SVCHOST Malicious url keeps popping up

Hi,

Much like another user just posted, I too keep getting this Avast popup:

I keep getting an Avast pop-up that says:
“Malicious URL Blocked.”
It then shows the alleged URL that was blocked and states:
Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe

I scanned with MBAM and got this.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.29.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Karen :: KAREN-PC [administrator]

29/05/2012 7:21:41 AM
mbam-log-2012-05-29 (07-21-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219491
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Karen\AppData\Local\Temp\tempfiles.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.

(end)

Then I had to restart my computer so it could remove the Trojan. Note that since then Avast is still complaining about the malicious url with svchost.exe.

Then I downloaded OTL and ran it. Only attaching Extras log file here, and OTL log file will be in next reply (due to sizes).

Then I downloaded and ran aswMBR.exe, log will be attached in next reply since it is 2kb.

Thank you kindly,
Karen

OTL Log file

aswMBR.exe log file

Hi,

I’m new here - is there anything else I’m supposed to provide and/or do?

Thank you!
Karen

nope…now you wait… and it may take several hours

No, it is just that there aren’t that many malware removal specialists (volunteers) to analyse the logs. I will try and get one to take a look at them.

Thank you all, I will check back in later today hopefully get some feedback.

Thanks again,
Karen

Hi,

Sorry for the delay…things have been pretty hectic as of late. While I am reviewing your malware logs please do the following…

Download CKScanner by askey127 from Here & save it to your Desktop.
- Right-click and Run as Administrator CKScanner.exe then click Search For Files
- When the cursor hourglass disappears, click Save List To File
- A message box will verify the file saved
- Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply


Hi Jeff,

Thank you:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler1.dll
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler2.dll
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler6.dll
c:\program files (x86)\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\program files (x86)\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
c:\program files (x86)\android\android-sdk\docs\reference\java\security\spec\rsakeygenparameterspec.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygenerator.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygeneratorspi.html
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\idl\nsikeygenthread.idl
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\include\nsikeygenthread.h
c:\program files (x86)\gimphoto 1.4.3\share\gimp\2.0\patterns\cracked.pat
c:\program files (x86)\git\bin\ssh-keygen.exe
c:\program files (x86)\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\cmd.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.coderush.common.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.data.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.utils.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\gacutil.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\register.bat
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\sn.exe
c:\users\karen\downloads\iphone apps and games\pb_fantasies-v1.1.1805-cracked_by_trancewarp.ipa
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\d.o.c-howto-crack-a-game.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd protection.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd’s.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\wolf-howto-crack-any-cdprotection.doc
c:\users\karen\downloads\marketing\web_content_studio_[software_(msi)+crack(exe)+_instructions(txt)].rar
c:\users\karen\downloads\pc games\9 - the dark side collector’s edition - full precracked - foxy games\9 - the dark side collector’s edition - full precracked - foxy games.exe
c:\users\karen\downloads\pc games\9 - the dark side collector’s edition - full precracked - foxy games\torrent downloaded from demonoid.me.txt
c:\users\karen\scrapbooking\scrappingtable\theme sets\easter jubilee\eggcracked.scut2
c:\users\karen\scrapbooking\scrappingtable\theme sets\patriotic picnic\firecracker.scut2
c:\web content studio [software (msi) + crack (exe) + instructions(txt)]\crack\webcontentstudio.exe
scanner sequence 3.ZZ.11.XQNALM
----- EOF -----

Karen

Hi,

CKScanner has detected illegal software on your system. Besides being illegal, it’s the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of illegal software except for their removal. If I were to continue helping you with illegal software installed, it could be construed in the eyes of the law as aiding and abetting a crime.

This may or may not be related to your computer issues, however, if you wish me to continue helping you, then you must remove both the keygen and crack files as well as the related programs. If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean. Please let me know if you wish to continue.

Hi Jeff,

I definitely want you to continue to help me; what should I do? My son uses this computer also. I don’t know what to delete that you are referring to. Just the files that showed up in the CK txt?

Thank you!
Karen

Ok…

Let me work up a fix to remove these and the rest of the items that I am seeing in the OTL logs. :slight_smile: I will return as quickly as I can.

Hi,

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:

:Services

:OTL
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=CEF4FC3DC34809F10EFC994FC0AD9563&tbp=homepage
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100842&mntrId=eec62336000000000000001ee5df9879
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=CEF4FC3DC34809F10EFC994FC0AD9563&q={searchTerms}
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll ()
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll ()
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O33 - MountPoints2\{1b44f99a-8cc7-11e0-871c-842b2bbca7e1}\Shell - "" = AutoRun
O33 - MountPoints2\{1b44f99a-8cc7-11e0-871c-842b2bbca7e1}\Shell\AutoRun\command - "" = "J:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell - "" = AutoRun
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\AutoRun\command - "" = J:\autorun.exe
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\readme\command - "" = notepad readme.txt
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\Setup\command - "" = J:\install.exe
[2012/05/26 07:16:57 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
[2012/05/26 07:16:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\blekkotb_031
[1 C:\Users\Karen\Documents\*.tmp files -> C:\Users\Karen\Documents\*.tmp -> ]
[2012/05/23 08:41:52 | 000,007,680 | ---- | M] () -- C:\Users\Karen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/21 18:11:14 | 000,000,000 | ---D | M] -- C:\Users\Karen\AppData\Roaming\Babylon
@Alternate Data Stream - 60 bytes -> C:\Users\Karen\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 255 bytes -> C:\Users\Karen\Documents\invite_2.ai:com.apple.Preview.UIstate.v1
@Alternate Data Stream - 252 bytes -> C:\Users\Karen\Documents\80WebsitesToFindPopularTrends.pdf:com.apple.Preview.UIstate.v1
@Alternate Data Stream - 235 bytes -> C:\ProgramData\Temp:1A15E356
@Alternate Data Stream - 232 bytes -> C:\ProgramData\Temp:0BBF232A
@Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:F89F2593
@Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:737160C1
@Alternate Data Stream - 222 bytes -> C:\ProgramData\Temp:AECF4772
@Alternate Data Stream - 221 bytes -> C:\ProgramData\Temp:A02025CE
@Alternate Data Stream - 216 bytes -> C:\ProgramData\Temp:2D2461E7
@Alternate Data Stream - 214 bytes -> C:\ProgramData\Temp:512E1728
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:9BB8C675
@Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:491270B8
@Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:4D551822
@Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:14B2E0BD
@Alternate Data Stream - 136 bytes -> C:\ProgramData\Temp:24FECE50
@Alternate Data Stream - 134 bytes -> C:\ProgramData\Temp:905BCB57
@Alternate Data Stream - 132 bytes -> C:\ProgramData\Temp:9F3CEEE6
@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:75798D9A
@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:1B389835
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
@Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:5A2E8BBF
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:59465B40
@Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:CAC06C34
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:9BAC4211
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:8204AA35
@Alternate Data Stream - 117 bytes -> C:\ProgramData\Temp:B139DDF3
@Alternate Data Stream - 105 bytes -> C:\ProgramData\Temp:DFC5A2B2

:Files
c:\program files (x86)\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\program files (x86)\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
c:\program files (x86)\android\android-sdk\docs\reference\java\security\spec\rsakeygenparameterspec.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygenerator.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygeneratorspi.html
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\idl\nsikeygenthread.idl
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\include\nsikeygenthread.h
c:\program files (x86)\gimphoto 1.4.3\share\gimp\2.0\patterns\cracked.pat
c:\program files (x86)\git\bin\ssh-keygen.exe
c:\program files (x86)\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\cmd.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.coderush.common.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.data.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.utils.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\gacutil.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\register.bat
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\sn.exe
c:\users\karen\downloads\iphone apps and games\pb_fantasies-v1.1.1805-cracked_by_trancewarp.ipa
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\d.o.c-howto-crack-a-game.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd protection.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd's.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\wolf-howto-crack-any-cdprotection.doc
c:\users\karen\downloads\marketing\web_content_studio_[software_(msi)_+_crack_(exe)_+_instructions(txt)].rar
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\9 - the dark side collector's edition - full precracked - foxy games.exe
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\torrent downloaded from demonoid.me.txt
c:\users\karen\scrapbooking\scrappingtable\theme sets\easter jubilee\eggcracked.scut2
c:\users\karen\scrapbooking\scrappingtable\theme sets\patriotic picnic\firecracker.scut2
c:\web content studio [software (msi) + crack (exe) + instructions(txt)]\crack\webcontentstudio.exe
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)

Hi Jeff,

I did as instructed, but when I went to run OTL the last time, I did uncheck LOP and Purity but when I clicked Quick Scan I looked and those 2 options got selected again.

Thank you,
Karen

Hi,

I see that you have both Avast and AVG on your system. You should only run one antivirus program at a time as running more than one will cause system problems eventually. Let me know which one you would like to remove.

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic


In your next reply please let me know which antivirus you want to remove and attach the logs to Malwarebytes and ESET online scanner. :slight_smile:

Hi Jeff,

I’d like to remove AVG and Keep AVAST.

Here is ESET log results and attached is Malwarebytes log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

version=7

iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

OnlineScanner.ocx=1.0.0.6583

api_version=3.0.2

EOSSerial=b8bc8138c1354e489eaa6e8952d536b7

end=finished

remove_checked=false

archives_checked=false

unwanted_checked=true

unsafe_checked=false

antistealth_checked=true

utc_time=2012-05-31 03:11:47

local_time=2012-05-31 12:11:47 (-0400, Atlantic Daylight Time)

country="Canada"

lang=1033

osver=6.1.7601 NT Service Pack 1

compatibility_mode=1280 16777215 100 0 0 0 0 0

compatibility_mode=5893 16776574 33 85 23941150 89969199 0 0

compatibility_mode=8192 67108863 100 0 0 0 0 0

scanned=553467

found=11

cleaned=0

scan_time=8157

C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarEng.dll Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarsrv.exe probably a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Bookmarkwiz\bookmarkwiz.exe a variant of Win32/Packed.PrivateexeProtector.F application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Karen\AppData\Local\dplayx.dll a variant of Win32/Kryptik.AEKJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Karen\Documents\hosts2.txt Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Karen\Downloads\cnet2_revosetup_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Windows\Installer\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\n Win64/Sirefef.W trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\Installer\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\U\80000000.@ Win64/Sirefef.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\05302012_140604\C_Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarTlbr.dll Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\05302012_140604\C_Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\bh\BabylonToolbar.dll Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
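The ESET Online Scanner log in the post above has a fixed shape: a key=value header, then one line per detection holding the path, the threat description, the action in parentheses, a 32-hex hash and a flag. The Python below is an added example (not code from the thread or from any of the tools used in it) that parses that format, splits trojan detections from what ESET labels "application" (potentially unwanted software, treated as PUA here on the strength of the visible log), and checks the header's found count and remove_checked flag against the body. The input is a constructed, abridged excerpt in the same format as the posted log.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the format of the ESET Online Scanner log posted above:
# header trimmed to a few keys, five of the eleven detection lines kept, found= adjusted.
SAMPLE_LOG = r"""version=7
remove_checked=false
unwanted_checked=true
scanned=553467
found=5
cleaned=0
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Karen\AppData\Local\dplayx.dll a variant of Win32/Kryptik.AEKJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Karen\Documents\hosts2.txt Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\Installer\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\U\80000000.@ Win64/Sirefef.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Bookmarkwiz\bookmarkwiz.exe a variant of Win32/Packed.PrivateexeProtector.F application (unable to clean) 00000000000000000000000000000000 I
"""

# One detection line: <path> [probably ][a variant of ]<threat> <kind> (<action>) <32-hex> <flag>.
# Paths may contain spaces, so the path group is non-greedy and the fixed tail anchors the match.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<qualifier>(?:probably )?a variant of )?"
    r"(?P<threat>\S+) (?P<kind>[a-z]+) \((?P<action>[^)]+)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    kind: str        # "application" (potentially unwanted) or "trojan"
    action: str      # e.g. "unable to clean"
    qualifier: str   # "", "a variant of" or "probably a variant of"


def parse_eset_log(text):
    """Return (header, detections). Header values are lists because keys such as
    compatibility_mode repeat in the real log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["threat"], m["kind"],
                                        m["action"], (m["qualifier"] or "").strip()))
        elif "=" in line:
            key, _, value = line.partition("=")
            header.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return header, detections


def triage(header, detections):
    """Split detections into malware vs. potentially unwanted applications and
    sanity-check the header against the body."""
    found = int(header.get("found", ["0"])[0])
    removal_enabled = header.get("remove_checked", ["false"])[0].lower() == "true"
    uncleaned = [d for d in detections if d.action.startswith("unable")]
    return {
        "found_matches_body": found == len(detections),
        "malware": [d for d in detections if d.kind != "application"],
        "pua": [d for d in detections if d.kind == "application"],
        "removal_enabled": removal_enabled,
        # cleaned=0 is the expected outcome when "Remove found threats" was left
        # unticked, as the instructions above asked; it is not a scanner failure.
        "nothing_cleaned_is_expected": not removal_enabled and len(uncleaned) == len(detections),
    }


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    result = triage(hdr, dets)
    print(f"found={hdr['found'][0]} parsed={len(dets)} consistent={result['found_matches_body']}")
    for d in result["malware"]:
        print(f"MALWARE  {d.threat:<32} {d.path}")
    for d in result["pua"]:
        print(f"PUA      {d.threat:<32} {d.path}")
```

Run against the full log from the post, the same triage gives 4 malware entries and 7 PUA entries against found=11, with every line marked unable to clean because removal was deliberately left off.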

Hi,

Ok…thanks for letting me know about the antivirus you would like to remove.

The ESET log is interesting… please do the following…

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.

Hi Jeff,

I did as instructed, but when I ran (as Administrator) the ComboFix.exe on my desktop, what happened was a window appeared (black background, bright green text) and several lines scrolled by then all of a sudden nothing. All my desktop icons disappeared, I waited, after a minute they all came back, but my Chrome browser was shut down. I tested this 3 times and same results. Plus there is no ComboFix.txt file that gets created. But what is odd is during that scrolling green text it said it was making something (dir or whatever) and it IS on my C:\ when I open Windows Explorer. It is called 32788R22FWJFW and when I click on that it then appears NOT to be a folder, but instead shows me my drives (same thing I see if I click on “Computer”). Very strange!

Not sure what to do…

Thank you,
Karen

Hi,

Go ahead and run ComboFix in Safe Mode and see if it will run through. If so please attach the log that is made. :slight_smile:

Did this (twice, once Safe mode w/ Networking, once Safe mode without). Still didn’t act any differently.

Except this time that funny numeric folder I described, is actually a folder with a bunch of files in it (executables, .dat, .inf, etc). Very odd.

But still no ComboFix.txt file anywhere.

New problem though, cannot load into Windows at all. I reboot in normal mode and Windows is loading, asks me for my password, and then I just get the spinning circle and “Welcome” but my desktop NEVER loads. Do you know how to fix this? I’m freaking out a bit here… Right now I’m typing this on a different machine (mac).

Please please hope you can help… I will try rebooting and seeing if I can get in with Safe mode. Have to head to sleep shortly.

Thank you,
Karen