Solved Infected with Guard Online and Google Redirect

If you disabled what you could and Combofix issues a warning but can still proceed, go ahead and run it.
 
Combofix is still stuck on the same screen as the previous time I ran it, saying "scanning..... typically doesn't take more than ten minutes." It has been running for 20 minutes and has not said anything other than scanning....

Should I do something else?
 
Stop Combofix.

See if aswMBR will run now.
If so post its log.

Also....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe and click Run As Administrator.
  • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    tdx.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
aswMBR kept stopping in the middle, but I managed to save the log before it closed out when it found a problem. I will do the other step now. Here is the log.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-13 21:26:15
-----------------------------
21:26:15.630 OS Version: Windows 6.0.6002 Service Pack 2
21:26:15.630 Number of processors: 2 586 0x1706
21:26:15.632 ComputerName: HOME-PC UserName: Home
21:26:19.300 Initialize success
21:26:24.154 AVAST engine defs: 11101200
21:26:29.013 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:26:29.015 Disk 0 Vendor: Hitachi_HTS543232L9A300 FB4OC40C Size: 305245MB BusType: 3
21:26:31.094 Disk 0 MBR read successfully
21:26:31.096 Disk 0 MBR scan
21:26:31.101 Disk 0 Windows VISTA default MBR code
21:26:31.106 Disk 0 scanning sectors +625140400
21:26:31.202 Disk 0 scanning C:\Windows\system32\drivers
21:26:52.928 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Crypt-KMR [Trj]
21:26:56.700 Service scanning
21:27:00.826 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
21:27:00.843 The log file has been saved successfully to "F:\aswMBR.txt"
 
Here is the SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:30 on 13/10/2011 by Home
Administrator - Elevation successful

========== filefind ==========

Searching for "tdx.sys"
C:\Windows\System32\drivers\tdx.sys --a---- 72192 bytes [23:00 23/09/2009] [04:45 11/04/2009] 31396184B0E2D25A1F5FB38D88B89353
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:24 21/01/2008] [02:24 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys --a---- 72192 bytes [23:00 23/09/2009] [04:45 11/04/2009] 31396184B0E2D25A1F5FB38D88B89353

-= EOF =-
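As an added illustration (not part of the thread, and not a tool the helper used), here is a small parser for SystemLook's filefind output that does the comparison the helper performs by eye above: it picks out the live driver under System32\drivers, compares its MD5 against the winsxs servicing-store copies, and reports which stored copies are identical and which are a different build. The log text embedded below is copied from the post above; the regex and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed input: the filefind section of the SystemLook log posted above.
SYSTEMLOOK_LOG = r"""
Searching for "tdx.sys"
C:\Windows\System32\drivers\tdx.sys --a---- 72192 bytes [23:00 23/09/2009] [04:45 11/04/2009] 31396184B0E2D25A1F5FB38D88B89353
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:24 21/01/2008] [02:24 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys --a---- 72192 bytes [23:00 23/09/2009] [04:45 11/04/2009] 31396184B0E2D25A1F5FB38D88B89353
""".strip()

# One filefind result line: path, attribute flags, size, modified, created, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attr>-\S+) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")


@dataclass
class Entry:
    path: str
    size: int
    mtime: str
    ctime: str
    md5: str


def parse_filefind(text):
    """Return one Entry per result line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"]), m["mtime"], m["ctime"], m["md5"].upper()))
    return entries


def winsxs_version(path):
    """Component version encoded in the winsxs directory name, e.g. 6.0.6002.18005."""
    m = VERSION_RE.search(path)
    return m.group(1) if m else None


def check_driver(entries):
    """Split the live System32 copy from the winsxs copies and compare hashes."""
    live = [e for e in entries if "\\system32\\drivers\\" in e.path.lower()]
    backups = [e for e in entries if "\\winsxs\\" in e.path.lower()]
    if len(live) != 1:
        raise ValueError("expected exactly one live copy, found %d" % len(live))
    same = [b for b in backups if b.md5 == live[0].md5]
    differ = [b for b in backups if b.md5 != live[0].md5]
    return live[0], same, differ
```

Running `check_driver(parse_filefind(SYSTEMLOOK_LOG))` on the posted log shows the live tdx.sys hash equals the 6.0.6002.18005 store copy and differs from the 6.0.6001.18000 one, which is the copy the helper chose to restore.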
 
Download BlitzBlank and save it to your desktop.
Double click on Blitzblank.exe

  • Click OK at the warning.
  • Click the Script tab and copy/paste the following text there:
Code:
CopyFile:
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys C:\Windows\System32\drivers\tdx.sys
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by Blitzblank.
    You can find it in the root of the drive, normally C:\

Post a new SystemLook log as well.
 
I ran the program and the computer has been restarting for about ten minutes. Should I wait a little while longer or manually boot the computer. I really appreciate your help on this.
 
I got an error saying Windows was unable to start. Windows startup repair is currently running now. Should I let this run?
 
I deleted the old one and downloaded a fresh one. I got three error messages saying it can't find the file, and now it's scanning for files - the same screen as the previous times I ran it. You mentioned it would say stage 1, stage 2, etc., but that hasn't happened any time I have run Combofix.
 