# I have a Killer Virus!!!



## gaz_dodd (Aug 17, 2011)

I've had a virus for about a week now and it's slowly killing my laptop. I'm hoping someone on here can give me a few ideas.

I bought an external hard drive off ebay, plugged it in and had a bit of a look before formatting it, BIG MISTAKE. It put a virus on my laptop. 

I'll start with my specs: I have a Fujitsu Siemens Amilo Pro V3515, 60GB HD, 2GB RAM, XP Home SP3 with MSE antivirus.


Here are the symptoms:-

- Freezing
- Blue screen of death
- Crashing (when the laptop is moved, even in safe mode)
- An attempt to download a file
- Disabling of antivirus
- Deleting of antivirus database
- Messing with network adapter drivers (can't load them, so no internet)
- Laptop struggles to start (have to keep turning it on and off until it will start)


I've already tried a few things. Here's what I've done:-

- Scan with MSE (10 adware + Trojan: Vundo)
- Scan with Super anti-virus (14 adware)
- Scan with Malwarebytes (Trojan: Agent)
- Scan with ClamWin (Trojan: Agent)
- Created new user account and deleted mine
- Reinstalled all damaged drivers

None of my antivirus programs are picking up anything anymore, but the laptop is still cutting out, my network drivers still won't work properly, and very occasionally I will get a blue screen of death but no cause will be stated; it just says a problem occurred and it had to shut down to protect the hard drive.

The laptop's performance is as good as always.

I hope someone can help me, and thanks in advance to anyone who does.

EDIT: I should mention, my operating system disk is damaged so reformatting has to be a last option because I'm cheap and don't want to buy a new one.


----------



## johnb35 (Aug 17, 2011)

Please post the latest malwarebytes log along with a hijack this log.  Follow the instructions in the sticky called "please read before posting" at the top of the security forum.  I would give you links but I'm on my phone at the moment.


----------



## gaz_dodd (Aug 17, 2011)

Thanks for the reply

I have already done a Malwarebytes scan but I can't get online with the infected laptop anymore to upload it or to download HijackThis. I've downloaded the setup to a clean laptop and I'll burn it to a CD tomorrow so I can install it on the infected laptop.

The latest Malwarebytes scans are coming up clean, though.


----------



## johnb35 (Aug 17, 2011)

You will need to download the following file to a flash drive and transfer it to the infected computer.  

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

*Combofix*


When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
Save the file to your windows desktop.  The combofix icon will look like this when it has downloaded to your desktop.





We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:


1. Close all open windows, including this one.
2. Close or disable all running antivirus, antispyware, and firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found *here*.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Please click on I agree on the disclaimer window.
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.





ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.





Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:





At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.

Please click on yes in the next window to continue scanning for malware.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.





When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.  

Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy.  Then come to the forum in your reply and right click on your mouse and click on paste.  



In your next reply please post:

- The ComboFix log
- A fresh HijackThis log
- An update on how your computer is running


----------



## gaz_dodd (Aug 17, 2011)

I can't get onto the internet to download the Microsoft Recovery Console, so I went ahead and did the scan anyway.

Here are the combofix results:-

ComboFix 11-08-16.05 - Gareth 2 17/08/2011  12:02:32.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1982.1590 [GMT 1:00]
Running from: E:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((   Files Created from 2011-07-17 to 2011-08-17  )))))))))))))))))))))))))))))))
.
.
2051-08-02 00:10 . 2051-08-02 00:10	--------	d-----w-	c:\program files\Microsoft Reader
2051-08-02 00:08 . 2051-08-02 00:08	--------	d-----w-	c:\program files\Common Files\OverDrive Shared
2051-08-02 00:07 . 2051-08-02 00:07	--------	d-----w-	c:\documents and settings\All Users\Application Data\iMesh
2051-08-02 00:06 . 2051-08-02 00:06	--------	d--h--w-	c:\documents and settings\All Users\Application Data\{DE0AF019-D61B-423F-9C3B-D49ECD51D8A1}
2051-08-02 00:02 . 2051-08-02 00:02	--------	d-----w-	c:\program files\MySQL
2051-08-02 00:02 . 2051-08-02 00:02	--------	d-----w-	c:\program files\Microsoft ActiveSync
2051-08-02 00:00 . 2051-08-02 00:02	--------	d-----w-	c:\program files\Microsoft SQL Server
2051-08-02 00:00 . 2051-08-02 00:00	--------	d-----w-	c:\program files\Microsoft CAPICOM 2.1.0.2
2011-08-17 10:49 . 2011-08-17 10:50	--------	d-----w-	c:\documents and settings\Administrator
2011-08-17 09:29 . 2011-08-17 09:29	--------	d-----w-	c:\program files\Trend Micro
2011-08-16 17:13 . 2011-08-16 17:13	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl25c11be3.sys
2011-08-13 17:47 . 2011-08-13 17:47	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl0c9959cb.sys
2011-08-13 17:45 . 2011-08-13 17:45	--------	d-----w-	C:\found.000
2011-08-13 17:34 . 2011-08-13 17:34	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKslce4a1626.sys
2011-08-13 17:32 . 2011-08-13 17:32	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl8ed0158a.sys
2011-08-13 16:46 . 2011-07-13 03:39	6881616	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\mpengine.dll
2011-08-09 09:36 . 2011-08-16 20:53	--------	d-----w-	c:\documents and settings\Gareth 2
2011-08-09 09:19 . 2011-08-09 09:19	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-08-05 13:33 . 2011-08-05 13:33	--------	d-----w-	c:\documents and settings\All Users\Application Data\!SASCORE
2011-08-05 13:33 . 2011-08-09 09:21	--------	d-----w-	c:\program files\SUPERAntiSpyware
2011-08-05 13:33 . 2011-08-05 13:33	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-27 20:11 . 2051-08-02 00:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\SecTaskMan
2011-07-27 20:11 . 2051-08-02 00:00	--------	d-----w-	c:\program files\Security Task Manager
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 12:17 . 2009-06-14 14:05	90112	----a-w-	c:\windows\DUMP4584.tmp
2011-07-13 03:39 . 2011-05-14 22:29	6881616	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-06-18 19:25 . 2011-06-07 12:02	2026304	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-06-17 18:53 . 2011-06-16 02:24	586176	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-06-16 07:28 . 2011-06-07 12:02	18368	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-06-02 14:02 . 2005-10-06 00:06	1858944	----a-w-	c:\windows\system32\win32k(2).sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59	937920	----a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02	37296	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-04-16 16:08	172032	-c--a-w-	c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12	110592	----a-w-	c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12	15360	----a-w-	c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4800 Series]
2005-02-02 04:00	98304	----a-w-	c:\windows\system32\spool\drivers\w32x86\3\E_FATIADE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Epson Stylus Office BX320FW(Network)]
2009-09-14 07:00	200704	----a-w-	c:\windows\system32\spool\drivers\w32x86\3\E_FATIGIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FuncKey]
2006-07-27 14:06	122880	-c--a-w-	c:\program files\Hotkey 1.0.4\FuncKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2010-11-30 12:20	997408	----a-w-	c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	------w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50	155648	----a-w-	c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
2006-07-11 01:33	176128	----a-w-	c:\windows\system32\S3Trayp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 12:12	253672	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-05-09 12:33	39408	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-05-10 20:52	399736	----a-w-	c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2006-08-03 13:53	53248	----a-w-	c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"xmlprov"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Netlogon"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"BthServ"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
.
S1 MpKsl0c9959cb;MpKsl0c9959cb;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl0c9959cb.sys [13/08/2011 18:47 28752]
S1 MpKsl1b7e8dd0;MpKsl1b7e8dd0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl1b7e8dd0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl1b7e8dd0.sys [?]
S1 MpKsl28969d54;MpKsl28969d54;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsl28969d54.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsl28969d54.sys [?]
S1 MpKsl2bea2fc8;MpKsl2bea2fc8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A4E1387-8055-4D23-B661-7264E855A9C0}\MpKsl2bea2fc8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A4E1387-8055-4D23-B661-7264E855A9C0}\MpKsl2bea2fc8.sys [?]
S1 MpKsl3170ad88;MpKsl3170ad88;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKsl3170ad88.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKsl3170ad88.sys [?]
S1 MpKsl42ac3af1;MpKsl42ac3af1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl42ac3af1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl42ac3af1.sys [?]
S1 MpKsl49099c9f;MpKsl49099c9f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsl49099c9f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsl49099c9f.sys [?]
S1 MpKsl88d9f859;MpKsl88d9f859;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl88d9f859.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl88d9f859.sys [?]
S1 MpKsl8e6d9c34;MpKsl8e6d9c34;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl8e6d9c34.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl8e6d9c34.sys [?]
S1 MpKsl8ed0158a;MpKsl8ed0158a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKsl8ed0158a.sys [13/08/2011 18:32 28752]
S1 MpKsl922c3c74;MpKsl922c3c74;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl922c3c74.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl922c3c74.sys [?]
S1 MpKsl98941da7;MpKsl98941da7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl98941da7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0294B480-F853-473E-B04A-1A23E6F87A87}\MpKsl98941da7.sys [?]
S1 MpKsl9c7df659;MpKsl9c7df659;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKsl9c7df659.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKsl9c7df659.sys [?]
S1 MpKsla14d02ba;MpKsla14d02ba;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsla14d02ba.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsla14d02ba.sys [?]
S1 MpKslc8bb23b1;MpKslc8bb23b1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKslc8bb23b1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F31A240E-FBA8-4DEB-8AB3-7AA35F38C0C7}\MpKslc8bb23b1.sys [?]
S1 MpKslce4a1626;MpKslce4a1626;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5B6AC72F-371F-4675-8EBC-B393DC152E50}\MpKslce4a1626.sys [13/08/2011 18:34 28752]
S1 MpKsle4860c9d;MpKsle4860c9d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsle4860c9d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70E41E0A-F5BE-44BE-8833-C532417CB736}\MpKsle4860c9d.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [09/05/2011 13:32 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [09/05/2011 13:32 136176]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30/03/2009 03:09 239336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-19 12:33]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-09 12:32]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-09 12:32]
.
2011-08-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 11:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-17 12:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-17  12:09:03
ComboFix-quarantined-files.txt  2011-08-17 11:09
ComboFix2.txt  2011-08-17 09:50
.
Pre-Run: 31,665,119,232 bytes free
Post-Run: 31,652,577,280 bytes free
.
- - End Of File - - 2F85649248CD648A311608681C586329
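The log above is long, but two of its sections can be triaged mechanically. The following Python is an added example, not part of this thread and not ComboFix's own code: it assumes only the text layout visible in the post (file rows of `created . modified<TAB>size<TAB>attributes<TAB>path`, a REGEDIT4-style registry section, and a `Completion time:` line), embeds a handful of constructed sample rows copied from that layout, and reports file entries dated after the scan finished (the 2051 dates above) together with firewall-policy values that leave host protection switched off.

```python
"""Triage helper for a ComboFix log.

Added example (not part of this thread and not ComboFix's own code). It assumes
the text layout visible in the post: 'Files Created' / 'Find3M' rows of the form
created . modified<TAB>size<TAB>attributes<TAB>path, a REGEDIT4-style registry
section, and a 'Completion time:' line.
"""
import re
from datetime import datetime

# Constructed sample in the layout of the log above (a handful of its rows).
SAMPLE_LOG = """\
ComboFix 11-08-16.05 - Gareth 2 17/08/2011  12:02:32.3.1 - x86
.
(((((((((((((((((((((((((   Files Created from 2011-07-17 to 2011-08-17  )))))))))))))))))))))))))))))))
.
2051-08-02 00:10 . 2051-08-02 00:10\t--------\td-----w-\tc:\\program files\\Microsoft Reader
2051-08-02 00:07 . 2051-08-02 00:07\t--------\td-----w-\tc:\\documents and settings\\All Users\\Application Data\\iMesh
2011-08-13 17:45 . 2011-08-13 17:45\t--------\td-----w-\tC:\\found.000
2011-08-05 13:33 . 2011-08-09 09:21\t--------\td-----w-\tc:\\program files\\SUPERAntiSpyware
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
.
Completion time: 2011-08-17  12:09:03
"""

# One file row: created . modified, then size, attributes and path, tab separated.
FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\t(\S+)\t(\S+)\t(.+)$"
)
COMPLETION = re.compile(r"^Completion time:\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')


def completion_time(log: str) -> datetime:
    """Parse the 'Completion time:' line into a datetime."""
    for line in log.splitlines():
        m = COMPLETION.match(line)
        if m:
            return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
    raise ValueError("log has no 'Completion time:' line")


def future_dated_entries(log: str):
    """Return (created, path) for file rows whose creation time is after the scan finished.

    A file cannot legitimately have been created after the scan that lists it;
    such rows point at either a wrong system clock or altered timestamps, and
    either way they deserve a closer look.
    """
    finished = completion_time(log)
    hits = []
    for line in log.splitlines():
        m = FILE_ROW.match(line)
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        if created > finished:
            hits.append((created, m.group(5)))
    return hits


def _reg_number(raw: str):
    """Turn ComboFix's value renderings ('dword:00000001', '0 (0x0)') into an int."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"\d+", raw)
    return int(m.group()) if m else None


def firewall_policy_findings(log: str):
    """Walk the registry section and report values that leave host protection off."""
    findings = []
    key = None
    for line in log.splitlines():
        k = REG_KEY.match(line)
        if k:
            key = k.group(1)
            continue
        v = REG_VALUE.match(line)
        if not v or key is None:
            continue
        name, num = v.group(1), _reg_number(v.group(2))
        if name == "EnableFirewall" and num == 0:
            findings.append((key, name, "Windows Firewall is off for this profile"))
        elif name == "DisableMonitoring" and num == 1:
            findings.append((key, name, "Security Center monitoring is off; confirm the named product set it"))
    return findings


if __name__ == "__main__":
    for created, path in future_dated_entries(SAMPLE_LOG):
        print(f"future-dated: {created:%Y-%m-%d %H:%M}  {path}")
    for key, name, note in firewall_policy_findings(SAMPLE_LOG):
        print(f"{name} under {key}: {note}")
```

To run it on a real report, pass the contents of C:\ComboFix.txt instead of SAMPLE_LOG. A creation date later than the scan itself can come from a wrong system clock just as easily as from tampered timestamps, so treat the list as leads to confirm (for instance by checking the file-system timestamps of the listed paths directly) rather than as a verdict; likewise a DisableMonitoring entry is expected when a third-party security suite such as the Norton component named in the key has registered itself with Security Center.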


----------



## gaz_dodd (Aug 17, 2011)

Here is the most recent HijackThis log:-

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:40:00, on 17/08/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4725 bytes


----------



## johnb35 (Aug 17, 2011)

I don't see any issues that would be causing you to not have internet.  Are you only using Internet Explorer to surf the web?  If so, then it's possible that there has been a proxy enabled.  

Open internet options, click on the connections tab, click on the lan settings button, uncheck the boxes under proxy settings if they are checked.  

Are you using wireless on the machine that can't get online or a wired connection?


----------



## gaz_dodd (Aug 19, 2011)

I am using wireless; my ethernet port is broken so wired isn't an option. It's not that I can't use the internet, I can't even connect to the network. If I go into the device manager I get a "code 37" on the following:-

- Atheros AR5005G Wireless Network Adapter - Packet Scheduler Miniport
- VIA RhineII Fast Ethernet Adapter - Packet Scheduler Miniport
- WAN Miniport (IP)
- WAN Miniport (IP) - Packet Scheduler Miniport
- WAN Miniport (L2TP)
- WAN Miniport (PPPOE)
- WAN Miniport (PPTP)

The actual wireless adapter is working fine, it's just not able to load these drivers.


----------



## johnb35 (Aug 19, 2011)

Do me a favor, go back into device manager and click on the view menu and uncheck "show hidden devices".  Then you should only see 2 entries under network adapters, the VIA and Atheros devices.  Can you give me a screen shot of device manager at this point?


----------



## gaz_dodd (Aug 22, 2011)

Sorry it took so long to get back to you, I'm having a bit of trouble getting the laptop to turn on.

When I press the power button the power light and the wireless light come on, so does the fan, but apart from that it doesn't do anything.

I'll keep trying and post back when I get it on.


----------



## gaz_dodd (Aug 30, 2011)

Hi, thanks for being so patient. I got it started yesterday and I got the screen shots; I'll post them up tomorrow when I have the memory stick, if you still want them.

A bit of an update:

The laptop will start every 30th try or so.

I borrowed an XP disk from my dad, but when I try to reformat it just crashes. I've managed to get it on about 5 times; it loads the CD and it will go for a couple of minutes, but then I get the blue screen.

I've also got a few phone calls claiming to be from Microsoft saying that they have detected malicious software on my computer. I already know that Microsoft don't ever contact you about that sort of thing; could this be a scam? (Not that it matters if I can't even turn the thing on.)

Thanks


----------



## johnb35 (Aug 30, 2011)

They are not from Microsoft and it's a scam to allow them access into your system and actually infect it, so they can access it anytime they want.  Just hang up the phone if they call back again, or tell them they will be reported if they call back again.  Microsoft will not know if your machine is infected or not.


----------



## gaz_dodd (Aug 30, 2011)

Thanks for the quick response,

That's exactly what I thought. I just told them that I would fix it myself and asked them not to call back; it didn't stop them doing it anyway, but next time I'll try to take a contact detail and report them to Microsoft.

Next post will be the screen shots


----------



## gaz_dodd (Aug 30, 2011)

Here is the device manager screen shot. All of the code 37 drivers are new; they came up when the wireless went off. If I try to uninstall them it says I can't because they may be bootable devices.

Sorry the pic isn't too good, I seem to have lost a lot of the quality when I uploaded it


----------



## johnb35 (Aug 30, 2011)

What is the model number of the laptop you have?  You should get the driver from the laptop manufacturer, but try downloading this driver and installing it.

http://www.atheros.cz/atheros-wireless-download.php?chipset=9&system=1

When the page loads, click on the green box that says click for download in the first section you come to.


----------



## gaz_dodd (Aug 30, 2011)

I've used an image host to get a better picture.

Ignore the Modem Device, that's just not installed properly.


----------



## johnb35 (Aug 30, 2011)

johnb35 said:


> What is the model number of laptop you have?  Should get the driver from the laptop manufacturer but try downloading this driver and install it.
> 
> http://www.atheros.cz/atheros-wireless-download.php?chipset=9&system=1
> 
> When the page loads, click on the green box that says click for download in the first section you come to.



Still waiting on answers from this post I made before yours.


----------



## gaz_dodd (Aug 30, 2011)

johnb35 said:


> What is the model number of laptop you have?  Should get the driver from the laptop manufacturer but try downloading this driver and install it.
> 
> http://www.atheros.cz/atheros-wireless-download.php?chipset=9&system=1
> 
> When the page loads, click on the green box that says click for download in the first section you come to.



I tried reinstalling the driver using the disc that came with the laptop but it made no difference. I then tried restoring the laptop to a previous state and that made no difference either. It's an Amilo Pro V3515 by the way.


----------



## gaz_dodd (Aug 30, 2011)

This is really weird. I've turned off the wireless, uninstalled the drivers that will allow me to and disabled the rest of the code 37 devices; now it starts fine. It will still cut out randomly though.

I now have 2 network connections in my control panel and my wireless network connection has been renamed to "network connection 6".

I also have a new icon in control panel, I'm pretty sure it wasn't there before; it's called "Data Sources (ODBC)".

Sorry to bombard you with posts, I'm trying to get as much info in as I can.


----------



## johnb35 (Aug 30, 2011)

Every time you create a new connection it adds to the previous.  You can rename it and delete the 6 out.  If it cuts out then it's either a failing wireless card or something with your router.


----------



## gaz_dodd (Aug 30, 2011)

johnb35 said:


> Every time you create a new connection it adds to the previous.  You can rename it and delete the 6 out.  If it cuts out then it's either a failing wireless card or something with your router.



That's the thing, I haven't created a new connection; this is all happening with no input from me. The connection is already dead, the virus has knocked it off. I'm trying to uninstall everything possible to do with the network connections and reinstall it to get the internet back on.


----------



## johnb35 (Aug 30, 2011)

If you have done a system restore then it could be that you are infected again as malware will hide in the system restore files.  Please run more scans with malwarebytes and combofix and post them for me.  You may be forced to reinstall windows.


----------



## gaz_dodd (Aug 30, 2011)

Here's the HijackThis log, but ComboFix won't run anymore; it just deletes itself from my memory stick when I run it. I've tried reinstalling Windows but I get the blue screen every time I try.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:40:07, on 30/08/2051
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm405YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O20 - AppInit_DLLs:   
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5367 bytes


----------



## gaz_dodd (Aug 30, 2011)

I just tried reinstalling Windows again. It loaded all of the files and as soon as it got as far as "starting windows" I got the blue screen of death. Shall I just keep trying?


----------



## S.T.A.R.S. (Aug 31, 2011)

gaz_dodd said:


> I just tried reinstalling Windows again. It loaded all of the files and as soon as it got as far as "starting windows" I got the blue screen of death. Shall I just keep trying?



The reason for that can be that your Windows disk does not have the SATA drivers built in if you have a SATA hard disk drive in your laptop.
You have 2 options:

-Go into your BIOS and find the SATA CONTROLLER MODE option and if it's set to AHCI, set it to COMPATIBILITY. Now save your changes to CMOS, restart the computer and boot from the Windows disk and reinstall Windows.
Also be sure that your CD/DVD-ROM drive is the first device to boot from and the HDD the second one.

-If you do not have that kind of option in the BIOS, you will need to create an ISO image file of that Windows disk, build in the SATA drivers and then burn that ISO image file to a blank CD or DVD disk, then boot from it and install Windows from it.

-----------------------------------------------------------------------
By the way, there are some viruses which store themselves in the BOOT SECTOR of the HDD and even Windows reinstallation won't help here since it doesn't delete the HDD BOOT SECTOR, only the partitions, which is 99% of the HDD while 1% is the BOOT SECTOR, and the Windows disk cannot delete that by just reinstalling Windows and formatting the partitions, even if you delete all the partitions and perform a slow format.
Also it can be that you got a virus which stores itself at the low level of the HDD and therefore Windows reinstallation AGAIN won't delete it even if you delete all the partitions and perform a slow format.

So if this is the case, you will need to use special formatting tools for the HDD which delete the entire HDD BOOT SECTOR and write zeros to EACH sector on the HDD in order to format it COMPLETELY, including the HDD BOOT SECTOR and the low level of the HDD.
I recommend the DOS tool called KILL DISK for this. But run it from the CD directly by booting off that CD disk and NOT from any removable media, so that a virus CANNOT store itself on that removable media and mess everything up.

Still let's hope that's not the case with you.
-----------------------------------------------------------------------

RECOMMENDATION: Never ever use an HDD which you bought BEFORE formatting it OUTSIDE WINDOWS using special DOS tools for that directly from the CD disk, EVEN if the HDD is brand new from the store, because you can never know what's on it. I always format each HDD completely with the Kill Disk DOS tool before even using it at all, even if it's brand new from the store.


Cheers!
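The point made above, that a partition format never touches sector 0 while a whole-disk zero does, is easy to see on a toy disk image. The following is an added example in Python (my own, not code from this thread or from Kill Disk): it builds a constructed 32 KiB image with a one-entry MBR, records a SHA-256 of the boot-code area as a baseline, simulates a modified sector 0 with constructed marker bytes, and then compares what "format the partition" and "write zeros to every sector" each leave behind. All sizes, names and marker bytes are constructed for the demonstration.

```python
"""Toy disk image: why formatting partitions leaves the MBR alone, but a full wipe does not."""
import hashlib
import struct

SECTOR = 512
DISK_SECTORS = 64              # constructed toy disk: 64 sectors = 32 KiB
MBR_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, LBA size (16 bytes)


def build_mbr(part_start, part_sectors, boot_code=b"\xeb\xfe"):
    """Build a 512-byte MBR: boot code, one partition entry at 0x1BE, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code   # boot-code area (0x000-0x1BD); constructed placeholder bytes
    mbr[0x1BE:0x1CE] = struct.pack(MBR_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", part_start, part_sectors)
    mbr[0x1FE:0x200] = b"\x55\xaa"     # boot signature
    return bytes(mbr)


def new_disk(part_start=1, part_sectors=DISK_SECTORS - 1):
    """Constructed disk: MBR in sector 0, one NTFS-typed partition filling the rest."""
    disk = bytearray(SECTOR * DISK_SECTORS)
    disk[:SECTOR] = build_mbr(part_start, part_sectors)
    lo = part_start * SECTOR
    disk[lo:lo + part_sectors * SECTOR] = b"F" * (part_sectors * SECTOR)  # stands in for file-system data
    return disk


def parse_mbr(disk):
    """Read sector 0: signature check, first partition entry, and a hash of the boot-code area."""
    mbr = bytes(disk[:SECTOR])
    status, _, ptype, _, start, size = struct.unpack_from(MBR_FMT, mbr, 0x1BE)
    return {
        "valid_signature": mbr[0x1FE:0x200] == b"\x55\xaa",
        "bootable": status == 0x80,
        "type": ptype,
        "start": start,
        "sectors": size,
        "boot_code_sha256": hashlib.sha256(mbr[:0x1BE]).hexdigest(),
    }


def format_partition(disk):
    """What a partition format touches: only the sectors the partition entry covers."""
    info = parse_mbr(disk)
    lo = info["start"] * SECTOR
    hi = lo + info["sectors"] * SECTOR
    disk[lo:hi] = bytes(hi - lo)
    return disk


def zero_entire_disk(disk):
    """What a whole-disk wipe does: every sector, sector 0 included, is overwritten."""
    disk[:] = bytes(len(disk))
    return disk


def mbr_changed(disk, baseline_hash):
    """Defender's check: does the boot-code area still match the recorded baseline?"""
    return parse_mbr(disk)["boot_code_sha256"] != baseline_hash


def demo():
    clean = new_disk()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = bytearray(clean)
    tampered[:4] = b"XXXX"               # constructed stand-in for an altered sector 0
    after_format = format_partition(bytearray(tampered))
    after_wipe = zero_entire_disk(bytearray(tampered))
    return {
        "baseline_mismatch_on_tampered": mbr_changed(tampered, baseline),
        "mbr_unchanged_by_partition_format": after_format[:SECTOR] == tampered[:SECTOR],
        "partition_zeroed": after_format[SECTOR:SECTOR + 8] == bytes(8),
        "mbr_zeroed_by_full_wipe": after_wipe[:SECTOR] == bytes(SECTOR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline hash is the practical takeaway: recording a hash of sector 0 on a known-good machine lets you tell a changed boot-code area from an untouched one without relying on a signature database, which matters when the scanners themselves are being tampered with.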


----------



## johnb35 (Aug 31, 2011)

gaz_dodd said:


> Here's the HijackThis log, but ComboFix won't run anymore; it just deletes itself from my memory stick when I run it. I've tried reinstalling Windows but I get the blue screen every time I try.
> 
> Logfile of Trend Micro HijackThis v2.0.4
> Scan saved at 18:40:07, on 30/08/2051
> ...



You must not have installed and rerun Malwarebytes yet because you have mywebsearch in your log and that's malware.  Run Malwarebytes and then redownload the ComboFix file and run it.  Do not run ComboFix from the flash drive, download it to your desktop.
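
The spotting of mywebsearch in the O8 line above is the kind of check that can be scripted. Here is an added Python example (my own, not from this thread or from HijackThis) that parses HijackThis-style lines into a section code and body, pulls any URL out of each body, and flags entries whose registrable domain is on a watchlist. The sample lines are a constructed excerpt modelled on the log posted earlier in the thread; the watchlist is an assumption for the demonstration (mywebsearch.com is the one johnb35 named, imgfarm.com is assumed to belong to the same toolbar family), and the domain extraction is deliberately naive (it would reduce google.co.uk to co.uk).

```python
"""Flag HijackThis log entries that point at a watchlisted domain."""
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm405YYGB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs:
--
End of file - 5367 bytes
"""

# Assumed watchlist for the demonstration; a real one would come from a maintained feed.
WATCHLIST = {"mywebsearch.com", "imgfarm.com"}

LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")   # "O8 - <body>"
URL_RE = re.compile(r"https?://[^\s\"']+")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def registrable_domain(host):
    """Naive last-two-labels reduction; fine for .com, wrong for co.uk-style suffixes."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flag_entries(entries, watchlist=WATCHLIST):
    """Return (section, domain, url) for each entry carrying a URL on the watchlist."""
    flagged = []
    for section, body in entries:
        for url in URL_RE.findall(body):
            dom = registrable_domain(urlparse(url).hostname or "")
            if dom in watchlist:
                flagged.append((section, dom, url))
                break
    return flagged


if __name__ == "__main__":
    for section, dom, url in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {dom} <- {url}")
```

Only lines with a URL get a verdict here; an O4 autorun pointing at an odd path, as in the original log, would need a separate path-based rule.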


----------



## gaz_dodd (Aug 31, 2011)

johnb35 said:


> You must not have installed and rerun Malwarebytes yet because you have mywebsearch in your log and that's malware.  Run Malwarebytes and then redownload the ComboFix file and run it.  Do not run ComboFix from the flash drive, download it to your desktop.



For some reason that still comes up with Malwarebytes but the definitions may be out of date and I can't update it because I have no internet. I'll give ComboFix a go from my desktop in the morning.

I don't think these tests can be considered reliable though; the definitions were all changed a while ago by this virus (sometimes deleted, sometimes the updates wouldn't finish) and the protection levels were all changed on my antivirus. This doesn't seem to be happening anymore though.


----------



## gaz_dodd (Aug 31, 2011)

S.T.A.R.S. said:


> The reason for that can be that your Windows disk does not have the SATA drivers built in if you have a SATA hard disk drive in your laptop.
> You have 2 options:
> 
> -Go into your BIOS and find the SATA CONTROLLER MODE option and if it's set to AHCI, set it to COMPATIBILITY. Now save your changes to CMOS, restart the computer and boot from the Windows disk and reinstall Windows.
> ...



I've ordered the proper disk from Fujitsu Siemens now so I'll give that a try as soon as it comes; if that doesn't work I suppose I'll have to give Kill Disk a go. Would I be able to install Windows as normal after this?


----------



## tremmor (Sep 1, 2011)

Kill Disk works well. Used it before. Or wait for the disk and do not use a quick install. Use a full format when the option is available. That should work.


----------



## gaz_dodd (Sep 1, 2011)

tremmor said:


> Kill Disk works well. Used it before. Or wait for the disk and do not use a quick install. Use a full format when the option is available. That should work.



I got the disk this morning and I reformatted. I'm back on the internet now but the virus still seems to be there. The start menu and the icons are constantly flashing and I can't click on them; that will stop when I hit Ctrl, and it still cuts out when I move it.

I'm convinced that it's something to do with the wireless because it was fine until I installed the Atheros wireless driver.

I did have some trouble reformatting. It wouldn't go into the setup after the restart, it just loaded the disk again; seeing as I had already done a slow format I did a quick one to get into the setup again, and the setup worked after that.

Maybe I should do it again with a slow format? And if that doesn't work then it looks like Kill Disk time.


----------



## S.T.A.R.S. (Sep 1, 2011)

-Make sure that the CD/DVD-ROM drive is the first device to boot from, the HDD the second one, and the rest as the third one and so on...

-Format your HDD with Kill Disk FIRST!
 NOTE: Be sure that you select your HDD and NOT one of its partitions!!!
After the format is complete, you should have ONLY ONE unpartitioned partition called "Unpartitioned". Now quit Kill Disk, shut down your computer and leave it off for 2 minutes at least.

-Boot from the Windows disk you got. When you get to the part with the partitions, you will have ONLY ONE item called "Unpartitioned space". Be sure that "Unpartitioned space" is selected, then press the ENTER key on your keyboard. Next select the option called "Format the partition using the NTFS file system" and then press the ENTER key on your keyboard.

-Wait until the format is complete and then simply follow the setup procedure...



Report back with the results!



Cheers!


----------



## johnb35 (Sep 2, 2011)

Try this driver.

http://driverscollection.com/?file_cid=4296144336029a551de8e9016a1

If this doesn't work, then either you have a hardware issue or possibly a router/wireless issue.


----------



## gaz_dodd (Sep 4, 2011)

johnb35 said:


> Try this driver.
> 
> http://driverscollection.com/?file_cid=4296144336029a551de8e9016a1
> 
> If this doesn't work, then either you have a hardware issue or possibly a router/wireless issue.



I'll try the driver when I get it started again but I think we can rule out the router. I have 3 other laptops on it and they're fine.


----------



## gaz_dodd (Sep 4, 2011)

OK, I've just used Kill Disk and used the XP disk to create a new partition. It's set off formatting using the XP disk at the moment; the next post will be to say whether or not it worked. Fingers crossed and all that...


----------



## gaz_dodd (Sep 5, 2011)

Unfortunately I don't think it worked. It's still a pain to get the thing started and it freezes as soon as I put a CD in it, so I can't install the drivers. Does anyone have any more ideas, because I'm all out?


----------



## johnb35 (Sep 5, 2011)

It seems you have a hardware issue of some kind.  Take it in to a computer repair shop and have them diagnose it for you.


----------



## gaz_dodd (Sep 5, 2011)

Looks like it. 

Strange how it came on so suddenly though. But saying that, this laptop has been through a lot. It was in a serious car crash with me last year that actually knocked the RAM out of place, it was shot with a 2.2 air rifle once and it has been used to teach pensioners basic IT (do not underestimate a pensioner's ability to mess up a computer).

But even though I've had it for 7 years it's still faster than most new home laptops, so I really want to save it.

Anyway, thanks to everyone who helped, I really appreciate it!!!


EDIT: I just bit the bullet and bought a new (manufacturer refurbished) laptop, a Toshiba M400. I stripped the old one down and after a bit of handy work with the soldering iron got it working, but realised just how beat up the thing was. I think it's time to put a dead dog to rest; it won't last much longer anyway.


----------

