How can I remove this rootkit virus?

My boss somehow managed to get a virus on the PC; it's a persistent one and even survived reloading Windows. I looked up the popup his AVG antivirus gives and there are some articles about rootkit viruses. I have tried AVG's scan, Malwarebytes, and some sort of Sophos task killer and still cannot get rid of it. It's causing browser redirects etc. I even reloaded the PC and it somehow remained. Is there anything else I can do?
Attachment: virus.doc.docx
Axis52401 (Security Analyst) asked:
Ben_b3n commented:
At this stage I would recommend the following, only if you are comfortable:

- Download ComboFix.

- Unplug from the internet and deactivate AVG (you might have to uninstall it to stop its on-demand scanning). Also deactivate any other antivirus programs you have running.

- Then run ComboFix.
- Follow the on-screen prompts and then let it run. Don't run any other programs or touch anything until it has finished. It may even reboot your computer and continue scanning.
- Eventually it will prepare a log report; please then post that here (it might be easier to attach the file).

@younghv - Good Point =) Thank you
Ben_b3n commented:
Hi there!
Rootkits are a pain.
Did you format the drives when you re-installed Windows?

Here is how I attack a rootkit:
Boot into TDSSKiller and delete or quarantine any win32.rootkit or TDSS.filesystem.

Boot into Windows in safe mode and run TDSSKiller again to delete/cure anything that pops up. The reason I run in MiniXP first is to put it in quarantine so it can't run in the Windows environment. I just removed a rootkit yesterday that stopped TDSSKiller from running... it was fun.

Once completed, reboot back into safe mode and run Spybot and Malwarebytes at the same time (it's how I roll). Remove anything selected and reboot again.

If it's still there, post back here; if not, continue below.

Depending on which rootkit you removed (please post), it may corrupt or drop a browser hijack/redirect or even damage your Winsock/LSP. Let's hope it didn't do the dirty on the way out.
Axis52401 (Security Analyst, author) commented:
I'd tried the TDSSKiller app with no success.
Giovanni Heward commented:
@Jason0923 ...as your post mentioned you reloaded Windows, I infer it's safe to assume you would be willing to do it again? If so, this time I would recommend that you actually write 0's to the entire drive prior to reloading the OS. After that I would ensure that you're reloading Windows with a legitimate Microsoft disc or ISO image. If you want to be really careful you could disconnect network access to the infected machine until you have time to create a clean image after the reinstall. DBAN will help you nuke the entire drive. While deeper hardware-level rootkits do exist, and reside within hardware firmware and/or special areas of your CPU, it's highly unlikely you have this type of infection, as the general purpose of these types of rootkits is being covert and not openly announcing itself by browser redirects, etc.

After you've created a clean image you can always revert back to it should infection occur again.
Ben_b3n commented:
OK, I'll try again.

:)

Boot into safe mode; once inside, run rKill.exe. Hopefully that will run, with the result of stopping the process. Then download and run TDSSKiller; be sure to click on "more parameters" and select both boxes under Additional options.
Giovanni Heward commented:
If you want to attempt the disinfection route (having no real guarantee the system is actually clean), I've had good results with GMER as well.
Axis52401 (Security Analyst, author) commented:
I have the Windows OS CD that came with the laptop, so yes, it's a legit copy. I used the format drive option before the reload; don't you think that is enough? It's not connected to the company network yet.
Giovanni Heward commented:
At the end of the day it's more probable that it's not a rootkit but malware, and your boss is inadvertently downloading and running it after the system has been cleaned/restored... likely through a link obtained via email. After you've restored I recommend you use OpenDNS for all your DNS resolution (and block outbound packets to all other DNS servers) and install Spybot S&D on his PC or a similar program.
Axis52401 (Security Analyst, author) commented:
Now it shows this Trojan Horse backdoor (screenshot):
Attachment: virus.doc.docx
Giovanni Heward commented:
It depends whether you only formatted one partition (and left another partition which may have contained malware that was executed later on) rather than using the install disc to delete all partitions first and then format the entire drive afterwards. I would also look at each program your boss wants to install after the fact... any installed via email links, etc., and scan them with VirusTotal. It probably wouldn't hurt (technically) to only give him local Standard permissions rather than Administrator, so that you must be involved whenever he tries to install additional software, etc.
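
Giovanni's two follow-up suggestions above (resolve DNS only through OpenDNS and block outbound DNS to every other server; give the boss a local Standard account instead of Administrator) as a PowerShell script for the freshly reloaded Windows 7 machine. This is an added example, not posted by anyone in the thread. It assumes the adapter name 'Local Area Connection', a local account named 'kombat' (used only as an illustration), the OpenDNS public resolvers 208.67.222.222 and 208.67.220.220, and an elevated PowerShell prompt; it drives netsh because Windows 7 has no firewall cmdlets of its own.

```powershell
# Added post-reinstall hardening script, not posted by anyone in this thread.
# On a freshly reloaded Windows 7 machine it:
#   1. pins the adapter to the OpenDNS resolvers (static, so DHCP cannot override),
#   2. blocks outbound DNS (UDP/TCP 53) to every other IPv4 address,
#   3. takes the user out of local Administrators so installs need an admin.
# Assumptions (not from the thread): adapter and account names below, an elevated
# PowerShell prompt, netsh advfirewall (Windows 7 has no firewall cmdlets).

$adapter   = 'Local Area Connection'                # assumed; list with: netsh interface show interface
$user      = 'kombat'                               # assumed local account to demote
$resolvers = @('208.67.222.222', '208.67.220.220')  # OpenDNS public resolvers

function ConvertTo-UInt32 ([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)                            # network order -> little endian
    [System.BitConverter]::ToUInt32($b, 0)
}
function ConvertTo-Ip ([uint32]$n) {
    $b = [System.BitConverter]::GetBytes($n)
    [Array]::Reverse($b)
    '{0}.{1}.{2}.{3}' -f $b[0], $b[1], $b[2], $b[3]
}
function Get-DnsBlockRanges ([string[]]$allowed) {
    # An explicit block rule beats any allow rule in Windows Firewall, so the block
    # rule itself must exclude the resolvers: cover 1.0.0.0-223.255.255.255 with
    # the allowed addresses punched out, as a comma-separated list of ranges.
    $ranges = @()
    [uint32]$cursor = ConvertTo-UInt32 '1.0.0.0'
    foreach ($n in ($allowed | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object)) {
        if ($n -gt $cursor) {
            $ranges += ('{0}-{1}' -f (ConvertTo-Ip $cursor), (ConvertTo-Ip ($n - 1)))
        }
        $cursor = $n + 1
    }
    $end = ConvertTo-UInt32 '223.255.255.255'
    if ($cursor -le $end) {
        $ranges += ('{0}-{1}' -f (ConvertTo-Ip $cursor), (ConvertTo-Ip $end))
    }
    $ranges -join ','
}

# 1. Static resolvers on the adapter.
$primary, $secondary = $resolvers
netsh interface ipv4 set dnsservers name="$adapter" source=static address=$primary register=primary validate=no
netsh interface ipv4 add dnsservers name="$adapter" address=$secondary index=2 validate=no

# 2. Firewall on, then DNS egress rules for both transports.
netsh advfirewall set allprofiles state on
$allowList = $resolvers -join ','
$blockList = Get-DnsBlockRanges $resolvers
foreach ($proto in 'UDP', 'TCP') {
    netsh advfirewall firewall add rule name="DNS allow OpenDNS $proto" dir=out action=allow protocol=$proto remoteport=53 remoteip=$allowList
    netsh advfirewall firewall add rule name="DNS block others $proto" dir=out action=block protocol=$proto remoteport=53 remoteip=$blockList
}

# 3. Demote the user, but never remove the last administrator. The built-in
#    (usually disabled) Administrator account counts as a member here.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if (($members -contains $user) -and ($members.Count -gt 1)) {
    net localgroup Administrators $user /delete
} else {
    "Not removing '$user' from Administrators (members: $($members -join ', '))."
}
```

The block rule has to carry the exclusion itself: in Windows Firewall an explicit block rule wins over an allow rule for the same traffic, so a plain "block 53 to any" would also cut off OpenDNS. Check the result with `netsh advfirewall firewall show rule name="DNS block others UDP"` and an `nslookup` against some other resolver, which should now time out. IPv6 DNS is not covered; if the link has IPv6, add matching rules or disable it on the adapter.
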
Ben_b3n commented:
Jason,
Have you run Spybot and/or Malwarebytes?

If not, try running rKill first and then the above programs.

Can you post that whole rKill log?
Axis52401 (Security Analyst, author) commented:
The Rkill log:

Rkill 2.3.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/22/2012 01:51:40 PM in x64 mode.
Windows Version: Windows 7 Service Pack 1

Checking for Windows services to stop.

 * No malware services found to stop.

Checking for processes to terminate.

 * No malware processes found to kill.

Possibly Patched Files.

 * C:\Windows\system32\services.exe

Checking Registry for malware related settings.

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

 * Windows Firewall Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   "EnableFirewall" = dword:00000000

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity:

 * BFE (BFE) is not Running.
   Startup Type set to: Manual

 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

 * AppMgmt [Missing Service]
 * BITS [Missing Service]
 * CscService [Missing Service]
 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * PeerDistSvc [Missing Service]
 * UmRdpService [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]

 * SharedAccess [Missing ImagePath]

 * BFE => . [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * C:\Windows\System32\services.exe [NoSig]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 08:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]
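
The Rkill log above reports a services.exe without a signature (with a component-store copy offered as a possible replacement), a set of core services missing altogether, BFE surviving with an ImagePath of ".", and the firewall switched off in both policy locations. The script below is an added example, not posted by anyone in the thread; it re-checks those same indicators with built-in cmdlets so the state can be confirmed before and after cleaning. It assumes Windows 7 x64, PowerShell 2.0 or later, an elevated prompt and default system paths.

```powershell
# Added triage script, not posted by anyone in this thread. It re-checks, with
# built-in cmdlets only, the indicators Rkill reported in the log above:
#   1. services.exe no longer matching any copy in the component store (WinSxS),
#   2. core services deleted from the registry ('[Missing Service]'),
#   3. a surviving service (BFE) whose ImagePath names no executable,
#   4. EnableFirewall forced to 0 in both firewall policy keys.
# Assumptions: Windows 7 x64, PowerShell 2.0 or later, elevated prompt, default paths.

$findings = @()
$md5 = [System.Security.Cryptography.MD5]::Create()
function Get-Md5Hex ([string]$path) {
    $bytes = [System.IO.File]::ReadAllBytes($path)
    ([System.BitConverter]::ToString($md5.ComputeHash($bytes))) -replace '-', ''
}

# 1. On a healthy install System32\services.exe is a hard link to the current
#    component-store copy, so its hash must equal one of the store copies. The
#    store directories are the ones Rkill listed under '[Pos Repl]'.
$live     = Get-Item (Join-Path $env:SystemRoot 'System32\services.exe')
$liveHash = Get-Md5Hex $live.FullName
"live : $($live.VersionInfo.FileVersion) md5=$liveHash"
$storeCopies = @(Get-ChildItem (Join-Path $env:SystemRoot 'winsxs') -Filter 'amd64_microsoft-windows-s..s-servicecontroller*' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem $_.FullName -Filter services.exe -ErrorAction SilentlyContinue })
$matched = $false
foreach ($copy in $storeCopies) {
    $h = Get-Md5Hex $copy.FullName
    "store: $($copy.VersionInfo.FileVersion) md5=$h $($copy.FullName)"
    if ($h -eq $liveHash) { $matched = $true }
}
if (-not $matched) { $findings += 'services.exe matches no component-store copy (possibly patched)' }

# 2./3. Win32 services Rkill flagged (drivers such as mpsdrv are not visible to
#       Get-Service). A deleted service is absent, not merely stopped; a surviving
#       one must still point at an .exe (BFE pointed at '.' in the log).
$coreServices = 'AppMgmt','BITS','CscService','iphlpsvc','MpsSvc','PeerDistSvc',
                'UmRdpService','WinDefend','wscsvc','wuauserv','BFE','SharedAccess'
foreach ($name in $coreServices) {
    if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "missing service: $name"
        continue
    }
    $img = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).ImagePath
    if (-not $img -or $img -notmatch '\.exe') {
        $findings += "bad ImagePath for ${name}: '$img'"
    }
}

# 4. Firewall disabled by policy and in the live profile (both keys from the log).
$fwKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile',
          'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
foreach ($key in $fwKeys) {
    $val = (Get-ItemProperty $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($val -eq 0) { $findings += "EnableFirewall = 0 under $key" }
}

if ($findings.Count -eq 0) { 'None of the Rkill indicators reproduced.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The hash comparison stands in for Get-AuthenticodeSignature on purpose: Windows 7 system binaries are signed through catalogs, which that cmdlet does not consult on Windows 7, so it reports NotSigned even for a clean services.exe. A live file that matches none of the store copies is exactly what Rkill's [Pos Repl] line implies; once the infection is gone, `sfc /scannow` is the supported way to put the store copy back, and the firewall values only need re-enabling after BFE and MpsSvc exist again.
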
Ben_b3n commented:
I'm still new here at EE so I'm not sure if I can ask this, but can you post the logs from Malwarebytes and Spybot when they complete?

I think it might also be a good idea to run a HijackThis report.

But like x66 said, if you did a complete re-install and it came back, then someone probably re-downloaded it on the computer. BUT we can still get it off. :-)
Axis52401 (Security Analyst, author) commented:
Malwarebytes log:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.07.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
kombat :: KOMBAT-PC [administrator]

Protection: Enabled

8/7/2012 1:33:44 PM
mbam-log-2012-08-07 (13-33-44).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 314737
Time elapsed: 29 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Users\kombat\Downloads\7zip_installer_1650.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
Axis52401 (Security Analyst, author) commented:
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:06:36 PM, on 8/22/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Users\kombat\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\LaunchOSDSrv.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.millhisersmith.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Chicony_OSD] "C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\LaunchOSDSrv.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = kombat\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://ssl.axisbu.com/+CSCOL+/relayp.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
O16 - DPF: {C861B75F-EE32-4AA4-B610-281AF26A8D1C} - https://ssl.axisbu.com/+CSCOL+/cscopf.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com//activex/ractrl.cab?lmi=928
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\Windows\SysWOW64\atashost.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: BFE - Unknown owner - C:\Windows\.
O23 - Service: Intel® PROSet/Wireless WiMAX Red Bend Device Management Service (DMAgent) - Red Bend Ltd. - C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ChiconyOSDService (OSDSvc) - Chicony - C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\OSDSrv.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater12.1.5 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.1.5\ToolbarUpdater.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Intel® PROSet/Wireless WiMAX Service (WiMAXAppSrv) - Intel(R) Corporation - C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10939 bytes
Ben_b3n commented:
Inside HijackThis:

O23 - Service: BFE - Unknown owner - C:\Windows\.

Check that one for sure.

If you don't know these URLs, check them (if you don't use Cisco):

O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://ssl.axisbu.com/+CSCOL+/relayp.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
O16 - DPF: {C861B75F-EE32-4AA4-B610-281AF26A8D1C} - https://ssl.axisbu.com/+CSCOL+/cscopf.cab

Are you still getting the AVG pop-up warning?
Axis52401 (Security Analyst, author) commented:
What should I do about
O23 - Service: BFE - Unknown owner - C:\Windows\

The SSL.axis... ones are from our office. I'm not familiar with the middle one:
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab

Is it something I should remove, and if so, how?
Ben_b3n commented:
When you do a scan in HijackThis it pops up that log report, but click back on the actual program.

You will see almost the same data as the report, but there will be little boxes in front of each line. Just check that box.
**ONLY CHECK THE BOXES FOR THE ITEMS YOU WANT REMOVED. CHECKING THE WRONG BOXES CAN HURT YOUR COMPUTER.**

Once you have the items you want removed checked, click the button at the bottom of the screen that says "Fix Checked".

About the O16 DPF entry: if you don't know what it is, I would get rid of it. I'm not excited about the folder, file, or whatever it is.
Axis52401 (Security Analyst, author) commented:
I followed that and rebooted, and as soon as I opened the browser I got this (screenshot attached): Trojan Horse patched_c.txt AVG error.
Attachment: virus.doc.docx
Axis52401 (Security Analyst, author) commented:
ComboFix doesn't install like Malwarebytes; it seems to run and then go away, and there is no log I can find to attach.
Ben_b3n commented:
When you double-click ComboFix and start the process, a window pops up and extracts all the files, and then it should keep running in the background and eventually pop up a blue screen with letters. I tell people once you start the process don't do anything to your computer for about 15-20 minutes; if it doesn't pop up the blue screen, you have something stopping ComboFix from running.
Sudeep Sharma (Technical Designer) commented:
Jason0923,

The advice above from Vic would do the trick and you may be able to run ComboFix.

However, if that fails, try renaming ComboFix.exe to iexplore.exe or explorer.com and run it.

Once you are able to run it, post the logs, which you can find in C:\
Axis52401 (Security Analyst, author) commented:
ComboFix seemed to have worked. I reloaded Windows, ran ComboFix, went through the prompts, and it's all working.
Question has a verified solution.
