any help with my problem?

[LDTate]

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\drivers\tmevtmgr.sys
c:\windows\system32\drivers\tmpreflt.sys
c:\windows\system32\drivers\TM_CFW.sys
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys
c:\program files\Trend Micro\Internet Security\TmPfw.exe
c:\program files\Trend Micro\Internet Security\TmProxy.exe

Folder::
c:\program files\Trend Micro\Internet Security

Driver::
tmevtmgr
tmpreflt
tmcfw

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

[Lisac]

I have been working on this for quite a while this morning.... the ComboFix scan has been running for probably 45 mins - 1 hour (Much longer than the first time), and hasn't progressed beyond the initial:

scanning for infected files

Typically doesn't take more than 10 minutes

machines that are heavily infected could take significantly longer (paraphrased)

When I tried to run it this morning it stopped me to remind me to disable my antivirus before running. I disabled ESET and MB, tried to run it again, and it listed TrendMicro as still running. I can't disable TM because it isn't a valid program (Or at least I don't know how to find something to disable). It did not give me any message about TrendMicro the first time I ran it the other day.

Should I just stop this program? How do I stop it? I can't believe I'm that heavily infected as it didn't come up with much the first time around. What should I do from here? Help!! :-( Thanks again - lisac

[LDTate]

Try using ( Alt / Ctrl / Del ) all 3 keys at the same time and open taskmanager

CF hangs.

Kill with Taskmanager

* Any process with cfexe file extensions

* FindStr.exe

* Regsvr32.exe

Reboot and run the script again

[Lisac]

Thanks, but I didn't find any exact matches to the three names you gave me. The closest I came was:

CF26881.cfxxe

I tried to 'end task' at the applications page, but it doesn't close out. Should I just 'X" out of the blue box that says it is scanning, or look for another process to quit? lisac

[LDTate]

CF26881.cfxxe

End that one and if you have to, shutdown and restart

[Lisac]

I've rebooted and resaved CombFix. I'm ready to run again, but one question - I have Windows XP. Should I be installing the Recovery Console first? I did not d that last time.... thanks. lisac

[Lisac]

Sorry - not ComboFix - I resaved Killall. It's early. No coffee yet...

[Lisac]

After rereading your previous post about Recovery Consosle I'm going to go ahead and install it and then run CombFix and willpost my results. I didn't before because it said not to for Windows 7. I have Windows XP and IE 7, not Windows 7, so I'm thinking I'm supposed to install it. Guess I wasn't thinking clearly.... Here goes.

[Lisac]

Good morning - bottom line - scan stalled again. This is what I did...

1) booted this morning to clear out yesterday's scan that stalled

2) resaved KillAll to my desktop (the icon had disappeared)

3) disabled ESET and MB to the best of my knowledge (and there was no prompt to further disable my AV or Trend Micro like there was yesterday)

4) dragged CScript to ComboFix and launched it

5) loaded Recovery Console - that went fine

6) started ComboFix and let it run 30+ minutes. No change in screen after initial 'scanning files' / 'should take 10 minutes' / 'may take longer for severly infected computers'. When I ran ComboFix the other day it launched just fine, and advised me about which stages were done, etc......

Any idea why it is hanging up now? What do I need to do differently? How do I get this resolved?

Maybe this is a stupid question, but here goes.... RE: KillAll files to highlight, am I supposed to start from the first line, ie: KillAll::, or start from the first c: line?

Thanks - Lisac

And once again, do you think I still have (or ever did have) any infections, serious or otherwise, or are we just working now to get rid of Trend Miccro? thanks..........

[LDTate]

We're trying to get rid of Trend Miccro.

Start with everything in the quote box.

I don't know what's causing it to hang.

You could try using Safe Mode to run it.

Restart your computer in Safe Mode.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.

Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

This can take several miniutes to load.

[Lisac]

I rebooted in safe mode just fine, and MB is disabled, but I can't figure out how to disable ESET. Usually I would just right click the icon on my taskbar and have the option to disable the firewall and AV protection, but it just wants to launch a scan, any advice how to disable? Thanks - lisac

[LDTate]

Go ahead and try the combofix script anyway

[Lisac]

even though it said it may damage files or something? (I'm not at my own computer...) thanks - lisac

i wqs trying to find something on ESETs site about disabling in safe mode. I haven't found anything there yet. I'll try running the scan when I get home, approx. 30 mins...

[LDTate]

OK

[Lisac]

the scan has run and I'm just waiting for the log files to pop up so I can post them....

[Lisac]

OK, the screen is still at 'wait a few seconds for your log file to pop up" and has been there for a while... thre's also a new box that says ComboFix needs to submit some files for review, and to make sure there's an internet connection. Is it waiting for me to submit the files before popping up the log files?

[Lisac]

I've restarted and done a whole shut down, and I have no internet connection so can't post the logs to you right now. How do I reconnect? Thanks - lisac

[Lisac]

Tried to run the internet connection diagnostic tool - disconnected the router and modem - reconnected them - waited 3 minutes - tried again. Got new stupid message:

Runtime error

Program C:\Windows\Network Diagnostic\xpnetdiagexe

Application has requested the Runtime to terminate it in an unusual way. Please contact application support team for more information.

What does this mean?? DoI need to go to another support forum and try to get this fixed so I can get back to a functional computer? Thanks - lisac

[LDTate]

Did combofix finish?

[Lisac]

yes< it finished and I have a log. I will send it shortly. got to save it to a flash drive or something and get it on this computer...

[Lisac]

Here are the log files.....

ComboFix 10-12-12.03 - HP_Administrator 12/13/2010 18:10:17.2.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1749 [GMT -7:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFSCript.txt

AV: ESET Smart Security 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

AV: Trend Micro Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::

"c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys"

"c:\program files\Trend Micro\Internet Security\TmPfw.exe"

"c:\program files\Trend Micro\Internet Security\TmProxy.exe"

"c:\windows\system32\drivers\TM_CFW.sys"

"c:\windows\system32\drivers\tmevtmgr.sys"

"c:\windows\system32\drivers\tmpreflt.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\TM_CFW.sys

c:\windows\system32\drivers\tmevtmgr.sys

c:\windows\system32\drivers\tmpreflt.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TMEVTMGR

-------\Legacy_TMPREFLT

-------\Service_tmcfw

-------\Service_tmevtmgr

-------\Service_tmpreflt

-------\Legacy_SfCtlCom

-------\Legacy_TmPfw

-------\Legacy_TmProxy

-------\Service_SfCtlCom

-------\Service_TmPfw

-------\Service_TmProxy

((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))

.

2010-12-07 22:22 . 2010-12-07 22:22 -------- d-----w- c:\documents and settings\Lauren & Jennifer\Local Settings\Application Data\KodakGallery

2010-12-07 22:21 . 2010-12-07 22:21 -------- d-----w- c:\documents and settings\Lauren & Jennifer\Application Data\Skinux

2010-12-07 22:16 . 2010-12-07 22:16 -------- d-----w- c:\documents and settings\Lauren & Jennifer\Application Data\Sonic

2010-12-07 04:24 . 2010-12-07 04:24 -------- d-----w- c:\documents and settings\Lacey_2\Local Settings\Application Data\Intuit

2010-12-04 03:29 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-04 03:29 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-04 03:29 . 2010-12-04 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-27 16:52 . 2010-11-27 16:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Walgreens

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 18:23 . 2004-08-09 21:00 974848 ------w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-09 21:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-09 21:00 954368 ------w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-09 21:00 953856 ------w- c:\windows\system32\mfc40u.dll

2009-11-18 07:53 . 2009-06-04 17:52 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmileboxTray"="c:\documents and settings\HP_Administrator\Application Data\Smilebox\SmileboxTray.exe" [2010-12-03 312640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 366400]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-11-30 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-16 27136]

c:\documents and settings\Lauren & Jennifer\Start Menu\Programs\Startup\

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-16 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFree MusicMate]

2006-08-17 16:47 266240 ----a-w- c:\program files\MPFree\MPFree MusicMate\MPFree MusicMate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 03:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

"bgsvcgen"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ntvdm.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 2:18 PM 107256]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 2:19 PM 731840]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2010 8:29 PM 363344]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2/26/2010 7:58 AM 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2/23/2007 3:09 PM 11113]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2010 8:29 PM 20952]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/10/2010 4:22 PM 136176]

S3 esihdrv;esihdrv;\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys [?]

S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2/23/2007 3:09 PM 149952]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/9/2004 2:00 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-10 23:22]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-10 23:22]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

Trusted Zone: intuit.com\ttlc

DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} - hxxp://www.freehandmusic.com/Update/biblionet.cab

DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://ttlphoto.lifepics.com/net/Uploader/LPUploader57.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-13 18:26

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2736)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\program files\Panasonic\VideoCam Suite 2\VideoCamSuiteAutoStart.exe

c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe

c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe

c:\program files\Windows Desktop Search\WindowsSearch.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-12-13 18:34:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-14 01:34

ComboFix2.txt 2010-12-09 23:07

Pre-Run: 160,990,846,976 bytes free

Post-Run: 159,133,810,688 bytes free

- - End Of File - - 1D7D33616C962F1C85D96F1E8CCACDD5

[Lisac]

PS - it said it had files to send for analysis< but of course needed a connection and I don't have that so those haven't been sent....,

[LDTate]

I'm pretty sure Temp\esihdrv.sys, running from that location is a RootKit

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\esihdrv.sys

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Next:

It is very important that these steps be carried out exactly as shown otherwise the fix will not work.

If you have any questions please ask before moving on.

• Please start Notepad and using your mouse make sure you select and copy all the information below in the Code box into your new document.
  
• Then save the file as "fixme.bat" to your Desktop
  
• In the drop down box for Save as type: make sure you select All Files (*.*) and keep the quotes on the name as well. Then close the new file.
  

  @ECHO OFF
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable  /t REG_DWORD /d 0 /f
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
  netsh int ip reset resetlog.txt
  netsh winsock reset catalog

  
  

• On Windows XP you can double-click the file to run it.
  
• On Vista/Win7 you need to Right click the file and choose Run as administrator to run it. With User Account Control on it should ask permission to run it. Click Yes
  
• This will flash a black DOS box very quickly and go away, this is normal.
  
• Restart your computer now.
  
• Launch Internet Explorer and see if you can connect to the Internet.
  

[Lisac]

I'm saving the texts in the boxes in Notepad onto my thumb drive to take to my computer. When clicking on "Stop USB mass storage device" to remove the drive properly (I believe that's what I'm supposed to do), I get a box titled "Problem Ejecting USB Mass Storage Device" with the message "The device 'Generic Volume' cannot be stopped right now. Try stopping the device again later." Am I doing something wrong here? Do I just pull it out and not worry about this message? Thanks - lisac

[Lisac]

Never mind. It can now safely be removed. I'll try to run your programs on my computer. Thanks - lisac