All files are hidden on Dad's infected laptop

December 2, 2011 at 04:28:18
Specs: Windows XP, 2.6 GHz
My dad's laptop is badly infected. It is a similar virus to before and I removed it with combofix. The thing is, it has not been 100%. I boot it up and there is nothing in the start menu and no icons. I slave the drive to my desktop and there is nothing in his C drive; all files seem to be hidden, only the combofix icon shows, but it looks like an exe and not the normal combofix icon. I know when I booted it up the first time it had some sysfix virus. I removed that when I scanned the drive when it was slaved. I was hoping to be able to remove AVG and install MSE AV. I could not even get into safe mode. The OS is XP and it is set up with ctrl-alt-delete login. I put his password in while trying to boot to safe mode and it's the wrong password. I really don't know what to do. I got combofix on a jump drive but cannot access it because I cannot access anything on his computer. I just removed the same virus from my niece's laptop with Vista a few days ago and it was easier. I just find it funny that the laptops had the same virus. She has connected to his wireless while at his house; maybe someone hacked through the network? It really seems strange to me. I should go check his router but I am scared to go on his network with my laptop. If anyone could help please let me know. Maybe a format on his would be good, but the thing is he has MS Office. I have my Office disk but not his, and I could use it but don't have the license. Also he has e-mails that may be important.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.




#1
December 2, 2011 at 06:13:25
I think that one of them clicked on an attachment & it read the address book, which sent the virus to the other. It happened once when my sister did the same thing. My father, who was 80 at the time, knew better than to click on it. 2 of my brothers did.

Try to run hijack this from a CD & post the log.

How do you know when a politician is lying? His mouth is moving.



#2
December 2, 2011 at 09:15:37
I cannot run hijack from a CD. No drives are accessible. Nothing is accessible; it does not auto run when you put in a jump drive or a CD. I really do not want to slave it again because of my computer being infected. The workgroups on the two laptops are different. I guess the virus can still spread? I am still going to check the router. I have heard of routers being infected before. It is a Belkin router Wireless N WNR 1000 I believe. The one that still has two antennas. I really am stuck at this point. It has AVG free installed. I thought about using the AVG boot CD; that may be the only hope. Then I may have a chance of at least getting to the C drive while booting up.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.



#3
December 2, 2011 at 11:56:31
Can you boot to the command prompt? AVG will run from there, and you might be able to access the CD from there as well. I believe that either can run from a prompt?

mike



#4
December 2, 2011 at 13:18:49
I will see later tonight if I can boot to command prompt. I even tried to get in safe mode. The thing is the laptop is set up with old school login, the ctrl-alt-delete to unlock or bring up the password and name box. I got there while going into safe mode and I used his name and password and it said it was wrong. Maybe I do not remember how to log into safe mode with the login set up that way. I figured it was the same? If I do get to command prompt what do I type?

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.



#5
December 2, 2011 at 19:24:53
OK, well, I did a scan with AVG rescue CD. It found several infections and cleaned them. Still no icons and nothing in start menu. I am trying to boot to safe mode with command prompt right now. It is at the ctrl alt delete login screen. I type in the same username as normal and the same password and it says username or password incorrect.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.



#6
December 2, 2011 at 19:43:17
I just tried Last Good Known Configuration. Icons etc. still hidden. But good news! I put the jump drive in and can see files on it. I am running combofix from it.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.



#7
December 2, 2011 at 20:13:15
user name or password is incorrect xp

http://is.gd/hBQpuH



#8
December 3, 2011 at 05:19:49
OK, I was able to get combofix to run. It cleaned it and now I can see the icons. I removed the AVG and I am going to install MSE AV along with Malwarebytes.
Thanks for the help. The AVG was not the free version. It was AVG Internet Security Business. This laptop had a similar virus back in April. I worked on it then but it has not been 100% like it was before April. I tried and a shop tried and no luck. But now I believe it is back to like it was. Maybe I will run combofix again.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.



#9
December 3, 2011 at 07:03:27
Combofix log.

ComboFix 11-12-02.01 - RAGARRETT 12/02/2011 22:45:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.433 [GMT -5:00]
Running from: F:\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\NetworkService\Application Data\5776.bat
c:\documents and settings\RAGARRETT\Start Menu\Programs\System Fix
c:\progra~1\CELEBS~2\bar\2.bin\kaBAr.dll
c:\progra~1\WEATHE~2\bar\2.bin\gcbar.dll
c:\program files\CelebSauce\bar\2.bin\kaBAr.dll
c:\program files\WeatherBlink
c:\program files\WeatherBlink\bar\1.bin\chrome\gcffxtbr.jar
c:\program files\WeatherBlink\bar\1.bin\gcbarsvc.exe
c:\program files\WeatherBlink\bar\2.bin\CHROME.MANIFEST
c:\program files\WeatherBlink\bar\2.bin\chrome\gcffxtbr.jar
c:\program files\WeatherBlink\bar\2.bin\gcBAr.dll
c:\program files\WeatherBlink\bar\2.bin\INSTALL.RDF
c:\program files\WeatherBlink\bar\2.bin\LOGO.BMP
c:\program files\WeatherBlink\bar\Cache\00055A1E.bmp
c:\program files\WeatherBlink\bar\Cache\00056122.bmp
c:\program files\WeatherBlink\bar\Cache\000562C8.bmp
c:\program files\WeatherBlink\bar\Cache\000563F1.bmp
c:\program files\WeatherBlink\bar\Cache\000566EF.bmp
c:\program files\WeatherBlink\bar\Cache\0011DC92
c:\program files\WeatherBlink\bar\Cache\009F5ACC
c:\program files\WeatherBlink\bar\Cache\009F6089.bmp
c:\program files\WeatherBlink\bar\Cache\009F64BF.bmp
c:\program files\WeatherBlink\bar\Cache\009F66E2.bmp
c:\program files\WeatherBlink\bar\Cache\009F6924.bmp
c:\program files\WeatherBlink\bar\Cache\009F6BF3.bmp
c:\program files\WeatherBlink\bar\Cache\009F6E74.bmp
c:\program files\WeatherBlink\bar\Cache\files.ini
c:\program files\WeatherBlink\bar\History\search3
c:\program files\WeatherBlink\bar\Message\COMMON.T8S
c:\program files\WeatherBlink\bar\Settings\prevcfg2.htm
c:\program files\WeatherBlink\bar\Settings\s_pid.dat
c:\program files\WeatherBlink\Shared\Cache\PopupProperties100016374.html
c:\program files\WeatherBlink\Shared\Cache\PopupProperties100016377.html
c:\program files\WeatherBlink\Shared\Cache\PopupProperties100016379.html
c:\program files\WeatherBlink\Shared\Cache\PopupProperties100016381.html
c:\windows\CSC\d6
c:\windows\system32\0.15834589727520865.exe
c:\windows\system32\0.2958065717812537.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-03 to 2011-12-03 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-13 19:53 . 2011-04-11 13:10 362446 ---ha-w- c:\windows\system32\PerfStringBackup.TMP
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0122CC7-9671-4BD2-AC81-AEAE8001E2F2}"= "c:\program files\Infospace\NationRecipes\NationRecipesToolbar.dll" [2008-11-24 92216]
.
[HKEY_CLASSES_ROOT\clsid\{f0122cc7-9671-4bd2-ac81-aeae8001e2f2}]
[HKEY_CLASSES_ROOT\NationRecipesToolbar.NationRecipesToo.1]
[HKEY_CLASSES_ROOT\TypeLib\{DE7C68D9-2DF5-4F89-B104-64A953626B72}]
[HKEY_CLASSES_ROOT\NationRecipesToolbar.NationRecipesT]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F0122CC7-9671-4BD2-AC81-AEAE8001E2F2}"= "c:\program files\Infospace\NationRecipes\NationRecipesToolbar.dll" [2008-11-24 92216]
.
[HKEY_CLASSES_ROOT\clsid\{f0122cc7-9671-4bd2-ac81-aeae8001e2f2}]
[HKEY_CLASSES_ROOT\NationRecipesToolbar.NationRecipesToo.1]
[HKEY_CLASSES_ROOT\TypeLib\{DE7C68D9-2DF5-4F89-B104-64A953626B72}]
[HKEY_CLASSES_ROOT\NationRecipesToolbar.NationRecipesT]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"aoChCgeHApgo"="c:\documents and settings\All Users\Application Data\aoChCgeHApgo.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-06 872448]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-16 131072]
"MsmqIntCert"="mqrt.dll" [2011-04-18 177152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-16 135168]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-16 159744]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
.
c:\documents and settings\RAGARRETT\Start Menu\Programs\Startup\
Adobe Media Player.lnk - c:\program files\Adobe Media Player\Adobe Media Player.exe [2010-12-9 261632]
.
c:\documents and settings\RAGARRETT\Start Menu\Programs\Startup\FileZilla
FileZilla Documentation.lnk - c:\program files\FileZilla\FileZilla.chm [2005-6-19 291307]
FileZilla.lnk - c:\program files\FileZilla\FileZilla.exe [2007-2-28 1740800]
Uninstall.lnk - c:\program files\FileZilla\uninstall.exe [2007-6-7 63258]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv58AC]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"uvnc_service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Documents and Settings\\RAGARRETT\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
"RemoteAddresses"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 3:32 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 248656]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 4:33 AM 269520]
R2 K9;K9 Time Synchronization;c:\windows\system32\k9nt.exe [5/25/2007 10:26 AM 73728]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [8/1/2006 9:45 AM 57344]
S0 biizvfx;biizvfx; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 3:52 PM 135664]
S2 srv58AC;srv58AC;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 3:00 AM 14336]
S3 cpuz134;cpuz134; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 3:52 PM 135664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 3:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 uvnc_service;uvnc_service; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
srv58AC
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-24 23:05]
.
2011-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 20:52]
.
2011-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 20:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://celrs/Reports/Reserved.ReportViewerWebControl.axd?ReportSession=bxgzax55zrbhvjzy2gyvr255&ControlID=eee6ee2a3ce64736b7a9f3979a7fafb6&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab&Arch=X86
DPF: {F91AB7B8-EE67-42AF-A5AA-8E232C396A04} - hxxps://creditcommander.microbilt.com/cabs/htmlprint.cab
.
Supplementary scan did not complete!
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{2083a5f7-39dd-410a-95db-0afc2dcc29f4} - c:\program files\CelebSauce\bar\2.bin\kaSrcAs.dll
HKCU-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\YspService.exe
HKLM-Run-WeatherBlink Browser Plugin Loader - c:\progra~1\WEATHE~2\bar\2.bin\gcbrmon.exe
HKLM-Run-CelebSauce Browser Plugin Loader - c:\progra~1\CELEBS~2\bar\2.bin\kabrmon.exe
HKLM-Run-dSPEfJqNGav.exe - c:\documents and settings\All Users\Application Data\dSPEfJqNGav.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
AddRemove-Reimage Repair - c:\program files\Reimage\Reimage Repair\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-02 23:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\srv58AC]
"servicedll"="\\?\globalroot\Device\HarddiskVolume1\WINDOWS\Temp\srv58AC.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2011-12-02 23:23:12
ComboFix-quarantined-files.txt 2011-12-03 04:22
ComboFix2.txt 2011-04-11 13:13
.
.
Post-Run: 40,989,605,888 bytes free
.
- - End Of File - - 5D0A543511305B7C4687D0D11E124985

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.
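
Added example, not part of the original thread and not ComboFix's own code: a small Python triage pass over the autostart and firewall entries of a log like the one posted in #9. The sample lines are copied from that log; the rule set and the names `triage` and `USER_WRITABLE` are assumptions of this example.

```python
import re

# Lines copied from the ComboFix log posted in #9 (section headers and values).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"aoChCgeHApgo"="c:\documents and settings\All Users\Application Data\aoChCgeHApgo.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\srv58AC]
"servicedll"="\\?\globalroot\Device\HarddiskVolume1\WINDOWS\Temp\srv58AC.tmp"
'''

SECTION = re.compile(r'^\[(.+)\]$')           # [registry key]
VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"= data
# Folders any user can write to (assumed rule set for this example).
USER_WRITABLE = ("\\application data\\", "\\temp\\", "\\local settings\\")


def triage(log_text):
    """Return (section, value name, reason) for entries worth a manual look."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        # Keep only the quoted path, dropping the trailing "[date size]" field.
        quoted = re.match(r'"([^"]*)"', data)
        data = (quoted.group(1) if quoted else data).lower()
        reason = None
        if section.endswith("\\currentversion\\run") and any(p in data for p in USER_WRITABLE):
            reason = "autorun from user-writable folder"
        elif name.lower() == "servicedll" and (
                "\\temp\\" in data or data.startswith("\\\\?\\globalroot")):
            reason = "service DLL loaded from Temp or a raw device path"
        elif name.lower() == "enablefirewall" and data.startswith("0"):
            reason = "Windows Firewall disabled"
        elif section.endswith("\\globallyopenports\\list"):
            reason = "firewall port opened to inbound traffic"
        if reason:
            findings.append((section, name, reason))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {name}  [{section}]")
```

Each hit is a lead to review by hand, not a verdict: legitimate software can also start from Application Data, and an open port may be intentional.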



#10
December 3, 2011 at 19:22:01
Guapo is probably right about the virus vector, but make sure the router has a custom administrative password. Also, you are correct that workgroups afford zero privacy or protection. They are for identification only.


#11
December 3, 2011 at 19:32:03
I believe I got it all cleaned. I ran super antispyware today and it did not find any trojans, just adware is all. I am going to run combofix again just to be on the safe side. Then run Malwarebytes. I just confirmed it. It may be back to like it was before the first virus. Before the first virus there was a magicjack icon. After it had the first virus back in April that hid everything, it has not been there since. Now it's back and there are more icons than there were on the desktop. Maybe it is clean this time. Only time will tell. Well, my dog is standing at his food tray barking. I guess he is telling me he is hungry? Take care and thanks for the help.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.



#12
December 3, 2011 at 19:41:36
"I am going to run combofix again"
Uninstall & download the latest version.

ComboFix
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.myantispyware.com/2007/1...
http://www.jamiiforums.com/download...
http://forums.majorgeeks.com/showth...
How to uninstall combofix
http://www.myantispyware.com/2008/0...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...



#13
December 4, 2011 at 17:47:16
I took it back because he needed it. I "hope" it's cleaned. I scanned with Malwarebytes before I took it back. It found one PUP. It is slow. I guess I am used to Windows 7 and 3 GB RAM on my laptop and 5 GB on my desktop so that may be why it seems slow.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.



#14
December 4, 2011 at 17:49:52
For some reason I am not able to edit the above message. I meant to add: I turned off System Restore. Only because I think the infections are hiding there.

Just because the OP does not come back in 3 or 4 days to reply, does not mean he will not come back and reply.



#15
December 4, 2011 at 18:12:52
"I turned off System Restore. Only because I think the infections are hiding there."
There probably was.

Turning off removes all old restore points, turning back on starts afresh.

