TechSpot

[Solved] Two versions of iexplore.exe in Task Manager, Event ID 850

Discussion in 'Virus and Malware Removal' started by Fiona ny, Jun 27, 2011.

Thread Status:
Not open for further replies.
  1. Bobbye Helper on the Fringe

    Do you mean "nircmd"?>> Yes! Thank you for catching that.

    Do you know what files are in the Combofix Directory? Before you do the reinstall, let's see what they are.
  2. Fiona ny Newcomer, in training

    Remaining Combofix files

    Bobbye:

    These are the files in the Combofix folder in C:\

    ComboFix-Download.cfxxc
    Nircmd.cfxxe
    PING.cfxxe
    hidec.cfxxe
    pev.cfxxe

    There is also a ComboFix.exe file w/icon on my desktop.

    I haven't done a search to delete the nircmd files, because one of them is in the ComboFix folder.

    I also continue to have a folder labeled 32788R22FWJFW in the C:\ drive, with an icon of a monitor and hard drive. Is this okay?

    Is it possible to use another program besides ComboFix to fix my problems? It seems to be adding problems and creating more work, not fixing them.

    Please advise. Thanks again.
  3. Bobbye Helper on the Fringe

    Please attempt to do a right click > Delete on each of the files in the Combofix Directory. Apparently it has become corrupt somewhere here in our work and unless we get all the old entries off, I don't think an uninstall or re-download and scan will work correctly.
  4. Fiona ny Newcomer, in training

    Second Combofix Scan - Mark II

    Bobbye:

    I deleted all the nircmd files, and emptied them out of the recycle bin.

    I deleted out all the ComboFix files.

    I downloaded a clean copy of ComboFix onto my desktop.

    My question is: Should I run a straight scan of ComboFix, or should I drop the CFScript.exe onto it and then run the scan?

    Please advise. Thanks.
  5. Bobbye Helper on the Fringe

    Update and do new scan with Combofix. Forget the old script - it's no longer needed. Delete the file for the script from the desktop new script if needed. You can delete the previous script with the one entry.
  6. Fiona ny Newcomer, in training

    I Could Scream!

    Bobbye:

    I deleted CFScript.exe, and tried to run the ComboFix scan.

    It is still stalling at the 32788R22FWJFW file - as soon as it hits Assoc.cmd, it can't read it.

    I previously deleted this folder, but it came back, as I mentioned a few posts ago.

    Is this file legitimate, or not? If not, how can I get rid of it? Or should we use a different malware scan?

    I don't understand why we can't get past this point.
  7. Bobbye Helper on the Fringe

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    ==========================================
    Reboot the computer.
    ==========================================
    Please download ATF Cleaner by Atribune
    This program is for XP, Vista and Windows 2000 only

    • [1] Double-click ATF-Cleaner.exe to run the program.
      [2] Under Main choose: Select All
      [3] Click the Empty Selected button.

      If you use Firefox browser
      [1] Click Firefox at the top and choose: Select All
      [2] Click the Empty Selected button.
      [3] NOTE: If you would like to keep your saved passwords, please click No at the prompt.

      If you use Opera browser
      [1] Click Opera at the top and choose: Select All
      [2] Click the Empty Selected button.
      [3] NOTE: If you would like to keep your saved passwords, please click No at the prompt.

      Click Exit on the Main menu to close the program.

    =======================================
    Reboot the computer.
    ======================================
    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    sunday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    -------------------------------------
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Rkill instructions
    Once you've gotten one of them to run
    • immediately double click on sunday.exe to run
    • If normal mode still doesn't work, run BOTH tools from safe mode.

    If you have done #2, please post BOTH logs, rKill and Combofix.

    Leave the new logs for me.

    Also, please give me an update on the system.
  8. Fiona ny Newcomer, in training

    Some Scan Logs

    Bobbye:

    1) I tried running my second version of ComboFix in Safe Mode. It began to scan, but it once again said Threatfire was still running on my machine, even though I deleted it last week. I ignored this, but when it came time to compile the report, it gave the message "This version is expired, do you want to complete scan w/reduced functionality?" I said No and aborted the scan. I uninstalled this version of Combofix, and downloaded a new version under "sunday.exe" to my Desktop.

    2) I downloaded ATF Cleaner, which stalled on the first go-round. I reran it successfully, and rebooted.

    3) I downloaded Rkill.com, which ran but said there were processes in use which it could not review, and showed nothing in the report. I decided to run it in Safe Mode, but on the reboot, there was a System Error Oxxx... - it went too fast for me to record it. I will have more comments re: this in my next reply.

    The Rkill report follows:

    Rkill was run on 07/13/2011 at 21:17:10.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\userinit.exe


    Rkill completed on 07/13/2011 at 21:17:13.

    Next is the log for ComboFix.
  9. Fiona ny Newcomer, in training

    Combofix Log

    I ran ComboFix as sunday.exe. Once it began, it yet again complained that Threatfire and Avira Antivir were running, even though Threatfire has been deleted, and I ran Safe Mode without networking (Antivir not on).

    Here is the log:

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.803 [GMT -4:00]
    Running from: c:\documents and settings\Karen\Desktop\sunday.exe
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
    FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
    2011-06-27 23:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-27 23:09 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-19 17:07 . 2011-06-19 17:07 -------- d-----w- c:\program files\Macrium
    2011-06-19 16:47 . 2011-06-19 16:47 388096 ----a-r- c:\documents and settings\Karen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-06-17 02:25 . 2011-06-17 02:26 -------- d-----w- c:\program files\Common Files\Adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-10 02:35 . 2011-05-19 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-05 02:05 . 2009-05-24 19:02 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-07-05 02:05 . 2009-05-24 19:02 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-30 08:38 . 2010-06-01 23:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
    2011-06-30 08:38 . 2010-06-01 23:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-06-30 08:38 . 2010-06-04 15:55 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-06-30 08:38 . 2010-06-01 23:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-06-30 08:37 . 2010-06-01 23:00 285256 ----a-w- c:\windows\system32\guard32.dll
    2011-06-30 02:04 . 2010-05-24 02:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-20 00:10 . 2010-04-05 20:33 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-08 03:10 . 2011-06-08 03:10 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
    2011-06-08 03:09 . 2011-06-08 03:09 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
    2011-06-08 03:09 . 2011-06-08 03:09 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys
    2011-06-02 14:02 . 2007-01-31 22:25 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31 . 2008-03-17 19:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-04 04:56 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2007-01-31 22:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07 . 2007-01-31 22:25 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-26 11:07 . 2004-08-04 04:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-04-25 16:11 . 2007-01-31 22:27 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-04 04:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 16:11 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 12:01 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-04 03:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-01 2424192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-06-30 2554696]
    .
    c:\documents and settings\Karen\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-04 23:12 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Karen^Start Menu^Programs^Startup^Secunia PSI.lnk]
    backup=c:\windows\pss\Secunia PSI.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
    2006-11-21 12:27 106496 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcttime.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=2 (0x2)
    "wltrysvc"=2 (0x2)
    "Fax"=2 (0x2)
    "gupdate"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    "c:\\WINDOWS\\system32\\lxctcoms.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Opera9.64\\opera.exe"=
    .
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [6/7/2011 11:09 PM 16024]
    S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [7/25/2010 9:37 PM 41928]
    S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [7/25/2010 9:37 PM 11776]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 242600]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 29400]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/14/2009 2:22 PM 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 67656]
    S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/25/2010 9:37 PM 2978720]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 3:02 PM 136360]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;gupdate;c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 2:15 AM 136176]
    S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [6/7/2011 11:09 PM 220824]
    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/25/2010 9:37 PM 73728]
    S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/17/2008 6:25 PM 92550]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 12872]
    S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [5/31/2009 3:08 PM 987648]
    S3 VSTHWICH;VSTHWICH;c:\windows\system32\drivers\VSTICH3.SYS [5/31/2009 3:08 PM 242176]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-14 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2011-02-27 16:28]
    .
    2011-07-14 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-04 16:14]
    .
    2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
    .
    2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769}: NameServer = 156.154.70.22,156.154.71.22
    TCP: Interfaces\{518C03EA-FDDF-4B78-B1D6-B4EAB72AF430}: NameServer = 156.154.70.22,156.154.71.22
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-13 21:33
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1060284298-1993962763-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(220)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(1480)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    .
    Completion time: 2011-07-13 21:36:34
    ComboFix-quarantined-files.txt 2011-07-14 01:36
    ComboFix2.txt 2011-06-30 03:12
    .
    Pre-Run: 58,418,487,296 bytes free
    Post-Run: 58,405,531,648 bytes free
    .
    - - End Of File - - 6BDAB9C9B9D1804FF313A46335B2F00A
  10. Fiona ny Newcomer, in training

    System Error Log shows problems upon reboot

    Bobbye:

    When I rebooted to run Rkill.com and ComboFix in Safe Mode, there was a System Error. I ran the scans, but my system Error Log shows a lot of the following:

    DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server .....

    DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server....

    DCOM got error "%1084" attempting....service netman with argument....

    (multiple instances w/2 different server designations)

    Service Control Mgr: The following boot-start or system-start drive(s) failed to load: a2injectiondriver AFD APPD RV etc, etc.

    Service Control Mgr: The IPSEC services service depends on the IPSEC driver which failed to start because of the following error: A device attached to the system is not functioning.

    Svc Control Mgr: TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the error: A device attached to the system is not functioning.

    Svc Control Mgr: The DNS Client service depends on the TCP/IP Protocol Driver service which failed.......device attached is not functioning.

    And so on.

    This looks bad - is it something I should be worried about?
  11. Fiona ny Newcomer, in training

    Raktor scan logs

    I ran Raktor twice. The first time, the screen showed:

    exeHelper by Raktor
    Build 20100414
    Run at 22:30:43 on 07/13/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Error occurred while processing: exefile.
    Error occurred while processing: .exe.
    Resetting filetype association for .com
    Error occurred while processing: comfile.
    Error occurred while processing: .com.
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Press any key to continue . . .

    Because of the errors, I ran it again. Here is the compiled log:

    exeHelper by Raktor
    Build 20100414
    Run at 22:30:43 on 07/13/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 22:36:11 on 07/13/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--


    I would like to delete from my Desktop some of the stuff we've been using (Malwarebytes, GMER, ddr.scr, ATF-Cleaner, sunday.exe, the various logs, etc.) Can I do that now?

    Please advise. Thanks very much.
  12. Bobbye Helper on the Fringe

    Please just follow my directions. The errors are indicating there wasn't an internet connection as you were running in Safe Mode. You should not be doing the scans in Safe Mode unless 1. you can't get into Normal Mode or 2. I instruct you to do something in Safe Mode.

    Running in S/M does not load all the drivers and some things won't work.

    The purpose of running RKill was to stop processes that were interfering with running Combofix. You don't understand the Event Viewer and are only making problems for yourself. Running in Safe Mode so your security won't run is not proper. You disable the security.

    Tell me please - are you having any actual system problem from malware? If not:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
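
Added example, not part of the thread: a small triage pass over System event messages like those quoted in post 10, separating entries that a Safe Mode boot explains from entries that still need review. The sample lines are constructed (modelled on the messages quoted above), and the names `triage`, `RULES` and `SAMPLE` are hypothetical.

```python
import re

# Win32 error 1084 is ERROR_NOT_SAFEBOOT_SERVICE:
# "This service cannot be started in Safe Mode".
NOT_SAFEBOOT = re.compile(
    r'DCOM got error "%1084" attempting to start the service (?P<name>\S+)')

# (label, pattern) pairs, matched on message text only.
RULES = [
    ("not-safeboot-service", NOT_SAFEBOOT),
    ("driver-not-loaded",
     re.compile(r"boot-start or system-start driver\(s\) failed to load:"
                r"\s*(?P<name>.+)")),
    ("dependency-failed",
     re.compile(r"The (?P<name>.+?) service depends on the (?P<dep>.+?) "
                r"(?:service|driver) which failed")),
]


def triage(lines, safe_mode_boot=None):
    """Split messages into those explained by a Safe Mode boot and the rest.

    If safe_mode_boot is None it is inferred: any error 1084 in the batch
    means the boot was a Safe Mode boot.
    """
    if safe_mode_boot is None:
        safe_mode_boot = any(NOT_SAFEBOOT.search(line) for line in lines)
    result = {"explained": [], "review": []}
    for line in lines:
        for label, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if label == "driver-not-loaded":
                details = m.group("name").split()   # one entry per driver
            elif label == "dependency-failed":
                details = [f'{m.group("name")} -> {m.group("dep")}']
            else:
                details = [m.group("name")]
            # Driver and dependency failures are only "explained" when the
            # boot is known (or inferred) to be Safe Mode.
            bucket = "explained" if safe_mode_boot else "review"
            result[bucket].extend((label, d) for d in details)
            break
        else:
            result["review"].append(("unmatched", line))
    return result


# Constructed sample, modelled on the messages quoted in post 10.
SAMPLE = [
    'DCOM got error "%1084" attempting to start the service EventSystem '
    'with arguments "" in order to run the server',
    'DCOM got error "%1084" attempting to start the service StiSvc '
    'with arguments "" in order to run the server',
    'Service Control Manager: The following boot-start or system-start '
    'driver(s) failed to load: a2injectiondriver AFD IPSec Tcpip',
    'Service Control Manager: The TCP/IP NetBIOS Helper service depends on '
    'the AFD service which failed to start because of the following error: '
    'A device attached to the system is not functioning.',
    'Service Control Manager: The DNS Client service depends on the TCP/IP '
    'Protocol Driver service which failed to start',
    'Disk: The device, \\Device\\Harddisk0\\D, has a bad block.',
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE).items():
        print(bucket)
        for entry in entries:
            print("   ", entry)
```

The same driver and dependency messages land in "review" when no 1084 entry accompanies them, since without a Safe Mode boot they are not accounted for.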