JAva: CVE-2010-0 842-A

hy,
I was infected with JAva: CVE-2010-0 842-A
I have removed java, but still computer is not working OK, I also deleted regestry which it create.
Any idea what it does, and what is the right way to remove it?

Thanks, G

When I go to task maneger there are many same proceses running :stuck_out_tongue:
Like 15 crome.exe
is that normal?

JAva: CVE-2010-0 842-A is an exploit trying to exploit a security hole
if all your progams and OS is updated it should not be affected

Try these

DrWeb CureIt http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/?lng=en
Norman Malware Cleaner http://www.norman.com/support/support_tools/malware_cleaner/

Download and save to desktop, and run from there
The programs are fully updated when downloaded.
They are not installed so when done, just drag them to the recycle bin

Yes it has affected my system, I saw I have to made few updates but I waited–>> looks kike too long :frowning:
I have got screen with bacgound full of numbers, and some program started to run(which I have never seen before) like scaning my computer and tell me what all files are infected, and asking me if I wanna stay unprotected, also some other programs just start running. and on the right side on bottom there were 2 new icons, so I thought for a start I will just try them not to run, so I go to CCcleaner and in register I disable all weird enteries, then I restarted and everything seem to be ok, but after a while it started again, so I again disable new entery in register, run avast before windows start, and I saw the message to know what virus was, then I unnistalled Java, and deleted sun folder, now seems to be ok, but when I go to Windows task maneger there are like 15 crome processes and also some other are in duble or triple.
You think this program you recommended will help?
Thanks, G

You think this program you recommended will help?
that was why i suggested them ;)
....like scaning my computer and tell me what all files are infected, and asking me if I wanna stay unprotected,....
It looks as you also have a Rogue infection.....meaning a Fake security program so you should also run this

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
always update the program so you have latest database before you scan
click the remove selected button to quarantine anything found

please post the scan log here

03/10/2011 00:41
Scan of all local drives

File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\34\b106aa2-332bd877|>lorry\Debuggr.class is infected by Other:Malware-gen, Deleted
File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\46\580c06ee-545a6ade|>F.class is infected by Other:Malware-gen, Deleted
File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\46\580c06ee-545a6ade|>Google.class is infected by Other:Malware-gen, Deleted
File C:\Documents and Settings\user\Local Settings\Temp\3S1UGEvN.zip.part|>includes\js\wz_tooltip.js Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\user\Local Settings\Temp\4749315\ymsgr_inst_us.exe|>[Embedded_R#001280]|>Wise0925.bin Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\user\Local Settings\Temp\H\Trend Micro\AU_Data\AU_Cache\tmus1-transcend-p.activeupdate.trendmicro.com\cvsapi735.zip|>lpt$vpn.735 Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\user\Local Settings\Temp\H\Trend Micro\AU_Data\AU_Temp\6032_3468\AU_Down\pattern\cvsapi735.zip|>lpt$vpn.735 Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\user\Local Settings\Temp\rQxiDMfh.zip.part|>installation\language\fr-FR\fr-FR.ini Error 42125 {ZIP archive is corrupted.}
File D:\Download\script_39.zip|>osDate_v253\public_html\plugins\autogenprofile\sample_data\profile_images\f_26_w_0014.jpg Error 42125 {ZIP archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\01_Funkerman_Speed Up (Granite and Phunk Bi_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\02_G and G Feat. Gary Wright_My My My (Comin Apart) (Klaas_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\03_Ian Oliver Feat. Eastenders_Vino Vino (Ian Olivers Clubovi_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\Prograni_Old\AVSDVDPlayer.exe|>{sys}\mfc70.dll Error 42145 {Installer archive is corrupted.}
File D:\Prograni_Old\cascade.exe|>{embedded}\setup.exe Error 42145 {Installer archive is corrupted.}
File D:\Prograni_Old\cascade.exe|>{sys}\oleaut32.dll Error 42145 {Installer archive is corrupted.}
File D:\Prograni_Old\cascade.exe|>{app}\cascade dtp v4.exe Error 42145 {Installer archive is corrupted.}
File D:\Prograni_Old\iTunesSetup.exe|>iTunes.msi|>01Directory Error 42144 {OLE archive is corrupted.}
File D:\Prograni_Old\iTunesSetup.exe|>iTunes.msi|>01_StringData Error 42144 {OLE archive is corrupted.}
File D:\Prograni_Old\iTunesSetup.exe|>iTunes.msi Error 42127 {CAB archive is corrupted.}
File D:\Prograni_Old\PowerISO\PowerISO30.exe|>$INSTDIR\PowerISO.chm|>images\DialogSaveBootInfo.gif Error 42136 {CHM archive is corrupted.}
File D:\Restore\DRIVERS\WIN\BDCACT\Data1.cab|>F28812_BTStackServer.exe Error 42127 {CAB archive is corrupted.}
File D:\Restore\DRIVERS\WIN\DVD\3rdParty\HHUPD.EXE|>mui.cab|>040B\hhctrlui.dll Error 42127 {CAB archive is corrupted.}
File D:\Restore\DRIVERS\WIN\DVD\3rdParty\HHUPD.EXE|>mui.cab Error 42127 {CAB archive is corrupted.}
Number of searched folders: 40075
Number of tested files: 1230597
Number of infected files: 3


03/10/2011 08:56
Scan of all local drives

File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\7\73432287-579cba92|>ToolsDemo.class is infected by Java:CVE-2010-0842-A [Expl], Deleted
File C:\Documents and Settings\user\Local Settings\Temp\4749315\ymsgr_inst_us.exe|>[Embedded_R#001280]|>Wise0925.bin Error 42145 {Installer archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\01_Funkerman_Speed Up (Granite and Phunk Bi_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\02_G and G Feat. Gary Wright_My My My (Comin Apart) (Klaas_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\03_Ian Oliver Feat. Eastenders_Vino Vino (Ian Olivers Clubovi_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060704.exe|>$INSTDIR\PowerISO.chm|>images\DialogSaveBootInfo.gif Error 42136 {CHM archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060716.exe|>{sys}\mfc70.dll Error 42145 {Installer archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060717.exe|>{embedded}\setup.exe Error 42145 {Installer archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060717.exe|>{sys}\oleaut32.dll Error 42145 {Installer archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060717.exe|>{app}\cascade dtp v4.exe Error 42145 {Installer archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060718.exe|>iTunes.msi|>01Directory Error 42144 {OLE archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060718.exe|>iTunes.msi|>01_StringData Error 42144 {OLE archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060718.exe|>iTunes.msi Error 42127 {CAB archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060924.EXE|>mui.cab|>040B\hhctrlui.dll Error 42127 {CAB archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060924.EXE|>mui.cab Error 42127 {CAB archive is corrupted.}
Number of searched folders: 21828
Number of tested files: 796792
Number of infected files: 1


03/10/2011 14:00
Scan of all local drives

File C:\Documents and Settings\user\Local Settings\Temp\4749315\ymsgr_inst_us.exe|>[Embedded_R#001280]|>Wise0925.bin Error 42145 {Installer archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\01_Funkerman_Speed Up (Granite and Phunk Bi_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\02_G and G Feat. Gary Wright_My My My (Comin Apart) (Klaas_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\Downloads\VA_Ultimate.House_2CD-2008_(TerritorioMusic.com).rar|>CD 1\03_Ian Oliver Feat. Eastenders_Vino Vino (Ian Olivers Clubovi_(TerritorioMusic.com).mp3 Error 42126 {RAR archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060704.exe|>$INSTDIR\PowerISO.chm|>images\DialogSaveBootInfo.gif Error 42136 {CHM archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060716.exe|>{sys}\mfc70.dll Error 42145 {Installer archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060717.exe|>{embedded}\setup.exe Error 42145 {Installer archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060717.exe|>{sys}\oleaut32.dll Error 42145 {Installer archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060717.exe|>{app}\cascade dtp v4.exe Error 42145 {Installer archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060718.exe|>iTunes.msi|>01Directory Error 42144 {OLE archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060718.exe|>iTunes.msi|>01_StringData Error 42144 {OLE archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060718.exe|>iTunes.msi Error 42127 {CAB archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060924.EXE|>mui.cab|>040B\hhctrlui.dll Error 42127 {CAB archive is corrupted.}
File D:\System Volume Information_restore{BB0E7E5B-FAC6-434D-8111-0E98273FA171}\RP546\A0060924.EXE|>mui.cab Error 42127 {CAB archive is corrupted.}
Number of searched folders: 21712
Number of tested files: 756875
Number of infected files: 0

File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\7\73432287-579cba92|>ToolsDemo.class is infected by Java:CVE-2010-0842-A [Expl], Deleted
Looks as Dr.Web got that one ;) just continue with the other tools

hy, that was fom avast after I run Dr Web and didnd find nothing, and there are still like 15 come.exe processes runing :frowning:
I think it(virus) has dameged some file

OK
I am at work now so i will PM Essexboy so he can have a look, he is the removal expert…

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

here is the attached report from OTS
Thanks, G

It has again been attacked, and blocked with avast, doe I dont know where too look which file it was looking to file system shield, last file infected, but this file and folder does not exist(I have turned on show hidden files and folders)
Thanks, G

when I go RUN and Netstat the window after few second close by itself, I am not using any router. Maybe somebody accessing my computer?
Any other way to see open ports?

Nope you have malware - at one stage you disabled it by MSConfig - but it is back. Probably from the infected USB you are using

On completion of this fix int the folder C:_OTS will be a zip file please upload to Mediafire and post the sharing link.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\user\Application Data\Mozilla\FireFox\Profiles\q8pt8r8q.default\prefs.js
YN -> extensions.enabledItems -> seo4firefox@seobook.com:3.3.0
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68}" [HKLM] -> [FireShot]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> "C:\Documents and Settings\user\Application Data\gmcevcadereoc3idypgpkvqeztnwcai2\csrss.exe" -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\DOCUME~1\user\LOCALS~1\Temp\0.8108138830993659.exe" -> [C:\DOCUME~1\user\LOCALS~1\Temp\0.8108138830993659.exe:*:Enabled:ldrsoft]
YN -> "C:\Documents and Settings\user\Application Data\gmcevcadereoc3idypgpkvqeztnwcai2\csrss.exe" -> [C:\Documents and Settings\user\Application Data\gmcevcadereoc3idypgpkvqeztnwcai2\csrss.exe:*:Enabled:ldrsoft]
YY -> "C:\Documents and Settings\user\Application Data\xunmzwyrji2tbauviodtwo3bvcrpc2ui2\svcnost.exe" -> C:\Documents and Settings\user\Application Data\xunmzwyrji2tbauviodtwo3bvcrpc2ui2\svcnost.exe [C:\Documents and Settings\user\Application Data\xunmzwyrji2tbauviodtwo3bvcrpc2ui2\svcnost.exe:*:Enabled:ldrsoft]
YY -> "C:\Documents and Settings\user\Application Data\xyauoftiibdow2teeazn2vfatcdl1uqx2\svcnost.exe" -> C:\Documents and Settings\user\Application Data\xyauoftiibdow2teeazn2vfatcdl1uqx2\svcnost.exe [C:\Documents and Settings\user\Application Data\xyauoftiibdow2teeazn2vfatcdl1uqx2\svcnost.exe:*:Enabled:ldrsoft]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{410dc580-c644-11de-adaa-000cf14c9661} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{410dc580-c644-11de-adaa-000cf14c9661}\Shell\AutoRun\command -> 
YN -> \{410dc580-c644-11de-adaa-000cf14c9661}\Shell\AutoRun\command\\"" -> [H:\fooool.exe]
YN -> \{410dc580-c644-11de-adaa-000cf14c9661} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{410dc580-c644-11de-adaa-000cf14c9661}\Shell\explore\Command -> 
YN -> \{410dc580-c644-11de-adaa-000cf14c9661}\Shell\explore\Command\\"" -> [H:\fooool.exe]
YN -> \{410dc580-c644-11de-adaa-000cf14c9661} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{410dc580-c644-11de-adaa-000cf14c9661}\Shell\open\Command -> 
YN -> \{410dc580-c644-11de-adaa-000cf14c9661}\Shell\open\Command\\"" -> [H:\fooool.exe]
YN -> \{6436358c-78fa-11dd-9100-d5cd3b9a4bd9} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6436358c-78fa-11dd-9100-d5cd3b9a4bd9}\Shell\AutoRun\command -> 
YN -> \{6436358c-78fa-11dd-9100-d5cd3b9a4bd9}\Shell\AutoRun\command\\"" -> [F:\nideiect.com]
YN -> \{6436358c-78fa-11dd-9100-d5cd3b9a4bd9} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6436358c-78fa-11dd-9100-d5cd3b9a4bd9}\Shell\explore\Command -> 
YN -> \{6436358c-78fa-11dd-9100-d5cd3b9a4bd9}\Shell\explore\Command\\"" -> [F:\nideiect.com]
YN -> \{6436358c-78fa-11dd-9100-d5cd3b9a4bd9} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6436358c-78fa-11dd-9100-d5cd3b9a4bd9}\Shell\open\Command -> 
YN -> \{6436358c-78fa-11dd-9100-d5cd3b9a4bd9}\Shell\open\Command\\"" -> [F:\nideiect.com]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YY -> mssend hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Documents and Settings\user\Application Data\xyauoftiibdow2teeazn2vfatcdl1uqx2\svcnost.exe
[Files/Folders - Created Within 30 Days]
NY ->  xyauoftiibdow2teeazn2vfatcdl1uqx2 -> C:\Documents and Settings\user\Application Data\xyauoftiibdow2teeazn2vfatcdl1uqx2
NY ->  xunmzwyrji2tbauviodtwo3bvcrpc2ui2 -> C:\Documents and Settings\user\Application Data\xunmzwyrji2tbauviodtwo3bvcrpc2ui2
NY ->  gmce111111111111111 -> C:\Documents and Settings\user\Application Data\gmce111111111111111
NY ->  oaozxuztvzinbabzpnpkusxxxdwoveo2 -> C:\Documents and Settings\user\Application Data\oaozxuztvzinbabzpnpkusxxxdwoveo2
NY ->  iDkCbDc24400 -> C:\Documents and Settings\All Users\Application Data\iDkCbDc24400
[File - Lop Check]
NY ->  iDkCbDc24400 -> C:\Documents and Settings\All Users\Application Data\iDkCbDc24400
NY ->  Tarma Installer -> C:\Documents and Settings\All Users\Application Data\Tarma Installer
NY ->  gmce111111111111111 -> C:\Documents and Settings\user\Application Data\gmce111111111111111
NY ->  xunmzwyrji2tbauviodtwo3bvcrpc2ui2 -> C:\Documents and Settings\user\Application Data\xunmzwyrji2tbauviodtwo3bvcrpc2ui2
NY ->  xyauoftiibdow2teeazn2vfatcdl1uqx2 -> C:\Documents and Settings\user\Application Data\xyauoftiibdow2teeazn2vfatcdl1uqx2
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Link: http://www.mediafire.com/file/9jonfwq7j33u8ah/_ots.rar
but seems nothing is working better looks like new instalation is best sulution :frowning:

Maybe not - I will use the biggun now

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

hy, there is attached file
still like 15 crome processes :frowning:

Open task manager and close the chrome processes down one by one and let me know whether they respawn please

hy, looks like this are for plugins, as I close them I got report that plugin has colapsed, but there are also many others that are same in many numbers, see attached file.
if I end svch.exe, it is keep reapearing
and when run netstat it is still closing, doe running a bit longer

Svchost is probably being used by Chrome - how many addons/plugins do you have for it
Also what version of Chrome do you have