
Won't Run... and I have Paladin. Help, Please :o)


I've tried searching for my exact problem all over the place, and have not come across anything that has helped. I've tried several different methods that people have suggested, to remove Paladin, and to get MBAM up and running. I have spent a good amount of time, on my own, trying to delete files from the registry as well.

If I start my computer normally (I run Windows XP), my desktop background says that I have a virus on my computer, rather than my normal background image. Then several "warnings" pop up saying I need to download various updates (I'm sure you are aware of all the Paladin pop-ups). Then Paladin starts re-downloading itself when there is a network connection (even after I've followed instructions on how to go through CMD and the registry to delete the files--so I'm guessing there are some hidden ones?). The Task Manager is disabled as well, and I am unable to get any type of website to load through either Firefox or IE.

When I start my computer in safe mode, the Task Manager is also disabled, and I get various pop-ups about virus alerts as well.

I downloaded MBAM from another computer and burned it to a disk to put into my infected laptop. I followed the instructions from another forum post and got it to load to my screen correctly. However, when I try to run the program (both as a quick scan and a full scan) I get a blue screen before any files are even scanned that says:

"Unable to run malware bytes.

A problem has been detected and Windows has been shut down to prevent damage to your computer.

Technical information:

*** STOP: 0x00000024 (0x001902FE, 0xF80BD324, 0xF80BD020, 0xF9441A3E)"

I have been able to run rkill, and GMER. Below is the information from them.

RKILL

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Administrator on 02/27/2010 at 19:56:07.

Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\smss32.exe

Rkill completed on 02/27/2010 at 19:56:15.

GMER

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-02-27 23:06:01

Windows 5.1.2600 Service Pack 2

Running: 4ggvc78f.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agtdypow.sys

---- System - GMER 1.0.15 ----

Code F9441EB5 ZwCallbackReturn

Code F9441979 ZwEnumerateKey

Code FFAAE1F0 ZwFlushInstructionCache

Code F944196F ZwSaveKey

Code F9441974 ZwSaveKeyEx

Code FFAAE7BE IofCallDriver

Code F9441BD2 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 812EEBB0

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\_VOIDmxiuakmpfn.sys (*** hidden *** ) F8CB0000-F8CCE000 (122880 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\4DW4R3tSLkuGoWMT.sys (*** hidden *** ) [sYSTEM] 4DW4R3 <-- ROOTKIT !!!

Service (*** hidden *** ) [bOOT] vwaukqvx <-- ROOTKIT !!!

Service C:\WINDOWS\system32\drivers\_VOIDmxiuakmpfn.sys (*** hidden *** ) [sYSTEM] _VOIDd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@ImagePath \systemroot\system32\drivers\4DW4R3tSLkuGoWMT.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@Start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections@5bf3bc6c

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector@* 4DW4R3c

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3tSLkuGoWMT.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3JsJtPjRfUV.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\vwaukqvx@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\vwaukqvx@Start 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\vwaukqvx@ErrorControl 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\vwaukqvx@Group Boot Bus Extender

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDmxiuakmpfn.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDmxiuakmpfn.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDwvmjoypull.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDvtvoagdije.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDxnqqpxtewq.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDvpphwbrnsw.dll

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@ImagePath \systemroot\system32\drivers\4DW4R3tSLkuGoWMT.sys

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@Type 1

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@Start 1

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\connections (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\connections@5bf3bc6c

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\injector@* 4DW4R3c

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3tSLkuGoWMT.sys

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3JsJtPjRfUV.dll

Reg HKLM\SYSTEM\ControlSet002\Services\vwaukqvx@Type 1

Reg HKLM\SYSTEM\ControlSet002\Services\vwaukqvx@Start 0

Reg HKLM\SYSTEM\ControlSet002\Services\vwaukqvx@ErrorControl 0

Reg HKLM\SYSTEM\ControlSet002\Services\vwaukqvx@Group Boot Bus Extender

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDmxiuakmpfn.sys

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDmxiuakmpfn.sys

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDwvmjoypull.dll

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDvtvoagdije.dat

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDxnqqpxtewq.dll

Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDvpphwbrnsw.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\4DW4R3c.dll 28160 bytes executable

File C:\WINDOWS\system32\4DW4R3hksPptiSEy.dll 28160 bytes executable

File C:\WINDOWS\system32\4DW4R3hWdBfkoTBl.dll 28160 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3DqIoUprLjm.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3fXRrlreCDb.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3gmYEpdvXdj.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3INYuBqoYrd.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3PMQdltWjsq.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3tSLkuGoWMT.sys 46592 bytes executable <-- ROOTKIT !!!

File C:\WINDOWS\system32\drivers\4DW4R3UqOntpTwkE.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3USxkNePIBu.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\4DW4R3xExBeeTiJi.sys 46592 bytes executable

File C:\WINDOWS\system32\drivers\vwaukqvx.sys (size mismatch) 791552/0 bytes executable

File C:\WINDOWS\system32\4DW4R3jmWvMGjbXh.dll 28160 bytes executable

File C:\WINDOWS\system32\4DW4R3JsJtPjRfUV.dll 28160 bytes executable

File C:\WINDOWS\system32\4DW4R3kGHEVbUMPv.dll 28160 bytes executable

File C:\WINDOWS\system32\4DW4R3lvLLWlkMpq.dll 28160 bytes executable

File C:\WINDOWS\system32\4DW4R3sv.dat 53 bytes

File C:\WINDOWS\system32\4DW4R3wvseMTYUWn.dll 28160 bytes executable

File C:\WINDOWS\system32\4DW4R3XJfavSPQTx.dll 28160 bytes executable

File C:\WINDOWS\system32\4DW4R3XMeVlrkspe.dll 28160 bytes executable

---- EOF - GMER 1.0.15 ----

ANY help that you are able to provide me with would be GREATLY appreciated so I can finally get Paladin off of my computer, and can hopefully run MBAM to help against future threats. This has been such a headache for me. Thank you!


Hello mmwashin

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

=========================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


I tried running ComboFix in both regular mode and safe mode, and could not get it to show up on my screen.

I ran rkill again so that it would shut down the running applications that would not allow me to open up the Task Manager, so that I could see if ComboFix had even launched. According to the Task Manager, ComboFix was running, but it was not visible on my screen.


1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to disable:
4DW4R3
_VOIDd.sys
vwaukqvx

Drivers to delete:
4DW4R3
_VOIDd.sys
vwaukqvx

Files to delete:
C:\WINDOWS\system32\4DW4R3c.dll
C:\WINDOWS\system32\4DW4R3hksPptiSEy.dll
C:\WINDOWS\system32\4DW4R3hWdBfkoTBl.dll
C:\WINDOWS\system32\drivers\4DW4R3.sys
C:\WINDOWS\system32\drivers\4DW4R3DqIoUprLjm.sys
C:\WINDOWS\system32\drivers\4DW4R3fXRrlreCDb.sys
C:\WINDOWS\system32\drivers\4DW4R3gmYEpdvXdj.sys
C:\WINDOWS\system32\drivers\4DW4R3INYuBqoYrd.sys
C:\WINDOWS\system32\drivers\4DW4R3PMQdltWjsq.sys
C:\WINDOWS\system32\drivers\4DW4R3tSLkuGoWMT.sys
C:\WINDOWS\system32\drivers\4DW4R3UqOntpTwkE.sys
C:\WINDOWS\system32\drivers\4DW4R3USxkNePIBu.sys
C:\WINDOWS\system32\drivers\4DW4R3xExBeeTiJi.sys
C:\WINDOWS\system32\drivers\vwaukqvx.sys
C:\WINDOWS\system32\4DW4R3jmWvMGjbXh.dll
C:\WINDOWS\system32\4DW4R3JsJtPjRfUV.dll
C:\WINDOWS\system32\4DW4R3kGHEVbUMPv.dll
C:\WINDOWS\system32\4DW4R3lvLLWlkMpq.dll
C:\WINDOWS\system32\4DW4R3sv.dat
C:\WINDOWS\system32\4DW4R3wvseMTYUWn.dll
C:\WINDOWS\system32\4DW4R3XJfavSPQTx.dll
C:\WINDOWS\system32\4DW4R3XMeVlrkspe.dll
C:\WINDOWS\system32\smss32.exe

Folders to delete:
c:\Program Files\Paladin Antivirus

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

=================

After that, run ComboFix and post that log.

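The helper built the Avenger script above by hand from the hidden Service and File entries in the GMER log. This added Python example (not code from GMER, The Avenger or the Malwarebytes helper) does the same job mechanically over a constructed excerpt of that log, also calling out the "(size mismatch)" line; the smss32.exe path and the Paladin folder are passed in separately because they came from the rkill log and the helper's own knowledge, not from GMER.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the GMER log posted in this thread (not the full log).
SAMPLE_GMER_LOG = r"""---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\4DW4R3tSLkuGoWMT.sys (*** hidden *** ) [sYSTEM] 4DW4R3 <-- ROOTKIT !!!
Service (*** hidden *** ) [bOOT] vwaukqvx <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\_VOIDmxiuakmpfn.sys (*** hidden *** ) [sYSTEM] _VOIDd.sys <-- ROOTKIT !!!
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\4DW4R3c.dll 28160 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3tSLkuGoWMT.sys 46592 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\vwaukqvx.sys (size mismatch) 791552/0 bytes executable
File C:\WINDOWS\system32\4DW4R3sv.dat 53 bytes
---- EOF - GMER 1.0.15 ----"""

# "Service <image path> (*** hidden *** ) [<start group>] <service name> <-- ROOTKIT !!!"
# The image path is missing on the boot-start entry, so it is optional.
SERVICE_RE = re.compile(
    r"^Service\s+(?:(?P<path>\S+)\s+)?\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<rk>\s+<-- ROOTKIT !!!)?$"
)
# "File <path> <size> bytes [executable]" or "File <path> (size mismatch) <a>/<b> bytes ..."
FILE_RE = re.compile(
    r"^File\s+(?P<path>.+?)\s+"
    r"(?:\(size mismatch\)\s+(?P<first>\d+)/(?P<second>\d+)|(?P<size>\d+))\s+bytes"
    r"(?P<exe>\s+executable)?(?P<rk>\s+<-- ROOTKIT !!!)?$"
)

@dataclass
class HiddenService:
    name: str
    start: str                 # start group as GMER prints it, e.g. sYSTEM or bOOT
    image_path: Optional[str]  # None when GMER could not show one (the boot-start entry)
    flagged_rootkit: bool

@dataclass
class HiddenFile:
    path: str
    size: int
    executable: bool
    flagged_rootkit: bool
    size_mismatch: Optional[Tuple[int, int]] = None  # the two readings GMER printed

def parse_gmer(log_text: str) -> Tuple[List[HiddenService], List[HiddenFile]]:
    """Collect the hidden Service and File entries; Code/Device/Module/Registry lines are ignored."""
    services: List[HiddenService] = []
    files: List[HiddenFile] = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = SERVICE_RE.match(line)
        if m:
            services.append(HiddenService(m["name"], m["start"], m["path"], m["rk"] is not None))
            continue
        m = FILE_RE.match(line)
        if m:
            mismatch = (int(m["first"]), int(m["second"])) if m["first"] else None
            size = int(m["size"]) if m["size"] else mismatch[0]
            files.append(HiddenFile(m["path"], size, m["exe"] is not None, m["rk"] is not None, mismatch))
    return services, files

def triage_notes(services: List[HiddenService], files: List[HiddenFile]) -> List[str]:
    """One plain-language line per finding, for the reply to the user."""
    notes = [f"hidden {s.start.upper()}-start service {s.name}: "
             f"{s.image_path or 'no image path visible to GMER'}" for s in services]
    for f in files:
        if f.size_mismatch:
            a, b = f.size_mismatch
            notes.append(f"{f.path}: GMER got two different sizes ({a} and {b} bytes), "
                         "a sign that file-system queries are being intercepted")
    return notes

def build_avenger_script(services, files, extra_files=(), extra_folders=()) -> str:
    """Emit Avenger's section format: drivers sorted for stable output, files in GMER order
    with duplicates dropped, then extras that came from other tools (rkill) or the helper."""
    drivers = sorted({s.name for s in services})
    paths: List[str] = []
    for p in [f.path for f in files] + list(extra_files):
        if p not in paths:
            paths.append(p)
    sections = [("Drivers to disable:", drivers), ("Drivers to delete:", drivers),
                ("Files to delete:", paths)]
    if extra_folders:
        sections.append(("Folders to delete:", list(extra_folders)))
    return "\n\n".join(h + "\n" + "\n".join(items) for h, items in sections) + "\n"

if __name__ == "__main__":
    svcs, fls = parse_gmer(SAMPLE_GMER_LOG)
    print("\n".join("* " + n for n in triage_notes(svcs, fls)), end="\n\n")
    # smss32.exe came from the rkill log and the Paladin folder from the helper, not from GMER.
    print(build_avenger_script(svcs, fls, extra_files=[r"C:\WINDOWS\system32\smss32.exe"],
                               extra_folders=[r"c:\Program Files\Paladin Antivirus"]))
```

Run against the full GMER log posted above, it reproduces the driver and file lists of the helper's script; anything GMER did not list (the rkill hit, the Paladin folder) still has to be added by hand.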

Here are the logs. After running both of these, everything *looks* normal again with the desktop and there weren't any pop-ups.

Avenger

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "4DW4R3" found!

ImagePath: \systemroot\system32\drivers\4DW4R3tSLkuGoWMT.sys

Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "4DW4R3" disabled successfully.

Driver "_VOIDd.sys" disabled successfully.

Driver "vwaukqvx" disabled successfully.

Driver "4DW4R3" deleted successfully.

Driver "_VOIDd.sys" deleted successfully.

Driver "vwaukqvx" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3c.dll" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3hksPptiSEy.dll" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3hWdBfkoTBl.dll" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3DqIoUprLjm.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3fXRrlreCDb.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3gmYEpdvXdj.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3INYuBqoYrd.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3PMQdltWjsq.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3tSLkuGoWMT.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3UqOntpTwkE.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3USxkNePIBu.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\4DW4R3xExBeeTiJi.sys" deleted successfully.

File "C:\WINDOWS\system32\drivers\vwaukqvx.sys" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3jmWvMGjbXh.dll" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3JsJtPjRfUV.dll" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3kGHEVbUMPv.dll" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3lvLLWlkMpq.dll" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3sv.dat" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3wvseMTYUWn.dll" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3XJfavSPQTx.dll" deleted successfully.

File "C:\WINDOWS\system32\4DW4R3XMeVlrkspe.dll" deleted successfully.

File "C:\WINDOWS\system32\smss32.exe" deleted successfully.

Error: folder "c:\Program Files\Paladin Antivirus" not found!

Deletion of folder "c:\Program Files\Paladin Antivirus" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

ComboFix

ComboFix 10-02-28.04 - MMW 03/01/2010 16:03:04.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.88 [GMT -5:00]

Running from: D:\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\MMW\LOCALS~1\Temp\svchost.exe

c:\docume~1\MMW\LOCALS~1\Temp\winlogon.exe

c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll

c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll

c:\documents and settings\All Users\Application Data\mswintmp.dat

c:\windows\msa.exe

c:\windows\system32\_VOIDvpphwbrnsw.dll

c:\windows\system32\_VOIDvtvoagdije.dat

c:\windows\system32\_VOIDwvmjoypull.dll

c:\windows\system32\_VOIDxnqqpxtewq.dll

c:\windows\system32\11478.exe

c:\windows\system32\14814.exe

c:\windows\system32\15724.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\26500.exe

c:\windows\system32\41.exe

c:\windows\system32\4DW4R3GfRwLbyUEc.dll

c:\windows\system32\4DW4R3lYQIYDVNyN.dll

c:\windows\system32\4DW4R3oapmcOxsqp.dll

c:\windows\system32\4DW4R3QPOcVdmXtg.dll

c:\windows\system32\6334.exe

c:\windows\system32\6to4v32.dll

c:\windows\system32\certstore.dat

c:\windows\system32\drivers\_VOIDmxiuakmpfn.sys

c:\windows\system32\drivers\4DW4R3lbcpaxVsKV.sys

c:\windows\system32\drivers\4DW4R3qiYfdTkoNo.sys

c:\windows\system32\drivers\4DW4R3UyPvPmtIQk.sys

c:\windows\system32\drivers\4DW4R3VBwtikXJlL.sys

c:\windows\system32\drivers\fad.sys

c:\windows\system32\ES15.exe

c:\windows\system32\fogehile.dll

c:\windows\system32\helpers32.dll

c:\windows\system32\hugeloko.dll

c:\windows\system32\net.net

c:\windows\system32\nusoyeta.dll

c:\windows\system32\smss32.exe

c:\windows\system32\spool\prtprocs\w32x86\00007e6f.tmp

c:\windows\system32\twain_32.dll

c:\windows\system32\warnings.html

c:\windows\system32\winlogon32.exe

c:\windows\system32\wumomara.dll

c:\windows\system32\zcm1r5.dll

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :D

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_IAS

-------\Legacy_IPRIP

-------\Service_6to4

-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))

.

2010-03-01 20:42 . 2010-03-01 20:42 704 ----a-w- C:\avexport.bat

2010-02-28 00:53 . 2010-02-28 00:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-02-28 00:53 . 2010-02-28 00:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-02-22 21:25 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-22 21:25 . 2010-02-22 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-22 21:25 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-22 00:43 . 2010-02-22 00:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-02-22 00:39 . 2010-02-22 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-20 22:10 . 2010-02-20 22:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-02-20 20:56 . 2010-02-20 21:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-02-20 20:30 . 2010-02-20 20:30 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-02-20 20:29 . 2010-02-20 20:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-02-13 07:14 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-02-13 07:14 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-02-13 07:14 . 2004-08-04 03:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-02-13 07:14 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-02-07 00:43 . 2010-02-21 01:02 -------- d-----w- c:\documents and settings\MMW\Application Data\Dropbox

2010-02-01 04:46 . 2010-02-01 04:46 160096 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-20 19:40 . 2008-12-23 05:56 -------- d-----w- c:\program files\Dell

2010-02-20 19:40 . 2008-12-23 06:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-20 17:06 . 2008-12-23 06:33 56680 ----a-w- c:\documents and settings\MMW\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-07 00:43 . 2010-02-07 00:43 89854 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\Uninstall.exe

2010-01-12 21:50 . 2008-12-26 01:10 -------- d-----w- c:\program files\QuickTime

2010-01-12 21:49 . 2008-12-26 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\program files\Common Files\Apple

2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\program files\Apple Software Update

2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-12-31 16:14 . 2004-08-04 10:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-31 00:48 . 2009-12-31 00:48 21968784 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\Dropbox.exe

2009-12-14 07:35 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-10 15:32 . 2009-12-11 00:02 911168 ----a-w- c:\documents and settings\MMW\Application Data\Mozilla\Firefox\Profiles\jl40batw.default\extensions\{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}\mywebtattoo.exe

2009-12-09 01:19 . 2009-12-09 01:19 94208 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

2009-12-08 18:14 . 2005-03-30 01:23 2185984 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 17:35 . 2005-03-30 01:01 2063104 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 14:41 . 2004-08-04 10:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

1601-01-01 00:03 . 1601-01-01 00:03 45568 --sha-w- c:\windows\system32\vovuhinu.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"CARPService"="carpserv.exe" [2002-10-17 4608]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 126976]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 561152]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-08 294912]

"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 163840]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]

"AS00_WPN511"="c:\program files\NETGEAR\WPN511\Utility\WPN511.exe" [2007-02-06 1130496]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-25 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli rg1admng.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\NETGEAR\\WPN511\\Utility\\WPN511.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\MMW\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2009 12:23 AM 24652]

R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [12/27/2008 12:35 PM 16194]

R3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\drivers\wpn511.sys [12/27/2008 12:35 PM 488992]

S2 gupdate1ca16da4ca4f8e0;Google Update Service (gupdate1ca16da4ca4f8e0);c:\program files\Google\Update\GoogleUpdate.exe [8/6/2009 4:10 PM 133104]

S3 fmfdisk;fmfdisk;c:\windows\system32\fmfdisk.sys [8/4/2004 5:00 AM 2304]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/22/2010 4:25 PM 38224]

S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [12/25/2008 7:41 PM 23296]

.

Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-06 21:10]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-06 21:10]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = https://my.netgear-support.com/myNETGEAR/ENG/login.asp

Trusted Zone: buy-security-essentials.com

Trusted Zone: download-soft-package.com

Trusted Zone: download-software-package.com

Trusted Zone: get-key-se10.com

Trusted Zone: is-software-download.com

Trusted Zone: buy-security-essentials.com

Trusted Zone: get-key-se10.com

TCP: {1868AA57-CDEA-4D8B-9827-1F7B46274B70} = 83.149.115.157,4.2.2.1,93.188.164.221,93.188.161.89

TCP: {4F3FC019-F047-4D2D-ACA4-46A2DFA4F431} = 83.149.115.157,4.2.2.1,192.168.2.1

FF - ProfilePath - c:\documents and settings\MMW\Application Data\Mozilla\Firefox\Profiles\jl40batw.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=

FF - prefs.js: browser.search.selectedEngine - Fast Browser Search

FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={DA0DAC83-4624-B863-CD22-43B809D1ABB4}&q=

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{3fe11970-c31e-4a24-9a69-0f7efde581d0} - nusoyeta.dll

BHO-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\zcm1r5.dll

HKCU-Run-Aim6 - (no file)

HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe

HKCU-Run-Remote System Protection - c:\windows\system32\zcm1r5.dll

HKCU-Run-Security essentials 2010 - c:\program files\Securityessentials2010\SE2010.exe

HKCU-Run-Paladin Antivirus - c:\program files\Paladin Antivirus\pav.exe

HKLM-Run-SGPUpdater - c:\program files\Search Guard PlusU\sgpUpdaters.exe

HKLM-Run-FBSearch - c:\program files\Search Guard Plus\SearchGuardPlus.exe

HKLM-Run-vofugobeda - wumomara.dll

HKU-Default-Run-Remote System Protection - c:\windows\system32\zcm1r5.dll

SharedTaskScheduler-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\zcm1r5.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-01 16:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SGPUpdater = c:\program files\Search Guard PlusU\sgpUpdaters.exe??o?and Site Terms. http://help.fastbrowsersearc

FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe?and Site Terms. http://help.fastbrowsersearc

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,55,f9,23,e3,63,50,4f,97,0f,3a,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,55,f9,23,e3,63,50,4f,97,0f,3a,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(760)

c:\windows\rg1admng.dll

- - - - - - - > 'explorer.exe'(3748)

c:\windows\system32\SynTPFcs.dll

c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\progra~1\mcafee.com\vso\McVSSkt.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msls31.dll

c:\windows\rg1admng.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Bonjour\mdnsNSP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\progra~1\mcafee.com\agent\mctskshd.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\carpserv.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-03-01 16:20:05 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-01 21:20

Pre-Run: 97,575,317,504 bytes free

Post-Run: 100,344,725,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A8F30E7E37F4E0E2EBE4314261892E8A


1. Open notepad and copy/paste the text in the codebox below into it:

Collect::
c:\windows\rg1admng.dll
c:\windows\system32\vovuhinu.dll

DDS::
Trusted Zone: buy-security-essentials.com
Trusted Zone: download-soft-package.com
Trusted Zone: download-software-package.com
Trusted Zone: get-key-se10.com
Trusted Zone: is-software-download.com
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
TCP: {1868AA57-CDEA-4D8B-9827-1F7B46274B70} = 83.149.115.157,4.2.2.1,93.188.164.221,93.188.161.89
TCP: {4F3FC019-F047-4D2D-ACA4-46A2DFA4F431} = 83.149.115.157,4.2.2.1,192.168.2.1

Firefox::
FF - ProfilePath - c:\documents and settings\MMW\Application Data\Mozilla\Firefox\Profiles\jl40batw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={DA0DAC83-4624-B863-CD22-43B809D1ABB4}&q=



Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"SGPUpdater"=-
"FBSearch"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.
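An added note and example, not part of the helper's instructions or of ComboFix itself: the Registry:: block in the script above writes "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 under the LSA key. hex(7) is the .reg encoding of a REG_MULTI_SZ, and those bytes spell scecli followed by the double-NUL terminator, i.e. the stock Windows XP contents of that value. DLLs named there are loaded by lsass.exe at boot (the earlier ComboFix log listed c:\windows\rg1admng.dll under lsass.exe, and the script collects that file), so rewriting the value to scecli alone drops anything else that had been registered in it. The Python below, written for this example on constructed input, decodes hex(7) data (re-joining the wrapped lines a .reg file produces) and reports entries that are not on an expected list. The allow-list and the lsa_before key name are assumptions made for the example.

```python
import re

# Expected contents of the LSA "Notification Packages" value on a stock
# Windows XP machine: just scecli. This allow-list is an assumption made for
# the example; a site that legitimately installs a password-filter DLL
# would add that DLL's name here.
EXPECTED_NOTIFICATION_PACKAGES = ["scecli"]

# Constructed .reg fragment. The first value is the one the CFScript above
# writes. The "lsa_before" key is a made-up name holding a constructed
# non-clean value (one extra entry, wrapped with a trailing backslash the way
# .reg files wrap long hex lists) so the check has something to report.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa_before]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,65,78,61,6d,70,\
  6c,65,00,00
"""


def decode_multi_sz(data):
    """Decode REG_MULTI_SZ bytes: NUL-separated strings ending in a double NUL.
    REGEDIT4-style .reg output (as in the CFScript above) stores hex(7) as
    single-byte ANSI text; 'Version 5.00' files store UTF-16LE. Heuristic: if
    every second byte is zero, treat the data as UTF-16LE."""
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_reg_hex_values(reg_text):
    """Return {(key, value_name): raw bytes} for every hex/hex(N) value in a
    .reg fragment, first re-joining lines wrapped with a trailing backslash."""
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    values, current_key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=hex(?:\(\d+\))?:([0-9a-fA-F,]*)$', line)
        if m and current_key is not None:
            name, hexlist = m.groups()
            values[(current_key, name)] = bytes(int(h, 16) for h in hexlist.split(",") if h)
    return values


def check_notification_packages(reg_text, allowed=EXPECTED_NOTIFICATION_PACKAGES):
    """For each key carrying a Notification Packages value, list the entries
    that are not on the allow-list (an empty list means the value is clean)."""
    allowed_lc = {a.lower() for a in allowed}
    findings = {}
    for (key, name), raw in parse_reg_hex_values(reg_text).items():
        if name.lower() == "notification packages":
            findings[key] = [e for e in decode_multi_sz(raw) if e.lower() not in allowed_lc]
    return findings


if __name__ == "__main__":
    for key, unexpected in check_notification_packages(SAMPLE_REG).items():
        verdict = "clean" if not unexpected else "UNEXPECTED: " + ", ".join(unexpected)
        print(f"{key}\n    Notification Packages -> {verdict}")
```

The same decoder applies to the hex: values under LOCKED REGISTRY KEYS in the log above; only the hex(7) ones are multi-strings, plain hex is REG_BINARY and is returned as raw bytes.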


ComboFix Log

ComboFix 10-02-28.04 - MMW 03/01/2010 20:47:47.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.75 [GMT -5:00]

Running from: c:\documents and settings\MMW\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\MMW\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

file zipped: c:\windows\rg1admng.dll

file zipped: c:\windows\system32\vovuhinu.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\MMW\Local Settings\Application Data\{E437B8AD-FC1A-4656-B8D1-E0268CF7E732}

c:\documents and settings\MMW\Local Settings\Application Data\{E437B8AD-FC1A-4656-B8D1-E0268CF7E732}\chrome.manifest

c:\documents and settings\MMW\Local Settings\Application Data\{E437B8AD-FC1A-4656-B8D1-E0268CF7E732}\chrome\content\_cfg.js

c:\documents and settings\MMW\Local Settings\Application Data\{E437B8AD-FC1A-4656-B8D1-E0268CF7E732}\chrome\content\overlay.xul

c:\documents and settings\MMW\Local Settings\Application Data\{E437B8AD-FC1A-4656-B8D1-E0268CF7E732}\install.rdf

c:\windows\igoweciq.dll

c:\windows\rg1admng.dll

c:\windows\system32\vovuhinu.dll

.

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))

.

2010-03-01 22:43 . 2010-03-01 22:43 -------- d-----w- c:\windows\Sun

2010-03-01 20:42 . 2010-03-01 20:42 704 ----a-w- C:\avexport.bat

2010-02-28 00:53 . 2010-02-28 00:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-02-28 00:53 . 2010-02-28 00:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-02-22 21:25 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-22 21:25 . 2010-02-22 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-22 21:25 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-22 00:43 . 2010-02-22 00:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-02-22 00:39 . 2010-02-22 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-20 22:10 . 2010-02-20 22:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-02-20 20:56 . 2010-02-20 21:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-02-20 20:30 . 2010-02-20 20:30 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-02-20 20:29 . 2010-02-20 20:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-02-13 07:14 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-02-13 07:14 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-02-13 07:14 . 2004-08-04 03:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-02-13 07:14 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-02-07 00:43 . 2010-02-07 00:43 89854 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\Uninstall.exe

2010-02-07 00:43 . 2010-02-21 01:02 -------- d-----w- c:\documents and settings\MMW\Application Data\Dropbox

2010-02-01 04:46 . 2010-02-01 04:46 160096 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-20 19:40 . 2008-12-23 05:56 -------- d-----w- c:\program files\Dell

2010-02-20 19:40 . 2008-12-23 06:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-20 17:06 . 2008-12-23 06:33 56680 ----a-w- c:\documents and settings\MMW\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-12 21:50 . 2008-12-26 01:10 -------- d-----w- c:\program files\QuickTime

2010-01-12 21:49 . 2008-12-26 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\program files\Common Files\Apple

2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\program files\Apple Software Update

2010-01-12 21:48 . 2010-01-12 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-12-31 16:14 . 2004-08-04 10:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-31 00:48 . 2009-12-31 00:48 21968784 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\Dropbox.exe

2009-12-14 07:35 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-10 15:32 . 2009-12-11 00:02 911168 ----a-w- c:\documents and settings\MMW\Application Data\Mozilla\Firefox\Profiles\jl40batw.default\extensions\{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}\mywebtattoo.exe

2009-12-09 01:19 . 2009-12-09 01:19 94208 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

2009-12-08 18:14 . 2005-03-30 01:23 2185984 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 17:35 . 2005-03-30 01:01 2063104 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 14:41 . 2004-08-04 10:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"CARPService"="carpserv.exe" [2002-10-17 4608]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 126976]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 561152]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-08 294912]

"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]

"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]

"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]

"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 163840]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-09-16 274432]

"AS00_WPN511"="c:\program files\NETGEAR\WPN511\Utility\WPN511.exe" [2007-02-06 1130496]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-25 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\NETGEAR\\WPN511\\Utility\\WPN511.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\MMW\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2009 12:23 AM 24652]

R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [12/27/2008 12:35 PM 16194]

R3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\drivers\wpn511.sys [12/27/2008 12:35 PM 488992]

S2 gupdate1ca16da4ca4f8e0;Google Update Service (gupdate1ca16da4ca4f8e0);c:\program files\Google\Update\GoogleUpdate.exe [8/6/2009 4:10 PM 133104]

S3 fmfdisk;fmfdisk;c:\windows\system32\fmfdisk.sys [8/4/2004 5:00 AM 2304]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/22/2010 4:25 PM 38224]

S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [12/25/2008 7:41 PM 23296]

.

Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-06 21:10]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-06 21:10]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = https://my.netgear-support.com/myNETGEAR/ENG/login.asp

FF - ProfilePath - c:\documents and settings\MMW\Application Data\Mozilla\Firefox\Profiles\jl40batw.default\

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Eyeyizuf - c:\windows\igoweciq.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-01 20:56

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3136)

c:\windows\system32\SynTPFcs.dll

c:\documents and settings\MMW\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\windows\system32\ieframe.dll

c:\progra~1\mcafee.com\vso\McVSSkt.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\progra~1\mcafee.com\agent\mctskshd.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\carpserv.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-03-01 21:02:19 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-02 02:02

ComboFix2.txt 2010-03-01 21:20

Pre-Run: 100,318,171,136 bytes free

Post-Run: 100,285,915,136 bytes free

- - End Of File - - BEC3C5A707C850F79FCE2C8D317F352A

I uploaded the file to the link provided.

I also wanted to let you know, in case it is important, that during the time ComboFix was running, this message popped up 18 times.

"RUNDLL

Error loading C:\Windows\rg1admng.dll

Invalid access to memory location."

Thank you SO much again for taking the time to help me figure out the issues with my laptop.


You are welcome :D

Those messages will stop when we are finished.

Update Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


MBAM

Malwarebytes' Anti-Malware 1.44

Database version: 3817

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18372

3/2/2010 9:12:40 PM

mbam-log-2010-03-02 (21-12-40).txt

Scan type: Quick Scan

Objects scanned: 119220

Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\1267334697.bak (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fmfdisk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Ipripex.dll (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\MMW\Application Data\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\MMW\Application Data\Microsoft\Internet Explorer\Quick Launch\Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Kaspersky

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, March 3, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Wednesday, March 03, 2010 00:33:27

Records in database: 3689876

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 75847

Threats found: 11

Infected objects found: 18

Suspicious objects found: 0

Scan duration: 03:34:14

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Packed.Win32.Krap.as 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\4DW4R3GfRwLbyUEc.dll.vir Infected: Rootkit.Win32.Agent.azyf 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\4DW4R3lYQIYDVNyN.dll.vir Infected: Rootkit.Win32.Agent.azyf 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\4DW4R3oapmcOxsqp.dll.vir Infected: Rootkit.Win32.Agent.azyf 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\4DW4R3QPOcVdmXtg.dll.vir Infected: Rootkit.Win32.Agent.azyf 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Infected: Backdoor.Win32.Agent.apny 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3lbcpaxVsKV.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3qiYfdTkoNo.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3UyPvPmtIQk.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3VBwtikXJlL.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.gmc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00007e6f.tmp.vir Infected: Trojan.Win32.Cosmu.mna 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\warnings.html.vir Infected: Trojan.HTML.Fraud.ad 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.gmc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\zcm1r5.dll.vir Infected: Trojan-Downloader.Win32.Agent.demw 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\_VOIDxnqqpxtewq.dll.vir Infected: Trojan.Win32.Tdss.awfn 1

C:\Qoobox\Quarantine\[4]-Submit_2010-03-01_20.47.41.zip Infected: Trojan-Spy.Win32.Zbot.aewz 1

Selected area has been scanned.
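An added example, not part of the thread and not Malwarebytes' or Kaspersky's own tooling: the MBAM log above lists each detection as "item (Detection.Name) -> action", and the Kaspersky report lists "path Infected: Threat count". The Python below parses both layouts from constructed sample text (header values copied from the posted MBAM log; every path and detection name made up). It tallies MBAM detections by family, flags entries that only disappear after the requested reboot, singles out kernel drivers (like the Rootkit.Agent hit on fmfdisk.sys above, a driver the earlier ComboFix log showed registered as service S3 fmfdisk), cross-checks the summary counts against the listed entries, and separates Kaspersky hits inside ComboFix's C:\Qoobox\Quarantine folder, which are already neutralised copies, from hits at live locations.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.44 log posted above (header
# values copied from that log; every path and detection name is made up):
# a summary block with one count per category, then the headings again with
# one detection per line as "item (Detection.Name) -> action".
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.44
Database version: 3817
Objects scanned: 119220

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\ExampleRogue (Rogue.ExampleRogue) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleRogue (Rogue.ExampleRogue) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\exdisk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\exbot.dll (Backdoor.Bot) -> Delete on reboot.
C:\\Documents and Settings\\User\\Desktop\\Example AV.lnk (Rogue.ExampleRogue) -> Quarantined and deleted successfully.
"""

# Constructed lines in the layout of the Kaspersky report above.
SAMPLE_KASPERSKY_LINES = [
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\exdrv.sys.vir Infected: Rootkit.Win32.Example.a 1",
    "C:\\WINDOWS\\system32\\exlive.dll Infected: Trojan.Win32.Example.b 1",
]

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADING_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
KASPERSKY_RE = re.compile(r"^(?P<path>.+) Infected: (?P<threat>\S+) (?P<count>\d+)$")
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"  # ComboFix's quarantine folder


def parse_mbam_log(text):
    """Return (summary_counts, detections): {category: int} from the summary
    block, and a list of dicts with category/item/detection/action."""
    summary, detections, category = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["category"]] = int(m["count"])
        elif m := HEADING_RE.match(line):
            category = m["category"]
        elif category and (m := ENTRY_RE.match(line)):
            detections.append({"category": category, **m.groupdict()})
    return summary, detections


def count_by_family(detections):
    # Family is the prefix before the first dot: Rogue, Rootkit, Backdoor, ...
    return Counter(d["detection"].split(".", 1)[0] for d in detections)


def pending_reboot(detections):
    # "Delete on reboot" items are still on disk until the restart MBAM asks for.
    return [d["item"] for d in detections
            if d["action"].lower().startswith("delete on reboot")]


def kernel_driver_detections(detections):
    # A hit on a .sys file is a kernel-mode component (cf. the Rootkit.Agent
    # driver in the posted log): worth a second, rootkit-aware scan after reboot.
    return [d["item"] for d in detections if d["item"].lower().endswith(".sys")]


def summary_matches_details(summary, detections):
    # The per-category counts should equal the entries listed under each
    # heading; a mismatch points to a truncated or edited log.
    listed = Counter(d["category"] for d in detections)
    return all(listed.get(cat, 0) == n for cat, n in summary.items())


def kaspersky_live_hits(lines):
    # Kaspersky also scans ComboFix's quarantine, so hits under C:\Qoobox\Quarantine
    # are files already taken out of service; only hits elsewhere still need action.
    live = []
    for line in lines:
        m = KASPERSKY_RE.match(line.strip())
        if m and not m["path"].lower().startswith(QUARANTINE_PREFIX):
            live.append((m["path"], m["threat"]))
    return live


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("by family:", dict(count_by_family(dets)))
    print("pending reboot:", pending_reboot(dets))
    print("kernel drivers:", kernel_driver_detections(dets))
    print("summary consistent:", summary_matches_details(summary, dets))
    print("Kaspersky hits outside quarantine:", kaspersky_live_hits(SAMPLE_KASPERSKY_LINES))
```

Run against the two reports posted above, the Kaspersky check returns an empty list, since every one of its 18 hits sits under C:\Qoobox\Quarantine, which is why the helper's next step is to submit the quarantine archive rather than to clean anything further.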


Hi, sorry for the late reply; I wasn't notified of your reply.

Go to Start > My Computer > C:\

Then navigate to C:\Qoobox\Quarantine\[4]-Submit_2010-03-01_20.47.41.zip

Click Here to upload the submit.zip please.

Let me know when that is done and let me know how the system is running as well.

===============================

Please download DDS and save it to your desktop.

  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open as well as attach.txt.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

attach.txt
