Author Topic: Help, Win32: Delf-GD [Trj] comes back after data file deletion  (Read 21813 times)


John896

  • Guest
Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #15 on: July 30, 2012, 10:35:47 PM »
I ran a new copy of combofix as directed.  I have attached the log file.  After restarting all virus protection programs have come here.  I found the virus file in the searchcom_001 location after running the fix.  Deleted the file and it was replaced within a minute, although the file shows 0 size.  Deleted a second time.  Will check it again later.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #16 on: July 30, 2012, 10:46:22 PM »
All I need to do now is try and determine where it is being created from

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
Folder::
c:\users\White\AppData\Local\searchcom_001

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
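An added example, not part of the thread and not ComboFix's own tooling: a PowerShell script that puts an audit entry on the folder quoted above and then reads the Security log, so that the process recreating the zero-byte file can be identified from event data rather than guessed. It assumes an elevated prompt, the folder path exactly as quoted in the thread (user name White), `Everyone` as the audited principal, and Windows PowerShell 2.0 or later (newer syntax is avoided on purpose); the function names are the example's own.

```powershell
# Added example (not from the thread or from ComboFix): identify which process
# keeps recreating a file in a folder by auditing writes to that folder and
# reading the resulting Security-log events (ID 4663, object access).
# Run from an elevated PowerShell prompt.
#
# Assumptions: the folder path is the one quoted in the thread, Everyone is the
# audited principal, and Windows PowerShell 2.0 or later is available.

$Folder = 'C:\Users\White\AppData\Local\searchcom_001'   # path from the thread

function Enable-FolderWriteAudit {
    param([string]$Path)
    # Turn on success auditing for the File System subcategory (machine-wide switch).
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    # Add a SACL entry so every create/write inside the folder is audited.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone',
        'CreateFiles, WriteData, AppendData',   # FileSystemRights
        'ContainerInherit, ObjectInherit',      # InheritanceFlags
        'None',                                 # PropagationFlags
        'Success'                               # AuditFlags
    )
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $rule
}

function Disable-FolderWriteAudit {
    param([string]$Path, $Rule)
    # Remove the audit entry again so the Security log does not keep filling.
    $acl = Get-Acl -Path $Path -Audit
    [void]$acl.RemoveAuditRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderWriters {
    param([string]$Path, [datetime]$Since)
    # 4663 = "An attempt was made to access an object". Its event data carries the
    # object name and the accessing process, which is exactly what we need.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the fields from the event XML rather than the free-text message.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                Process    = $d['ProcessName']
                ProcessId  = [Convert]::ToInt32($d['ProcessId'], 16)   # logged as hex, e.g. 0x4a8
                User       = $d['SubjectUserName']
                Object     = $d['ObjectName']
                AccessMask = $d['AccessMask']
            }
        } |
        Where-Object { $_.Object -like "$Path*" } |
        Sort-Object Time
}

# --- observation window -------------------------------------------------------
$rule  = Enable-FolderWriteAudit -Path $Folder
$start = Get-Date
# Delete the zero-byte file by hand now, as the poster did; the thread reports it
# coming back within about a minute, so wait a little longer than that.
Start-Sleep -Seconds 120
Get-FolderWriters -Path $Folder -Since $start |
    Format-Table Time, Process, ProcessId, User, Object -AutoSize
Disable-FolderWriteAudit -Path $Folder -Rule $rule
```

The Process column is the binary to investigate. If it turns out to be a browser, that supports the later suggestion in this thread that a web site is the source; if it is a service host or scheduled task host, the persistence lives there and that is what a removal script should target. Removing the audit rule afterwards keeps the Security log from filling with every write to the folder.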


John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #17 on: July 30, 2012, 10:58:11 PM »
I did some roaming with regedit last night.  Found leftover references to Enigma Software Group Spyhunter, which I had run and uninstalled.  Files were left on the computer for that program, but none looked like active programs.  However, the combofix log noted a running process from Spyhunter.  There is also an anti-phishing program installed that I forgot about.  I assume the list of bad web sites under P3P ZoneMap Domains is from Spybot immunization.  I noticed several file extensions that bothered me, called: .zfsendtotarget, .z96, and .lst.  Is it ok to run updated Spybot immunizations?  I will hope to hear from you soon.

I bought a new usb powered expander to try switching for each of the old ones to see if it changes the boot problem.  However, it seems that problem would stop access to safe boot options, so might be virus created.
Thanks

Offline essexboy

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #18 on: July 30, 2012, 11:02:07 PM »
.zfsendtotarget, .z96, and .lst are all related to the Windows zip function

As you are using a USB keyboard and mouse, are they set to active in the BIOS?

John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #19 on: July 31, 2012, 12:37:56 AM »
Searchcom_001 path recreated since run.  File there but zero bits long.  Here is the run log.
Thanks,

John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #20 on: July 31, 2012, 05:31:33 AM »
I am not sure how to get into the BIOS with the keyboard problem.  What is the key sequence and timing for Win 7?

John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #21 on: July 31, 2012, 06:00:55 AM »
Dug up the manual: F2 during the Dell logo gets the BIOS.  The laptop manual discusses F12 for a hardware tester, and both have F8 for modified Windows boot.  Still not sure the keyboard will be active at the right time.
Thanks,
John

Offline essexboy

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #22 on: July 31, 2012, 03:28:19 PM »
If you have a PS/2 keyboard hanging around you could use that to get to the BIOS setup

Basically you need USB to be active at boot:

enable USB device legacy support in BIOS

Any further alerts from Avast ?

John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #23 on: July 31, 2012, 05:17:52 PM »
Finished a full scan which ran overnight.  Avast only found files located where OTL moved them.  Complained the Avast dll files path was not present.  Looking at searchcom_001 just now after the scan, the -f.list file was 0 bits, but scanning the other files found a threat in another list file that was not the -f name but was -m. Other files there with -m and -l names were not considered threats.  Some had 0 content, but some had some content and were not found as threat files.  Avast did not self start on boot last night, but did wake from the icon on the desktop when I clicked it.

My Dell desktop does not have the older keyboard style connector interface according to manual.

John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #24 on: July 31, 2012, 07:08:08 PM »
New scan also found same file in zip file in IE temporary Internet Files. 

On the USB issue, went back through Device Manager and rechecked power management functions on USB devices.  Found both Generic USB Hub and USB Root Hub entries in Power Management for "Allow this device to wake the computer" to be grayed out and not checked.  Could not get that to change.  Under Human Interface Devices, the USB input devices did not have a Power Management tab.  HID-compliant devices did, and I made sure all were checked on for wake up.  The mouse and keyboard entries listed them as HID-compliant devices and both are checked for Power Management wake up.  So USB hub wake up seems to be the problem.  Something has blocked the Power Management wake up feature for them.

Offline essexboy

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #25 on: July 31, 2012, 08:25:17 PM »
Remove the hub and then check whether power management is available

Quote
New scan also found same file in zip file in IE temporary Internet Files
That would suggest that it is a web site that you are visiting...  Have you set IE to delete temp files on closing?

John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #26 on: July 31, 2012, 08:34:05 PM »
Added searchcom_001 to the default locations for CCleaner to delete.  Already set to delete IE Temporary Internet Files and other similar locations.  Avast runs with high detection levels are detecting Spybot TeaTimer in memory as a threat: JS:ScriptSH-inf [Trj].   Also getting some zip files flagged as bombs.  One was photos I scanned and stored about a year ago.  Another is old files from Nero 8 in the installed folder.

Looked at the usbhub entry in hardware with regedit, but did not know enough to make any changes.  There were entries but I did not know what they were doing.

John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #27 on: July 31, 2012, 08:48:59 PM »
I did set IE to delete temp files in the Advanced tab but am still finding them.  Just checked and that selection was still there, but some of the security settings looked lower with a protection mode unchecked.  Changed to the medium level standard settings; when I restart it will take effect.

Moved the mouse and keyboard to the front direct USB ports on the computer.  Will see if that gets around the hub issue.  Doesn't the boot cycle restart all hub hardware?  I did a hardware check on the hub entries with Device Manager and saw no changes after the plug and play check came back.


John896

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #28 on: July 31, 2012, 08:55:12 PM »
Have not been going to many of my usual sites while working on this.  Mainly here and Microsoft sites.  Also a few new sites on virus issues.

Offline essexboy

Re: Help, Win32: Delf-GD [Trj] comes back after data file deletion
« Reply #29 on: July 31, 2012, 09:09:40 PM »
The fact that it resides in the temp IE files leads me to suspect a website, plus I can see no sign of Blecko on your system

It might actually be worth removing the hub from the computer and seeing if that resolves the boot problem

A compression bomb just means a highly compressed file and is just an advisory ... Although I think they should remove that description

How is the computer behaving otherwise?