Help with Hijacker - Logs enclosed

By xltodd ยท 23 replies
Jun 4, 2010
  1. Hey gang. I've been working on a WIN XP SP3 pc that had the "Personal Security" malware installed. Seemingly, I've been able to get everything removed after running Adaware AND Malwarebytes scanning software. The only issue I have remaining is the browser hijack. When a URL is clicked that has been stored in FAVORITES, the link works fine and the site loads. Tested on 3 saved links. When a Google or Yahoo search link is clicked, the URL displays (e.g. in the browser title bar, but after a second or two, I'm redirected to a non-related site. Fortunately, none of the sites are "adult" in nature. Any insight to what I need to do in order to clear this up is greatly appreciated. I have completed the 8 step preliminary removal guide. Below are the logs:

    Malwarebytes Log:

    Database version: 4168

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/3/2010 4:33:44 PM
    mbam-log-2010-06-03 (16-33-44).txt

    Scan type: Quick scan
    Objects scanned: 125485
    Time elapsed: 9 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER Log:

    GMER -
    Rootkit scan 2010-06-04 06:41:50
    Windows 5.1.2600 Service Pack 3
    Running: pf5tz8hx.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwpcqfoc.sys

    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF92B287E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF92B2BFE]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
    .text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00E5000A
    .text C:\WINDOWS\System32\svchost.exe[1088] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AF000A
    .text C:\WINDOWS\Explorer.EXE[1548] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[1548] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[1548] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- EOF - GMER 1.0.15 ----

    DDS Log (DDS.txt):

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 6:46:39.26 on Fri 06/04/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.78 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    F:\Malware Removal\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://
    uSearch Page = hxxp://
    uSearch Bar = hxxp://
    uSearchAssistant = hxxp://
    uSearchURL,(Default) = hxxp://
    mSearchAssistant = hxxp://
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [Sonic RecordNow!]
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: igfxcui - igfxsrvc.dll

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-11 64288]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-11 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-11 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-11 242896]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-16 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-6 135664]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]

    =============== Created Last 30 ================

    2010-06-03 21:17:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-06-03 21:17:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-26 19:15:57 0 dc-h--w- c:\windows\ie8
    2010-05-24 20:51:52 0 d-----w- c:\program files\Trend Micro
    2010-05-24 18:49:34 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2010-05-24 18:49:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-24 18:49:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-05-24 18:49:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-24 18:49:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-06 23:03:39 0 d-----w- c:\docume~1\owner\applic~1\HpUpdate
    2010-05-06 23:03:18 0 d-----w- c:\windows\Hewlett-Packard

    ==================== Find3M ====================

    2010-06-02 13:06:29 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-29 22:37:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-04-08 01:37:26 193187 ----a-w- c:\windows\hpoins43.dat
    2010-03-16 13:36:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    ============= FINISH: 6:48:10.78 ===============

    DDS Log (Attach.txt):

    **This log is attached. Thank you for any help!

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    For someone getting redirected, you have some pretty clean looking logs! I do see 2 of the following processes:

    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12

    which is curious since you only need one!

    I'd like you to do an online AV scan and we'll go from there:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Read the line about not checking for removal and leave the log in your next reply.
  3. xltodd

    xltodd TS Rookie Topic Starter

    Thanks for the reply, Bobbye! I'll get that done as soon as possible and post the log. :grinthumb
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You should probably run Combofix also- it might pick up something that has been missed:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
  5. xltodd

    xltodd TS Rookie Topic Starter

    Here's the ESET Log. I'll try and have the COMBOFIX Log posted by the end of the day (I'm at work right now and going back and forth between my work comp and the one that's been hijacked. Thank you for your patience.):

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=
    # api_version=3.0.2
    # EOSSerial=c265b4462fd0d948a75b29fd6c5735df
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-06-04 11:21:25
    # local_time=2010-06-04 06:21:26 (-0600, Central Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 868353 868353 0 0
    # compatibility_mode=1024 16777175 100 0 7256381 7256381 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=29262
    # found=0
    # cleaned=0
    # scan_time=4668
  6. xltodd

    xltodd TS Rookie Topic Starter

    I downloaded and transferred COMBOFIX via jumpdrive to the HJed computer's desktop. I closed all programs including AVG and double clicked the .exe. I'm getting the message that "nircmd.cfxxe" could not be found. I've never seen a file extension of this type. Did I do something incorrect? I just left that window open because I don't know where to point in order to find that particular file. (web search did not find anything) ... Thanks!
  7. xltodd

    xltodd TS Rookie Topic Starter

    Combofix is reporting that AVG is still running. I went into computer management via control panel and changed both AVG services listed to startup type "manual" then restarted the computer before attempting to run Combofix again. I am attaching a screencap of the message and task manager listing of running services. I do not see the AVG process. I just left the computer as is until further instructed.

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    "nircmd.cfxxe" is malware trying to start.
    Source: Threat Expert
    Eset didn't pick it up but Kaspersky should ID it as Packer info: packed with: PE_Patch.UPX [Kaspersky Lab]

    Let's do this- in this order:
    1. Open the Task Manager> click on "NirCmd.cfxxe" to highlight> click on End Task
    2. Override the Combofix message> click on OK and go ahead with the scan. It's the malware trying to prevent it.
    (FYI: AVG shows Disabled in the DDS scan)
    3. Run Combofix as directed.
    4. Follow with online Kaspersky scan:
    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Please leave both Combofix report and Kaspersky log in next reply.

    If there is still a problem running the scans, I will have you check for a Virut malware infection
  9. xltodd

    xltodd TS Rookie Topic Starter

    Hey Bobbye ... I had issues at work yesterday and didn't get a chance to proceed. I'll try to get these steps done and logs posted today. Thanks again, for your patience.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Don't wail too long. If you do have malware, the sooner it's removed the better.
  11. xltodd

    xltodd TS Rookie Topic Starter

    OK, I just went back to HJed system and it was the same as the screen cap attached above. When I highlighted the Nircmd process and ended it, COMBOFIX ended as well. So I double clicked the COMBOFIX exe again to fire it up and a truck load of processes ending in that strange extension fired off, inclucing a LOT of .exe process that fired off and went away. One that I noticed was "hidec.exe". Another was "grep (or gpep) .exe. Several "iexplore.cfxxe". So I guess my next question is, do I need to leave the Nircmd process running and do the COMBOFIX scan, OR do the Kapersky scan/removal then attempt the COMBOFIX scan? Awaiting your reply ... thanks!
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I'm not following you about all those .exe files running. Was Combofix actually running when you did the End Task?.cfxxe is a malware file. Nircmd is yelling at you for shutting it down! May have to use KillBox to turn it off!

    Go ahead and run the Kaspersky scan. Leave the log and I'll see if it finds it. Hold on Combofix until I see that log.
  13. xltodd

    xltodd TS Rookie Topic Starter

    Bobbye: I'm having trouble with the Kaspersky scan. I started scanning the system yesterday and at quitting time it was still running. I left it overnight and when I got back in this morning, the browser (IE8) was frozen. So I started the process again. After 2+ hours, the duration counter stopped and the scan was frozen again. I noted the file before lunch and came back an hour later, the same file was seemingly scanning, but nothing was happening. I refreshed the browser and started the scan once again. I'll post results, if and when I get something.

    Regarding my previous post: After receiving the last instructions from you concerning the combofix scan, I went to the HJed system and it was in the exact state as the screen cap shows (combofix and task manager running). I highlighted the .cfxxe process and "ended" per your instructions. When I did that, combofix shutdown. I left TM running to watch processes and when I double clicked the combofix icon on the desktop to start the scan again, SEVERAL .cfxxe processes fired off and quickly disappeared in the task manager window. There were also several .exe processes that fired and quickly disappeared. I did remember the two noted above (hidec.exe and grep (or gpep).exe. These were only in the task manager process listing for about a second or two, but there were LOTS of processes showing up and disappearing after a second or two. Anyway, hope that clears that up. I'll post the Kaspersky scan log as soon as I get it. Thanks!
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Can you just run Combofix? Are you able to override the messages? I'll settle for that for now.
  15. xltodd

    xltodd TS Rookie Topic Starter

    Here's the KASPERSKY Log:

    KASPERSKY ONLINE SCANNER 7.0: scan report
    Wednesday, June 9, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version:
    Last database update: Wednesday, June 09, 2010 08:51:37
    Records in database: 4228261

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:

    Scan statistics:
    Objects scanned: 34616
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 03:02:16

    No threats found. Scanned area is clean.

    Selected area has been scanned.

    (end of log - T.H.)

    One last note, when I was able to get to the HJed system, I had a message that CF had detected ROOTKIT activity and needed to reboot to finish the scan. I clicked OK and let the system reboot, the scan completed. I tried to post the log but it's too long. I'm attaching the CF log. Waiting your next instructions. Thanks again!

    Attached Files:

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Are you actually having any problems now. I take it that 'Hjed sys' means the redirection? Has that resolved now?
    Suggest you get this on the system:

    Do you know what this is?
    2010-05-17 21:53 c:\documents and settings\Owner\Local Settings\Application Data\chpxtyxal
  17. xltodd

    xltodd TS Rookie Topic Starter

    Yes, I'm still getting redirected. By HJed, I mean the "High Jacked System". By "Recovery Console", doesn't that mean, basically, System Restore? If so, it IS installed and seems to work fine. Initially, I tried system restore but it did not work. That's when I started looking for solutions on the web and came here. I got a message at the end of the restore process that stated something like "The system could not be restored to that restore point..." (something like that). I don't know what "chpxtyxal" refers to. Any suggestions as to what to do next?
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    No, it doesn't. These are 2 different features:
    What is System Restore?
    What is the Recovery Console?
    The biggest difference is not content> it's when you use it:
    System Restore can be used while in normal Mode or Safe Mode. It will restore the content of the system that were in a snapshot taken on a specific time and day.

    The Recovery Console can be use when you can not boot into the system.

    As for this:
    When giving error messages, they must be exact. "Something like this"......doesn't do it! There can be specific reasons why a system Restore process won't work, but it begins by known the message.

    The word I asked you about is likely malware. It can be removed. I urge you to get the Recovery Console installed before going further.

    What problems are you actually having with the system now?
  19. xltodd

    xltodd TS Rookie Topic Starter

    I understand that specificity is important when posting results, error messages, etc. In reference to the system restore that I attempted a while back (before coming here), I could not remember the specific message. I have not tried another restore due to the fact that most EVERY post states not to do ANYTHING unless instructed. With that said, the error message was the "generic could not restore" message one gets when the system restore failed. There was no specific reason (or code) given as to why it failed (that I can remember).

    When COMBOFIX reported that the RECOVERY CONSOLE was not installed, I followed the prompts to install it. Is there a way to check that it was installed properly? If it is not installed, I will install RC. What do I try next? The browser is still being redirected when clicking on Google, Yahoo, etc. search links. Thanks again for all your help!
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    We got sidetracked with the System Restore issue. Since Combofix was run 3 days ago, please go ahead and run it again, leaving the new log. We will be able to tell from that if the Recovery Console was installed.

    NirCmd can also be the name of a freeware Windows command-line tool from Nir Sofer. Here is their site:

    Here is some info on the .cfxxe file extension:
    Some reported having catchme.cfxxe file extension which belongs to belongs to Combofix and is not a virus. Others said that "Nircmd.cfxxe - Corrupt file. The file or directory \recycled\dc4.exe is corrupt and unreadable. Please run the chkdsk utility." And I found the Worm ID.
    I'm thinking that when you made the transfer of Combofix from the flash drive that it did not go over intact. So try this please:
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Reboot when finished. Then download and install Combofix again and run the scan. If possible, do the download directly instead of using the jump drive. There were some removals done by Combofix previously and you have not mentioned not being able to get the internet connection.

    This will also show the presence of the Recovery Console. If you see the 'Warning' again, be sure you are connected to the internet and get the Console while in Combofix. If it is already there, no warning.

    Install Recovery Console- Combofix:
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
  21. xltodd

    xltodd TS Rookie Topic Starter

    Bobbye, before I read your last post, I opened a browser window to see if I was still getting redirected and I am happy to report that I AM NOT!! I did several searches from google and yahoo and when I clicked on each of the links, the correct page opened fine. No redirects or popups. I thought that the programs you had me running were just producing logs. I also didn't realize that CF was made up of several modules. The several executables that I stated were beginning and ending quickly were from CF. Do you still want me to rescan with CF and post log? Or is this a done deal? Thank you again for your patience and assistance with everything!
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I think you're done! The logs were pretty clean to begin with.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin

    Let me know if you need anymore help.
  23. xltodd

    xltodd TS Rookie Topic Starter

    Thank you very much for all your help! I'll finish cleaning everything up this evening and let you know if anything unusual happens. If I have any issues in the future, I'll definitely come back here for assistance first. You've been most helpful and patient. Thanks again!
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You're welcome. Glad to help.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...