WiredWX Christian Hobby Weather Tools
Re: Google/Yahoo search results misdirecting

Yes they are atm.

Re: Google/Yahoo search results misdirecting

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double-click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click Next.
  • By default, it will install to your desktop folder. Click Next.
  • It will then open a box with a tab that says Automatic scan.
  • Under Automatic scan, make sure these are checked:
      • Hidden Startup Objects
      • System Memory
      • Disk Boot Sectors
      • My Computer
      • Any other (removable) drives you may have
    Leave the rest of the settings at their defaults.
  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says an object cannot be neutralized, choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom, save it to a file and name it Kas.
  • Save it somewhere convenient like your desktop. Post only the detected viruses/malware from the report (they will be at the very top under Detected) in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.

Re: Google/Yahoo search results misdirecting

Redirects still present after scan completion

Autoscan: completed 1 minute ago (events: 8, objects: 631135, time: 02:05:58)
8/15/2010 9:21:09 PM Task started
8/15/2010 9:25:03 PM Detected: Exploit.Java.Agent.bu C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\48173611-6a614360/________vload.class
8/15/2010 9:25:03 PM Detected: Exploit.Java.Agent.bu C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\48c654db-1d05e81a/vmain.class
8/15/2010 9:30:08 PM Deleted: Exploit.Java.Agent.bu C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\48c654db-1d05e81a/vmain.class
8/15/2010 9:30:17 PM Deleted: Exploit.Java.Agent.bu C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\48173611-6a614360/________vload.class
8/15/2010 9:30:17 PM Detected: Exploit.Java.Agent.bu C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\48173611-6a614360/vmain.class
8/15/2010 9:30:20 PM Deleted: Exploit.Java.Agent.bu C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\48173611-6a614360/vmain.class
8/15/2010 11:27:07 PM Task completed

Re: Google/Yahoo search results misdirecting

I ran Malwarebytes again and found the same infection as last time. I've supposedly deleted this infection 3 or 4 times at this point and it keeps reappearing. Perhaps it might be something causing this.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4435

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/15/2010 11:44:18 PM
mbam-log-2010-08-15 (23-44-18).txt

Scan type: Quick scan
Objects scanned: 142749
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Google/Yahoo search results misdirecting

If this scan will not run correctly in Normal Mode, then boot to Safe Mode and try again.

Please download 7-Zip and install it. If you already have it, no need to reinstall.

Then, download RootkitUnhooker and save the setup to your Desktop.

  • Right-click on the RootkitUnhooker setup, mouse over 7-Zip, then click Extract to "RKU***".
  • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  • Once inside the interface, do not fix anything. Click on the Report tab.
  • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

Re: Google/Yahoo search results misdirecting

Same as last time, waited over an hour for it to build the file directories before canceling.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #2
==============================================
>SSDT State
==============================================
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x86741020 [340] C:\Windows\System32\smss.exe (Microsoft Corporation, Windows Session Manager)
0x864F0BD0 [440] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x877BD918 [516] C:\Windows\System32\wininit.exe (Microsoft Corporation, Windows Start-Up Application)
0x855B3448 [524] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x877CEA10 [568] C:\Windows\System32\services.exe (Microsoft Corporation, Services and Controller app)
0x877ECD40 [608] C:\Windows\System32\lsass.exe (Microsoft Corporation, Local Security Authority Process)
0x877EB530 [616] C:\Windows\System32\lsm.exe (Microsoft Corporation, Local Session Manager Service)
0x877ED080 [624] C:\Windows\System32\winlogon.exe (Microsoft Corporation, Windows Logon Application)
0x8783B660 [756] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x878916C8 [836] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x878BC2D0 [884] C:\Windows\System32\atiesrxx.exe (AMD, AMD External Events Service Module)
0x878C3838 [956] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x878DCB18 [1012] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x879521C0 [1056] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x879A73E8 [1204] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x879A5D40 [1316] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x879BF8F0 [1372] C:\Windows\System32\atieclxx.exe (AMD, AMD External Events Client Module)
0xBA5FA030 [1492] C:\Windows\System32\audiodg.exe (Microsoft Corporation, Windows Audio Device Graph Isolation )
0x875D0030 [1500] C:\Windows\System32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x875DF030 [1528] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x879F28B0 [1616] C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET, ESET Service)
0x875CF8F0 [1708] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x87556968 [1772] C:\Windows\System32\sppsvc.exe (Microsoft Corporation, Microsoft Software Protection Platform Service)
0x87879D40 [2068] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x86484D40 [2272] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x87C19418 [2284] C:\Windows\System32\dwm.exe (Microsoft Corporation, Desktop Window Manager)
0x87C1E830 [2308] C:\Windows\explorer.exe (Microsoft Corporation, Windows Explorer)
0x87BA79D0 [2316] C:\Windows\System32\taskhost.exe (Microsoft Corporation, Host Process for Windows Tasks)
0x86373590 [2668] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA, VIA HD Audio CPL)
0x867F0C30 [2680] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET, ESET GUI)
0x87CFE6C8 [2704] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation, GrooveMonitor Utility)
0x87D1A030 [2720] C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe (Microsoft Corporation, XBoxStat.exe)
0x87CBA9B8 [2796] C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe (Microsoft Corporation, Windows Live Device Manager Executable)
0x85C3E360 [2808] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe (Adobe Systems Incorporated, AAM Updates Notifier Application)
0x878ED7C8 [2836] C:\Windows\iPScan.exe ( iPassion Technology Inc., iPScan)
0x87B12B60 [2872] C:\Program Files\RocketDock\RocketDock.exe
0x877E9030 [2900] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd, DAEMON Tools Lite)
0x87F0BD40 [2956] C:\Windows\System32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x87DC49A8 [2976] C:\Program Files\PowerMenu\PowerMenu.exe (Thong Nguyen, PowerMenu)
0xBA4FE030 [3056] C:\Windows\System32\SearchProtocolHost.exe (Microsoft Corporation, Microsoft Windows Search Protocol Host)
0x87D59D40 [3224] C:\Windows\System32\SearchIndexer.exe (Microsoft Corporation, Microsoft Windows Search Indexer)
0xB4DD3A68 [3384] C:\Windows\explorer.exe (Microsoft Corporation, Windows Explorer)
0xBA576030 [3436] C:\Windows\System32\SearchFilterHost.exe (Microsoft Corporation, Microsoft Windows Search Filter Host)
0x869D1D40 [3676] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xB4DD4030 [3704] C:\Users\Nathan\Downloads\RkU3.8.388.590\MustBeRandomlyNamed\U57ar.exe (UG North, RKULE, SR2 Normandy)
0x876CF730 [3800] C:\Windows\explorer.exe (Microsoft Corporation, Windows Explorer)
0x87B9CAB8 [3968] C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0x85504510 [4] System
==============================================
>Drivers
==============================================
0x91032000 C:\Windows\system32\DRIVERS\atikmdag.sys 5328896 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x82A04000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x82A04000 PnpManager 4259840 bytes
0x82A04000 RAW 4259840 bytes
0x82A04000 WMIxWDM 4259840 bytes
0x98500000 Win32k 2400256 bytes
0x98500000 C:\Windows\System32\win32k.sys 2400256 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8BC31000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8B8A0000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x83607000 PCI_PNP5019 995328 bytes
0x83607000 C:\Windows\System32\Drivers\spms.sys 995328 bytes
0x83607000 sptd 995328 bytes
0x968D7000 C:\Windows\system32\drivers\viahduaa.sys 905216 bytes (VIA Technologies, Inc., VIA High Definition Audio Function Driver)
0x81EC9000 C:\Windows\system32\DRIVERS\eamon.sys 835584 bytes (ESET, Amon monitor)
0x91547000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8BA74000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x83473000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0x9EA0F000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x99831000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8351E000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x9EB7E000 C:\Windows\system32\drivers\spsys.sys 434176 bytes (Microsoft Corporation, security processor)
0x908AF000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x8BA00000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x8BF71000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x9EB2D000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x9EADE000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x987B0000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9181F000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8359D000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x83729000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9680A000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x83431000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x9084E000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x99999000 C:\Windows\system32\DRIVERS\udfs.sys 262144 bytes (Microsoft Corporation, UDF File System Driver)
0x8BDB4000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8BB2B000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x81E11000 C:\Windows\System32\Drivers\iP293x.sys 245760 bytes (iPassion Technology Inc., iPassion Serial Bus Camera Driver)
0x99904000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x918AE000 C:\Windows\System32\Drivers\aa48ry8n.SYS 233472 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x9096C000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x82E14000 ACPI_HAL 225280 bytes
0x82E14000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8B85B000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x909C9000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x8BBA6000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x8BFCB000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8BD7A000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x9688F000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8BC00000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x8B9CF000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x9996F000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x83784000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x96869000 C:\Windows\system32\drivers\AtiHdmi.sys 155648 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)
0x83703000 C:\Windows\System32\Drivers\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
0x8BE3B000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8BB69000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x909A5000 C:\Windows\system32\DRIVERS\Rtlh86.sys 147456 bytes (Realtek Corporation , Realtek 8101E/8168/8169 NDIS6 32-bit Driver )
0x8B82F000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x81FAF000 C:\Windows\system32\DRIVERS\epfw.sys 143360 bytes (ESET, ESET Personal Firewall driver)
0x998E1000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x9193D000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9EAB0000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x90939000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8BEF0000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8BE9A000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x91000000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8BE07000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x98790000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x8BEC7000 C:\Windows\system32\DRIVERS\ehdrv.sys 118784 bytes (ESET, ESET Helper driver)
0x81EAE000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x9993F000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8B813000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x81F95000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x998B6000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x968BE000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x90913000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x91884000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x9191A000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x9195F000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x91977000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x9198E000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8BF4F000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x969BE000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x81E5B000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x835E8000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x969E2000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x8B800000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x81FE2000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8BBE9000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x91908000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x9095A000 C:\Windows\system32\DRIVERS\amdk8.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x998CF000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8BBD8000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x81E9D000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x8B88F000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x96858000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x837AE000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x83418000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x81FD2000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8BB8E000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x90830000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x837BF000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x9186A000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x91800000 C:\Windows\system32\DRIVERS\xusb21.sys 61440 bytes (Microsoft Corporation, Windows Common Controller)
0x9092B000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x99961000 C:\Windows\system32\DRIVERS\epfwwfp.sys 57344 bytes (ESET, ESET Personal Firewall driver)
0x8BE26000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8BF41000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x837D6000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8BA5D000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x90840000 C:\Windows\System32\Drivers\SCDEmu.SYS 57344 bytes (PowerISO Computing, Inc., PowerISO Virtual Drive)
0x81E4D000 C:\Windows\System32\Drivers\STREAM.SYS 57344 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0x919D7000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8358F000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x918F0000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x81E7C000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x919BB000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x919C8000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x9EAD1000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8BF11000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x908A3000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x919E5000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x919A5000 C:\Windows\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0x8BEE4000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x81E89000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x918FD000 C:\Windows\system32\DRIVERS\Epfwndis.sys 45056 bytes (ESET, ESET Personal Firewall NDIS filter)
0x91879000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0x969D7000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x8340D000 C:\Windows\system32\mcupdate_AuthenticAMD.dll 45056 bytes (Microsoft Corporation, AMD Microcode Update Library)
0x81E71000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x919F1000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8BF36000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x91932000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8BF66000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x83779000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x969B4000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x9684E000 C:\Windows\system32\DRIVERS\flpydisk.sys 40960 bytes (Microsoft Corporation, Floppy Driver)
0x90899000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x9088F000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x919B1000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0x9EAA6000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x918A4000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x9101F000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x8B852000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x837EB000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x81E94000 C:\Windows\System32\Drivers\dump_atapi.sys 36864 bytes
0x8BA6B000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x9EBF4000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x98760000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8BDAB000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x918E7000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x836FA000 C:\Windows\System32\Drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x9189C000 C:\Windows\system32\DRIVERS\ASACPI.sys 32768 bytes (-, ATK0110 ACPI Utility)
0x8BE60000 C:\Windows\system32\DRIVERS\AtiPcie.sys 32768 bytes (ATI Technologies Inc., ATI PCIE Driver for ATI PCIE chipset)
0x83429000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8BB9E000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80BA6000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x83771000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8BF1E000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8BF26000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x8BF2E000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8BDF3000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x837E4000 C:\Windows\system32\DRIVERS\amdide.sys 28672 bytes (Advanced Micro Devices, AMD PCI SATA/IDE Bus Driver)
0x8BEC0000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x969F5000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x8BEB9000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x9995A000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x837CF000 C:\Windows\system32\DRIVERS\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8BE00000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x9EBE8000 C:\Windows\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0x8BDFB000 C:\Windows\system32\speedfan.sys 8192 bytes (Windows (R) 2000 DDK provider, SpeedFan Device Driver)
0x919D5000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x969D5000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x8BC2D000 C:\Windows\system32\giveio.sys 4096 bytes
0x855441F8 unknown_irp_handler 3592 bytes
0x857881F8 unknown_irp_handler 3592 bytes
0x858581F8 unknown_irp_handler 3592 bytes
0x855421F8 unknown_irp_handler 3592 bytes
0x855431F8 unknown_irp_handler 3592 bytes
0x867991F8 unknown_irp_handler 3592 bytes
0x864CB1F8 unknown_irp_handler 3592 bytes
0x855401F8 unknown_irp_handler 3592 bytes
0x8679D1F8 unknown_irp_handler 3592 bytes
0x876DB1F8 unknown_irp_handler 3592 bytes
0x867291F8 unknown_irp_handler 3592 bytes
0x868B3500 unknown_irp_handler 2816 bytes
0x86706500 unknown_irp_handler 2816 bytes
==============================================
>Stealth
==============================================
0x86665F53 Unknown page with executable code, 173 bytes
WARNING: File locked for read access [C:\Windows\system32\drivers\sptd.sys]
0x865BDE44 Unknown page with executable code, 444 bytes
0x865C5D66 Unknown page with executable code, 666 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
[1616]ekrn.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x76D83162-->00000000 [unknown_code_page]
[2384]lol.launcher.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C617B8-->00000000 [apphelp.dll]
[2384]lol.launcher.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B611B8-->00000000 [apphelp.dll]
[2384]lol.launcher.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0044528C-->00000000 [apphelp.dll]
[2384]lol.launcher.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D114E0-->00000000 [apphelp.dll]
[2384]lol.launcher.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7120144C-->00000000 [apphelp.dll]
[2652]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x771BF585-->00000000 [firefox.exe]
[2652]firefox.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x75673BED-->00000000 [unknown_code_page]
[2652]firefox.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x756747DF-->00000000 [unknown_code_page]
[2652]firefox.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x7567C4C8-->00000000 [unknown_code_page]
[2652]firefox.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x7567C29F-->00000000 [unknown_code_page]
[2652]firefox.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x756768A7-->00000000 [unknown_code_page]
[2920]LolClient.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C617B8-->00000000 [apphelp.dll]
[2920]LolClient.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B611B8-->00000000 [apphelp.dll]
[2920]LolClient.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00402004-->00000000 [apphelp.dll]
[2920]LolClient.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D114E0-->00000000 [apphelp.dll]
[2920]LolClient.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7120144C-->00000000 [apphelp.dll]
[956]svchost.exe-->kernel32.dll-->ActivateActCtx, Type: IAT modification 0x010010A0-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x0100105C-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->CreateActCtxW, Type: IAT modification 0x010010D0-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->DeactivateActCtx, Type: IAT modification 0x01001098-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->DelayLoadFailureHook, Type: IAT modification 0x01001060-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->ExitProcess, Type: IAT modification 0x010010DC-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->ExpandEnvironmentStringsW, Type: IAT modification 0x010010D4-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification 0x0100106C-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->GetCommandLineW, Type: IAT modification 0x010010D8-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->GetLastError, Type: IAT modification 0x01001068-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x01001084-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001064-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->GetProcessHeap, Type: IAT modification 0x010010EC-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->GetSystemTimeAsFileTime, Type: IAT modification 0x01001090-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->GetTickCount, Type: IAT modification 0x0100108C-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->HeapFree, Type: IAT modification 0x010010FC-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->HeapSetInformation, Type: IAT modification 0x010010B8-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->InterlockedCompareExchange, Type: IAT modification 0x01001070-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->InterlockedExchange, Type: IAT modification 0x01001078-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->LCMapStringW, Type: IAT modification 0x010010C4-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x01001074-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x0100109C-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->LocalAlloc, Type: IAT modification 0x01001058-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x010010F8-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->lstrcmpiW, Type: IAT modification 0x010010BC-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->lstrcmpW, Type: IAT modification 0x010010A8-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->lstrlenW, Type: IAT modification 0x010010C0-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->QueryPerformanceCounter, Type: IAT modification 0x01001088-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->RegCloseKey, Type: IAT modification 0x010010B0-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->RegDisablePredefinedCacheEx, Type: IAT modification 0x010010E4-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->RegisterWaitForSingleObjectEx, Type: IAT modification 0x010010F4-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->RegOpenKeyExW, Type: IAT modification 0x010010B4-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->RegQueryValueExW, Type: IAT modification 0x010010C8-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->ReleaseActCtx, Type: IAT modification 0x010010CC-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification 0x010010F0-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->SetProcessAffinityUpdateMode, Type: IAT modification 0x010010E0-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x01001080-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->Sleep, Type: IAT modification 0x0100107C-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification 0x01001094-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x01001100-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->EtwEventEnabled, Type: IAT modification 0x01001138-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->EtwEventRegister, Type: IAT modification 0x0100113C-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->EtwEventWrite, Type: IAT modification 0x01001134-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlAllocateHeap, Type: IAT modification 0x0100110C-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlCopySid, Type: IAT modification 0x0100111C-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlFreeHeap, Type: IAT modification 0x01001140-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlImageNtHeader, Type: IAT modification 0x0100112C-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlInitializeCriticalSection, Type: IAT modification 0x01001124-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlInitializeSid, Type: IAT modification 0x01001118-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlLengthRequiredSid, Type: IAT modification 0x01001110-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlSetProcessIsCritical, Type: IAT modification 0x01001128-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlSubAuthorityCountSid, Type: IAT modification 0x01001120-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlSubAuthoritySid, Type: IAT modification 0x01001114-->00000000 [unknown_code_page]
[956]svchost.exe-->ntdll.dll-->RtlUnhandledExceptionFilter, Type: IAT modification 0x01001130-->00000000 [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
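
The ">Hooks" section of that report is the part worth reading line by line. As an added example (my own code, not part of this thread or of RootkitUnhooker), the Python below parses lines in that format and triages them with a small rule set: hooks attributed to apphelp.dll (the Windows application-compatibility shim engine) are expected, a process hooking itself is informational, and an inline hook on a browser's ws2_32.dll send/recv that RKU cannot attribute to any loaded module is rated high, because code sitting on the socket path is in a position to alter what the browser sends and receives. The severity labels, the API watch lists and the benign-owner list are my assumptions; the sample lines are constructed from the report above.

```python
import re
from collections import Counter

# Constructed sample: lines in the RootkitUnhooker ">Hooks" report format
# (pid, process, import chain, hook type, hooked address, and the module RKU
# attributes the hook code to), taken from the kind of output in this thread.
SAMPLE_HOOKS = """\
[1616]ekrn.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x76D83162-->00000000 [unknown_code_page]
[2384]lol.launcher.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C617B8-->00000000 [apphelp.dll]
[2652]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x771BF585-->00000000 [firefox.exe]
[2652]firefox.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x756747DF-->00000000 [unknown_code_page]
[2652]firefox.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x7567C4C8-->00000000 [unknown_code_page]
[956]svchost.exe-->kernel32.dll-->Sleep, Type: IAT modification 0x0100107C-->00000000 [unknown_code_page]
"""

HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>.+?)-->(?P<chain>.+?), Type: (?P<type>.+?) "
    r"(?P<addr>0x[0-9A-Fa-f]+)-->(?P<target>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)

# APIs on a process's network path; an unattributed hook here can rewrite what
# the user sends and receives, which is what a search redirect looks like.
NETWORK_APIS = {("ws2_32.dll", f) for f in
                ("send", "recv", "WSASend", "WSARecv", "closesocket", "connect")}
LOADER_APIS = {("ntdll.dll", "LdrLoadDll"), ("kernel32.dll", "LoadLibraryExW")}
# Hook owners expected on a normal Windows box (assumption: extend per environment).
# apphelp.dll is the application-compatibility shim engine and patches IAT entries.
BENIGN_OWNERS = {"apphelp.dll"}


def parse_hooks(text):
    """Parse '>Hooks' lines into dicts; lines that do not match the format are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        chain = m.group("chain").split("-->")
        if len(chain) < 2:
            continue
        hooks.append({
            "pid": int(m.group("pid")),
            "process": m.group("process"),
            "importer": chain[0],        # module whose import table / code was patched
            "module": chain[-2],         # module that exports the hooked function
            "function": chain[-1],
            "type": m.group("type"),
            "address": int(m.group("addr"), 16),
            "owner": m.group("owner"),   # where RKU says the hook code lives
        })
    return hooks


def triage(hook):
    """Rate one hook: 'benign', 'info', 'high' or 'review'."""
    key = (hook["module"], hook["function"])
    if hook["owner"] in BENIGN_OWNERS:
        return "benign"
    if hook["owner"] == hook["process"]:
        return "info"       # the process hooks itself (loader/sandbox hooks do this)
    if hook["owner"] == "unknown_code_page" and key in NETWORK_APIS | LOADER_APIS:
        return "high"       # code RKU cannot attribute to any module, on a sensitive API
    return "review"         # unattributed or third-party hook; confirm against installed AV


def summarize(text):
    """Count hooks per severity for a whole '>Hooks' section."""
    return dict(Counter(triage(h) for h in parse_hooks(text)))


def high_severity_hooks(text):
    """(pid, process, function) for every hook rated 'high', in report order."""
    return [(h["pid"], h["process"], h["function"])
            for h in parse_hooks(text) if triage(h) == "high"]


if __name__ == "__main__":
    for h in parse_hooks(SAMPLE_HOOKS):
        print(f'{triage(h):7} [{h["pid"]}] {h["process"]} {h["module"]}!{h["function"]} <- {h["owner"]}')
    print(summarize(SAMPLE_HOOKS))
```

Run as-is it prints one line per hook plus the severity counts. In the report above, the IAT entries on lol.launcher.exe and LolClient.exe all point at apphelp.dll and drop out as benign, whereas the firefox.exe hooks on recv, send, WSARecv and WSASend land in unknown_code_page; those, together with the "Unknown page with executable code" entries under ">Stealth", are what the helper's next instructions target. ekrn.exe (the ESET service) also shows an unattributed hook, which is why the rules rate non-network hooks "review" rather than "high": a security product's own hooks should be confirmed against its documentation before anything is wiped.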

Re: Google/Yahoo search results misdirecting
Double-click RootkitUnhooker, and click on the Stealth Code tab.

Click the Scan button and allow it to scan, then look for these entries:

0x86665F53 Unknown page with executable code, 173 bytes
0x865BDE44 Unknown page with executable code, 444 bytes
0x865C5D66 Unknown page with executable code, 666 bytes

Select the result, right-click, and then click Wipe File. If the option is not available for Wipe File, then click on Unhook Selected instead.

Then, click on the Drivers tab.

Click the Scan button and allow it to scan, then look for the entries that contain this string: unknown_irp_handler

Select each result, and then right-click Wipe File. If Wipe File is not available, then click on Unhook Selected instead.

===========

After that, reboot your computer, and then please post back a new report from RKU like you did above.

Re: Google/Yahoo search results misdirecting
Sorry it's been a few weeks since I've responded. I tried the above methods and they didn't work, and I became content with just having the workaround of pasting links in the address bar. Recently my NOD32 started acting up, saying my wininit.exe file was infected along with my firefox.exe and iexplorer.exe. It could not delete wininit.exe, probably because it's a system file, but it deleted firefox.exe and iexplorer.exe. After I reinstalled the browsers the misdirects were gone for the most part, but it said wininit.exe is still infected along with firefox.exe and iexplorer.exe (I had to disable parts of NOD32 to even use them without them being deleted/quarantined).

It said it was the Win32/Bamital.DX trojan for all three. I hope this helps you.

thanks,
nathan

Re: Google/Yahoo search results misdirecting
The redirects are gone?

Re: Google/Yahoo search results misdirecting
They are not gone, but it's not a guarantee that it'll misdirect anymore. It's a lot less common than before; around 20% of clicked links are misdirects.

Re: Google/Yahoo search results misdirecting
Do you have a router?

Re: Google/Yahoo search results misdirecting
Yes, I have a linksys router.

Re: Google/Yahoo search results misdirecting
Let me look at something real quick...

Please download RenewMyDNS by DragonMaster Jay.
  • Save it to your Desktop.
  • Right-click on the file and select Extract All...
  • Choose a location to save extracted files and keep pressing Next until Finish.
  • Double-click RenewMyDNS folder, then double-click RenewMyDNS.bat to start the program.
  • Follow the prompts, and when finished it will launch a log.
  • Post that log in your next reply.
  • After posting the log, delete the folder RenewMyDNS.

Re: Google/Yahoo search results misdirecting
RenewMyDNS by DragonMaster Jay
DNS Diagnostics and refresher
Version 0.1.4 - November 2009

Microsoft Windows [Version 6.1.7600]


(((((((((((((((((((( Network and DNS Information ))))))))))))))))))))



Windows IP Configuration

Host Name . . . . . . . . . . . . : Nathan-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : 00-23-54-DA-50-9D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d1e8:42a2:5bab:5ea3%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, September 09, 2010 2:19:37 PM
Lease Expires . . . . . . . . . . : Saturday, September 11, 2010 2:19:37 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 234890068
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-AC-3F-E6-00-23-54-DA-50-9D
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{7668F7E2-CA66-40BD-9C17-839153EAC4C7}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:341b:3fc:9d6b:40b(Preferred)
Link-local IPv6 Address . . . . . : fe80::341b:3fc:9d6b:40b%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

(((((((((((((((((((( DNS-Fake Request Testing and Flush ))))))))))))))))))))

... Requests made were successful

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.


(((((((((((((((((((( Speed-test - Ping ))))))))))))))))))))

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=80ms TTL=48
Reply from 209.191.122.70: bytes=32 time=62ms TTL=47
Reply from 209.191.122.70: bytes=32 time=58ms TTL=48
Reply from 209.191.122.70: bytes=32 time=61ms TTL=48

Ping statistics for 209.191.122.70:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 58ms, Maximum = 80ms, Average = 65ms

Pinging GeekPolice.net [64.202.189.170] with 32 bytes of data:
Reply from 64.202.189.170: bytes=32 time=27ms TTL=111
Reply from 64.202.189.170: bytes=32 time=25ms TTL=111
Reply from 64.202.189.170: bytes=32 time=26ms TTL=111
Reply from 64.202.189.170: bytes=32 time=26ms TTL=111

Ping statistics for 64.202.189.170:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 25ms, Maximum = 27ms, Average = 26ms

Pinging facebook.com [69.63.181.11] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 69.63.181.11:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging microsoft.com [207.46.232.182] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 207.46.232.182:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

********************
EOF
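
The RenewMyDNS log is an ipconfig /all dump followed by a cache flush and a few pings. As an added example (my own code, not part of RenewMyDNS or of this thread), here is a Python parser for that ipconfig layout that lists each adapter's DNS servers and classifies them: resolvers on the local network (RFC 1918, loopback, link-local) are "lan", resolvers on an explicit trusted list are "trusted", and any other public address is "unexpected-public", which is the pattern a DNS-changer infection leaves behind. The first adapter reproduces the values above; the "Constructed Wireless Connection" adapter and its 203.0.113.x resolvers (a documentation address range) are invented to exercise the check, and the label names are my assumptions.

```python
import ipaddress
import re

# Constructed sample in the 'ipconfig /all' layout that RenewMyDNS echoes. The
# first adapter mirrors this thread (router 192.168.1.1 as gateway, DHCP and DNS
# server); the last adapter is invented and points at 203.0.113.0/24 addresses.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : Nathan-PC

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
DHCP Enabled. . . . . . . . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1

Tunnel adapter isatap.{7668F7E2-CA66-40BD-9C17-839153EAC4C7}:

Media State . . . . . . . . . . . : Media disconnected
DHCP Enabled. . . . . . . . . . . : No

Ethernet adapter Constructed Wireless Connection:

DHCP Enabled. . . . . . . . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 203.0.113.5
                                    203.0.113.6
"""

ADAPTER_RE = re.compile(r"^(?P<kind>[A-Za-z][A-Za-z ]*?) adapter (?P<name>.+):$")
# "Key . . . . : value" lines; the key is followed by at least one dot leader.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)(?:\s?\.)+\s*:\s?(?P<value>.*)$")

# Resolvers that live on the local network (RFC 1918, loopback, link-local, ULA).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def _clean(value):
    """Drop '(Preferred)'-style suffixes and IPv6 zone ids."""
    return value.split("(")[0].split("%")[0].strip()


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Return {adapter name: {'dns': [...], 'gateway': ..., 'dhcp': bool, 'media': ...}}."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name"), {"dns": []})
            last_key = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip().lower()
            value = _clean(m.group("value"))
            if current is None:
                continue                      # global section (host name etc.)
            if last_key == "dns servers" and value:
                current["dns"].append(value)
            elif last_key == "default gateway":
                current["gateway"] = value
            elif last_key == "dhcp enabled":
                current["dhcp"] = value.lower() == "yes"
            elif last_key == "media state":
                current["media"] = value
            continue
        # A bare address on its own line continues the previous multi-valued field.
        if current is not None and last_key == "dns servers" and _is_ip(_clean(line)):
            current["dns"].append(_clean(line))
    return adapters


def on_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)


def classify_dns(adapter, trusted=frozenset()):
    """'no-dns', 'lan', 'trusted' or 'unexpected-public' for one adapter."""
    if not adapter["dns"]:
        return "no-dns"
    label = "lan"
    for server in adapter["dns"]:
        if on_lan(ipaddress.ip_address(server)):
            continue
        if server in trusted:
            label = "trusted"
            continue
        return "unexpected-public"
    return label


def check_ipconfig(text, trusted=frozenset()):
    return {name: classify_dns(a, trusted) for name, a in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for name, label in check_ipconfig(SAMPLE_IPCONFIG).items():
        print(f"{label:17} {name}: {parse_ipconfig(SAMPLE_IPCONFIG)[name]['dns']}")
```

A "lan" verdict, as in the log above where the only resolver is the router at 192.168.1.1, only moves the question one hop: the router forwards to whatever is in its own DNS fields, which is why the helper's next post asks for the router's Static DNS values. The continuation-line handling matters because ipconfig prints a second or third DNS server on its own indented line, and a hijacked resolver is often appended after a legitimate one.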

Re: Google/Yahoo search results misdirecting
Right now I'm using PeerBlock to stop the redirects and it's working well, although once I disable it or exit it the redirects continue.

Re: Google/Yahoo search results misdirecting
Let's begin by opening up Internet Explorer, and go to the following address:

http://192.168.1.1

If that does not display a blank page with a password prompt, then try this one:

http://192.168.2.1


Once you get the password prompt, enter your password if you selected one, or otherwise enter admin into the password box.

Once you confirm that, you shall see the router configuration screen.




Please list for me the values included in the boxes similarly named:

-Internet Connection type
-Local IP address
-Static DNS 1
-Static DNS 2
-Static DNS 3
-IP Address Range
-Host name
-Domain name


If you cannot find some of those, then let me know which ones you could not find.

After I know this information, I will tell you how to proceed after this.

Re: Google/Yahoo search results misdirecting
Internet Connection Type: Obtain an IP automatically
Local IP Address: 192.168.1.1
Static DNS 1: 0.0.0.0
Static DNS 2: 0.0.0.0
Static DNS 3: 0.0.0.0
IP Address Range: DHCP Address Range?
Host Name: Nothing
Domain name: Nothing

[Screenshot: Routset]

Re: Google/Yahoo search results misdirecting
But you still have internet access? And search redirects?

Re: Google/Yahoo search results misdirecting
I have internet access; I've always had internet. Yes, the redirects still happen.

I'm pretty sure what's causing it has something to do with my infected wininit.exe, which then infects my browsers' exe.

Re: Google/Yahoo search results misdirecting
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    wininit.exe
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe
    atapi.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Google/Yahoo search results misdirecting
SystemLook 04.09.10 by jpshortstuff
Log created at 21:44 on 12/09/2010 by Nathan
Administrator - Elevation successful

========== filefind ==========

Searching for "wininit.exe"
C:\Windows\System32\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665

Searching for "scecli.dll"
C:\Windows\System32\scecli.dll --a---- 175616 bytes [23:33 13/07/2009] [01:16 14/07/2009] 26073302DAEA83CC5B944C546D6B47D2
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll --a---- 175616 bytes [23:33 13/07/2009] [01:16 14/07/2009] 26073302DAEA83CC5B944C546D6B47D2

Searching for "netlogon.dll"
C:\Windows\System32\netlogon.dll --a---- 563712 bytes [23:38 13/07/2009] [01:16 14/07/2009] EAA75D9000B71F10EEC04D2AE6C60E81
C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll --a---- 563712 bytes [23:38 13/07/2009] [01:16 14/07/2009] EAA75D9000B71F10EEC04D2AE6C60E81

Searching for "eventlog.dll"
No files found.

Searching for "winlogon.exe"
C:\Windows\System32\winlogon.exe --a---- 285696 bytes [20:52 17/06/2010] [06:17 28/10/2009] 37CDB7E72EB66BA85A87CBE37E7F03FD
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe --a---- 285696 bytes [23:37 13/07/2009] [01:14 14/07/2009] 8EC6A4AB12B8F3759E21F8E3A388F2CF
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe --a---- 285696 bytes [20:52 17/06/2010] [06:17 28/10/2009] 37CDB7E72EB66BA85A87CBE37E7F03FD
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe --a---- 285696 bytes [20:52 17/06/2010] [05:52 28/10/2009] 3BABE6767C78FBF5FB8435FEED187F30

Searching for "comres.dll"
C:\Windows\System32\comres.dll --a---- 1297408 bytes [23:44 13/07/2009] [01:04 14/07/2009] 808D8A8B2A3074002852BC856D419576
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.1.7600.16385_none_2c8730fb47856e94\comres.dll --a---- 1297408 bytes [23:44 13/07/2009] [01:04 14/07/2009] 808D8A8B2A3074002852BC856D419576

Searching for "crypt32.dll"
C:\Windows\System32\crypt32.dll --a---- 1151488 bytes [23:34 13/07/2009] [01:15 14/07/2009] E6B5DE86ABF68D7D67E451C29287B5C5
C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.1.7600.16385_none_5b4617ff3f275c4b\crypt32.dll --a---- 1151488 bytes [23:34 13/07/2009] [01:15 14/07/2009] E6B5DE86ABF68D7D67E451C29287B5C5

Searching for "gpedit.dll"
C:\Windows\System32\gpedit.dll --a---- 951808 bytes [23:38 13/07/2009] [01:15 14/07/2009] F4CB9FF6AA4F0D3FBE707BE54BB05768
C:\Windows\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.1.7600.16385_none_ce0882b8c63afdf6\gpedit.dll --a---- 951808 bytes [23:38 13/07/2009] [01:15 14/07/2009] F4CB9FF6AA4F0D3FBE707BE54BB05768

Searching for "rundll32.exe"
C:\Windows\System32\rundll32.exe --a---- 44544 bytes [23:41 13/07/2009] [01:14 14/07/2009] 51138BEEA3E2C21EC44D0932C71762A8
C:\Windows\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7600.16385_none_d7dba7b30c3e2855\rundll32.exe --a---- 44544 bytes [23:41 13/07/2009] [01:14 14/07/2009] 51138BEEA3E2C21EC44D0932C71762A8

Searching for "sfc.dll"
C:\Windows\System32\sfc.dll --a---- 2560 bytes [23:15 13/07/2009] [01:10 14/07/2009] 40CAEEE0EAF1B8569F7C8DF6420F2CB9
C:\Windows\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.1.7600.16385_none_a70c196fbd853ae9\sfc.dll --a---- 2560 bytes [23:15 13/07/2009] [01:10 14/07/2009] 40CAEEE0EAF1B8569F7C8DF6420F2CB9

Searching for "svchost.exe"
C:\Windows\System32\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866

Searching for "cngaudit.dll"
C:\Windows\System32\cngaudit.dll --a---- 12288 bytes [23:32 13/07/2009] [01:15 14/07/2009] 50BA656134F78AF64E4DD3C8B6FEFD7E
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll --a---- 12288 bytes [23:32 13/07/2009] [01:15 14/07/2009] 50BA656134F78AF64E4DD3C8B6FEFD7E

Searching for "beep.sys"
C:\Windows\System32\drivers\beep.sys --a---- 6144 bytes [23:45 13/07/2009] [23:45 13/07/2009] 505506526A9D467307B3C393DEDAF858
C:\Windows\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.1.7600.16385_none_c3f6f77668f0ddcc\beep.sys --a---- 6144 bytes [23:45 13/07/2009] [23:45 13/07/2009] 505506526A9D467307B3C393DEDAF858

Searching for "wscntfy.exe"
No files found.

Searching for "atapi.sys"
C:\Windows\System32\drivers\atapi.sys --a---- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a---- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a---- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-= EOF =-
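
SystemLook's filefind output lists every copy of each file with its size, timestamps and MD5, so the System32 copy can be compared with the servicing copies in WinSxS. As an added example (my own code, not part of SystemLook or of this thread), the Python below parses that format and reports, per file, whether the live copy's MD5 matches one of its WinSxS or DriverStore copies. The winlogon.exe case above shows why "matches any reference copy" is the right test: three WinSxS versions coexist and System32 holds the newest of them. The example.dll block with all-zero and all-one hashes is invented to show a mismatch, and the verdict names are my assumptions.

```python
import re

# Constructed sample in the SystemLook ':filefind' report format. The wininit.exe,
# eventlog.dll and winlogon.exe blocks are the kind of lines shown in this thread;
# example.dll is invented (all-zero / all-one MD5s) to show a System32 copy that
# no longer matches its WinSxS component-store copy.
SAMPLE_FILEFIND = r"""
========== filefind ==========

Searching for "wininit.exe"
C:\Windows\System32\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665

Searching for "eventlog.dll"
No files found.

Searching for "winlogon.exe"
C:\Windows\System32\winlogon.exe --a---- 285696 bytes [20:52 17/06/2010] [06:17 28/10/2009] 37CDB7E72EB66BA85A87CBE37E7F03FD
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe --a---- 285696 bytes [23:37 13/07/2009] [01:14 14/07/2009] 8EC6A4AB12B8F3759E21F8E3A388F2CF
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe --a---- 285696 bytes [20:52 17/06/2010] [06:17 28/10/2009] 37CDB7E72EB66BA85A87CBE37E7F03FD

Searching for "example.dll"
C:\Windows\System32\example.dll --a---- 4096 bytes [00:00 01/01/2010] [00:00 01/01/2010] 00000000000000000000000000000000
C:\Windows\winsxs\x86_constructed-example_0000000000000000_1.0.0.0_none_0000000000000000\example.dll --a---- 4096 bytes [00:00 01/01/2010] [00:00 01/01/2010] 11111111111111111111111111111111
"""

# path, 7-char attribute field, size, [created] [modified], 32 hex MD5
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>.+)"$')


def parse_filefind(text):
    """Return {searched name: [entry, ...]}; an empty list means 'No files found.'"""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            results[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            results[current].append({
                "path": m.group("path"),
                "attrs": m.group("attrs"),
                "size": int(m.group("size")),
                "created": m.group("created"),
                "modified": m.group("modified"),
                "md5": m.group("md5").lower(),
            })
    return results


def is_reference_copy(path):
    """WinSxS and the DriverStore hold the servicing copies Windows installs from."""
    p = path.lower()
    return "\\winsxs\\" in p or "\\driverstore\\" in p


def verdict(entries):
    """Compare the live (System32) copies of one file against its reference copies."""
    if not entries:
        return "missing"
    live = [e for e in entries if not is_reference_copy(e["path"])]
    refs = [e for e in entries if is_reference_copy(e["path"])]
    if not live:
        return "no-live-copy"
    if not refs:
        return "no-reference"
    ref_hashes = {e["md5"] for e in refs}
    # Several WinSxS versions can coexist (see winlogon.exe); the live copy only
    # has to match one of them, normally the most recently serviced version.
    return "consistent" if all(e["md5"] in ref_hashes for e in live) else "mismatch"


def check_filefind(text):
    return {name: verdict(entries) for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, v in check_filefind(SAMPLE_FILEFIND).items():
        print(f"{v:13} {name}")
```

A "consistent" verdict is a consistency check, not a clean bill of health: if both copies were modified, or the infection lives elsewhere (the NOD32 report in this thread also named the browser executables), the hashes still agree. Where a known-good hash for the exact build is available, compare against that instead; the VirusTotal upload the helper asks for later serves the same purpose.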

Re: Google/Yahoo search results misdirecting
Also I noticed a lock on my wininit.exe in my system32 folder. I did not edit the file in any way so I dunno how it got there.

[Screenshot: Capture]

Re: Google/Yahoo search results misdirecting
Please go to: VirusTotal


[Image: 79566475]

  • Click the Browse button and search for the following file: c:\windows\system32\wininit.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

Re: Google/Yahoo search results misdirecting
How exactly do I get the results? Should I copy and paste the actual page into Notepad, or should I just make a screenshot of the page?

I've been sitting at the page for a couple hours now and it's still sitting at 0/42 results. I don't know if this is normal.

[Screenshot: Ssz]

Re: Google/Yahoo search results misdirecting
Looks fine.

And you keep getting warnings on it being infected?
