TechSpot

Need assist with malware removal-double iexplore.exe in task man

By oldfart2
Oct 9, 2010
  1. Please assist with malware removal. I have double iexplore.exe in Task Manager for every session open. I noticed it when cleaning a trojan virus (Symantec Antivirus). I installed and ran the Malwarebytes software (awesome software) at the suggestion of a colleague, which cleaned several more things lurking in the shadows, but I still have this issue. I am concerned about identity theft, etc.

    I followed the instructions on the UPDATED 8-step Viruses-Spyware-Malware Preliminary Removal Instructions and have the logs available. I wasn't sure whether to paste or attach the logs, but since some are lengthy, I'll attach. I can re-paste if necessary.

    I appreciate any assistance you can provide!!
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware.

    Having multiple iexplore.exe processes is normal with IE8. That is not to say you don't have malware. As you saw, Mbam did remove some. Do you have other concerns or problems other than the iexplore.exe entries? We can check further to see if any remaining entries need to be removed.

    And it would be appreciated if you would paste the logs into the next reply. You can use multiple posts if needed.
    =============================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. oldfart2

    oldfart2 TS Rookie Topic Starter

    ComboFix 10-10-09.03 - Roger 10/09/2010 21:01:43.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2835 [GMT -5:00]
    Running from: c:\documents and settings\Roger\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Roger\Application Data\PriceGong
    c:\documents and settings\Roger\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Roger\Application Data\PriceGong\Data\z.xml
    c:\windows\system32\Cache

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
    .

    2010-10-09 15:03 . 2010-10-09 15:03 -------- d-----w- c:\documents and settings\Roger\Application Data\Malwarebytes
    2010-10-09 15:03 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-09 15:03 . 2010-10-09 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-09 15:03 . 2010-10-09 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-09 15:03 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-01 18:08 . 2010-10-01 18:08 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-10-01 18:08 . 2010-10-01 18:08 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
    2010-10-01 15:20 . 2010-10-01 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
    2010-09-30 04:45 . 2010-09-30 05:18 -------- d-----w- c:\documents and settings\Roger\Application Data\DivX
    2010-09-30 04:45 . 2010-09-30 04:45 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-09-30 04:44 . 2010-09-30 04:46 -------- d-----w- c:\program files\DivX
    2010-09-30 04:43 . 2010-09-30 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-09-30 02:38 . 2010-09-30 02:38 -------- d-----w- c:\program files\Cosmi
    2010-09-30 02:37 . 2010-09-30 02:37 -------- d-----w- c:\program files\NZCSM
    2010-09-29 22:46 . 2010-09-29 22:46 -------- d-----w- c:\documents and settings\Roger\Application Data\ElevatedDiagnostics
    2010-09-16 22:06 . 2010-10-01 15:21 -------- d-----w- c:\documents and settings\Roger\Local Settings\Application Data\Conduit
    2010-09-16 22:06 . 2010-09-16 22:06 -------- d-----w- c:\documents and settings\Roger\Local Settings\Application Data\Temp
    2010-09-16 22:05 . 2010-09-16 22:05 2468688 ----a-w- c:\documents and settings\Free_TV_Bar_c3.exe
    2010-09-15 23:17 . 2010-09-15 23:17 -------- d-----w- c:\documents and settings\Roger\Application Data\Leadertech
    2010-09-15 23:17 . 2010-09-15 23:17 53248 ----a-r- c:\documents and settings\Roger\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
    2010-09-15 23:17 . 2010-09-15 23:17 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    2010-09-15 23:16 . 2010-03-18 09:01 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
    2010-09-15 23:16 . 2010-09-15 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
    2010-09-15 23:16 . 2010-09-15 23:16 -------- d-----w- c:\program files\Logitech
    2010-09-15 23:15 . 2010-09-15 23:17 -------- d-----w- c:\program files\Common Files\LogiShrd
    2010-09-15 23:15 . 2010-09-15 23:17 -------- d-----w- c:\documents and settings\Roger\Application Data\Logitech
    2010-09-15 23:15 . 2010-09-15 23:15 -------- d-----w- c:\documents and settings\Roger\Application Data\Logishrd
    2010-09-15 23:10 . 2008-04-13 23:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-09-15 23:10 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-22 13594624]
    "nwiz"="nwiz.exe" [2008-11-22 1657376]
    "NVHotkey"="nvHotkey.dll" [2008-11-22 90112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-22 86016]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]

    c:\documents and settings\Roger\Start Menu\Programs\Startup\
    Logitech . Product Registration.lnk - c:\program files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/15/2010 6:16 PM 10448]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/10/2010 8:51 AM 102448]
    S2 Cache_c-_intersystems_cache;Caché Controller for CACHEWEB;c:\intersystems\Cache\bin\cservice.exe [12/22/2009 5:12 PM 20992]
    S2 WinkZink Service;WinkZink Service;c:\documents and settings\All Users\Application Data\WinkZink\winkzink131.exe [9/9/2010 12:55 AM 57608]
    S3 CACHEWEBhttpd;Web Server for CACHEWEB;c:\intersystems\Cache\httpd\bin\httpd.exe -k runservice --> c:\intersystems\Cache\httpd\bin\httpd.exe -k runservice [?]
    S3 EraserUtilDrvI3;EraserUtilDrvI3;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys [?]
    S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
    S3 I97DRIVER;I97DRIVER;\??\d:\qa+win32\dgs.sys --> d:\qa+win32\dgs.sys [?]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]
    S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [6/27/2007 11:41 AM 101248]
    S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [6/27/2007 11:42 AM 73856]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    .
    .
    ------- File Associations -------
    .
    vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
    vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
    jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    .
    Completion time: 2010-10-09 21:05:32
    ComboFix-quarantined-files.txt 2010-10-10 02:05

    Pre-Run: 111,108,059,136 bytes free
    Post-Run: 111,079,690,240 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 39FA953D91B323C6C423F37DEEFD3800
     
  4. oldfart2


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=2acaba0e7e75e74480d5e5c16072ec62
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-10 02:39:17
    # local_time=2010-10-09 09:39:17 (-0600, Central Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=68893
    # found=3
    # cleaned=0
    # scan_time=1433
    C:\Documents and Settings\All Users\Application Data\WinkZink\winkzink131.exe a variant of Win32/Adware.OneStep.L application 00000000000000000000000000000000 I
    C:\Program Files\WinkZink\winkzink.exe a variant of Win32/Adware.OneStep.L application 00000000000000000000000000000000 I
    C:\Program Files\WinkZink\WinkZink_deleted_\winkzink.exe a variant of Win32/Adware.OneStep.L application 00000000000000000000000000000000 I
     
  5. Bobbye


    Let's clean these up while I check Combofix:


    Please download OTMoveIt by OldTimer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Files 
      C:\Documents and Settings\All Users\Application Data\WinkZink\winkzink131.exe 
      C:\Program Files\WinkZink\winkzink.exe 
      C:\Program Files\WinkZink\WinkZink_deleted_\winkzink.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===================================
    You should consider uninstalling WinkZink 1.0 build 131. Looks like it comes with a generous amount of adware.

    Run the above while I set up some script to run through Combofix.
    Please don't download anything new or do any file sharing while I am helping you.
     
  6. Bobbye


    Please run this Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    d:\qa+win32\dgs.sys
    c:\intersystems\Cache\httpd\bin\httpd.exe -k runservice
    c:\documents and settings\All Users\Application Data\WinkZink\winkzink131.exe 
    Folder::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    Driver::
    I97DRIVER
    CACHEWEBhttpd
    WinkZink Service
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ========================================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
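The two helper posts above work the same way: read the ComboFix service lines and the ESET detections, pick out the entries that cannot be verified or sit in odd places, and turn them into a CFScript. The Python below is an added example, not code from the thread or from ComboFix, OTMoveIt or ESET; it parses the log lines quoted in this thread, flags the same three services Bobbye put under Driver::, and drafts the File:: and Driver:: sections. The flagging rules (unverified image, binary under Application Data, path named in the ESET log) are my assumptions about what a helper looks for.

```python
import re

# Service lines and ESET detections copied from the logs posted earlier in this thread.
COMBOFIX_SERVICES = r"""
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/15/2010 6:16 PM 10448]
S2 WinkZink Service;WinkZink Service;c:\documents and settings\All Users\Application Data\WinkZink\winkzink131.exe [9/9/2010 12:55 AM 57608]
S3 CACHEWEBhttpd;Web Server for CACHEWEB;c:\intersystems\Cache\httpd\bin\httpd.exe -k runservice --> c:\intersystems\Cache\httpd\bin\httpd.exe -k runservice [?]
S3 I97DRIVER;I97DRIVER;\??\d:\qa+win32\dgs.sys --> d:\qa+win32\dgs.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]
"""
ESET_LOG = r"""
C:\Documents and Settings\All Users\Application Data\WinkZink\winkzink131.exe a variant of Win32/Adware.OneStep.L application 00000000000000000000000000000000 I
C:\Program Files\WinkZink\winkzink.exe a variant of Win32/Adware.OneStep.L application 00000000000000000000000000000000 I
"""

# "<start> <name>;<display name>;<image path> [<date size>]"; "[?]" means ComboFix could not verify the file.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s+\[(?P<info>[^\]]*)\]$")
# ESET detection line: "<path> <detection text> <32 hex digits> <flag>"
ESET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.\w+)\s+(?P<detection>.+?)\s+[0-9A-Fa-f]{32}\s+\w$")


def parse_services(text):
    """One dict per service/driver line: name, image path (resolved side of '-->'), verified flag."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            image = m.group("image").split(" --> ", 1)[-1]
            entries.append({"name": m.group("name"), "image": image, "verified": m.group("info") != "?"})
    return entries


def parse_eset(text):
    """List of (path, detection) pairs for every detection line in an ESET online scanner log."""
    return [(m.group("path"), m.group("detection"))
            for m in (ESET_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(services, eset_hits):
    """Return (name, image, reasons) for each service a helper would question (rules are assumptions)."""
    detected = {path.lower(): det for path, det in eset_hits}
    flagged = []
    for svc in services:
        path = svc["image"].lower()
        exe = path.split(" -", 1)[0]  # drop service arguments such as "-k runservice"
        reasons = []
        if not svc["verified"]:
            reasons.append("ComboFix could not verify the image file")
        if "\\application data\\" in path:
            reasons.append("service binary lives in a user-writable profile folder")
        if exe in detected:
            reasons.append("ESET: " + detected[exe])
        if reasons:
            flagged.append((svc["name"], svc["image"], reasons))
    return flagged


def build_cfscript(flagged, eset_hits):
    """Draft the File:: and Driver:: sections in the CFScript layout used in this thread."""
    files = []
    for path in [image for _, image, _ in flagged] + [path for path, _ in eset_hits]:
        if path.lower() not in (f.lower() for f in files):  # paths are case-insensitive on Windows
            files.append(path)
    lines = ["File::"] + files + ["", "Driver::"] + [name for name, _, _ in flagged]
    return "\n".join(lines) + "\n"
```

Each flagged entry keeps its list of reasons, so the draft can be reviewed line by line before anyone runs it; a verified entry in a vendor folder such as SavRoam is left alone.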
Topic Status:
Not open for further replies.
