Remnents of w32.Koobface.B and slow browsers/google redirect side effect

I have a PC that seems to have been infected with the w32.Koobface.B virus.  Research seems to point to this coming from Facebook.  Norton Antivirus has removed it for the last 4 days in a row.  I've verified common files related to Koobface are not present, deleted cookies and temp internet files, ran Ad-Aware in Safe Mode, and the following still happens:  a) Norton still finds it and states it has removed the attack, b) web browsers are much slower than normal (both Firefox and IE), and c) I still experience a google redirect on any searches (this seems to be hit or miss - i.e. when searching on "w32.Koobface.B removal" it redirects, but when searching on "baseball" or "cnn" it does not).  I've attached the log file from HiJack This run in normal mode (not safe mode).  Any advice or assistance on how to proceed would be greatly appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


The problem is that the AV do remove the viral component, but there are other that download it back. Instead of removing them by hand I sugest that you use the down below programs

Use SpyBot/AdAware to remove them


Examples of omponents that appear in the attached log
c:\windows\mstre8.exe (does the Google redirect)
C:\Program Files\tinyproxy\tinyproxy.exe

O4 - HKLM\..\Run: [sysftray2] C:\windows\bolivar23.exe
O4 - HKLM\..\Run: [systray] c:\windows\mstre8.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
Also fix the above entry,
C:\Program Files\tinyproxy <-- it's important that you delete this folder.
If problem presists, run Malberbytes or Combofix.
Download Malwarebytes' Anti-Malware to your desktop. check for Updates before scanning.

Download ComboFix to your Desktop, from either of these locations:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

Also In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings
 uncheck "use a proxy server" or reconfigure the Proxy server again IF you set previously.

C:\Program Files\tinyproxy <-- you would need to delete this folder in safe mode as the service is active in normal mode.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.


Fixing the service in hijackthis only disables it, alternatively you can stop and delete the service using the sc command.

Delete this service -->  "Protected Storage (ProtectedStorage) "
there's a space after the service name before the end quote.

Also bear in mind that "Protected Storage" is a legit service name, so the bad service you're looking for is this one(the whole line) --> "Protected Storage (ProtectedStorage) " 

Go to Start Menu > Run > type


Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line(including quotes):

sc stop  "Protected Storage (ProtectedStorage) "
sc delete "Protected Storage (ProtectedStorage) " 


DO NOT delete this one, it is legit --> ProtectedStorage
but DELETE this one, it is bad  --> Protected Storage (ProtectedStorage)
Terri_BuddeAuthor Commented:
Unchecked "use proxy server" in IE and Firefox settings, booted in safe mode and deleted "tinyproxy" folder from program files, rebooted in normal mode, entered command prompt and stopped and deleted "Protected Storage (ProtectedStorage) " (with space).  Then ran ComboFix.  Then scanned with HiJack This again, and the lines that were in question in the responses above were no longer there, and thus, nothing to fix.  Attached are the ComboFix Log as well as the 2nd scan of HiJack This.  Tested both browsers, and speed seems to be returned to normal, as well as no redirect on any searches in Google.  Thanks alot!  Please let me know if the attached log files look alright.
Terri_BuddeAuthor Commented:
Thanks for all the help!

Your version of java is very vulnerable to infections, specially vundo infection--> j2re1.4.2_13

I would suggest installing the later or latest version.
Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.

Then Download and install the newest version from here:

To uninstall combofix;
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Tt will reset system Restore and set a new, clean Restore Point.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.