# Delete browsing history popups? Possible malware? Help!!



## cRise

Hi -

My computer is a year old (running Windows 7) and for the past few days every time I've started it up small pop-up windows will appear headed with 'Please wait while the browsing history is deleted'.

They are a real nuisance - and appear every 10 seconds or so at times. There are often several at one time and they can make my computer very slow.

My internet browser is not necessarily open when they appear, and I had not attempted to delete my browsing history for over a month before this began.

I have not adjusted any settings in any of my browsers, and have run full Virus Protection and Spy scans with no results of use. I have also tried uninstalling Internet Explorer (and have replaced it with Firefox) but still face this issue. I've also deleted all cookies with no results.

I have run Malwarebytes numerous times and avast antivirus. They both picked up nothing at all.

Can anyone explain this or help me to stop these windows? Any advice would be greatly appreciated.

Thank you in advance.


----------



## johnb35

Please post a HijackThis log for me to analyze.

Download the *HijackThis* installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

When the HijackThis log appears in a Notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy. Come back to your reply and right click on your mouse and click on paste.

Post the logfile that HijackThis produces.


----------



## cRise

Here you go~!



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:47:26 PM, on 8/4/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iMesh Applications\MediaBar\DataMngr\DataMngrUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iMesh Applications\MediaBar\DataMngr\DataMngrUI .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ProgramData\tW6Al5R1.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\ProgramData\tW6Al5R1.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\ProgramData\tW6Al5R1.exe
C:\ProgramData\tW6Al5R1.exe
C:\ProgramData\tW6Al5R1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z039&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: UrlHelper Class - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files\iMesh Applications\MediaBar\DataMngr\IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\tbDVDV.dll
O2 - BHO: (no name) - {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: DVDVideoSoftTB Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVD0.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: DVDVideoSoftTB Toolbar - {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - C:\Program Files\DVDVideoSoft\tbDVD0.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: MediaBar - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll
O3 - Toolbar: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\tbDVDV.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [DataMngr] C:\PROGRA~1\IMESHA~1\MediaBar\DataMngr\DataMngrUI.exe
O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim .exe" /d locale=en-US
O4 - HKCU\..\Run: [EPSON NX410 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFCA.EXE /FU "C:\Windows\TEMP\E_S6C11.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunServices: [Conduiti4jdel05705] C:\Users\CJ\AppData\Local\Temp\svchost.exe
O4 - HKCU\..\RunServices: [TextTEXTASST] c:\users\cj\appdata\locallow\macromedia\shockwave player\xtras\download\macromediainc\textasset\texttextasst10.425.exe
O4 - HKCU\..\RunServices: [ShockwaveShockwave] c:\users\cj\appdata\locallow\adobe\shockwave player 11\xtras\download\adobesystemsincorporated\shockwave3dasset\shockwaveshockwave.exe
O4 - HKCU\..\RunServices: [ShockwaveAsset] c:\users\cj\appdata\locallow\adobe\shockwave player 11\xtras\download\adobesystemsincorporated\shockwave3dasset\shockwaveshockwave.exe
O4 - HKCU\..\RunServices: [MoviesDivX] C:\Users\CJ\Videos\DivX Movies\DivXCreate2935.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Bnelacehezu] rundll32.exe  "C:\Windows\system32\config\systemprofile\AppData\Local\KBDapex.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: buzi.exe (User 'Default user')
O4 - .DEFAULT User Startup: igzuyr.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Free YouTube to iPod Converter - C:\Users\CJ\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\CJ\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\IMESHA~1\MediaBar\DataMngr\datamngr.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickDownload Agent - Innogrid, Inc - C:\Program Files\QuickDownloadService\qdownagent.exe
O23 - Service: QuickDownload Service - Innogrid, Inc - C:\Program Files\QuickDownloadService\qdownservice.exe
O23 - Service: QuickDownload Update - Innogrid, Inc - C:\Program Files\QuickDownloadService\qdownupdate.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: WeFi Engine Service (WefiEngSvc) - WeFi - C:\Program Files\WeFi\WefiEngSvc.exe

--
End of file - 11212 bytes



Thanks a lot, I appreciate it.
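
One way to triage a HijackThis log like the one above is by structural oddities rather than by known names. This is an added example, not part of the original thread and not code from HijackThis or ComboFix. The four heuristics, the rule names and the `triage` function are assumptions made for illustration; the sample lines are excerpted from the log in this post.

```python
import ntpath  # Windows path handling that also works on non-Windows hosts
import re
from collections import namedtuple

# Lines excerpted from the HijackThis log posted above (trimmed for brevity).
SAMPLE_LOG = r"""Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\ProgramData\tW6Al5R1.exe
C:\ProgramData\tW6Al5R1.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: (no name) - {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim .exe" /d locale=en-US
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunServices: [Conduiti4jdel05705] C:\Users\CJ\AppData\Local\Temp\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [Bnelacehezu] rundll32.exe  "C:\Windows\system32\config\systemprofile\AppData\Local\KBDapex.dll",Startup (User 'SYSTEM')
"""

Finding = namedtuple("Finding", "source path reasons")

EXEC_EXT = r"(?:exe|dll|scr|pif|com|bat)"
# A drive-rooted path up to the first executable extension (handles quoted
# and unquoted commands, and file names that contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.' + EXEC_EXT + r"\b", re.I)
# "name .exe": whitespace between the base name and the extension.
SPACE_EXT_RE = re.compile(r"\s+\." + EXEC_EXT + r"$", re.I)
# HijackThis entry prefix, e.g. "O4 - ", "R1 - ".
ENTRY_RE = re.compile(r"^([ORF]\d+) - ")

# Assumed expected locations for a few Windows binaries (illustrative, not exhaustive).
SYSTEM_NAMES = {
    "svchost.exe": "c:\\windows\\system32",
    "ctfmon.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}
PROFILE_OR_TEMP = ("\\appdata\\", "\\temp\\")


def reasons_for(path, autorun):
    """Return the heuristic rule names that a single path trips."""
    p = path.lower()
    name, folder = ntpath.basename(p), ntpath.dirname(p)
    hits = []
    if SPACE_EXT_RE.search(name):
        hits.append("space-before-extension")
    if name in SYSTEM_NAMES and folder != SYSTEM_NAMES[name]:
        hits.append("system-name-outside-system-dir")
    if folder == "c:\\programdata":
        hits.append("executable-in-programdata-root")
    if autorun and any(marker in p for marker in PROFILE_OR_TEMP):
        hits.append("autorun-from-profile-or-temp-dir")
    return tuple(hits)


def triage(log_text):
    """Parse a HijackThis log and return Findings for paths that trip a rule."""
    findings, seen = [], set()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if not line:  # a blank line ends the process list
            in_processes = False
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            source, paths = entry.group(1), PATH_RE.findall(line)
        elif in_processes and re.match(r"[A-Za-z]:\\", line):
            source, paths = "process", [line]
        else:
            continue
        for path in paths:
            key = (source, path.lower())
            if key in seen:  # repeated process instances are reported once
                continue
            seen.add(key)
            hits = reasons_for(path, autorun=(source == "O4"))
            if hits:
                findings.append(Finding(source, path, hits))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source:8} {', '.join(f.reasons):55} {f.path}")
```

A hit is a reason to look closer at the file (location, signer, creation time), not a verdict; legitimate software also starts from profile directories.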


----------



## johnb35

You have some suspicious entries in your log. Please do the following.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here: *Combofix*


When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
Save the file to your windows desktop.  The combofix icon will look like this when it has downloaded to your desktop.





We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:


Close all open windows, including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found *here*.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Please click on I agree on the disclaimer window.
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.





ComboFix is now preparing to run. When it has finished, ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then back up your Windows Registry as shown in the image below.





Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:





At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.

Please click on yes in the next window to continue scanning for malware.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.





When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.  

Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy.  Then come to the forum in your reply and right click on your mouse and click on paste.  



In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## cRise

ComboFix 11-08-04.02 - CJ 08/05/2011   1:22.1.2 - x86
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.3071.2020 [GMT -4:00]
Running from: c:\users\CJ\Downloads\ComboFix.exe
AV: avast! antivirus *Disabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Disabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~1\IMESHA~1\MediaBar\DataMngr\DataMngrUI.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\AIM\aim.exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Malwarebytes' Anti-Malware\mbam.exe
c:\program files\QuickTime\QTTask.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\Steam\Steam.exe
c:\programdata\tW6Al5R1.exe
c:\users\CJ\AppData\Local\{F1E4DA9D-9D25-440A-836D-AB1ADD56994A}
c:\users\CJ\AppData\Local\{F1E4DA9D-9D25-440A-836D-AB1ADD56994A}\chrome.manifest
c:\users\CJ\AppData\Local\{F1E4DA9D-9D25-440A-836D-AB1ADD56994A}\chrome\content\_cfg.js
c:\users\CJ\AppData\Local\{F1E4DA9D-9D25-440A-836D-AB1ADD56994A}\chrome\content\overlay.xul
c:\users\CJ\AppData\Local\{F1E4DA9D-9D25-440A-836D-AB1ADD56994A}\install.rdf
c:\users\CJ\AppData\Local\2854142630.dll
c:\users\CJ\AppData\Local\TempDIR
c:\users\CJ\AppData\Roaming\Adobe\plugs
c:\users\CJ\AppData\Roaming\Microsoft\Windows\Recent\=[SUMOTorrent.com]=_Pure_POV_(2009xvid)_-_Sabrina_SweetRoxy_PantherJasmine_Rouge.pif
c:\windows\system32\config\systemprofile\AppData\Local\KBDapex.dll
c:\windows\system32\cwjm.exe
c:\windows\system32\itbn.exe
c:\windows\system32\lryl.exe
c:\windows\system32\User.ini
c:\windows\system32\ycoa.exe
.


<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe ---^> c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\AIM\aim .exe ---^> c:\program files\AIM\aim.exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe ---^> c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
</pre>

.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_QuickDownload Agent
-------\Service_QuickDownload Service
.
.
(((((((((((((((((((((((((   Files Created from 2011-07-05 to 2011-08-05  )))))))))))))))))))))))))))))))
.
.
2011-08-05 05:29 . 2011-08-05 05:29	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-08-05 02:46 . 2011-08-05 02:46	388096	----a-r-	c:\users\CJ\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-05 02:46 . 2011-08-05 02:46	--------	d-----w-	c:\program files\Trend Micro
2011-08-03 08:34 . 2011-08-03 08:34	0	----a-w-	c:\programdata\xyes.exe
2011-08-03 08:34 . 2011-08-03 08:34	0	----a-w-	c:\programdata\ling.exe
2011-08-03 08:34 . 2011-08-03 08:34	0	----a-w-	c:\programdata\jlyu.exe
2011-08-03 08:34 . 2011-08-03 08:34	0	----a-w-	c:\programdata\gicl.exe
2011-08-02 01:22 . 2011-08-02 01:24	--------	d-----w-	c:\windows\system32\MpEngineStore
2011-07-30 21:03 . 2011-04-21 13:55	508416	----a-w-	c:\windows\system32\drivers\bthport.sys
2011-07-30 21:03 . 2009-06-17 13:23	30208	----a-w-	c:\windows\system32\drivers\BTHUSB.SYS
2011-07-30 21:03 . 2011-06-02 13:34	2043392	----a-w-	c:\windows\system32\win32k.sys
2011-07-30 21:03 . 2011-04-20 15:55	375808	----a-w-	c:\windows\system32\winsrv.dll
2011-07-30 21:03 . 2011-04-20 15:50	49152	----a-w-	c:\windows\system32\csrsrv.dll
2011-07-30 21:03 . 2011-04-29 15:59	276992	----a-w-	c:\windows\system32\schannel.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-02 00:39 . 2011-06-20 21:16	0	----a-w-	c:\users\CJ\AppData\Local\Kbixebicogiceyi.bin
2011-07-06 23:52 . 2009-10-29 21:08	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2009-10-29 21:08	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-21 00:54 . 2011-06-21 00:54	150016	----a-w-	c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\igzuyr.exe
2011-06-21 00:54 . 2011-06-21 00:54	150016	----a-w-	c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\buzi.exe
2011-05-28 06:08 . 2011-06-20 21:23	916480	----a-w-	c:\windows\system32\wininet.dll
2011-05-28 06:04 . 2011-06-20 21:23	43520	----a-w-	c:\windows\system32\licmgr10.dll
2011-05-28 06:04 . 2011-06-20 21:23	1469440	----a-w-	c:\windows\system32\inetcpl.cpl
2011-05-28 06:04 . 2011-06-20 21:23	71680	----a-w-	c:\windows\system32\iesetup.dll
2011-05-28 06:04 . 2011-06-20 21:23	109056	----a-w-	c:\windows\system32\iesysprep.dll
2011-05-28 05:10 . 2011-06-20 21:23	385024	----a-w-	c:\windows\system32\html.iec
2011-05-28 04:33 . 2011-06-20 21:23	133632	----a-w-	c:\windows\system32\ieUnatt.exe
2011-05-28 04:31 . 2011-06-20 21:23	1638912	----a-w-	c:\windows\system32\mshtml.tlb
.


<pre>
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\iMesh Applications\MediaBar\DataMngr\DataMngrUI .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Steam\Steam .exe
</pre>

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47	333192	----a-w-	c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26	3908192	----a-w-	c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
2010-05-27 21:02	392072	----a-w-	c:\program files\iMesh Applications\MediaBar\DataMngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2010-04-27 15:08	2393184	----a-w-	c:\program files\DVDVideoSoftTB\tbDVDV.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
2009-11-20 17:34	87472	----a-w-	c:\program files\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
2010-10-18 10:26	3908192	----a-w-	c:\program files\DVDVideoSoft\tbDVD0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}"= "c:\program files\DVDVideoSoft\tbDVD0.dll" [2010-10-18 3908192]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll" [2009-11-20 87472]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
.
[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]
.
[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F}"= "c:\program files\DVDVideoSoft\tbDVD0.dll" [2010-10-18 3908192]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
"{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
.
[HKEY_CLASSES_ROOT\clsid\{e9911ec6-1bcc-40b0-9993-e0eea7f6953f}]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Aim"="c:\program files\AIM\aim .exe" [N/A]
"Steam"="c:\program files\Steam\Steam.exe" [N/A]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [N/A]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Conduiti4jdel05705"="c:\users\CJ\AppData\Local\Temp\svchost.exe" [N/A]
"TextTEXTASST"="c:\users\cj\appdata\locallow\macromedia\shockwave player\xtras\download\macromediainc\textasset\texttextasst10.425.exe" [N/A]
"ShockwaveShockwave"="c:\users\cj\appdata\locallow\adobe\shockwave player 11\xtras\download\adobesystemsincorporated\shockwave3dasset\shockwaveshockwave.exe" [N/A]
"ShockwaveAsset"="c:\users\cj\appdata\locallow\adobe\shockwave player 11\xtras\download\adobesystemsincorporated\shockwave3dasset\shockwaveshockwave.exe" [N/A]
"MoviesDivX"="c:\users\CJ\Videos\DivX Movies\DivXCreate2935.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]
"DataMngr"="c:\progra~1\IMESHA~1\MediaBar\DataMngr\DataMngrUI.exe" [N/A]
"MRT"="c:\windows\system32\MRT.exe" [2011-08-02 49089992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [N/A]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
buzi.exe [2011-6-20 150016]
igzuyr.exe [2011-6-20 150016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\IMESHA~1\MediaBar\DataMngr\datamngr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R1 azhwmqqi;azhwmqqi;c:\windows\system32\drivers\azhwmqqi.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-07 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-07 136176]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 WefiEngSvc;WeFi Engine Service;c:\program files\WeFi\WefiEngSvc.exe [2010-09-06 120152]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]
S1 aswSP;avast! Self Protection; [x]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 QuickDownload Update;QuickDownload Update;c:\program files\QuickDownloadService\qdownupdate.exe [2009-02-09 94208]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc
bthsvcs	REG_MULTI_SZ   	BthServ
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-07 03:51]
.
2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-07 03:51]
.
2011-08-05 c:\windows\Tasks\WefiStartup.job
- c:\program files\WeFi\WefiStartup.exe [2010-09-06 14:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to iPod Converter - c:\users\CJ\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
IE: Free YouTube to Mp3 Converter - c:\users\CJ\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\CJ\AppData\Roaming\Mozilla\Firefox\Profiles\b9pfha72.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: AIM Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
FF - Ext: Ask Toolbar for Firefox: {E9A1DEE0-C623-4439-8932-001E7D17607D} - %profile%\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
FF - Ext: MediaBar: {28D35620-51D9-11DE-9D13-2DB156D89593} - %profile%\extensions\{28D35620-51D9-11DE-9D13-2DB156D89593}
FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com

.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\ghm.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-Steam App 100 - c:\program files\Steam\steam.exe
AddRemove-Steam App 240 - c:\program files\Steam\steam.exe
AddRemove-Steam App 550 - c:\program files\Steam\steam.exe
.
.
.
**************************************************************************
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\conime.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\SLUI.exe
.
**************************************************************************
.
Completion time: 2011-08-05  01:39:41 - machine was rebooted
ComboFix-quarantined-files.txt  2011-08-05 05:39
.
Pre-Run: 24,695,767,040 bytes free
Post-Run: 25,893,937,152 bytes free
.
- - End Of File - - FA7070C91F0EF25E59E1B0654281FF96


----------
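The File Associations section of the log above shows the `exefile` open command routed through `ghm.exe` instead of the stock `"%1" %*`. As an added example (not part of the original posts and not ComboFix's own code), the sketch below pulls that section out of a log and flags executable-type associations that differ from the default. The sample text is constructed in the log's layout, and the directory list and the extra progids (`comfile`, `batfile`, `cmdfile`) are assumptions.

```python
import re

# Constructed excerpt in the layout of the ComboFix log shown above.
SAMPLE_LOG = r'''
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\ghm.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)
'''

DEFAULT_COMMAND = '"%1" %*'  # stock Windows open command for these progids
CHECKED_PROGIDS = ("exefile", "comfile", "batfile", "cmdfile")
# Assumption: file-type handlers are not normally installed in these directories.
UNUSUAL_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\")
SECTION_START = re.compile(r"^-+ File Associations -+$")

def file_associations(log_text):
    """Return {progid: command} from the log's File Associations section."""
    assoc, in_section = {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_START.match(line):
            in_section = True
        elif in_section and line[:1] in ("-", "*"):
            break  # next section header ends the block
        elif in_section and "=" in line:
            progid, command = line.split("=", 1)
            assoc[progid.strip()] = command.strip()
    return assoc

def handler_path(command):
    """First token of the command: the program Windows starts for this type."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""

def audit_associations(log_text):
    """List executable-type associations whose command is not the default."""
    findings = []
    for progid, command in file_associations(log_text).items():
        if progid.lower() in CHECKED_PROGIDS and command != DEFAULT_COMMAND:
            path = handler_path(command)
            unusual = any(d in path.lower() for d in UNUSUAL_DIRS)
            findings.append({"progid": progid, "handler": path,
                             "unusual_location": unusual})
    return findings

if __name__ == "__main__":
    for finding in audit_associations(SAMPLE_LOG):
        print(finding)
```
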



## cRise

It seems to have gotten better. However, whenever I click on an icon on my desktop, "illegal operation attempted on register key that has been marked for deletion" appears.

What is that?


----------



## johnb35

You still have some issues we need to deal with.  Please move the combofix file to your desktop so you can perform the following fix.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



Code:

```
File::

c:\windows\system32\drivers\azhwmqqi.sys
c:\windows\vtany.sys
c:\windows\xhunter1.sys
c:\programdata\xyes.exe
c:\programdata\ling.exe
c:\programdata\jlyu.exe
c:\programdata\gicl.exe
c:\users\CJ\AppData\Local\Kbixebicogiceyi.bin

Driver::

azhwmqqi
vtany
xhunter1

Renv::

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\iMesh Applications\MediaBar\DataMngr\DataMngrUI .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Steam\Steam .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AIM\aim .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

Reglock::

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
```



3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.




Also, I need you to post a file from combofix for me.  Navigate to C:\qoobox and in that folder will be a file named "add-remove programs.txt".  Please open that file and copy and paste the contents back here.


----------



## cRise

Hey thanks for the help so far.

I tried dragging the file to the combo fix shortcut but the same thing appears.


"Illegal operation attempted on a register key that has been marked for deletion"


----------



## johnb35

Have you rebooted the computer yet?  Usually after you reboot the PC this message goes away.  Then follow the procedure.  But you must move the combofix file to your desktop please.  And it can't be a shortcut to combofix, it must be the original file.  So just copy the icon from your downloads folder and paste it to your desktop screen.


----------



## cRise

For some reason, after running combo fix, my laptop will restart. Then it will automatically restart again by itself. It keeps restarting again and again. I turn it off and now I can barely start it. It will go into the login screen, expanded, and I can't even log in (never had a password, etc). What's the problem?


----------



## johnb35

Okay, this is the issue sometimes with malware infections.  I assume you have the recovery console installed and can boot to it?  If you didn't have the recovery console installed, combofix would report that it wasn't installed.  At this point I advise you to run a system restore from the recovery console and then we can try cleaning up the machine again.

Please follow the instructions on this site to do the "system restore".  Please follow the instructions precisely.  However, perform the checkdisk procedure first to see if it will allow access to Windows.

http://www.myfixes.com/articles/system

If you have any questions please ask.


----------



## cRise

Hey John thanks for the help.

It seems that I need the Windows 7 CD? However, when I bought my laptop I don't think it came with it. Even if it did, I have no clue where it is.

Do I have to buy another Windows 7 now?


----------



## johnb35

Laptop manufacturers don't give you reinstallation CDs anymore.  What they give you is a recovery partition on the hard drive that you boot to in order to reinstall the operating system.  Look in the owner's manual to find out how to boot to the recovery partition.


----------



## cRise

Sorry guys, I'm actually a little new to all this.

So where exactly is the manual?

And where would I reboot after safe mode?

Thanks guys, I really appreciate this.


----------



## johnb35

You didn't get an owner's manual with the PC?

When you ran combofix did you allow it to install the recovery console?


----------



## cRise

johnb35 said:


> You didn't get an owner's manual with the PC?
> 
> When you ran combofix did you allow it to install the recovery console?



I'm sure I did, but I definitely have no idea where it is.

And is the recovery console installed automatically? I just allowed it to do its functions.


And I don't mean "how" to reboot, I meant after I'm in safe mode, what do I do after that?


----------



## johnb35

If you had the recovery console installed you would get a boot screen similar to this one at startup.






Let me know if you see a screen similar to this so we can perform a "system restore" using the recovery console.


----------

