Google redirect, AV & IE damage

Discussion in 'Virus and Malware Removal' started by tatterjack, Oct 13, 2011.

  1. tatterjack Newcomer, in training Posts: 75

    Cannot delete combofix.exe from desktop, access denied.
  2. Broni Malware Annihilator Posts: 40,051   +187

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    DeleteFile: 
    "c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe"
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
  3. tatterjack Newcomer, in training Posts: 75

    Broni, I'm really sorry but it is getting late for me. I'm enormously grateful for all your work but there has to come a point where I call it a day and go for a clean install. I don't want to on this machine because there are programs I need for which I don't have the setups and which will be difficult to replace. If you think we are almost there let's carry on for the next hour. Otherwise let me have a think about it overnight. I'm away for the weekend anyway so couldn't resume the task till Monday.
  4. tatterjack Newcomer, in training Posts: 75

    Blitzblank log

    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    MoveFileOnReboot: sourceFile = "\??\c:\documents and settings\russell dobash\desktop\combofix.exe", destinationFile = "(null)", replaceWithDummy = 0
  5. Broni Malware Annihilator Posts: 40,051   +187

    Reinstallation may be the best option at this point.
    It looks like one of those rare cases, where the issue may be beyond repair.
    Let me know...
  6. tatterjack Newcomer, in training Posts: 75

    OK. I'll post again tomorrow.
     
  7. Broni Malware Annihilator Posts: 40,051   +187

    OK.................
  8. tatterjack Newcomer, in training Posts: 75

    I'll have a think about it over the weekend.
  9. Broni Malware Annihilator Posts: 40,051   +187

    No problem :)
  10. tatterjack Newcomer, in training Posts: 75

    Possibly Resolved

    Hi Broni,

    Apologies for not posting yesterday. I decided I would go for a clean reinstall but since I had nothing to lose would give disinfecting one more try. Over the weekend I went over all the tool reports and prepared a list of all the registry entries, files and folders they deleted and also our actions round about the points we thought we had made headway. It's in a spreadsheet and I'd be happy to attach it if you would find it useful.

    Here's the list of what I did. I've retained all the logs and can post these as well. All the tools were downloaded on a good machine and copied via a USB stick which was always reformatted after being in the infected machine.

    1) Completely remove McAfee using the MCPR tool
    2) Uninstalled Adobe Reader 8 via add/remove pgms
    3) Followed these instructions to completely remove any remnants of Adobe Reader 8
    4) Found and deleted AcroRd32Infomgr.exe in c:\program files\adobe...\reader\ It had the quill and inkwell icon used by the virus
    5) Uninstalled Adobe Flash
    6) Backed up the registry
    7) Followed the instructions Here to restore the Safe Mode registry keys. This did not apparently work. The safeboot key was still empty.
    8) Booted into OTLPE and used the remote registry tool and the file tool to remove the list of entries I made earlier
    9) Compared acpi.sys to a copy from a good XP SP3 system. It was identical.
    10) Searched for and deleted any remaining copies of lmllhkfv.exe
    11) Emptied all temp and temp internet folders
    12) Ran OTLPE quick scan which looked clean
    13) Put copies of any tools I thought I would need on C:\ and the desktop
    14) Rebooted normally
    15) Ran Fixtdss "Tidserv has not been found"
    16) Ran TDSSKiller. 0 threats.
    17) Ran ComboFix "Expired. Reduced functionality". Only stage 49 apparently, but at least 3 reg keys and one module of the virus had returned.

    Oh hubris

    18) Redownloaded ComboFix and ran again (nb no Nirkmd message)
    19) Unticked all startups and non-Microsoft services in msconfig
    20) Booted in OTLPE and removed all the reg keys and modules again
    21) Rebooted normally
    22) Ran new combofix. Apparently clean
    23) Checked safeboot key. It was fully populated!
    24) Ran Kaspersky scan with the Prompt action in case I lost the reports again. It found about 700 infections over two runs, most of which I chose to disinfect. They were dll's belonging to many different programs, some of which I can uninstall, some of which I need, so we will see.

    That's where I am now

    Things I still have to do:

    1) Uninstall the programs I don't need that were disinfected: Chrome, Belkin wireless, Virtual clone, HP Printer
    2) Install a free AV, Java, flash, Adobe Reader
    3) Test IE/Google
    4) Test the programs I need
    5) Virus check and replace if necessary remaining modules on the startup lists.
    6) Clean out system Restore
    7) Test safe Mode
    8) Take a DriveImage

    Please also accept my apologies for not involving you in this, but with the California/UK time difference and the slowness of communicating via Techspot it was just going to take too long.
    I'll understand if you want to wash your hands of it, but if you do have any advice I would be very grateful to receive it. I couldn't have done this without your assistance.
  11. tatterjack Newcomer, in training Posts: 75

    Problem Resolved

    I think the computer is now completely free of the virus and working normally. Here's a list of the remaining things I did

    1) Uninstalled Chrome, Google toolbar, Belkin 54G Network Adapter, Freecom Media Suite, Virtual Clone, Yahoo toolbar, WD Diags
    2) Corrected time
    3) Installed the following from standalone installers: AVG Free, Adobe Reader 10 (still had to Restore pdf file associations) , Flash 11, Java
    4) Checked safemode worked OK
    5) Checked sound worked OK
    6) Checked all the programs stopped in Msconfig that I planned to keep at virustotal.com

    smax4pnp.exe
    hptlpxfx.exe
    cvpnd.exe
    idrivert.exe
    mdm.exe
    ose.exe

    All passed 0/43 except idrivert.exe, which got 1/43.
    I also checked them against the Kaspersky disinfected list. Only idrivert.exe and smax4pnp.exe were in it.
    Decided none of them were essential, so deleted them all from HKLM\Software\Microsoft\Shared Tools\Msconfig... and left the services disabled
    7) Ran Hijack this and deleted SACORE (McAfee) and a couple of File Missing entries
    8) Turned system Restore off then on to remove all previous checkpoints
    9) Took a checkpoint and also created a Driveimage backup
    10) Restarted, checked the registry entries and file locations the virus had used were all OK again
    11) removed Google entries from Task Scheduler
    12) Went online and tested IE, google etc. All OK.
    13) uninstalled combofix
    14) removed all the tools and output from C:\ and the desktop

    Phew, I have a working, virus free computer and only a few points, most unessential, I would like to resolve:

    a) how to be confident the mdm (Machine Debug Manager) and ose (Office Source Engine) services are safe to start again.
    b) ditto the Analog Devices sound file smax4pnp.exe and the HP file hptlpxfx.exe, although I can always reinstall the sound and the printer.
    c) and idrivert.exe, called by the Install Driver Table Manager service, though I'm not convinced it's required.
    d) the only ones that really need fixing are the two entries for Cisco VPN. One is the service cvpnd.exe; the other is an entry in the common Startup which points to an installer. I suspect a reinstall is the best idea here too.
    e) I also need to check all my other programs still work, especially where Kaspersky disinfected dll's.

    Any further advice gratefully accepted.
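    One way to carry out the check in step 6 of the post above (hash the executables behind the msconfig-disabled startup items so each hash can be searched on virustotal.com without uploading the file), as an added example that is not part of the thread: a Windows PowerShell script that reads the msconfig "Shared Tools" key the post mentions. It assumes Windows PowerShell 2.0 or later and that the key exists, which is only the case once msconfig has been used to disable something; the value names "command" and "path" are the ones msconfig writes for disabled Run-key and Startup-folder items.

    ```powershell
    # Added example, not from the thread: list msconfig-disabled startup items with SHA-256 hashes.
    # Assumes HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig exists (created by msconfig on first use).

    $base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'
    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    function Get-ExePath([string]$command) {
        # Commands are stored as they appeared in the Run key, e.g. "C:\Program Files\x\y.exe" /arg
        if ($command -match '^"([^"]+)"') { return $matches[1] }
        # Unquoted command line: take the text up to the first .exe (keeps spaces in Program Files)
        if ($command -match '^(.+?\.exe)') { return $matches[1] }
        return $command.Trim()
    }

    function Get-FileSha256([string]$path) {
        $stream = [System.IO.File]::OpenRead($path)
        try { ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
    }

    # startupreg holds disabled Run-key entries, startupfolder holds disabled Startup-folder shortcuts
    foreach ($sub in 'startupreg', 'startupfolder') {
        $key = Join-Path $base $sub
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            # "command" is the program msconfig backed up; fall back to "path" for shortcut entries
            $cmd = if ($props.command) { $props.command } else { $props.path }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $cmd))
            $hash = if (Test-Path $exe) { Get-FileSha256 $exe } else { 'FILE NOT FOUND' }
            New-Object PSObject -Property @{
                Item   = $_.PSChildName
                Path   = $exe
                SHA256 = $hash
            }
        }
    } | Format-Table Item, SHA256, Path -AutoSize
    ```

    A hash that VirusTotal has never seen is not evidence either way; an unknown file still has to be submitted, or judged by its signer and location, before re-enabling the entry.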
  12. Broni Malware Annihilator Posts: 40,051   +187

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  13. tatterjack Newcomer, in training Posts: 75

    ESET result

    Eset result:

    No threats found.

    There was no List of found threats or Export to text file button so I took a screenshot if required.

    Since I last posted I also ran an AVG scan which found no threats either.

    I've also now tested all my applications and they all work with the exception of the Cisco VPN Client which fails with Reason 435: Firewall Policy Mismatch. I've found links suggesting missing zonealarm files are the problem so I'm hunting for those now. I think also one of the deletions was a Zonealarm service so I'll check that too. I'm on more familiar ground with this but if you have any suggestions I'll be happy to hear them.
  14. Broni Malware Annihilator Posts: 40,051   +187

    That would be a subject to a different forum.
  15. tatterjack Newcomer, in training Posts: 75

    Indeed. Thanks again for all your help.

    If I were interested in helping out in the forum what would I do?
  16. Broni Malware Annihilator Posts: 40,051   +187

  17. tatterjack Newcomer, in training Posts: 75

    Thanks Broni. I'm happy for the thread to be closed now.
  18. Broni Malware Annihilator Posts: 40,051   +187

    Good luck!