Google Hijack Rootkit Issue - D Lo

[Low5Point 0]

I have run the attached as directed. Have used malwarebytes, windows defender and emsisoft and none were able to remove file

[jeffce 1]

Hi and welcome!!

Please download TDSSKiller

• Double click TDSSKiller.exe
  
• When the window opens, click on Change Parameters
  
• Under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  
• click OK
  
• Press Start Scan
  
• Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct
  items.
  
• Attach the log in your next reply
  
  • A copy of the log will be saved automatically to the root of the drive (typically C:\)
    

----------

[Low5Point 0]

ran report...tryinf to figure out where the txt file is

[jeffce 1]

Check you attachment again.

[Low5Point 0]

Check you attachment again.

Can't find txt of report. Can only paste to word, but file is HUGE

[Low5Point 0]

17:57:17.0051 4752 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0

17:57:17.0051 4752 Suspicious mbr (Forged): \Device\Harddisk0\DR0

17:57:17.0114 4752 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected

17:57:17.0114 4752 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)

17:57:17.0190 4752 \Device\Harddisk0\DR0 ( TDSS File System ) - warning

17:57:17.0190 4752 \Device\Harddisk0\DR0 - detected TDSS File System (1)

[jeffce 1]

Ok that was enough.

Go ahead and run TDSSKiller again. Select to Cure everything that is found and then attach the new log that is created.

[Low5Point 0]

18:44:27.0585 1704 Detected object count: 1

18:44:27.0585 1704 Actual detected object count: 1

18:44:41.0672 1704 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine

18:44:41.0703 1704 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine

18:44:41.0718 1704 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine

18:44:41.0781 1704 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine

18:44:41.0828 1704 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine

18:44:43.0169 1704 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine

18:44:43.0185 1704 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine

18:44:43.0216 1704 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine

18:44:43.0216 1704 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine

18:44:43.0216 1704 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine

18:44:43.0278 1704 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine

18:44:43.0294 1704 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine

18:44:43.0434 1704 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine

18:44:43.0434 1704 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action:

[jeffce 1]

Hi,

Good job!

Download Combofix from the link below, and save it to your desktop.

Link

**Note: It is important that it is saved directly to your desktop**

If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

• 
  When finished, it will produce a report for you.
• Please attach the C:\ComboFix.txt for further review.
  

----------

[jeffce 1]

Do you still need help?

[jeffce 1]

Due to lack of feedback, this topic will now be closed.

If you are the original poster and you still require help, please start a new thread.

-------------------