Help with removing Win32: Rootkit-gen (RtK)

Milltowngirl
Milltowngirl Posts: 114 Forumite
edited 19 March 2011 at 11:41AM in Techie Stuff
I've been having problems with my computer freezing and so have recently followed the steps in the earlier post 'how to speed up your computer in 60 minutes'. The results are amazing! My computer now starts up in about 2 mins rather than the 20-30 it was taking and the freezing appears to have stopped completely. I'm hoping I can now get a bit longer out of my 9-year-old PC, so thanks to the posters of that thread :T


Anyway, cleaning up the PC has uncovered another problem. As per the instructions, I have swapped from using AVG to Avast and now Avast has discovered some 'Win32: rootkit infections' which AVG either didn't find or didn't deal with.


In the Avast Chest there are now the following 4 entries:

Original filename: _b8d0259f6878b520e949562f9fcb3273.sys_vir
Original folder: C:\WINDOWS\system32
Virus description: win32:rootkit-gen (RtK)

Original filename: A0081347.sys
Original folder: C:\SystemVolumeInformation\_restore{C881ASFE-1B75-4DE8-B23C-D3A26D9A79B}\RPZ89
Virus description: win32:rootkit-gen (RtK)

Original filename: autorun.inf
Original folder: G
Virus description: VBS:Malware-gen

Original filename: b8d0259f6878b520e949562f9fcb3273.sys_vir
Original folder: C:\WINDOWS\system32
Virus description: win32:rootkit-gen (RtK)

The first 3 seem to have been on the computer for 2-3 years; the last one (which appears to be a near-identical repeat of the first) I think I put back on using an old pendrive yesterday (oops).


Also, when running a boot-up scan, it had the additional entry:
File C:\WINDOWS\system32\sciencwu.exe\>%system/WSN_scnc 0704Inst.exe\>WSN.exe is infected by Win32: whenu-I (PUP)

When I selected 'move to chest' it gave me a warning about moving Windows files, so I didn't move it and selected no action, as I wasn't sure if it was safe to move it.



Avast can't fix these. I've run Malwarebytes and Spybot Search & Destroy and neither of these finds the infections, never mind fixes them.

Any advice on how dangerous they are and what I should do now to get rid of them? I'm hoping that as long as they are in the vault the rest of my PC is safe, but I'd prefer to get them cleaned up completely.

I've also run HijackThis and posted a log below.


Thanks for all your help :)
Proud to be dealing with my debts
Debt at Light Bulb Moment (January 2011): £21,953
Debt at current level (Nov 2013): £4,567.50
Debt free wanabee date: Dec 2014 :j
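The autorun.inf flagged on drive G, together with the guess that an old pendrive re-introduced the .sys file, is the classic way this kind of infection travelled between XP machines: a removable drive's autorun.inf names a program to run when the drive is opened. As an added example, not from this thread or from any of the tools named in it, the following Python parser reads an autorun.inf and reports which directives would launch a program and whether the prompt caption imitates Windows' own "Open folder to view files" text, so a drive can be inspected before it is trusted. The sample file below is constructed for the example; the post only gives the file name and the drive letter.

```python
import configparser

# Constructed sample autorun.inf (not the file from the thread). It carries the
# two launch mechanisms such files use, an "open=" line and a shell verb
# redirect, plus an "action=" caption that mimics the built-in Windows prompt.
SAMPLE_AUTORUN = r"""
[autorun]
open=setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=setup.exe
action=Open folder to view files
label=Holiday photos
"""

LAUNCH_KEYS = ("open", "shellexecute")   # directives that start a program directly


def inspect_autorun(text: str) -> dict:
    """Return what an autorun.inf would launch and whether its caption is spoofed."""
    # '%' appears in values such as %SystemRoot%, so interpolation must be off;
    # strict=False tolerates the duplicate keys sloppy files often contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {"launches": [], "spoofed_action": False}
    for section in cp.sections():
        # [autorun] and architecture-specific variants such as [autorun.amd64]
        if not section.lower().startswith("autorun"):
            continue
        for key, value in cp.items(section):   # configparser lower-cases keys
            # "open=", "shellexecute=" and any "shell\<verb>\command=" run code
            if key in LAUNCH_KEYS or key.endswith(r"\command"):
                report["launches"].append((key, value))
            elif key == "action" and "open folder" in value.lower():
                # Caption copied from Windows' own AutoPlay entry so the user
                # cannot tell the launcher apart from the real "open folder"
                report["spoofed_action"] = True
    return report


def verdict(report: dict) -> str:
    """One-line summary suitable for printing next to a drive letter."""
    if report["launches"]:
        return "launches code: " + "; ".join(f"{k} -> {v}" for k, v in report["launches"])
    return "no launch directives"


if __name__ == "__main__":
    rep = inspect_autorun(SAMPLE_AUTORUN)
    print(verdict(rep))
    print("caption spoofs the Windows prompt:", rep["spoofed_action"])
```

A label, icon or plain `action=` line on its own is harmless; it is the `open=`, `shellexecute=` and `shell\...\command=` lines that make the file worth quarantining, and that is what the parser singles out.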

Comments

  • Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:11:47, on 19/03/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Wireless Desktop\LgWDskTp.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\sony\usbsircs\usbsircs.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Sony\click to dvd\ctdatsvr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\sony\giga pocket\shwserv.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sony\vaio media music server\SSSvr.exe
    C:\Program Files\Sony\giga pocket\GPVSvr.exe
    C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
    C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
    C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
    C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
    C:\Program Files\Sony\giga pocket\RM_SV.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [LgWDskTp] C:\Program Files\Wireless Desktop\LgWDskTp.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"
    O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDgxODg5MzU0LVQxMS1VODUrMS1CQSsxLUtWMys3LUZQOTIrNi1UQjkrMi1GTCs5LUYxME0rNC1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzI"&"prod=90"&"ver=10.0.1204
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Click to DVD Automatic Mode Launcher.lnk = C:\Program Files\Sony\click to dvd\ctdatsvr.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Remocon Driver.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141555291125
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
    O20 - Winlogon Notify: acacecfceddb - C:\WINDOWS\system32\acacecfceddb.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe (file missing)
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\Dfsdks.exe
    O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
    O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media music server\SSSvr.exe
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMEDIAPLATFORM-MUSICSERVER-UPNP) - Sony Corporation - C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMEDIAPLATFORM-PHOTOSERVER-UPNP) - Sony Corporation - C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMEDIAPLATFORM-VIDEOSERVER-UPNP) - Sony Corporation - C:\PROGRAM FILES\COMMON FILES\SONY SHARED\VAIO MEDIA PLATFORM\UPNPFRAMEWORK.EXE
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\DOCUME~1\shelley\LOCALS~1\Temp\winvnc4.exe (file missing)
    O24 - Desktop Component 0: (no name) - http://www.urban75.org/photos/newyork/images/ny026.jpg
    O24 - Desktop Component 1: (no name) - http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/medici/12_25/mail/mailcommonlib.js

    --
    End of file - 11734 bytes
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Was Malwarebytes up to date? Did you run a FULL scan?
    :idea:
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti-virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
  • aliEnRIK wrote: »
    Was Malwarebytes up to date? Did you run a FULL scan?

    Oops, no, it wasn't updated. I think Spybot updated but not this one. I've just done an update and will run the scan again. If it doesn't find / fix everything I'll run the ComboFix scan and post here.

    Thanks
  • Malwarebytes log: it has found 2 items but from the names they don't look like the same things that Avast has found?

    Should I now run ComboFix ?


    Malwarebytes' Anti-Malware 1.50.1.1100
    https://www.malwarebytes.org

    Database version: 6105

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    19/03/2011 12:33:51
    mbam-log-2011-03-19 (12-33-51).txt

    Scan type: Full scan (C:\|D:\|F:\|)
    Objects scanned: 254356
    Time elapsed: 1 hour(s), 2 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} (Adware.MywaySearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} (Adware.MywaySearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  • GunJack
    GunJack Posts: 11,806 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    yes, continue with combofix now.....
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I would recommend uninstalling 'Ashampoo WinOptimizer' as it's been known to remove things it shouldn't (and it probably does next to nothing to actually help).

    TICK and FIX these in hijack -
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - C:\WINDOWS\System32\shdocvw.dll
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
    O20 - Winlogon Notify: acacecfceddb - C:\WINDOWS\system32\acacecfceddb.dll (file missing)
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe (file missing)


    Use the 32 bit AVG removal tool
    http://www.avg.com/download-tools
  • closed
    closed Posts: 10,886 Forumite
    edited 19 March 2011 at 2:47PM
    bootup should be less than 1 minute when you've finished

    did you install cleanmem and set mini_monitor to run at startup? If not, try it

    just delete C:\WINDOWS\system32\sciencwu.exe\>%system/WSN_scnc 0704Inst.exe\>WSN.exe and empty the virus chest

    I'd uninstall spybot and ashampoo completely

    tick and fix this

    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\DOCUME~1\shelley\LOCALS~1\Temp\winvnc4.exe (file missing)

    and

    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDgxODg5MzU0LVQxMS1VODUrMS1CQSsxLUtWMys3LUZQOTIrNi1UQjkrMi1GTCs5LUYxME0rNC1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzI"&"prod=90"&"ver=10.0.1204

    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Remocon Driver.lnk = ?
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?


    and all the O16's

    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yaho...st_current.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141555291125
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfvi...iewerSetup.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    also after following Rik's advice

    Internet explorer
    1. On the Tools menu, click Internet Options.
    2. Click the Advanced tab.
    3. Click to select the Disable script debugging check box, and then click OK


    do you want the 2 desktop components at the end of your log, twin towers etc? If not tick and fix.

    If you don't regularly connect your nokia phone to the system, I'd uninstall the software as it adds bloat to the startup

    disable google update service using services.msc

    disable these by using msconfig (untick them)

    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    then reboot and post a fresh hijackthis log and commit charge
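Both replies above are doing log triage by eye: ticking entries whose target is "(no file)" or "(file missing)", a service registered from a Temp folder, and a Winlogon Notify DLL with a meaningless name. As an added example, not from this thread and not part of HijackThis or ComboFix, the following Python script encodes those rules and runs them over a few lines re-typed from the logs posted in this thread (the HijackThis log above and the ComboFix log posted further down), with two clean avast! lines as controls. The hex-only-name heuristic and the severity labels are my own assumptions; the "[?]" rule relies on ComboFix marking a registered driver that way when it cannot find or read the file on disk, which is what the S0 entry in the ComboFix log shows.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines re-typed from the HijackThis and
# ComboFix logs posted in this thread, plus clean avast! lines as controls.
SAMPLE_LOG = r"""
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: acacecfceddb - C:\WINDOWS\system32\acacecfceddb.dll (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\DOCUME~1\shelley\LOCALS~1\Temp\winvnc4.exe (file missing)
"c:\\Temp\\kf56686.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18/03/2011 15:29 301528]
S0 b8d0259f6878b520e949562f9fcb3273;b8d0259f6878b520e949562f9fcb3273;c:\windows\system32\b8d0259f6878b520e949562f9fcb3273.sys --> c:\windows\system32\b8d0259f6878b520e949562f9fcb3273.sys [?]
"""

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")               # HijackThis "O20 - ..." / "R1 - ..."
CF_DRIVER = re.compile(r"^([RS][0-4])\s+([^;]+);[^;]*;(.*)$")   # ComboFix "S0 name;display;path ..."
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.I)
TEMP_PATH = re.compile(r"\\+Temp\\+", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{10,}$", re.I)   # heuristic for generated names (my assumption)


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = leftover or needs confirmation
    reason: str
    line: str


def check_hjt(section: str, body: str, line: str) -> list:
    """Section-specific HijackThis checks; only O20 (Winlogon Notify) is handled here."""
    out = []
    if section == "O20":   # the named DLL is loaded into winlogon.exe at every logon
        name = body.split(":", 1)[-1].split(" - ")[0].strip()
        if HEX_NAME.match(name):
            out.append(Finding("high", f"Winlogon Notify DLL '{name}' has a hex-only name, typical of generated malware names", line))
        else:
            out.append(Finding("review", f"Winlogon Notify DLL '{name}' loads into winlogon.exe; confirm it belongs to installed software", line))
    return out


def check_driver(start: str, name: str, rest: str, line: str) -> list:
    """ComboFix driver/service lines: start type, service name, path and status."""
    out = []
    if rest.rstrip().endswith("[?]"):
        # S0 = boot-start; a boot driver whose file cannot be read is the classic rootkit sign
        sev = "high" if start == "S0" else "review"
        out.append(Finding(sev, f"{start} driver '{name}' is registered but its file could not be read ([?]); S0 loads at boot", line))
    if HEX_NAME.match(name):
        out.append(Finding("high", f"driver service name '{name}' is hex-only, typical of generated malware names", line))
    return out


def triage(log_text: str) -> list:
    """Scan HijackThis/ComboFix-style lines and return the entries worth attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Generic checks that apply to any line, whichever tool wrote it
        if ORPHAN.search(line):
            findings.append(Finding("review", "entry points at a file that no longer exists; a leftover to tick and fix", line))
        if TEMP_PATH.search(line):
            findings.append(Finding("high", "program registered from a Temp directory; legitimate software rarely persists there", line))
        m = HJT_LINE.match(line)
        if m:
            findings.extend(check_hjt(m.group(1), m.group(2), line))
            continue
        m = CF_DRIVER.match(line)
        if m:
            findings.extend(check_driver(m.group(1), m.group(2), m.group(3), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The "review" findings are the orphaned entries the repliers tell the poster to tick and fix; the "high" ones are the VNC server in a Temp folder, the firewall exception for an executable in c:\Temp, the hex-named Winlogon Notify DLL, and the boot-start driver whose file ComboFix could not read, which matches the rootkit name Avast put in the chest.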
  • Heres the Combofix log:

    ComboFix 11-03-18.04 - shelley 19/03/2011 15:40:57.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.480.242 [GMT 0:00]
    Running from: C:\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\logs
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-19 to 2011-03-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-19 12:42 . 2011-03-19 12:42 dc----w- c:\documents and settings\shelley\Local Settings\Application Data\Yahoo!
    2011-03-18 15:59 . 2011-03-15 21:19 61440 -c--a-w- c:\windows\system32\CleanMem.exe
    2011-03-18 15:59 . 2008-09-19 17:37 121856 -c--a-w- c:\windows\system32\schtasks.exe
    2011-03-18 15:59 . 2011-03-18 15:59 d-----w- c:\program files\CleanMem
    2011-03-18 15:59 . 2011-03-18 15:59 dc----w- c:\windows\CleanMem
    2011-03-18 15:29 . 2011-02-23 14:54 19544 -c--a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-03-18 15:29 . 2011-02-23 14:56 301528 -c--a-w- c:\windows\system32\drivers\aswSP.sys
    2011-03-18 15:29 . 2011-02-23 14:55 25432 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-03-18 15:29 . 2011-02-23 14:56 371544 -c--a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-03-18 15:29 . 2011-02-23 14:55 49240 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-03-18 15:29 . 2011-02-23 14:55 102232 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-03-18 15:29 . 2011-02-23 14:55 96344 -c--a-w- c:\windows\system32\drivers\aswmon.sys
    2011-03-18 15:29 . 2011-02-23 14:54 30680 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-03-18 15:29 . 2011-02-23 15:04 40648 -c--a-w- c:\windows\avastSS.scr
    2011-03-18 15:29 . 2011-02-23 15:04 190016 -c--a-w- c:\windows\system32\aswBoot.exe
    2011-03-18 15:28 . 2011-03-18 15:28 dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-03-18 15:28 . 2011-03-18 15:28 d-----w- c:\program files\AVAST Software
    2011-03-18 14:53 . 2011-03-18 14:53 dc----w- c:\windows\Internet Logs
    2011-03-18 08:57 . 2011-03-18 08:57 d-----w- c:\program files\CCleaner
    2011-03-18 08:24 . 2011-03-18 08:24 388096 -c--a-r- c:\documents and settings\shelley\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-03-18 08:24 . 2011-03-18 08:24 d-----w- c:\program files\Trend Micro
    2011-03-17 23:27 . 2011-03-17 23:27 dc----w- C:\iTunes
    2011-03-13 20:52 . 2011-03-13 20:51 389120 -c--a-w- c:\windows\system32\CF25356.exe
    2011-03-13 20:52 . 2011-03-13 20:51 389120 -c--a-w- c:\windows\system32\CF25363.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-19 15:36 . 2009-01-07 18:53 4290979 -c--a-r- C:\ComboFix.exe
    2011-02-09 13:53 . 2003-11-05 08:31 270848 -c--a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2003-11-05 08:31 186880 -c--a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2003-11-05 09:53 2067456 -c--a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2003-11-05 09:53 677888 -c--a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2003-11-05 08:31 439296 -c--a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2003-11-05 08:30 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2003-11-05 08:31 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2005-06-17 22:49 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2003-11-05 08:31 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2003-11-05 08:31 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 18:09 . 2008-12-14 14:23 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2008-12-14 14:24 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-20 17:26 . 2003-11-05 08:31 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2004-08-04 05:59 385024 -c--a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 90112]
    "LgWDskTp"="c:\program files\Wireless Desktop\LgWDskTp.exe" [2003-10-29 65536]
    "Logitech Utility"="Logi_MwX.Exe" [2003-07-22 19968]
    "ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
    "Drag'n Drop CD+DVD"="c:\program files\drag'n drop cd+dvd\BinFiles\DragDrop.exe" [2003-08-08 1175552]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "Kaseya Agent Service Helper"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 229376]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\shelley\Start Menu\Programs\Startup\
    Click to DVD Automatic Mode Launcher.lnk - c:\program files\Sony\click to dvd\ctdatsvr.exe [2004-8-16 81920]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
    backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
    backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
    backup=c:\windows\pss\Timer Recording Manager.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 15:51 177440 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-12-13 17:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WebClient"=2 (0x2)
    "SSDPSRV"=3 (0x3)
    "KaseyaAgent"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Sony\\giga pocket\\gps.exe"=
    "c:\\Temp\\kf56686.exe"=
    "c:\\Temp\\KRlyCCon.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [18/03/2011 15:29 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18/03/2011 15:29 301528]
    R1 feed;feed;c:\windows\system32\feed.sys [12/10/2010 17:38 75264]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/03/2011 15:29 19544]
    R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [04/11/2003 08:21 175744]
    S0 b8d0259f6878b520e949562f9fcb3273;b8d0259f6878b520e949562f9fcb3273;c:\windows\system32\b8d0259f6878b520e949562f9fcb3273.sys --> c:\windows\system32\b8d0259f6878b520e949562f9fcb3273.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2010 18:45 135664]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [05/11/2003 08:31 14336]
    S3 SMSCMS;SMSC LPC Memory Stick Host Controller;c:\windows\system32\drivers\SMSCMS.SYS [04/11/2003 08:44 58112]
    S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
    S4 KaseyaAgent;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [07/01/2009 18:13 610304]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    2011-03-19 c:\windows\Tasks\Clean System Memory.job
    - c:\windows\system32\CleanMem.exe [2011-03-18 21:19]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 18:45]
    .
    2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 18:45]
    .
    .
    Supplementary Scan
    .
    uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm143YYGB&fl=0&ptb=u.vKSz5OumWpKu2LQLktHQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\shelley\Application Data\Mozilla\Firefox\Profiles\8yh1nc8x.default\
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d29d7c4&v=6.011.025.001&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: XHTML Mobile Profile: {8ea9957e-2953-402f-80e0-bceb5f169d6f} - %profile%\extensions\{8ea9957e-2953-402f-80e0-bceb5f169d6f}
    FF - Ext: EWOQ Mobile Setup extension: {f035aa18-ee32-4e6e-81d2-57e32867f8a7} - %profile%\extensions\{f035aa18-ee32-4e6e-81d2-57e32867f8a7}
    FF - Ext: wmlbrowser: {c4dc572a-3295-40eb-b30f-b54aa4cdc4b7} - %profile%\extensions\{c4dc572a-3295-40eb-b30f-b54aa4cdc4b7}
    FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-CTFMON - (no file)
    MSConfigStartUp-Nokia FastStart - c:\program files\Nokia\Nokia Music\NokiaMusic.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-19 15:52
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'explorer.exe'(3220)
    c:\windows\system32\WININET.dll
    c:\program files\Wireless Desktop\LgWndHk.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-03-19 15:57:21
    ComboFix-quarantined-files.txt 2011-03-19 15:57
    ComboFix2.txt 2009-01-16 21:57
    ComboFix3.txt 2009-01-07 19:12
    .
    Pre-Run: 13,948,719,104 bytes free
    Post-Run: 14,071,947,264 bytes free
    .
    - - End Of File - - 88F8C23F53C0B53E2CB7A5A0750E9A9B
    Proud to be dealing with my debts
    Debt at Light Bulb Moment (January 2011): £21,953
    Debt at current level (Nov 2013): £4,567.50
    Debt free wanabee date: Dec 2014 :j
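The service list in the ComboFix log above (the R1/R2/S0/S2 lines) is where the rootkit driver stands out: a boot-start (S0) service whose name is 32 random hex characters, loaded from system32 rather than system32\drivers, and for which ComboFix recorded no file date or size ([?]). The Python script below is an added example for triaging such logs; it is not part of this thread, of ComboFix, or of any tool the replies mention. Its sample input is constructed from the service lines posted above, the reading of "[?]" as "ComboFix could not read the file, so it is absent or hidden" is my assumption, and the heuristic weights and threshold are mine, not an established scoring scheme.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: service/driver lines copied from the ComboFix log posted above.
SAMPLE_LOG = """\
R1 aswSnx;aswSnx;c:\\windows\\system32\\drivers\\aswSnx.sys [18/03/2011 15:29 371544]
R1 feed;feed;c:\\windows\\system32\\feed.sys [12/10/2010 17:38 75264]
R2 aswFsBlk;aswFsBlk;c:\\windows\\system32\\drivers\\aswFsBlk.sys [18/03/2011 15:29 19544]
S0 b8d0259f6878b520e949562f9fcb3273;b8d0259f6878b520e949562f9fcb3273;c:\\windows\\system32\\b8d0259f6878b520e949562f9fcb3273.sys --> c:\\windows\\system32\\b8d0259f6878b520e949562f9fcb3273.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [25/01/2010 18:45 135664]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\\program files\\AVG\\AVG10\\Toolbar\\ToolbarBroker.exe --> c:\\program files\\AVG\\AVG10\\Toolbar\\ToolbarBroker.exe [?]
S4 KaseyaAgent;Kaseya Agent;c:\\program files\\Kaseya\\Agent\\AgentMon.exe [07/01/2009 18:13 610304]
"""

# One ComboFix service line: "<R|S><start> name;display;image [--> registry path] [date time size | ?]"
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"      # R = running, S = stopped; digit = start type (0 = boot)
    r"(?P<name>[^;]+);(?P<display>[^;]*);"   # service name ; display name ;
    r"(?P<image>.+?)"                        # image path, may contain spaces and "-k group"
    r"(?:\s+-->\s+(?P<registry_path>.+?))?"  # optional repeat of the path as found in the registry
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"           # [dd/mm/yyyy hh:mm size] or [?]
)
HEX32 = re.compile(r"[0-9a-f]{32}", re.IGNORECASE)
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off; tune to taste


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields of one service line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["start"] = int(entry["start"])
    # Assumption: "[?]" means ComboFix could not read date/size, i.e. the file is absent or hidden.
    entry["file_missing"] = entry["meta"].strip() == "?"
    return entry


def score_entry(e: Dict) -> Tuple[int, List[str]]:
    """Apply simple rootkit-oriented heuristics; higher score = more worth a closer look."""
    score, reasons = 0, []
    image = e["image"].lower()
    exe = image.split(" -k ")[0]              # drop the svchost group argument if present
    folder, _, filename = exe.rpartition("\\")
    if HEX32.fullmatch(e["name"]):
        score += 3
        reasons.append("random 32-hex-digit service name")
    if e["file_missing"]:
        score += 2
        reasons.append("no file date/size collected ([?]): file absent or hidden")
    if filename.endswith(".sys") and folder.endswith("\\system32"):
        score += 1
        reasons.append("driver sits in system32 root, not system32\\drivers")
    if e["start"] == 0:
        score += 1
        reasons.append("boot-start service: loads before most defences")
    return score, reasons


def triage(log_text: str) -> List[Dict]:
    """Parse every service line in a ComboFix log and return them scored, highest first."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry["score"], entry["reasons"] = score_entry(entry)
        results.append(entry)
    results.sort(key=lambda e: e["score"], reverse=True)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if e["score"] >= SUSPICIOUS_THRESHOLD else "ok"
        print(f"{flag:10} score={e['score']}  {e['state']}{e['start']} {e['name']}")
        for r in e["reasons"]:
            print("             -", r)
```

Run against the sample, only the b8d0259f... driver crosses the threshold; the leftover AVG toolbar service also shows "[?]" but scores only 2, which is the point of combining the signals rather than treating a missing file on its own as proof of a rootkit.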
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Open notepad and copy/paste the text in RED below

    File::
    c:\windows\system32\CF25356.exe
    c:\windows\system32\CF25363.exe



    Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [Screenshot: CFScript.gif]


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
    (If SNAPSHOT is stupidly large, leave that part out)

    Combofix should never take more than 30 minutes including the reboot if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; Combofix should then continue.
    :idea: