Solved

Searching out nasty Redirect Virus. Here's the Combofix Log. What next?

Posted on 2011-10-04
1,334 Views
Last Modified: 2016-10-27
EE says I should leave ComboFix to the experts. I ran Malwarebytes first and removed a trojan from my registry (HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO)). Then I ran ComboFix in safe mode. What next? Here's the ComboFix log:
ComboFix 11-10-04.04 - Olivia 10/04/2011  12:25:34.1.2 - x86 NETWORK
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3006.2476 [GMT -4:00]
Running from: c:\users\Olivia\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\google\common\google updater\googleupdaterservice.exe
c:\programdata\WindowsNotifierProfile.dll
c:\users\Olivia\AppData\Local\TrayUser.dll
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{13ba79cf-1ffb-4b99-bfab-2da126bc6b8f}
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{13ba79cf-1ffb-4b99-bfab-2da126bc6b8f}\chrome.manifest
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{13ba79cf-1ffb-4b99-bfab-2da126bc6b8f}\chrome\xulcache.jar
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{13ba79cf-1ffb-4b99-bfab-2da126bc6b8f}\defaults\preferences\xulcache.js
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{13ba79cf-1ffb-4b99-bfab-2da126bc6b8f}\install.rdf
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{24435529-fbd3-4061-87e3-24e281f6ed77}
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{24435529-fbd3-4061-87e3-24e281f6ed77}\chrome.manifest
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{24435529-fbd3-4061-87e3-24e281f6ed77}\chrome\xulcache.jar
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{24435529-fbd3-4061-87e3-24e281f6ed77}\defaults\preferences\xulcache.js
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{24435529-fbd3-4061-87e3-24e281f6ed77}\install.rdf
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{3da26ce5-ed2d-49c0-b70a-087c6e8bb244}
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{3da26ce5-ed2d-49c0-b70a-087c6e8bb244}\chrome.manifest
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{3da26ce5-ed2d-49c0-b70a-087c6e8bb244}\chrome\xulcache.jar
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{3da26ce5-ed2d-49c0-b70a-087c6e8bb244}\defaults\preferences\xulcache.js
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{3da26ce5-ed2d-49c0-b70a-087c6e8bb244}\install.rdf
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{72cfdb20-0cca-4758-8fa7-387a639224cd}
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{72cfdb20-0cca-4758-8fa7-387a639224cd}\chrome.manifest
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{72cfdb20-0cca-4758-8fa7-387a639224cd}\chrome\xulcache.jar
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{72cfdb20-0cca-4758-8fa7-387a639224cd}\defaults\preferences\xulcache.js
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{72cfdb20-0cca-4758-8fa7-387a639224cd}\install.rdf
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{afeca7a9-7f03-4968-876b-7c96d6255a94}
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{afeca7a9-7f03-4968-876b-7c96d6255a94}\chrome.manifest
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{afeca7a9-7f03-4968-876b-7c96d6255a94}\chrome\xulcache.jar
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{afeca7a9-7f03-4968-876b-7c96d6255a94}\defaults\preferences\xulcache.js
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{afeca7a9-7f03-4968-876b-7c96d6255a94}\install.rdf
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{da862fba-1675-469e-80f2-40ac21f7b23b}
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{da862fba-1675-469e-80f2-40ac21f7b23b}\chrome.manifest
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{da862fba-1675-469e-80f2-40ac21f7b23b}\chrome\xulcache.jar
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{da862fba-1675-469e-80f2-40ac21f7b23b}\defaults\preferences\xulcache.js
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{da862fba-1675-469e-80f2-40ac21f7b23b}\install.rdf
c:\users\Olivia\GoToAssistDownloadHelper.exe
c:\windows\system32\ndisapi.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-09-04 to 2011-10-04  )))))))))))))))))))))))))))))))
.
.
2011-10-04 16:30 . 2011-10-04 16:31      --------      d-----w-      c:\users\Olivia\AppData\Local\temp
2011-10-04 16:30 . 2011-10-04 16:30      --------      d-----w-      c:\users\Default\AppData\Local\temp
2011-10-04 08:33 . 2011-09-21 13:00      7269712      ----a-w-      c:\programdata\Microsoft\Windows Defender\Definition Updates\{72237C11-1C66-4763-950B-5020130E554E}\mpengine.dll
2011-09-24 18:47 . 2011-09-24 18:47      388096      ----a-r-      c:\users\Olivia\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-24 18:47 . 2011-09-24 18:47      --------      d-----w-      c:\program files\Trend Micro
2011-09-24 17:42 . 2011-09-24 18:41      --------      d-----w-      c:\programdata\Spybot - Search & Destroy
2011-09-24 17:42 . 2011-09-24 17:45      --------      d-----w-      c:\program files\Spybot - Search & Destroy
2011-09-22 17:53 . 2011-09-22 17:53      --------      d-----w-      c:\users\Olivia\AppData\Roaming\AVG2012
2011-09-22 17:21 . 2011-10-03 12:57      --------      d-----w-      c:\programdata\AVG2012
2011-09-11 01:44 . 2011-09-11 01:44      --------      d-----w-      c:\program files\Common Files\Adobe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 21:00 . 2010-10-18 19:11      22216      ----a-w-      c:\windows\system32\drivers\mbam.sys
2011-08-17 18:05 . 2011-06-20 23:32      404640      ----a-w-      c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-05 20:02 . 2009-07-14 02:05      152576      ----a-w-      c:\windows\system32\msclmd.dll
2011-07-16 04:27 . 2011-08-10 04:39      290816      ----a-w-      c:\windows\system32\KernelBase.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      5120      ---ha-w-      c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4608      ---ha-w-      c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 04:39      6144      ---ha-w-      c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 04:39      4608      ---ha-w-      c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-12 15:20 . 2011-07-12 15:20      83816      ----a-w-      c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20      73064      ----a-w-      c:\windows\system32\dnssd.dll
2011-07-09 04:29 . 2011-08-24 10:44      2048      ----a-w-      c:\windows\system32\tzres.dll
2011-07-09 02:30 . 2011-08-10 04:40      223744      ----a-w-      c:\windows\system32\drivers\mrxsmb10.sys
2011-09-12 03:00 . 2011-04-04 13:55      134104      ----a-w-      c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Olivia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
WePrint Server.lnk - c:\program files\WePrint\WePrint Server.exe [2011-2-13 2400256]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]
SATARaid5Manager.lnk - c:\windows\Installer\{2ABC904F-6915-40AC-8CF8-B48743698CEC}\_19B708D90CBD3F24F241B9.exe [2010-5-29 1206]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-08-14 01:31      13672      ----a-w-      c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17      64592      ----a-w-      c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-03-27 20:07      362232      ----a-w-      c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 16:48      58656      ----a-w-      c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24      54840      ----a-w-      c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2010-06-16 17:40      2736128      ----a-w-      c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-03-27 20:06      5107232      ----a-w-      c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2010-02-25 12:33      364544      ----a-w-      c:\windows\System32\WDBtnMgr.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe [2005-10-05 131072]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 SiHbaWakeupService;Silicon Image HBA Wakeup Utility;c:\program files\Silicon Image\Silicon Image HBA Wakeup Utility\SiHbaWakeupService.exe [2009-07-28 62464]
R3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2010-05-21 160704]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-07-13 1394688]
R3 TrueSight;TrueSight;c:\users\Olivia\Desktop\TrueSight.sys [2011-10-03 111104]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
R4 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2010-05-21 2480048]
R4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
R4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [x]
R4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [x]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [x]
R4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run [x]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R4 Media Center 14 Service;Media Center 14 Service;c:\program files\J River\Media Center 14\JRService.exe [2010-05-05 379392]
S0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\DRIVERS\tdrpm258.sys [2010-05-21 911680]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService      REG_MULTI_SZ         HPSLPSVC
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt      REG_MULTI_SZ         hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-06-16 17:38      451872      ----a-w-      c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en&num=30
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: pnc.com\www.onlinebanking
TCP: DhcpNameServer = 71.252.0.12 71.242.0.12
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en&num=30
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
HKCU-Run-WindowsNotifierProfile - c:\programdata\WindowsNotifierProfile.dll
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-04  12:32:22
ComboFix-quarantined-files.txt  2011-10-04 16:32
.
Pre-Run: 288,385,675,264 bytes free
Post-Run: 288,341,676,032 bytes free
.
- - End Of File - - 43D90EA168824B1237ED94D3D8A4A2BF
Question by:oliviajones
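As an added example (not code from the original post, from ComboFix, or from any of the commenters), the following Python script runs the checks a responder applies when reading a log like the one above: whether UAC has been switched off in the policies\system block, which Run values, services and removed orphans point into user-writable paths, which services have no binary on disk, and which GUID-named Firefox extension directories ComboFix deleted. The sample input is excerpted from the posted logs. The category names, the set of user-writable prefixes, and the reading of a trailing "[x]" as "binary not found" are this example's own assumptions, and a flag only marks an item for review, not a verdict: TrueSight.sys is flagged purely because it loads from the Desktop.

```python
"""Triage checks over a ComboFix log (added example, not ComboFix's own code).

Flags UAC turned off, autostart/service entries in user-writable locations,
services whose binary is absent, and deleted GUID-named Firefox extension
directories. Every flag is a review item, not a verdict.
"""
import re

# Constructed sample: lines excerpted from the ComboFix logs posted above.
SAMPLE_LOG = r"""
c:\programdata\WindowsNotifierProfile.dll
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{13ba79cf-1ffb-4b99-bfab-2da126bc6b8f}
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{13ba79cf-1ffb-4b99-bfab-2da126bc6b8f}\chrome\xulcache.jar
c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\extensions\{24435529-fbd3-4061-87e3-24e281f6ed77}
c:\windows\system32\ndisapi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
R3 TrueSight;TrueSight;c:\users\Olivia\Desktop\TrueSight.sys [2011-10-03 111104]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [x]
R4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run [x]
HKCU-Run-WindowsNotifierProfile - c:\programdata\WindowsNotifierProfile.dll
"""

# Assumed set of locations an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")

# UAC values that disable prompting: EnableLUA=0 turns UAC off,
# ConsentPromptBehaviorAdmin=0 elevates without prompting,
# PromptOnSecureDesktop=0 drops the secure desktop.
WEAK_UAC = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}

POLICY = re.compile(r'^"(\w+)"=\s*(\d+)')
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[([^\]]*)\]$")
ORPHAN = re.compile(r"^HKCU-Run-(\S+)\s+-\s+(.+)$")
EXT_DIR = re.compile(r"\\extensions\\\{[0-9a-f-]{36}\}$", re.IGNORECASE)


def in_user_writable(path):
    """True for paths under a profile, ProgramData, AppData or a temp directory."""
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in p or "\\temp\\" in p


def triage(log_text):
    """Return a list of (category, detail) findings for one ComboFix log."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()  # remember which registry key the next lines belong to
            continue
        m = POLICY.match(line)
        if m and "policies\\system" in section and WEAK_UAC.get(m.group(1)) == int(m.group(2)):
            findings.append(("uac-disabled", f"{m.group(1)}={m.group(2)}"))
        m = RUN_VALUE.match(line)
        if m and in_user_writable(m.group(2)):
            findings.append(("run-user-path", f"{m.group(1)} -> {m.group(2)}"))
        m = SERVICE.match(line)
        if m:
            name, path, stamp = m.groups()
            if stamp == "x":  # assumption: [x] in place of date/size means no file on disk
                findings.append(("service-missing-binary", f"{name} -> {path}"))
            elif in_user_writable(path):
                findings.append(("service-user-path", f"{name} -> {path}"))
        m = ORPHAN.match(line)
        if m and in_user_writable(m.group(2)):
            findings.append(("orphan-run-user-path", f"{m.group(1)} -> {m.group(2)}"))
        if EXT_DIR.search(line):  # directory entry only, not the files beneath it
            findings.append(("deleted-extension-dir", line.rsplit("\\", 1)[-1]))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the full log rather than the excerpt by reading the file into `triage()`; the UAC findings are the ones worth acting on first, because with EnableLUA=0 every process on the box already runs with the user's full administrative token, which is also why a reinstall is the safer end state once the redirect is gone.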
16 Comments
 
LVL 5

Expert Comment

by: greedj
ID: 36911439
If ComboFix failed to clean it (ComboFix is the Hulk of cleaning tools), then I would back up the data and wipe.

You could try installing the HD in another PC and scanning it.
 
LVL 10

Expert Comment

by: Jim-R
ID: 36911626
Running ComboFix in Safe Mode may be your problem. Run it again in normal mode and then post the log for the antivirus experts to look at.

ComboFix should only be run in Safe Mode when it is not possible to run it in normal mode. The "bugs" are often not present in Safe Mode, so ComboFix can't fix what isn't detectable in Safe Mode.
 
LVL 4

Expert Comment

by: alexsupertramp
ID: 36911734
Be sure to consider the time you are putting into this troubleshooting right now versus the time it would take to back up data (as little as possible, in order to avoid backing up an infected file), format the HD and reinstall Windows. My steps for virus troubleshooting are: 1) system restore; 2) spend a maximum of half an hour trying to remove the virus; 3) back up your data, format and reinstall Windows, and move on to something more worth your time.
 

Author Comment

by: oliviajones
ID: 36911912
Interesting idea about backing up and reinstalling. Two problems (not insurmountable?):
1. Find the OS disk and setups for the added SATA cards, etc.
2. What document/downloaded program files might carry the virus to the new location?

Anyway, here is the ComboFix log in normal boot mode:
ComboFix 11-10-04.04 - Olivia 10/04/2011  13:42:42.2.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3006.2119 [GMT -4:00]
Running from: c:\users\Olivia\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2011-09-04 to 2011-10-04  )))))))))))))))))))))))))))))))
.
.
2011-10-04 17:50 . 2011-10-04 17:50      --------      d-----w-      c:\users\Default\AppData\Local\temp
2011-10-04 17:02 . 2011-10-04 17:02      23624      ----a-w-      c:\windows\system32\drivers\hitmanpro35.sys
2011-10-04 17:02 . 2011-10-04 17:02      --------      d-----w-      c:\program files\Hitman Pro 3.5
2011-10-04 17:01 . 2011-10-04 17:01      --------      d-----w-      c:\programdata\Hitman Pro
2011-10-04 16:32 . 2011-10-04 17:50      --------      d-----w-      c:\users\Olivia\AppData\Local\temp
2011-10-04 08:33 . 2011-09-21 13:00      7269712      ----a-w-      c:\programdata\Microsoft\Windows Defender\Definition Updates\{72237C11-1C66-4763-950B-5020130E554E}\mpengine.dll
2011-09-24 18:47 . 2011-09-24 18:47      388096      ----a-r-      c:\users\Olivia\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-24 18:47 . 2011-09-24 18:47      --------      d-----w-      c:\program files\Trend Micro
2011-09-24 17:42 . 2011-09-24 18:41      --------      d-----w-      c:\programdata\Spybot - Search & Destroy
2011-09-24 17:42 . 2011-09-24 17:45      --------      d-----w-      c:\program files\Spybot - Search & Destroy
2011-09-22 17:53 . 2011-09-22 17:53      --------      d-----w-      c:\users\Olivia\AppData\Roaming\AVG2012
2011-09-11 01:44 . 2011-09-11 01:44      --------      d-----w-      c:\program files\Common Files\Adobe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 21:00 . 2010-10-18 19:11      22216      ----a-w-      c:\windows\system32\drivers\mbam.sys
2011-08-17 18:05 . 2011-06-20 23:32      404640      ----a-w-      c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-05 20:02 . 2009-07-14 02:05      152576      ----a-w-      c:\windows\system32\msclmd.dll
2011-07-16 04:27 . 2011-08-10 04:39      290816      ----a-w-      c:\windows\system32\KernelBase.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      5120      ---ha-w-      c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4608      ---ha-w-      c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      4096      ---ha-w-      c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 04:39      6144      ---ha-w-      c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 04:39      4608      ---ha-w-      c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 04:39      3584      ---ha-w-      c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 04:39      3072      ---ha-w-      c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-12 15:20 . 2011-07-12 15:20      83816      ----a-w-      c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20      73064      ----a-w-      c:\windows\system32\dnssd.dll
2011-07-09 04:29 . 2011-08-24 10:44      2048      ----a-w-      c:\windows\system32\tzres.dll
2011-07-09 02:30 . 2011-08-10 04:40      223744      ----a-w-      c:\windows\system32\drivers\mrxsmb10.sys
2011-09-12 03:00 . 2011-04-04 13:55      134104      ----a-w-      c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Olivia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
WePrint Server.lnk - c:\program files\WePrint\WePrint Server.exe [2011-2-13 2400256]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]
SATARaid5Manager.lnk - c:\windows\Installer\{2ABC904F-6915-40AC-8CF8-B48743698CEC}\_19B708D90CBD3F24F241B9.exe [2010-5-29 1206]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-08-14 01:31      13672      ----a-w-      c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17      64592      ----a-w-      c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-03-27 20:07      362232      ----a-w-      c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 16:48      58656      ----a-w-      c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24      54840      ----a-w-      c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2010-06-16 17:40      2736128      ----a-w-      c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-03-27 20:06      5107232      ----a-w-      c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2010-02-25 12:33      364544      ----a-w-      c:\windows\System32\WDBtnMgr.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe [2005-10-05 131072]
R2 SiHbaWakeupService;Silicon Image HBA Wakeup Utility;c:\program files\Silicon Image\Silicon Image HBA Wakeup Utility\SiHbaWakeupService.exe [2009-07-28 62464]
R3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2010-05-21 160704]
R3 TrueSight;TrueSight;c:\users\Olivia\Desktop\TrueSight.sys [2011-10-03 111104]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400]
R4 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2010-05-21 2480048]
R4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
R4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run [x]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R4 Media Center 14 Service;Media Center 14 Service;c:\program files\J River\Media Center 14\JRService.exe [2010-05-05 379392]
S0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\DRIVERS\tdrpm258.sys [2010-05-21 911680]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-07-13 1394688]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService      REG_MULTI_SZ         HPSLPSVC
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt      REG_MULTI_SZ         hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-06-16 17:38      451872      ----a-w-      c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en&num=30
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: pnc.com\www.onlinebanking
TCP: DhcpNameServer = 71.252.0.12 71.242.0.12
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\users\Olivia\AppData\Roaming\Mozilla\Firefox\Profiles\of0j4p2m.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en&num=30
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-04  13:52:15
ComboFix-quarantined-files.txt  2011-10-04 17:52
ComboFix2.txt  2011-10-04 16:32
.
Pre-Run: 288,786,825,216 bytes free
Post-Run: 288,733,274,112 bytes free
.
- - End Of File - - B23956EAFC2DCDF8DC7936137336F9B1
0
 
LVL 4

Expert Comment

by:alexsupertramp
ID: 36912044
Most systems ship with a bootable dvd containing the reinstallation files for the os that shipped on the system. A reinstall of the os is frequently necessary so it's pretty crucial that this dvd be retained. Not to mention that it's likely that a customer paid for the right to have that os and a copy of it on dvd when they bought the pc. If you don't have it then you would need to re-purchase it. I believe Windows 7 Home Premium goes for under $100. You can download it or buy the media at Office Depot or Staples.

Drivers: Windows 7 installs standard system hardware drivers without additional effort on your part.

Backup: You would need to reinstall programs...you would not back up actual programs/applications. You would back up the data in c:/users/<user name>. In this case that looks like "olivia". Only back up data you know you need, like documents, pictures, music. DO NOT back up ntuser.dat. That is very important. If you are not sure where your important data resides then I might suggest that you not format your hard drive, but just boot to the installation dvd and reinstall windows without formatting. It will move your old install of windows into a separate folder so that you may access files there later, but the virus will not follow because it is only associated with the old instance of windows.

0
 
LVL 10

Expert Comment

by:Jim-R
ID: 36912235
I would wait for younghv, rpgamergirl or one of the AntiVirus experts to answer before I re-installed.

I can tell that alexsupertramp is not one of those A/V experts, not because of his avatar, but because he said "system restore".  Many times system restore points are also infected, yet can still be useful in the repair of a system, but not strictly "as is" if infected.  It wouldn't be the first thing to try UNLESS you knew for certain the computer was NOT infected at the restore point's creation date.

Please allow one of the A/V experts to assist you.

Thanks for using Experts Exchange!
0
 
LVL 4

Expert Comment

by:alexsupertramp
ID: 36912392
You're right Jim, I'm not an a/v expert and I didn't realize this was posted in that zone until after my first response, and yes Olivia, I am not suggesting that you reinstall right this moment. However, my role as an IT administrator is to get business users up and running asap. In my experience, the fact that a restore point could be infected is a technicality. 9 times out of 10 booting into safe mode and running a system restore has permanently fixed a user's operating system. That takes about 15 minutes. What has cost me time is when users or other IT staff follow instructions to turn off system restore, subsequently deleting all restore points forever and sending me down the road of muddling through the granular process of removing a virus.

I hope you get your system back up and running soon. Regardless, it's valuable to know where your important data is, how to back it up and how to start from scratch and reinstall your os and your programs. Just a point of view from a different angle. Good luck!
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 36915205
Many of us in E_E think in somewhat different ways to achieve the same result, and IMO it's certainly worth trying a cleanup long before you reformat.
But first, is this the same computer that was involved in your earlier question?

Either way I would highly recommend first running TDSSKiller, as explained previously:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Download the file TDSSKiller.zip and extract it into a folder
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to be over.
Close all programs and press “Y” key to restart your computer.

More detailed TDSSKiller tutorial:
http://support.kaspersky.com/viruses/solutions?qid=208280684

Once again these two excellent articles by rpggamergirl will help in a 'Redirect' problem:
"Google Hijack" - Google Search Gets Redirected:
http://www.experts-exchange.com/A_3299.html

Infected Router - Google Search Redirects Even on a Clean System
http://www.experts-exchange.com/A_5327.html

The ComboFix log file will take quite some time to study, and again rpg is probably the best around.

Incidentally it's also wise to leave your System Restore functionality alone until after a computer has been disinfected, then you can switch SR off, then on ...it's far better to restore to an infected _Restore folder than have nothing to restore to at all. An infection in a _Restore folder will remain contained unless you actually call for a 'restore'.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36919829
@oliviajones,

Are you still getting re-directed ?

Please follow the instructions posted by Jonvee above and let us know how it comes.

Sudeep
0
 

Author Comment

by:oliviajones
ID: 36920823
You spotted it! I had to suspend action on my earlier question and when I returned it did not get responses so I decided to break my question into several pieces. I have run tdsskiller several times. It reports no threats. Should I do it again? I have several computers on this router and only one is infected, so an EE expert told me it was not the router. I just ran Malbytes followed by AV Antivirus in safe mode. Malbytes found nothing, but AV found 4 trojans which are quarantined. Any idea why AV found c:\Documents and Settings a locked file it could not test? Is that normal?
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36920895
@oliviajones

If the router got infected then the search re-direct would happen on all the computers that are connected to that router. If the re-direct is not on all the computers but only one, then router infection can be ruled out.

However we would still advise you to change the default password of the router if you haven't done that yet, to make it safe.

Further it is not recommended to run the AV or any other removal tool in safe mode unless you are unable to run them in normal mode.
0
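Jonvee notes above that the ComboFix log takes time to study, and Sudeep's reasoning is that a host-only redirect points at the machine, not the router. As an added example (not code from the thread or from ComboFix), a small Python parser for the log's "Supplementary Scan" block that undoes the `hxxp` defanging and flags start/search URLs off an allowlist and DhcpNameServer entries that differ from what other machines on the same router receive; the sample block, the allowlist and the expected DNS set are constructed assumptions supplied by the caller.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of ComboFix's "Supplementary Scan" block.
SAMPLE_LOG = """\
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/advanced_search?hl=en&num=30
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: pnc.com\\www.onlinebanking
TCP: DhcpNameServer = 71.252.0.12 71.242.0.12
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en&num=30
"""

URL_KEYS = ("uStart Page", "uDefault_Search_URL", "uSearchAssistant", "uSearchURL,(Default)")

def parse_supplementary(text):
    """Collect browser URLs, DNS servers, trusted zones and Firefox prefs; 'hxxp' -> 'http'."""
    out = {"urls": {}, "dns": [], "trusted": [], "ff": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("TCP: DhcpNameServer ="):
            out["dns"] = line.split("=", 1)[1].split()
        elif line.startswith("Trusted Zone:"):
            out["trusted"].append(line.split(":", 1)[1].strip())
        elif line.startswith("FF - prefs.js:"):
            name, _, val = line[len("FF - prefs.js:"):].strip().partition(" - ")
            out["ff"][name] = re.sub(r"^hxxp", "http", val)
        elif " = " in line:
            key, _, val = line.partition(" = ")
            if key in URL_KEYS:
                out["urls"][key] = re.sub(r"^hxxp", "http", val)
    return out

def triage(parsed, allowed_hosts, expected_dns):
    """Return findings: URL hosts outside allowed_hosts, DNS servers outside expected_dns."""
    findings = []
    urls = dict(parsed["urls"])
    urls.update({k: v for k, v in parsed["ff"].items() if v.startswith("http")})
    for key, url in urls.items():
        host = urlparse(url).hostname or ""
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            findings.append(f"{key}: unexpected host {host}")
    for srv in parsed["dns"]:
        if srv not in expected_dns:
            findings.append(f"DhcpNameServer: {srv} differs from other hosts on this router")
    return findings
```

Run the same parser on the log from a clean machine on the same router to get the expected DNS set; a difference on only one host is the host-level tampering Sudeep describes.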
 

Author Comment

by:oliviajones
ID: 36921011
The amazing thing is that running AV in safe mode as described above and taking out those last trojans SEEMS to have cured problem. I was redirecting in safe mode before and now my google searches SEEM normal. But now I need advice. I am still in safe mode. Is there anything I should do before changing back to normal mode?
0
 
LVL 30

Accepted Solution

by:
Sudeep Sharma earned 1600 total points
ID: 36921182
>>>Is there anything I should do before changing back to normal mode?

Nothing more required, just let the AV scan finish and do its job. Then boot into normal mode and run the tools described above one-by-one to make sure everything is clean.
I would suggest MBAM first and then AV Scan.

Sudeep
0
 

Author Comment

by:oliviajones
ID: 36921786
In Normal mode I ran MBAM: no threats. Running full computer AV scan now. Anything else before I hit the browser key that seems to trigger my problem?
0
 
LVL 10

Assisted Solution

by:Jim-R
Jim-R earned 400 total points
ID: 36922578
Yes, you have been advised to run the rest of the tools.  These should be run in normal mode so they may detect any illicit activity running that would not be able to run in Safe Mode.
0
 

Author Closing Comment

by:oliviajones
ID: 36934226
Irony is that a neighbor techie's suggestion that I run mbam in safe mode followed by AV anti virus, still in safe mode, seemed to have found and removed 4 trojans that had not been spotted before. After that, I could follow subsequent advice.
0
Question has a verified solution.
