Started with Anti-Virus...now lingering aftereffects


  • This topic is locked
18 replies to this topic

#1 dgfohio

dgfohio

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:28 PM

Posted 20 December 2009 - 02:37 PM

Hello,

The PC started with one of the various fake anti-virus malware and I was able to get that removed, however there seem to be some lingering aftereffects.

I have run the various steps as instructed for malwarebytes. I do work in IT, but I never claim to know everything (or anything for that matter).

I got the fake anti-virus removed using malwarebytes, but it was much more difficult than I have done for others in the past.

Now the PC locks up, fails to allow me to activate my McAfee anti-virus. Fails to allow me to run malwarebytes in full (even in safe mode).
There are no specific messages or pop-ups to document. The only way to describe what is happening is that the active window (much like this web browser) will suddenly stop being the active window (as if you performed an alt-tab to switch windows) but there is no program visibly running that it switched to.

I have run the various processes suggested and attached them to this post as directed.

Now I suspect root problems as described on this forum.

Any assistance would be greatly appreciated!

Thanks!

Dave

DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86
Run by David at 13:31:05.18 on Sun 12/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.34 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\DOCUME~1\David\LOCALS~1\Temp\clspackxq.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [clspackxq.exe] c:\docume~1\david\locals~1\temp\clspackxq.exe
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_SMB]
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [<NO NAME>]
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [QCWLIcon] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [TomTomHOME.exe] "c:\program files\tomtom home\TomTomHOME.exe" -s
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [c:\windows\system32\kdrih.exe] c:\windows\system32\kdrih.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\documents and settings\administrator\desktop\mbam-installer\explorer.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168631671115
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 91.212.127.226 windows-shield.microsoft.com
Hosts: 91.212.127.226 windows-shield.com
Hosts: 91.212.127.226 www.windows-shield.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\j02w5zhx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\david\application data\mozilla\firefox\profiles\j02w5zhx.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-1-15 58464]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-1-12 15360]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-1-15 102463]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2006-9-14 29184]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-1-15 11113]
S2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2006-9-14 221191]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\ip vpn remote services\Extranet_serv.exe [2007-1-15 786432]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-1-15 149952]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-1-15 116992]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-12-19 21:43:37 0 d-----w- c:\program files\Uniblue
2009-12-17 03:05:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-17 03:05:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 05:53:56 668 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-16 05:52:50 202 ----a-w- c:\windows\system32\srcr.dat

==================== Find3M ====================

2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2008-08-30 16:03:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 13:33:35.43 ===============


#2 dgfohio

Posted 22 December 2009 - 04:47 PM

I know I am not supposed to re-post because then I will be put to the back of the line again, but I feel I have waited pretty patiently here.

If there is something I am missing or did not post correctly, could one of the helpers/moderators steer me in the right direction?

Any help would be greatly appreciated.

Thanks.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,472 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:05:28 PM

Posted 24 December 2009 - 07:19 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#4 dgfohio

Posted 24 December 2009 - 11:24 AM

Hi and thank you!

I downloaded Combofix, but it would not run after I double clicked it. I logged back off and logged in as the Administrator and I double clicked the combofix icon. The "open file security warning" window appeared and I clicked RUN, but still that is where it stops. When I check the processes that are running I see combofix running, but I never get the "please wait" DOS screen.

I tried this in safe mode too....no luck.

I understand your time is busy today and that you may be leaving for a while, so I hope to get going as fast as I can.

Thanks,

Dave

Edited by dgfohio, 24 December 2009 - 11:25 AM.


#5 Grinler

Posted 24 December 2009 - 11:32 AM

Rename the file to explorer.exe and try running it again.

#6 dgfohio

Posted 24 December 2009 - 05:50 PM

Sorry for the delay. I had to run into work this afternoon for a mainframe emergency. I did eventually get combofix running and here is what happened:

I logged in as Administrator (I am running XP)
I changed the name of combofix to explorer.exe.

It ran through the step to set up the windows registry.
I did not have Microsoft windows recovery console, so it installed that.

It warned me that there was a new version of combofix and it installed the new version.
It told me to write this info down in case there was a problem and that these files are suspect:

Windows\system32\drivers\H8SRTmfkxqmomyk.sys
Windows\system32\drivers\H8SRTxecspvxmax.dll
Windows\system32\drivers\H8SRTynihnqrdom.dat
Windows\system32\drivers\H8SRTnctakjktgk.dll

It then had me re-boot. I logged back in as administrator and it immediately basically reinstalled combofix and started the scan with the DOS screen that reads:
"scanning for infected files...
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily take double"


That process started at about 12:00 (EST) today.
...and it is still sitting on that screen. (now 1745 EST)

It never read "Completed Stage 1, etc."

So it looks like I am stuck again. Should I retry to run combo fix from the start again?

I know it is Christmas Eve and I know you must have family & friends. If I don't hear from you for a while...I will remain patient!!!

This infected machine is NOT my machine and I am talking to you through my personal computer.

Have a safe and merry Christmas (or holiday of your choice!!)

And again...thank you for your help!!!

Dave

#7 dgfohio

Posted 24 December 2009 - 08:46 PM

2045 pm EST Christmas Eve.

On a hunch I decided to try and cancel the Combofix program and restart it. It looks like it is going through the stages now. I will update you shortly.

Thanks.

#8 dgfohio

Posted 24 December 2009 - 09:17 PM

OK...Combofix finished running. I have attached the log.txt and combofix.txt to this post.

If you need me to cut and paste the text file let me know!

Thanks,

Dave


#9 Grinler

Posted 24 December 2009 - 09:17 PM

Sounds good. Let me know. Looks like you have the new TDDS infection.

#10 Grinler

Posted 25 December 2009 - 10:14 AM

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

RegLock::
[HKEY_USERS\S-1-5-21-861364456-2869939212-1899123480-500\Software\Microsoft\Internet Explorer\User Preferences]


Save this as the txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#11 dgfohio

Posted 26 December 2009 - 03:16 PM

I wanted to let you know that I am not ignoring you. I am having difficulty running combofix with the instructions provided.

I created the script as instructed and here is what has been happening.

The first time I ran it, combo fix told me there was a newer version, so I accepted the newer version. It seemed to run OK but never reached a point where it stated "Completed Stage 1, etc."

After an hour or two I canceled that job and retried it.

This time when it asked to upload the newer version of combo fix, I chose NO.

This time it reached Stage 2 and hung up.

Another try I got to stage 6A before hanging up and the last two tries I got to stage 8 before hanging up.

I will give it one more try and then I feel I am toast (or perhaps you have a new idea of what to try).

By the way...during the initial successful run of Combofix....did combo fix actually fix anything? The reason I ask is because on the surface the PC seems to be behaving better (other than the problems I mentioned above).

Just curious about my last statement there.

I will let you know how combofix behaves on this next try.

Thanks,
Dave

#12 dgfohio

Posted 26 December 2009 - 05:46 PM

I tried it one more time and it made it to Stage 8 and then stopped.

I have not tried doing it in safe mode yet, but I would like to wait for your next post.

Thanks,

Dave

#13 dgfohio

Posted 28 December 2009 - 02:38 PM

The next thing I tried was to run the script in safe mode. Not sure if this is valid or not.

It reached stage_3 and I walked away. When I came back a few minutes later, there was a log.txt, but no combofix.txt.

Is it because I ran it in safe mode? Maybe this made the run invalid.

I have attached the log.txt (I added a date to the name to keep the previous runs unique).

Let me know your thoughts.

Dave


#14 dgfohio

Posted 28 December 2009 - 02:41 PM

I did a search and it looks like I found combofix.txt on the c: drive.

I hope this is it as it is timestamped for today at 2:22 PM (around the time I ran it).
Thanks,

Dave


#15 Grinler

Posted 29 December 2009 - 10:03 AM

Sorry for the delay in getting back to you. To answer your questions, yes the first run killed a lot of crapware. My guess is that it was not running properly in reg mode due to McAfee blocking something.

Safe mode did the trick and you look all clean :(

Use the following program to scan your computer for outdated programs with security risks and follow the suggestions given:

http://secunia.com/vulnerability_scanning/online/

Then let me know how it is running.



