Search Redirect Virus...Please Help!



ImmortalDarknyss
01-23-2010, 09:39 PM
My Toshiba notebook has been infected with some type of virus that redirects me to a bad site if I click on any links found with Google or Bing.

McAfee Anti-Virus supposedly found and deleted the Trojan that started this, but the search problem persisted. So I purchased Spyware Doctor hoping it would help. It removed a few more things, but the redirect kept happening. I then tried Malwarebytes Anti-Malware, which again found a Trojan and quarantined and deleted it. However, still no luck.

Finally, I ran a scan with HiJackThis, but unfortunately I'm not very computer savvy so I'm unsure what is really safe to delete. I'm posting the scan log in hopes that someone with a better understanding than myself can shed a little light. Thank you in advance! I never realized how much I use Google until now that I can't use it...!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:50 PM, on 1/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSMain.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.angelfire.com/wizard/verysecretdiary
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O24 - Desktop Component 1: LeakyNews counts down to Order of the Phoenix and Deathly Hallows - http://www.the-leaky-cauldron.org/static_downloads/jointcount.html

--
End of file - 11798 bytes

haapy
01-23-2010, 10:54 PM
First off, here is the tutorial for HiJackThis

http://www.pctools.com/forum/showthread.php?t=55651


Second, some things for you to Bing, as I do recognize them.

C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\TPSBattM.exe
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-27-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O24 - Desktop Component 1: LeakyNews counts down to Order of the Phoenix and Deathly Hallows - http://www.the-leaky-cauldron.org/st...ointcount.html




Third, a deletion
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Lastly, use HiJackThis, misc tools to check your HOSTS file to see that it has not been hijacked.

You may want to consider a scan with Superantispyware and Avira Antivirus.

If you do, disable McAfee and Spyware Doctor prior to installing. Delete the programs when done scanning so as to not have conflict with McAfee and Spyware Doctor.

You might consider dumping McAfee altogether and upgrade to Spyware Doctor with Antivirus.
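
A small triage script covering the two checks suggested in this post: reviewing the R0/R1 browser-settings lines of a HijackThis log, and checking that the HOSTS file has not been hijacked. This is an added example, not code from the thread, HijackThis or PC Tools; the watch-list of domains and the sample HOSTS contents are constructed assumptions, while the R-lines are copied from the log posted above.

```python
"""Triage helpers for two checks: reviewing the R0/R1 browser-settings lines
of a HijackThis log, and checking a Windows HOSTS file for hijacked name
mappings.  Example code, not the thread's own; the sample input below is
constructed except for the R-lines copied from the posted log."""
import ipaddress
import re

# Assumed watch-list: names a HOSTS hijack commonly pins or diverts.
# Extend to taste; nothing here is asserted by the thread itself.
WATCHED_DOMAINS = {
    "google.com", "www.google.com", "bing.com", "www.bing.com",
    "malwarebytes.org", "www.malwarebytes.org",
}
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in HOSTS text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address: skip the line
        for host in fields[1:]:
            yield ip, host.lower(), lineno


def hosts_findings(text):
    """Return (line, host, ip, reason) for entries that deserve a look.

    A clean XP HOSTS file is just '127.0.0.1 localhost', which is what the
    poster saw; 0.0.0.0 ad-blocking entries are left alone."""
    findings = []
    for ip, host, lineno in parse_hosts(text):
        if host == "localhost" and ip in LOOPBACK:
            continue
        if host in WATCHED_DOMAINS:
            findings.append((lineno, host, str(ip), "watched domain present in HOSTS"))
        elif ip not in LOOPBACK and not ip.is_unspecified:
            findings.append((lineno, host, str(ip), "maps to a non-loopback address"))
    return findings


# Matches "R0 - HKCU\Software\...\Main,Start Page = http://..." style lines.
HJT_R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM))\\(.+?),(\w[\w ]*) = (.+)$")
MICROSOFT_DEFAULTS = ("http://go.microsoft.com/fwlink/",)


def review_hjt_r_entries(log_text, expected_start_pages=()):
    """Return (code, name, value, reason) for R0/R1 lines worth a look:
    any proxy setting, and any start/search URL that is neither the
    Microsoft default nor one the user recognises."""
    flagged = []
    for line in log_text.splitlines():
        m = HJT_R_LINE.match(line.strip())
        if not m:
            continue
        code, _hive, _key, name, value = m.groups()
        if name.startswith("Proxy"):
            flagged.append((code, name, value, "proxy setting present; confirm you set it"))
        elif not value.startswith(MICROSOFT_DEFAULTS) and value not in expected_start_pages:
            flagged.append((code, name, value, "unrecognised browser start/search URL"))
    return flagged


# Constructed sample HOSTS file (not the poster's real file).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         ads.example            # ad-blocking style entry, left alone
127.0.0.1       www.google.com         # search engine pinned to loopback
203.0.113.7     www.malwarebytes.org   # vendor site sent to an outside address
203.0.113.7     update.example         # unknown host sent outside
"""

# R-lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.angelfire.com/wizard/verysecretdiary",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll",
])

if __name__ == "__main__":
    for finding in hosts_findings(SAMPLE_HOSTS):
        print("HOSTS line %d: %s -> %s (%s)" % finding)
    for finding in review_hjt_r_entries(SAMPLE_HJT):
        print("HJT %s %s = %s (%s)" % finding)
```

Run as-is it lists the three suspicious HOSTS mappings and two HijackThis lines: the angelfire start page (flagged only until it is passed in `expected_start_pages`, as the poster later confirms it is their home page) and the ProxyOverride entry, which is listed for confirmation rather than declared malicious.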

ImmortalDarknyss
01-24-2010, 12:47 AM
Ok. I read through the tutorial. As far as I can tell, the things you pointed out are actually legit so I left them alone. And I checked the host file and it appears to be ok (127.0.0.1 localhost is what came up from the misc tools check).

I did use HiJackThis to fix/delete the "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local".

Afterwards, I restarted the computer. Then, I tried to do a search with Google but unfortunately I'm still getting redirected. Any thoughts for the next step?

haapy
01-24-2010, 12:53 AM
Did you scan with Avira and Superantispyware?

Also get CCleaner from filehippo.com and delete all your temp files.

ImmortalDarknyss
01-25-2010, 02:00 AM
Thank you so much! I ran Superantispyware, then Avira, then I uninstalled them as suggested. I also uninstalled McAfee (my comp actually seems to run a lot faster now!) since my subscription was almost up anyway and I now have Spyware Doctor w/ Antivirus. Then I ran CCleaner and restarted: the search problem is now fixed! :D I really hope that's the last I'll ever see of this annoying bug. Thanks again for your help!

haapy
01-25-2010, 02:08 AM
Glad it helped.

You might also want to run Malwarebytes Antimalware from malwarebytes.org.

Better to err on the side of caution.

ImmortalDarknyss
01-25-2010, 08:41 PM
Just one more heads up for anyone else who may have picked up this bug: it seems I may have gotten it from visiting Hulu! I went over there just now, and I got a strange pop up and suddenly the search redirect started again. :mad: Luckily, I ran CCleaner right away and the problem immediately stopped. I'm going to run Malwarebytes again just to be extra sure. This is one annoying bug. I'm starting to get paranoid to go anywhere online!

ImmortalDarknyss
01-26-2010, 03:34 AM
::sigh:: Well maybe I was wrong about Hulu. Now it seems like once in a while, a random popup window will appear no matter what site I'm on and the search redirect starts up again. :( I suppose this means that the problem is still not entirely fixed. CCleaner seems to clear it up for a while, but it keeps coming back somehow. Neither Malwarebytes or Spy Doctor w/Antivirus can find anything but a few cookies that they supposedly delete after the scans. Not sure what to do now. I'm getting dizzy going in circles with this thing.

haapy
01-26-2010, 04:57 AM
OK try this.

Wipe out your system restore points, right click My Computer, properties, system restore, turn off system restore.

Run CCleaner, in options advanced, uncheck everything, run cleaner.

Run SD full scan, run MBAM full scan.

Re-boot

Turn on your system restore points, right click My Computer, properties, system restore, uncheck turn off system restore.

Run HijackThis, there is a tutorial in Software Recommendations forum, look for strange stuff. If you do not know what an entry is, and HJT find info does not help, bing before deleting.

See if that helps.

ImmortalDarknyss
01-27-2010, 12:26 AM
Followed all your instructions, and also ran CCleaner's registry cleaner. No luck. :( I keep getting redirected to an rle822x.cn address, which then directs me to another random bogus site. I have Spyware Doctor set to block access to it, but that still doesn't help me getting redirected.

haapy
01-27-2010, 12:58 AM
Do you know what this is? (from HiJackThis)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.angelfire.com/wizard/verysecretdiary

and this?

O24 - Desktop Component 1: LeakyNews counts down to Order of the Phoenix and Deathly Hallows - http://www.the-leaky-cauldron.org/st...ointcount.html

--
If you do not know, delete them and see if this makes a difference.

ImmortalDarknyss
01-27-2010, 03:33 AM
The first one is my homepage. And the second one was a remnant of a desktop widget I had installed a few years ago. I deleted it with HiJackThis, but it didn't help the current problem.

haapy
01-27-2010, 04:33 AM
I found this on Bleeping Computer:

I fixed the Google links redirecting to rle822x.cn.

After fixing a trojan/malware infection, I wound up with Google redirecting my search results to various websites, followed immediately by rle822x.cn. The only way to avoid it was right clicking the link and choosing to open in background or duplicated tabs.

Hijack This! showed no redirects, BHOs, or other suspicious items. Avira, Spyware Blaster, Malware Bytes...all of them showed a clean machine.

I changed my "hosts" file, and I added rle822x.cn to it. This stopped the page from loading, but still left me with a "cannot load site" message and required me to go back and take the long way through. The only information on the web said I had to reformat my system. (Something I avoid like the plague.)

I performed a simple edit in my Configuration file, and can now go directly to any page from both my Google search results and my Google home page links.

Fixing it requires editing values (in mine, only three) in the Firefox configuration. You will keep a copy of the original value. Disclaimer: Don't do this unless you're comfortable changing the values, I'm not responsible for errors, etc, etc...

Type about:config in the address bar.
Type "patterns" in the search bar.
I have the extensions adblock plus and the filter for it installed as extensions, and "patterns" gave me 4 results, 3 with string values (really, really long strings!).
My results were adblock.patterns, extensions.adblockplus.synch.Filterset.G.patterns, and fgupdater.patterns.

Right click the first entry, choose copy. Paste it to a word processing document. (This is your backup.) Go back to the entry, right click, and choose edit. Go to the end (right arrow key), type one space, then type rle822x.cn.

Repeat this action for the other two. (You may have more or less.) Save the document with your original entries as backup.

You should now be able to use Google normally, without being redirected or hijacked by the rle822x whatever-it-is.

haapy
01-27-2010, 04:43 AM
Apparently this is one nasty piece of malware. Try this.

Whatever it is that is causing the redirects is hiding from everything.

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

http://support.kaspersky.com/viruses/solutions?qid=208280684

Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
"%userprofile%\Desktop\TDSSKiller.exe" -v

Follow the instructions to type in "delete" when it asks you what to do when it finds something.
When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

haapy
01-28-2010, 01:13 AM
I would appreciate it if you would run the MD tool along with a History file.

Instructions are here:

http://www.pctools.com/forum/showthread.php?t=55923

This will allow the PC Tools team to check this out further with the MD log.

Thanks.

ImmortalDarknyss
01-28-2010, 06:59 AM
Ok. Just ran the TDSSKiller. It seems to have found/fixed a few issues. I rebooted afterwards, and so far I haven't gotten the redirect again. The log file is attached. Next post I will run another SD full scan and follow up with the MD if necessary. But here's hoping the TDSSKiller zapped whatever this thing is.



01:10:44:046 1912 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
01:10:44:046 1912 ================================================================================
01:10:44:046 1912 SystemInfo:

01:10:44:046 1912 OS Version: 5.1.2600 ServicePack: 3.0
01:10:44:046 1912 Product type: Workstation
01:10:44:046 1912 ComputerName: BETHNOTEBOOK
01:10:44:046 1912 UserName: Beth
01:10:44:046 1912 Windows directory: C:\WINDOWS
01:10:44:046 1912 Processor architecture: Intel x86
01:10:44:046 1912 Number of processors: 1
01:10:44:046 1912 Page size: 0x1000
01:10:44:125 1912 Boot type: Normal boot
01:10:44:125 1912 ================================================================================
01:10:44:500 1912 UnloadDriverW: NtUnloadDriver error 2
01:10:44:500 1912 ForceUnloadDriverW: UnloadDriverW(klmd21) error 0
01:10:44:531 1912 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
01:10:49:437 1912 UtilityInit: KLMD drop and load success
01:10:49:437 1912 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
01:10:49:437 1912 UtilityInit: KLMD open success
01:10:49:437 1912 UtilityInit: Initialize success
01:10:49:437 1912
01:10:49:437 1912 Scanning Services ...
01:10:49:437 1912 CreateRegParser: Registry parser init started
01:10:49:437 1912 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
01:10:49:437 1912 CreateRegParser: DisableWow64Redirection error
01:10:49:437 1912 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
01:10:49:437 1912 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
01:10:49:437 1912 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
01:10:49:437 1912 wfopen_ex: Trying to KLMD file open
01:10:49:437 1912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
01:10:49:437 1912 wfopen_ex: File opened ok (Flags 2)
01:10:49:437 1912 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 1654900
01:10:49:437 1912 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
01:10:49:437 1912 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
01:10:49:437 1912 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
01:10:49:437 1912 wfopen_ex: Trying to KLMD file open
01:10:49:437 1912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
01:10:49:437 1912 wfopen_ex: File opened ok (Flags 2)
01:10:49:437 1912 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 16549A8
01:10:49:437 1912 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
01:10:49:437 1912 CreateRegParser: EnableWow64Redirection error
01:10:49:437 1912 CreateRegParser: RegParser init completed
01:10:50:500 1912 GetAdvancedServicesInfo: Raw services enum returned 335 services
01:10:50:500 1912 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
01:10:50:500 1912 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
01:10:50:500 1912
01:10:50:500 1912 Scanning Kernel memory ...
01:10:50:500 1912 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
01:10:50:500 1912 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84EC2898
01:10:50:500 1912 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
01:10:50:500 1912
01:10:50:500 1912 DetectCureTDL3: DEVICE_OBJECT: 83F4E460
01:10:50:500 1912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83F4E460
01:10:50:500 1912 KLMD_ReadMem: Trying to ReadMemory 0x83F4E460[0x38]
01:10:50:500 1912 DetectCureTDL3: DRIVER_OBJECT: 84EC2898
01:10:50:500 1912 KLMD_ReadMem: Trying to ReadMemory 0x84EC2898[0xA8]
01:10:50:500 1912 KLMD_ReadMem: Trying to ReadMemory 0xE178FA58[0x18]
01:10:50:500 1912 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:10:50:500 1912 DetectCureTDL3: IrpHandler (0) addr: F7696BB0
01:10:50:500 1912 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (2) addr: F7696BB0
01:10:50:500 1912 DetectCureTDL3: IrpHandler (3) addr: F7690D1F
01:10:50:500 1912 DetectCureTDL3: IrpHandler (4) addr: F7690D1F
01:10:50:500 1912 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (9) addr: F76912E2
01:10:50:500 1912 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (14) addr: F76913BB
01:10:50:500 1912 DetectCureTDL3: IrpHandler (15) addr: F7694F28
01:10:50:500 1912 DetectCureTDL3: IrpHandler (16) addr: F76912E2
01:10:50:500 1912 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (22) addr: F7692C82
01:10:50:500 1912 DetectCureTDL3: IrpHandler (23) addr: F769799E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
01:10:50:500 1912 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
01:10:50:500 1912 TDL3_FileDetect: Processing driver: Disk
01:10:50:500 1912 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
01:10:50:500 1912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
01:10:50:562 1912 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:10:50:562 1912
01:10:50:562 1912 DetectCureTDL3: DEVICE_OBJECT: 83E4B5B8
01:10:50:562 1912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83E4B5B8
01:10:50:562 1912 DetectCureTDL3: DEVICE_OBJECT: 83E90E50
01:10:50:562 1912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83E90E50
01:10:50:562 1912 DetectCureTDL3: DEVICE_OBJECT: 83E89888
01:10:50:562 1912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83E89888
01:10:50:562 1912 KLMD_ReadMem: Trying to ReadMemory 0x83E89888[0x38]
01:10:50:562 1912 DetectCureTDL3: DRIVER_OBJECT: 84AF70A8
01:10:50:562 1912 KLMD_ReadMem: Trying to ReadMemory 0x84AF70A8[0xA8]
01:10:50:562 1912 KLMD_ReadMem: Trying to ReadMemory 0xE1C17530[0x1E]
01:10:50:562 1912 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
01:10:50:562 1912 DetectCureTDL3: IrpHandler (0) addr: EB315218
01:10:50:562 1912 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (2) addr: EB315218
01:10:50:562 1912 DetectCureTDL3: IrpHandler (3) addr: EB31523C
01:10:50:562 1912 DetectCureTDL3: IrpHandler (4) addr: EB31523C
01:10:50:562 1912 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (14) addr: EB315180
01:10:50:562 1912 DetectCureTDL3: IrpHandler (15) addr: EB3109E6
01:10:50:562 1912 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (22) addr: EB3145F0
01:10:50:562 1912 DetectCureTDL3: IrpHandler (23) addr: EB312A6E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
01:10:50:562 1912 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
01:10:50:562 1912 KLMD_ReadMem: Trying to ReadMemory 0xEB311F26[0x400]
01:10:50:562 1912 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
01:10:50:562 1912 TDL3_FileDetect: Processing driver: USBSTOR
01:10:50:562 1912 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:10:50:562 1912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:10:50:640 1912 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
01:10:50:640 1912
01:10:50:640 1912 DetectCureTDL3: DEVICE_OBJECT: 84F56030
01:10:50:640 1912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84F56030
01:10:50:640 1912 KLMD_ReadMem: Trying to ReadMemory 0x84F56030[0x38]
01:10:50:640 1912 DetectCureTDL3: DRIVER_OBJECT: 84EC2898
01:10:50:640 1912 KLMD_ReadMem: Trying to ReadMemory 0x84EC2898[0xA8]
01:10:50:640 1912 KLMD_ReadMem: Trying to ReadMemory 0xE178FA58[0x18]
01:10:50:640 1912 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:10:50:640 1912 DetectCureTDL3: IrpHandler (0) addr: F7696BB0
01:10:50:640 1912 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (2) addr: F7696BB0
01:10:50:640 1912 DetectCureTDL3: IrpHandler (3) addr: F7690D1F
01:10:50:640 1912 DetectCureTDL3: IrpHandler (4) addr: F7690D1F
01:10:50:640 1912 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (9) addr: F76912E2
01:10:50:640 1912 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (14) addr: F76913BB
01:10:50:640 1912 DetectCureTDL3: IrpHandler (15) addr: F7694F28
01:10:50:640 1912 DetectCureTDL3: IrpHandler (16) addr: F76912E2
01:10:50:640 1912 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (22) addr: F7692C82
01:10:50:640 1912 DetectCureTDL3: IrpHandler (23) addr: F769799E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
01:10:50:640 1912 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
01:10:50:640 1912 TDL3_FileDetect: Processing driver: Disk
01:10:50:640 1912 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
01:10:50:640 1912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
01:10:50:656 1912 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
01:10:50:656 1912
01:10:50:656 1912 DetectCureTDL3: DEVICE_OBJECT: 84FD2AB8
01:10:50:656 1912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84FD2AB8
01:10:50:656 1912 DetectCureTDL3: DEVICE_OBJECT: 84EC2288
01:10:50:656 1912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84EC2288
01:10:50:656 1912 DetectCureTDL3: DEVICE_OBJECT: 84F60818
01:10:50:656 1912 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84F60818
01:10:50:656 1912 KLMD_ReadMem: Trying to ReadMemory 0x84F60818[0x38]
01:10:50:656 1912 DetectCureTDL3: DRIVER_OBJECT: 84FCC610
01:10:50:656 1912 KLMD_ReadMem: Trying to ReadMemory 0x84FCC610[0xA8]
01:10:50:656 1912 KLMD_ReadMem: Trying to ReadMemory 0x84FD4030[0x38]
01:10:50:656 1912 KLMD_ReadMem: Trying to ReadMemory 0x84F60D20[0xA8]
01:10:50:656 1912 KLMD_ReadMem: Trying to ReadMemory 0xE176B1B0[0x1A]
01:10:50:656 1912 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
01:10:50:656 1912 DetectCureTDL3: IrpHandler (0) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (1) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (2) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (3) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (4) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (5) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (6) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (7) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (8) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (9) addr: 84EC6856
01:10:50:656 1912 DetectCureTDL3: IrpHandler (10) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (11) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (12) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (13) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (14) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (15) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (16) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (17) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (18) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (19) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (20) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (21) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (22) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (23) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (24) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (25) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: IrpHandler (26) addr: 84EC6856
01:10:50:671 1912 DetectCureTDL3: All IRP handlers pointed to one addr: 84EC6856
01:10:50:671 1912 KLMD_ReadMem: Trying to ReadMemory 0x84EC6856[0x400]
01:10:50:671 1912 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
01:10:50:671 1912 Driver "atapi" Irp handler infected by TDSS rootkit ... 01:10:50:671 1912 KLMD_WriteMem: Trying to WriteMemory 0x84EC68CF[0xD]
01:10:50:671 1912 cured
01:10:50:671 1912 KLMD_ReadMem: Trying to ReadMemory 0x84EC6701[0x400]
01:10:50:671 1912 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
01:10:50:671 1912 Driver "atapi" StartIo handler infected by TDSS rootkit ... 01:10:50:671 1912 TDL3_StartIoHookCure: Number of patches 1
01:10:50:671 1912 KLMD_WriteMem: Trying to WriteMemory 0x84EC680A[0x6]
01:10:50:671 1912 cured
01:10:50:671 1912 TDL3_FileDetect: Processing driver: atapi
01:10:50:671 1912 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
01:10:50:671 1912 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
01:10:50:687 1912 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
01:10:50:687 1912 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 01:10:50:687 1912 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
01:10:50:687 1912 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\File Repository\*) error 3
01:10:50:750 1912 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
01:10:50:937 1912 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
01:10:50:984 1912 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
01:10:51:031 1912 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
01:10:51:062 1912 CabinetCallback: File extracted successfully: C:\DOCUME~1\Beth\LOCALS~1\Temp\bck27.tmp
01:10:51:437 1912 ValidateDriverFile: Stage 1 passed
01:10:51:437 1912 ValidateDriverFile: Stage 2 passed
01:10:51:765 1912 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
01:10:59:312 1912 DigitalSignVerifyByHandle: Cat DS result: 00000000
01:10:59:312 1912 ValidateDriverFile: Stage 3 passed
01:10:59:312 1912 CabinetCallback: File validated successfully, restore information prepared
01:10:59:312 1912 FindDriverFileBackup: Backup copy found in cab-file
01:10:59:312 1912 TDL3_FileCure: Backup copy found, using it..
01:10:59:343 1912 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk28.tmp
01:10:59:437 1912 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk28.tmp, system32\drivers\atapi.sys)
01:10:59:515 1912 TDL3_FileCure: KLMD jobs schedule success
01:10:59:515 1912 will be cured on next reboot
01:10:59:515 1912 UtilityBootReinit: Reboot required for cure complete..
01:10:59:515 1912 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
01:10:59:671 1912 UtilityBootReinit: KLMD drop success
01:10:59:687 1912 KLMD_ApplyPendList: Pending buffer(372A_7D89, 608) dropped successfully
01:10:59:687 1912 UtilityBootReinit: Cure on reboot scheduled successfully
01:10:59:687 1912
01:10:59:687 1912 Completed
01:10:59:687 1912
01:10:59:687 1912 Results:
01:10:59:687 1912 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
01:10:59:687 1912 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
01:10:59:687 1912 File objects infected / cured / cured on reboot: 1 / 0 / 1
01:10:59:687 1912
01:10:59:687 1912 UnloadDriverW: NtUnloadDriver error 1
01:10:59:687 1912 KLMD_Unload: UnloadDriverW(klmd21) error 0
01:10:59:703 1912 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
01:10:59:703 1912 UtilityDeinit: KLMD(ARK) unloaded successfully
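Editor's note on the log above. The interesting part is the DetectCureTDL3 section: the tool walks the disk device stack from the top DEVICE_OBJECT down through lower devices, reads each DRIVER_OBJECT's 27-entry IRP_MJ dispatch table, and logs every handler address. For \Driver\Disk the table looks normal: a handful of routines inside the driver image (F769xxxx) and the kernel's shared invalid-request stub (804FA87E) for the IRP majors disk.sys does not implement. For \Driver\atapi every one of the 27 slots points to the same address, 84EC6856, which is not inside atapi.sys at all; that is the "All IRP handlers pointed to one addr" verdict, followed by an in-memory patch of the IRP and StartIo hooks and a scheduled on-reboot replacement of atapi.sys from the driver cabinet (after the catalog signature check passes, Cat DS result 00000000). The summary confirms it: 2 memory objects cured now, 1 file object cured on reboot, which is why the reboot mattered.

The following is an added example, not part of the original thread and not Kaspersky's TDSSKiller code: a small Python re-implementation of that single-target heuristic, parsing log lines in the format shown above. The Disk and atapi tables fed to it are copied from the posted log; the helper that reassembles them into log lines, the function names and the IRP_MJ_COUNT constant are this example's own.

```python
"""Re-implementation of the IRP dispatch-table heuristic seen in the TDSSKiller log.

A healthy driver's IRP_MJ table mixes routines inside its own image with the
kernel's stub for unsupported majors. A table whose 27 entries all collapse to
one address means every request type is being funnelled through a single hook
(here TDL3's code at 84EC6856 in atapi's table). Added example; assumptions are
the log-line regexes and the constant below.
"""
import re

IRP_MJ_COUNT = 27  # IRP_MJ_CREATE (0) .. IRP_MJ_PNP (26) on XP-era kernels

# Log line shapes as they appear in the posted output (timestamp, PID, message).
DRIVER_RE = re.compile(
    r"^\S+ \d+ DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)$"
)
HANDLER_RE = re.compile(
    r"^\S+ \d+ DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]{8})$"
)


def parse_irp_tables(log_text):
    """Return {driver_name: {irp_mj_index: handler_addr}} from TDSSKiller-style text."""
    tables = {}
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.match(line.rstrip())
        if m:
            current = m.group(2)          # e.g. "atapi" from "\Driver\atapi"
            tables[current] = {}
            continue
        m = HANDLER_RE.match(line.rstrip())
        if m and current is not None:
            tables[current][int(m.group(1))] = m.group(2).upper()
    return tables


def flag_single_target_drivers(tables):
    """Drivers whose complete IRP table resolves to exactly one handler address.

    Incomplete tables (fewer than IRP_MJ_COUNT entries parsed) are skipped rather
    than judged, so a truncated log cannot produce a false verdict either way.
    """
    flagged = {}
    for driver, table in tables.items():
        if len(table) < IRP_MJ_COUNT:
            continue
        targets = set(table.values())
        if len(targets) == 1:
            flagged[driver] = targets.pop()
    return flagged


# --- Sample input: reassembled from the posted log (timestamps/PID kept) -------
def _handler_lines(ts, addrs):
    return [f"{ts} 1912 DetectCureTDL3: IrpHandler ({i}) addr: {a}"
            for i, a in enumerate(addrs)]

DISK_TABLE = (["F7696BB0", "804FA87E", "F7696BB0", "F7690D1F", "F7690D1F"]
              + ["804FA87E"] * 4 + ["F76912E2"] + ["804FA87E"] * 4
              + ["F76913BB", "F7694F28", "F76912E2"] + ["804FA87E"] * 5
              + ["F7692C82", "F769799E"] + ["804FA87E"] * 3)   # 27 entries
ATAPI_TABLE = ["84EC6856"] * IRP_MJ_COUNT                      # every slot hooked

SAMPLE_LOG = "\n".join(
    ["01:10:50:640 1912 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk"]
    + _handler_lines("01:10:50:640", DISK_TABLE)
    + ["01:10:50:656 1912 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi"]
    + _handler_lines("01:10:50:656", ATAPI_TABLE)
)


def analyse(log_text):
    """Parse and flag in one step; returns {driver: single_target_addr}."""
    return flag_single_target_drivers(parse_irp_tables(log_text))


if __name__ == "__main__":
    for driver, addr in analyse(SAMPLE_LOG).items():
        print(f'Driver "{driver}": all {IRP_MJ_COUNT} IRP handlers point to {addr}')
```

Run stand-alone it reports only atapi. The heuristic is deliberately conservative: it does not try to decide whether an address lies inside a driver image (the log gives no image ranges), it only asks whether the whole table has been flattened to one pointer, which is exactly the condition TDSSKiller acted on here.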

ImmortalDarknyss
01-28-2010, 10:42 PM
Well, I ran an SD full scan one more time and it came up clean. I've been on and off Google and Bing much of the afternoon and haven't had any redirect issues or popups. I think I can now safely say the computer has been cured, and from now on I'll be able to search and click the links with no problems! :) I'll be keeping my fingers crossed anyway. Thanks again!