NETSTAT causes spontaneous reboot


25 replies to this topic

#1 AndyNZ

AndyNZ

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 25 March 2009 - 03:07 AM

Hi all. First timer. Experienced user with a programming background, although mostly in the IBM world rather than PC stuff.

Windows XP Home SP3, running AVG Free 8.0. ADSL broadband connection, D-Link router with built-in firewall. Use P2P sometimes.

From the DOS box, running the NETSTAT command to investigate the state of my home network, either with no parameters specified or with "-b" added to the command, results in an immediate and repeatable reboot. Is this likely to be some kind of rootkit infection that AVG isn't picking up?

The PC is generally reliable, but my wife's been complaining of IE7 causing rebooting randomly & my son's games (local, not net based) all seem to lock up sooner or later! I've been putting this off for a while as I deal with computers for a living......

I have HijackThis installed & have run it once to see what it turned up. Never posted the results anywhere.



#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:00 AM

Posted 25 March 2009 - 08:28 AM

You might want to turn off file and printer sharing and delete the workgroup from your LAN if you have that set up.

The router is secured with a strong password?

I would run this on all 3 computers

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#3 AndyNZ

AndyNZ
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 25 March 2009 - 05:17 PM

I will do as you ask DaChew, and post the outcome. What led you to believe I have 3 computers?

After my initial post, I downloaded and ran Sophos AntiRootkit. It came up with the following, which may be relevant:

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\asc3550p
Removable: No
Notes: (no more detail available)

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:00 AM

Posted 25 March 2009 - 08:01 PM

What led you to believe I have 3 computers?


but my wife's been complaining of IE7 causing rebooting randomly & my son's games (local, not net based) all seem to lock up sooner or later


My mistake
Chewy

No. Try not. Do... or do not. There is no try.

#5 AndyNZ

AndyNZ
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 26 March 2009 - 12:25 AM

(1) You were accidentally correct actually :thumbsup: - we DO have 3 computers on our LAN, although they're not often all connected at the same time. Sorry to sound suspicious, but when I saw that in your post I thought "this person is looking into my router - he must have traced my IP!" Call it downunder paranoia.....
BTW, the only PC to which anyone claims exclusive ownership is my son's Vista laptop! The other is another, older XP laptop. I'll take your advice and repeat this process on the others anyway. The PC I've run it on already is the gateway.

(2) Temporary files etc. removed with ATF cleaner.

(3) Malware removed as per log below. I notice that the reg key Sophos was complaining about is not listed, although an almost identical one is (different control set). Makes me wonder if this has the potential to "re-spawn" itself from the Sophos-reported hidden key? Note: Sophos no longer reports this.

Malwarebytes' Anti-Malware 1.34
Database version: 1899
Windows 5.1.2600 Service Pack 3

26/03/2009 6:02:03 p.m.
mbam-log-2009-03-26 (18-02-03).txt

Scan type: Quick Scan
Objects scanned: 64613
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\XP Antivirus (Rogue.XPantivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\downld\1264375.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\1330375.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\1478000.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\15152625.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\15223562.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\15342656.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\15476218.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\15511531.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\155828.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\1586359.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\1616046.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\213203.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\546656.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\656656.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\688343.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by AndyNZ, 26 March 2009 - 12:33 AM.


#6 AndyNZ

AndyNZ
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 26 March 2009 - 04:36 AM

A further scan after reboot produced the same reg key: I fear it will keep returning, as I mentioned before:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:00 AM

Posted 26 March 2009 - 06:02 AM

http://www.viruslist.com/en/viruses/encycl...irusid=21780028

Very nasty but an older infection?

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Chewy

No. Try not. Do... or do not. There is no try.

#8 AndyNZ

AndyNZ
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 26 March 2009 - 11:17 PM

*** Bad News I'm afraid! Got the next utility installed and configured as per instructions, but I'm not able to get into SAFE mode at all using F8. It looks like it copies some backup files or something first - they fly by too quick to see - then just returns to the hard boot sequence and presents me with the good old "Windows failed to start properly last time" options. Selecting Safe Mode again from there just repeats the process. I am, however, able to boot "normally".

I would like to refer you to a very similar sounding problem I found - also from 2007 - on another forum. Hope this isn't considered poor etiquette! The solution involved ComboFix.... http://spywarewarrior.com/viewtopic.php?t=...=netstat+reboot

Many thanks for getting me this far anyhow - I really appreciate your time.

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:00 AM

Posted 26 March 2009 - 11:21 PM

Run cureit from normal mode with heuristics enabled

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Edited by DaChew, 26 March 2009 - 11:21 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#10 AndyNZ

AndyNZ
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 27 March 2009 - 04:27 AM

Hi Chewy.. that took ages! Of course I wasn't able to follow the parts of your instruction referring to safe mode, so I ran it as instructed in your first line. Express Scan produced nothing. Results below are from the full scan with heuristics.

I've got an old disk drive in the desktop I'd forgotten was there - it's my F: drive, containing an old W95 setup - no longer bootable, but we occasionally go back and look at old documents there. I noticed DrWeb found some stuff there - it's likely to be pretty old.

I suspect the "TelecomHelpAssistant" is probably a "false positive" because that's designed to assist the ISP's helpdesk in getting System Info etc.

DrWeb.csv:
TelecomHelpAssistant.exe/data016\data003;C:\Documents and Settings\Owner\Local Settings\Temp\TelecomHelpAssistant.exe/data016;Probably DLOADER.Trojan;;
data016;C:\Documents and Settings\Owner\Local Settings\Temp;Archive contains infected objects;;
TelecomHelpAssistant.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Archive contains infected objects;Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;Incurable.Moved.;
mmInstall.dll;F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox;Probably BACKDOOR.Trojan;Incurable.Moved.;
MUSICMATCH_7000149.exe/data002\\Trgtdir\mmInstall.dll;F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Setup\MUSICMATCH_7000149.exe/data002;Probably BACKDOOR.Trojan;;
data002;F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Setup;Archive contains infected objects;;
MUSICMATCH_7000149.exe;F:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Setup;Container contains infected objects;Moved.;
INSTALL.LOG;F:\Program Files\KaZaA Lite;Probably MACRO.SCRIPT.IRC.WORM.Virus;Incurable.Moved.;
A0135025.exe/data002\\Trgtdir\mmInstall.dll;F:\System Volume Information\_restore{2B1F3FA8-F53B-443D-8951-C2D596351EBC}\RP557\A0135025.exe/data002;Probably BACKDOOR.Trojan;;
data002;F:\System Volume Information\_restore{2B1F3FA8-F53B-443D-8951-C2D596351EBC}\RP557;Archive contains infected objects;;
A0135025.exe;F:\System Volume Information\_restore{2B1F3FA8-F53B-443D-8951-C2D596351EBC}\RP557;Container contains infected objects;Moved.;

Hope this is readable - tried opening it in both Excel (default) & Notepad but pretty much the same formatting.

Edited by AndyNZ, 27 March 2009 - 04:54 AM.


#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:00 AM

Posted 27 March 2009 - 05:19 AM

Run the ATFCleaner and MBAM quick scan again please.
Chewy

No. Try not. Do... or do not. There is no try.

#12 AndyNZ

AndyNZ
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 27 March 2009 - 06:50 PM

Run the ATFCleaner and MBAM quick scan again please.


Done that. MBAM quick scan found (and removed) that same registry key only:

Malwarebytes' Anti-Malware 1.35
Database version: 1909
Windows 5.1.2600 Service Pack 3

28/03/2009 12:38:57 p.m.
mbam-log-2009-03-28 (12-38-57).txt

Scan type: Quick Scan
Objects scanned: 65139
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:00 AM

Posted 27 March 2009 - 10:24 PM

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Chewy

No. Try not. Do... or do not. There is no try.

#14 AndyNZ

AndyNZ
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:00 PM

Posted 28 March 2009 - 04:33 AM

That seemed to go OK. Ran full scan without Internet connection, with AVG & XP firewall both disabled.

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-28 22:21:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 868F818F pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text tcpip.sys!IPTransmit + 10FC F4595D3A 6 Bytes CALL 868F8172
.text tcpip.sys!IPTransmit + 2A52 F4597690 6 Bytes CALL 868F8172
.text tcpip.sys!IPRegisterProtocol + 930 F45AD454 6 Bytes CALL 868F8172
.text wanarp.sys F77353FD 7 Bytes CALL 868F817F

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4064] ntdll.dll!wcstombs + 9F71 7C97A16A 1 Byte [EF]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] 868F74DB
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] 868F74D1

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
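Added example (not from the thread or from GMER): a small Python triage script for the GMER log above. It parses the System, Kernel code sections and Kernel IAT/EAT entries and checks whether the hook targets converge; in this log every kernel-side redirection (three patches in tcpip.sys, one in wanarp.sys, two NDIS imports and the pIofCallDriver pointer) lands within a few kilobytes of 0x868F74D1, a region the log attributes to no driver. The sample text is an excerpt of the posted log, and the line layout of GMER 1.0.15 is assumed.

```python
"""Triage a GMER rootkit-scan log: collect the kernel-side hooks it lists and check
whether their targets converge on one small address region that GMER attributes
to no driver.  Added example, not from the thread or from GMER; assumes the
GMER 1.0.15 line layout seen in the posted log."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the GMER log posted in #14 above.
GMER_LOG = r"""
---- System - GMER 1.0.15 ----
Code 868F818F pIofCallDriver
---- Kernel code sections - GMER 1.0.15 ----
.text tcpip.sys!IPTransmit + 10FC F4595D3A 6 Bytes CALL 868F8172
.text tcpip.sys!IPTransmit + 2A52 F4597690 6 Bytes CALL 868F8172
.text tcpip.sys!IPRegisterProtocol + 930 F45AD454 6 Bytes CALL 868F8172
.text wanarp.sys F77353FD 7 Bytes CALL 868F817F
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[4064] ntdll.dll!wcstombs + 9F71 7C97A16A 1 Byte [EF]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] 868F74DB
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] 868F74D1
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
CODE_RE = re.compile(r"^Code ([0-9A-F]{8}) (\S+)$")  # redirected kernel function pointer
INLINE_RE = re.compile(  # inline CALL/JMP patch; symbol and offset are optional
    r"^\.text (?P<module>[^\s!]+)(?:!(?P<symbol>\S+))?(?: \+ (?P<offset>[0-9A-F]+))?"
    r" (?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes? (?P<op>CALL|JMP) (?P<target>[0-9A-F]{8})$")
IAT_RE = re.compile(r"^IAT (?P<module>\S+)\[(?P<import_>\S+)\] (?P<target>[0-9A-F]{8})$")

@dataclass(frozen=True)
class Hook:
    kind: str    # "pointer", "inline" or "iat"
    victim: str  # module (or kernel pointer) whose control flow was redirected
    detail: str  # hooked symbol / import, when GMER names one
    target: int  # address the redirected control flow lands on

def parse_gmer(text: str) -> list[Hook]:
    """Return the kernel-side hooks listed in a GMER log, in file order."""
    hooks: list[Hook] = []
    section = ""
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "System" and (m := CODE_RE.match(line)):
            hooks.append(Hook("pointer", m.group(2), "", int(m.group(1), 16)))
        elif section == "Kernel code sections" and (m := INLINE_RE.match(line)):
            detail = (m["symbol"] or "") + (f"+{m['offset']}" if m["offset"] else "")
            hooks.append(Hook("inline", m["module"], detail, int(m["target"], 16)))
        elif section == "Kernel IAT/EAT" and (m := IAT_RE.match(line)):
            module = m["module"].rsplit("\\", 1)[-1]
            hooks.append(Hook("iat", module, m["import_"], int(m["target"], 16)))
        # user-mode sections are skipped on purpose: the question here is the kernel
    return hooks

def cluster_targets(hooks: list[Hook], window: int = 0x10000) -> list[dict]:
    """Group hooks whose targets lie within `window` bytes of the previous one.

    Unrelated drivers all redirected into one small region that GMER names no
    driver for is the shape of a single kernel-mode body hooking many entry points.
    """
    clusters: list[dict] = []
    for h in sorted(hooks, key=lambda h: h.target):
        if clusters and h.target - clusters[-1]["hi"] <= window:
            clusters[-1]["hi"] = h.target
            clusters[-1]["hooks"].append(h)
        else:
            clusters.append({"lo": h.target, "hi": h.target, "hooks": [h]})
    for c in clusters:
        c["victims"] = sorted({h.victim for h in c["hooks"]})
    return clusters

def report(text: str) -> str:
    lines = []
    for c in cluster_targets(parse_gmer(text)):
        lines.append(f"region {c['lo']:08X}-{c['hi']:08X}: {len(c['hooks'])} hooks"
                     f" from {', '.join(c['victims'])}")
        lines.extend(f"  {h.kind:7} {h.victim} {h.detail} -> {h.target:08X}" for h in c["hooks"])
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(GMER_LOG))
```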

#15 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:00 AM

Posted 28 March 2009 - 08:53 AM

Safe mode is still inoperative?

SAS from normal mode if so?

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Chewy

No. Try not. Do... or do not. There is no try.



