628   SRTSPX          (0fbda1995a1389ee36e5c9335c4ea3eb) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
    17:00:10.0005 1628   SRTSPX - ok
    17:00:10.0726 1628   Srv             (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    17:00:10.0876 1628   Srv - ok
    17:00:11.0968 1628   STAC97          (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys
    17:00:12.0949 1628   STAC97 - ok
    17:00:13.0680 1628   swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    17:00:13.0700 1628   swenum - ok
    17:00:14.0211 1628   swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    17:00:14.0221 1628   swmidi - ok
    17:00:14.0722 1628   symc810 - ok
    17:00:15.0153 1628   symc8xx - ok
    17:00:15.0533 1628   SymEvent        (c5eafb6a8c73fb26b73ee613c1a5aef6) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    17:00:15.0783 1628   SymEvent - ok
    17:00:16.0084 1628   SYMREDRV        (be3c117150c055e50a4caf23e548c856) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    17:00:18.0287 1628   SYMREDRV - ok
    17:00:21.0391 1628   SYMTDI          (7b0af4e22b32f8c5bfba5a5d53522160) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    17:00:24.0145 1628   SYMTDI - ok
    17:00:24.0456 1628   sym_hi - ok
    17:00:29.0213 1628   sym_u3 - ok
    17:00:30.0394 1628   sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    17:00:30.0445 1628   sysaudio - ok
    17:00:32.0397 1628   Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    17:00:32.0658 1628   Tcpip - ok
    17:00:33.0950 1628   TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    17:00:34.0360 1628   TDPIPE - ok
    17:00:35.0342 1628   TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    17:00:37.0324 1628   TDTCP - ok
    17:00:38.0656 1628   Teefer2         (0dc098cc18a974e7c1e96e6846bd06e4) C:\WINDOWS\system32\DRIVERS\teefer2.sys
    17:00:38.0746 1628   Teefer2 - ok
    17:00:39.0698 1628   TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    17:00:40.0629 1628   TermDD - ok
    17:00:41.0290 1628   TosIde - ok
    17:00:43.0213 1628   Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    17:00:43.0613 1628   Udfs - ok
    17:00:45.0366 1628   ultra - ok
    17:00:47.0870 1628   Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    17:00:49.0442 1628   Update - ok
    17:00:50.0834 1628   usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    17:00:51.0365 1628   usbccgp - ok
    17:00:52.0396 1628   usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    17:00:52.0817 1628   usbehci - ok
    17:00:55.0130 1628   usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    17:00:58.0034 1628   usbhub - ok
    17:01:02.0360 1628   usbprint        (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    17:01:02.0671 1628   usbprint - ok
    17:01:06.0837 1628   usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    17:01:07.0097 1628   usbscan - ok
    17:01:08.0009 1628   USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    17:01:08.0119 1628   USBSTOR - ok
    17:01:09.0170 1628   usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    17:01:09.0220 1628   usbuhci - ok
    17:01:10.0071 1628   VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    17:01:10.0142 1628   VgaSave - ok
    17:01:11.0263 1628   ViaIde - ok
    17:01:12.0505 1628   VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    17:01:12.0845 1628   VolSnap - ok
    17:01:13.0516 1628   Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    17:01:13.0617 1628   Wanarp - ok
    17:01:13.0947 1628   WDICA - ok
    17:01:14.0127 1628   wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    17:01:14.0197 1628   wdmaud - ok
    17:01:14.0758 1628   WPS             (e52098e11a66288106d1ff4951c681e5) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    17:01:14.0758 1628   WPS - ok
    17:01:15.0239 1628   WpsHelper       (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
    17:01:15.0249 1628   WpsHelper - ok
    17:01:15.0569 1628   WS2IFSL         (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    17:01:15.0720 1628   WS2IFSL - ok
    17:01:15.0970 1628   WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    17:01:16.0080 1628   WudfPf - ok
    17:01:16.0451 1628   WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    17:01:16.0551 1628   WudfRd - ok
    17:01:16.0831 1628   MBR (0x1B8)     (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
    17:01:16.0891 1628   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    17:01:16.0981 1628   \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    17:01:17.0132 1628   Boot (0x1200)   (6f3b8d2ef95150f078e8ca68ac94893c) \Device\Harddisk0\DR0\Partition0
    17:01:17.0172 1628   \Device\Harddisk0\DR0\Partition0 - ok
    17:01:17.0172 1628   ============================================================
    17:01:17.0172 1628   Scan finished
    17:01:17.0172 1628   ============================================================
    17:01:24.0302 2700   Detected object count: 1
    17:01:24.0302 2700   Actual detected object count: 1
    17:07:51.0088 2700   \Device\Harddisk0\DR0\# - copied to quarantine
    17:07:51.0338 2700   \Device\Harddisk0\DR0 - copied to quarantine
    17:07:54.0733 2700   \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
    17:07:55.0985 2700   \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
    17:08:09.0505 2700   \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
    17:08:18.0347 2700   \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
    17:08:29.0263 2700   \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
    17:08:31.0897 2700   \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
    17:09:15.0730 2700   \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
    17:09:24.0933 2700   \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
    17:09:26.0265 2700   \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
    17:09:28.0028 2700   \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
    17:09:32.0073 2700   \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
    17:09:57.0049 2700   \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
    17:10:33.0091 2700   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    17:10:34.0153 2700   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    17:10:34.0153 2700   \Device\Harddisk0\DR0 - ok
    17:10:34.0393 2700   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    17:16:15.0493 3752   Deinitialize success
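Editor's added example, not part of the thread and not code from TDSSKiller. The "MBR (0x1B8) (md5) \Device\Harddisk0\DR0" line in the log above is most naturally read as an MD5 over the first 0x1B8 (440) bytes of sector 0, i.e. the boot loader code that sits before the 4-byte disk signature and the partition table; a boot-sector rootkit of the Pihar/TDL4 family replaces that code while leaving the partition table intact, which is why the detection is on the MBR and the partition itself comes back "ok". The script below builds a 512-byte MBR from constructed parts (a clean image using a few bytes of the classic MBR relocation prologue, and a "tampered" image whose loader bytes are a stand-in, not real rootkit code), parses the partition table, hashes the loader region the same way, and flags an image whose loader hash drifts from a baseline. The baseline hash is taken from the constructed clean image; it is not the hash of any real Windows XP MBR, and the partition layout is invented for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 0x1B8      # loader code hashed by the "MBR (0x1B8)" line (editor's reading of the log)
DISK_SIG_OFF = 0x1B8       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55AA
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions, disk_signature=0x12345678):
    """Assemble a 512-byte MBR from constructed parts (test data, not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_signature, 0) + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Return loader hash, disk signature and the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(mbr, baseline_md5):
    """Compare the loader region against a known-good hash and sanity-check the partition table."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_md5"] != baseline_md5:
        findings.append("boot code hash differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        findings.append("partition entries overlap")
    return findings


# Constructed data. The clean loader is the classic "xor ax,ax / mov ss,ax / mov sp,7C00h ..."
# relocation prologue padded with zeros; the tampered loader is a stand-in (jmp $ plus filler)
# for a bootkit that swaps the code but leaves the partition table untouched.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
TAMPERED_BOOT_CODE = b"\xEB\xFE" + b"\x41" * 64
PARTITIONS = [(0x80, 0x07, 63, 78124032)]   # one active NTFS partition (invented layout)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, PARTITIONS)
BASELINE_MD5 = parse_mbr(CLEAN_MBR)["boot_code_md5"]   # from the clean image, not from the log

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_mbr(image)["boot_code_md5"], check_mbr(image, BASELINE_MD5) or "ok")
```

On a real disk the 512 bytes would come from reading the raw device (which needs administrator rights and, on an infected machine, may be lied to by the rootkit's disk hooks, as the ComboFix output later in this thread hints with its atapi DriverStartIo hook); the baseline would be the hash of the same OEM loader taken from a known-clean install. Both images here parse to the identical partition table, and only the tampered one trips the hash check.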

    Offline Hoov
    Re: [In Progress] Potential Google Redirect Problem
    « Reply #10 on: March 04, 2012, 05:47:51 pm »
    * Anyone other than the originator of this thread would be best advised not to run ComboFix without guidance from someone trained in its use. It is a very powerful tool that can damage your computer if used wrongly.

    Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    * Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

    Please include the C:\ComboFix.txt in your next reply for further review.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Consumer Security

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    Offline Lantern7
    Re: [In Progress] Potential Google Redirect Problem
    « Reply #11 on: March 04, 2012, 11:56:40 pm »
    I tried that, but the laptop froze. However, I did run it on Friday. Here's the log, if it helps:

    ComboFix 12-03-02.01 - Owner 03/02/2012  22:09:12.1.1 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.220 [GMT -5:00]
    Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\SPL11C.tmp
    c:\documents and settings\All Users\SPL1AF.tmp
    c:\documents and settings\Owner\My Documents\R166248.zip
    c:\windows\system32\oobe\msoobe.exe
    c:\windows\system32\oobe\oobebaln.exe
    c:\windows\system32\SETB5.tmp
    c:\windows\system32\SETB6.tmp
    c:\windows\system32\SETB8.tmp
    c:\windows\system32\SETBE.tmp
    c:\windows\system32\SETBF.tmp
    c:\windows\system32\SETC0.tmp
    c:\windows\system32\SETC4.tmp
    c:\windows\system32\SETC6.tmp
    .
    .
    (((((((((((((((((((((((((   Files Created from 2012-02-03 to 2012-03-03  )))))))))))))))))))))))))))))))
    .
    .
    2012-02-27 02:58 . 2012-02-27 02:58   19416   ----a-w-   c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2012-02-22 02:33 . 2012-02-22 02:33   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
    2012-02-22 02:25 . 2012-02-22 02:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-02-22 02:24 . 2011-12-10 20:24   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2012-02-22 02:24 . 2012-02-22 02:31   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
    2012-02-20 16:03 . 2012-02-20 16:03   --------   d-----w-   c:\documents and settings\Owner\Application Data\DriverCure
    2012-02-20 16:03 . 2012-02-20 16:03   --------   d-----w-   c:\documents and settings\Owner\Application Data\SpeedyPC Software
    2012-02-20 15:59 . 2012-02-20 15:59   --------   d-----w-   c:\program files\Common Files\SpeedyPC Software
    2012-02-20 15:59 . 2012-02-20 15:59   --------   d-----w-   c:\program files\SpeedyPC Software
    2012-02-20 15:59 . 2012-02-20 15:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\SpeedyPC Software
    2012-02-19 07:45 . 2012-02-19 07:45   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
    2012-02-16 05:17 . 2012-02-16 05:17   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
    2012-02-14 23:31 . 2012-01-11 19:06   3072   -c----w-   c:\windows\system32\dllcache\iacenc.dll
    2012-02-14 23:31 . 2012-01-11 19:06   3072   ------w-   c:\windows\system32\iacenc.dll
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-24 16:27 . 2011-09-02 04:50   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 16:53 . 2008-04-13 23:00   1859968   ----a-w-   c:\windows\system32\win32k.sys
    2011-12-17 19:46 . 2008-04-13 23:00   916992   ----a-w-   c:\windows\system32\wininet.dll
    2011-12-17 19:46 . 2008-04-13 23:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
    2011-12-17 19:46 . 2008-04-13 23:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22 . 2008-04-13 23:00   385024   ----a-w-   c:\windows\system32\html.iec
    2012-02-27 02:57 . 2012-02-27 02:57   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-07-20 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-02-12 115560]
    "SMSERIAL"="sm56hlpr.exe" [2008-08-05 557056]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
    "dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
    "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
    "DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "c:\\WINDOWS\\system32\\dlcxcoms.exe"=
    .
    R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2012 9:25 PM 652360]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [9/8/2011 5:00 PM 95200]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/3/2012 4:00 AM 106104]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/21/2012 9:24 PM 20464]
    S0 cerc6;cerc6;

    S2 gupdate1ca1b2e32a2fe4e;Google Update Service (gupdate1ca1b2e32a2fe4e);c:\program files\Google\Update\GoogleUpdate.exe [8/12/2009 4:20 AM 133104]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/12/2009 4:20 AM 133104]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 09:20]
    .
    2012-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 09:20]
    .
    2012-02-20 c:\windows\Tasks\SpeedyPC Pro.job
    - c:\program files\SpeedyPC Software\SpeedyPC\SpeedyPC.exe [2011-10-09 01:19]
    .
    2012-02-27 c:\windows\Tasks\SpeedyPC Registration3.job
    - c:\program files\Common Files\SpeedyPC Software\UUS3\UUS3.dll [2011-10-06 16:18]
    .
    2012-02-23 c:\windows\Tasks\SpeedyPC Update Version3.job
    - c:\program files\Common Files\SpeedyPC Software\UUS3\SpeedyPC_Update3.exe [2011-10-06 16:18]
    .
    2012-03-03 c:\windows\Tasks\User_Feed_Synchronization-{296B6A4D-0A3B-4748-8233-BD34781CA63D}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hohfuz2c.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-Symantec Antvirus
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-02 22:42
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: HITACHI_DK23EB-40 rev.00K0A0C0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
    .
    device: opened successfully
    user: MBR read successfully
    error: Read  A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x822662C6
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(956)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(1028)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3644)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\dlcxcoms.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\sm56hlpr.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-02  22:55:27 - machine was rebooted
    ComboFix-quarantined-files.txt  2012-03-03 03:55
    .
    Pre-Run: 25,309,929,472 bytes free
    Post-Run: 26,751,733,760 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect
    .
    - - End Of File - - D2C247125EAC0627640B0429DAB907AF
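Added example (not part of the thread, and not ComboFix or Gmer code): a short Python script that reads the rootkit-detector block and the boot.ini dump from a ComboFix log like the one above and turns them into triage findings. Two things in this particular log deserve to be called out. The `\Driver\atapi DriverStartIo -> 0x...` line under "detected hooks:" is the footprint of the TDL3/TDSS rootkit family, which patches a disk-stack driver and hooks its I/O dispatch so the infected sectors are hidden from everything above it; that hook is why a helper reaches for TDSSKiller next, and it is also why "user & kernel MBR OK" is not reassuring on its own (TDL3 leaves the MBR untouched). The `/noexecute=AlwaysOff` switch on the boot entry disables DEP for every process. The SAMPLE_LOG text is a constructed copy of the relevant lines from the posted log; the finding wording and the DISK_STACK_DRIVERS set are my own choices.

```python
"""Triage the tail of a ComboFix log: the Gmer rootkit-detector block and the
boot.ini dump. Added example, not part of the thread or of ComboFix itself."""
import re

# Constructed sample: a copy of the relevant lines from the log posted above.
SAMPLE_LOG = r"""
    Windows 5.1.2600 Disk: HITACHI_DK23EB-40 rev.00K0A0C0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
    .
    device: opened successfully
    user: MBR read successfully
    error: Read  A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x822662C6
    user & kernel MBR OK
    .
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect
"""

# One hook line: \Driver\<driver> <routine> -> 0x<kernel address>
HOOK_RE = re.compile(
    r"^\\Driver\\(?P<driver>[^\s\\]+)\s+(?P<routine>\S+)\s*->\s*(?P<addr>0x[0-9A-Fa-f]+)$")
# One boot.ini entry: <arc path>="<display name>" <switches...>
BOOT_ENTRY_RE = re.compile(r'^(?P<arc>\S+)="(?P<name>[^"]*)"(?P<switches>.*)$')

# Drivers in the XP IDE/disk stack (my own list, not from ComboFix). A
# DriverStartIo hook on one of these is the TDL3/TDSS footprint.
DISK_STACK_DRIVERS = {"atapi", "disk"}


def parse_combofix_tail(text):
    """Collect the disk name, raw-read errors, kernel hooks, the MBR verdict
    and the boot.ini entries from the end of a ComboFix log."""
    info = {"disk": None, "errors": [], "hooks": [], "mbr_ok": False,
            "boot_entries": []}
    section = None  # None, "hooks" (inside 'detected hooks:') or "boot"
    for raw in text.splitlines():
        line = raw.strip()
        if section == "hooks":
            m = HOOK_RE.match(line)
            if m:
                info["hooks"].append(
                    (m["driver"], m["routine"], int(m["addr"], 16)))
                continue
            section = None  # first non-hook line closes the hook list
        if line.startswith("Windows ") and "Disk:" in line:
            info["disk"] = line.split("Disk:", 1)[1].split("rev.", 1)[0].strip()
        elif line.startswith("error:"):
            info["errors"].append(line[len("error:"):].strip())
        elif line == "detected hooks:":
            section = "hooks"
        elif line.endswith("MBR OK"):
            info["mbr_ok"] = True
        elif line == "[operating systems]":
            section = "boot"
        elif section == "boot":
            m = BOOT_ENTRY_RE.match(line)
            if m:
                info["boot_entries"].append((m["name"], m["switches"].split()))
    return info


def triage(info):
    """Turn the parsed facts into findings a helper would act on."""
    findings = []
    for driver, routine, addr in info["hooks"]:
        if driver.lower() in DISK_STACK_DRIVERS:
            findings.append(
                f"{driver}.sys {routine} redirected to {addr:#010x}: disk-stack "
                "hook, TDL3/TDSS pattern; run TDSSKiller before trusting other scans")
    if any("not functioning" in e for e in info["errors"]):
        findings.append(
            "raw MBR read failed with ERROR_GEN_FAILURE ('A device attached to the "
            "system is not functioning'): consistent with I/O being filtered below "
            "the file system, not conclusive on its own")
    if info["mbr_ok"] and info["hooks"]:
        findings.append(
            "'user & kernel MBR OK' does not clear the machine: TDL3 infects a "
            "driver file and hooks the disk stack, it leaves the MBR untouched")
    for name, switches in info["boot_entries"]:
        if any(s.lower() == "/noexecute=alwaysoff" for s in switches):
            findings.append(
                f"boot entry '{name}' has /noexecute=AlwaysOff: DEP disabled for every "
                "process; restore /noexecute=OptIn (the XP default) once the box is clean")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix_tail(SAMPLE_LOG)):
        print("-", finding)
```

Run it as is to see the findings for the embedded sample, or replace SAMPLE_LOG with the contents of the saved ComboFix log (C:\ComboFix.txt by default). A clean machine yields an empty hook list and no findings, so the same script is a quick check that a ComboFix run after TDSSKiller actually came back clean.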

    Offline Hoov
    Re: [In Progress] Potential Google Redirect Problem
    « Reply #12 on: March 05, 2012, 12:36:44 am »
    Can you reboot to safe mode and try running it again?

    Consumer Security

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    Offline Lantern7
    Re: [In Progress] Potential Google Redirect Problem
    « Reply #13 on: March 07, 2012, 01:06:25 am »
    Downloaded ComboFix and ran it. Computer froze. Ran it in safe mode . . . laptop froze for over ten minutes. I'm thinking I should try it again, and let it sit for a few hours. Any thoughts, Hoov?

    Offline Hoov
    Re: [In Progress] Potential Google Redirect Problem
    « Reply #14 on: March 07, 2012, 08:46:48 am »
    No, don't try it again; let's try a few things first and see what happens.

    Please download Rkill by Grinler and save it to your desktop.
      Link 2
      Link 3
      Link 4

      • Double-click on the Rkill desktop icon to run the tool.
      • If using Vista, right-click on it and Run As Administrator.
      • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      • If not, delete the file, then download and use the one provided in Link 2.
      • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
      • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      • If the tool does not run from any of the links provided, please let me know.
      Please read carefully and follow these steps.
      • Download TDSSKiller and save it to your Desktop.
      • Extract its contents to your desktop.
      • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
      • If an infected file is detected, the default action will be Cure; click on Continue.
      • If a suspicious file is detected, the default action will be Skip; click on Continue.
      • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
      • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
      • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
      Please download Malwarebytes Anti-Malware and save it to your desktop.
      alternate download link 1
      alternate download link 2

      MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
      • Make sure you are connected to the Internet.
      • Double-click on mbam-setup.exe to install the application.
      • When the installation begins, follow the prompts and do not make any changes to default settings.
      • When installation has finished, make sure you leave both of these checked:
        • Update Malwarebytes' Anti-Malware
        • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      MBAM will automatically start and you will be asked to update the program before performing a scan.
      • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
      • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
      On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.
      • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
      • Click OK to close the message box and continue with the removal process.
      Back at the main Scanner screen:
      • Click on the Show Results button to see a list of any malware that was found.
      • Make sure that everything is checked, and click Remove Selected.
      • When removal is completed, a log report will open in Notepad.
      • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the contents of that report in your next reply. Be sure to post the complete log, including the top portion which shows MBAM's database version and your operating system.
      • Exit MBAM when done.
      Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
