Help with removing Win32: Rootkit-gen (RtK)

Milltowngirl
Posts: 114 Forumite
I've been having problems with my computer freezing and so have recently followed the steps in the earlier post 'how to speed up your computer in 60 minutes'. The results are amazing! My computer now starts up in about 2 mins rather than the 20-30 it was taking, and the freezing appears to have stopped completely. I'm hoping I can now get a bit longer out of my 9 year old PC, so thanks to the posters of that thread :T
Anyway, cleaning up the PC has uncovered another problem. As per the instructions, I have swopped from using AVG to Avast, and now Avast has discovered some 'Win32: rootkit infections' which either AVG didn't find or didn't deal with.
In the Avast Chest there are now the following 4 entries:
Original filename: _b8d0259f6878b520e949562f9fcb3273.sys_vir
Original folder: C:\\WINDOWS\system32
Virus description: win32:rootkit-gen (RtK)
Original filename: A0081347.sys
Original folder: C:\SystemVolumeInformation\_restore{C881ASFE-1B75-4DE8-B23C-D3A26D9A79B}\RPZ89
Virus description: win32:rootkit-gen (RtK)
Original filename: autorun.inf
Original folder: G
Virus description: VBS:Malware-gen
Original filename: b8d0259f6878b520e949562f9fcb3273.sys_vir
Original folder: C:\\WINDOWS\system32
Virus description: win32:rootkit-gen (RtK)
The first 3 seem to have been on the computer for 2-3 years; the last one (which appears to be a near identical repeat of the first) I think I have put back on using an old pendrive yesterday (oops).
Also, in addition, in running a Boot-up scan, it had the additional entry:
File C:|WINDOWS\system32\sciencwu.exe\>%system/
WSN_scnc 0704Inst.exe\>WSN.exe is infected by Win 32: whenu-I (PUP)
When I selected 'move to chest' it gave me a warning about moving Windows files, so I didn't move it and selected no action, as I wasn't sure if it was safe to move it.
Avast can't fix these. I've run Malwarebytes and Spybot: Search & Destroy and neither of these find the infections, never mind fix them.
Any advice on how dangerous they are and what I should do now to get rid of them? I'm hoping that as long as they are in the vault the rest of my PC is safe, but I'd prefer to get them cleaned up completely.
I've also run HijackThis and posted a log below.
Thanks for all your help

Proud to be dealing with my debts
Debt at Light Bulb Moment (January 2011): £21,953
Debt at current level (Nov 2013): £4,567.50
Debt free wanabee date: Dec 2014 :j
Comments
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:11:47, on 19/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Wireless Desktop\LgWDskTp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Sony\click to dvd\ctdatsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\vaio media music server\SSSvr.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [LgWDskTp] C:\Program Files\Wireless Desktop\LgWDskTp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDgxODg5MzU0LVQxMS1VODUrMS1CQSsxLUtWMys3LUZQOTIrNi1UQjkrMi1GTCs5LUYxME0rNC1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzI"&"prod=90"&"ver=10.0.1204
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Click to DVD Automatic Mode Launcher.lnk = C:\Program Files\Sony\click to dvd\ctdatsvr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141555291125
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: acacecfceddb - C:\WINDOWS\system32\acacecfceddb.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\Dfsdks.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMEDIAPLATFORM-MUSICSERVER-UPNP) - Sony Corporation - C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMEDIAPLATFORM-PHOTOSERVER-UPNP) - Sony Corporation - C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMEDIAPLATFORM-VIDEOSERVER-UPNP) - Sony Corporation - C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\DOCUME~1\shelley\LOCALS~1\Temp\winvnc4.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.urban75.org/photos/newyork/images/ny026.jpg
O24 - Desktop Component 1: (no name) - http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/medici/12_25/mail/mailcommonlib.js
--
End of file - 11734 bytes
Was Malwarebytes up to date? Did you run a FULL scan?
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti-virus.
Follow the simple instructions it gives.
Post the COMPLETE log it creates here (split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out.
If it comes up with a RENAMING error then RIGHT-click the exe file, RENAME it and call it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE it as 'QWERTY' on download.
(If no log comes up or you lose it, COMBOFIX.TXT can be found in the C drive.)
Was Malwarebytes up to date? Did you run a FULL scan?
Oops, no, it wasn't updated. I think Spybot updated but not this. I've just done an update and will run the scan again. If it doesn't find / fix everything I'll run the ComboFix scan and post here.
Thanks
Malwarebytes log: it has found 2 items, but from the names they don't look like the same things that Avast has found?
Should I now run ComboFix?
Malwarebytes' Anti-Malware 1.50.1.1100
https://www.malwarebytes.org
Database version: 6105
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
19/03/2011 12:33:51
mbam-log-2011-03-19 (12-33-51).txt
Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 254356
Time elapsed: 1 hour(s), 2 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} (Adware.MywaySearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} (Adware.MywaySearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Yes, continue with ComboFix now...........
Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
I would recommend uninstalling 'Ashampoo Winoptimiser' as it's been known to remove things it shouldn't (and it probably does next to nothing to actually help).
TICK and FIX these in HijackThis:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: acacecfceddb - C:\WINDOWS\system32\acacecfceddb.dll (file missing)
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe (file missing)
Use the 32-bit AVG removal tool:
http://www.avg.com/download-tools
Bootup should be less than 1 minute when you've finished.
Did you install CleanMem and set mini_monitor to run at startup? If not, try it.
Just delete C:|WINDOWS\system32\sciencwu.exe\>%system/
WSN_scnc 0704Inst.exe\>WSN.exe and empty the virus chest.
I'd uninstall Spybot and Ashampoo completely.
Tick and fix this:
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\DOCUME~1\shelley\LOCALS~1\Temp\winvnc4.exe (file missing)
and
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDgxODg5MzU0LVQxMS1VODUrMS1CQSsxLUtWMys3LUZQOTIrNi1UQjkrMi1GTCs5LUYxME0rNC1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzI"&"prod=90"&"ver=10.0.1204
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
and all the O16's
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141555291125
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfvi...iewerSetup.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Also, after following Rik's advice:
Internet Explorer
- On the Tools menu, click Internet Options.
- Click the Advanced tab.
- Click to select the Disable script debugging check box, and then click OK.
Do you want the 2 desktop components at the end of your log (twin towers etc.)? If not, tick and fix.
If you don't regularly connect your Nokia phone to the system, I'd uninstall the software as it adds bloat to the startup.
Disable the Google Update service using services.msc.
Disable these by using msconfig (untick them):
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Then reboot and post a fresh HijackThis log and commit charge!!
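The two helper posts above pick out the same mechanical tells in the HijackThis log: registrations whose target is '(no file)' or '(file missing)', a Winlogon Notify DLL with a random-looking name, a service of 'Unknown owner' launched from a Temp folder, and startup shortcuts that resolve to '?'. As an added example that is not part of this thread (and not HijackThis's own code), the Python below applies those rules to lines copied from the log posted earlier; the tell list and the hex-name heuristic are my own assumptions, and the script only ranks entries, it changes nothing on the machine.

```python
"""Triage HijackThis v2 log entries for the tells a helper looks for."""
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the HijackThis log posted in this thread, plus a benign
# O2/O23 pair for contrast. Constructed test input; in practice read the
# whole hijackthis.log file and pass its text to triage().
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: acacecfceddb - C:\WINDOWS\system32\acacecfceddb.dll (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\DOCUME~1\shelley\LOCALS~1\Temp\winvnc4.exe (file missing)
"""

_ENTRY = re.compile(r"^(?P<tag>[OR]\d+) - (?P<body>.*)$")
_MISSING = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
_TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
_HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    reason: str    # why the entry deserves a look (tells joined by "; ")
    line: str      # the original log line


def hex_like(name: str) -> bool:
    """True for names built only from hex digits, e.g. 'acacecfceddb'.

    Randomly generated driver/DLL names of this shape are a common sign of
    a dropper; legitimate components almost always have readable names.
    """
    return bool(_HEX_NAME.match(name.lower()))


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth reviewing, in log order.

    Benign entries (named vendor, file present, normal location) produce no
    Finding. Nothing here deletes anything; it only ranks what to look at.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank line
        tag, body = m.group("tag"), m.group("body")
        reasons: List[str] = []

        if tag == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon, so any
            # entry here matters; a hex-like name makes it more suspicious.
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            reasons.append("Winlogon Notify DLL")
            if hex_like(name):
                reasons.append("random-looking hex name")
        if _MISSING.search(body):
            # Either a stale registration left by an uninstall, or a file a
            # rootkit is hiding from user-mode tools: both need follow-up.
            reasons.append("target file not visible on disk")
        if _TEMP_DIR.search(body):
            reasons.append("runs from a Temp directory")
        if tag == "O23" and "Unknown owner" in body:
            reasons.append("service with no identified publisher")
        if tag == "O4" and body.endswith("= ?"):
            reasons.append("startup shortcut whose target could not be resolved")

        if reasons:
            findings.append(Finding(tag, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```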
Here's the ComboFix log:
ComboFix 11-03-18.04 - shelley 19/03/2011 15:40:57.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.480.242 [GMT 0:00]
Running from: C:\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\logs
.
.
((((((((((((((((((((((((( Files Created from 2011-02-19 to 2011-03-19 )))))))))))))))))))))))))))))))
.
.
2011-03-19 12:42 . 2011-03-19 12:42 dc----w- c:\documents and settings\shelley\Local Settings\Application Data\Yahoo!
2011-03-18 15:59 . 2011-03-15 21:19 61440 -c--a-w- c:\windows\system32\CleanMem.exe
2011-03-18 15:59 . 2008-09-19 17:37 121856 -c--a-w- c:\windows\system32\schtasks.exe
2011-03-18 15:59 . 2011-03-18 15:59 d-----w- c:\program files\CleanMem
2011-03-18 15:59 . 2011-03-18 15:59 dc----w- c:\windows\CleanMem
2011-03-18 15:29 . 2011-02-23 14:54 19544 -c--a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-18 15:29 . 2011-02-23 14:56 301528 -c--a-w- c:\windows\system32\drivers\aswSP.sys
2011-03-18 15:29 . 2011-02-23 14:55 25432 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
2011-03-18 15:29 . 2011-02-23 14:56 371544 -c--a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-18 15:29 . 2011-02-23 14:55 49240 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
2011-03-18 15:29 . 2011-02-23 14:55 102232 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
2011-03-18 15:29 . 2011-02-23 14:55 96344 -c--a-w- c:\windows\system32\drivers\aswmon.sys
2011-03-18 15:29 . 2011-02-23 14:54 30680 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
2011-03-18 15:29 . 2011-02-23 15:04 40648 -c--a-w- c:\windows\avastSS.scr
2011-03-18 15:29 . 2011-02-23 15:04 190016 -c--a-w- c:\windows\system32\aswBoot.exe
2011-03-18 15:28 . 2011-03-18 15:28 dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-03-18 15:28 . 2011-03-18 15:28 d-----w- c:\program files\AVAST Software
2011-03-18 14:53 . 2011-03-18 14:53 dc----w- c:\windows\Internet Logs
2011-03-18 08:57 . 2011-03-18 08:57 d-----w- c:\program files\CCleaner
2011-03-18 08:24 . 2011-03-18 08:24 388096 -c--a-r- c:\documents and settings\shelley\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-18 08:24 . 2011-03-18 08:24 d-----w- c:\program files\Trend Micro
2011-03-17 23:27 . 2011-03-17 23:27 dc----w- C:\iTunes
2011-03-13 20:52 . 2011-03-13 20:51 389120 -c--a-w- c:\windows\system32\CF25356.exe
2011-03-13 20:52 . 2011-03-13 20:51 389120 -c--a-w- c:\windows\system32\CF25363.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-19 15:36 . 2009-01-07 18:53 4290979 -c--a-r- C:\ComboFix.exe
2011-02-09 13:53 . 2003-11-05 08:31 270848 -c--a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-11-05 08:31 186880 -c--a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2003-11-05 09:53 2067456 -c--a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2003-11-05 09:53 677888 -c--a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2003-11-05 08:31 439296 -c--a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2003-11-05 08:30 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2003-11-05 08:31 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2005-06-17 22:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2003-11-05 08:31 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2003-11-05 08:31 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2008-12-14 14:23 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2008-12-14 14:24 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2003-11-05 08:31 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 -c--a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 90112]
"LgWDskTp"="c:\program files\Wireless Desktop\LgWDskTp.exe" [2003-10-29 65536]
"Logitech Utility"="Logi_MwX.Exe" [2003-07-22 19968]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Drag'n Drop CD+DVD"="c:\program files\drag'n drop cd+dvd\BinFiles\DragDrop.exe" [2003-08-08 1175552]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Kaseya Agent Service Helper"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 229376]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\shelley\Start Menu\Programs\Startup\
Click to DVD Automatic Mode Launcher.lnk - c:\program files\Sony\click to dvd\ctdatsvr.exe [2004-8-16 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
backup=c:\windows\pss\Timer Recording Manager.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 17:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"SSDPSRV"=3 (0x3)
"KaseyaAgent"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\giga pocket\\gps.exe"=
"c:\\Temp\\kf56686.exe"=
"c:\\Temp\\KRlyCCon.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [18/03/2011 15:29 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18/03/2011 15:29 301528]
R1 feed;feed;c:\windows\system32\feed.sys [12/10/2010 17:38 75264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/03/2011 15:29 19544]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [04/11/2003 08:21 175744]
S0 b8d0259f6878b520e949562f9fcb3273;b8d0259f6878b520e949562f9fcb3273;c:\windows\system32\b8d0259f6878b520e949562f9fcb3273.sys --> c:\windows\system32\b8d0259f6878b520e949562f9fcb3273.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2010 18:45 135664]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [05/11/2003 08:31 14336]
S3 SMSCMS;SMSC LPC Memory Stick Host Controller;c:\windows\system32\drivers\SMSCMS.SYS [04/11/2003 08:44 58112]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S4 KaseyaAgent;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [07/01/2009 18:13 610304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-03-19 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2011-03-18 21:19]
.
2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 18:45]
.
2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 18:45]
.
.
Supplementary Scan
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm143YYGB&fl=0&ptb=u.vKSz5OumWpKu2LQLktHQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>;*.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\shelley\Application Data\Mozilla\Firefox\Profiles\8yh1nc8x.default\
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d29d7c4&v=6.011.025.001&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: XHTML Mobile Profile: {8ea9957e-2953-402f-80e0-bceb5f169d6f} - %profile%\extensions\{8ea9957e-2953-402f-80e0-bceb5f169d6f}
FF - Ext: EWOQ Mobile Setup extension: {f035aa18-ee32-4e6e-81d2-57e32867f8a7} - %profile%\extensions\{f035aa18-ee32-4e6e-81d2-57e32867f8a7}
FF - Ext: wmlbrowser: {c4dc572a-3295-40eb-b30f-b54aa4cdc4b7} - %profile%\extensions\{c4dc572a-3295-40eb-b30f-b54aa4cdc4b7}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-CTFMON - (no file)
MSConfigStartUp-Nokia FastStart - c:\program files\Nokia\Nokia Music\NokiaMusic.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-19 15:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\WININET.dll
c:\program files\Wireless Desktop\LgWndHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-19 15:57:21
ComboFix-quarantined-files.txt 2011-03-19 15:57
ComboFix2.txt 2009-01-16 21:57
ComboFix3.txt 2009-01-07 19:12
.
Pre-Run: 13,948,719,104 bytes free
Post-Run: 14,071,947,264 bytes free
.
- - End Of File - - 88F8C23F53C0B53E2CB7A5A0750E9A9B
Open Notepad and copy/paste the text in RED below:
File::
c:\windows\system32\CF25356.exe
c:\windows\system32\CF25363.exe
Save this as "CFScript" (the full file name will be 'CFScript.txt', EXACTLY as shown).
Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.
(If SNAPSHOT is stupidly large, leave that part out.)
ComboFix should never take more than 30 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
This discussion has been closed.