Does this log show a virus? What should I do?

Redirect virus causes BHO trojan to resurface in registry after Malwarebytes scrub removes it (HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO)). Here's the HijackThis log on the "cleaned" computer. Does this log show any problems I can fix?


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:00:16 AM, on 10/4/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\prevhost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0222D6D9-E01F-49B0-B6E5-CEA67F24FFF1} - C:\Users\Olivia\AppData\Local\TrayUser.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [WindowsNotifierProfile] rundll32.exe "C:\ProgramData\WindowsNotifierProfile.dll",DllRegisterServer
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Reasonable_Software_House Update] C:\Users\Olivia\AppData\Local\Reasonable_Software_House\Reasonable_Software_HouseUpdate\Reasonable_Software_Houseupdt32.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: WePrint Server.lnk = C:\Program Files\WePrint\WePrint Server.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SATARaid5Manager.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll
O23 - Service: SATARaid5 Configuration Service (SATARaid5 Config Service) - Unknown owner - C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Silicon Image HBA Wakeup Utility (SiHbaWakeupService) - Unknown owner - C:\Program Files\Silicon Image\Silicon Image HBA Wakeup Utility\SiHbaWakeupService.exe

--
End of file - 6144 bytes
oliviajonesAsked:
oliviajonesAuthor Commented:
Here's a good one. If you click EE's search tab at the top of this page, which uses Google, the same trojan is placed again in the registry.
0
johnb6767Commented:
HJT log looks clean.....

Autoruns
http://live.sysinternals.com/autoruns.exe

Can you please run a scan (Options>and Uncheck "Hide ms and windows entries") and save the .arn file here?
0
David Johnson, CD, MVPOwnerCommented:
Run msconfig and do a diagnostic boot, then run Malwarebytes and see what results you get. What is this 'Reasonable Software House' stuff? Is it "legit"? I went to the http://reasonables.com/ website and it hasn't been updated in 5 years.
0
David Johnson, CD, MVPOwnerCommented:
Also stop that rundll32.exe.
0
johnb6767Commented:
That rundll32 might be a part of an NVidia/ATI driver service..... Might want to see what the FULL command line path to it is.... Add the Command Line column in the Task Manager, and see what it points to...
0
MereteCommented:
The HijackThis log is clean.

If you need deeper cleaning, remember to empty the Recycle Bin and the TEMP files in the TEMP folder.
Stop System Restore and restart to start a new restore point; delete the old ones.
Windows 7: go to Control Panel > System and Security > System > System Protection > under the panel, Local Disk C.
See "Configure restore point settings, manage disk space and delete restore points" > Configure >
at the bottom, "Delete all restore points".
0
JonveeCommented:

As stated above, your HijackThis log looks clean, but please be aware that several recent malware variants are not detected by HijackThis.

Suggest you first try downloading & updating Malwarebytes anti-Malware, from here:
http://www.malwarebytes.org/mbam.php
Run in normal mode.
Tutorial, if required:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t169669.html

Malwarebytes (free) should remove the problem, but if Malwarebytes won't run, download and run Rkill first.
Do not reboot after running Rkill; then run Malwarebytes.

Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools:
http://www.technibble.com/rkill-repair-tool-of-the-week/
http://www.bleepingcomputer.com/forums/topic308364.html

If you're still having difficulties, try running TDSSKiller to see if it removes the infection. Try renaming TDSSKiller if it refuses to run:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Download the file TDSSKiller.zip and extract it into a folder
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to be over.
Close all programs and press “Y” key to restart your computer.

More detail TDSSKiller tutorial:
http://support.kaspersky.com/viruses/solutions?qid=208280684

Excellent articles for further help, if needed:
"Google Hijack" - Google Search Gets Redirected:
http://www.experts-exchange.com/A_3299.html

Infected Router - Google Search Redirects Even on a Clean System
http://www.experts-exchange.com/A_5327.html
0
JonveeCommented:
There's no harm in running TDSSKiller first, you may be fortunate and nail the 'Redirect problem' immediately ...but it's still prudent to follow that with a Malwarebytes deep scan.
0
younghvCommented:
oliviajones,
Please ignore the advice to clean out all of your TEMP folders and empty the Recycle Bin. There are newer variants of malware that will move some of your key files/folders into various paths in your profile and no one should be deleting any files or folders (during the disinfection process) without careful consideration of each one.

Also ignore the advice to reset (delete) your restore points. Although restore points MAY contain infections, they cannot go active unless the restore point is actually used.

A really good EE Article by MS MVP 'rpggamergirl' is here:
Viruses in System Volume Information (System Restore)

*****************

I've been on holiday for a few days and unable to post, but have noticed several questions from you with approximately the same problem. Are your recent questions all about the same computer/infection?

If you are posting a "Follow Up" question about the same problem, please use the "Ask a related question" function which will allow all of us to read through the prior question/comments before offering suggestions.

Details here: http://www.experts-exchange.com/help.jsp#hs=29&hi=414
0
oliviajonesAuthor Commented:
My original question went dormant while I had to be away for a little more than a week. I was not aware of the "Ask a related question" option. Thanks.
I have tried to remove the Reasonable Software stuff from an old NoClone install. It no longer shows up in Add/Remove Programs nor in my Program Files folder.
Please tell me how to find the full command path to rundll32.exe.

I've attached the autorun scan from http://live.sysinternals.com/autoruns     
AutoRuns.arn
0
johnb6767Commented:
Under the Drivers Tab, you need to find out what this file is.....

TrueSight                  c:\users\olivia\desktop\truesight.sys

Take it to http://www.virustotal.com and see what the results are..... Not a lot of info out there on it.... Shows up in a CF Safe List....

Other than that, nothing obvious, besides a lot of bloat you can trim out.....

"Please tell me how to find the full command path to rundlll32.exe. "

In the Task Manager, click the View>Select Columns, and add "Command Line". Now look at the Processes Tab, and report the FULL path to that rundll32.exe...
0
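Once the full command line of a rundll32.exe instance is visible (Task Manager's Command Line column, or `wmic process where name='rundll32.exe' get commandline`), the interesting part is the DLL it was handed, not rundll32 itself, which is a signed Windows binary. As an added example (not from the thread or from any of the tools mentioned), this Python script splits such command lines into DLL, exported entry point and arguments, and filters a process listing down to instances loading a DLL from outside Windows or Program Files. The argument grammar implemented is a simplified model of how rundll32 reads its command line (DLL name to the first comma, quoted to allow spaces; entry point after the comma up to whitespace; the rest passed through), the trusted directory list is an assumption, and the sample listing is constructed: the Run entry from the log above as it would appear once running, a standard Control Panel launch, and an unrelated process.

```python
"""Parse rundll32 command lines into the DLL loaded, the entry point, and arguments.

Added example (not from the thread). Input is whatever the Task Manager
"Command Line" column or `wmic process where name='rundll32.exe' get commandline`
shows. The grammar below is a simplified model of rundll32's argument parsing:
the DLL name runs to the first comma (or whitespace, unless quoted), the export
name follows the comma up to the next whitespace, and the rest is passed to it.
"""
from typing import List, NamedTuple, Optional, Tuple

# Assumed trusted locations for a stock Windows install.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


class RunDllTarget(NamedTuple):
    dll: str
    entry_point: Optional[str]
    args: str
    trusted: bool       # absolute path under a trusted directory


def _take_token(s: str, stop_at_comma: bool) -> Tuple[str, str]:
    """Return (token, remainder). A leading quote groups spaces and commas."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    stops = [" ", "\t"] + ([","] if stop_at_comma else [])
    idx = min((s.find(c) for c in stops if s.find(c) != -1), default=len(s))
    return s[:idx], s[idx:]


def parse_rundll32(cmdline: str) -> Optional[RunDllTarget]:
    # First token is the rundll32.exe image itself (quoted or bare).
    image, rest = _take_token(cmdline, stop_at_comma=False)
    if "rundll32" not in image.lower():
        return None
    dll, rest = _take_token(rest, stop_at_comma=True)
    if not dll:
        return None
    rest = rest.lstrip()
    entry = None
    if rest.startswith(","):
        entry, rest = _take_token(rest[1:], stop_at_comma=False)
        entry = entry or None
    # A bare name (no directory) is resolved through the DLL search order, so its
    # origin cannot be judged from the command line alone: it is reported untrusted.
    trusted = dll.lower().startswith(TRUSTED_DIRS)
    return RunDllTarget(dll, entry, rest.strip(), trusted)


def untrusted_rundll32(cmdlines: List[str]) -> List[RunDllTarget]:
    """Filter a process listing down to rundll32 instances loading DLLs from elsewhere."""
    out = []
    for c in cmdlines:
        t = parse_rundll32(c)
        if t is not None and not t.trusted:
            out.append(t)
    return out


# Constructed sample listing: the Run entry from the HijackThis log above as it
# would appear once running, a normal Control Panel launch, and an unrelated process.
SAMPLE_CMDLINES = [
    r'rundll32.exe "C:\ProgramData\WindowsNotifierProfile.dll",DllRegisterServer',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
    r'C:\Windows\Explorer.EXE',
]

if __name__ == "__main__":
    for t in untrusted_rundll32(SAMPLE_CMDLINES):
        print(f"DLL: {t.dll}  entry: {t.entry_point}  args: {t.args!r}")
```

On the sample listing only the ProgramData DLL is reported; the shell32.dll launch is parsed correctly (entry `Control_RunDLL`, argument `desk.cpl`) and then dropped as trusted. Because the DLL path is recovered as a plain string, it can be fed straight to a hash-and-lookup step against VirusTotal or to the file's digital signature check, which is the next thing to do with an unfamiliar DLL that rundll32 is keeping alive.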
oliviajonesAuthor Commented:
I believe the solution to this problem was to boot in safemode and run mbam followed by AV antivirus. For whatever reason, Mbam found and removed 4 trojans that had not shown up in normal mode, and now I seem to have full browser access and no redirect. Virus could be waiting and lurking. If so, I'll be back. Meanwhile, I want to award points for all the time spent on this. Thanks a lot.
0
oliviajonesAuthor Commented:
As noted above, I believe the solution to this problem was to boot in safemode and run mbam followed by AV antivirus. This was not suggested by EE, but by an IT neighbor. For whatever reason, Mbam in safe mode found and removed 4 trojans that had not shown up in normal mode, and now I seem to have full browser access and no redirect. I believe that cumulative earlier efforts of EE experts assisted in this result. Virus could be waiting and lurking. If so, I'll be back. Meanwhile, I want to award points for all the time spent on this. Thanks a lot
0
JonveeCommented:
Thanks for the report!   It is indeed surprising that MBAM found and removed the four trojans in Safe mode after failing to detect them in normal mode, because MBAM has been designed to work in the latter, where Malware is more active.

You may like to study some of the comments in this MBAM forum link, referred to some months ago by E_E's younghv:
http://forums.malwarebytes.org/index.php?showtopic=17334&pid=88995&start=&st=#entry88995

If you still have access to the computer, the other suggestion is to get a 'second opinion' by trying at least two of the following scanners:

ESET Online Scanner, a free, & powerful tool:
http://www.eset.com/online-scanner 

McAfee Labs Stinger:
http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx
Recommend you do not initially disable System Restore as suggested.

Dr.Web CureIt!:
http://www.freedrweb.com/cureit/?lng=en
0
oliviajonesAuthor Commented:
Thanks for these useful tools, which I will now run as an added precaution!
0