
Thread: Malware removal problem

  1. #41
    Member
    Join Date
    Sep 2009
    Posts
    32

    downloaded Online-Armor and....

    After typing in Combofix /u, Online Armor pops up telling me that "A program wants to run". I wasn't paying close attention and clicked allow several times, but am now noticing that it is a different program each time. Now it is telling me that pev.exe wants to run. I googled that and it said it is part of Combofix, but I'm confused now because if I want to uninstall something, why would parts of it need to run?

    Please advise....did I err in clicking on "allow" several times? If so, what should I do about it? What about pev.exe and any subsequent choices as part of uninstalling Combofix?

  2. #42
    Member
    Join Date
    Sep 2009
    Posts
    32

    Choosing whether to Trust or not

    Here are the programs Online-Armor is asking me about - in no particular order:
    pev.exe
    swreg.exe
    SWXCACLS.cfxxe
    MSDOS (parent program is Combofix....the program name appears in the form of an icon)
    PREP.inf

    One needs to both "Trust" and "Allow", so even though I clicked on "Allow" before, looks like nothing happened and I can still moderate these.

    I'm guessing that there will be more of these programs to trust or not.

    Please advise.

  3. #43
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    They are all part of combofix.

    Please do combofix /u in safe mode
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #44
    Member
    Join Date
    Sep 2009
    Posts
    32

    removing combofix

    That was way more complicated than I expected and I'm not sure whether I've actually removed Combofix or not.

    Online Armor continually kept popping up with messages with the names of the programs above, and a few others, asking if I wished to allow it to run...and messages saying the program wants to run again, etc.

    There were multiple boxes to choose from below and whenever possible I checked "Run in Safer Mode" (can't remember exactly the wording), but sometimes, that option was no longer available (not on the menu of choices), so I just clicked on Trust this program.

    No bombs have gone off, so I am going to continue with your instructions and download OTCleanIt

  5. #45
    Member
    Join Date
    Sep 2009
    Posts
    32

    OT Clean It completed

    I downloaded and ran this program. Upon rebooting, I got a message:

    C:/windows/system32/grpconv.exe

    "Windows cannot access the specified device path or file. You may not have the appropriate permissions to access the item." [okay]

    So I clicked okay, and Online Armor popped up and told me the above program was blocked and gave me options to Run Safer, Trust, Allow, Delete, Block.

    I think I may have blocked it when attempting to uninstall combofix (which I'm still not sure if I was successful at doing).

  6. #46
    Member
    Join Date
    Sep 2009
    Posts
    32

    Windows XP system restore

    Will proceed with this later, need to rest from a molecular virus (as opposed to a computer virus).

  7. #47
    Member
    Join Date
    Sep 2009
    Posts
    32

    Windows XP system restore completed

    I disabled and re-enabled System Restore as advised. Seems like the OT CleanIT tool did not work perfectly as I had to manually remove Hijack This, WIN32kdiag (something like that), and maybe one other...but I seem to have been able to do that.

    Thanks for all your help Shaba...restores my faith and hope that the forces of good are out there working for us all.

  8. #48
    Member
    Join Date
    Sep 2009
    Posts
    32

    P.s.

    I tried to uninstall Lavasoft's "Adaware" by going to Control Panel/Add-Remove Programs, but even though that program does show up as installed, there is no option to remove it. I went to the folder in my C-Drive and manually deleted most of the files inside the Lavasoft folder, but some of them wouldn't allow themselves to be deleted. Any suggestions?

  9. #49
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    If you have issues with Ad-aware, it is best to ask in their forums.

  10. #50
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (PM). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
