PhilliePhan 171 Central Scrutinizer Team Colleague

Any ideas on this one.....?

S3 gel90xne;gel90xne;\??\c:\docume~1\roisin\locals~1\temp\gel90xne.sys --> c:\docume~1\roisin\locals~1\temp\gel90xne.sys [?]

2011-01-04 19:46:37 53248 ----a-w- c:\windows\system32\drivers\sst6BA.sys
2011-01-04 19:46:37 0 ----a-w- c:\windows\system32\drivers\sst6BA.tmp
2011-01-04 19:46:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\nJpCf06504

Do you know what these are?

At quick glance, these smell of Rootkit to me.

I imagine Judy will concur....

PP:)
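The "smells of rootkit" read PP gives those DDS lines can be written down as a triage rule. This is an added example, not code from the thread or from DDS: it parses DDS-style service lines (two taken from the thread, three constructed benign ones) and flags the signals a reviewer looks for, with names, thresholds and the `ServiceEntry` type all assumptions of this example.

```python
"""Triage DDS-style service lines like the ones quoted above.
Added example, not part of the thread. DDS lists each service as
  <start> <name>;<display name>;<image path> [<date size>]
with start R0-R4 (running) or S0-S4 (stopped); '[?]' means DDS could not
stat the file, and 'a --> b' means the registry path a was resolved to b.
The flags below are the signals PP reads by eye: an image living under a
user's Temp folder, a display name that is just the service name, a
machine-looking name, or a file DDS could not find.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$"
)
# \temp\ or \tmp\ as a path component, e.g. ...\locals~1\temp\x.sys
TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image: str
    meta: str
    flags: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if "image-in-temp" in self.flags:
            return "suspicious"
        return "review" if len(self.flags) >= 2 else "ok"


def looks_random(name: str) -> bool:
    """Heuristic: digits buried inside the name, or almost no vowels."""
    if re.search(r"\d[a-zA-Z]", name):
        return True
    letters = [c.lower() for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.15   # threshold is an assumption


def parse_line(line: str) -> Optional[ServiceEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if "-->" in path:                             # keep the resolved path
        path = path.split("-->", 1)[1]
    path = path.strip().replace("\\??\\", "")     # drop the NT object prefix
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                        path, m.group("meta") or "")


def triage(entry: ServiceEntry) -> ServiceEntry:
    flags = []
    if TEMP_DIR_RE.search(entry.image):
        flags.append("image-in-temp")
    if entry.display.strip().lower() == entry.name.strip().lower():
        flags.append("display-equals-name")
    if looks_random(entry.name):
        flags.append("random-looking-name")
    if entry.meta.strip() == "?":
        flags.append("file-not-found")
    entry.flags = flags
    return entry


def triage_report(lines) -> List[ServiceEntry]:
    return [triage(e) for e in map(parse_line, lines) if e is not None]


# Two lines quoted in the thread plus three constructed lines (benign drivers, one non-entry).
SAMPLE_DDS_LINES = [
    r"S3 gel90xne;gel90xne;\??\c:\docume~1\roisin\locals~1\temp\gel90xne.sys --> c:\docume~1\roisin\locals~1\temp\gel90xne.sys [?]",
    r"S3 IRLSSZY;IRLSSZY;c:\docume~1\HP_Owner\LOCALS~1\Temp\IRLSSZY.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\IRLSSZY.exe [?]",
    r"R3 usbscan;USB Scanner Driver;c:\windows\system32\drivers\usbscan.sys [2008-4-14 15104]",
    r"S3 PSched;QoS Packet Scheduler;c:\windows\system32\drivers\psched.sys [2008-4-14 69120]",
    "this line is not a service entry",
]

if __name__ == "__main__":
    for e in triage_report(SAMPLE_DDS_LINES):
        print(f"{e.verdict:<10} {e.start} {e.name:<10} {e.image}  flags={e.flags}")
```

A hit here is a reason to pull the file for analysis, not proof of infection; legitimate installers occasionally register a short-lived service from Temp too.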

PhilliePhan 171 Central Scrutinizer Team Colleague

My bad! I completely missed where you said that in the first place (doh!)

It's a shame you can't use a pen drive or something easy :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Rik,

I found this - I imagine if you work in a shop you'd have the needed ingredients:

- So I tried reinstalling with my desktop and it doesn't work. It will load the OS but it won't load into Windows.

- You can reinstall Windows this way: If you have an external hard drive that accepts IDE drives.

What you'll need: External IDE hard drive and Desktop DVD or CD-ROM.

How To:

1. Open up your external hard drive. Make sure it's an IDE connection.
2. Remove the IDE hard drive (power cable and IDE cable).
3. Remove your DVD or CD-ROM from your desktop.
4. Plug the power and IDE cable from your external to your DVD or CD-ROM.
5. Connect it to your tablet and boot from removable drives.


I just recently upgraded my hard drive to a 120GB 5400RPM and reinstalled with XP PRO. Works fine without any issues. I plan on ordering an XP Tablet Edition recovery soon.

Reinstall-Tablet-XP-OS-w-o-external-optical-drive

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Trampaw,

Let's try something a bit easier:

Download the attached Look.zip.
RightClick it and extract Look.bat from the ZIP.

DoubleClick on Look.bat to run it. Let it run - shouldn't take more than a minute.

A text log will pop up - please copy and paste that here for us.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


Yes, Avira is also very good. But in comparison to AVG... it pales a tad.

Don't let Judy hear you say that! :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Were you able to rename mdnsNSP.dll?

Did you try this?

Gizmo Project has created a small tool TurnOffBonjour.exe that turns off and removes Bonjour service. However, it will not remove the Bonjour folder from Program Files. You will still need to manually delete the Bonjour folder after restart. The reason why you’re advised to delete the folder after restart is in case there’s a problem, the Bonjour files are still there for you to restore.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Any other suggestions that might work?

You might also try this tool to ID the program responsible for the problem:

http://windowsxp.mvps.org/temp/GetOpenClipboardWindow.zip

Extract it from the ZIP and run it - let us know the results.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My question is, can anyone recommend a decent FREE antivirus program that will work with Windows 7 64-bit?

Hey Rik,

Did you try Avira? That would be my recommendation.

Comodo is probably good, too, but I know that they've had some problems with their firewall and Windows 7 64-bit. So, I'd avoid that and just try the AV.

Avira had some issues about a year ago - something to do with chkdsk I think, but they have since been addressed. As far as a free solution, that'd be my choice.

I prefer Avira to AVG and Avast! for all OS.....

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Cheers PP, that's a big help. I was having thoughts it might have been a trojan or the like, as I have had recent viral trouble too.
Frimpage.

Great!

Though, if you've had some malware, you might want to run the linky below and post the results:

http://www.daniweb.com/forums/thread134865.html

A lot of the baddies today are well-hidden and "stealthed," so a second opinion might be warranted....

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Nevermind. Everything's good now. Thanks.

Outstanding!
Glad you got it sorted.

Happy Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

While looking through my computer I discovered that Vista has doubled all my photos, and put them in a hidden folder for each picture.
Why is this happening and how do I stop it from happening again?

This is an issue with Vaios.

If your compy is a Vaio, check this out:
http://social.answers.microsoft.com/Forums/en-US/vistamedia/thread/89a50671-eca9-4fd5-9c63-1d68eff17e32

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . Nothing jumps out at me, though the DDS is missing a lot of info.

Let's try the easy way:

Click START > Control Panel > Administrative Tools > Services
Look for the Themes service and make sure the Status is Started and the Startup Type is Automatic.

Then, RightClick the Desktop and select Properties > Themes and make sure it is set to Windows XP.

If it is not there, choose Browse and navigate to C:\Windows\Resources\Themes\Luna.theme and set this as the theme.

Let me know how that shakes out. I'll be back Friday evening EST.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Go through each and every one of those downloads?

The MBAM and DDS steps ought to suffice at the moment - We'll see what they have to show us before going further.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Tried that. Never had anything restored before it happened, because I didn't know much about System Restore.

Try running the scans in the linky I posted and copy&paste the requested scanlogs for us and we'll have a look.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Do I have to go to the computer repair shop to see what's happening?

Probably not.

Try a System Restore back to a point before the problem started.

Even if that restores things to "normal," I'd suggest running MBAM as per the linky below:

http://www.daniweb.com/forums/thread134865.html

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi TRAMPAW,

A few questions:
-- Are you not able to restore changes made by Bit Defender?
-- What is your OS?
-- Do you have a thumb drive?
-- Can you get a command prompt?

Since explorer.exe is protected, replacing it is a rather drawn out process.
In the meantime, you might want to install http://www.litestep.net/ (if you are able - one of the reasons I asked about flash drive) to give you some more functionality until we can figure this out.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

What exactly is the PQServices? I know that it is a protected partition as is most of the Data Partition. Macrium Reflect allowed me to copy them to the external HD. I just don't know if it has to be an image of it or if the actual files will do.

I would try the actual files - The key is being able to get it to work with D2D....

Check this out:

I have a travelmate 8104 which may have a slightly different PQSERVICE partition, but here's what I found...

By default, the BIOS and Acer's MBR code (the software in your master boot record) work together to try to keep your PQSERVICE partition "hidden". Typically, you'll see that the PQSERVICE partition is type 12h - which is marked as a diagnostic partition type.

In actual fact, your partition is probably type 0Bh or type 0Ch (Fat32).

The problem is that if you attempt to change the partition type from 12h to 0Bh, if you boot the HD again, the MBR code will set it back to 12h.

I used a bootable CD-ROM (with a Win98 command prompt and DOS utilities) to change the partition to 0Bh. I used Partition Magic's PTEDIT to change the partition type. Once changed, I rebooted BACK TO THE CD-ROM (you've got to do this before allowing the system to boot the HD). Now, on the CD-ROM boot again, I can see the files on the PQSERVICE partition.

At this point, I …
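The partition-type mechanics the quoted post describes (a type 12h entry that is really FAT32, 0Bh/0Ch, underneath) can be seen directly in the partition table. This is an added example, not code from the thread or from PTEDIT: it parses the four MBR entries of a constructed 512-byte sector, names the type bytes the post mentions, and applies the PTEDIT-style type change to an in-memory copy only; the type-name table and `build_sample_mbr()` values are assumptions of this example.

```python
"""Parse an MBR partition table and show the 'hidden' PQSERVICE type the quoted
post describes. Added example, not from the thread; the sector below is
constructed here, not dumped from an Acer.

MBR layout: 446 bytes of boot code, four 16-byte partition entries at offset
446, then the 0x55AA signature at offset 510. Entry layout (little-endian):
  0      status (0x80 = active/bootable, 0x00 = inactive)
  1-3    CHS start (ignored here)
  4      partition type byte (the value PTEDIT changes)
  5-7    CHS end (ignored here)
  8-11   first sector (LBA), uint32
  12-15  sector count, uint32
"""
import struct
from dataclasses import dataclass
from typing import List

PART_TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"                  # status, chs_start, type, chs_end, lba, count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16
SIGNATURE = b"\x55\xaa"
SECTOR = 512

# Types mentioned in the thread plus a few common neighbours.
TYPE_NAMES = {
    0x00: "empty",
    0x07: "NTFS/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x12: "OEM diagnostic/recovery (hidden)",
    0x1B: "hidden FAT32 (CHS)",
    0x1C: "hidden FAT32 (LBA)",
}


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_code: int
    lba_start: int
    sector_count: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_code, "unknown")

    @property
    def size_mib(self) -> float:
        return self.sector_count * SECTOR / (1024 * 1024)


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Return the four entries; raise if this does not look like an MBR."""
    if len(sector) < SECTOR:
        raise ValueError("need at least 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02x}")
        entries.append(PartitionEntry(i, status, ptype, lba, count))
    return entries


def retype_entry(sector: bytes, index: int, new_type: int) -> bytes:
    """Copy of the sector with one entry's type byte changed (12h -> 0Bh in the
    post). PTEDIT writes this to disk; here it only touches the in-memory copy."""
    buf = bytearray(sector)
    buf[PART_TABLE_OFFSET + index * ENTRY_SIZE + 4] = new_type & 0xFF
    return bytes(buf)


def build_sample_mbr() -> bytes:
    """Constructed sector: hidden 4 GiB recovery partition, then a bootable NTFS one."""
    def entry(status, ptype, lba, count):
        return struct.pack(ENTRY_FMT, status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    table = (entry(0x00, 0x12, 63, 8_388_608)              # PQSERVICE-like, type 12h
             + entry(0x80, 0x07, 8_388_671, 150_000_000)   # Windows system partition
             + entry(0, 0, 0, 0) * 2)
    return b"\x00" * PART_TABLE_OFFSET + table + SIGNATURE


def describe(entries: List[PartitionEntry]) -> List[str]:
    lines = []
    for e in entries:
        if e.type_code == 0 and e.sector_count == 0:
            continue
        flag = "*" if e.bootable else " "
        lines.append(f"{flag} #{e.index} type 0x{e.type_code:02X} {e.type_name:<34} "
                     f"start={e.lba_start} size={e.size_mib:.0f} MiB")
    return lines


if __name__ == "__main__":
    sample = build_sample_mbr()
    print("\n".join(describe(parse_mbr(sample))))
    print("after PTEDIT-style change of entry 0 to 0x0B:")
    print("\n".join(describe(parse_mbr(retype_entry(sample, 0, 0x0B)))))
```

Read against a real disk (with the first 512 bytes of the device as input), the same parser shows whether the OEM MBR code has put the type back to 12h after a reboot, which is the behaviour the post warns about.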

PhilliePhan 171 Central Scrutinizer Team Colleague

Right now the key seems to lay in getting at the original OEM files in the hidden partition. Without those, the new hard drive won't be of much value until I can afford $300 for the retail version of Windows 7.

Yeah - therein lies the difficulty...

You can probably locate and copy them via a Knoppix disk. Heck, Parted Magic is essentially the same thing and should do it.
Thing is, I'm not sure how to make it actually useable....

I did manage to dig up an old link which popped into my brain when I read your thread:
http://laptop-support.org/OS-backup-and-install-review/the-acer-d2d-erecovery-101.html
I'm not so sure about the veracity of the info - see if it makes any sense to you.

Other than that, I would imagine you've tried much of what I could suggest....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

So, is there any way to roll this sucker back and make the stupid CD that I should have made when I bought this thing?? Or, am I truly UP THE CREEK???

You may well be up the creek.....

--- We can try a few things. First, though, it would be best if you "cloned" your HD (make a copy of the old drive onto your new HDD) with a tool such as Acronis True Image Home 2011

I think the free trial ought to allow you to do this. Then, remove the old drive and we'll do all our "work" on the cloned image on your new hard drive. That way, if we mess something up, we still have the original drive to fall back on....

Let me know if you have any trouble - I'll try to check back in a timely manner.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I was just looking for a way to hopefully combine my clones into one and clean out the duplicates etc.. . . . . I am sure you will probably agree that a clean recovery is the best and easiest way to go - it just takes forever to update everything!

Yeah - definitely the easiest and most effective course of action!

And, perhaps most importantly, a clean install won't have you pulling out your hair and threatening your machine at sledgehammerpoint..... Is that a word? Like gunpoint? ;)

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Any other thoughts short of installing Outlook on my old machine and then doing an upgrade, then copying the new Contacts file over to my new machine?

Sorry, I didn't think about two computers. You'd think there'd be an easy way to do this, but it is M$ after all . . .

Perhaps you could use a flash drive or cd to transfer to new compy. Similar to this:
http://www.ehow.com/how_6002724_do-outlook-express-windows-mail_.html

You could probably export to .csv and put that on pen drive and go from there.....


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I just don't see in Outlook's Import tool a place where it asks for a .wab or a .pab file. Am I missing something?

Have you looked at this?

http://support.microsoft.com/kb/286116

How to drag address information to Outlook
It is possible to drag individual or groups of Windows Address Book entries to Outlook. To do this, follow these steps:

1. On the Start menu, point to Find, and then click Files And Folders.
2. In the Open box, type .wab, and then click OK.
3. Double-click the Windows Address Book file from which you want to move addresses.
4. Start Outlook if it is not already running.
5. Resize Outlook so that the Windows Address Book and Outlook are visible next to each other on the screen. Verify that the Outlook Contacts folder is visible in the resized Outlook window.
6. Select an entry from the Windows Address Book. Drag it to the Contacts folder. A new Outlook Contact form is created with the information from the Windows Address Book entry. Click Save and close.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

@nocindy - I split you off into your own thread.

What issues are you having with your compy?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried SeaTools, and the drive failed the short test(self diagnostic).

Sorry to hear that!

I agree with gerbil that the drive cannot be reliable - probably better to recycle.
Especially given the prices for much larger drives are so low these days...

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

In addition to Gerbil's suggestion, you might want to try SeaTools.

Seagate has a good walkthrough:
http://www.seagate.com/staticfiles/support/seatools/user%20guides/SeaTools_for_Windows.EN.pdf


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm trying to help a friend with a problem.. . . .
You may assume that full AV scans have turned up nothing. Thanks.

I haven't used IE in years, so probably can't be much help. Just wanted to pass along a couple helpful links:

http://support.microsoft.com/kb/318378

http://support.microsoft.com/kb/923737 --> This may be best to start with

http://windows.microsoft.com/en-US/windows-vista/Reset-Internet-Explorer-7-settings

See if you are able to reset IE and then see if the issues continue. Bear in mind that the problem may not lie in IE - this ought to help point you in the right direction.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

think there is a registry value making it open on startup and changing the settings again! Can someone give me some suggestions of where to find it? Sorry I'm a bit of a noob with the registry...

I agree with rch1231 - Run MBAM and see what shakes out
-- Also, you really should not be running multiple AV apps. Remove one.

If you want to search the registry for those known file names, try Bill James' or Bobbi Flekman's Registry Search tools:

http://www.billsway.com/vbspage/
http://www.xs4all.nl/~fstaal01/regsearch-us.html

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Same site as mentioned, but my default fundamental settings are Chinese or something; a lot of other basic things are Chinese. I need help changing it. I had a hard time reading the instructions; luckily I read the instructions beforehand on the site carefully like said. LOL

That is bizarre.

Let's first remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK


-- Did you check in Control Panel > Language&Region Options? Maybe you can change it there?

I will be away much of the weekend - will try to check back as time permits. Judy may be around to offer a suggestion or two....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

An HP Pavilion dv9000 laptop running Vista Home Premium is the culprit. It has behaved in a rather eccentric manner almost from day one, though I suspect Vista to be the cause rather than the machine.
I keep tinkering down to an absolute minimum as an ardent believer in the "If it ain't broke..." rule, and also due to a lack of expertise. It actually gave pretty good service right until the warranty ran out, when the optical drive promptly failed. I have no axe to grind with HP, just telling it like it is; I keep all my important stuff on an old Dell running XP as it proved to be more stable.

Still, probably a good idea to invest in a backup hard drive. Perhaps an external drive might fit the bill the best?

I, too, subscribe to the "if it ain't broke" principle . . . . But, it is wise to be prepared for the worst. Especially when you are getting plenty of warning signals of impending doom.....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
00:54:22:625 0784 Results:
00:54:22:625 0784 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:54:22:625 0784 File objects infected / cured / cured on reboot: 1 / 0 / 1

Great - That should have helped.

In this case, I'd like to go with another step as well:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for us.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

i keep finding "(random letters)tssd.exe" in my task manager and i close them. . . . .

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-21 21:36:27
Windows 5.1.2600 Service Pack 2
Running: nxg6jws3.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kflyyfog.sys

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Sorry for the delay and runaround - we have very few regular volunteers these days.

I suggest getting right to business:

Please download TDSSKiller.zip and Extract TDSSKiller.exe from the ZIP to your Desktop.
-- Click START > RUN and type or Copy&Paste the following command into the Run Box and hit ENTER.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\LogIt.txt -v

Let the tool run. If you get a Hidden service detected message, DO NOT take any action. Just press ENTER and allow the tool to continue.

Likewise, TDSSKiller may tell you a Reboot is necessary for the cure to take effect. Press “Y” or Enter when prompted to do so.

Once it finishes, please post the C:\LogIt.txt for us. Let's see if the MSRT missed anything....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Will run through them again. I am using the machine in question now as the fault is intermittent.

Intermittent is not good - could be a sign of a failing hard drive.... Hope you've backed up any and all important data in the event intermittent becomes permanent.

Is this a PC or laptop? If PC, get another Hard Drive - you can get a 1TB drive for under $100. If you buy retail (not OEM), many include software such as Acronis to allow for easy transfer of data / OS / etc....

A laptop would be a bit more involved...

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Are there any recorded instances of the dreaded "operating system not found" screen being caused by malware? I understand the most likely cause to be creep or software related; apologise if this question was already posted.

I do not think a malware cause is outside the realm of possibility. Especially with all the stuff that messes with the MBR these days.
But, I wouldn't put it at the head of the list. I'd look at the hard drive and BIOS first. Maybe use the Recovery Console or a bootable rescue CD to poke around and see if the HD is functioning....

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Can it really be this easy?! Wow, That seems, so far, to have done the trick.....
Thank you, thank you, thank you many times over PhilliePhan!

You're welcome - Happy to help!

These days it seems I only have time for these "quick and easy" threads ;)

Anyhoo, I took a quick glance at your Attach.txt. It's good that you updated Java - you should also take a minute and update your Adobe Reader as well. And, you might want to give Limewire the boot - P2P is increasingly dangerous these days.

Other than those, I really didn't have a chance to pore over the logs. Given the MBAM log and lack of symptoms, though, I'd wager you're good to go.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I am the DIY type and get a lot of satisfaction from fixing things myself, but I have gotten so frustrated and have now reached the end of my rope. I hate to admit defeat, but I would appreciate any suggestions.

Hi Rich,

Sorry for the delay - we just don't have many volunteers these days.

Combofix would probably be a good next step. However, given that your logs are for the most part clean, let's try a more direct approach and see what shakes out:

Please download TDSSKiller.zip and Extract TDSSKiller.exe from the ZIP to your Desktop.
-- Click START > RUN and type or Copy&Paste the following command into the Run Box and hit ENTER.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\LogIt.txt -v

Let the tool run. If you get a Hidden service detected message, DO NOT take any action. Just press ENTER and allow the tool to continue.

Once it finishes, please post the C:\LogIt.txt for me. Just copy & paste it into your reply.

Let me know if there are any problems along the way. I'll check back as time permits.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Installed Comodo Internet Security, which I think is the best option for this person, since it's an all in one. I use Comodo Firewall, so I'm familiar with the interface, etc. Did a full system scan with Comodo, it found 5 infected files. Out of the 5, 3 were not actual viruses (Vonage related). 2 were trojan Java exploits, can't remember the file path offhand, but they were in a temp folder. I had Comodo disinfect them and hope all is ok I guess. I can go back if there are some files I need to delete manually. But I just hate to leave it "unfinished". That's just not me. Thanks again for all the help and I'll wait to either hear from someone further, or post that all is actually well for this pc.

Sorry for the wait - we have very few volunteers and it's a busy time of the year for most away from the compy.

Anyhoo, Comodo is solid. No worries there.

-- Make sure all older versions of Java have been uninstalled via Add / Remove Programs.
If you are not at Version 6 Update 20, then you'll need to update.
Also, run ATF-Cleaner after updating. This will flush the Java cache, among other things.

-- The logs look OK. If you are not having any more issues, you're probably good to go. You can "fix" these entries with HJT, just to tidy things up a bit:

R0 - …
PhilliePhan 171 Central Scrutinizer Team Colleague

Hi,

I want to learn about MD5. Please tell me how I can calculate the MD5 of a file.
Waiting for your kind answer.

Thanks

There are a number of tools available to do this. I have used these, among others:
md5sum.exe
md5deep.exe
md5summer.exe

Cheers :)
PP
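For the question above, here is what those tools do under the hood. This is an added example, not one of the tools PP lists: it streams a file through MD5 and verifies an md5sum-style checksum list, with the sample files and the `run_demo()` helper constructed here. Note that MD5 is fine for spotting a corrupted download but collisions are practical, so it does not prove who produced a file.

```python
"""Compute and verify MD5 checksums of files the way md5sum / md5deep do.
Added example for the question above; hashlib is Python's standard library.
Files are read in chunks so a large download is never loaded whole.
"""
import hashlib
import os
import tempfile
from typing import Dict, Optional, Tuple

CHUNK_SIZE = 64 * 1024
HEX = set("0123456789abcdefABCDEF")


def md5_of_file(path: str) -> str:
    """Hex MD5 digest of a file, computed in CHUNK_SIZE pieces."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sum_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse '<32 hex>  <name>' or '<32 hex> *<name>' (binary-mode marker).
    Returns None for blank/comment lines, raises on malformed ones."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.startswith("#"):
        return None
    digest, _, name = line.partition(" ")
    if len(digest) != 32 or not set(digest) <= HEX:
        raise ValueError(f"malformed checksum line: {line!r}")
    name = name.lstrip(" ")
    if name.startswith("*"):
        name = name[1:]
    return digest.lower(), name


def verify_checksum_file(text: str, base_dir: str) -> Dict[str, str]:
    """md5sum -c style result per file: OK, FAILED, or MISSING."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        parsed = parse_md5sum_line(line)
        if parsed is None:
            continue
        expected, name = parsed
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if md5_of_file(path) == expected else "FAILED"
    return results


def run_demo() -> Dict[str, str]:
    """Constructed sample: three good files, one tampered entry, one missing file."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "abc.txt": b"abc",
            "fox.txt": b"The quick brown fox jumps over the lazy dog",
            "empty.bin": b"",
            "tampered.txt": b"abc",   # listed below with the wrong digest
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        checksums = "\n".join([
            "# constructed md5sum-style list",
            "900150983cd24fb0d6963f7d28e17f72  abc.txt",
            "9e107d9d372bb6826bd81d3542a419d6 *fox.txt",
            "d41d8cd98f00b204e9800998ecf8427e  empty.bin",
            "d41d8cd98f00b204e9800998ecf8427e  tampered.txt",
            "900150983cd24fb0d6963f7d28e17f72  missing.txt",
        ])
        return verify_checksum_file(checksums, d)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```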

PhilliePhan 171 Central Scrutinizer Team Colleague

Infected copy of c:\windows\system32\drivers\intelide.sys was found and disinfected
Restored copy from - Kitty had a snack :p

S3 IRLSSZY;IRLSSZY;c:\docume~1\HP_Owner\LOCALS~1\Temp\IRLSSZY.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\IRLSSZY.exe [?]

S3 YPARRTSJMFN;YPARRTSJMFN;c:\docume~1\HP_Owner\LOCALS~1\Temp\YPARRTSJMFN.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\YPARRTSJMFN.exe [?]

Looks like something is reinfecting intelide.sys.

Also, did you check those iffy files YPARRTSJMFN.exe & IRLSSZY.exe? They might be baddies - certainly look the part, but who knows these days...

Wish I had more time to help you guys out, but it's back to the salt mines for a bit.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Well, I am stumped and I hate saying it :(. I will see if I can get some help here.

Hey guys,

Looks to me like a persistent re-infection of the MBR. This might be a newer version of this popular affliction.
Lots of logs and little time, so I may have missed something, but I'd focus on the MBR.

-- A reinstall might be faster and certainly most effective, as our scanners just may not see this yet....

You could try this:
Please download mbr.exe and place it in your C:\ Drive
-- Click START > RUN > type cmd ENTER
At the prompt, type or Copy and Paste: mbr -t > C:\Logit.txt
Let it run and please post the Logit.txt for us.


-- Also, go ahead and delete your current combofix and then DL a fresh copy and run another scan as you did before. Let's see if it replaces another infected .sys file.....


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague


GMER Two:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-23 23:04:36
Windows 5.1.2600 Service Pack 2
Running: 7qxco86v.exe; Driver: C:\DOCUME~1\Shelly\LOCALS~1\Temp\uxroypod.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

Hey Judy - I'd suggest skipping ahead to a run of Combofix and making sure it addresses the infected atapi.sys.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Judy,

Thanks for jumping in :) - I've been a bit preoccupied with work lately.

-- I did not see any evidence of the MBR infection in previous scanlogs. Did not want to get in the way of the Stop Sign people ( and vice versa ).

If Janet is still having trouble with this baddie, there are a couple relatively painless avenues we can follow to try to remove it once and for all.

I, too, would like to see the latest logs.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

ShellExView was the tool! Found and disabled the Adobe Drive item. Couldn't remove it, but my Windows Explorer works just fine now. Thanks Cap'n!

Glad to hear you got this mess sorted out!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm in queue with Adobe tech support, they promise to get back to me within 3 days. . . .

Good - hope they can offer a viable solution.

If not, happyrock's post re: ShellExView would be a good next step before hacking the registry.

Keep us in the loop :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't use CS4, just tried a trial of Dreamweaver and then uninstalled it through remove programs, which called up the Adobe removal tool. Not only doesn't VersionCue.dll exist, nothing exists below the \common files\Adobe level!

Given the state of this problem, and Apple and Microsoft's recent critique of Adobe, maybe this should be moved into the malware category?

Perhaps malware is a bit harsh, but it is certainly a pain in the ass . . . .

The fact that it can bork a machine is distressing.

Worst case scenario, I suppose we could hack the registry. That is if a complete uninstall / reinstall fails.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I have tried this fix from the Adobe forums, but the result was only a different fatal error message. (Not certain of the wording, but nothing worked any better.) The primary difference may be that all of the posters at the adobe forum were installing CS4. I got rid of it. . . . .

I am sorry to have troubled you all.

No trouble at all :)

The thing is, when we move away from malware and into proprietary software such as Adobe, you'd probably have better luck with their tech support - Speaking only for myself, I don't know much about it other than a few select recurring issues....

CS4 shows as being installed in your logs, hence my point in that direction.
If a complete uninstall and then reinstall and/or update of Adobe doesn't clear up the problem, I really wouldn't know how to advise you further.
I am not sure how important VersionCue.dll is. If you are not using CS4, I don't know why that is being called.

Does C:\Program Files\common files\Adobe\Adobe Version Cue CS4\client 4.0.0\VersionCue.dll exist? Maybe there is an updated version?

I don't know - Though, I'm fairly certain your problem lies wholly with Adobe and not malware.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Appreciate your help, but how about giving someone else a shot?

Hi Brian,

I think happyrock is approaching this issue in much the same way I or the other regulars here would do so - these are kind of hard to ferret out.

I do believe this is a known issue with Adobe and that bloody VersionCue.dll.
Have a look here and see if replacing the .dll helps ---> http://forums.adobe.com/thread/419427

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I sent the following web address to StopSign because it explained my problem much better than I can:
http://social.answers.microsoft.com/Forums/en-US/xpsecurity/thread/41c1d91e-a661-4209-9641-7e352822fecb

Right - this is a well known issue. That link illuminates it well.

On May 1, StopSign contacted me again and requested that I do another ComboFix which I did and now I am waiting to hear back from StopSign. I am attaching the May 1 ComboFix log.txt to this post also in case it found part or most of the problem.

A few things ( and please bear in mind that this is solely my opinion ):
I am not particularly enamored with StopSign. You can do a lot better. Especially if you are going to spend money on protection (though there are free options that perform better than StopSign...).

Since you are dealing with them, it would be counterproductive for me to jump into the middle of the mess - too confusing.

-- It looks as though combofix has addressed the MBR issue. Likewise, the GMER scans are clean - I don't see anything there.
We'll see what the fresh run of combofix does (BTW - combofix should be run from Desktop), but I'd like to hold off while StopSign is advising you.

-- You have a number of security risks showing. Risky programs and legit items that need updating (Adobe Reader / Java / etc...).
Again, I'll wait until StopSign has spoken before jumping in.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Any ideas? Thanks.

Please follow the steps in the linky below and post the requested scanlogs.
We'll have a look and go from there.

http://www.daniweb.com/forums/thread134865.html

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Many thanks for sticking with me on this...I sure didn't want to have to reload this guy. I suppose I should consider a mirror backup or something, any suggestions?

You're welcome :)

-- I don't actually use any imaging software. I just have a number of hard drives that I use to back up stuff I can't afford to lose.
I know Acronis is a popular option. You may want to have a look at these options and see if anything appeals to you.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's a fresh run of combofix...

That looks good - apparently iaStor.sys was still the culprit but combofix was able to replace it.

I wonder if it got re-infected after you replaced it the first time or if there was a problem with the replacement...?

Anyhoo, how are things looking now?

PP:)