shuonder771

Just to follow up, I was able to resolve my remaining issues and clean up the rest of the system with some updates and better anti-virus. This pc is back to an almost new state. I can't tell you what a great help you were and how much I appreciate your time and expertise. Thank you, thank you, thank you. You are very good at what you do.

Files dont exist in second admin acct. All programs still need admin allow. Also wont allow deletion of c:\QooBox. Asks to confirm, then Destination folder access denied. For recycle bin...

After restarting to go back to normal mode, I was able to re-enable on the defogger, i found and ran the CF uninstall but all it did was scan again. All programs still getting the registry key msg. Something we did in registry? I'll try a new user now.

My wifes user account is the only one on this pc. It is administrator. I tried going over to safe, but it is the only log in option.

Getting the Illegal operation attempted... on all programs.

Yes I did.

Same with defogger. The directory name is invalid.

Ok, I found it but I cant run it. Have to as admin, but then I get an error stating: The directory name is invalid.

I dont appear to have ComboFix /Uninstall. Only the .exe shows in search.

Deleted. Uninstalled. Installed new version. Still have to run FF, IE, control panel as admin.

DR did not start, or at least show on start up. DR icon still on desktop. Still getting msg: illegal operation attempted... when opening Firefox, control panel, etc. Run as admin still works. ComboFix 10-12-23.02 - Owner 12/23/2010 18:05:47.6.2 - x86 Microsoft

All 3 files deleted successfully. There was another file there c:\programdata\pakmgUn41WkIaX . No extension shown. I ignored it.

After CF scan Firefox didnt want to open normally. Same msg: illegal operation attempted on a registration key marked for deletion. Clicked run as admin and it opened fine. ComboFix 10-12-23.02 - Owner 12/23/2010 17:16:05.5.2 - x86 Microsoft

ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6419 # api_version=3.0.2 # EOSSerial=b48cc0744f66364280df6657924a364c # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2010-12-23 06:58:14 # local_time=2010-12-23 12:58:14 (-0600, Central Standard Time) # country="United States" # lang=1033 # osver=6.0.6001 NT Service Pack 1 # compatibility_mode=1024 16777215 100 0 53866782 53866782 0 0 # compatibility_mode=2560 16777215 100 0 0 0 0 0 # compatibility_mode=5892 16776573 100 100 0 129732640 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=206285 # found=1 # cleaned=1 # scan_time=5582 C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\4ed30d7c-48b4306d a variant of Win32/Kryptik.JBF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Deleted Spybot. Scan took longer. Restarted again before log creation. Restart took longer. Also took much longer to finish log. Then unexpected restart 10 minutes later. ComboFix 10-12-22.04 - Owner 12/22/2010 23:48:11.4.2 - x86 Microsoft

CF restarted pc before log was created. After restart Spybot started up again and forced Confirm changes to continue. CF finished and created log. I then attempted to open Firefox to post results and got the following msg: Illegal operation attempted on a registration key that has been marked for deletion. Internet Explorer had no response at all. No busy or working animation, nothing. Had to go back to safe mode to post this. DR did not start or show in normal mode, but desktop icon remains. ComboFix 10-12-22.01 - Owner 12/22/2010 22:37:12.3.2 - x86 Microsoft

PC seems to behaving normally though I haven't explored. Once during scan screen went black except for blue CF dialog box, then reloaded. Wallpaper still gone, black backround. CF attempted to upload log, but failed though web is active. ComboFix 10-12-22.01 - Owner 12/22/2010 22:00:16.2.2 - x86 Microsoft

I was able to run CF in normal mode. Web is no longer blocked. DR desktop icon remains. ComboFix 10-12-22.01 - Owner 12/22/2010 21:20:59.1.2 - x86 Microsoft

In safe mode? I tried to run it in normal but it seemed to freeze. I left it for about 5 min with no activity. Does it need web access? DR is blocking web. Sorry to be a pain, I just want to be clear. I really appreciate your help.

I already uninstalled through control panel and it appeared to work. I had to restart to complete uninstall so now Disk Repair is back and blocking the web. No web appears to be a problem for CF. Im back in safe mode now as DR is active. Do I still need to use the AVG removal tools?

Disable was not enough. CF said to uninstall. Restart to complete. DR back after restart, blocking web. Im back in safe.

Actually, Resident Shield has it. Asking to Heal/Move to vault.

Windows cannot find file. Also Resident Shield keeps putting up alerts. Just continue with directions?

Was able to run in normal mode however it appears avg was also freed up and scanning. Took a lot longer than previously. Also before last scan web access was still blocked and Disk Repair was on screen. After restart DR does not appear to be running though desktop icon remains. I do have web access in normal mode now. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5371 Windows 6.0.6001 Service Pack 1 Internet Explorer 7.0.6001.18000 12/22/2010 7:50:40 PM mbam-log-2010-12-22 (19-50-40).txt Scan type: Quick scan Objects scanned: 159020 Time elapsed: 12 minute(s), 57 second(s) Memory Processes Infected: 1 Memory Modules Infected: 1 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: c:\programdata\hazifyvopx.exe (Trojan.FakeAlert.Gen) -> 2928 -> Unloaded process successfully. Memory Modules Infected: c:\programdata\jojwknhfjv.dll (Trojan.FakeAlert.Gen) -> Delete on reboot. Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\programdata\jojwknhfjv.dll (Trojan.FakeAlert.Gen) -> Delete on reboot. c:\programdata\hazifyvopx.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5371 Windows 6.0.6001 Service Pack 1 (Safe Mode) Internet Explorer 7.0.6001.18000 12/22/2010 5:17:29 PM mbam-log-2010-12-22 (17-17-29).txt Scan type: Quick scan Objects scanned: 156460 Time elapsed: 3 minute(s), 21 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\programdata\jojwknhfjv.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully. c:\programdata\tituuliasa2vbcs.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.