Boy! Honestly I just don't know. Think part of the problem really is that I didn't know everything run prior to this. So I goofed there not asking the right questions.
I can find no info whatsoever on this particular file that Windows seems to be looking for, so wonder if it is combofix and if that is the case Windows SHOULDN'T be looking for it anyway.


I have just restarted my pc and no prompt.

Sorry, looks like I posted on "top of you".
Well at least it quit loading.
You said then that the

... the google search engine the text is back to normal size and also its not opening new windows with adds!!However its still not loading certain pages eg bleeping computer and is also running slow. Halfway there?

NO you are not doomed!!!!
Run me a new HJT scan. Post the log.
I know I DON'T give up, drives others nuts! But let's keep trying, unless you want to "fold 'em"


Sorry, looks like I posted on "top of you".
Well at least it quit loading.
You said then that the
NO you are not doomed!!!!
Run me a new HJT scan. Post the log.
I know I DON'T give up, drives others nuts! But let's keep trying, unless you want to "fold 'em"

Well he said it went back to being the virus'd Google. Just like mine did. :[


I apologize skiesaregrey for not getting back with you yesterday, personal appointments took up much of my time.
Try again to run combofix. Please follow ALL of the instructions below and see if this method will work.

Please download ComboFix by sUBs from HERE or HERE

* You must download it to and run it from your Desktop * Physically disconnect from the internet. * Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
* Double click combofix.exe & follow the prompts.
* When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log * Re-enable all the programs that were disabled during the running of ComboFix..


Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Its fine! I appreciate your busy and on top of that, helping me so no need to apologise.

Right, interesting things have been happening...
Those 2 websites with combofix i could not access (the computer wouldnt let them pages load up). So I went and got onto another pc and downloaded it, saved it to a usb stick and transferred it over to my desktop. I disconnected from the net and shut off all active programs (friewall, virus checker) and then ran it. The blue bar loaded up and after a minute..nothing. So I double clicked again, this time I got the message "Combofix has detected rootkit activity blah blah blah" so the computer restarted. It loaded up windows again and I got the same message again and figured it was for the first time I tried loading it so the computer restart yet again.
This time on restart it took me to a blue screen that contained the following...
"Checking system files on c:
The type of the file system is NTFS.
The volume is dirty.
CHKDSK is verrifying files (1 of 3)...
Deleting corrupt file record segment 56712
Deleting corrupt attribute record (128,"")
from file record segment 57757
File verrification completed....

Anyway windows loads up and...hey presto, Combofix begins!!!
Didnt even dare sneeze!! :)

Heres the log produced by combofix and following it is a log produced by hijackthis, please bear in mind hijack this was ran whilst the my computer was NOT connected to the internet. Thanks

*Combofix results...

ComboFix 08-09-28.05 - Peresh Gela 2008-09-30 15:59:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.535 [GMT 1:00]
Running from: C:\Documents and Settings\Peresh Gela\Desktop\ComboFix.exe
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Peresh Gela\ResErrors.log

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))

2008-09-29 20:03 . 2008-09-29 20:15 <DIR> d-------- C:\327882R2FWJFW
2008-09-29 10:40 . 2008-09-29 10:40 <DIR> d-------- C:\Documents and Settings\Administrator.DHCK9R1J\Application Data\AVG7
2008-09-29 10:22 . 2005-09-15 09:13 <DIR> d-------- C:\Documents and Settings\Administrator.DHCK9R1J\Application Data\You've Got Pictures Screensaver
2008-09-29 10:22 . 2005-09-15 09:17 <DIR> d-------- C:\Documents and Settings\Administrator.DHCK9R1J\Application Data\Symantec
2008-09-29 10:22 . 2005-09-15 09:16 <DIR> d-------- C:\Documents and Settings\Administrator.DHCK9R1J\Application Data\Jasc Software Inc
2008-09-29 10:22 . 2005-09-15 09:07 <DIR> d-------- C:\Documents and Settings\Administrator.DHCK9R1J\Application Data\Intel
2008-09-29 10:22 . 2008-09-29 10:22 <DIR> d-------- C:\Documents and Settings\Administrator.DHCK9R1J
2008-09-29 09:48 . 2008-09-29 09:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-28 16:15 . 2008-09-28 16:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-28 16:15 . 2008-09-28 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 14:17 . 2008-09-28 16:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-28 14:17 . 2008-09-28 14:17 <DIR> d-------- C:\Documents and Settings\Peresh Gela\Application Data\Malwarebytes
2008-09-28 14:17 . 2008-09-28 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-28 14:17 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-28 14:17 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-28 14:06 . 2008-09-28 14:06 <DIR> d-------- C:\Program Files\ESET
2008-09-28 14:06 . 2008-09-28 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-09-28 12:48 . 2005-11-09 00:26 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2008-09-28 12:24 . 2008-09-28 12:24 <DIR> d-------- C:\VundoFix Backups
2008-09-28 11:13 . 2008-09-28 11:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-18 08:42 . 2008-09-18 08:42 9,662 --a------ C:\WINDOWS\EPISME00.SWB
2008-09-16 23:13 . 2008-09-16 23:14 6,503 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-09-16 23:07 . 2008-09-16 23:07 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-16 23:07 . 2008-09-16 23:07 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-16 23:07 . 2008-09-16 23:07 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-16 23:07 . 2008-09-16 23:07 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-16 23:03 . 2008-09-16 23:07 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-16 22:54 . 2008-09-16 22:54 <DIR> d-------- C:\WINDOWS\EHome
2008-09-16 22:38 . 2008-04-14 01:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-09-16 22:37 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-09-16 22:36 . 2008-04-14 01:11 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2008-09-08 19:39 . 2008-09-08 19:39 <DIR> d-------- C:\Documents and Settings\Peresh Gela\System
2008-09-08 19:39 . 2008-09-08 19:47 <DIR> d-------- C:\Documents and Settings\Peresh Gela\Application Data\SmartDraw
2008-09-08 19:23 . 2008-09-11 16:41 <DIR> d-------- C:\Program Files\SmartDraw 2009
2008-09-06 16:20 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-06 16:17 . 2008-09-06 16:17 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-06 12:26 . 2008-09-06 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\UDL
2008-09-06 12:25 . 2004-11-25 06:07 79,679 --a------ C:\WINDOWS\system32\E_FLMACE.DLL
2008-09-06 12:25 . 2003-05-21 03:27 64,000 --a------ C:\WINDOWS\system32\E_FBCBACE.DLL
2008-09-06 12:25 . 2004-09-10 21:12 49,152 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2008-09-06 12:25 . 2000-06-07 02:01 34,304 --a------ C:\WINDOWS\system32\E_FBCHACE.DLL
2008-09-06 12:25 . 2008-04-13 19:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-09-06 12:25 . 2008-04-13 19:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-09-06 12:25 . 2008-04-13 19:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-09-06 12:24 . 2008-09-06 12:27 <DIR> d-------- C:\Program Files\epson
2008-09-06 12:24 . 2005-02-25 00:00 46,080 --a------ C:\WINDOWS\system32\escimgd.dll
2008-09-06 12:24 . 2005-02-25 00:00 29,696 --a------ C:\WINDOWS\system32\escwiad.dll
2008-09-06 12:24 . 2005-02-25 00:00 22,016 --a------ C:\WINDOWS\system32\esccmd.dll
2008-09-06 12:24 . 2008-09-06 12:24 27 --a------ C:\WINDOWS\CDE DX3800EFGIPSD.ini
2008-08-13 14:34 . 2008-05-01 15:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 14:30 . 2008-04-11 20:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-09-29 10:50 --------- d-----w C:\Documents and Settings\Peresh Gela\Application Data\Skype
2008-09-29 09:18 90,112 ----a-w C:\WINDOWS\DUMP278d.tmp
2008-09-28 23:02 --------- d-----w C:\Documents and Settings\Peresh Gela\Application Data\skypePM
2008-09-28 12:13 --------- d-----w C:\Program Files\Bonjour
2008-09-20 00:02 --------- d-----w C:\Program Files\Free Music Zilla
2008-09-07 19:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-09-06 15:20 --------- d-----w C:\Program Files\Java
2008-09-06 11:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-13 13:30 --------- d-----w C:\Program Files\FixTunes
2008-08-07 22:35 --------- d-----w C:\Documents and Settings\Peresh Gela\Application Data\dvdcss
2008-08-07 22:17 --------- d-----w C:\Program Files\VideoLAN
2008-07-30 16:59 --------- d-----w C:\Documents and Settings\Peresh Gela\Application Data\Media Player Classic
2008-07-30 15:13 --------- d-----w C:\Program Files\Convar
2008-07-30 14:50 --------- d-----w C:\Program Files\EphPod
2008-01-20 22:58 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-12 22:12 8,134 --sha-w C:\WINDOWS\system32\sttss.ini2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-07 1576176]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-09-04 6856704]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-22 507904]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-06-28 580096]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 98304]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 155648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 36352]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2008-01-14 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-09-15 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-07 20:17 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.ffds"= ffdshow.ax
"vidc.X264"= x264vfw.dll
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

"EnableFirewall"= 0 (0x0)

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-21 42512]
Contents of the 'Scheduled Tasks' folder
------- Supplementary Scan -------
FireFox -: Profile - C:\Documents and Settings\Peresh Gela\Application Data\Mozilla\Firefox\Profiles\bqn1qrbf.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 16:10:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

------------------------ Other Running Processes ------------------------
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Apoint\ApntEx.exe
Completion time: 2008-09-30 16:15:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-30 15:15:23
ComboFix2.txt 2008-09-28 11:48:06

Pre-Run: 20,063,465,472 bytes free
Post-Run: 20,137,435,136 bytes free

190 --- E O F --- 2008-09-26 09:41:48


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:20:40, on 30/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?sourceid=navclient&ie=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - IntelĀ® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

End of file - 7551 bytes

Thanks Dan


Well I'll be, have not heard of that happening before but will research that ASAP. Give me time to go through this log and hopefully we can see what is going on here.
Did you post this using the infected computer or the other one?


This infected one... and guess what, im on eset doing an online scan!
Ill send that log asap, really want to keep it on this side of the fence! Any other software that I should run?



# version=4
# OnlineScanner.ocx=
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3483 (20080930)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5348aad771303c429863e7938ba0c76e
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-09-30 04:28:07
# local_time=2008-09-30 05:28:07 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=319712
# found=7
# scan_time=2354
C:\QooBox\Quarantine\C\WINDOWS\system32\tdssadw.dll.vir Win32/Agent.ODG trojan 151046484AEF8DE49A459F2340F09190
C:\QooBox\Quarantine\C\WINDOWS\system32\tdssl.dll.vir Win32/Agent.ODG trojan D14A2ACE850393CA9446DA3BB9CFBF0B
C:\QooBox\Quarantine\C\WINDOWS\system32\tdsslog.dll.vir Win32/Agent.OBU trojan AE7C5EDD787BCDD8ED5966BDF02F1B46
C:\QooBox\Quarantine\C\WINDOWS\system32\tdssmain.dll.vir Win32/Agent.OGC trojan 335915A73568AE9BF532C41DF91A3B31
C:\QooBox\Quarantine\C\WINDOWS\system32\tdssserf.dll.vir Win32/Agent.ODG trojan 67E17F3C7F3C0134CAC7374FD013D9F4
C:\QooBox\Quarantine\C\WINDOWS\system32\tdssserf1.dll.vir Win32/Agent.ODG trojan 69D78C4A5D8CC85A00344C37157B87A2
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\tdssserv.sys.vir Win32/Agent.ODG trojan C9B36AE929D020240A91FF5200E8FE80



I had unchecked the box on ESET so it would not clean the problems found...



Don't worry about the items found by ESET they are all in the ComboFix Quarantine and we will get rid of them shortly.
You might try updating and running MBA-M again, FULL scan not the Quick one, Be sure to check Remove Selected Items too if anything is found. Post back with that log.


After you have done that then do the following;
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply and a new Hijack This log please.

By the way, I am fairly certain that Chkdsk ran because of the multiple stopping and rebooting when attempting to run combofix. Now you removed the old combofix programs, PLUS this time you didn't download from the internet but brought it to the computer from a clean computer, PLUS disconnected from the internet while running it. I am doing a great deal of "supposing" here, and somebody may post here and say I am wrong, but think all of this shows that "something" was working there in the background to stop everything from proceeding correctly. Disconnecting helped stop that AND bringing in the clean combofix worked too. Plus, hopefully, chkdsk was able to run and remove some corrupted items. We will try to check that shortly


None found on MBA-M

Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 3

30/09/2008 18:32:58
mbam-log-2008-09-30 (18-32-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140566
Time elapsed: 56 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



When i click that Kaspersky link it doesnt load an activex file. Im just sitting on the homepage... what do I do next?



When i click that Kaspersky link it doesnt load an activex file. Im just sitting on the homepage... what do I do next?


Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Did you check Add/Remove?


But what i am having problems with is that it is saying i need Java 1.5 or newer? Even though I change it to 75% still the accept button is not clickable..


Yeah i need to update Java.. It just wont let me click the accept button.
Although there is nothing related to Java on the website..?



But what i am having problems with is that it is saying i need Java 1.5 or newer? Even though I change it to 75% still the accept button is not clickable..

Change WHAT to 75%?
In order to do many things on line you have to have up to date java. What version of java do you have?


Sorry I dont even know what Java is..
And the 75% was the zoom that I was to do on the Kaspersky site if the accept button was unclickable..


Yeah i need to update Java.. It just wont let me click the accept button.
Although there is nothing related to Java on the website..?

In order to do many things on line you have to have up to date java. Applets are used to provide interactive features to web applications that cannot be provided by HTML.
If the site says you need a more up to date java, then you more than likely do. Plus this "thing" whatever it is/was, may very well have damaged your java.
What version of java do you have?


What version of java do you have?

Never mind I went back through your logs and noted you have the most current version installed. Do you have it enabled in Internet Explorer and Firefox?


I only use internet explorer although Firefox is on my pc i dont use it. How do I check to see if its enabled?

Also my resutls were the following...
You have the recommended Java installed (Version 6 Update 7).



Yes I did Judy. Nothing there, I dont think ive used it before..
Not sure why it has not given me the option to download Activex either.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.