Worm_Autorun.mcs found and quarantined, but system is still hijacked

I have a computer that got a virus - Worm_Autorun.mcs.  We use TrendMicro OfficeScan and it found and quarantined the file.  I have followed the instructions from Trend and the virus cannot be detected any longer.  However, I'm finding that her web browser is still hijacked.  Search results point to re-directed pages rather than the intended location.  I've attached the HJT log file to see if anyone out there can tell me what items to repair.  I appreciate any assistance!
hijackthis.11.7.log
troypar90Asked:

David-HowardCommented:
I recommend downloading and updating Malwarebytes.
You can get it free from www.malwarebytes.org
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
You may also need to download and run HiJackThis from
http://www.merijn.org/programs.php
Once you run the utility save the log file.
You can post it for free analysis here or at
www.hijackthis.de
You are looking for items marked with red X's primarily.
David
0
rpggamergirlCommented:

Fix the entries below in Hijackthis:
O2 - BHO: 890166 helper - {A48FE9AC-DD02-4FF7-9211-B7BA9A2C8BF2} - C:\WINDOWS\system32\890166\890166.dll
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe

Fixing the entries and deleting the files should take care of it.
C:\Program Files\tinyproxy <-- you need to delete this folder in Safe Mode as the service is active in normal mode, or disable the service first.

C:\WINDOWS\system32\890166 <-- and this folder

If problem persists, run combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
0
rpggamergirlCommented:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
Also fix the above if not using proxy.
And in IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again if you had set it previously
For the deletion of Service, instead of fixing the O23 entry which only disables it, you can do this:
Delete this service --> "DNS Client (Dnscache) "

Go to Start Menu > Run > type

cmd

Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line: (there is a space between the close parenthesis and the end quote, --->    ) space "

sc stop "DNS Client (Dnscache) "
sc delete "DNS Client (Dnscache) "

exit  
NOTE: Do not delete  "Dnscache", that is a legit service.
This is the bad service --> DNS Client (Dnscache)
0
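The traits that made the HijackThis entries in this thread stand out (a loopback browser proxy, a BHO in an all-digit folder, a service borrowing the "DNS Client" name while running from Program Files) can be checked mechanically. The script below is an added example, not part of any post in this thread; the heuristics, the `KNOWN_SERVICES` table and the benign sample line are assumptions made for illustration.

```python
import re

# Constructed sample: the entries quoted in the thread, plus one benign
# service line (an assumption) added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
O2 - BHO: 890166 helper - {A48FE9AC-DD02-4FF7-9211-B7BA9A2C8BF2} - C:\WINDOWS\system32\890166\890166.dll
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\exupd.exe
"""

# Assumption: display-name prefix of a built-in service -> folder its binary runs from.
KNOWN_SERVICES = {"dns client": "c:\\windows\\system32\\"}

PROXY = re.compile(r"^R1 - .*,ProxyServer = (?:\w+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)", re.I)
BHO = re.compile(r"^O2 - BHO: .* - \{[0-9A-F-]+\} - (.+)$", re.I)
SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def triage(log_text):
    """Return (entry_type, reason, line) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := PROXY.match(line):
            findings.append(("R1", f"browser proxy points at local port {m.group(2)}", line))
        elif m := BHO.match(line):
            parts = m.group(1).split("\\")
            if len(parts) >= 2 and parts[-2].isdigit():
                findings.append(("O2", f"BHO loads from all-digit folder '{parts[-2]}'", line))
        elif m := SERVICE.match(line):
            name, owner, path = (g.strip() for g in m.groups())
            reasons = []
            if owner.lower() == "unknown owner":
                reasons.append("no company name reported for the binary")
            for legit, home in KNOWN_SERVICES.items():
                if name.lower().startswith(legit) and not path.lower().startswith(home):
                    reasons.append(f"uses the name '{legit}' but runs from outside {home}")
            if reasons:
                findings.append(("O23", "; ".join(reasons), line))
    return findings

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n      {line}")
```

A hit is a prompt for manual review, not a verdict: a locally installed filtering proxy or a small vendor's unsigned service would trip the same checks.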
troypar90Author Commented:
Thank you rpggamergirl - problem solved. I followed your instructions in both posts and it worked perfectly. There was no need to run Combofix.exe, the HJT fixes along with the DNScache service suggestions worked fine.  Thanks again!
0
rpggamergirlCommented:
You're welcome!
Glad to know it's resolved.

Sorry for the typo in my second post ( I just noticed it.)
Thanks for the points and the grade!
0