BleepingComputer.com: Ran Combofix with out "your" direction

I'm sorry, I am almost computer illiterate, my brother sent me an e-mail from one of your forums regarding malware. I think I have some sort of redirect virus or rootkit, I barely know what those are. Any how each time I tried to google for info I was redirected to other search engines, or ads. I have read posts here and elswhere that this is common. My brother lives 2000 miles away and was trying to help by telling me to run it.
I followed the steps in the guide and would like to post my log for some assistance. Please forgive me for not posting request for help first before running it
There was one file in the beginning that would not be scanned, so I think that is the "hidden file" as stated at the bottom. Does this log state that I have a redirect virus, or root kit? Thank you for your time. Patti

ComboFix 11-07-18.04 - Patti 07/18/2011 15:51:00.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.426 [GMT -7:00]
Running from: c:\documents and settings\Patti\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\1f89b445-358e-4349-afd2-53f82b87ba43.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\69f1e99b-9a23-4ca9-b8be-b6e4f0e8e245.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\cf3463d8-8828-4f50-98c8-d04ca1fe42f3.dll
c:\windows\system32\_000005_.tmp.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-18 to 2011-07-18 )))))))))))))))))))))))))))))))
.
.
2011-07-18 20:37 . 2011-07-18 20:37 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-07-18 20:37 . 2011-07-18 20:37 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-07-18 20:37 . 2011-07-18 20:37 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-07-18 20:37 . 2011-07-18 20:37 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-07-18 20:37 . 2011-07-18 20:37 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-07-18 20:37 . 2011-07-18 20:37 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-07-18 20:37 . 2011-07-18 20:37 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-07-18 20:37 . 2011-07-18 20:37 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-07-18 20:37 . 2011-07-18 20:37 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-07-18 20:37 . 2011-07-18 20:37 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-07-18 20:37 . 2011-07-18 20:37 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-07-18 20:37 . 2011-07-18 20:37 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-07-18 20:36 . 2011-07-18 20:36 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-07-18 20:36 . 2011-07-18 20:36 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-07-18 20:36 . 2011-07-18 20:36 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-07-18 20:36 . 2011-07-18 20:36 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-07-18 20:36 . 2011-07-18 20:36 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-07-15 23:28 . 2011-07-15 23:28 -------- d-----w- c:\program files\iPod
2011-07-15 23:21 . 2011-07-15 23:21 -------- d-----w- c:\program files\Apple Software Update
2011-07-05 06:56 . 2011-07-05 06:56 44544 ----a-w- c:\windows\system32\agremove.exe
2011-06-29 23:11 . 2011-06-29 23:11 -------- d-----w- c:\program files\Common Files\Java
2011-06-24 18:52 . 2011-06-24 18:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:07 . 2008-04-25 20:33 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 21:05 . 2011-05-24 21:05 0 ---ha-w- c:\documents and settings\Patti\Local Settings\Application Data\BIT12.tmp
2011-05-10 15:06 . 2011-04-26 09:31 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-10 15:06 . 2011-04-26 09:31 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-04 11:52 . 2010-07-23 19:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 09:25 . 2009-10-02 14:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2008-04-26 01:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-25 20:33 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-25 20:33 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2008-04-25 20:33 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2008-04-25 20:33 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-25 16:11 . 2008-04-25 20:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-25 20:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-25 20:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-25 20:33 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-25 20:33 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KasperskyPasswordManager"="c:\program files\Kaspersky Lab\Kaspersky Password Manager\stpass.exe" [2010-02-25 2755912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-03-31 251176]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-03 365336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Nickelodeon RSS.lnk - c:\program files\Stardock\DesktopGadgets\Nickelodeon RSS\Nickelodeon RSS.exe [2009-10-2 884016]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-10-02 14:55 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2009-06-09 14:55 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\FLiCA\\AweSetup.exe"=
"c:\\Program Files\\FLiCA\\AWEFLiCA.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62515:UDP"= 62515:UDP:maestro
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [10/2/2009 7:48 AM 14248]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
R2 CVPNDRV;Flightline IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [4/14/2010 7:16 PM 263751]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [10/2/2009 7:56 AM 143840]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [10/2/2009 10:19 AM 134144]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [10/2/2009 10:19 AM 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [10/2/2009 10:19 AM 272256]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [10/2/2009 10:19 AM 162816]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2011 3:21 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/2/2009 10:19 AM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2011 3:21 PM 136176]
S3 mr7911;Photo Viewer ;c:\windows\system32\drivers\mr7911.sys [9/9/2010 3:51 PM 39552]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 22:21]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 22:21]
.
2011-07-05 c:\windows\Tasks\PCDoctorBackgroundMonitorTask-Delay.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
2011-07-05 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: liquidcompass.net\www
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-abvxipqw - c:\documents and settings\Patti\Local Settings\Application Data\cpeskjgfs\xduonvutssd.exe
HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-abvxipqw - c:\documents and settings\Patti\Local Settings\Application Data\cpeskjgfs\xduonvutssd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-18 16:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\TEMP\klsAC80.tmp 96208 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2098069541-2113995086-1502447558-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1840)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Stardock\MyColors\fastload.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-07-18 16:12:15
ComboFix-quarantined-files.txt 2011-07-18 23:12
.
Pre-Run: 140,821,639,168 bytes free
Post-Run: 141,879,656,448 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7BAFD677669FB4DC52DF866A4A224931

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and is still with me to tackle the problem until the end. If I do not get any response within 5 days, this topic will be closed. If you have since resolved the original problem you were having, we would appreciate you letting us know.

Hello Graciesowner ,

Welcome to Bleeping Computer. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we are share the same understanding.

• Please observe and follow these Board Rules and Terms of Use.
  
• Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  
• Please read the instructions carefully and follow them closely, in the order they are presented to you.
  
• If you have any doubts or problems during the fix, please stop and ask.
  
• All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security softwares.
  
• Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  
• Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  
• Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  
• If you do not reply within 5 days, this topic will be closed.

If you are agreeable to the above, then everything should go smoothly . We may begin.

Don't worry about not being savvy about computers, I will guide you through. You can make a reply to the topic by clicking on the Add Reply button, should be visible on the right side below the latest post.

--------------------

While you may see ComboFix being used quite often and without incident, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool).

Going forward, I highly recommend you heed such instructions.

As stated by the author of ComboFix:

Quote

--------------------

Please download DDS from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

Please disable any script blocker before running DDS.

• Double click on the dds file and a command window will appear. This is normal.
  
• Shortly after, two logs will appear:
  
  • DDS.txt
    
  • Attach.txt
• A window will open instructing you to save and post the logs.
  
• Save the logs to a convenient location such as your desktop.
  
• Copy the contents of both logs and post them in your next reply.

--------------------

Please download TDSSKiller© from Kaspersky and save it to your desktop. Click here.

• Alternatively, you may get the zip version and extract the file to the desktop.
  
• Double click on TDSSKiller.exe to execute it.
  
• Press Start scan to begin.
  
• If anything is found, please change all the actions to Skip only. <-- Important, please select Skip only, DO NOT Cure yet.
  
• Then click on Continue at the lower right corner.
  
• You may be prompted to reboot your computer, please consent.
  
• Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
  
• Please post the contents of this log.

--------------------

Please post back:
1. DDS logs (DDS.txt and Attach.txt)
2. the TDSSKiller log

thank you for your help, it seems the combofix worked because I have not had any other search "redirects" since following those instructions. should I still follow the next steps you just outlined as well?

Hello Graciesowner ,

Yes, please do as I have outlined.

Hello Graciesowner ,

I usually close the topic after 5 days without any reply, and it has already been 3 days since my last post. Do you still need help? Any problems following my instructions? Need more time?

If I do not get any response within the next 2 days, this topic will be closed.

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.