BleepingComputer.com: Combofix bug had deleted & quarantined my program files


Combofix bug had deleted & quarantined my program files
Most programs are now missing & won't run. Help please!

#1 deernad123 (Members; Kirkland, WA)
Posted 04 April 2011 - 10:17 PM

I have a Dell D-600 with Windows XP (SP-3).

I ran Combofix, but when I did, I noticed it was taking much longer than normal to run (about 4 hours). I knew something was wrong for it to take such a long time, but I was also concerned that if I killed the program mid-process it might cause me additional problems, so I let it run its course.

I was extremely dismayed to see when Combofix had finally finished, my computer was now seriously messed up, as many system, program & personal files & folders were deleted and quarantined. Now most programs wouldn't open or run, shortcuts on my desktop wouldn't work, then Windows Internet Explorer wouldn't open as that folder also became a casualty in this. I then tried using System Restore, but it was unsuccessful.

I got on bleepingcomputers.com website (borrowed another computer to get online), then searched and reviewed the forums regarding this Combofix bug problem. I found several topics on the problem with Combofix like I have, but the most similar in the criteria was "www.bleepingcomputer.com/forums/topic290138.html" (a copy of this topic is below), which basically said this problem can be fixed by downloading and running a special tool designed for this bug called CFDQ-UsrPrf.exe.


Forum posting (topic 290138)
ComboFix problems and resolution for legitimate files being deleted:
Posted 24 January 2010 - 09:41 PM


As many of you know, ComboFix has been pulled due to a bug that causes legitimate files to be deleted. For those that have been affected, you would have noticed many deletions taking place as ComboFix was running, and your desktop would be blank. For users of Windows XP, you may still have an Internet Explorer icon and the Recycle Bin present on your desktop, but everything else would be gone.

To restore the folders and files that were deleted, please download the following file and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe

Now disable all anti-virus programs as they may interfere with the restoration process. Instructions on how to do this can be found here. Then launch the CFDQ-UsrPrf.exe program to start the restoration process. When the program has finished, your data will have been restored. Please note that if you had infections located in the deleted folders, these infections will now be restored as well. Therefore please do not reboot without first contacting the helper who was helping you previously, as the infections could become active again.
(end).

I ran CFDQ-UsrPrf.exe, but it restored just a couple of files; the majority were not touched. I tried running it again, but now I was getting an error message: 'Error: 0x00007766'.

So then I got the list of program tools outlined in the "Preparation Guide for Use before Requesting Help" that I needed to download, run and make log files from to post.

I needed internet access back on my computer, so I copied the quarantined Internet Explorer folder from C:\QooBox and pasted it back into the C:\Program Files folder. Then I went to that folder in Program Files and manually removed the .VIR extensions on all the files. It worked.

I ran the following: Defogger, DDS and GMER and will attach the log files. Not sure if you want Combofix logs yet or anything else, so I didn't send them until you let me know.

I appreciate your time and expertise towards helping me fix this problem.


DDS (Ver_11-03-05.01) - NTFSx86
Run by owner at 12:14:08.83 on Mon 04/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.335 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mPolicies-system: DisableCAD = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program files\microsoft office\office12\REFIEBAR.DLL
Trusted Zone: google.com\www
Trusted Zone: microsoft.com\catalog.update
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\www
Trusted Zone: microsoft.com\www.update
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-19 214664]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-21 54760]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2005-1-26 92550]
S3 fsssvc;Windows Live Family Safety Service;"c:\program files\windows live\family safety\fsssvc.exe" --> c:\program files\windows live\family safety\fsssvc.exe [?]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-4-19 6656]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-19 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-19 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-19 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-19 40552]
S3 WinDefend;Windows Defender;"c:\program files\windows defender\msmpeng.exe" --> c:\program files\windows defender\MsMpEng.exe [?]
.
=============== Created Last 30 ================
.
2011-04-03 10:35:21 -------- d-----w- c:\program files\common files\ODBC
2011-04-03 09:48:29 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-04-03 09:46:54 -------- d-----w- c:\program files\Internet Explorer 1
2011-04-03 05:34:50 -------- d-----w- c:\program files\VideoLAN
2011-03-27 21:55:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-27 21:55:48 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-12 23:11:42 -------- d-----w- C:\MGtools
2011-03-12 23:10:58 660480 ----a-w- C:\CFDQ-UsrPrf.exe
.
==================== Find3M ====================
.
2011-03-10 23:34:23 439808 ----a-w- c:\windows\system32\searchindexer.exe
2011-03-10 23:30:18 1033728 ----a-w- c:\windows\explorer.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2001-08-18 12:00:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll
2004-08-20 06:26:54 1216 -csh--w- c:\windows\Twunk_16.dll
2004-08-20 06:26:54 1216 -csh--w- c:\windows\Twunk_32.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:32 11776 --sha-w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 12:16:37.73 ===============


Attached File(s): Attach.txt (15.83K), ark.txt (712bytes)


#2 oneof4 (Malware Study Hall Senior)
Posted 14 April 2011 - 12:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



Thanks and again sorry for the delay.
Best Regards,
oneof4.

#3 deernad123 (Members; Kirkland, WA)
Posted 15 April 2011 - 10:20 AM

My problem has not been resolved yet. I am just being patient as I am aware of how busy you are getting to these problems. I will run and send the updated logs very shortly per your request in your reply. Thanks, Dan.

#4 oneof4 (Malware Study Hall Senior)
Posted 15 April 2011 - 10:36 AM

:thumbup2:
Best Regards,
oneof4.

#5 deernad123 (Members; Kirkland, WA)
Posted 18 April 2011 - 05:39 AM

Hi. Ok, here it is.

I downloaded and re-ran the latest updates (available) for Defogger, DDS and GMER and now the latest log files are attached in this posting.

Yes, I do still have the Windows CD/DVD disc that came with this computer.

As far as the problem with my computer, it is still the same - I ran Combofix (which I have used about 4 times prior to this incident). But on this occasion, the program must have had a 'bug' embedded in it, as it took over 4 hours to run and complete its scan. All prior times, it usually would take about 10-15 minutes to successfully run, scan and make the log file. The result was that many of the system, program & personal files & folders were deleted from their locations, then all the files were renamed by adding a .VIR extension to each one and quarantined into a folder called C:\QooBox. But nothing was wrong with these files.

I need my computer restored back to how it was prior to this problem, with all the files and folders unquarantined and placed back into their original locations. The exception is the Internet Explorer folder and files, which I manually removed and restored from the QooBox folder, placing them back into the Program Files folder. This gave me back internet access. But I haven't worked on the computer, like using Microsoft Office or AutoCAD, for fear of losing my files and data.

So here they are -
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by owner at 1:17:24.80 on Mon 04/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.426 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\owner\Desktop\dds.pif
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_ActiveX.exe -update activex
mPolicies-system: DisableCAD = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program files\microsoft office\office12\REFIEBAR.DLL
Trusted Zone: google.com\www
Trusted Zone: microsoft.com\catalog.update
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\www
Trusted Zone: microsoft.com\www.update
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-19 214664]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-21 54760]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2005-1-26 92550]
S3 fsssvc;Windows Live Family Safety Service;"c:\program files\windows live\family safety\fsssvc.exe" --> c:\program files\windows live\family safety\fsssvc.exe [?]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-4-19 6656]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-19 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-19 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-19 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-19 40552]
S3 WinDefend;Windows Defender;"c:\program files\windows defender\msmpeng.exe" --> c:\program files\windows defender\MsMpEng.exe [?]
.
=============== Created Last 30 ================
.
2011-04-03 10:35:21 -------- d-----w- c:\program files\common files\ODBC
2011-04-03 09:48:29 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-04-03 09:46:54 -------- d-----w- c:\program files\Internet Explorer 1
2011-04-03 05:34:50 -------- d-----w- c:\program files\VideoLAN
2011-03-27 21:55:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-27 21:55:48 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-03-12 23:05:04 660480 ----a-w- C:\CFDQ-UsrPrf.exe
2011-03-10 23:34:23 439808 ----a-w- c:\windows\system32\searchindexer.exe
2011-03-10 23:30:18 1033728 ----a-w- c:\windows\explorer.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2001-08-18 12:00:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll
2004-08-20 06:26:54 1216 -csh--w- c:\windows\Twunk_16.dll
2004-08-20 06:26:54 1216 -csh--w- c:\windows\Twunk_32.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:32 11776 --sha-w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 1:19:46.33 ===============

Attached File(s): Attach.zip (4.27K), ark.txt (894bytes)


#6 Elise (Malware Study Hall Admin; Romania)
Posted 23 April 2011 - 07:27 AM

Hi, and sorry for the delay.

So, if I understand you correctly, you have placed back all files that were quarantined? If so, we can restore the registry using the Erunt backup made before combofix was run and things should improve.

Please see if the following folder is there: c:\windows\erdnt\subs
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

#7 deernad123 (Members; Kirkland, WA)
Posted 25 April 2011 - 02:43 AM

Hi Elise.

No, I have not placed back all the files and folders that were quarantined.

In 'C:\Qoobox\Quarantine\C\Program Files', I count 110 folders, not to mention the many files in these folders which Combofix had mistakenly quarantined. All of them had been renamed with .VIR extensions added to each of these files.

What I did do, however, as I mentioned in the beginning post, was manually remove all the .VIR extensions on the 'Internet Explorer' folder and its related files ONLY and place them back into the 'C:\Program Files' folder. This allowed me to get onto the internet again, directly from my computer.

But I have been holding off on doing anything else until I get your help and advice toward resolving the issues here and not losing any important files I have. With your help, I would really like to restore my computer back to the way it was before this quarantine mishap occurred.

Also Elise, you asked me to verify if the folder C:\Windows\ERDNT\Subs is there. So I did check and YES it is.

Thanks for your help on this Elise.

Sincerely,
Dan.



#8 Elise (Malware Study Hall Admin; Romania)
Posted 25 April 2011 - 12:37 PM

Hi Dan,

Please post me the content of c:\qoobox\quarantine\quarantined-files.txt
regards, Elise


#9 deernad123 (Members; Kirkland, WA)
Posted 26 April 2011 - 12:20 AM

Hey Elise,

I tried to post the content of c:\qoobox\quarantine\quarantined-files.txt as per your request, but when I try to post my Reply, I got a message that the reply is too big and need to shorten it.

So instead I tried to attach & upload this file. Then I got the message that the 'file is too big to upload'. It is pretty lengthy.

I ultimately had to zip the file to successfully upload. So here it is.

Dan.


#10 Elise (Malware Study Hall Admin; Romania)
Posted 26 April 2011 - 04:33 AM

Have you tried running combofix after this initial run which deleted all files? I am asking because if so, the original Erunt backup will have been overwritten.

Combofix creates a restore point before running. Have you tried restoring your computer to that?
regards, Elise


#11 deernad123 (Members; Kirkland, WA)
Posted 28 April 2011 - 12:02 AM

It's been a while now since all this started, but trying to recall exactly what I did after Combofix had deleted all my files, I recall going onto the bleepingcomputer.com website forum to find and read about anybody else having the same problem I incurred. I do recall I read a forum discussion that had the same problem and said that the 'bug' that caused this problem was remedied, and suggested downloading the latest update and running the program again. So I did, and the 2nd time I ran it, Combofix ran normally (like it usually does), BUT it did not make any change to the files still deleted and quarantined - still in the 'C:\Qoobox' folder.

As for attempting to use the restore point that Combofix creates, no I did not. In fact I wasn't aware it did. Immediately after this problem occurred, though, I did try using Windows Restore, but it wouldn't do so successfully. I tried again using a couple of different restore point dates, but still with no success. This is when I began to freak out about this situation and decided I'd better slow down and get some help from you.

Dan.

#12 Elise (Malware Study Hall Admin; Romania)
Posted 28 April 2011 - 04:52 AM

The fact that you reran combofix has erased all registry backups. So, even if we would restore the files, the programs they belonged to would still be non-functioning.

For that reason I strongly recommend just reinstalling the affected programs. Either that, or you'll have to manually run every registry backup that can be found in this folder: C:\Qoobox\Quarantine\Registry_backups.

Since only programs were removed and no personal files, I really recommend to just redownload/reinstall them.

You can also try redownloading/rerunning the restore utility you mentioned in your first post (it has been updated).
regards, Elise


#13 deernad123 (Members; Kirkland, WA)
Posted 02 May 2011 - 09:38 PM

You don't know how disappointing it is for me to hear this. I don't really have such a problem with reinstalling the programs, even though there are many. My biggest problem I need to deal with regardless is to restore my important AutoCAD drawing documents (.dwg files). I have them backed up on a disk, but I recently moved and now I'm having trouble locating that disk. I know, it's my bad, but I still need to resolve this dilemma. Worst case is renaming each of these files manually, one at a time. But what a bummer if I do.

Is there any type of program I can download & use to aid in the removal of the .VIR extensions that were added to all the files quarantined and moved into the C:\Qoobox folder? This itself would help me immensely.

Dan

#14 Elise (Malware Study Hall Admin; Romania)
Posted 03 May 2011 - 03:52 AM

Hi, we can try it as follows, but I'm not sure it'll work.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DEQUARANTINE::
C:\Qoobox\Quarantine\C\Program Files
QUIT::

Save this as CFScript.txt, in the same location as ComboFix.exe

[image omitted: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards, Elise

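The DEQUARANTINE:: CF-script above is ComboFix's own route back. As an added example (not ComboFix's tooling, not BleepingComputer's, and not code from anyone in this thread), the script below does the same job that Dan did by hand for the Internet Explorer folder, for a whole subtree of the quarantine: it maps each C:\Qoobox\Quarantine\C\...\file.VIR back to C:\...\file, strips the .VIR suffix, refuses to overwrite anything that already exists at the original location, and logs what it did. It assumes only the layout described in this thread (original path mirrored under C:\Qoobox\Quarantine\<drive letter>\ with .VIR appended). The parameter names, the log-file location and the dry-run default are this example's own choices. PowerShell 2.0 runs on XP SP3; run it from a PowerShell prompt started as administrator.

```powershell
<#
  Restore-QooboxQuarantine.ps1
  Added example for this thread; not ComboFix's or BleepingComputer's own code.
  Assumes the layout the thread describes: ComboFix moved e.g.
    C:\Program Files\Foo\bar.dll
  to
    C:\Qoobox\Quarantine\C\Program Files\Foo\bar.dll.VIR
  Default is a dry run that only reports; pass -Commit to copy files back.
  Parameter names and the log-file path are this example's own choices.
#>
param(
    [string]$QuarantineRoot = 'C:\Qoobox\Quarantine',
    [string]$Subtree        = 'C\Program Files',   # only the subtree confirmed as wrongly quarantined
    [switch]$Commit,
    [string]$LogFile        = "$env:SystemDrive\Qoobox-restore.log"
)

if (-not (Test-Path -LiteralPath $QuarantineRoot)) { throw "Quarantine root not found: $QuarantineRoot" }
# Normalise to an absolute provider path so prefix arithmetic below is exact.
$QuarantineRoot = (Resolve-Path -LiteralPath $QuarantineRoot).ProviderPath.TrimEnd('\')
$source = Join-Path $QuarantineRoot $Subtree
if (-not (Test-Path -LiteralPath $source)) { throw "Quarantine subtree not found: $source" }

function Write-Log([string]$line) {
    Write-Output $line
    Add-Content -Path $LogFile -Value $line
}

# 'C:\Qoobox\Quarantine\C\Program Files\Foo\bar.dll.VIR' -> 'C:\Program Files\Foo\bar.dll'
function Get-OriginalPath([string]$quarantinedPath) {
    $rel = $quarantinedPath.Substring($QuarantineRoot.Length + 1)    # 'C\Program Files\Foo\bar.dll.VIR'
    if ($rel.Length -lt 3 -or $rel.Substring(1, 1) -ne '\') {
        throw "Unexpected quarantine layout: $quarantinedPath"
    }
    $drive = $rel.Substring(0, 1)
    $rest  = $rel.Substring(2)
    if ($rest.ToUpper().EndsWith('.VIR')) { $rest = $rest.Substring(0, $rest.Length - 4) }
    return "${drive}:\$rest"
}

$restored = 0
$skipped  = 0
$files = Get-ChildItem -LiteralPath $source -Recurse -Force | Where-Object { -not $_.PSIsContainer }
foreach ($file in $files) {
    $dest = Get-OriginalPath $file.FullName
    if (Test-Path -LiteralPath $dest) {
        # Something already lives at the original location (e.g. a program reinstalled
        # since the incident). Never overwrite it; compare or merge by hand if needed.
        Write-Log "SKIP exists: $dest"
        $skipped++
        continue
    }
    if ($Commit) {
        $destDir = Split-Path -Parent $dest
        if (-not (Test-Path -LiteralPath $destDir)) {
            New-Item -ItemType Directory -Path $destDir -Force | Out-Null
        }
        # Copy rather than move, so C:\Qoobox stays intact as a fallback.
        Copy-Item -LiteralPath $file.FullName -Destination $dest
        Write-Log "COPY $($file.FullName) -> $dest"
    } else {
        Write-Output "WOULD COPY $($file.FullName) -> $dest"
    }
    $restored++
}

$mode = if ($Commit) { 'Done' } else { 'Dry run' }
Write-Log ("{0}: {1} file(s) restored, {2} skipped (destination already exists)." -f $mode, $restored, $skipped)

# Usage:  .\Restore-QooboxQuarantine.ps1                 (dry run, review the WOULD COPY lines)
#         .\Restore-QooboxQuarantine.ps1 -Commit         (actually copy back)
#         .\Restore-QooboxQuarantine.ps1 -Subtree 'C\Documents and Settings\owner\My Documents' -Commit
```

Run the dry run first and read the WOULD COPY lines before passing -Commit; if local scripts are blocked, `Set-ExecutionPolicy RemoteSigned` once from an administrator prompt allows them. Two caveats from this thread apply to this script exactly as they apply to CFDQ-UsrPrf.exe and the DEQUARANTINE:: script: it restores files only, so programs whose registry entries were lost when the ERUNT backup was overwritten may still need reinstalling (Elise's point in post #12), and anything malicious that sat in those folders comes back with them, so restore only the subtree the helper has agreed is clean and keep the log for them.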

#15 deernad123 (Members; Kirkland, WA)
Posted 04 May 2011 - 08:36 PM

Hey Elise.

Ok, I did as you said - I created the CFScript.txt file, then dragged it over the Combofix.exe program, which it then commenced running.

It took a while to run, but it seemed to finish ok.

I hope something good will come of this.

The log file appeared when all done, but I seem to be having trouble locating C:\ComboFix.txt log file. I will search for it. If I can't locate it, I'll rerun it, then make sure it's saved this time.

Dan.
