Solved Two versions of iexplore.exe in Task Manager, Event ID 850

Fiona ny

About 10 days ago my ISP went down, and I stupidly used a public wireless port for a few hours. This weekend my laptop (Dell 600m) has been very slow & stupid.

When I'm on IE8, there are two versions of iexplore.exe in the Task Manager. My error log is normal, but the Event Viewer shows someone or something is getting permission to enter my system. The Google/Yahoo search boxes are constantly spazzing.

I update and run Avira Antivir, SuperAntispyware, Spyware Blaster, & Emsisoft AntiMalware once a week (Avira auto-updates). My firewall is Comodo. When I ran them yesterday, they said my system was clean, but it's clearly not.

Can you please help me find the problem & fix it? Thanks very much.

Dell 600m, IE8/Opera, XPSP3
 
Welcome to TechSpot! I will assist you in working through this:

First, it is perfectly normal to have 2 or more processes for iexplore.exe running in IE8. And the description of Event ID #850 is:
Event ID 850
Source Security
Type Success Audit
Description A port was listed as an exception when the Windows Firewall started.
Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: <application name>
Port number: <port number>
Protocol: <protocol type>
State: Enabled
Scope: Local subnet only
You may be misunderstanding what it says. It is basically telling you that the Security Audit, which takes place the entire time the computer is on, has been successful.

In order to further assess this Event, I would need the information for:
Name: <application name>
Port number: <port number>
Protocol: <protocol type>

It might comfort you to know that the update for the antivirus program is listed as an Exception in the firewall. So this does not necessarily mean 'bad.' And it is likely that the system would have failed the Security Audit if it had been bad.
===========================================
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
Please give me a more accurate description of what is happening rather than using words like 'stupid' or 'spazzing'.
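The three Event ID 850 fields asked for above (Name, Port number, Protocol) can be pulled out of the event text mechanically, and exceptions whose scope is wider than the local subnet can be flagged for a closer look. The Python below is an added example, not code from this thread or from any of the tools it mentions; the sample event descriptions are constructed in the format quoted above, and the application names and the "Scope: All" value are assumptions rather than strings copied from a real Security log.

```python
"""Parse Windows Firewall Success Audit Event ID 850 descriptions.

Added example: not from the thread or from any tool it mentions. The field
layout follows the Event 850 description quoted in the thread. The sample
events below are constructed; the application names and the "Scope: All"
value are assumptions, not strings copied from a real Security log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EVENT_850_HEADER = "A port was listed as an exception when the Windows Firewall started."

# Constructed sample descriptions in the format quoted in the thread.
SAMPLE_EVENTS = [
    EVENT_850_HEADER + """
Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Avira AntiVir Update
Port number: 80
Protocol: TCP
State: Enabled
Scope: Local subnet only""",
    EVENT_850_HEADER + """
Policy origin: Local Policy
Profile used: Standard
Interface: All interfaces
Name: Remote Desktop
Port number: 3389
Protocol: TCP
State: Enabled
Scope: All""",
    # A different (constructed) audit message: the parser must skip it, not guess.
    "An application was listed as an exception when the Windows Firewall started.\nName: Something",
]

# One "Key: value" line of the event description.
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class PortException:
    name: str
    port: int
    protocol: str
    state: str
    scope: str
    profile: str


def parse_event_850(description: str) -> Optional[PortException]:
    """Return the structured exception from one Event 850 description.

    Returns None for text that is not an Event 850 description, or whose
    Port number is missing or not numeric, so callers never act on a guess.
    """
    lines = [ln.strip() for ln in description.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != EVENT_850_HEADER:
        return None
    fields: Dict[str, str] = {}
    for ln in lines[1:]:
        m = FIELD_RE.match(ln)
        if m:
            fields[m.group("key").strip().lower()] = m.group("value").strip()
    try:
        return PortException(
            name=fields["name"],
            port=int(fields["port number"]),
            protocol=fields["protocol"].upper(),
            state=fields["state"],
            scope=fields["scope"],
            profile=fields.get("profile used", ""),
        )
    except (KeyError, ValueError):
        return None


def needs_review(exc: PortException) -> bool:
    """An enabled exception reachable from beyond the local subnet deserves a look.

    Assumption: "Local subnet only" is the narrow scope (as in the quoted event);
    any other scope string is treated as wider.
    """
    return exc.state.lower() == "enabled" and exc.scope.lower() != "local subnet only"


def triage(descriptions: List[str]) -> List[dict]:
    """Parse every description, skip anything that is not an Event 850, and
    report the Name / Port / Protocol the helper asked for plus a review flag."""
    rows = []
    for text in descriptions:
        exc = parse_event_850(text)
        if exc is None:
            continue
        rows.append({"name": exc.name, "port": exc.port,
                     "protocol": exc.protocol, "review": needs_review(exc)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        flag = "REVIEW" if row["review"] else "ok"
        print(f'{row["name"]:<24} {row["protocol"]}/{row["port"]:<6} {flag}')
```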
 
My Malwarebytes' Log

Thanks for getting back to me so quickly!

When I say "stupid" and "spazzing", the search engine boxes seem to flicker or quickly flash on and off, as if they're trying to reload. Also, websites I've visited many times before are very slow to load, and some fail despite repeated reloads. Those that do load text have incomplete Flash image loading.

Here's my Malwarebytes' log:


Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/27/2011 7:20:18 PM
mbam-log-2011-06-27 (19-20-18).txt

Scan type: Quick scan
Objects scanned: 162618
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Next reply will be the GMER report.
 
GMER Report

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-27 19:40:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541680J9AT00 rev.SB2OA70H
Running: 52u8x9l5.exe; Driver: C:\DOCUME~1\Karen\LOCALS~1\Temp\afayraow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xF477B864]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xF477BABA]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- EOF - GMER 1.0.15 ----
 
Problem w/DDS.SCR

Okay, so I downloaded the dds script program, but when I double-click the icon, I get an OS message that says: Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the file.

I'm the administrator, so that can't be the problem. I don't know how to disable the script feature in Avira or Comodo firewall. (I looked but don't see it in either program.) Can you help me with this? Thanks again.
 
Follow this for the scripting:

1. Launch Internet Explorer 8 on your computer and then click on the "Tools" option from the top toolbar menu.
2. Select the "Internet Options" button. The Internet Options dialog box will appear on your screen. Click the "Security" tab.
3. Click the "Custom Level" option. The Custom Level page will appear.
4. Scroll down through the "Settings" section and select the "Disable" radio button under the "Active scripting" heading.
5. Click the "OK" button to save your changes and complete the task.
 
DDS script logs: dds.txt (1 of 2)

Thanks for the instructions. Here's the dds.txt log:


DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Karen at 22:23:31 on 2011-06-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.711 [GMT -4:00]
.
AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {A6EC4B1B-577A-4564-BC70-B9518B694B6F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\karen\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218664418421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{518C03EA-FDDF-4B78-B1D6-B4EAB72AF430} : NameServer = 156.154.70.22,156.154.71.22
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 62.146.66.181 dl1.avgate.net
Hosts: 62.146.66.182 dl2.avgate.net
Hosts: 62.146.66.183 dl3.avgate.net
Hosts: 62.146.66.184 dl4.avgate.net
Hosts: 80.190.143.23 dl5.avgate.net
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2011-6-7 16024]
R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2010-7-25 41928]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2010-7-25 11776]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-24 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 29400]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-14 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 67656]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-7-25 2978720]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-24 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-24 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-24 61960]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1779792]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2011-6-7 220824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;gupdate;c:\program files\google\update\GoogleUpdate.exe [2010-12-10 136176]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-7-25 73728]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2008-3-17 92550]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 12872]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-5-31 987648]
S3 VSTHWICH;VSTHWICH;c:\windows\system32\drivers\VSTICH3.SYS [2009-5-31 242176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-27 23:09:18 -------- d-----w- c:\documents and settings\karen\application data\Malwarebytes
2011-06-27 23:09:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-27 23:09:08 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-27 23:09:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-27 23:09:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-19 17:07:21 -------- d-----w- c:\program files\Macrium
2011-06-19 16:52:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-19 16:47:21 388096 ----a-r- c:\documents and settings\karen\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-08 03:10:12 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2011-06-08 03:09:44 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
2011-06-08 03:09:32 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys
2011-06-06 16:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-05-29 17:26:29 307200 ----a-w- c:\windows\system32\BMAPI.dll
2011-05-29 17:26:29 122880 ----a-w- c:\windows\system32\NicConfigSvc.Cpl
2011-05-29 17:24:10 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2011-05-29 17:24:03 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-05-29 17:24:03 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-05-29 17:24:03 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-05-29 17:24:03 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-05-29 17:24:02 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-05-29 17:23:54 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-05-29 17:23:52 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
.
==================== Find3M ====================
.
2011-06-20 00:10:19 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-19 17:08:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-19 16:52:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 22:39:54 284744 ----a-w- c:\windows\system32\guard32.dll
2011-05-04 22:39:49 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-04 22:39:49 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-05-04 22:39:48 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 22:24:43.92 ===============

My next reply has attach.txt log.
 
DDS script logs: attach.txt (2 of 2)

DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/17/2008 3:34:02 PM
System Uptime: 6/27/2011 6:56:13 PM (4 hours ago)
.
Motherboard: Dell Computer Corporation | | 0X8957
Processor: Intel(R) Celeron(R) M processor 1.40GHz | Microprocessor | 1395/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 53.698 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1370 WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&39A85202&0&18F0
Manufacturer: Broadcom
Name: Dell Wireless 1370 WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&39A85202&0&18F0
Service: BCM43XX
.
==== System Restore Points ===================
.
RP748: 4/2/2011 7:13:20 PM - System Checkpoint
RP749: 4/3/2011 10:12:04 PM - System Checkpoint
RP750: 4/5/2011 1:37:59 AM - System Checkpoint
RP751: 4/6/2011 9:53:11 AM - System Checkpoint
RP752: 4/7/2011 9:34:11 PM - System Checkpoint
RP753: 4/8/2011 11:45:37 PM - System Checkpoint
RP754: 4/9/2011 8:59:48 PM - Removed Opera 10.63.
RP755: 4/11/2011 10:33:04 PM - System Checkpoint
RP756: 4/13/2011 1:16:25 AM - System Checkpoint
RP757: 4/14/2011 2:18:26 PM - System Checkpoint
RP758: 4/15/2011 4:07:52 PM - Software Distribution Service 3.0
RP759: 4/15/2011 10:11:19 PM - Software Distribution Service 3.0
RP760: 4/15/2011 10:46:21 PM - Software Distribution Service 3.0
RP761: 4/17/2011 1:07:51 AM - System Checkpoint
RP762: 4/17/2011 1:12:49 AM - Software Distribution Service 3.0
RP763: 4/18/2011 3:26:17 PM - System Checkpoint
RP764: 4/19/2011 4:58:14 PM - Removed Opera 10.63.
RP765: 4/21/2011 12:31:51 AM - System Checkpoint
RP766: 4/22/2011 12:47:49 AM - System Checkpoint
RP767: 4/23/2011 12:49:19 AM - System Checkpoint
RP768: 4/24/2011 10:55:35 AM - System Checkpoint
RP769: 4/24/2011 4:16:28 PM - Revo Uninstaller's restore point - VLC media player 1.1.9
RP770: 4/24/2011 4:19:56 PM - Revo Uninstaller's restore point - GoToMeeting 4.5.0.457
RP771: 4/26/2011 1:22:43 PM - System Checkpoint
RP772: 4/27/2011 2:37:25 PM - System Checkpoint
RP773: 4/30/2011 5:00:15 PM - System Checkpoint
RP774: 5/1/2011 6:08:21 PM - System Checkpoint
RP775: 5/1/2011 7:05:13 PM - Removed Java(TM) 6 Update 24
RP776: 5/3/2011 12:18:38 AM - System Checkpoint
RP777: 5/3/2011 6:06:25 PM - Restore Operation
RP778: 5/4/2011 9:07:37 PM - System Checkpoint
RP779: 5/5/2011 10:44:54 PM - System Checkpoint
RP780: 5/8/2011 1:03:55 AM - System Checkpoint
RP781: 5/9/2011 1:38:55 AM - System Checkpoint
RP782: 5/10/2011 1:40:36 AM - System Checkpoint
RP783: 5/12/2011 11:53:12 AM - System Checkpoint
RP784: 5/13/2011 4:52:14 PM - System Checkpoint
RP785: 5/14/2011 4:54:52 PM - System Checkpoint
RP786: 5/16/2011 3:56:05 PM - System Checkpoint
RP787: 5/19/2011 2:10:50 AM - System Checkpoint
RP788: 5/20/2011 10:29:58 AM - System Checkpoint
RP789: 5/21/2011 3:28:57 PM - System Checkpoint
RP790: 5/21/2011 6:30:34 PM - Revo Uninstaller's restore point - The Weather Channel Desktop 6
RP791: 5/23/2011 9:48:04 AM - System Checkpoint
RP792: 5/24/2011 12:25:18 PM - System Checkpoint
RP793: 5/25/2011 12:06:04 AM - Software Distribution Service 3.0
RP794: 5/26/2011 12:40:12 PM - System Checkpoint
RP795: 5/26/2011 1:02:42 PM - Removed Java(TM) 6 Update 24
RP796: 5/28/2011 8:10:04 PM - System Checkpoint
RP797: 5/29/2011 1:25:14 PM - Installed QuickSet
RP798: 5/29/2011 1:26:28 PM - Installed Internal Network Card Power Management
RP799: 5/30/2011 1:50:20 PM - Revo Uninstaller's restore point - The Weather Channel Desktop 6
RP800: 6/1/2011 1:01:03 PM - System Checkpoint
RP801: 6/3/2011 1:09:39 AM - System Checkpoint
RP802: 6/4/2011 1:48:13 PM - Installed Macrium Reflect - Free Edition
RP803: 6/5/2011 4:01:55 PM - System Checkpoint
RP804: 6/7/2011 12:28:00 AM - System Checkpoint
RP805: 6/8/2011 10:22:34 AM - System Checkpoint
RP806: 6/9/2011 7:43:08 PM - System Checkpoint
RP807: 6/12/2011 2:06:14 AM - System Checkpoint
RP808: 6/13/2011 9:07:22 PM - System Checkpoint
RP809: 6/16/2011 12:52:32 AM - System Checkpoint
RP810: 6/16/2011 6:43:59 PM - Software Distribution Service 3.0
RP811: 6/16/2011 10:35:44 PM - Software Distribution Service 3.0
RP812: 6/18/2011 7:55:31 PM - System Checkpoint
RP813: 6/18/2011 8:09:05 PM - Software Distribution Service 3.0
RP814: 6/19/2011 12:51:59 PM - Removed Java(TM) 6 Update 25
RP815: 6/19/2011 1:07:11 PM - Installed Macrium Reflect - Free Edition
RP816: 6/20/2011 9:17:04 PM - System Checkpoint
RP817: 6/21/2011 11:47:39 PM - System Checkpoint
RP818: 6/22/2011 7:01:23 PM - Software Distribution Service 3.0
RP819: 6/24/2011 7:45:29 PM - System Checkpoint
RP820: 6/26/2011 12:35:48 AM - System Checkpoint
RP821: 6/27/2011 1:49:59 AM - System Checkpoint
.
==== Hosts File Hijack ======================
.
Hosts: 62.146.66.181 dl1.avgate.net
Hosts: 62.146.66.182 dl2.avgate.net
Hosts: 62.146.66.183 dl3.avgate.net
Hosts: 62.146.66.184 dl4.avgate.net
Hosts: 80.190.143.23 dl5.avgate.net
Hosts: 80.190.143.23 dl6.avgate.net
Hosts: 62.146.66.178 dl7.avgate.net
Hosts: 62.146.66.179 dl8.avgate.net
Hosts: 80.190.143.239 dl9.avgate.net
Hosts: 80.190.143.230 dl10.avgate.net
==== Installed Programs ======================
.
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
AM-DeadLink 3.2
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Broadcom Management Programs 2
C-Major Audio
CCleaner
COMODO Internet Security
Conexant D480 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
DellSupport
EasyCleaner
Emsisoft Anti-Malware 5.0
ERUNT 1.1j
FileHippo.com Update Checker
Glary Utilities 2.32.0.1126
Google Toolbar for Internet Explorer
HD Tune 2.55
HiJackThis
HijackThis 2.0.2
Hitman Pro 3.5
Homeopathy Pro 1.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImgBurn
Intel(R) Processor ID Utility
Internal Network Card Power Management
Java Auto Updater
Java(TM) 6 Update 26
Lexmark 5400 Series
Lexmark Toolbar
Macrium Reflect - Free Edition
Malwarebytes' Anti-Malware version 1.51.0.1200
Media Player Classic - Home Cinema v. 1.3.1249.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C Runtime
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Windows Script 5.7
Microsoft Windows XP Video Decoder Checkup Utility
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Nexus Radio
O2Micro Smartcard Driver
Opera 11.10
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
Polipo 1.0.4.1
QuickSet
Real Alternative 2.0.1 Lite
Revo Uninstaller 1.92
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sibelius Scorch (ActiveX Only)
Spelling Dictionaries Support For Adobe Reader 8
SpywareBlaster 4.4
SRS Audio Sandbox
SUPERAntiSpyware Free Edition
System Requirements Lab
Tor 0.2.1.26
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 7 (KB928089)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Profile Hive Cleanup Service
Verizon Online Help and Support
Vidalia 0.2.9
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
xp-AntiSpy 3.96-8
XP Codec Pack
Yahoo! Install Manager
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
6/26/2011 5:29:18 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Google Software Updater service, but this action failed with the following error: An instance of the service is already running.
6/26/2011 5:14:18 PM, error: Service Control Manager [7031] - The Google Software Updater service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 900000 milliseconds: Restart the service.
6/26/2011 5:14:07 PM, error: Service Control Manager [7031] - The Google Software Updater service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 900000 milliseconds: Restart the service.
6/24/2011 7:04:40 PM, error: Service Control Manager [7034] - The lxct_device service terminated unexpectedly. It has done this 1 time(s).
6/22/2011 6:59:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the gupdate service to connect.
6/22/2011 6:59:42 PM, error: Service Control Manager [7000] - The gupdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

Thanks for your rapid replies, and help thus far.
 
There are 2 antivirus programs running: AntiVir Desktop and ThreatFire. One of them should be removed. Note: You should boot into Safe Mode for the removal. If using the removal tool, download it first and save it to the desktop:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
AV: ThreatFire > ThreatFire Removal Tool

AV: AntiVir Desktop> Try Add/Remove Programs first. Please note: The manual uninstallation of the Avira Software is only necessary if this removal isn't successful.
Then use Windows Explorer to Remove Avira program files:
Right click on Start> Explore> My computer> Double click on Local Drive (C)> Programs> Then navigate to the directory C:\Program Files\. Here, delete all existing Avira AntiVir directories: C:\Program Files\Avira\*.*

If you keep Avira, we will need to reset the host files for the updates.
=============================================
Since your main problem appears to involve flash features and since your version of Flash is current:
Click on Start> Settings> Control Panel> System> Hardware tab> Device Manager> You will be looking for the error icon (dialog_warning.png) on any of the video drivers. If you see one> Do a right click> Properties and read the message for the error.
===========================================
Java is way out of date. Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
============================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (cf-icon.jpg) & follow the prompts to run.
  • When the scan completes, a report will be generated and opened in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
========================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the posted image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the esetSmartInstallDesktopIcon.png on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
==============================================
The system is looking pretty healthy right now from a malware point of view. We'll see what the new logs show and if you have any errors on video drivers.
 
My Further Scan Results: Threatfire, Java, etc.

Threatfire:

I thought I had deleted this over a year ago, as Avira is now my chosen antivirus. Your link to the removal tool was broken, and a search on the Threatfire website was not helpful. I used a link posted on PC Tools (sorry!) from January of this year. I unzipped it and ran it in Safe Mode. However, I am not sure it was completely removed, as you will see later under my Combofix notes.

Please advise me on how to reset the updates feature on Avira.

Device Manager:

I checked the video drivers, and all other devices in the Manager, and they are all clean - no errors or grayed-out listings.

Java:

I was surprised that my Java was out-of-date, because I use the FileHippo Update Checker, and recently updated Java. However, I did uninstall it, using Revo Uninstaller (moderate level), and did a new install using your link. The new version had the same name as my old one (Version 6, update 26). Is it possible that my earlier malware reports show fragments of older versions of Java in my system? If so, I don't know how to get them out.

My next reply will be about Combofix.
 
My Combofix Report

Running Combofix was a harrowing experience! I did not realize it would take over my machine. It would be helpful for newbies to know that there are 50 stages to the scan, to give us an idea of how far along the scans are. I used your link to download it.

Two kinds of errors occurred during the running of Combofix: near the beginning, I got at least 2 messages saying that Threatfire was still running, and I needed to turn it off. This was after I uninstalled Threatfire (I thought). I just overrode the warning. The second error occurred while the multi-stage scan was running. I got the following Windows message 3 times:

Registry Editor error
App Name: regt.cfxxe
App Ver: 5.1.2600.5512
Mod Name: a2hooks32.dll
Mod Ver: 5.0.0.91
Offset: 00002c57

(I think this file is connected to my Emsisoft Anti-Malware program. I have since been able to update and run a quick scan with it, but I am not sure if it was damaged or not.)

The Combofix scan continued to run, however. It also updated my Windows Recovery Console module.

Here is the log report:

ComboFix 11-06-29.06 - Karen 06/29/2011 22:36:14.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.719 [GMT -4:00]
Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Karen\g2mdlhlpx.exe
c:\documents and settings\Karen\GoToAssistDownloadHelper.exe
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))
.
.
2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2011-06-27 23:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-27 23:09 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 17:07 . 2011-06-19 17:07 -------- d-----w- c:\program files\Macrium
2011-06-19 16:47 . 2011-06-19 16:47 388096 ----a-r- c:\documents and settings\Karen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-17 02:25 . 2011-06-17 02:26 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-08 03:10 . 2011-06-08 03:10 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2011-06-08 03:09 . 2011-06-08 03:09 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
2011-06-08 03:09 . 2011-06-08 03:09 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 02:04 . 2010-05-24 02:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-28 22:39 . 2011-05-19 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-20 00:10 . 2010-04-05 20:33 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-10 15:46 . 2010-06-01 23:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-05-04 22:39 . 2010-06-01 23:00 284744 ----a-w- c:\windows\system32\guard32.dll
2011-05-04 22:39 . 2010-06-01 23:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-04 22:39 . 2010-06-01 23:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-05-04 22:39 . 2010-06-04 15:55 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-02 15:31 . 2008-03-17 19:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 04:56 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2007-01-31 22:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2007-01-31 22:27 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 04:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 03:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-11 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
c:\documents and settings\Karen\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-04 23:12 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Karen^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
2006-11-21 12:27 106496 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcttime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"wltrysvc"=2 (0x2)
"Fax"=2 (0x2)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera9.64\\opera.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [6/7/2011 11:09 PM 16024]
R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [7/25/2010 9:37 PM 41928]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [7/25/2010 9:37 PM 11776]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 29400]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/14/2009 2:22 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 67656]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/25/2010 9:37 PM 2978720]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 3:02 PM 136360]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [6/7/2011 11:09 PM 220824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;gupdate;c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 2:15 AM 136176]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/25/2010 9:37 PM 73728]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/17/2008 6:25 PM 92550]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 12872]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [5/31/2009 3:08 PM 987648]
S3 VSTHWICH;VSTHWICH;c:\windows\system32\drivers\VSTICH3.SYS [5/31/2009 3:08 PM 242176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-02-27 16:28]
.
2011-06-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-04 16:14]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{518C03EA-FDDF-4B78-B1D6-B4EAB72AF430}: NameServer = 156.154.70.22,156.154.71.22
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
MSConfigStartUp-dlccmon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-29 23:08
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1060284298-1993962763-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\guard32.dll
.
Completion time: 2011-06-29 23:11:59
ComboFix-quarantined-files.txt 2011-06-30 03:11
.
Pre-Run: 57,329,569,792 bytes free
Post-Run: 57,400,725,504 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B19D69A08F80476E5000A42AFC177A05


Next will be my ESET online scan results.
 
ESET online scan results

The ESET scan originally took over 4 hours, but I had to abort it. The second, complete scan took a little over 2 hours. There was no log report, because it was "clean".

I look forward to your comments on my other scan results. I really appreciate this help.
 
Okay, coming along nicely. Since there are no other entries for ThreatFire, I am removing it from the Combofix header. As for the Emsisoft error: All of the security is supposed to be disabled when the Combofix scan is run. If you did not disable that antimalware program, that is likely the cause of the error message.

Not sure where my 'way out of date Java' message came from. You do show Java v6u18 still on the system, but you also have the current v6u26. Please make sure the v6u18 version is uninstalled in Add/Remove Programs. Also check Tools> Manage Addons> Look in both 'processes now on system' and 'processes previously on system' and remove the one for v6u18 if still there.

About relying on the FileHippo Update Checker for the Java update, I suggest you check for it yourself. My reason is because an update for Java doesn't overwrite the previous version. So while the update checker might put the updates on, it is not likely to remove the previous version. Updates for Java and the Adobe Reader are for security purposes and outdated versions are vulnerabilities.

My personal feeling is that I want total control of my system- I do not want programs to be accessing the internet, every day, several times a day, looking for 'updates' that might only come once a month! The only auto-update I allow is the antivirus program.
================================================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\drivers\hitmanpro35.sys
SecCenter::
{67B2B9A1-25C8-4057-962D-807958FFC9E3}
DDS::
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
==========================================
I'd like to run the following to make sure an entry I saw in GMER has been resolved:
Download aswMBR to your desktop.
The screens you will be seeing will be black with white writing. This may look strange to you but it is normal.
  • Double click the aswMBR.exe to run it.
  • Click the "Scan" button (lower left) to start the scan:
  • On completion of the scan, click "Save log" (lower right) and save it to your desktop
  • Post in your next reply:

(Image courtesy Broni)
===================================================
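As an added illustration of the point above about an older Java staying on the system beside the newer one (this is example code written for this page, not part of the thread or of any tool it mentions), the Python below reads the DPF: lines that DDS/ComboFix print for Internet Explorer's Downloaded Program Files and flags every Java installer entry that is older than the newest one found. It assumes the "DPF: {CLSID} - URL" layout and the jinstall-1_6_0_NN cab naming shown in the CFScript above; the sample lines are constructed from those two entries plus one placeholder non-Java entry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the "DPF:" lines that DDS/ComboFix
# print for Internet Explorer's Downloaded Program Files (ActiveX) entries.
# The two Java lines copy the entries from the CFScript in the thread; the
# third is a made-up non-Java entry with a placeholder CLSID, included to
# show that unrelated entries are ignored.
SAMPLE_DPF_LINES = """\
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {00000000-0000-0000-0000-000000000000} - hxxp://example.invalid/placeholder/other.cab
"""

# "DPF: {CLSID} - URL"; the CLSID is 32 hex digits plus 4 hyphens in braces.
DPF_RE = re.compile(r"^DPF:\s*(\{[0-9A-Fa-f-]{36}\})\s*-\s*(\S+)", re.MULTILINE)
# The installer cab is named jinstall-<major>_<minor>_<micro>_<update>-...
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.IGNORECASE)

Version = Tuple[int, int, int, int]


def parse_dpf_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (CLSID, URL) pairs for every DPF: line in a DDS/ComboFix log."""
    return [(m.group(1), m.group(2)) for m in DPF_RE.finditer(log_text)]


def java_version_from_url(url: str) -> Optional[Version]:
    """Extract (major, minor, micro, update) from a jinstall cab URL, else None."""
    m = JINSTALL_RE.search(url)
    if m is None:
        return None
    major, minor, micro, update = (int(g) for g in m.groups())
    return (major, minor, micro, update)


def java_dpf_versions(log_text: str) -> Dict[str, Version]:
    """Map each Java installer CLSID to the JRE version its cab installs."""
    versions: Dict[str, Version] = {}
    for clsid, url in parse_dpf_entries(log_text):
        ver = java_version_from_url(url)
        if ver is not None:
            versions[clsid] = ver
    return versions


def stale_java_dpf_entries(log_text: str) -> List[str]:
    """CLSIDs of Java DPF entries older than the newest one in the log.

    Java updates install side by side rather than replacing the previous
    release, so every entry below the maximum version is a leftover that
    still exposes the old, vulnerable plug-in to the browser.
    """
    versions = java_dpf_versions(log_text)
    if not versions:
        return []
    newest = max(versions.values())
    return sorted(clsid for clsid, ver in versions.items() if ver < newest)


def format_version(ver: Version) -> str:
    """Render (1, 6, 0, 18) in the 'Java 6 Update 18' style used in the thread."""
    return f"Java {ver[1]} Update {ver[3]}"


if __name__ == "__main__":
    versions = java_dpf_versions(SAMPLE_DPF_LINES)
    for clsid in stale_java_dpf_entries(SAMPLE_DPF_LINES):
        print(f"stale plug-in entry {clsid}: {format_version(versions[clsid])}")
```

Run against a saved log, this reports the 6u18 entry as stale while leaving the 6u26 entry alone; each flagged CLSID is one the helper would expect to see uninstalled in Add/Remove Programs or disabled under Manage Addons.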
 
Problem with Second ComboFix scan

Bobbye:

Thanks for the suggestion about checking my IE8 add-ons re: Java. I did have 2 earlier Java version plug-ins, which I disabled.

Re: Second Combofix scan - I copied the script as instructed, and dragged the text doc onto the Combofix icon. It began running the scan without any issue. However, at the end, I got the following message at the DOS C: prompt:

'c.bat' is not recognized as an internal or external command, operable program or batch command.

Below this was C: Combofix>

I checked the Combofix file for the new report doc, but the only Combofix.txt doc there was the one from the first scan, dated June 29.

How do I fix this so the scan will generate a report?

Please advise. Thanks very much.
 
The log is generated automatically after the script is run. It sounds like the script wasn't named properly: Please try running it again.

Save this as CFScript.txt, in the same location as ComboFix.exe

As far as I know, 'c.bat' is only a Directory with batch files.
 
Another snag w/Second Combofix scan

Bobbye:

I deleted my prior version of CFScript.txt, redid it, and dropped it on top of Combofix. The scan started, but soon gave the message:

Error opening file for writing:

C:\32788R22FWJFW\AWF.cmd

I retried, no dice, then hit Ignore to see if the scan would proceed. It threw up another error:

Error opening file for writing:

C:\32788R22FWJFW\Assoc.cmd

I picked Ignore, and many more files appeared under the "32788R22..." directory, like:

Auto-RC.cmd
Boot-RK.cmd
Boot.bat
CF-Script.cmd
CSet.cmd

etc., etc. Eleven files and counting - I aborted the scan.

Is this malware? Or what is it? Combofix doesn't like it.

Please advise. Thanks very much.
 
Running Combofix was a harrowing experience! I did not realize it would take over my machine. It would be helpful for newbies to know that there are 50 stages to the scan, to give us an idea of how far along the scans are. I used your link to download it.

Normally it shouldn't be 'harrowing'!
I have not heard anyone complain about their machine being taken over by Combofix!
50 stages is relative to what is found in each stage. If I had told you there were 50 stages, it could have meant less time or more time!

However, you can view the Tutorial in full for Combofix and observe:
At the time of this writing there are a total of 50 stages as shown in the image below, so please be patient. The amount of stages will go up as time goes on, so if the amount of stages is different when you run it, please do not be concerned.
Here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
====================================================
Have you uninstalled Hitman yet? You are showing evidence of problems with the Application.NirCmd
Application.NirCmd is a collection of third party tools packed in one executable that can be used to remove threats in an infected machine. However it can also be used by users with malicious intent to do a different activity.
============================================
Please do the following- and it's important that you do it in the order that I give it:

1. Uninstall Hitman Pro in Add/remove Programs. After you have done that, delete the program folder>>
Right click on Start> Explore> My Computer> Double click on Local Drive (C)> Programs> do a right click> delete on the Hitman folder.
Reboot the computer

2. Uninstall ComboFix and all Backups of the files it deleted- Note: this is a complete uninstall of the program itself, log, backups.
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
Reboot the computer

3. Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

4. Do a search on the system, with Local Drive for location, for nircmd. Do a right click> Delete on entries found.
Boot back into Normal Mode.

5. Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
    You should already have the Recovery Console so Combofix won't do the query.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==================================
Please paste the new Combofix log in your next reply.
 
Problems Uninstalling Combofix

Bobbye:

I uninstalled Hitman Pro.

I'm still having problems with Combofix, I can't successfully complete the uninstall.
When the process begins running, I still get the message:

Error opening file for writing:

and the same series of command files (C:\32788R22FWJFW\...) cannot be opened or deleted by Combofix. What should I do?

Help! (lol)

Thanks again.
 
Set a new Restore Point> name it 'testdelete' or any name that you will remember why you set it.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Using Windows Explorer (Windows key + E)> go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'Hide protected system files (Recommended)'> click on Yes for the confirmation> Apply> OK
Then go to My Computer> Double click on Local Drive (C)> look for this Directory C:\32788R22FWJFW> Click on this Directory> Go to Edit> Select All> File> Delete.

Go back and rehide the files and folders>> Check 'Do not show hidden files and folders'> Check 'Hide protected system files (Recommended)'> Apply> OK
Exit Windows Explorer

Reboot the computer into Normal Mode. See if you can proceed with the Combofix uninstall.

Let me know.
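Added here as a defender's convenience, not from the thread or from ComboFix's authors: a PowerShell script that inventories the leftover paths named in this thread (listing hidden and system entries, which is what the Folder Options steps above do by hand) and moves them into a quarantine folder instead of deleting outright, logging anything that cannot be moved. The quarantine folder name and log file are assumptions.

```powershell
# Added example, not part of the thread: inventory (and optionally quarantine)
# the leftover ComboFix artifacts named in this thread before deleting anything.
# The quarantine folder name and log file are assumptions made here.
function Get-ComboFixLeftovers {
    param(
        [string[]] $Paths = @('C:\ComboFix', 'C:\32788R22FWJFW', 'C:\ComboFix.txt'),
        [string]   $SearchRoot = 'C:\'
    )
    $found = @()
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # -Force includes hidden and system entries, the same ones the
        # Folder Options toggles in the post above show or hide in Explorer.
        $found += Get-Item -LiteralPath $p -Force
        $found += Get-ChildItem -LiteralPath $p -Force -Recurse -ErrorAction SilentlyContinue
    }
    # nircmd is ComboFix's helper; the thread asks for stray copies to be removed too
    $found += Get-ChildItem -Path $SearchRoot -Filter 'nircmd*' -Recurse -Force `
                -ErrorAction SilentlyContinue
    $found | Select-Object FullName, Attributes, Length, LastWriteTime
}

function Move-ComboFixLeftoversToQuarantine {
    param(
        [string] $Quarantine = 'C:\Quarantine_ComboFix',   # assumed folder name
        [string] $Log = "$Quarantine\quarantine.log"       # assumed log name
    )
    if (-not (Test-Path -LiteralPath $Quarantine)) {
        New-Item -ItemType Directory -Path $Quarantine | Out-Null
    }
    # Only the top-level paths are moved; their contents travel with them.
    $tops = @('C:\ComboFix', 'C:\32788R22FWJFW', 'C:\ComboFix.txt')
    foreach ($p in $tops) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $dest = Join-Path $Quarantine (Split-Path $p -Leaf)
        try {
            Move-Item -LiteralPath $p -Destination $dest -Force -ErrorAction Stop
            Add-Content -Path $Log -Value "$(Get-Date -Format s) moved $p -> $dest"
        } catch {
            # Locked or protected entries (the "Error opening file" case in the
            # thread) are logged rather than forced; handle those from Safe Mode.
            Add-Content -Path $Log -Value "$(Get-Date -Format s) FAILED $p : $($_.Exception.Message)"
        }
    }
}

# Review the inventory first; quarantine only if the list matches what you expect.
Get-ComboFixLeftovers | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the inventory output is also a convenient list to paste back when the helper asks what is left in the ComboFix directory.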
 
A Little Progress & A Question

I deleted the "...JFW" files in Safe Mode.

I was able to run the Combofix Uninstall command. However, there is still a Combofix file with files in it on my C:\ drive. Is this okay?

Also, you say to search to delete "nircam". Do you mean "nircmd"?

After I hear from you, I will run the Combofix reinstall and post a report.

Thanks very much.
 
Do you mean "nircmd"?>> Yes! Thank you for catching that.

Do you know what files are in the Combofix Directory? Before you do the reinstall, let's see what they are.
 
Remaining Combofix files

Bobbye:

These are the files in the Combofix folder in C:\

ComboFix-Download.cfxxc
Nircmd.cfxxe
PING.cfxxe
hidec.cfxxe
pev.cfxxe

There is also a ComboFix.exe file w/icon on my desktop.

I haven't done a search to delete the nircmd files, because one of them is in the ComboFix folder.

I also continue to have a folder labeled 32788R22FWJFW in the C:\ drive, with an icon of a monitor and hard drive. Is this okay?

Is it possible to use another program besides ComboFix to fix my problems? It seems to be adding problems and creating more work, not fixing them.

Please advise. Thanks again.
 
Please attempt to do a right click> Delete on each of the files in the Combofix Directory. Apparently it has become corrupt somewhere here in our work and unless we get all the old entries off, I don't think an uninstall or re-download and scan will work correctly.
 
Second Combofix Scan - Mark II

Bobbye:

I deleted all the nircmd files, and emptied them out of the recycle bin.

I deleted out all the ComboFix files.

I downloaded a clean copy of ComboFix onto my desktop.

My question is: Should I run a straight scan of ComboFix, or should I drop the CFScript.exe onto and then run the scan?

Please advise. Thanks.
 
Should I run a straight scan of ComboFix, or should I drop the CFScript.exe onto and then run the scan?

Update and do a new scan with Combofix. Forget the old script, it's no longer needed. Delete the file for the script from the desktop; a new script will be given if needed. You can delete the previous script with the one entry.
 