Author Topic: Results of Hijack This scan  (Read 19084 times)

jocaan409

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    Re: Results of Hijack This scan
    « Reply #15 on: June 17, 2011, 10:09:17 AM »
    Could not run Rooter.  Tried all sorts of ways.  It would not Open or Save.  Frank C. 

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Results of Hijack This scan
    « Reply #16 on: June 17, 2011, 04:45:27 PM »
    Ok. Let's try this one.

    Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

    You will need to enter your name, e-mail address and location in order to access the download page.

    • Once you have downloaded the file, double click the sarsfx icon
    • Review the licence agreement and click on the Accept button
    • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button

    • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
    • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
    • Allow the program to scan your computer - please be patient as it may take some time
    • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
    • In the main window, you will see each of the entries found by the scan (if any)
      • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
      • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
    • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
    • To clean up these entries click on the Clean up checked items button
    • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
    • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
    • When you have re-booted, tell me how your computer is running now
    Windows 8 and Windows 10 dual boot with two SSD's

    jocaan409

      Topic Starter


      Rookie

      • Experience: Beginner
      • OS: Unknown
      Re: Results of Hijack This scan
      « Reply #17 on: June 18, 2011, 02:07:10 PM »
      OK Sophos download and scan completed.   14 items are selected for clean up.  I checkmarked each one separately and each one came up with the same message if I clicked OK. The message is:
      Warning:You have selected some items which are not recommended for cleanup.  Removing these items may cause problems with your computer.  Are you sure you want to cleanup the selected items?   
      Frank C.

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Results of Hijack This scan
      « Reply #18 on: June 18, 2011, 05:09:54 PM »
      Can you post the log so I can look at it?
      Windows 8 and Windows 10 dual boot with two SSD's

      jocaan409

        Topic Starter


        Rookie

        • Experience: Beginner
        • OS: Unknown
        Re: Results of Hijack This scan
        « Reply #19 on: June 18, 2011, 07:37:13 PM »
        There is no log option, per se, so I Selected, Copied each remark to Word now let's see if it will paste: 

        Area:   Local hard drives

        1. Description:   Unknown hidden file
        Location:   C:\Program Files (x86)\GIGABYTE\ET6\work.dll
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        2. Description:   Unknown hidden file
        Location:   C:\Program Files\Microsoft Reference\Bookshelf 98\SETUP.EXE
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        3. Description:   Unknown hidden file
        Location:   C:\Program Files\Microsoft Reference\Bookshelf 98\QTVR\QT.EXE
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        4. Description:   Unknown hidden file
        Location:   C:\Program Files (x86)\Nitro PDF\Reader\NitroPDFReaderDriver.dll
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        5. Description:   Unknown hidden file
        Location:   C:\Program Files (x86)\Nitro PDF\Reader\npdf.dll
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        6. Description:   Unknown hidden file
        Location:   C:\Users\Frank C\Downloads\NewsSetup.exe
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        7. Description:   Unknown hidden file
        Location:   C:\Program Files (x86)\Chessmaster Challenge\Images\armhelper.ocx
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        8. Description:   Unknown hidden file
        Location:   C:\Program Files (x86)\Chessmaster Challenge\chess.exe
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        9. Description:   Unknown hidden file
        Location:   C:\Windows\Downloaded Program Files\armhelper.ocx
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        10. Description:   Unknown hidden file
        Location:   C:\Users\Frank C\Downloads\CyberTablet-Win-64-bit\CyberTablet 64-bit\setup.exe
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        11. Description:   Unknown hidden file
        Location:   C:\Users\Frank C\Documents\DocsOldComp\Old My Documents\My
        Documents Partition N\latency.exe
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        12. Description:   Unknown hidden file
        Location:   C:\Users\Frank C\Documents\DocsOldComp\WDC4Free.exe
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        13. Description:   Unknown hidden file
        Location:   C:\Users\Frank C\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\OYJZ6O9K\YEjcIi4cSTGzgwck8swoH77N2MCcKtu3YbdiXvMtESp1IYKuXOSrkXUOODw_L2vM477KGNh
        15opFk6kZpVSLI1W55ZtVY2uASdAHgFnTN9PwAX YXvgDw-ob43MAAAA%253D%2526dst%253D;ord=2599883974921274[1].js
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available) Area:   Local hard drives

        14. Description:   Unknown hidden file
        Location:   C:\Users\FLC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WGZLT16I\n.js,swfobject.js,adsmanager.js,cams.js,video_prev.js,search_predict_ajax.js,v_refresh.js,slide.js,viewvideo.js,mark_
        as_spam.js,emoticons.js,thumbnail_change[1].js
        Removable:   Yes (but clean up not recommended for this file)
        Notes:   (no more detail available)

        Well, so there it is.  Frank C. 
        « Last Edit: June 19, 2011, 01:30:57 PM by SuperDave »

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Results of Hijack This scan
        « Reply #20 on: June 19, 2011, 04:24:14 PM »
        Re-running ComboFix to remove infections:

        • Close any open browsers.
        • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
        • Open notepad and copy/paste the text in the quotebox below into it:
          Quote
          KillAll::

          File::
          C:\Users\Frank C\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\OYJZ6O9K\YEjcIi4cSTGzgwck8swoH77N2MCcKtu3YbdiXvMtESp1IYKuXOSrkXUOODw_L2vM477KGNh
          15opFk6kZpVSLI1W55ZtVY2uASdAHgFnTN9PwAX YXvgDw-ob43MAAAA%253D%2526dst%253D;ord=2599883974921274[1].js

          C:\Users\FLC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WGZLT16I\n.js,swfobject.js,adsmanager.js,cams.js,video_prev.js,search_predict_ajax.js,v_refresh.js,slide.js,viewvideo.js,mark_
          as_spam.js,emoticons.js,thumbnail_change[1].js

        • Save this as CFScript.txt, in the same location as ComboFix.exe



        • Referring to the picture above, drag CFScript into ComboFix.exe
        • When finished, it shall produce a log for you at C:\ComboFix.txt
        • Please post the contents of the log in your next reply.
        ************************************************
        I'd like to scan your machine with ESET OnlineScan

        • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        • Click the button.
        • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
        • Check
        • Click the button.
        • Accept any security warnings from your browser.
        • Check
        • Push the Start button.
        • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        • When the scan completes, push
        • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        • Push the button.
        • Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
        Windows 8 and Windows 10 dual boot with two SSD's
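Added example, not part of any post in this thread: a small Python parser for scan results pasted in the layout shown in Reply #19, which separates entries located under browser-cache or temp folders (where both files listed in the CFScript above sit) from entries inside installed programs and user documents. The sample text is constructed, the path markers are an assumption, and wrapped lines are assumed to rejoin with a single space.

```python
import re

# Constructed sample (not the thread's data) in the same layout as the pasted
# results: numbered records, one wrapped Location line, and the next record's
# "Area:" label fused onto the end of a Notes line.
SAMPLE = r"""Area:   Local hard drives

1. Description:   Unknown hidden file
Location:   C:\Program Files (x86)\ExampleApp\helper.dll
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available) Area:   Local hard drives

2. Description:   Unknown hidden file
Location:   C:\Users\Example\Documents\Old My
Documents\tool.exe
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available) Area:   Local hard drives

3. Description:   Unknown hidden file
Location:   C:\Users\Example\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ABCD1234\ad[1].js
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available)
"""

FIELD = re.compile(r"^(?:\d+\.\s*)?(Description|Location|Removable|Notes):\s*(.*)$")
AREA_TAIL = re.compile(r"\s*Area:\s.*$")
# Assumption: these path fragments mark browser-cache / temp locations.
CACHE_MARKERS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\")


def parse_entries(text):
    """Return one dict per record, repairing wrapped and fused lines."""
    entries, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Area:"):
            last = None               # a blank line ends any wrapped field
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "Notes":        # drop the fused "Area: ..." tail
                value = AREA_TAIL.sub("", value)
            if key == "Description":  # Description opens a new record
                current = {}
                entries.append(current)
            if current is not None:
                current[key] = value
                last = key
        elif current is not None and last:
            current[last] += " " + line   # continuation of a wrapped field
    return entries


def triage(entries):
    """Split Location paths into cache/temp files and files needing review."""
    result = {"cache_or_temp": [], "review": []}
    for e in entries:
        loc = e.get("Location", "")
        hit = any(marker in loc.lower() for marker in CACHE_MARKERS)
        result["cache_or_temp" if hit else "review"].append(loc)
    return result


if __name__ == "__main__":
    for bucket, paths in triage(parse_entries(SAMPLE)).items():
        print(bucket, *paths, sep="\n  ")
```
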

        jocaan409

          Topic Starter


          Rookie

          • Experience: Beginner
          • OS: Unknown
          Re: Results of Hijack This scan
          « Reply #21 on: June 22, 2011, 03:05:16 AM »
          I'm having trouble.  I had the Notepad text in your last post ready to paste or transfer to combofix.exe, but when I tried to save combofix it just ran the scan and did not give me any options to paste your Notepad comments.  I do have combofix.exe but it is in my Downloads file.  I could I guess find my Notepad that I copied your statements to and copy/paste it to combofix.exe in
          Users\Downloads, if that would work.  The trouble is Combofix just ran automatically and now as before Internet Explorer, Word, Outlook will not start up.  I get an error message "Illegal operation attempted on a registry key that has been marked for deletion."  I also have a new Combofix.txt file after it downloaded from the site you indicated but it is in my other User Account where none of the programs will start up.  Microsoft Essentials was closed on this User Account I am writing you from but at least it turned on and IE is working on this User Account as before.  Last time I had this trouble also and had to uninstall Microsoft Essentials on this account I'm writing you from, reinstall and then turn it on.  When I then went back into my account where Combofix was downloaded IE, Word and Outlook worked again, but not this time.  I may have to uninstall Microsoft Essentials on this account, even though it is working this time, because it still is not working on the other account and hopefully uninstalling and reinstalling Microsoft Essentials will fix the account where combofix is downloaded as it did last time.
          I'll have to check this message board again, later, because I do not have email set up in this User Account, to see when you respond.    Frank C.       

          jocaan409

            Topic Starter


            Rookie

            • Experience: Beginner
            • OS: Unknown
            Re: Results of Hijack This scan
            « Reply #22 on: June 22, 2011, 08:17:10 AM »
            OK scratch the last.  I am back on in my original User Account.  After a while I restarted and everything is ok after I started up again.  So now I have my notepad file and I have Combofix.exe.  Should I Copy/Paste Notepad into Combofix.exe and run it again? 
            Frank C. 

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Results of Hijack This scan
            « Reply #23 on: June 22, 2011, 01:08:25 PM »
            Quote
            So now I have my notepad file and I have Combofix.exe.  Should I Copy/Paste Notepad into Combofix.exe and run it again? 
            You will need to uninstall/delete ComboFix, download a new one and save it to your desktop. Then you can run the ComboFix script.
            Windows 8 and Windows 10 dual boot with two SSD's

            jocaan409

              Topic Starter


              Rookie

              • Experience: Beginner
              • OS: Unknown
              Re: Results of Hijack This scan
              « Reply #24 on: June 23, 2011, 07:51:35 AM »
              Maybe I should try the Run command instead.  I do not remember which one I tried first but I am not sure I could save combofix.exe to my desktop either time, I know I could not save it the last time but I clicked on Save rather than Run the last time.  As I mentioned Combofix ran automatically and I did not have a chance to save it to my desktop the last time but I did click Save rather than Run.  I'll try it again, go through it as indicated and see what happens and get back to you.  Frank C. 

              jocaan409

                Topic Starter


                Rookie

                • Experience: Beginner
                • OS: Unknown
                Re: Results of Hijack This scan
                « Reply #25 on: June 23, 2011, 08:52:00 AM »
                When I get Combofix.exe and CFScript.txt to my desktop I try to drag the CFScript.txt icon to Combofix.exe icon.  When I do this the CFScript.txt icon pops to the other side of the Combofix.exe icon.   It's as if it "doesn't go in."  So then I right click the CFScript.txt icon and select Copy.  Then I right click the Combofix.exe icon in an effort to Paste but there is no Paste option.  I try to Cut and Paste.  I am able to select the Cut option but again when I right click Combofix.exe there is no Paste option.  So the CFScript.txt icon is now grayed out but I cannot get a paste option when I right click Combofix.exe.  After that I still try to run Combofix.exe but now I get an Open With screen that asks me to choose a program to run Combofix.  I do not know if I should choose a program or if somehow I need to insure CFScript.txt is in Combofix before I run it.  I do not know for sure if CFScript.txt is now "in" Combofix because the CFScript icon on the desktop remains grayed out.   Frank C. 

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Results of Hijack This scan
                « Reply #26 on: June 23, 2011, 04:16:57 PM »
                Please try this and then see if ComboFix will work.

                Please download SREng
                • Extract it to Desktop and double click SREngLdr.EXE to run it
                • Select System Repair from the left pane.
                • Click on File Association
                • Select all entries that have an Error status and click [Repair]
                • Refer to this image for an example:

                • In your case, it would be .EXE
                • Close SREng now.
                Windows 8 and Windows 10 dual boot with two SSD's

                jocaan409

                  Topic Starter


                  Rookie

                  • Experience: Beginner
                  • OS: Unknown
                  Re: Results of Hijack This scan
                  « Reply #27 on: June 24, 2011, 05:01:03 AM »
                  When I Save to desktop, the file Saves as  sreng2_zip.  When I click on the icon an Open With page pops up with a list of programs to open the file.  Frank C. 

                  SuperDave

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: Results of Hijack This scan
                  « Reply #28 on: June 24, 2011, 01:40:29 PM »
                  Ok. Let's try this:

                  Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
                  Save Rkill to your desktop.

                  There are 7 different versions. If one of them won't run then download and try to run the other one.
                   
                  Vista and Win7 users need to right click Rkill and choose Run as Administrator
                   

                  You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

                  * Rkill.exe
                  * Rkill.com
                  * Rkill.scr
                  * WiNlOgOn.exe
                  * uSeRiNiT.exe
                  * iExplore.exe
                  * eXplorer.exe
                  Once you've gotten one of them to run then try to immediately run the following.
                  Windows 8 and Windows 10 dual boot with two SSD's

                  jocaan409

                    Topic Starter


                    Rookie

                    • Experience: Beginner
                    • OS: Unknown
                    Re: Results of Hijack This scan
                    « Reply #29 on: June 26, 2011, 07:49:25 AM »
                    OK, I'll try the steps you mentioned.  But now I do not know if I should.  You sort of ended your last message with an instructional sentence without the instruction.  I'll wait until I read your next message. 
                    Thanks,  Frank C.