BleepingComputer.com: Blackhole rootkit infection

My wife was using IE on a site watching a video when AVG 10 posted a threat warning she didn't read very well. As she's conditioned to do, she ran an AVG scan and Malwarebytes which found a couple of trojans, but quarantining them didn't seem to work. When I got there I decided to run Malwarebytes, but in the middle of the scan I got an AVG notification that it had blocked an attempt by "Rootkit Blackhole" I freaked out and shut down the PC and rebooted in safe mode, ran both an AVG and Malwarebytes scan again (both came up negative). I rebooted in Safe Mode + Networking and brought up Firefox to hit the forums & find out the best way to ensure I was in the clear. Firefox popped up some weird site when I opened it, and from that point on whenever I tried to access a web site, it redirected me to a rogue site.

Once again I opened Malwarebytes but as it was opening, I noticed my AVG 10 tray icon had vanished from my tray. I tried manually restarting but it didn't work. When Malwarebytes came up again I updated the database and kicked off another scan but the program unexpectedly closed. I opened Task Manager and saw a process in there called something like "128082753247:0983872395.exe" that ignored any attempts to kill it.

From there I rebooted to regular (non-safe mode)with the computer physically disconnected from the router, copied over Defogger, DMS and GMER from a USB stick . Defogger and DMS worked and the logs are shown & attached as prescribed. GMER successfully completes a scan, but once the scan is done the program closes before I'm given the opportunity to save the log. I did manually record two lines that appeared in red in the display:

Module (noname) (***hidden***) ADA68000-ADA73000 (45056 bytes)

Disk \Device\Harddisk\DR0 TDL4@MBR code has been found

WINDOWS\system32\Drivers\mrxsmb.sys suspicious PE modification.

UPDATE: I had just read a separate thread where someone had mentioned "Zentom System Guard." If it's significant, there is a program group in my Start menu for "Zentom System Guard" without any shortcuts in it. As if it tried to install this on my PC and only got halfway through...

---
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 08:31 on 13/09/2011 (CMatthews)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

---

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by CMatthews at 8:35:34 on 2011-09-13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1805 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Nova Development\Photo Explosion 3.0\calcheck.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Gamesbar\SearchEngineProtection.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgscanx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - c:\program files\gamesbar\2.0.1.81\oberontb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - c:\program files\gamesbar\2.0.1.81\oberontb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_S7B.tmp" /EF "HKCU"
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [SearchEngineProtection] c:\program files\gamesbar\SearchEngineProtection.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [MAAgent] c:\program files\markany\contentsafer\MAAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [PhotoExplosionCalCheck] c:\program files\nova development\photo explosion 3.0\calcheck.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\cmatth~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\program files\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\progra~1\broder~1\printmaster greeting cards\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quickenw\QWDLLS.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - c:\program files\gamesbar\2.0.1.81\oberontb.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
LSP: mswsock.dll
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1308412056288
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cmatthews\application data\mozilla\firefox\profiles\55aagqr6.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\documents and settings\cmatthews\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\cmatthews\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\cmatthews\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 hugoio;hugoio;c:\program files\i-menu\hugoio.sys [2011-7-25 9760]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-12-11 4608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-13 03:37:01 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-09-13 03:02:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-13 02:22:43 -------- d--h--w- c:\windows\PIF
2011-09-12 18:42:49 -------- d-----w- c:\documents and settings\cmatthews\application data\613A132D49974D16F812761C3EE93B64
2011-09-03 22:05:03 -------- d-----w- c:\documents and settings\cmatthews\local settings\application data\Lunar_Giant_Studios
2011-09-03 21:39:41 -------- d-----w- c:\documents and settings\cmatthews\local settings\application data\LunarGiantStudios
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-28 21:49:24 -------- d-----w- c:\windows\lhsp
2011-08-28 21:49:01 1409 ----a-w- c:\windows\system32\Vogen___.FOT
2011-08-28 21:49:01 1409 ----a-w- c:\windows\system32\Tubular.FOT
2011-08-28 21:49:01 1409 ----a-w- c:\windows\system32\Teletype.FOT
2011-08-28 21:49:00 1409 ----a-w- c:\windows\system32\Technn__.FOT
2011-08-28 21:49:00 1409 ----a-w- c:\windows\system32\Tabloid_.FOT
2011-08-28 21:49:00 1409 ----a-w- c:\windows\system32\Storyboo.FOT
2011-08-28 21:49:00 1409 ----a-w- c:\windows\system32\Socket.FOT
2011-08-28 21:49:00 1409 ----a-w- c:\windows\system32\Pegasus.FOT
2011-08-28 21:49:00 1409 ----a-w- c:\windows\system32\Patrick.FOT
2011-08-16 16:03:22 -------- d-----w- c:\documents and settings\cmatthews\.revenge_of_the_titans_1.80
2011-08-16 00:40:49 -------- d-----w- c:\documents and settings\cmatthews\application data\Friday's games
2011-08-14 23:53:27 -------- d-----w- c:\program files\Gourmania 3 - Zoo Zoom
2011-08-14 23:42:32 -------- d-----w- c:\documents and settings\cmatthews\application data\GameInvest
2011-08-14 23:39:50 -------- d-----w- c:\program files\Paranormal Crime Investigations - Brotherhood of the Crescent Snake
.
==================== Find3M ====================
.
2011-09-13 04:14:50 1233 ----a-w- c:\windows\system32\mmf.sys
2011-09-06 10:16:07 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-28 20:25:55 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-08-28 20:25:55 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-08-28 20:25:55 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-08-20 14:12:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-15 00:10:51 9760 ----a-w- c:\windows\system32\drivers\hugoio.sys
2011-08-12 02:58:19 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-08-12 02:58:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75JNA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A17331B
user & kernel MBR OK
.
============= FINISH: 8:41:32.25 ===============

This post has been edited by soupfist: 13 September 2011 - 11:15 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
  
• Click the Disable button to disable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.


• Double-Click on dds.scr and a command window will appear. This is normal.
  
• Shortly after two logs will appear:
  
  • DDS.txt
    
  • Attach.txt
  
  
• A window will open instructing you save & post the logs
  
• Save the logs to a convenient place such as your desktop
  
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
  
• Now double-click on RKUnhookerLE.exe to run it.
  
• Click the Report tab, then click Scan.
  
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  
• Wait till the scanner has finished and then click File, Save Report.
  
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following


• .logs from DDS
  
• log from RKUnHooker
  
• let me know of any problems you may have had

Gringo

You can close this thread. Computer was locking up just performing basic file operations in Windows Explorer. I think one or more drivers got damaged. I wiped the HD and reinstalled Windows.

Thanks anyway.

Thanks for letting us know


gringo

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.