PhilliePhan 171 Central Scrutinizer Team Colleague

...download Hijack This and run it and copy and paste your log file here. ...If you can provide that, I'll take a look at it and see if we can get you resolved.

HijackThis is next to useless these days.

We prefer people to follow the steps in the link posted by crunchie earlier - they give us a much more thorough look at the computer.

Here are the 'rules and regulations' for the forum:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/368036

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865


-- Any knowledgeable and thorough assistance you wish to provide is welcome here as long as the "standard operating procedure" linked above is followed.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

today I started a boot scan on my system (avast)....

This is a known issue with Avast! and its boot scan.

Have a look at these threads for further info:

http://social.microsoft.com/Forums/en-US/genuinevista/thread/e2f066b3-2517-41bc-8fad-4c036f2f4ac8

http://social.microsoft.com/Forums/en-US/genuinevista/thread/914e08f4-15d6-4c06-90e1-baaecb0068fd

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I really appreciate the responses, guys. I actually found a guy who's a family friend that's gonna help me (: I was a bit nervous to do it myself, for fear of deleting something important from my laptop.
Thanks for trying to help though!

Great!
Good luck to you :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Miranda,

It would be best if you tried to complete the steps in the linky below and post the requested scanlogs:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Do the steps as best you can - they really aren't too formidable. At the very least, do the MBAM scan and have it remove what it finds and then post the log for us.

I or another volunteer will try to check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll try that & let y'all know. Here, though, is a different take on the same question: does anyone know of software that will capture video to .gif format? Would cut out the need to convert files.

I think some of the AvlanDesign apps will do that. I know that they do snapshot capture....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Am I doing something wrong, there doesn't seem to be any help with the program?

I do not know - I've never had a problem, but I use an older version of SUPER and manipulate the .gifs with Animation Shop.

If this is something really important to you, you might want to step up to http://www.avlandesign.com/vp.htm - The trial period ought to be enough to determine whether it'd be a good investment.

http://www.avlandesign.com/

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I need to convert many small .mpg files to .gif files. I prefer freeware, but pay-for-it software, if not too too expensive but works really well, is also acceptable. Anyone know of really good software to do this type of conversion?

You could try SUPER. It is a nice freeware that I used to use to create .gif avatars:

http://www.erightsoft.com/SUPER.html

Not sure if it is "professional" enough, but it did the job for me.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Please try this as well:

Please download ExWin.exe and run it.
-- Click "Extract" and it will extract the ExWin folder to C:\ExWin.
-- Please open that folder and run RunThis.bat.

If need be, command line to run it is C:\ExWin\RunThis.bat ENTER

Anyhoo, once it runs (3-5 minutes), a log will pop up. Please post that for us.
Also, reboot your computer afterwards and see if there is any improvement.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Interesting document.

Thanks for all the help.

You're welcome :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks, I found the .js file for firefox in my roaming folder.

Appreciate the help, still looking for the same data for IE, and Chrome.

You'll probably find this useful:
Web Browser Session Restore Forensics.pdf

It covers IE and Firefox.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Where can this information be found? Is it in the registry, in a cookie, cache.. or somewhere else?
Appreciate any help.

Hi Suzie,

I use Firefox and, on my XP Box, that info is in Sessionstore.js

I think the full path is something like:

%SystemDrive%\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random>.default\Sessionstore.js

OR:

%APPDATA%\Mozilla\Firefox\Profiles\<random>.default\Sessionstore.js

Cheers :)
PP
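As an added example (not code from the post or from Mozilla), the following Python script shows what a forensic examiner would pull out of the Sessionstore.js file named above: the file is JSON, and under the legacy layout assumed here each window holds a list of tabs, each tab holds its back/forward history as "entries" with a 1-based "index" pointing at the entry currently shown, and recently closed tabs survive under "_closedTabs". The sample session embedded below is constructed for the demo, not taken from any real profile.

```python
"""Extract browsing history from a legacy Firefox sessionstore.js (JSON)."""
import json

# Constructed sample in the legacy sessionstore.js layout, not taken from a
# real profile.  The field names (windows / tabs / entries / index /
# _closedTabs) are assumptions about the pre-jsonlz4 format.
SAMPLE_SESSIONSTORE = json.dumps({
    "windows": [{
        "tabs": [
            {"entries": [
                {"url": "http://example.com/login", "title": "Login"},
                {"url": "http://example.com/inbox", "title": "Inbox"}],
             "index": 2},
            {"entries": [{"url": "http://example.net/news", "title": "News"}],
             "index": 1}],
        "_closedTabs": [
            {"state": {"entries": [{"url": "http://example.org/secret",
                                    "title": "Secret"}], "index": 1}}],
        "selected": 1}],
    "selectedWindow": 1
})


def _entries_of(tab):
    """Yield (position, url, title, is_current) for one tab record."""
    entries = tab.get("entries", [])
    current = tab.get("index", len(entries))  # 1-based in the file
    for pos, entry in enumerate(entries, start=1):
        yield pos, entry.get("url", ""), entry.get("title", ""), pos == current


def parse_sessionstore(text):
    """Return one dict per history entry found in the session.

    Each dict carries the window and tab numbers, whether the tab was open or
    closed when the file was written, the entry's position in that tab's
    back/forward history, and whether it was the entry being displayed.
    """
    data = json.loads(text)
    rows = []
    for w_no, window in enumerate(data.get("windows", []), start=1):
        for t_no, tab in enumerate(window.get("tabs", []), start=1):
            for pos, url, title, cur in _entries_of(tab):
                rows.append({"window": w_no, "tab": t_no, "state": "open",
                             "position": pos, "url": url, "title": title,
                             "current": cur})
        for t_no, closed in enumerate(window.get("_closedTabs", []), start=1):
            for pos, url, title, cur in _entries_of(closed.get("state", {})):
                rows.append({"window": w_no, "tab": t_no, "state": "closed",
                             "position": pos, "url": url, "title": title,
                             "current": cur})
    return rows


def current_urls(text):
    """URLs that were actually on screen in open tabs (the 'index' entry)."""
    return [r["url"] for r in parse_sessionstore(text)
            if r["state"] == "open" and r["current"]]


if __name__ == "__main__":
    for row in parse_sessionstore(SAMPLE_SESSIONSTORE):
        flag = "*" if row["current"] else " "
        print(f"{flag} win{row['window']} tab{row['tab']} [{row['state']}] "
              f"#{row['position']} {row['url']} ({row['title']})")
```

The point of keeping every entry rather than only the current one is that the back/forward history of a tab records pages the user visited even after navigating away, and closed tabs are still recoverable until Firefox prunes them; on a live machine, read a copy of the file, not the one Firefox has open.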

PhilliePhan 171 Central Scrutinizer Team Colleague

Why limit yourself only to those three options?
Frankly, if you are going to spend money on protection and want to go the full security suite route, Kaspersky Internet Security 2011 is difficult to beat.

I have been recommending Kaspersky for almost ten years now. I've watched as other AV products have diminished in quality or simply fallen by the wayside. Not so with Kaspersky - they seem to keep getting better.

LOL! Maybe they should put me on the payroll!! ;)


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Mary,

In addition to what gerbil has posted, I would suggest that you first give this a go if you are able (you may need to use a command prompt):

Please download ExWin.exe and run it.
Click "Extract" and it will extract the ExWin folder to C:\ExWin.
Please open that and run RunThis.bat.

Command line to run it is C:\ExWin\RunThis.bat

Anyhoo, once it runs (3-5 minutes), a log will pop up. Please post that for us.
Also, reboot your computer afterwards and see if there is any improvement.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

reg cleaners can do more harm than good. The only time a reg cleaner might be of any value is when you install and uninstall many programs that do not do a good job of cleaning up after themselves during uninstall. And even then it's questionable to use one because the cleaner could wipe out important stuff in the registry that other programs may use. But if you want to use a reg cleaner anyway, always back up the registry before doing anything.

^^ I agree 100% ^^

I typically use ccleaner after uninstalling a program - there are always registry remnants that need to be removed.
But, I also doublecheck what is being removed and I know what I am looking at when I do so.

Many people don't know what they are doing and blindly click "fix" without knowing or backing up the keys and values they are removing.... and live to regret it..... ;)

PhilliePhan 171 Central Scrutinizer Team Colleague

You are always putting your computer at risk by using freeware... Paid programs are much better than free ones.

This is quite possibly the most incorrect statement I've read in quite some time. Some of the best software I use on a regular basis is freeware.

How does freeware put your computer at risk?? Seriously?
-- Yeah, there is malware and adware involved with some freeware. But, there are a ton of great and clean free programs as well. So, a blanket statement that all are risky does a disservice for those readers of this thread that do not know better :)

PhilliePhan 171 Central Scrutinizer Team Colleague

A new Sticky Post detailing our Spyware Forum policy is now in place.

Forum Rules and Policy for First Responders
-- Any and all feedback is welcome. Just PM me with comments and concerns.

I think it is pretty clear, but I'll hit the main points again:

1) Our forum is OPEN and the majority here would like to keep it that way. Most other forums are not and they require a vetting process or some other proof of ability before people are allowed to offer advice.
Personally, I'd rather allow knowledgeable and willing volunteers to post and have the moderating team guide them if they are going in the wrong direction.

And, yes - there are many wrong directions and it is not egotistical to point them out. And, quite frankly, even those of us who have been doing this for years have had to shed some of our bad habits over that time (disabling System Restore before cleaning / forcing Safe Mode, etc...).

2) We like to have all people who request assistance run our Read Me First Sticky post steps in order to establish a plan for further cleaning. That is pretty much the way it is in every forum these days. We try to keep the steps simple and up to date.

3) Generally, telling a person to run "such and such" scanner does not help. The tools in the Read Me First are …

Nick Evan commented: Sounds good +0
PhilliePhan 171 Central Scrutinizer Team Colleague

This Sticky Post is intended for all potential volunteers who would like to contribute to Daniweb's Viruses, Spyware and other Nasties Forum.


Please be advised that this forum remains one of the last few open Anti-Malware forums on the web.

By open, we mean that anybody in the Daniweb community is allowed to respond to posts for assistance. There is no vetting process or any other knowledge requirement as to be found in the majority of other Security Forums.
Frankly, we welcome any knowledgeable volunteers who are willing to devote some of their free time to assisting others in need.

However, if you choose to post a response in this forum, we ask that you please adhere to the following Standard Operating Procedure:

-- Please refer initial posters for assistance to our Read Me First Sticky Post
We would like everyone to start with these steps so that a "baseline" for further assistance can be established.

-- Please be prepared to follow through to the end with any thread to which you respond. If you bite off more than you can chew and get in over your head, any of the moderators of this forum will be happy to assist you. This is another reason why we'd like all threads to start with the Read Me First Sticky Post.
If you are not willing or able to follow through with a poster until their machine is clean, …

jingda commented: Excellent +9
PhilliePhan 171 Central Scrutinizer Team Colleague

I suggest Comodo Internet Security.

This is an excellent free security suite.

Cheers :)
PP

jingda commented: You really are a virus expert +8
PhilliePhan 171 Central Scrutinizer Team Colleague

access is denied.
thx anyway :)

Try an elevated command prompt:

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator to open an Elevated command prompt.

Then try the command I posted earlier - Basically, I just want to check and see if WMP is already running. If it is, then trying to open a new instance will result in what you are experiencing.
You can also open Task Manager and look for the running process....

PP:)


EDIT:

Also, while the Elevated prompt is open, try this.

Type:
regsvr32 wmp.dll ENTER
regsvr32 jscript.dll ENTER
regsvr32 vbscript.dll ENTER

You should get a confirmation of success each time. Note that there is a space after regsvr32.

-- Do this before trying Caperjack's suggestion. If this bears no fruit, then try SFC....

PhilliePhan 171 Central Scrutinizer Team Colleague

"you must be an administrator running a console session in order to use the sfc utility " what do i do with this?

Can you open a command prompt and type:
tasklist >> C:\look.txt ENTER

There is a space -- > tasklist <space> >>

Then, please post the C:\look.txt

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Are you sure you're not joking about this process? I mean, how obvious it is that this may be the cause: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe - end the process in Task Manager (Ctrl + Shift + Esc)

I would ask the same question:
Are you kidding?

If you do not know what this is (easily the most recognized executable in a Spyware forum for the last 8-9 years), you really have no business posting in such a forum.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

OP already did a reinstall of OS

Are you sure?
I could have sworn he was still banging away at it after almost two years... :)

Just wanted to chime in since people are still posting and calling for a reformat. That is not the best first option in these cases. Often, malware will change the default for these keys:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

Become:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="malware.exe"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="malware.exe"

OR:

[HKEY_CLASSES_ROOT\exefile\shell\open\malware.exe]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\malware.exe]
@="\"%1\" %*"
(this is less common, but I've seen it)

So, when you run an executable, the malware runs instead.

When MBAM or another tool removes the actual malware, those keys are not repaired. As a result, when a user tries to run an executable, they get the error message as in this thread.

So, the first step is to check these keys (and a few other things) and repair them, if needed.

A reformat is way down on the list....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

And the winner is. . . . . . gerbil!

For having the closest to the correct answer! The only thing I would add is that sometimes one needs to manually hack the registry to fix this.
More often than not, malware has borked a few reg keys and, while MBAM and the like will remove the malware, they will not fix the "collateral damage" in the registry.

If you take the time to search any spyware/malware forum, you'll find numerous examples of this type of fix....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Any ideas out there. I am using Outlook with Windows98.

I haven't used Outlook in many years, but if I remember correctly, this setting can be toggled on or off using the Out Of Office Assistant under the Tools menu in Outlook.
Or, have you tried that already?

I'm pretty sure that is where to enable/disable the feature, but I could be mistaken....

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Please tell me if there are negative factors of these tricks (I am saying this because i am not sure about Step 1. I have created Sys-Restore after installing my XP [4 years ago] and i haven't re-installed my OS or used system restore after that because my PC works fine)

Step one is not accurate - Really won't help you to recover from a significant malware infestation.

In all honesty, I would recommend buying a 2nd hard drive (they are cheap these days) and running a clone of your OS. That is what I do and it has made life much easier...

In fact, just last week my 8 year old Dell threw one of those nasty config\system corrupted errors and would not boot. The solution is usually to boot the XP disk and run a repair. I could have done that, but I'd have been forced to use an 8 year old system.exe and that would've presented a hassle (lots of updating).

Instead, I just wiped the drive and installed a fresh clone from my drive of backups.

Also, I recommend NOT using a separate partition as your main backup in the event of disk failure. But, if you've got the disk space, regular backups to a "backup partition" makes this system even more convenient....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I noticed in one of the O4 entries, there is an enemudivos.dll entry, but I wanted to know how to fix the problem- this rundll thing seems like it's a symptom. I would really appreciate someone educating me on how to deal with this.

Well, you can stop that message from popping up by "fixing" the O4 entry you noted with HijackThis so that it is not called upon startup. The malware file is likely already gone - you can look for it to delete it if you want, but the steps below will get it if it remains...

--- Please run the tools in the linky below and post the requested scanlogs and we'll have a look at what (if anything) remains to be done.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

And your DNS lookup is via Comodo, not your ISP. Gee, they are taking over your internet. You really should use the DNS servers given by your ISP.

Gotta disagree with you, my friend :)

Comodo is a really solid FREE security suite. I challenge anyone to find a comparable one that offers all that Comodo does. For free.
I don't recommend things I have little confidence in....

http://www.comodo.com/secure-dns/

For the record, I do not believe that this is a malware issue or solely a Comodo issue, per se. I agree with Judy that something is definitely borked and, if all important data is able to be backed up and the recovery disks are available, a fresh install is probably easiest and least time-consuming.

Like Judy, I too prefer to get to the heart of a mystery - but my time constraints are such that it really isn't feasible and all the waiting between posts really does Karen a disservice.
For that, I apologize.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

So, I updated to the newest version of firefox today and java is now updated and working. So weird right? Why wouldn't it work in any other browser if it was a firefox issue? I always update firefox when it tells me to... Wow, :o maybe it won't stop again! fingers crossed

Wow - that's bizarre....

But, hey, I'm not going to question it! :) Just take it and mutter a quick thank you to the computer gods and go about my business!

Honestly speaking, experimenting with different browsers' online install was way down on my list of things to try from the beginning.
And, the fact that other versions installed with no problem really threw me for a loop.

-- I still doubt it's a Firefox "issue" - otherwise there'd be a lot of other documented instances. Could be something on your compy interacting with Firefox in a weird way...... But, there I go questioning the computer gods. I'll shut up now :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh, sorry I missed this earlier. I was thinking if we couldn't find a way to make it work, I would do a new backup on the external hard drive and wipe it if I need to. So we could try this first. I am having a great deal of difficulty finding any kind of an answer or support. Java does a hire-an-expert support kind of thing, pay a specialist online and let them take over your computer virtually. My daughter can do this on the mac, but unfortunately for me she doesn't know windows :(

HA!
I'm not sure that if you took your machine to Microsoft that they could tell you what the problem is..... :)

Or worse, we are probably overlooking something so simple that they'd laugh us out the door.

-- Did you download Process Explorer that I mentioned earlier? I'm curious about something:
Try running process explorer in an open window while you attempt the Java install. The installer should pop up in the running processes (msiec.exe - if I recall).
See how long it runs before it terminates. When it terminates, it should flash red and disappear.

Try it a few times - when msiec appears, highlight it in process explorer and RightClick it and select "Launch Depends" which will launch Dependency Walker - see if there are any obvious errors highlighted in red and let me know.

Let me look around to see if I can …

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh, it's no problem, I understand about being busy. I hate that this is such a puzzle.

-- Super Moon was neat. Hope you guys got a good view.

I am not certain how best to proceed. If I had the compy in front of me, I'm sure I'd be riffing and trying all manner of things the moment they hit my brain - the "throw a bunch of stuff at the wall and see what sticks" method, I guess.

I don't know if trying it again would produce a useable log - I suppose we could try a command line install that specifies log output, but I think we tried that before...
The error messages are a bit vague (as they usually are). I think what is throwing me is that the installation problem only affects latest JRE. That would seem to rule out MSI issues - or maybe I am wrong. LOL! Arrrggh!

-- Would you like to try the Windows Installer Cleanup Utility?
http://majorgeeks.com/download.php?det=4459

See if it finds any Java-related items to remove.

I do not believe Microsoft supports this anymore due to its volatile nature - has been known to occasionally damage some programs. I've never had this happen when I've recommended its use, but everything has a first time.....
Strictly up to you if you want to give it a go.

-- I am wondering if Oracle has any sort of support forum for this?

PhilliePhan 171 Central Scrutinizer Team Colleague

no luck, I did all of the above and it ran for over an hour then just disappeared

Crap!

I am running out of ideas - I wish we could find an install log that could throw some light on why the new JRE won't install. I don't know what could be blocking it given the deactivation of Comodo and the attempts in safe mode....

Could you please attach these again for me:

c:\users\Auberey\AppData\Local\Temp
MSI*****.log
java_install.log
jusched.log

They should show the last attempt..... I hope. It would be nice if we could find something to point us in the right direction.

I'll try to check back in a timely manner, but I have been swamped lately and my forum time is very limited.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I really don't know that this is going to help given what we have and have not been able to accomplish thus far.
I'd like to run the Microsoft Windows Installer CleanUp Utility, but that might do more harm than good. It's been known to be a bit destructive.

Let's do this first:
Download ATF Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.

THEN:

Download the attached RemoveIt.Zip and Extract the folder from the zip.
In the folder, RightClick RunThis.bat and Run As Administrator. It ought to run very quickly.
Let me know if there are any errors.

Reboot.

Then, use Firefox to attempt the online install of the latest Java package and let me know how that shakes out.

Best Luck :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Karen,

I'm back - sorry for the delay.

I will have a look at those and post something tonight.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am up and running again, and virus free!
Many thanks

Happy to help!

You really ought to follow up with at least a full scan with MBAM as per the linky below:

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Heck, I'd recommend a run of all the tools in the link and post the logs - Better safe than sorry.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

the remove programs removed it but there is still Java in other places from trying to update it and install it, does that matter?

Not at the moment.
I'm going to try to put together something that will remove all traces of it from the machine and then we can try again.

Please download Bill James’ RegSrch

Extract it from the ZIP to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type Java and Click OK.

You’ll need to save the log that pops up in Wordpad and then submit it for me.

Then, do the same for the phrase "Jre" and post that one as well.

If they are very large, please just zip them and attach them.

-- This is really mind boggling to me that older versions can be installed with no problem. There just doesn't seem to be any logic to it.....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am not seeing anything helpful...

-- Please go into Add/Remove Programs and remove All installed Java.
Then, please open an elevated command prompt and type:
dir /a /s Java.* >>C:\peek.txt ENTER

Let it finish and please post the peek.txt. Then you can delete C:\peek.txt.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

This is all it showed:

127.0.0.1 localhost

OK - that's what it should be.

This error pops up every time I try to log in now :(.... Anyways, let me know if there's something else I can do, thanks.

I don't know - outside of what Judy said, you could try flushing the WOW Cache and / or running the repair tool:
http://us.blizzard.com/support/article.xml?locale=en_US&articleId=21465

I really don't see anything in the previous scanlogs that would cause this issue.

PP:)
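The hosts check above ("127.0.0.1 localhost" is what a clean file shows) can be automated so that anything beyond the loopback aliases stands out. The Python below is an added example, not code from the post: it strips comments, parses each mapping, and flags a name pinned to loopback (the classic way malware blocks update and security sites) separately from a name redirected to some other address. The hosts content embedded below is constructed for the demo and uses reserved example names.

```python
"""Flag entries in a Windows hosts file that are not plain loopback aliases."""
import ipaddress

# Names that legitimately map to loopback on a default Windows hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed hosts file content (not from any real machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test      # pins an updater to loopback
203.0.113.7     www.example-bank.test       # redirects a site elsewhere
"""


def parse_hosts(text):
    """Yield (ip, [names], line_no) for each active mapping line."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:], no


def audit_hosts(text):
    """Return (line_no, ip, name, reason) for each mapping that is not a loopback alias."""
    findings = []
    for ip, names, no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue
            if addr.is_loopback:
                reason = "name pinned to loopback (possible update/security-site block)"
            else:
                reason = "name redirected to " + ip
            findings.append((no, ip, name, reason))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % (line_no, name, ip, reason))
```

A hosts file that only contains the loopback lines produces no findings; ad-blocking hosts lists will light this up by design, so judge the names, not just the count.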

PhilliePhan 171 Central Scrutinizer Team Colleague

nope, got this error message: installation of Java Platform update was not completed.

Drat!

See if you can get me all of those logs again:
MSI*****.log
java_install.log
jusched.log

Just Zip them and attach them to your post using the Manage Attachments button.

This is just bizarre that you can install the older versions with no problem.

-- Maybe you could try the latest Java Development Kit?

Anyhoo, I'll look at some things over the weekend - Judy had a few ideas I am going to try to follow up on.

Just attach those logs and I'll get back to you as soon as I can.

Happy Weekend :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Once again, can't thank you enough for the help.

You're welcome - Happy to help :)

But, I am a bit flummoxed. I don't see anything in the logs....

Your google is not being redirected. Rather you're getting the 404 which doesn't make any sense.
Maybe I am missing something.

-- Can you open D:\Windows\System32\drivers\etc\hosts with notepad and post the contents?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

ok it worked; and now I see both MSI documents but they are too big, want me to break them up and post them anyway?

No - that's not necessary if the older version installed with no problem.
-- You didn't get any error messages, right?

Look in Program Files\Java Folder\Jre5\bin and run javacpl.exe.
Click the "Update" Tab and then click "Update Now" and let me know what happens.
See if the latest update will install now....

oh and thanks for the app info!

You're welcome - hope it helps :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

...It was of the same variety as the Safe Mode virus: run this scan, buy this software, etc. I'm going to run MBAM after I finish with Adobe and Java and see if it finds anything...

OK - Be sure to (always) Update MBAM before running it so it has up to date definitions.

-- I did not see anything in the previous logs that jumped out at me. What product does it try to foist on you?
Hopefully there's no rootkit involved.... Try running the GMER scans from the "Read Me First" sticky post and post those for me.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

yes, Arrrgh! is right, access denied, same error, I copied and pasted it and typed it a second time just to be sure

Allrightythen!

Let's try a few things. It would really help if we could get an error to reference or some logs.

A) First, please look in c:\users\Auberey\AppData\Local\Temp for the following logs and attach them if found:
MSI*****.log
java_install.log
jusched.log

B) Then, please download and attempt to install Java SE Runtime Environment 5.0u22
Let me know of any errors or problems. Be sure to get the correct installation package for your machine.
After install attempt, please repeat step A and look for and post those logs, if found.

If and only if B fails, please download and try to install Java SE Runtime Environment 1.4.2_19

Same drill as before regarding errors and problems. Also, look again for the logs and post them.

With any luck, we can get one of the old packages to install and then update it.....

I'll check back as soon as possible - work is piling up as it usually does heading toward the weekend...


-- Regarding the App writing question, you might post a note with the relevant details here:
Project Partners Wanted

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Alright, just got back from work and got those done. I haven't had the windows safe mode window pop up anymore but I have had what seems to be another piece of malware pop up.

Just rolled in myself - What new malware do you suspect?

I am heading right back out the door, but gave the logs a quick glance and did not see much. I am not as up to date on Windows 7 as I probably should be, so I'm not going to mess with stuff I am not sure of.


As for the rest, fire up OTL.exe again and copy and paste all of the text in Red into the Custom Scans/Fixes Box:

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - File not found
O4 - HKLM..\Run: [WINDVDPatch] File not found
[2011/03/07 22:18:40 | 000,000,000 | ---D | C] -- D:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Safemode
[2011/03/07 22:18:41 | 000,000,612 | ---- | C] () -- D:\Users\Matt\Desktop\Windows Safemode.lnk
:commands
[EMPTYTEMP]

-- Click Run Fix and let it run.
-- OTL should force a reboot of your compy. If it doesn't, Reboot the machine manually.
-- Please post the Fix Log for me and let me know what that malware is that you suspect.

-- …

PhilliePhan 171 Central Scrutinizer Team Colleague

so now I am unable to start up at all!

Hi Richard,

-- What options (if any) do you get when you tap F12 on boot?

Can you burn an ISO? You may need a free tool such as ImgBurn to do this.

Please burn the following ISO to CD:
- bitdefender-rescue-cd.iso

Then, pop the CD into the ill machine and see if it will boot. You may need to tap F12 on boot and set to boot from optical drive.

Let us know if you can do this and we'll go from there. BitDefender may automatically start to scan - if so, great - though it might not be able to download updates...


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

This thread is now closed - If the original poster requires it re-opened, please PM me.

To all others:
Please start a new thread for assistance with your infection. Each problem is unique with differing degrees of severity and accompanying malware. It is much easier for the few volunteers to work "one on one" with you.

Thanks for your patience :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks again for all the help, I think we're making progress.

Happy to help :)

But, these are some odd looking logs - not seeing what I'd expect to see...
It's odd that we didn't need to run RKILL beforehand. You are able to run the tools with no issues.
Plus, MBAM should remove all of this.

Let's remove Combofix:
-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

THEN:
Please update MBAM and run the Full Scan in Normal Windows Boot and post the log. Let's see what the Full Scan finds.

Then, after a reboot, please download OTL.exe to the Desktop.
-- Run it and click Scan All Users and then hit Quick Scan and post me the TWO resulting logs.
I'd like to get better picture of the machine - hopefully this will do it...

With any luck, I'll be back this evening.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

ok, got an error, it says, not a valid Win32 application

Arrrgh!

OK - let's go in this direction:

Please open an elevated command prompt.
Type: CD C:\ ENTER
Type:jre-6u24-windows-i586-s.exe /s /L C:\javalog.txt ENTER

Note: jre-6u24-windows-i586-s.exe <space> /s <space>/L <space>C:\javalog.txt

See if that runs....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

There wasn't a 106578.exe in the task manager but there was a 761750.exe that I killed. It removed the 'Windows Safe Mode' window but the error messages remained. I was able to update MBAM and run a quick scan in normal.

OK - obviously it's going to be switching random names on us. That can make the manual removal difficult.
Interesting that MBAM didn't flag it on second run.

Anyhoo, before we have to resort to manual removal, let's try this:

Please follow the instructions in the link below to download Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your Desktop as that and then follow the instructions in the linky very carefully to run it and post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Once svchost.com is on the Desktop, close all programs and browsers and Click START --> RUN --> and enter the following command in red exactly as shown to start combofix:

"%userprofile%\desktop\svchost.com" /killall

Note: "%userprofile%\desktop\svchost.com" <space> /killall

Now, we want to do this in Normal Windows Boot, if possible. …

PhilliePhan 171 Central Scrutinizer Team Colleague


so it didn't run at all...

Jeez - my fault again. I should've said click START > RUN > copy&paste C:\jre-6u24-windows-i586-s.exe /s /L C:\javalog.txt ENTER

I had command prompt on the brain, I guess.

-- Comodo is Off, right?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hope this helps, thanks again for the help.

That'll work.

Open Task Manager and kill 106578.exe

Then see if MBAM will run in Normal Windows Boot. If not, run it in safe mode and have it fix what it finds. Be sure to click the Update tab and update it to latest definitions (if possible).

Have it remove the baddies it finds and then post that log for me and we'll go from there.

PP:)