I am wondering how best to confirm if I've removed some malware.
Firstly, the symptoms I originally noticed were...
1) Google search redirected to go.google.com or suchlike
2) Larger than usual text size on the search results; doesn't match my browser default.
3) Problems accessing certain websites and AVG, etc.
4) Inability to run various programs such as Malwarebytes without renaming them.
5) Some occasional pop-up boxes talking about Anti-Virus 2009.
I've looked at various posts suggesting different methods and after trying...
...and others, I think SDFix and GMER may have done the trick, but I'm getting some mixed results. Malwarebytes detected 5 entries and removed them, but it just came straight back.
SDFix and GMER were the last tools used. I executed SDFix as Administrator in safe mode. I found that after the first reboot, it wanted a second reboot, having detected TDSS. It didn't fire up again automatically after the reboot, so I started it manually and selected F as suggested in some posts. It then ran to completion. After this, GMER was still finding issues, so I figured it had failed. I then rebooted normally expecting the problem to still be there, but was surprised when things were OK.
I can now get results in Google OK, and the text size looks familiar. I'm also OK with AVG updates again.
However, GMER continued to report various issues around services, all named TDSS. It did so quickly, before the full scan, and I then found that I could delete the service in GMER, close GMER and re-open it, and at each restart a different service name would be identified. GMER wasn't able to find the underlying directory/files for the services when they were deleted. Now, having done a full scan, it still reports some TDSS stuff, but isn't flagging them as rootkits. Eventually, it found nothing, and I then put it into a full scan.
I can also see TDSS items in regedit and found one TDSS file in windows\system32, which AVG nailed when I clicked on it. Please don't ask why I did that. It's late.
SVV continues to report "deepred" status and says that:
ntoskrnl.exe not found
kernel32.dll 7c800000 - 7c8f5000 suspected verdict 5
USER32.DLL 7e410000 - 7e4a0000 suspected verdict 5
So on the face of it, it looks OK/better, but I have the feeling I've done no more than wound it and it will make a comeback at some point. So a couple of questions...
1) Can you advise if I need to do any more?
2) Does this trojan compromise passwords, etc., or just p*ss you off? I'm not sure when I picked it up, but I think quite recently.
I've now installed SpywareBlaster to the machine.
Thanks for your help in advance.
Not sure why, but I attach a HijackThis log which I hope is helpful.
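One way to check for the kind of leftover service entries described in the post above (an added example, not code from the original post or from GMER, SDFix or AVG): a PowerShell script that lists keys under HKLM\SYSTEM\CurrentControlSet\Services whose name matches a pattern, resolves each ImagePath, and reports whether the file still exists on disk and whether the Service Control Manager also shows the service. The function names, the default pattern "TDSS" and the path-normalisation rules are assumptions of this example.

```powershell
# Added example (not from the original post or from GMER/SDFix/AVG): list service
# registry keys whose name matches a pattern, resolve their ImagePath, and report
# whether the file still exists and whether the Service Control Manager also shows
# the service. Function names and the path-normalisation rules are assumptions.

function Resolve-ImagePath([string]$Raw) {
    # Turn a raw ImagePath registry value into an absolute path on disk.
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) {
        $p = $p.Split('"')[1]                              # "C:\...\x.exe" -k args
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') {
        $p = $matches[1]                                   # C:\...\x.exe -k args
    }
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\x.sys -> C:\x.sys
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot      # \SystemRoot\... -> C:\WINDOWS\...
    if ($p -notmatch '^[A-Za-z]:\\') {                     # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspectServices([string]$NamePattern = 'TDSS') {
    # Services and drivers the SCM is willing to enumerate for a user-mode caller.
    $visible = @([System.ServiceProcess.ServiceController]::GetServices()) +
               @([System.ServiceProcess.ServiceController]::GetDevices()) |
               ForEach-Object { $_.ServiceName }

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -match $NamePattern } |
        ForEach-Object {
            $name   = $_.PSChildName
            $props  = Get-ItemProperty -Path $_.PSPath
            $path   = Resolve-ImagePath $props.ImagePath
            $exists = $false
            if ($path) { $exists = Test-Path -LiteralPath $path }
            New-Object PSObject -Property @{
                Service      = $name
                ImagePath    = $path
                FileExists   = $exists                     # $false: orphaned key, file already gone
                VisibleToSCM = ($visible -contains $name)  # $false: key the SCM does not report
            }
        }
}

Get-SuspectServices -NamePattern 'TDSS' |
    Format-Table Service, VisibleToSCM, FileExists, ImagePath -AutoSize
```

A key that exists in the registry but is not visible to the SCM, or whose file is already gone, is the kind of leftover the post describes. A kernel rootkit can hide entries from this user-mode enumeration, so an empty result is not proof the machine is clean and is worth cross-checking with an offline scan.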