recovering from Midhos Trojan

Hi guys, I have worked through the advice posted, ran ComboFix which helped a lot, and removed what I can, but there are still some problems.
I apologise if I have done this out of order.
Can someone find the time to look these scans over and post back, please?

Hi,

Who told you to run ComboFix?

  1. Delete your current version of ComboFix and download a new, fresh one from here:
     http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  2. Temporarily disable your AntiVirus program.
     If you are unsure how to do this, please read this or this instruction.

  3. Open Notepad and copy/paste the text present inside the code box below:


DirLook::
c:\program files\ContinueToSave
c:\documents and settings\All Users\Application Data\StarApp

Folder::
c:\program files\WebSearch

ClearJavaCache:: 

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

File::
c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\extensions\{e0948f62-c1f6-11e2-8275-b8ac6f996f26}.xpi


DDS::
mStart Page = hxxp://websearch.pu-results.info/?pid=724&r=2013/05/15&hid=971332579&lg=EN&cc=AU

KillAll::

Firefox::
FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://websearch.pu-results.info/?pid=724&r=2013/05/15&hid=971332579&lg=EN&cc=AU&l=1&q=
FF - ExtSQL: 2013-05-17 11:34; paoeuu@fgtyqafd.edu; c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\extensions\paoeuu@fgtyqafd.edu
FF - ExtSQL: 2013-05-17 11:34; xjmvmd@ioard.org; c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\extensions\xjmvmd@ioard.org
FF - ExtSQL: 2013-05-23 17:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
FF - ExtSQL: 2013-06-12 12:56; {e0948f62-c1f6-11e2-8275-b8ac6f996f26}; c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\extensions\{e0948f62-c1f6-11e2-8275-b8ac6f996f26}.xpi
FF - ExtSQL: !HIDDEN! 2013-05-17 11:34; paoeuu@fgtyqafd.edu; c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\extensions\paoeuu@fgtyqafd.edu
FF - ExtSQL: !HIDDEN! 2013-05-17 11:34; xjmvmd@ioard.org; c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\e2dw1kpw.default\extensions\xjmvmd@ioard.org
FF - user.js: extensions.shownSelectionUI - true
FF - user.js: extensions.delta.tlbrSrchUrl - 
FF - user.js: extensions.delta.id - 40913830000000000000001a92e74e0a
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15846
FF - user.js: extensions.delta.vrsn - 1.8.21.5
FF - user.js: extensions.delta.vrsni - 1.8.21.5
FF - user.js: extensions.delta.vrsnTs - 1.8.21.519:16
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta_i.babTrack - "quot;&affID=119816&tt=gc_190513_215
FF - user.js: extensions.delta_i.babExt - 
FF - user.js: extensions.delta_i.srcExt - ss
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false



Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

============= Next ============

Re-run OTL.exe.

  1. Download OTLFix.txt, attached to my post.
  2. Copy and paste the text in OTLFix.txt into the Custom Scans/Fixes box.
  3. Click the Run Fix button at the top.
  4. Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn't appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

============= Next ============

  1. Download AdwCleaner (by Xplode) to your desktop.
  2. Launch it and click on [Delete]. Wait for the programme to complete its work.
     The program will close all active programs. Click OK to confirm that.
     On the next two windows that open (Informations and Restart required) click OK.
  3. The computer will restart and open Notepad (C:\AdwCleaner[S1].txt) with the report.
  4. Save the Notepad report on the Desktop.
  5. Please attach C:\AdwCleaner[S1].txt here.

Note: The report will also be stored at C:\AdwCleaner[S1].txt
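The Firefox:: block in the script above lists the Delta toolbar prefs and the hijacked search/home-page URL that need to go from the profile. The following is an added example, not part of this thread and not ComboFix's own code: a small Python script that finds the same hijack markers in a Firefox user.js (or prefs.js) and writes them out, on a constructed sample file. The pref-name prefixes (extensions.delta.*, extensions.delta_i.*), the pref extensions.shownSelectionUI and the domain websearch.pu-results.info are taken from the DDS log quoted above; the sample file contents and the function names are assumptions for the demonstration.

```python
"""Detect and strip browser-hijacker prefs from a Firefox user.js / prefs.js.

Added example for this thread; not ComboFix code. Run it with Firefox closed,
because Firefox rewrites prefs.js on exit and would undo a manual edit.
"""
import re
from urllib.parse import urlparse

# Pref-name prefixes written by the Delta toolbar (taken from the DDS log above).
HIJACK_PREFIXES = ("extensions.delta.", "extensions.delta_i.")
# Individual prefs the fix script above also removes.
HIJACK_NAMES = {"extensions.shownSelectionUI"}
# Search/home-page domain the hijacker points the browser at (from the log).
HIJACK_DOMAINS = {"websearch.pu-results.info"}

# Constructed sample user.js (assumption: modelled on the DDS log, with the
# defanged hxxp:// of the log turned back into the http:// a real file holds).
SAMPLE_USER_JS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://websearch.pu-results.info/?pid=724&r=2013/05/15&hid=971332579&lg=EN&cc=AU");
user_pref("browser.search.defaulturl", "http://websearch.pu-results.info/?pid=724&r=2013/05/15&hid=971332579&lg=EN&cc=AU&l=1&q=");
user_pref("extensions.delta.id", "40913830000000000000001a92e74e0a");
user_pref("extensions.delta.vrsn", "1.8.21.5");
user_pref("extensions.delta_i.srcExt", "ss");
user_pref("extensions.shownSelectionUI", true);
user_pref("browser.tabs.warnOnClose", false);
user_pref("network.cookie.cookieBehavior", 0);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_user_js(text):
    """Return [(name, raw_value)] for every user_pref() line, in file order."""
    prefs = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs.append((m.group(1), m.group(2)))
    return prefs


def url_host(raw_value):
    """Hostname if the raw pref value is a quoted http(s) URL, else None."""
    if not (raw_value.startswith('"') and raw_value.endswith('"')):
        return None
    value = raw_value[1:-1]
    if not value.lower().startswith(("http://", "https://")):
        return None
    return (urlparse(value).hostname or "").lower()


def is_hijacked(name, raw_value):
    """True if the pref is a known toolbar pref or points at a hijack domain."""
    if name in HIJACK_NAMES or name.startswith(HIJACK_PREFIXES):
        return True
    host = url_host(raw_value)
    if host is None:
        return False
    # Match the domain itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def defang(value):
    """Report URLs the way DDS does (hxxp://) so they are not clickable."""
    return re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", value)


def clean_user_js(text):
    """Return (cleaned_text, [(name, defanged_value) removed])."""
    kept, removed = [], []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and is_hijacked(m.group(1), m.group(2)):
            removed.append((m.group(1), defang(m.group(2))))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = clean_user_js(SAMPLE_USER_JS)
    for name, value in removed:
        print(f"removed {name} = {value}")
    print("--- cleaned user.js ---")
    print(cleaned)
```

This only covers the prefs; the hijacker's own extension files (the .xpi entries under File:: and the hidden ExtSQL entries in the log) still have to be removed from the profile's extensions folder, and the Security Center override in the Registry:: block is a separate fix.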

Thanks for your assistance Magna86, I have completed the tasks and the reports are attached. Hope this fixes all the problems.
Thanks again, Peter

You need to be a little more up to date with your responses. You are taking too long to attach logs and work with the fixes…

Please download zoek.exe and save it to your desktop.

  1. Close any open browsers.

  2. Temporarily disable your AntiVirus program (if necessary).
     If you are unsure how to do this, please read this or this instruction.

  3. Double click on zoek.exe to run the tool.
     Please wait until the tool starts…

  4. Copy the text present inside the code box below and paste it into the large window in the zoek tool:



installedprogs;
c:\documents and settings\All Users\Application Data\StarApp;f
filesrcm;
startupall;
c:\program files\ContinueToSave;f
firefoxlook;
chromelook;


  5. Click on the Run script button:
     http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
     Please wait until a log report opens (this can be after a reboot).

  6. Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named "zoek-results.log".