TechSpot

Two versions of iexplore.exe in Task Manager, Event ID 850

By Fiona ny
Jun 27, 2011
  1. About 10 days ago my ISP went down, and I stupidly used a public wireless port for a few hours. This weekend my laptop (Dell 600m) has been very slow & stupid.

    When I'm on IE8, there are two versions of iexplore.exe in the Task Manager. My error log is normal, but the Event Viewer shows someone or something is getting permission to enter my system. The Google/Yahoo search boxes are constantly spazzing.

    I update and run Avira Antivir, SuperAntispyware, Spyware Blaster, & Emsisoft AntiMalware once a week (Avira auto-updates). My firewall is Comodo. When I ran them yesterday, they said my system was clean, but it's clearly not.

    Can you please help me find the problem & fix it? Thanks very much.

    Dell 600m, IE8/Opera, XPSP3
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I will assist you in working through this:

    First, it is perfectly normal to have 2 or more processes for iexplore.exe running in IE8. And the description of Event ID #850 is:
    You may be misunderstanding what it says. It is basically telling you that the Security Audit, which takes place the entire time the computer is on, has been successful.

    In order to further assess this Event, I would need the information for:
    Name: <application name>
    Port number: <port number>
    Protocol: <protocol type>

    It might comfort you to know that the update for the antivirus program is listed as an Exception in the firewall. So this does not necessarily mean 'bad.' And it is likely that the system would have failed the Security Audit if it had been bad.
    ===========================================
    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Please give me a more accurate description of what is happening rather than using words like 'stupid' and 'spazzing'.
     
  3. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    My Malwarebytes' Log

    Thanks for getting back to me so quickly!

    When I say "stupid" and "spazzing", the search engine boxes seem to flicker or quickly flash on and off, as if they're trying to reload. Also, websites I've visited many times before are very slow to load, and some fail despite repeated reloads. Those that do load text have incomplete Flash image loading.

    Here's my Malwarebytes' log:


    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/27/2011 7:20:18 PM
    mbam-log-2011-06-27 (19-20-18).txt

    Scan type: Quick scan
    Objects scanned: 162618
    Time elapsed: 8 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Next reply will be the GMER report.
     
  4. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    GMER Report

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-27 19:40:00
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541680J9AT00 rev.SB2OA70H
    Running: 52u8x9l5.exe; Driver: C:\DOCUME~1\Karen\LOCALS~1\Temp\afayraow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xF477B864]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xF477BABA]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    ---- EOF - GMER 1.0.15 ----
     
  5. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    Problem w/DDS.SCR

    Okay, so I downloaded the dds script program, but when I double-click the icon, I get an OS message that says: Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the file.

    I'm the administrator, so that can't be the problem. I don't know how to disable the script feature in Avira or Comodo firewall. (I looked but don't see it in either program.) Can you help me with this? Thanks again.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Follow this for the scripting:

    1. Launch Internet Explorer 8 on your computer and then click on the "Tools" option from the top toolbar menu.
    2. Select the "Internet Options" button. The Internet Options dialog box will appear on your screen. Click the "Security" tab.
    3. Click the "Custom Level" option. The Custom Level page will appear.
    4. Scroll down through the "Settings" section and select the "Disable" radio button from "Active scripting" heading.
    5. Click the "OK" button to save your changes and complete the task.
     
  7. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    DDS script logs: dds.txt (1 of 2)

    Thanks for the instructions. Here's the dds.txt log:


    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Karen at 22:23:31 on 2011-06-27
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.711 [GMT -4:00]
    .
    AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: COMODO Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxctcoms.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Macrium\Reflect\ReflectService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: {A6EC4B1B-577A-4564-BC70-B9518B694B6F} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\karen\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218664418421
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769} : NameServer = 156.154.70.22,156.154.71.22
    TCP: Interfaces\{518C03EA-FDDF-4B78-B1D6-B4EAB72AF430} : NameServer = 156.154.70.22,156.154.71.22
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 62.146.66.181 dl1.avgate.net
    Hosts: 62.146.66.182 dl2.avgate.net
    Hosts: 62.146.66.183 dl3.avgate.net
    Hosts: 62.146.66.184 dl4.avgate.net
    Hosts: 80.190.143.23 dl5.avgate.net
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2011-6-7 16024]
    R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2010-7-25 41928]
    R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2010-7-25 11776]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-24 11608]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 242472]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 29400]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-14 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 67656]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-7-25 2978720]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-24 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-24 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-24 61960]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1779792]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2011-6-7 220824]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;gupdate;c:\program files\google\update\GoogleUpdate.exe [2010-12-10 136176]
    S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-7-25 73728]
    S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2008-3-17 92550]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 12872]
    S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-5-31 987648]
    S3 VSTHWICH;VSTHWICH;c:\windows\system32\drivers\VSTICH3.SYS [2009-5-31 242176]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-06-27 23:09:18 -------- d-----w- c:\documents and settings\karen\application data\Malwarebytes
    2011-06-27 23:09:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-27 23:09:08 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-06-27 23:09:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-27 23:09:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-19 17:07:21 -------- d-----w- c:\program files\Macrium
    2011-06-19 16:52:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-19 16:47:21 388096 ----a-r- c:\documents and settings\karen\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-06-08 03:10:12 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
    2011-06-08 03:09:44 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
    2011-06-08 03:09:32 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys
    2011-06-06 16:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2011-05-29 17:26:29 307200 ----a-w- c:\windows\system32\BMAPI.dll
    2011-05-29 17:26:29 122880 ----a-w- c:\windows\system32\NicConfigSvc.Cpl
    2011-05-29 17:24:10 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
    2011-05-29 17:24:03 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
    2011-05-29 17:24:03 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
    2011-05-29 17:24:03 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
    2011-05-29 17:24:03 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
    2011-05-29 17:24:02 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
    2011-05-29 17:23:54 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
    2011-05-29 17:23:52 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
    .
    ==================== Find3M ====================
    .
    2011-06-20 00:10:19 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-19 17:08:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-19 16:52:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-04 22:39:54 284744 ----a-w- c:\windows\system32\guard32.dll
    2011-05-04 22:39:49 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-05-04 22:39:49 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-05-04 22:39:48 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    .
    ============= FINISH: 22:24:43.92 ===============

    My next reply has attach.txt log.
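    As an added example, not part of the thread and not a DDS or TechSpot tool, here is a small Python parser for the "Pseudo HJT Report" section of a dds.txt log like the one above. It groups the BHO/TB/EB, Run, NameServer, Hosts and AppInit_DLLs lines and lists the items a reviewer would want to look at (orphaned CLSIDs, unrecognised resolvers, unexpected hosts-file entries, AppInit DLLs). The sample lines and the allowlists TRUSTED_DNS and EXPECTED_HOSTS are constructed for the example, so the output is a review list, not a malware verdict.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" line format
# (written for this example; it is not the thread's full log).
SAMPLE_DDS = r"""
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {A6EC4B1B-577A-4564-BC70-B9518B694B6F} - No File
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769} : NameServer = 156.154.70.22,156.154.71.22
AppInit_DLLs: c:\windows\system32\guard32.dll
Hosts: 62.146.66.181 dl1.avgate.net
Hosts: 80.190.143.23 dl5.avgate.net
"""

# Constructed allowlists: what this analyst expects to see on this machine.
TRUSTED_DNS = {"156.154.70.22", "156.154.71.22"}
EXPECTED_HOSTS = {"dl1.avgate.net"}

# One regex per DDS line type. Add-on lines may or may not carry a name
# before the CLSID ("EB: {clsid} - No File" has none).
ADDON_RE = re.compile(r"^(BHO|TB|EB|uURLSearchHooks):\s*(?:(.*?):\s*)?\{([0-9A-Fa-f-]+)\}\s*-\s*(.*)$")
RUN_RE = re.compile(r"^([um]Run(?:Once)?):\s*\[([^\]]*)\]\s*(.*)$")
DNS_RE = re.compile(r"^TCP:\s*Interfaces\\(\{[^}]+\})\s*:\s*NameServer\s*=\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$")


def parse_pseudo_hjt(text):
    """Group the recognised line types of a DDS Pseudo HJT Report."""
    report = {"addons": [], "run": [], "dns": [], "hosts": [], "appinit": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADDON_RE.match(line)
        if m:
            kind, name, clsid, target = m.groups()
            report["addons"].append(
                {"kind": kind, "name": name, "clsid": clsid.lower(), "target": target})
            continue
        m = RUN_RE.match(line)
        if m:
            report["run"].append(
                {"hive": m.group(1), "name": m.group(2), "command": m.group(3)})
            continue
        m = DNS_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group(2).split(",") if s.strip()]
            report["dns"].append({"interface": m.group(1), "servers": servers})
            continue
        m = HOSTS_RE.match(line)
        if m:
            report["hosts"].append({"ip": m.group(1), "host": m.group(2)})
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Kept as the raw value: AppInit_DLLs may be space- or comma-delimited
            # and paths can contain spaces, so splitting here would be lossy.
            report["appinit"].append(m.group(1))
    return report


def triage(report, trusted_dns, expected_hosts):
    """Return review items in the order found; these are things to check, not verdicts."""
    findings = []
    for a in report["addons"]:
        if a["target"].strip().lower() == "no file":
            findings.append(
                f"orphan {a['kind']} {{{a['clsid']}}}: registered but its file is missing (cleanup candidate)")
    for d in report["dns"]:
        unknown = [s for s in d["servers"] if s not in trusted_dns]
        if unknown:
            findings.append(f"dns {d['interface']}: unrecognised resolver(s) {', '.join(unknown)}")
    for h in report["hosts"]:
        if h["host"] not in expected_hosts:
            findings.append(f"hosts: {h['host']} -> {h['ip']} is not in the expected list")
    for dll in report["appinit"]:
        # AppInit_DLLs are loaded into every process that loads user32.dll, so the owner matters.
        findings.append(f"appinit: {dll} is loaded into every user32-linked process; confirm its owner")
    return findings


if __name__ == "__main__":
    for item in triage(parse_pseudo_hjt(SAMPLE_DDS), TRUSTED_DNS, EXPECTED_HOSTS):
        print(item)
```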
     
  8. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    DDS script logs: attach.txt (2 of 2)

    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/17/2008 3:34:02 PM
    System Uptime: 6/27/2011 6:56:13 PM (4 hours ago)
    .
    Motherboard: Dell Computer Corporation | | 0X8957
    Processor: Intel(R) Celeron(R) M processor 1.40GHz | Microprocessor | 1395/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 53.698 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Dell Wireless 1370 WLAN Mini-PCI Card
    Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&39A85202&0&18F0
    Manufacturer: Broadcom
    Name: Dell Wireless 1370 WLAN Mini-PCI Card
    PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&39A85202&0&18F0
    Service: BCM43XX
    .
    ==== System Restore Points ===================
    .
    RP748: 4/2/2011 7:13:20 PM - System Checkpoint
    RP749: 4/3/2011 10:12:04 PM - System Checkpoint
    RP750: 4/5/2011 1:37:59 AM - System Checkpoint
    RP751: 4/6/2011 9:53:11 AM - System Checkpoint
    RP752: 4/7/2011 9:34:11 PM - System Checkpoint
    RP753: 4/8/2011 11:45:37 PM - System Checkpoint
    RP754: 4/9/2011 8:59:48 PM - Removed Opera 10.63.
    RP755: 4/11/2011 10:33:04 PM - System Checkpoint
    RP756: 4/13/2011 1:16:25 AM - System Checkpoint
    RP757: 4/14/2011 2:18:26 PM - System Checkpoint
    RP758: 4/15/2011 4:07:52 PM - Software Distribution Service 3.0
    RP759: 4/15/2011 10:11:19 PM - Software Distribution Service 3.0
    RP760: 4/15/2011 10:46:21 PM - Software Distribution Service 3.0
    RP761: 4/17/2011 1:07:51 AM - System Checkpoint
    RP762: 4/17/2011 1:12:49 AM - Software Distribution Service 3.0
    RP763: 4/18/2011 3:26:17 PM - System Checkpoint
    RP764: 4/19/2011 4:58:14 PM - Removed Opera 10.63.
    RP765: 4/21/2011 12:31:51 AM - System Checkpoint
    RP766: 4/22/2011 12:47:49 AM - System Checkpoint
    RP767: 4/23/2011 12:49:19 AM - System Checkpoint
    RP768: 4/24/2011 10:55:35 AM - System Checkpoint
    RP769: 4/24/2011 4:16:28 PM - Revo Uninstaller's restore point - VLC media player 1.1.9
    RP770: 4/24/2011 4:19:56 PM - Revo Uninstaller's restore point - GoToMeeting 4.5.0.457
    RP771: 4/26/2011 1:22:43 PM - System Checkpoint
    RP772: 4/27/2011 2:37:25 PM - System Checkpoint
    RP773: 4/30/2011 5:00:15 PM - System Checkpoint
    RP774: 5/1/2011 6:08:21 PM - System Checkpoint
    RP775: 5/1/2011 7:05:13 PM - Removed Java(TM) 6 Update 24
    RP776: 5/3/2011 12:18:38 AM - System Checkpoint
    RP777: 5/3/2011 6:06:25 PM - Restore Operation
    RP778: 5/4/2011 9:07:37 PM - System Checkpoint
    RP779: 5/5/2011 10:44:54 PM - System Checkpoint
    RP780: 5/8/2011 1:03:55 AM - System Checkpoint
    RP781: 5/9/2011 1:38:55 AM - System Checkpoint
    RP782: 5/10/2011 1:40:36 AM - System Checkpoint
    RP783: 5/12/2011 11:53:12 AM - System Checkpoint
    RP784: 5/13/2011 4:52:14 PM - System Checkpoint
    RP785: 5/14/2011 4:54:52 PM - System Checkpoint
    RP786: 5/16/2011 3:56:05 PM - System Checkpoint
    RP787: 5/19/2011 2:10:50 AM - System Checkpoint
    RP788: 5/20/2011 10:29:58 AM - System Checkpoint
    RP789: 5/21/2011 3:28:57 PM - System Checkpoint
    RP790: 5/21/2011 6:30:34 PM - Revo Uninstaller's restore point - The Weather Channel Desktop 6
    RP791: 5/23/2011 9:48:04 AM - System Checkpoint
    RP792: 5/24/2011 12:25:18 PM - System Checkpoint
    RP793: 5/25/2011 12:06:04 AM - Software Distribution Service 3.0
    RP794: 5/26/2011 12:40:12 PM - System Checkpoint
    RP795: 5/26/2011 1:02:42 PM - Removed Java(TM) 6 Update 24
    RP796: 5/28/2011 8:10:04 PM - System Checkpoint
    RP797: 5/29/2011 1:25:14 PM - Installed QuickSet
    RP798: 5/29/2011 1:26:28 PM - Installed Internal Network Card Power Management
    RP799: 5/30/2011 1:50:20 PM - Revo Uninstaller's restore point - The Weather Channel Desktop 6
    RP800: 6/1/2011 1:01:03 PM - System Checkpoint
    RP801: 6/3/2011 1:09:39 AM - System Checkpoint
    RP802: 6/4/2011 1:48:13 PM - Installed Macrium Reflect - Free Edition
    RP803: 6/5/2011 4:01:55 PM - System Checkpoint
    RP804: 6/7/2011 12:28:00 AM - System Checkpoint
    RP805: 6/8/2011 10:22:34 AM - System Checkpoint
    RP806: 6/9/2011 7:43:08 PM - System Checkpoint
    RP807: 6/12/2011 2:06:14 AM - System Checkpoint
    RP808: 6/13/2011 9:07:22 PM - System Checkpoint
    RP809: 6/16/2011 12:52:32 AM - System Checkpoint
    RP810: 6/16/2011 6:43:59 PM - Software Distribution Service 3.0
    RP811: 6/16/2011 10:35:44 PM - Software Distribution Service 3.0
    RP812: 6/18/2011 7:55:31 PM - System Checkpoint
    RP813: 6/18/2011 8:09:05 PM - Software Distribution Service 3.0
    RP814: 6/19/2011 12:51:59 PM - Removed Java(TM) 6 Update 25
    RP815: 6/19/2011 1:07:11 PM - Installed Macrium Reflect - Free Edition
    RP816: 6/20/2011 9:17:04 PM - System Checkpoint
    RP817: 6/21/2011 11:47:39 PM - System Checkpoint
    RP818: 6/22/2011 7:01:23 PM - Software Distribution Service 3.0
    RP819: 6/24/2011 7:45:29 PM - System Checkpoint
    RP820: 6/26/2011 12:35:48 AM - System Checkpoint
    RP821: 6/27/2011 1:49:59 AM - System Checkpoint
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 62.146.66.181 dl1.avgate.net
    Hosts: 62.146.66.182 dl2.avgate.net
    Hosts: 62.146.66.183 dl3.avgate.net
    Hosts: 62.146.66.184 dl4.avgate.net
    Hosts: 80.190.143.23 dl5.avgate.net
    Hosts: 80.190.143.23 dl6.avgate.net
    Hosts: 62.146.66.178 dl7.avgate.net
    Hosts: 62.146.66.179 dl8.avgate.net
    Hosts: 80.190.143.239 dl9.avgate.net
    Hosts: 80.190.143.230 dl10.avgate.net
    ==== Installed Programs ======================
    .
    ABBYY FineReader 6.0 Sprint
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.0)
    AM-DeadLink 3.2
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Avira AntiVir Personal - Free Antivirus
    Broadcom Management Programs 2
    C-Major Audio
    CCleaner
    COMODO Internet Security
    Conexant D480 MDC V.92 Modem
    Critical Update for Windows Media Player 11 (KB959772)
    DellSupport
    EasyCleaner
    Emsisoft Anti-Malware 5.0
    ERUNT 1.1j
    FileHippo.com Update Checker
    Glary Utilities 2.32.0.1126
    Google Toolbar for Internet Explorer
    HD Tune 2.55
    HiJackThis
    HijackThis 2.0.2
    Hitman Pro 3.5
    Homeopathy Pro 1.0
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    ImgBurn
    Intel(R) Processor ID Utility
    Internal Network Card Power Management
    Java Auto Updater
    Java(TM) 6 Update 26
    Lexmark 5400 Series
    Lexmark Toolbar
    Macrium Reflect - Free Edition
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Media Player Classic - Home Cinema v. 1.3.1249.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C Runtime
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Windows Script 5.7
    Microsoft Windows XP Video Decoder Checkup Utility
    Move Networks Media Player for Internet Explorer
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB954459)
    Nexus Radio
    O2Micro Smartcard Driver
    Opera 11.10
    Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
    Polipo 1.0.4.1
    QuickSet
    Real Alternative 2.0.1 Lite
    Revo Uninstaller 1.92
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB917537)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sibelius Scorch (ActiveX Only)
    Spelling Dictionaries Support For Adobe Reader 8
    SpywareBlaster 4.4
    SRS Audio Sandbox
    SUPERAntiSpyware Free Edition
    System Requirements Lab
    Tor 0.2.1.26
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 7 (KB928089)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    User Profile Hive Cleanup Service
    Verizon Online Help and Support
    Vidalia 0.2.9
    Windows Backup Utility
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    xp-AntiSpy 3.96-8
    XP Codec Pack
    Yahoo! Install Manager
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/26/2011 5:29:18 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Google Software Updater service, but this action failed with the following error: An instance of the service is already running.
    6/26/2011 5:14:18 PM, error: Service Control Manager [7031] - The Google Software Updater service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 900000 milliseconds: Restart the service.
    6/26/2011 5:14:07 PM, error: Service Control Manager [7031] - The Google Software Updater service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 900000 milliseconds: Restart the service.
    6/24/2011 7:04:40 PM, error: Service Control Manager [7034] - The lxct_device service terminated unexpectedly. It has done this 1 time(s).
    6/22/2011 6:59:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the gupdate service to connect.
    6/22/2011 6:59:42 PM, error: Service Control Manager [7000] - The gupdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================

    Thanks for your rapid replies, and help thus far.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There are 2 antivirus programs running: AntiVir Desktop and ThreatFire. One of them should be removed. Note: You should boot into Safe Mode for the removal. If using a removal tool, download it first and save it to the desktop:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    AV: ThreatFire > ThreatFire Removal Tool

    AV: AntiVir Desktop> Try Add/Remove Programs first. Please note: The manual uninstallation of the Avira Software is only necessary if this removal isn't successful.
    Then use Windows Explorer to Remove Avira program files:
    Right click on Start> Explore> My computer> Double click on Local Drive (C)> Programs> Then navigate to the directory C:\Program Files\. Here, delete all existing Avira AntiVir directories:C:\Program Files\Avira\*.*

    If you keep Avira, we will need to reset the host files for the updates.
    =============================================
    Since your main problem appears to involve flash features and since your version of Flash is current:
    Click on Start> Settings> Control Panel> System> Hardware tab> Device Manager> You will be looking for the error icon on any of the video drivers. If you see one> Do a right click> Properties and read the message for the error.
    ===========================================
    Java is way out of date. Please update: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ============================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to get the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==============================================
    The system is looking pretty healthy right now from a malware point of view. We'll see what the new logs show and if you have any errors on video drivers.
     
  10. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    My Further Scan Results: Threatfire, Java, etc.

    Threatfire:

    I thought I had deleted this over a year ago, as Avira is now my chosen antivirus. Your link to the removal tool was broken, and a search on the Threatfire website was not helpful. I used a link posted on PC Tools (sorry!) from January of this year. I unzipped it and ran it in Safe Mode. However, I am not sure it was completely removed, as you will see later under my Combofix notes.

    Please advise me on how to reset the updates feature on Avira.

    Device Manager:

    I checked the video drivers, and all other devices in the Manager, and they are all clean - no errors or grayed-out listings.

    Java:

    I was surprised that my Java was out-of-date, because I use the FileHippo Update Checker, and recently updated Java. However, I did uninstall it, using Revo Uninstaller (moderate level), and did a new install using your link. The new version had the same name as my old one (Version 6, update 26). Is it possible that my earlier malware reports show fragments of older versions of Java in my system? If so, I don't know how to get them out.

    My next reply will be about Combofix.
     
  11. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    My Combofix Report

    Running Combofix was a harrowing experience! I did not realize it would take over my machine. It would be helpful for newbies to know that there are 50 stages to the scan, to give us an idea of how far along the scans are. I used your link to download it.

    Two kinds of errors occurred during the running of Combofix: near the beginning, I got at least 2 messages saying that Threatfire was still running, and I needed to turn it off. This was after I uninstalled Threatfire (I thought). I just overrode the warning. The second error occurred while the multi-stage scan was running. I got the following Windows message 3 times:

    Registry Editor error
    App Name: regt.cfxxe
    App Ver: 5.1.2600.5512
    Mod Name: a2hooks32.dll
    Mod Ver: 5.0.0.91
    Offset: 00002c57

    (I think this file is connected to my Emsisoft Anti-Malware program. I have since been able to update and run a quick scan with it, but I am not sure if it was damaged or not.)

    The Combofix scan continued to run, however. It also updated my Windows Recovery Console module.

    Here is the log report:

    ComboFix 11-06-29.06 - Karen 06/29/2011 22:36:14.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.719 [GMT -4:00]
    Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
    FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Karen\g2mdlhlpx.exe
    c:\documents and settings\Karen\GoToAssistDownloadHelper.exe
    c:\windows\system32\_000005_.tmp.dll
    c:\windows\system32\_000006_.tmp.dll
    c:\windows\system32\regobj.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
    2011-06-27 23:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-27 23:09 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-19 17:07 . 2011-06-19 17:07 -------- d-----w- c:\program files\Macrium
    2011-06-19 16:47 . 2011-06-19 16:47 388096 ----a-r- c:\documents and settings\Karen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-06-17 02:25 . 2011-06-17 02:26 -------- d-----w- c:\program files\Common Files\Adobe
    2011-06-08 03:10 . 2011-06-08 03:10 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
    2011-06-08 03:09 . 2011-06-08 03:09 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
    2011-06-08 03:09 . 2011-06-08 03:09 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys
    2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-30 02:04 . 2010-05-24 02:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-28 22:39 . 2011-05-19 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 00:10 . 2010-04-05 20:33 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-05-10 15:46 . 2010-06-01 23:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
    2011-05-04 22:39 . 2010-06-01 23:00 284744 ----a-w- c:\windows\system32\guard32.dll
    2011-05-04 22:39 . 2010-06-01 23:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-05-04 22:39 . 2010-06-01 23:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-05-04 22:39 . 2010-06-04 15:55 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-05-02 15:31 . 2008-03-17 19:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-04 04:56 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2007-01-31 22:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11 . 2007-01-31 22:27 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-04 04:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 16:11 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 12:01 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-04 03:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-11 2424192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
    .
    c:\documents and settings\Karen\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-04 23:12 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Karen^Start Menu^Programs^Startup^Secunia PSI.lnk]
    backup=c:\windows\pss\Secunia PSI.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
    2006-11-21 12:27 106496 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcttime.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=2 (0x2)
    "wltrysvc"=2 (0x2)
    "Fax"=2 (0x2)
    "gupdate"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    "c:\\WINDOWS\\system32\\lxctcoms.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Opera9.64\\opera.exe"=
    .
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [6/7/2011 11:09 PM 16024]
    R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [7/25/2010 9:37 PM 41928]
    R1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [7/25/2010 9:37 PM 11776]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 242472]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 29400]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/14/2009 2:22 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 67656]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/25/2010 9:37 PM 2978720]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 3:02 PM 136360]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [6/7/2011 11:09 PM 220824]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;gupdate;c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 2:15 AM 136176]
    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/25/2010 9:37 PM 73728]
    S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/17/2008 6:25 PM 92550]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 12872]
    S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [5/31/2009 3:08 PM 987648]
    S3 VSTHWICH;VSTHWICH;c:\windows\system32\drivers\VSTICH3.SYS [5/31/2009 3:08 PM 242176]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-30 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2011-02-27 16:28]
    .
    2011-06-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-04 16:14]
    .
    2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
    .
    2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769}: NameServer = 156.154.70.22,156.154.71.22
    TCP: Interfaces\{518C03EA-FDDF-4B78-B1D6-B4EAB72AF430}: NameServer = 156.154.70.22,156.154.71.22
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-NavLogon - (no file)
    MSConfigStartUp-dlccmon - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-29 23:08
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose, ZwOpenFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1060284298-1993962763-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(680)
    c:\windows\system32\guard32.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'lsass.exe'(736)
    c:\windows\system32\guard32.dll
    .
    Completion time: 2011-06-29 23:11:59
    ComboFix-quarantined-files.txt 2011-06-30 03:11
    .
    Pre-Run: 57,329,569,792 bytes free
    Post-Run: 57,400,725,504 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - B19D69A08F80476E5000A42AFC177A05


    Next will be my ESET online scan results.
     
  12. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    ESET online scan results

    The ESET scan originally took over 4 hours, but I had to abort it. The second, complete scan took a little over 2 hours. There was no log report, because it was "clean".

    I look forward to your comments on my other scan results. I really appreciate this help.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, coming along nicely. Since there are no other entries for ThreatFire, I am removing it from the Combofix header. As for the Emisoft error: All of the security is supposed to be disabled when the Combofix scan is run. If you did not disable that antimalware program, that is likely the cause of the error message.

    Not sure where my 'way out of date Java' message came from. You do show Javav6u18 still on the system, but you also have the current v6u26. Please make sure the v6u18 version is uninstalled in Add/Remove Programs. Also check Tools> Manage Addons> Look in both 'processes now on system' and 'processes previously on system' and remove the one for v6u18 if still there.

    About relying on the FileHippo Update Checker for the Java update, I suggest you check for it yourself. MY reason is because an update for Java doesn't overwrite the previous version. So while the update checker might put the updates on, it is not likely to remove the previous version. Updates for Java and the Adobe Reader are for security purposes and outdated versions are vulnerabilities.

    My personal feeling is that I want total control of my system- I do not want programs to be accessing the internet, every day, several times a day, looking for 'updates' that might only come once a month! The only auto-update I allow is the antivirus program.
    ================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    SecCenter::
    {67B2B9A1-25C8-4057-962D-807958FFC9E3}
    DDS::
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ==========================================
    I'd like to run the following to make sure an entry I saw in GMER has been resolved:
    Download aswMBR to your desktop.
    The screens you will be seeing will be black with white writing. This may look strange to you but it is normal.
    • Double click the aswMBR.exe to run it.
    • Click the "Scan" button (lower left) to start the scan.
    • On completion of the scan click "Save log" (lower right) and save it to your desktop.
    • Post in your next reply:
    (Image courtesy Broni)
    ===================================================
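    The points the helper checks in the ComboFix log above (a second antivirus still registered with Security Center, the AntiVirusOverride value the CFScript removes, and which newly created files and services are kernel drivers) can be pulled out of the log mechanically. The Python script below is an added example for this thread, not ComboFix's own code or anything from the thread's participants. It assumes the line layouts visible in the posted log: `AV:`/`FW:` header lines ending in a GUID, file lines of the form `created . modified size attrs path`, and service lines of the form `Rn name;display;path [date size]`. The sample lines are copied from the log posted above; everything else in the script (names, regexes, the findings it produces) is the example's own.

```python
r"""Triage a ComboFix-style log excerpt (added example, not ComboFix's own code).

Assumed line formats, taken from the log posted in this thread:
  AV: ThreatFire *Enabled/Updated* {GUID}
  2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
  R1 a2util;a-squared Malware-IDS utility driver;c:\program files\...\a2util32.sys [7/25/2010 9:37 PM 11776]
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 23:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-19 17:07 . 2011-06-19 17:07 -------- d-----w- c:\program files\Macrium
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [7/25/2010 9:37 PM 41928]
S2 gupdate;gupdate;c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 2:15 AM 136176]
"""


@dataclass
class SecurityProduct:
    kind: str    # AV / FW / AS as printed in the header
    name: str
    state: str   # e.g. "Enabled/Updated"
    guid: str

    @property
    def enabled(self) -> bool:
        return self.state.split("/")[0].lower() == "enabled"


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int    # -1 when the log prints dashes (a directory)
    attrs: str
    path: str


@dataclass
class ServiceEntry:
    start: str   # R = running, S = stopped, digit = start type (as seen in the log)
    name: str
    display: str
    path: str


@dataclass
class ParsedLog:
    products: List[SecurityProduct] = field(default_factory=list)
    files: List[FileEntry] = field(default_factory=list)
    services: List[ServiceEntry] = field(default_factory=list)
    av_override: bool = False


PRODUCT_RE = re.compile(r"^(AV|FW|AS): (.+?) \*(.+?)\* \{([0-9A-Fa-f-]{36})\}$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+|-+) (\S{8}) (.+)$")
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[[^\]]*\]$")
OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$')
DRIVER_DIR = "\\system32\\drivers\\"


def parse_log(text: str) -> ParsedLog:
    """Classify each line of the excerpt; lines that match no known layout are ignored."""
    result = ParsedLog()
    for raw in text.splitlines():
        line = raw.strip()
        m = PRODUCT_RE.match(line)
        if m:
            result.products.append(SecurityProduct(*m.groups()))
            continue
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            result.files.append(FileEntry(created, modified, int(size) if size.isdigit() else -1, attrs, path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            result.services.append(ServiceEntry(*m.groups()))
            continue
        if OVERRIDE_RE.match(line):
            result.av_override = True
    return result


def triage(log: ParsedLog) -> List[str]:
    """Return human-readable findings a helper would want to review first."""
    findings = []
    avs = [p for p in log.products if p.kind == "AV"]
    if len(avs) > 1:
        findings.append("multiple antivirus products registered: "
                        + ", ".join(f"{p.name} ({p.state})" for p in avs))
    if log.av_override:
        findings.append("Security Center AntiVirusOverride is set: antivirus status is not being monitored")
    for f in log.files:
        if DRIVER_DIR in f.path.lower():
            findings.append(f"new kernel driver file {f.path} ({f.size} bytes, created {f.created}): confirm vendor")
    for s in log.services:
        if s.path.lower().endswith(".sys"):
            findings.append(f"kernel driver service {s.name} ({s.start}) loads {s.path}: confirm vendor")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print("-", finding)
```

    Run it on a full ComboFix.txt by passing the file contents to `parse_log`; the findings are review prompts, not verdicts, since a legitimate driver from a backup or anti-malware product (as in this thread) is flagged exactly like an unknown one until its vendor is confirmed.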
     
  14. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    Problem with Second ComboFix scan

    Bobbye:

    Thanks for the suggestion about checking my IE8 add-ons re: Java. I did have 2 earlier Java version plug-ins, which I disabled.

    Re: Second Combofix scan - I copied the script as instructed, and dragged the text doc onto the Combofix icon. It began running the scan without any issue. However, at the end, I got the following message at the DOS C: prompt:

    'c.bat' is not recognized as an internal or external command, operable program or batch command.

    Below this was C: Combofix>

    I checked the Combofix file for the new report doc, but the only Combofix.txt doc there was the one from the first scan, dated June 29.

    How do I fix this so the scan will generate a report?

    Please advise. Thanks very much.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The log is generated automatically after the script is run. It sounds like the script wasn't named properly: Please try running it again.

    Save this as CFScript.txt, in the same location as ComboFix.exe

    As far as I know, 'c.bat' is only a Directory with batch files.
     
  16. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    Another snag w/Second Combofix scan

    Bobbye:

    I deleted my prior version of CFScript.txt, redid it, and dropped it on top of Combofix. The scan started, but soon gave the message:

    Error opening file for writing:

    C:\32788R22FWJFW\AWF.cmd

    I retried, no dice, then hit Ignore to see if the scan would proceed. It threw up another error:

    Error opening file for writing:

    C:\32788R22FWJFW\Assoc.cmd

    I picked Ignore, and many more files appeared under the "32788R22..." directory, like:

    Auto-RC.cmd
    Boot-RK.cmd
    Boot.bat
    CF-Script.cmd
    CSet.cmd

    etc., etc. Eleven files and counting - I aborted the scan.

    Is this malware? Or what is it? Combofix doesn't like it.

    Please advise. Thanks very much.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Normally it shouldn't be 'harrowing'!
    I have not heard anyone complain about their machine being taken over by Combofix!
    50 stages is relative to what is found in each stage. If I had told you there were 50 stages, it could have meant less time or more time!

    However, you can view the Tutorial in full for Combofix and observe:
    Here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    ====================================================
    Have you uninstalled Hitman yet? You are showing evidence of problems with the Application.NirCmd
    Application.NirCmd is a collection of third party tools packed in one executable that can be used to remove threats in an infected machine. However it can also be used by users with malicious intent to do a different activity.
    ============================================
    Please do the following- and it's important that you do it in the order that I give it:

    1. Uninstall Hitman Pro in Add/remove Programs. After you have done that, delete the program folder>>
    Right click on Start> Explore> My Computer> Double click on Local Drive (C)> Programs> do a right click> delete on the Hitman folder.
    Reboot the computer

    2. Uninstall ComboFix and all Backups of the files it deleted- Note: this is a complete uninstall of the program itself, log, backups.
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [IMG]
    Reboot the computer

    3. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    4. Do a search on the system, with Local Drive for location, for nircam. Do a right click> Delete on entries found.
    Boot back into Normal Mode.

    5. Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
      You should already have the Recovery Console so Combofix won't do the query.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [IMG]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==================================
    Please paste the new Combofix log in your next reply.
     
  18. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    Problems Uninstalling Combofix

    Bobbye:

    I uninstalled Hitman Pro.

    I'm still having problems with Combofix, I can't successfully complete the uninstall.
    When the process begins running, I still get the message:

    Error opening file for writing:

    and the same series of command files (C:\32788R22FWJFW\...) cannot be opened or deleted by Combofix. What should I do?

    Help! (lol)

    Thanks again.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Set a new Restore Point> name it 'testdelete' or any name that you will remember why you set it..

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Using Windows Explorer (Windows key + E)> go to Tools> Folder Options> View tab> Check 'Show hidden files and folders'> Uncheck 'Hide protected system files (Recommended)'> click on Yes for the confirmation> Apply> OK
    Then go to My Computer> Double click on Local Drive (C)> look for this Directory C:\32788R22FWJFW> Click on this Directory> Go to Edit> Select All> File> Delete.

    Go back and rehide the files and folders>> Check 'Do not show hidden files and folders'> Check 'Hide protected system files (Recommended)'> Apply> OK
    Exit Windows Explorer

    Reboot the computer into Normal Mode. See if you can proceed with the Combofix uninstall.

    Let me know.
     
  20. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    A Little Progress & A Question

    I deleted the "...JFW" files in Safe Mode.

    I was able to run the Combofix Uninstall command. However, there is still a Combofix file with files in it on my C:\ drive. Is this okay?

    Also, you say to search to delete "nircam". Do you mean "nircmd"?

    After I hear from you, I will run the Combofix reinstall and post a report.

    Thanks very much.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you mean "nircmd"?>> Yes! Thank you for catching that.

    Do you know what files are in the Combofix Directory? Before you do the reinstall, let's see what they are.
     
  22. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    Remaining Combofix files

    Bobbye:

    These are the files in the Combofix folder in C:\

    ComboFix-Download.cfxxc
    Nircmd.cfxxe
    PING.cfxxe
    hidec.cfxxe
    pev.cfxxe

    There is also a ComboFix.exe file w/icon on my desktop.

    I haven't done a search to delete the nircmd files, because one of them is in the ComboFix folder.

    I also continue to have a folder labeled 32788R22FWJFW in the C:\ drive, with an icon of a monitor and hard drive. Is this okay?

    Is it possible to use another program besides ComboFix to fix my problems? It seems to be adding problems and creating more work, not fixing them.

    Please advise. Thanks again.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please attempt to do a right click> Delete on each of the files in the Combofix Directory. Apparently it has become corrupt somewhere here in our work, and unless we get all the old entries off, I don't think an uninstall or re-download and scan will work correctly.
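
    The cleanup in posts 17, 19 and 23 has the user delete ComboFix's leftover working directory (C:\32788R22FWJFW) and the C:\ComboFix folder by hand, after first making hidden and system files visible. The .cfxxe files listed in post 22 (nircmd, pev, hidec, PING) correspond to ComboFix's own bundled helper tools, renamed with a .cfxxe extension; nircmd is the same dual-use utility that Hitman Pro reported as Application.NirCmd. Before deleting files like these it is worth recording what they are, so the listing, not just the names, can be posted for a helper to check. The script below is an added example, not something from the thread or from ComboFix: it inventories the two directories (hidden and system files included), records each file's size, attributes, SHA-256 and Authenticode signature status to a report on the desktop, and only removes anything when run with -Delete. It assumes PowerShell 2.0 is installed on the XP SP3 machine (it is not present by default) and an administrator account; the paths and the report location are defaults that can be overridden with -Paths and -Report.

    ```powershell
    # Added example, not from the thread or from ComboFix: inventory ComboFix's
    # leftover working directory and helper files before deleting them.
    #
    # Assumptions: Windows XP SP3 with PowerShell 2.0 installed (not present by
    # default), run as an administrator. The default paths are the ones named in
    # the thread. Nothing is deleted unless -Delete is given; without it,
    # Remove-Item runs with -WhatIf and only reports what it would remove.
    param(
        [string[]]$Paths  = @('C:\32788R22FWJFW', 'C:\ComboFix'),
        [string]$Report   = (Join-Path $env:USERPROFILE 'Desktop\combofix-leftovers.txt'),
        [switch]$Delete
    )

    # SHA-256 via .NET, because Get-FileHash only exists in PowerShell 4.0 and later.
    function Get-Sha256Hex([string]$File) {
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($File)
        try {
            $bytes = $sha.ComputeHash($stream)
        } finally {
            $stream.Close()
        }
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
    }

    $rows = @()
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Host "absent: $p"
            continue
        }
        # -Force lists hidden and system files, the same ones the thread exposes by
        # unchecking 'Hide protected system files' in Folder Options.
        Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $f = $_
                # A file held open by a running process (the 'Error opening file for
                # writing' case in post 16) shows up here as unreadable rather than
                # aborting the whole inventory.
                try   { $hash = Get-Sha256Hex $f.FullName }
                catch { $hash = "unreadable: $($_.Exception.Message)" }
                $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $rows += New-Object PSObject -Property @{
                    Path      = $f.FullName
                    Bytes     = $f.Length
                    Modified  = $f.LastWriteTime
                    Attrs     = [string]$f.Attributes
                    Signature = [string]$sig.Status   # NotSigned, Valid, HashMismatch, ...
                    Signer    = $signer
                    SHA256    = $hash
                }
            }
    }

    # Write the listing to the desktop so it can be pasted into a reply.
    $rows | Sort-Object Path |
        Format-Table -AutoSize Path, Bytes, Attrs, Signature, SHA256 |
        Out-String -Width 250 | Tee-Object -FilePath $Report | Write-Host
    Write-Host "report written to $Report"

    # Removal only on request. Locked files still fail here; for those, do this
    # from Safe Mode as post 19 describes.
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction Continue -WhatIf:(-not $Delete)
        }
    }
    ```

    Run it first without -Delete (for example `powershell -ExecutionPolicy Bypass -File .\Inventory-ComboFixLeftovers.ps1`, with the file name being an assumption) and post the report; rerun with -Delete once the contents are confirmed to be ComboFix's own leftovers. The signature column is a quick sanity check only: ComboFix's renamed helpers are not expected to carry a valid Authenticode signature, so NotSigned is the normal result, and the hash is what lets someone else confirm exactly which file was present.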
     
  24. Fiona ny

    Fiona ny TS Rookie Topic Starter Posts: 20

    Second Combofix Scan - Mark II

    Bobbye:

    I deleted all the nircmd files, and emptied them out of the recycle bin.

    I deleted out all the ComboFix files.

    I downloaded a clean copy of ComboFix onto my desktop.

    My question is: Should I run a straight scan of ComboFix, or should I drop the CFScript.exe onto it and then run the scan?

    Please advise. Thanks.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Update and do a new scan with Combofix. Forget the old script; it's no longer needed. Delete the file for the script from the desktop; new script if needed. You can delete the previous script with the one entry.
     
Topic Status:
Not open for further replies.
