Old 07-03-2009, 08:42 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


ie google search redirect, firefox vimax ads (these were stopped with adblock)

Hi,

I was at a site at approx 9:30 last night that asked me to download the newest version of flashplayer (v10).

I still have the culprit file in the trash (can send if you wish), I'm now running in safe mode. When I installed the program, windows defender and avg immediately said I had a virus and moved to quarantine. Everything froze, had to restart.

Spybot doesn't open. Avg and windows system scans see nothing. I see a strange process in task manager: 190589026.tmp.

First I can't download HijackThis / Malwarebytes' Anti-Malware / SuperAntiSpyware (web page is blocked). Then when I get around that by going to a cached webpage I can download the programs, but the install doesn't work. When I installed HJT, I crashed.

Thanks in advance, any add'l info needed I can provide ASAP.

DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by B at 0:31:07.30 on Fri 07/03/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.545 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SpywareBot *disabled* (Updated) {3914BDEB-9CF2-421A-9495-FE4C87AEFBD1}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\B\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = https://websec.it.siu.edu/util/googl...ltmplcache%3D2
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.11,85.255.112.139
TCP: {888F2070-E6FE-4DF8-A2B8-CCF106CAE472} = 85.255.112.11,85.255.112.139
TCP: {D4764EF1-211E-4342-B966-6C114DD89F47} = 85.255.112.11,85.255.112.139
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\b\appdata\roaming\mozilla\firefox\profiles\qtybuz5s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://caloriecount.about.com/cc/account/index.php
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\users\b\appdata\roaming\mozilla\firefox\profiles\qtybuz5s.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-25 108552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-25 327688]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-25 298776]

=============== Created Last 30 ================

2009-07-03 00:24 <DIR> --d----- c:\program files\Trend Micro
2009-07-02 22:57 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 22:57 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-02 22:57 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-02 22:57 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-02 22:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 20:46 <DIR> --d----- c:\program files\PlayMe
2009-06-30 23:50 <DIR> --d----- c:\program files\Amazon
2009-06-19 18:02 11,264 a------- c:\windows\system32\PSS70687.DLL
2009-06-19 18:01 32,592 a------- c:\windows\system32\msonpmon.dll
2009-06-19 17:50 <DIR> --d----- c:\users\b\appdata\roaming\GetRightToGo
2009-06-19 15:01 <DIR> --d----- c:\programdata\Yahoo!
2009-06-13 17:03 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-13 17:02 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-13 17:02 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 17:02 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 17:02 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-12 08:50 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-11 14:55 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-06-11 12:25 <DIR> --d----- c:\program files\iPod
2009-06-11 12:25 <DIR> --d----- c:\program files\iTunes

==================== Find3M ====================

2009-07-02 09:33 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 09:33 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-17 21:13 51,200 a------- c:\windows\inf\infpub.dat
2009-06-11 12:17 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-11 12:17 86,016 a------- c:\windows\inf\infstor.dat
2009-05-28 09:08 116,842 a------- c:\windows\hpqins00.dat
2009-05-08 11:37 300,688 a------- c:\windows\jgzr.dat
2009-04-24 11:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 11:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 08:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 07:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 07:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-16 03:08 11,264 a------- c:\windows\system32\PSS289F7.DLL
2008-09-21 01:47 174 a--sh--- c:\program files\desktop.ini
2008-09-21 01:27 665,600 a------- c:\windows\inf\drvindex.dat
2007-11-15 07:14 40 a------- c:\users\b\appdata\roaming\wklnhst.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2001-11-08 19:52 278,528 a------- c:\program files\cac106.exe
2008-09-17 08:47 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-17 08:47 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-17 08:47 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-12 20:47 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 0:33:23.37 ===============
Attached Files
File Type: zip Attach.zip.zip (3.3 KB, 3 views)
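A defender-side triage of the DDS "Pseudo HJT Report" above, as an added example that is not part of the original post or of the DDS tool: it flags global and per-interface NameServer entries that differ from the resolvers the machine is expected to use (altered resolvers would account for the search redirects described in the first post), BHO entries with no backing file, empty Run values, and driver file names of the random MSIVX… form that ComboFix reports later in the thread. The sample lines, the EXPECTED_DNS set (assumed to be the home router on 192.168.1.1) and the helper names are constructed for this example.

```python
"""Triage a DDS 'Pseudo HJT Report' for the indicators seen in this thread.

Added example (not from the original post or the DDS tool). The sample log
lines, EXPECTED_DNS and the helper names are constructed for the example.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the line format DDS prints, modelled on the log above.
# The MSIVX driver name is the one ComboFix reported later in the thread.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
mRun: [<NO NAME>]
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
TCP: NameServer = 85.255.112.11,85.255.112.139
TCP: {888F2070-E6FE-4DF8-A2B8-CCF106CAE472} = 85.255.112.11,85.255.112.139
TCP: {D4764EF1-211E-4342-B966-6C114DD89F47} = 192.168.1.1
AppInit_DLLs: avgrsstx.dll
2009-07-02 22:57 38,160 a------- c:\windows\system32\drivers\MSIVXiqpyddinbehckvbpdiwolodvyqcfopcr.sys
""".strip()

# Resolvers this machine is expected to use (assumption: the home router on
# 192.168.1.1). Any other address configured globally or per interface is flagged.
EXPECTED_DNS = [ip_network("192.168.1.1/32")]

# "TCP: NameServer = ..." is the global setting; "TCP: {GUID} = ..." is per interface.
NAMESERVER_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<ips>.+)$")
BHO_NOFILE_RE = re.compile(r"^BHO: .* - No File$")
EMPTY_RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[<NO NAME>\]\s*$")
# Random-looking driver names of the form MSIVX<letters>.sys, as in the thread.
RANDOM_DRIVER_RE = re.compile(r"MSIVX[a-z]{20,}\.sys", re.IGNORECASE)


def unexpected_resolvers(line):
    """Return the resolver addresses on a TCP: line that are not in EXPECTED_DNS."""
    m = NAMESERVER_RE.match(line)
    if not m:
        return []
    bad = []
    for token in m.group("ips").split(","):
        token = token.strip()
        try:
            ip = ip_address(token)
        except ValueError:
            continue  # DDS can print hostnames here; only addresses are checked
        if not any(ip in net for net in EXPECTED_DNS):
            bad.append(str(ip))
    return bad


def triage(log_text):
    """Scan a DDS log and return (line_no, kind, detail) findings in file order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.rstrip()
        bad = unexpected_resolvers(line)
        if bad:
            findings.append((n, "dns", ", ".join(bad)))
        elif BHO_NOFILE_RE.match(line):
            findings.append((n, "bho_nofile", line))
        elif EMPTY_RUN_RE.match(line):
            findings.append((n, "empty_run", line))
        else:
            m = RANDOM_DRIVER_RE.search(line)
            if m:
                findings.append((n, "random_driver", m.group(0)))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in triage(SAMPLE_LOG):
        print(f"line {line_no:3d}  {kind:14s} {detail}")
```

Entries flagged as "dns" are the ones worth comparing against the router and ISP settings first, since a resolver the user never configured is the simplest explanation for redirected searches.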
Old 07-03-2009, 09:34 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Welcome to TSF once again.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------------------------------------------
Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

-----------------------------------------------------------------------
I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

----------------------------------------------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


* You must rename it before saving it. Rename it from Combofix.exe to Combo-fix.exe . Save it to your desktop.


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

Please include the C:\ComboFix.txt in your next reply for further review


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 07-03-2009, 10:14 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


C:\ComboFix.txt

Downloaded combo-fix, didn't install. I'm in safe mode, so AVG doesn't show up in the tray, I assume it's disabled?
Old 07-03-2009, 11:27 AM   #4 (permalink)
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

When you double-click ComboFix, did it get an error? What else happened? Could you be more descriptive? Can you try it again?


Yup. AVG is disabled.

Mark
Old 07-03-2009, 11:30 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

(all done in safe mode)
OK, ran ComboFix, used the link in the notification to download and install another version just to be safe, then ran again. Got the following message at command prompt:

"cannot access the specified device/path/file, may not have the appropriate permission"

(and I haven't been able to sign on as administrator).

But kept going w/ combofix, saw the display that "backs up Windows Registry." After that I got a notification:

detected rootkit: must reboot. You may need to record this for later use:

C:\Windows\System32\drivers\MSIVXiqdpyddinbehckvbpdiwolovyqcfopur.sys.

Then it reboots, to regular mode (not safe) but nothing happens (nothing has changed).

Think I'm doing something (many things) wrong; sorry.
Should I not be in safe mode?
Old 07-03-2009, 11:36 AM   #6 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

Quote:
(all done in safe mode)
Correction:

C:\Windows\System32\drivers\MSIVXiqpyddinbehckvbpdiwolodvyqcfopcr.sys.
Old 07-03-2009, 11:48 AM   #7 (permalink)
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Quote:
C:\Windows\System32\drivers\MSIVXiqpyddinbehckvbpdiwolodvyqcfopcr.sys.
Only one?



Copy the content of C:\ComboFix.txt and post it here.

Mark
Old 07-03-2009, 11:50 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


C:\ComboFix.txt

Yes, that was all I had, it didn't get very far I guess.
Old 07-03-2009, 12:09 PM   #9 (permalink)
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Please re-run Combofix in normal mode.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark
Old 07-03-2009, 01:17 PM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


C:\ComboFix.txt (not quite)

sorry for the slow reply, had a phone call, I'm checking this post immediately now. When I restart in normal mode, any ComboFix materials are invisible!
Old 07-03-2009, 01:22 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

Also, the Combo-Fix install is visible on the desktop, but upon clicking to install, got the message:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
Old 07-03-2009, 01:44 PM   #12 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

Also (sorry to keep posting, just giving more details): computer has crashed twice, just sitting here in normal mode running firefox.
Old 07-03-2009, 08:15 PM   #13 (permalink)
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Quote:
sorry for the slow reply, had a phone call, I'm checking this post immediately now.
No problem.

Quote:
Also (sorry to keep posting, just giving more details): computer has crashed twice, just sitting here in normal mode running fi
I think we still have main infection onboard.

We will try this one again.
---------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
--------------------------------------------------------------------------
  1. Restart your computer in Safe mode.
  2. In Safe mode, Re-run Combofix.
  3. If ComboFix needs to reboot the machine, reboot it back into safe mode to complete the job.
  4. Then after ComboFix finishes in safe mode, reboot in normal mode and post the logs.

Hope it will work this time.

Mark
Old 07-03-2009, 09:29 PM   #14 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


C:\ComboFix.txt - I must be screwing something up

tried again,

- Did combofix in safe mode, got several messages in command prompt ("Access Denied. Admin permissions are needed to use the selected options, use an admin command prompt to complete these tasks"), then program scanned for infected files.
Then I got same message (and same .sys to remember) as last time (C:\Windows\System32\drivers\MSIVXiqpyddinbehckvbpdiwolodvyqcfopcr.sys). Then it restarted and I pressed F8 to get into safe mode. Desktop popped up, nothing happened. Ran combofix again and same as before with same .sys file listed (repeat of last 2 times).

- the only sign of combofix I can find when I restart in safe mode is the desktop icon (can't see anything when I restart in normal mode), so hopefully the logs are automatically created or I will be prompted to create them? Otherwise I fear I downloaded combofix incorrectly?
Old 07-03-2009, 10:21 PM   #15 (permalink)
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Let's check what is left of the infection.

Double-click GMER.exe you downloaded before.

When the program opens and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop.
Attach that ARK.txt in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Mark
Old 07-03-2009, 11:28 PM   #16 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

Here goes:
Attached Files
File Type: txt ark.txt (11.1 KB, 3 views)
Old 07-04-2009, 12:43 AM   #17 (permalink)
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

The rootkit installed is quite persistent. Please bear with me as we clean it.

IMPORTANT
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
----------------------------------------------------------------------

In safe mode with networking
  1. Delete any copy of Combofix.exe.
  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

  3. You must rename it before saving it. Rename it from Combofix.exe to binsill.exe . Save it to your desktop.

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.


      WINDOWS DEFENDER
      • Click Start > Programs > Windows Defender or launch from the system tray icon.
      • Click on Tools & Settings > Options.
      • Under Real-time protection options, uncheck the "Real-time protection" check box.
      • Click Save.
      • Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Windows Defender page uncheck under Administrator Options "use Windows Defender" and then Save.
      • (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)

  4. Double click on ComboFix.exe & follow the prompts.
  5. Click on Yes, to continue scanning for malware.

    * If you see the access-denied message like before, just ignore it. ComboFix will continue anyway. If that "access denied" message stays for more than 10 mins, close it by hitting the X at the top right of the form.

  6. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hope it will work this time around.

Mark
Old 07-04-2009, 12:44 AM   #18 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

off for the evening. I'll be back around 9-10 am. Anything I can do to help get this done ASAP, just say the word.

thanks for the help so far!
Old 07-04-2009, 08:32 AM   #19 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 20
OS: vista 32 bit build 6001: service pack 1


Confused ComboFix (binsill.exe) probs

followed the instructions to the letter. Basically, same procedure (and problem) happened as before.

downloaded using binsill and installed from the link in safe mode, then started ComboFix. After same admin request and 2 loud beeps, it did the registry backup.

last popup: "combofix detected presence of rootkit activity & needs reboot, note name of each file." The old .sys is posted as before. I click 'ok.'

Then reboots, I hit F8 for safe mode, and get desktop again like nothing happened, no .txt file.

I have no spyware/ etc. icons in my tray. I have safely remove hardware, internet connection, and sound icons only. I even turned off firewall in windows defender to be sure.

Does it matter that even in safe mode, I can't access Spybot? Or AVG (except for the command line scan)? Just like Malwarebytes or SuperAntiSpyware, clicking on the icon under these programs gives me nothing.


Old 07-04-2009, 11:08 AM   #20 (permalink)
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: ie google search redirect, firefox vimax ads (these were stopped with adblock)

hi.

Quote:
followed the instructions to the letter. Basically, same procedure (and problem) happened as before.
I know it's frustrating, but we are dealing with a nasty infection. Not an easy task to do.

I'm afraid we have to do it again. Follow the instructions for disabling Windows Defender thoroughly. We need to disable that. This is very important.

Quote:
Then reboots, I hit F8 for safe mode, and get desktop again like nothing happened, no .txt file.
When it reboots, choose normal mode.

Quote:
Does it matter that even in safe mode, I can't access spybot? Or AVG (except for the command line scan)? Just like Malwarebytes or suparantispyware, clicking on the icon under these programs gives me nothing.
They are blocked by the infection.


IMPORTANT
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
----------------------------------------------------------------------
  1. Log in Safemode
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.


      WINDOWS DEFENDER
      • Click Start > Programs > Windows Defender or launch from the system tray icon.
      • Click on Tools & Settings > Options.
      • Under Real-time protection options, uncheck the "Real-time protection" check box.
      • Click Save.
      • Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Windows Defender page uncheck under Administrator Options "use Windows Defender" and then Save.
      • (When we are done, you can re-enable Defender using the same steps but this time place a check next to "Turn on real-time protection" check box.)

  2. Double click on ComboFix.exe & follow the prompts.
  3. Click on Yes, to continue scanning for malware.

    * If you see the access-denied message like before, just ignore it. ComboFix will continue anyway. If that "access denied" message stays for more than 10 mins, close it by hitting the X at the top right of the form.
  4. When it reboots, choose Normal mode.
  5. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark