Do I rerun Hijack This?

Hi sidebside,

Yes. Re-run Hijack This and then put a check mark on O4 - Global Startup: MRI_DISABLED

After that, click fix checked and restart the computer.

Regards,

---

I am a Trend Micro employee.  My comments and advice come from my personal knowledge and experience.  I’m happy to volunteer what I can to help others have a great Trend Micro experience. If you find my response helpful, appreciation through Kudos is well appreciated! 

I tried it more than once and it didn't work.

I think it was because some box came up every time I tried 2 run it.

I finally right clicked on it and ran as an adminstrator.

I think that did it.

Now I don't think I can get PDF's to work.  It says internet explorer has stopped working.  It seems to keep looping thru that and tries 2 correct itself over and over.

And everytime I click on something I hear it double click which seems to slow everything down.

Ok...lets getting rid of the bad files now.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
3. Open notepad and copy/paste the text in the code box below into it:

File::
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
B1.bat 
c:\windows\System32\sysprep\splash.exe

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT

Try the below go to Run... command for me please:-

sfc /purgecache

And let myself know the outcome, also run the below:-

Check Hard Disk For Errors:

Press Start >> Run..., then copy/paste the following command into the box and press OK:

A blank command window will open on your desktop, then close in a few minutes. This is normal. 

A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

Hard-Drive Maintenance/Repair:

Note: for the CHKDSK portion you may refer to this tutorial of mine here and follow the instructions for Graphical Mode if you so wish.

Click on Start >> Run and type cleanmgr in the box and press OK.

• Ensure the boxes for Temporary Files, Temporary Internet Files and Recycle Bin are checked.
• You can choose to check other boxes if you wish but they are not required.
• Click on OK then Yes.

Next:-

• Click on Start >> Run... then type in CMD and click on OK.
• At the Command Prompt C:\ > type the following:
• CD C:\ and hit the Enter/Return key.
• Now type in DEFRAG C: -F
• A Analysis report will be displayed and then Windows will start the Defragmention run automatically.
• This may take some time, when completed the Command Prompt C:\ > will appear.
• Now type in CHKDSK C: /R and hit the Enter/Return key.
• When prompted with:

• Hit the Y key then at the Command Prompt C:\ >
• Type in EXIT and and hit the Enter/Return key.
• Now Reboot(Restart) your computer.

Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.

I concede.  I have no idea on how to get to/thru point A above.  I ended up running ComboFix again.

Here is the log.  I think I need more specific instructions.  I couldn't figure out where 2 save what u wanted me 2 cut and paste.  Sorry...

ComboFix 12-02-15.01 - owner 02/19/2012  14:31:55.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1917.1306 [GMT -5:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-19 to 2012-02-19  )))))))))))))))))))))))))))))))
.
.
2012-02-19 19:42 . 2012-02-19 19:42 693297 ----a-w- c:\programdata\SPLB856.tmp
2012-02-19 19:39 . 2012-02-19 19:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-16 21:49 . 2012-02-16 21:49 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2012-02-16 21:48 . 2012-02-16 21:48 -------- d-----w- c:\programdata\Malwarebytes
2012-02-16 21:48 . 2012-02-16 21:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-16 21:48 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-14 01:22 . 2012-02-14 01:33 -------- d-----w- c:\users\owner\AppData\Local\Browser Guard
2012-02-14 00:10 . 2012-02-14 00:10 -------- d-----w- c:\program files\WinPcap
2012-02-13 23:52 . 2012-02-13 23:52 388096 ----a-r- c:\users\owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-20 22:43 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-20 22:43 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-20 22:43 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-20 22:43 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-20 22:43 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-20 22:43 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 10:10 . 2009-10-02 21:46 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-18 23:33 . 2011-03-28 23:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-01-17 09:39 . 2012-02-17 17:40 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D0ABB968-16FA-4DE9-B764-1D02609BF5A2}\mpengine.dll
2011-11-25 15:59 . 2012-01-11 01:19 376320 ----a-w- c:\windows\system32\winsrv.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 21:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-04-13 23:48 194912 ------w- c:\program files\Yontoo Layers\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdlmon.exe"="c:\program files\Lexmark 7500 Series\lxdlmon.exe" [2007-06-11 455600]
"lxdlamon"="c:\program files\Lexmark 7500 Series\lxdlamon.exe" [2007-06-01 20480]
"Lexmark 7500 Series Fax Server"="c:\program files\Lexmark 7500 Series\fm3032.exe" [2007-06-11 308144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"Trend Micro Browser Guard"="c:\program files\Trend Micro\Browser Guard\BGUI.EXE" [2011-02-26 787984]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"OE"="c:\program files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe" [2011-07-18 238928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-30 02:51 4911104 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3850138164-68269979-4277157850-1000]
"EnableNotificationsRef"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-17 21:12]
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-17 21:12]
.
2010-12-17 c:\windows\Tasks\User_Feed_Synchronization-{7B9A655B-F2D3-48EA-9917-0A7AE6F57785}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=16
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
**************************************************************************
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5860)
c:\program files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Trend Micro\AMSP\coreServiceShell.exe
c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\atashost.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\programdata\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe
c:\windows\system32\lxdlcoms.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\Trend Micro\RUBotted\RUBotSrv.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Trend Micro\Browser Guard\tmiegsrv.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-02-19  14:54:13 - machine was rebooted
ComboFix-quarantined-files.txt  2012-02-19 19:53
ComboFix2.txt  2012-02-16 00:37
.
Pre-Run: 126,796,046,336 bytes free
Post-Run: 126,904,893,440 bytes free

U need to disable your trend....Close all browsers.

Open notepad and copy/paste the text in code box into notepad that i gave in my instructions and save it as CFScript.txt on desktop and drag the file to combofix icon as shown in the image.

Once finished...attach the log as said in my instructions.

MJB877 please make a new topic in malware discussion forum and i will help u.

A box pops up.

Do I change the encoding drop down?

It says something 2 the effect about saving it as an ANSI file, Unicode format will be lost.

no need to change the coding.Just accept any warnings related to coding.