Thread: True problem or false alert? Please, help!

  1. #1
    Join Date
    Oct 2007
    Posts
    3

    Dear All,

    For a few days I have had strange files spreading on my USB storage devices and PC.

    After reading PhilliePhan's "READ ME Before Posting A Request For Assistance!", I'm posting in the hope of getting your advice.

    Just before providing you with the scan information, I'll give you the facts about the problem.

    Avast anti-virus: alerts me that an EggDrop-AC [Trj] has been found every time I start my computer and/or try to manually delete it from Processes in the Task Manager. No matter what action I choose (delete, move, etc.), Avast tells me that "the process cannot access the file because it is being used by another process: C:\Documents & Settings\IMC\Local Settings\Temporary Internet Files\Content.IE5\0SBLD5OY\mitm[1].com\[UPX]".

    Hard disks (C, D, and external E, F, etc.): each hard drive contains at least one suspicious -.exe file and an Autorun.inf. Sometimes there are two or three similar files, their size slightly changing from 75 to 79 Kb. And what is most impressive, all these files keep changing their names every time the computer restarts: a few hours ago the file was abtpkqmef.exe, now it’s qsthbasfj.exe, then vztyljdqq.exe, etc. All these files are of hidden file type.

    Task Manager: usually the Task Manager shows the process with the same name as those on hard disks, but for a few days it has been different. Yet all the same it keeps changing its name.
    • Image name: today it’s amasujabh.exe.
    • User Name – my User Name;
    • CPU – 50;
    • Memory Usage – 4884 k

    Ccleaner: in StartUp (Tools) there is also a suspicious file.
    • File: C:\WINDOWS\system32\amasujabh.exe (the file name, amasujabh.exe, as I said keeps changing, not the path).
    • Program name: reginit, and it doesn’t change.
    • Key: HKLM:Run

    When I right-click on any of the files, in Properties I find the following information:
    • File type: Application
    • Description: Install Shield Installer
    • Location: C:\
    • File Version: 8.0.0.343
    • Copyright: Microsoft Corp 1992-2001

    AS PRESCRIBED BY IANAG Forum:
    • Microsoft Windows Malicious Software Removal Tool found no malware or infected files;
    • Kaspersky Online Virus Scanner found no malware or infected files (see the Scan Report attached);
    • AVG Anti-spyware scan in Safe Mode found 485 infected files, 5 tracers (with medium risk) and 1 TrojanWin32 (with high risk): all deleted as requested by the program; the program gave no option for saving the scan report;
    • Windows Defender and Spybot SD found no problems;
    • HiJackThis brought up the following results (sorry, I have a problem attaching it, so I paste it below):

    Logfile of HijackThis v1.99.1
    Scan saved at 11:27:31, on 03/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\CAP3RSK.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\analyze.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
    O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
    O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN .EXE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Fenêtre d'état de Canon LASER SHOT LBP-1120.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK .EXE
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    Also, you might find it important to compare it with HiJackThis scan I did separately a day before, here's the link: http://hjt.networktechs.com/parse.php?log=394419


    When in Safe Mode I tried both Ccleaner and Task Manager, there was no presence of reginit or anything else suspicious. Yet, coming back to Normal Mode just after the series of scanning I saw reginit & Co reappear in Processes List in Task Manager. And, of course, I was alerted again by Avast with no option whatsoever.
    SpyBot SD also asked me if I allow reginit to make changes. By refusing it, the desktop was literally covered with messages of SpyBot SD blocking the change. Yet reginit program & Co were already in Processes List.

    So, in the end certain anti-virus programs identify reginit and the files it apparently generates as medium risk tracers, while others don’t even identify them. Yet, any USB flash or hard disc device contracts it and have them installed on other computers.

    Advice of knowledgeable guys will be really appreciated!

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Go into Spybot and turn OFF the TeaTimer. It sometimes interferes with fixes. Don't use the HJT analyser here, it is way out of date.

    You have stated you have tried to remove this process manually; one thing for sure is that removing EggDrop.AC manually is hard. You never know how many files it has infected.

    Ok, having read and re-read this thread I don't mind telling you I am confused here.

    "Yet, any USB flash or hard disc device contracts it and have them installed on other computers."
    I am not certain if you are saying these items are coming FROM your USB drives or that they keep picking them up or they are part of the USB drives.
    If it is NOT found during safe boot then it is something that only runs during autostart in NORMAL mode. The Autorun.inf pretty much indicates that.

    The file you say is using the EggDrop-AC [Trj] or is being used by it is the following;
    C:\Documents & Settings\IMC\Local Settings\Temporary Internet Files\Content.IE5\0SBLD5OY\mitm[1].com\[UPX]

    This is a folder in the Windows directory where Internet Explorer stores temporary internet files. You need to empty this file.
    Go to Safe Mode.
    Open Internet Explorer ---> Go to Tools ---> Internet Options
    Under Temporary Internet Files Section click on Delete Files. You will get a dialog box. Check the box next to Delete all offline content and then click on OK. This hopefully will delete all offline content from your computer and empty C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5 folder.

    You have used two different HJT versions for these scans, the one you used the analyzer on is the newest version, the one you have posted here is the older version.

    I see nothing in your HiJackThis logs, either of them, except NO firewall and portions of an older install of Norton Anti-virus which are attempting to run, as indicated by these two entries in the logs (the second one only appears in the parsed one you gave as a link):


    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    (This one only appears in the parsed version of the HJT program.)

    You should do a file search for all files Symantec and all files Norton and delete any found.

    I want you to use HiJackThis to generate a Start Up Listing and post it here;
    In order to do this go into the Config option when you start HijackThis then click on the Misc Tools button at the top.
    You will then click on the button labeled "Generate StartupList Log"
    Once you click that button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste these entries into a message and submit it here.

  3. #3
    Join Date
    Oct 2007
    Posts
    3
    Judy, thank you for your advice.
    I'm sorry for having been absent for over a month. Been to no man's land where computers are almost nonexistent. Now I rediscover my laptop and ... the sticky virus that is still around.

    I did exactly as you asked me. Here's the Startup List.

    StartupList report, 14/12/2007, 23:37:51
    StartupList version: 1.52.2
    Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\WINDOWS\system32\CAP3RSK.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK .EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\kylwcoshe.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Broadcom Wireless Manager UI = C:\WINDOWS\system32\WLTRAY.exe
    IntelZeroConfig = "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    reginit = C:\WINDOWS\system32\kylwcoshe.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    =

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
    (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll - {C451C08A-EC37-45DF-AAAD-18B51AB5E837}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    MP Scheduled Scan.job
    WebReg ENU.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [CKAVWebScan Object]
    InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    CODEBASE = http://www.kaspersky.com/kos/eng/par...an_unicode.cab

    [YInstStarter Class]
    InProcServer32 = C:\PROGRA~1\Yahoo!\Common\yinsthelper.dll
    CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    End of report, 6 049 bytes
    Report generated in 0,062 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    Thanks,

    Diko
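
The pattern reported in this thread, a Run value whose name (reginit) stays fixed while the executable it points to is renamed between reboots, can be checked by comparing two StartupList reports. The Python below is an added example, not part of any post or of HijackThis; the function names are hypothetical and the two snapshots are constructed from the file names given in the posts above.

```python
import ntpath
import re

# Constructed input in StartupList format. SNAPSHOT_A is rebuilt from the first
# post (reginit -> amasujabh.exe); SNAPSHOT_B carries the target shown in the
# StartupList report posted later (reginit -> kylwcoshe.exe).
SNAPSHOT_A = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
reginit = C:\WINDOWS\system32\amasujabh.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""
SNAPSHOT_B = SNAPSHOT_A.replace("amasujabh.exe", "kylwcoshe.exe")

HEADER = "Autorun entries from Registry:"
RUN_KEY = re.compile(r"^(HKLM|HKCU)\\.+\\Run(Once)?$", re.I)
SEPARATOR = re.compile(r"^-{10,}$")
# First executable in a command line, quoted or not, ignoring arguments.
EXE = re.compile(r'^"?(.+?\.(?:exe|com|scr|bat|cmd))"?(?:\s|$)', re.I)


def parse_run_entries(report):
    """Return {(registry key, value name): command} for each Run section."""
    entries, key, expect_key = {}, None, False
    for raw in report.splitlines():
        line = raw.strip()
        if line == HEADER:
            key, expect_key = None, True
        elif SEPARATOR.match(line):
            key, expect_key = None, False
        elif expect_key and line:
            key, expect_key = (line if RUN_KEY.match(line) else None), False
        elif key and " = " in line:
            name, command = line.split(" = ", 1)
            entries[(key, name.strip())] = command.strip()
    return entries


def target(command):
    """Lower-cased executable path of a Run command (whole command if none)."""
    match = EXE.match(command)
    return (match.group(1) if match else command).lower()


def rotating_targets(old_report, new_report):
    """Run values present in both reports whose executable has changed."""
    old, new = parse_run_entries(old_report), parse_run_entries(new_report)
    findings = []
    for key, name in sorted(old.keys() & new.keys()):
        before, after = target(old[(key, name)]), target(new[(key, name)])
        if before != after:
            findings.append({
                "key": key, "value": name, "old": before, "new": after,
                # Same folder, new file name: the behaviour described above.
                "renamed_in_place":
                    ntpath.dirname(before) == ntpath.dirname(after),
            })
    return findings


if __name__ == "__main__":
    for finding in rotating_targets(SNAPSHOT_A, SNAPSHOT_B):
        print(finding)
```

A Run value that legitimately moves to a new install folder is also reported; the renamed_in_place field separates that from a file renamed inside the same folder.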

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

    Then download ComboFix.

    Double click combofix.exe & follow the prompts.

    When finished, it will produce a log for you. Attach this log in the thread you are working in.

    Note:

    * Do not mouseclick combofix's window while it is running. That may cause it to stall.

  5. #5
    Join Date
    Oct 2007
    Posts
    3
    It looks like I managed to get rid of the sticky virus!
    Apparently, Microsoft Windows Malicious Software Removal Tool that I first heard of on the forum did the job. I used it before but with little effect, the virus kept reappearing. Now I updated all the anti-virus & anti-spyware tools on my PC and it made the difference. Then, to make sure, I did a full scan with Avast, AVG Anti-spyware, Spybot and Windows Defender and eliminated dozens of other malware.
    Now there's a small community of friends who experience the same problem. So, I hope I'll be helpful in getting their PCs clean.

    I followed your recent instructions and here's the ComboFix log (the attached file).

    I may also come up with tenacious cases of the same problem while helping the others. Should I open a new thread or can I continue this one?

    Again, thanks a lot for guiding me through the process.