Not sure which infection this is? Java Exploit maybe..?

[kevinf80]

That RK log is not showing any entries as deleted, is only showing found. Are you referring to these entries:

 

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

 

The two commands are inert, they are not active.

 

Did you try the system from clean boot state, did it make any difference?

[hiesenberg]

kevin-

that log is from before I deleted them, but I delete them over and over and still they reappear. are you saying that in spite of those registry entries constantly returning after each deletion that they are safe and are not actually affecting the registry..? 

I ran the pc in clean boot for a short period and yes it was obvious that the svchost/taskbar issue seemed to be resolved but that is very similar to when I run it in safe mode. I won't be home for a couple of days, then I will run it for a longer while and slowly starting adding back services as you suggested.

your patience is very much appreciated. Thanks!!

[kevinf80]

Apologies for the late reply, I receive no notification. What is current status of your system, are there any remaining issues or concerns...

[hiesenberg]

keviin:

I still have the following:

> 2 folders marked Network Connections, pretty sure there should only be one in the control panel

> the win-xp search tool, search companion, still opens an empty window not allowing search criteria to be entered

> the 2 registry changes do not stay deleted, (list below). they always come back on reboot. Is there a way to manually delete

these from within the reg editor? Thanks!

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED

[kevinf80]

I really do not understand why you would want to remove the two following entries:

 

[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED

 

The entries are appended with (0) that means Task manager and Registry tools are active, if they were appended (1) that would mean they were disabled.

 

Regarding the search issue, go here: http://www.ehow.com/how_7655076_fix-search-companion-windows.html and follow those instructions..

 

Regarding Network Connections, can you post a screen shot

[hiesenberg]

Kevin-

Here is a shot of the 2 folders in control panel, (file uploaded). So to clarify, there is no need to remove those entries b/c they are inactive. Got it! Thanks.

[kevinf80]

There are no files attached?

[hiesenberg]

Lets try again..

SCRN-SHOT.doc

[kevinf80]

Run the following, does second network connection disappear on completion...

 

Remove Combofix now that we're done with it

• 
  

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

 
Please follow the prompts to uninstall Combofix.
You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

• 
  

    ComboFix and its associated files and folders.
    VundoFix backups, if present
    The C:_OtMoveIt folder, if present
    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.
    Reset System Restore.

 

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

[hiesenberg]

Kevin-

the 2nd network connections folder is still there. After running combofix /uninstall, I watched it as combofix was removed but that folder remains. thx!

[kevinf80]

Please download SystemLook from the following link below and save it to your Desktop. Use the correct version 32bit or 64bit.

 

http://jpshortstuff.247fixes.com/SystemLook_x64.exe      <<-   64 bit….

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe    <<-  32 bit

 

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  

  :filefindncpa.cpl

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
 

[LDTate]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!