Author Topic: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled  (Read 6962 times)


Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #45 on: May 04, 2011, 01:15:59 AM »
Hiya Rick,

I don't see any reason why CF will not run from a script, let's start again with a fresh run of CF. Make sure that it is saved direct to the Desktop.

Delete any versions of Combofix that you may have on your Desktop or anywhere else on your system, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.

  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

  • Instructions for running Combofix available Here if required.

  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin

Offline Notremos58

  • Bronze Member
  • Posts: 35
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #46 on: May 04, 2011, 01:23:52 AM »
Sorry Kevin, did you want me to run it with or without the script?

Prior to my last response to you I deleted the other copies of the file and downloaded direct to the desktop and subsequently dragged the script into Combofix.

Rick

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #47 on: May 04, 2011, 01:30:28 AM »
Hiya Rick,

Do a fresh install and run, no script. I'm unsure why the script switch did not run correctly, a fresh run may flag an issue we missed.

Kevin

Offline Notremos58

  • Bronze Member
  • Posts: 35
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #48 on: May 04, 2011, 04:40:19 AM »
Hi Kevin

Attached is the Combofix file.  I tried to run with the script after I ran without it but no luck.

Rick

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #49 on: May 04, 2011, 05:16:27 AM »
Hiya Rick,

I see from the log that Windows Defender was still active, that could very well be the reason the script command will not run.

  • Open Windows Defender.
  • Click Tools, and then click General Settings.
  • Under Real-Time Protection options, uncheck the "Real-time protection" check box.
  • Tools ---> Administrator Options ----> turn off also
  • Click Save.
  • Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Windows Defender page uncheck under Administrator Options "use Windows Defender" and then Save.
  • You can re-enable Windows Defender by placing a check next to "Turn on real-time protection".

Then try the script switch again...

Kevin

Offline Notremos58

  • Bronze Member
  • Posts: 35
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #50 on: May 04, 2011, 06:06:05 PM »
Hi Kevin.

Windows Defender was not open. Nevertheless I followed your instructions and opened it, changed the settings and tried again.

No luck.

Rick

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #51 on: May 04, 2011, 11:43:04 PM »
Hiya Rick,

From your last CF log Windows Defender was active:
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

Leave Combofix for now and run the following :-

Download OTL from any of the following links and save to your Desktop:

Link 1
Link 2
Link 3
Link 4
  • Double click on the icon to run it, Vista or Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and to let it run uninterrupted.
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply.

These logs can be quite large, if they exceed character limit split the logs and use multiple replies.....

Kevin

Offline Notremos58

  • Bronze Member
  • Posts: 35
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #52 on: May 05, 2011, 09:36:08 PM »
Hi Kevin

here are the logs.

Offline Notremos58

  • Bronze Member
  • Posts: 35
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #53 on: May 05, 2011, 09:38:55 PM »
Sorry forgot attachments

Offline Notremos58

  • Bronze Member
  • Posts: 35
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #54 on: May 05, 2011, 09:40:25 PM »
Second log

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #55 on: May 06, 2011, 12:29:13 AM »
Hiya Rick,

As follows please :-

Re-run OTL by double left click, Vista and Windows 7 users right click and select Run as Administrator.
  • Under the box at the bottom, paste in the following ***Note the scroll bars, make sure you copy the full script***

Code:
:OTL
O2 - BHO: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-2808852390-2653332168-3628843389-1008\..\Toolbar\WebBrowser: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2808852390-2653332168-3628843389-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:8CE646EE
:Services
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{138600EC-20F1-48DB-A15D-3DBC82ECD83E}" =-
"{33B6DFF0-96C0-4EFF-89B3-16C5E99B0DA9}" =-
:Files
ipconfig /flushdns /c
C:\found.000
C:\found.009
C:\Users\RickS\AppData\Roaming\BitTorrent
:Commands
[EmptyTemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.

Let me see the OTL fix log, also tell me what issues/concerns remain....

Kevin

Offline Notremos58

  • Bronze Member
  • Posts: 35
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #56 on: May 06, 2011, 06:59:54 AM »
Hi Kevin

I have set out the OTL Log below.

I am still getting the rundll error plus a desktop.ini file opens on boot with the following content.

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

OTL Logs

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_USERS\S-1-5-21-2808852390-2653332168-3628843389-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-21-2808852390-2653332168-3628843389-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
ADS C:\ProgramData\TEMP:8CE646EE deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{138600EC-20F1-48DB-A15D-3DBC82ECD83E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{138600EC-20F1-48DB-A15D-3DBC82ECD83E}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{33B6DFF0-96C0-4EFF-89B3-16C5E99B0DA9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33B6DFF0-96C0-4EFF-89B3-16C5E99B0DA9}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\RickS\Desktop\cmd.bat deleted successfully.
C:\Users\RickS\Desktop\cmd.txt deleted successfully.
C:\found.000 folder moved successfully.
C:\found.009\dir0001.chk folder moved successfully.
C:\found.009\dir0000.chk folder moved successfully.
C:\found.009 folder moved successfully.
C:\Users\RickS\AppData\Roaming\BitTorrent\dlimagecache folder moved successfully.
C:\Users\RickS\AppData\Roaming\BitTorrent\apps folder moved successfully.
C:\Users\RickS\AppData\Roaming\BitTorrent folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Jack Somerton
->Temp folder emptied: 527043 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Karen
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Milly
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
User: RickS
->Temp folder emptied: 2474994 bytes
->Temporary Internet Files folder emptied: 49633985 bytes
->Java cache emptied: 223995 bytes
->FireFox cache emptied: 79745885 bytes
->Google Chrome cache emptied: 7372657 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 7429 bytes
 
User: William
->Temp folder emptied: 34227 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 193740 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 43414571 bytes
 
Total Files Cleaned = 175.00 mb
 

 
OTL by OldTimer - Version 3.2.22.3 log created on 05062011_221929

Files\Folders moved on Reboot...
File move failed. C:\Users\Jack Somerton\AppData\Local\Temp\IDC2.tmp\getPlusPlus_Adobe.exe scheduled to be moved on reboot.
File move failed. C:\Users\Jack Somerton\AppData\Local\Temp\IDC2.tmp\getPlusPlus_Adobe_reg.exe scheduled to be moved on reboot.
File move failed. C:\Users\Jack Somerton\AppData\Local\Temp\IDC2.tmp\getPlus_Helper_3004.dll scheduled to be moved on reboot.
File move failed. C:\Users\Jack Somerton\AppData\Local\Temp\IDC2.tmp\gp.inf scheduled to be moved on reboot.
File move failed. C:\Users\Jack Somerton\AppData\Local\Temp\IDC2.tmp\gp.ocx scheduled to be moved on reboot.
File move failed. C:\Users\Jack Somerton\AppData\Local\Temp\IDC2.tmp\np_gp.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...
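
As an added illustration (not part of the thread, and not OTL's own tooling), here is a small Python parser for the result lines an OTL fix log like the one above contains. It tallies what was deleted, moved or not found, sums the byte counts OTL reports under [EMPTYTEMP], and pulls out anything left "scheduled to be moved on reboot", which is the part a helper has to confirm after the restart rather than assume. The sample log is a constructed excerpt modelled on the format above; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Result phrases OTL writes in a fix log, as seen in the thread above.
# Each pattern captures the registry path, file path or ADS name it reports on.
_RESULT_PATTERNS = [
    ("deleted", re.compile(r"^(?:Registry (?:key|value) |ADS )?(.+?) deleted successfully\.$")),
    ("moved", re.compile(r"^(.+?) (?:folder )?moved successfully\.$")),
    ("not_found", re.compile(r"^(?:Registry key |File )?(.+?) not found\.$")),
    ("pending_reboot", re.compile(r"^File move failed\. (.+?) scheduled to be moved on reboot\.$")),
]
# "->Temp folder emptied: 527043 bytes", "RecycleBin emptied: 43414571 bytes",
# "%systemroot% .tmp files removed: 0 bytes"
_BYTES_PATTERN = re.compile(r"^(?:->)?.+? (?:emptied|removed): (\d+) bytes$")


@dataclass
class FixSummary:
    deleted: list = field(default_factory=list)
    moved: list = field(default_factory=list)
    not_found: list = field(default_factory=list)
    pending_reboot: list = field(default_factory=list)
    bytes_emptied: int = 0
    unrecognised: list = field(default_factory=list)  # lines the parser did not classify


def parse_otl_fix_log(text: str) -> FixSummary:
    """Classify each result line of an OTL fix log into the FixSummary buckets."""
    summary = FixSummary()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and the "========== SECTION ==========" dividers.
        if not line or line.startswith("=========="):
            continue
        m = _BYTES_PATTERN.match(line)
        if m:
            summary.bytes_emptied += int(m.group(1))
            continue
        for bucket, pattern in _RESULT_PATTERNS:
            m = pattern.match(line)
            if m:
                getattr(summary, bucket).append(m.group(1))
                break
        else:
            summary.unrecognised.append(line)
    return summary


def needs_followup(summary: FixSummary) -> bool:
    """True when OTL could not finish: items are still waiting on a reboot."""
    return bool(summary.pending_reboot)


# Constructed excerpt modelled on the fix log posted above (not the full log).
SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
ADS C:\ProgramData\TEMP:8CE646EE deleted successfully.
========== FILES ==========
C:\found.000 folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: RickS
->Temp folder emptied: 2474994 bytes
->FireFox cache emptied: 79745885 bytes
RecycleBin emptied: 43414571 bytes
Total Files Cleaned = 175.00 mb
Files\Folders moved on Reboot...
File move failed. C:\Users\Jack Somerton\AppData\Local\Temp\IDC2.tmp\gp.ocx scheduled to be moved on reboot.
"""

if __name__ == "__main__":
    s = parse_otl_fix_log(SAMPLE_LOG)
    print(f"deleted={len(s.deleted)} moved={len(s.moved)} not_found={len(s.not_found)}")
    print(f"bytes emptied: {s.bytes_emptied}")
    for path in s.pending_reboot:
        print("still pending reboot:", path)
```

A "not found" entry after a successful delete or move of the same item is normal (OTL tries each associated key and file); the bucket worth acting on is `pending_reboot`, which for the log above is entirely files under a user's Temp folder, i.e. something was holding them open while the fix ran.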

Offline Notremos58

  • Bronze Member
  • Posts: 35
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #57 on: May 06, 2011, 07:03:42 AM »
PS Kevin.

My computer no longer hibernates. If I try to hibernate, when I reboot I do not come back to the previous state; I have a clean reboot.

Rick

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #58 on: May 06, 2011, 12:08:29 PM »
Hiya Rick,

Hibernation requires a certain amount of free HD space to be available to copy system state. The same applies for the System Restore function, if you recall we had problems with Combofix trying to create a restore point.
System restore requires approx 15% free HD space, if you look at the OTL log you'll see that you only have a touch over 10% free space available on the HD. You've got to suspect free space is the issue for both the Hibernation and System restore functions. Excerpt from OTL log follows:

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.00 Gb Total Space | 30.33 Gb Free Space | 10.18% Space Free | Partition Type: NTFS

Regarding the desktop.ini file, this may simply be that "Hidden files/folders" are showing, go Here and have a read, there is an auto fix available, just hit the following icon at the site :-

Either use the Fixit function or follow the manual fix and see if that resolves the desktop.ini file issue.

Is it possible you can move data from your HD to some external media source? Maybe Music, Videos, Pictures etc. See if that resolves the other issues....

Kevin

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6348
Re: [Resolved K]PC Only works in Safe Mode - Admin Disable - AV Disabled
« Reply #59 on: May 08, 2011, 12:07:50 AM »
You still with us, Rick........