FakeAlert trojans


  • This topic is locked
21 replies to this topic

#1 projectxp

projectxp

  • Members
  • 11 posts

Posted 19 January 2010 - 11:41 PM

Hi, I got hit with a trojan that changed my desktop background, locked me out of task manager and now my HJT log looks different from a couple days ago. Also opened a DOS window and had an NTVDM CPU illegal instruction error related to a 41.exe file.
I run ESET Smart Security, SUPERAntiSpyware and Malwarebytes. Here is what they stopped, found and fixed.

(ESET blocked)
Win32/TrojanDownloader.FakeAlert.AQQ trojan
Js/Exploit.Pdfka.ASD trojan

(SuperAntiSpyware found)
Trojan.Agent/Gen-InternetSecurity[Fake]
Trojan.Agent/Gen-FA[WL32]
Trojan.Agent/Gen-FA[SMSS32]
Rogue.Agent/Gen

(Malwarebytes found)
D:\WINDOWS\system32\41.exe (Trojan.FakeAlert) + registry entries
D:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert)

When this happened I unplugged my LAN, ran scans/removed what was found and restarted in safe mode to rescan. Some came back when restarting in safe mode so I removed those, and when I restarted everything was back to normal for the most part. My background even came back but was fuzzy and the icon text a different color, so I re-added it. I also noticed a smss32 process in my startup menu (msconfig), so I unchecked it and deleted it from the list with CCleaner. So far all seems normal other than my HJT log.

EDIT: Forgot to mention I had System Restore shut down when cleaning in safe mode. Also I have noticed web pages loading slightly slower.

If you could take a look I'd appreciate it. Thanks



DDS (Ver_09-12-01.01) - NTFSx86
Run by LW at 22:42:26.10 on Tue 01/19/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1332 [GMT -5:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
D:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\ESET\ESET Smart Security\egui.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\LW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=d:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - d:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "d:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] d:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "d:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [egui] "d:\program files\eset\eset smart security\egui.exe" /hide /waitservice
IE: Google Sidewiki... - d:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - hxxp://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\lw\applic~1\mozilla\firefox\profiles\qantlsfd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://Google.com
FF - component: d:\documents and settings\lw\application data\mozilla\firefox\profiles\qantlsfd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: d:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 ekrn;ESET Service;d:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
R3 tmcfw;tmcfw;d:\windows\system32\drivers\TM_CFW.sys [2008-2-15 333328]
S2 gupdate;Google Update Service (gupdate);d:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]
S3 BDTPBWYDBQWWLA;BDTPBWYDBQWWLA;d:\docume~1\lw\locals~1\temp\BDTPBWYDBQWWLA.exe [2008-9-1 551808]

=============== Created Last 30 ================

2010-01-20 01:56:20 0 d-----w- D:\HJT Trend
2010-01-19 05:57:52 142096 ----a-w- d:\windows\system32\drivers\tmcomm.sys
2010-01-19 05:57:52 0 d-----w- d:\documents and settings\lw\log
2010-01-19 05:22:59 0 d-----w- d:\program files\ESET
2010-01-18 13:41:00 0 ----a-w- d:\windows\system32\19169.exe
2010-01-18 13:21:00 0 ----a-w- d:\windows\system32\26500.exe
2010-01-18 13:01:00 0 ----a-w- d:\windows\system32\6334.exe
2010-01-18 12:41:00 0 ----a-w- d:\windows\system32\18467.exe
2010-01-14 17:54:02 0 d-----w- d:\windows\system32\wbem\Repository
2010-01-03 13:41:16 0 d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-03 13:39:35 0 d-----w- d:\program files\SUPERAntiSpyware
2010-01-03 13:39:35 0 d-----w- d:\docume~1\lw\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-10-29 05:38:23 667136 ----a-w- d:\windows\system32\wininet.dll
2009-10-23 00:56:45 189392 ----a-w- d:\windows\system32\PnkBstrB.exe
2008-02-26 04:07:12 18725 ----a-w- d:\program files\Readme.txt

============= FINISH: 22:42:33.01 ===============

Edited by projectxp, 20 January 2010 - 05:54 AM.



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 25 January 2010 - 01:00 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 projectxp

projectxp
  • Topic Starter

  • Members
  • 11 posts

Posted 26 January 2010 - 09:51 AM

Hey EB, thanks for the reply. Looks like y'all have a lot to handle around here so don't worry about the delay.

I've attached the updated logs you requested and I'm including a GMER log from yesterday.

So far the pc runs like normal. I did see this pop up earlier today but other than that nothing has changed since my last post.

1/26/2010 4:20:51 AM HTTP filter file http:// ditrnbibarsp. com/kav/kav1.html/oHd5684029V0100f060006Rf129df8a102T9e36f444204l0409K2c1727d8317 JS/Exploit.Pdfka.ASD trojan connection terminated - quarantined Threat was detected upon access to web by the application: D:\Program Files\Internet Explorer\iexplore.exe.



Thanks for your help

EDIT: added spaces to the link eset stopped so it wouldn't hyperlink.


Edited by projectxp, 26 January 2010 - 11:31 AM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 26 January 2010 - 11:48 AM

Hello.

Thanks for those logs and the explanation. I still see a few things we can take care of.

We will start with CF.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


#5 projectxp

projectxp
  • Topic Starter

  • Members
  • 11 posts

Posted 26 January 2010 - 12:14 PM

That was fast!

What do you see that is wrong? I would like to learn so I don't have to bug you guys/gals and may be able to help others. Plus I just like to learn. I have read where ComboFix has on rare occasions messed up drives and I'm not backed up 100% and have no way of doing so at the moment, so don't take it as me being ungrateful for asking questions.

Edited by projectxp, 26 January 2010 - 12:16 PM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 26 January 2010 - 01:18 PM

Hello,

CF is safe to use, but if used incorrectly for private use it can lead to disastrous problems. If you don't feel safe running it then we can deal with it manually; however, please understand that nothing is 100% safe. Malware changes constantly and there's only so much we can do to keep everything updated and tackle it. Each system is also different, but it has been tested and run on several machines and should be fine. In addition, we can't really "teach" you how to deal with and remove malware in one post; it takes a long time. Infections are not always the same and can be displayed differently, so there is no "constant" fix to something.

Combofix Disclaimer:
QUOTE
ComboFix is an extremely powerful tool and you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer. Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.


Regarding this:
QUOTE
1/26/2010 4:20:51 AM HTTP filter file http:// ditrnbibarsp. com/kav/kav1.html/oHd5684029V0100f060006Rf129df8a102T9e36f444204l0409K2c1727d8317 JS/Exploit.Pdfka.ASD trojan connection terminated - quarantined Threat was detected upon access to web by the application: D:\Program Files\Internet Explorer\iexplore.exe.

That was probably due to a malicious website that it detected which you were on using Internet Explorer. Iexplore.exe isn't infected; it's that site.

With Regards,
Extremeboy

#7 projectxp

projectxp
  • Topic Starter

  • Members
  • 11 posts

Posted 26 January 2010 - 02:15 PM

QUOTE(extremeboy @ Jan 26 2010, 01:18 PM)
Hello,

CF is safe to use, but if used incorrectly for private use it can lead to disastrous problems. If you don't feel safe running it then we can deal with it manually; however, please understand that nothing is 100% safe. Malware changes constantly and there's only so much we can do to keep everything updated and tackle it. Each system is also different, but it has been tested and run on several machines and should be fine. In addition, we can't really "teach" you how to deal with and remove malware in one post; it takes a long time. Infections are not always the same and can be displayed differently, so there is no "constant" fix to something.



Regarding this:
QUOTE
1/26/2010 4:20:51 AM HTTP filter file http:// ditrnbibarsp. com/kav/kav1.html/oHd5684029V0100f060006Rf129df8a102T9e36f444204l0409K2c1727d8317 JS/Exploit.Pdfka.ASD trojan connection terminated - quarantined Threat was detected upon access to web by the application: D:\Program Files\Internet Explorer\iexplore.exe.

That was probably due to a malicious website that it detected which you were on using Internet Explorer. Iexplore.exe isn't infected; it's that site.

With Regards,
Extremeboy


Would I be safe to connect to an external HDD and not infect it? I haven't done that since this happened because I don't want to infect my only backup. It had been a couple weeks since my last backup also because I've been overconfident, I guess. I have some CD-RWs but they seem like junk and wouldn't hold the data I need to save anyway.
I'm OK with manual but warn you I am a self-taught noob with only 5 years of computer experience. Either way I would like to back up first.

On the JS/Exploit.Pdfka.ASD ... it was in the first round when these problems started also. Both times I had been on long-time usage sites (forums) when it happened. I can't be certain which one because I have a habit of having a few windows open and switching back and forth. Would ads, pics (or host site), Google or YouTube cause this? I was blaming MySpace at first since I had just opened a page when I got the first attack. Could there be a delay from visiting to attack? Is it something that is hiding on my PC?

I'll add also that not long before this I was having an issue with video drivers, I guess. Maybe 3 times in the previous month my PC would lock up with an orange screen, much like what sometimes happens if you take GPU clocks farther than they will go. I had never had that before and I usually only restart about once a month. The only programs added recently were EVE related, other than SUPERAntiSpyware. EVEMon and EVE Fitting Tool were the only ones other than the game. Been running smooth for a couple of years.

Thanks

Edited by projectxp, 26 January 2010 - 02:23 PM.


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 26 January 2010 - 02:30 PM

Hello.

Okay, I understand.

Regarding backup, an external hard drive is probably the most convenient way but not the safest if infections are active. You can back up, but try to back up only data-related files. No executables.

When backing up files and data there are mainly 2 general guidelines:

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Also, you might want to run this tool first to help prevent autorun infections. This tool also disables autorun...

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

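The two backup guidelines in the post above, as an added example that is not part of the original thread: a Python sketch that copies a folder to a backup location while skipping the extensions the post names. It goes slightly beyond the post by also skipping files that start with the `MZ` header of a Windows executable under any other extension; that check, the function names and the sample files are assumptions constructed here.

```python
import shutil
import tempfile
from pathlib import Path

# Extensions the post says not to back up: executables and saved web pages.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".html", ".htm"}


def looks_like_windows_executable(path):
    """Return True if the file begins with 'MZ', the DOS/PE executable header.

    Added assumption: this catches an executable renamed to a data extension.
    """
    with open(path, "rb") as handle:
        return handle.read(2) == b"MZ"


def backup_data_files(source, destination):
    """Copy data files from source to destination, preserving the folder layout.

    Returns (copied, skipped): copied is a list of relative paths, skipped is a
    list of (relative path, reason) pairs so the user can review what was left.
    """
    source = Path(source).resolve()
    destination = Path(destination).resolve()
    if destination == source or source in destination.parents:
        raise ValueError("destination must be outside the source tree")

    copied, skipped = [], []
    for path in sorted(source.rglob("*")):
        # Only regular files are copied; links are never followed.
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(source).as_posix()
        if path.suffix.lower() in BLOCKED_EXTENSIONS:
            skipped.append((rel, "blocked extension"))
            continue
        if looks_like_windows_executable(path):
            skipped.append((rel, "MZ header"))
            continue
        target = destination / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps
        copied.append(rel)
    return copied, skipped


def demo():
    """Run the backup over a small constructed tree and return the result."""
    sample_files = {  # constructed sample content, not real user data
        "Docs/notes.txt": b"plain text",
        "Music/song.mp3": b"ID3\x03 constructed audio bytes",
        "Favorites/forum.url": b"[InternetShortcut]\r\nURL=http://example.com/\r\n",
        "Downloads/setup.exe": b"MZ constructed installer",
        "Saved/page.HTML": b"<html></html>",
        "Pictures/holiday.jpg": b"MZ\x90\x00 executable renamed to .jpg",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "profile"
        dst = Path(tmp) / "external"
        for name, data in sample_files.items():
            item = src / name
            item.parent.mkdir(parents=True, exist_ok=True)
            item.write_bytes(data)
        copied, skipped = backup_data_files(src, dst)
        # Confirm nothing that was skipped reached the backup location.
        leaked = [rel for rel, _ in skipped if (dst / rel).exists()]
        return copied, skipped, leaked


if __name__ == "__main__":
    copied, skipped, leaked = demo()
    for rel in copied:
        print("copied ", rel)
    for rel, reason in skipped:
        print("skipped", rel, "-", reason)
```

The skipped list is worth reading before the external drive is disconnected, since a file left out here is not in the backup.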

#9 projectxp

projectxp
  • Topic Starter

  • Members
  • 11 posts

Posted 26 January 2010 - 02:54 PM

Will that work for large drives that are mostly full? I'm guessing it makes a file named that because to overwrite would cause a prompt and not just run?


My backups would be the favorites folder, files from other programs and other settings. Wouldn't this include some of the dot extensions you say not to back up? Seeming like a format will be inevitable, so let me move some stuff around on another PC and see if I can free up some space. Then I'll give ComboFix a go.

Also what are you seeing wrong in my logs? All scanners I have tried are showing clean.
If something isn't working right then i want to know so i can look for an alternative.

Will be later this evening before i run combofix.

Thanks

Edited by projectxp, 26 January 2010 - 03:23 PM.


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 26 January 2010 - 05:14 PM

Hello.

The favorites folder, is mainly URLs I believe? They should be okay, but any executable including .exe, .scr, .com should be avoided however. Programs you can probably download and install at another time so there's no point in backing up a program file unless you really need it but it's still not recommended. Your log overall is okay, but there are some disabled and orphaned entries still and perhaps more lurking around we'll see and I'll let you know once I see the CF log. Post it whenever you're done.

Thanks.

With Regards,
Extremeboy

#11 projectxp

projectxp
  • Topic Starter

  • Members
  • 11 posts

Posted 28 January 2010 - 12:34 PM

I had to run this in safe mode because my PC wouldn't boot normally and still will not.


ComboFix 10-01-27.06 - LW 01/28/2010 12:20:40.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1784 [GMT -5:00]
Running from: d:\documents and settings\LW\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\18467.exe
d:\windows\system32\19169.exe
d:\windows\system32\26500.exe
d:\windows\system32\6334.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-28 16:53 . 2010-01-28 16:53 -------- d-----w- d:\windows\system32\wbem\Repository
2010-01-21 09:11 . 2010-01-21 09:11 -------- d--h--w- d:\windows\system32\GroupPolicy
2010-01-20 01:56 . 2010-01-28 16:26 -------- d-----w- D:\HJT Trend
2010-01-19 14:42 . 2009-11-20 11:08 38784 ----a-w- d:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-19 14:42 . 2010-01-19 14:42 -------- d-----w- d:\program files\Common Files\Adobe AIR
2010-01-19 14:41 . 2010-01-19 14:41 86016 ----a-w- d:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-19 14:35 . 2010-01-24 22:42 -------- d-----w- d:\documents and settings\All Users\Application Data\NOS
2010-01-19 09:34 . 2010-01-19 09:34 152576 ----a-w- d:\documents and settings\LW\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-19 09:34 . 2010-01-19 09:34 79488 ----a-w- d:\documents and settings\LW\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-19 05:57 . 2010-01-19 05:57 -------- d-----w- d:\documents and settings\LW\log
2010-01-19 05:57 . 2010-01-19 05:57 142096 ----a-w- d:\windows\system32\drivers\tmcomm.sys
2010-01-19 05:22 . 2010-01-19 05:22 -------- d-----w- d:\program files\ESET
2010-01-03 13:45 . 2010-01-12 16:41 52224 ----a-w- d:\documents and settings\LW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-03 13:45 . 2010-01-25 12:10 117760 ----a-w- d:\documents and settings\LW\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-03 13:41 . 2010-01-03 13:41 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-03 13:39 . 2010-01-18 23:24 -------- d-----w- d:\program files\SUPERAntiSpyware
2010-01-03 13:39 . 2010-01-03 13:39 -------- d-----w- d:\documents and settings\LW\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 07:08 . 2008-08-22 05:50 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2010-01-19 14:57 . 2008-10-04 09:29 -------- d-----w- d:\program files\Common Files\Adobe
2010-01-19 09:35 . 2009-04-02 09:18 -------- d-----w- d:\program files\Java
2010-01-18 23:57 . 2009-02-11 09:45 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-01-18 23:57 . 2009-02-16 16:44 5115824 ----a-w- d:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-02-11 09:45 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-02-11 09:45 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-01-03 13:37 . 2009-03-22 00:09 -------- d-----w- d:\program files\Common Files\Wise Installation Wizard
2010-01-01 04:41 . 2009-11-11 11:00 -------- d-----w- d:\program files\Steam
2010-01-01 02:32 . 2009-11-14 23:05 -------- d-----w- d:\documents and settings\LW\Application Data\EVEMon
2009-12-22 05:21 . 2004-08-04 12:00 667136 ----a-w- d:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 12:00 81920 ----a-w- d:\windows\system32\ieencode.dll
2009-12-20 03:01 . 2008-08-17 23:27 -------- d-----w- d:\program files\Google
2009-12-09 11:48 . 2009-07-21 00:10 -------- d-----w- d:\documents and settings\All Users\Application Data\AA3DeployClient
2009-12-03 07:29 . 2009-12-03 07:29 -------- d-----w- d:\program files\CCP
2009-12-03 07:29 . 2009-12-03 07:29 -------- d-----w- d:\documents and settings\All Users\Application Data\CCP
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- d:\windows\AppPatch\aclayers.dll
2009-11-19 16:48 . 2009-11-30 18:53 43008 ----a-w- d:\documents and settings\LW\Application Data\Mozilla\Firefox\Profiles\qantlsfd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 16:48 . 2009-11-30 18:53 346624 ----a-w- d:\documents and settings\LW\Application Data\Mozilla\Firefox\Profiles\qantlsfd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-19 16:48 . 2009-11-30 18:53 340480 ----a-w- d:\documents and settings\LW\Application Data\Mozilla\Firefox\Profiles\qantlsfd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 16:48 . 2009-11-30 18:53 872960 ----a-w- d:\documents and settings\LW\Application Data\Mozilla\Firefox\Profiles\qantlsfd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-16 14:06 . 2009-11-16 14:06 55768 ----a-w- d:\windows\system32\drivers\epfwtdi.sys
2009-11-16 14:06 . 2009-11-16 14:06 135048 ----a-w- d:\windows\system32\drivers\epfw.sys
2009-11-16 14:03 . 2009-11-16 14:03 108792 ----a-w- d:\windows\system32\drivers\ehdrv.sys
2009-11-16 13:56 . 2009-11-16 13:56 116520 ----a-w- d:\windows\system32\drivers\eamon.sys
2008-02-26 04:07 . 2008-02-26 04:07 18725 ----a-w- d:\program files\Readme.txt
2008-08-20 04:19 . 2008-08-17 23:18 67696 ----a-w- d:\program files\mozilla firefox\components\jar50.dll
2008-08-20 04:19 . 2008-08-17 23:18 54376 ----a-w- d:\program files\mozilla firefox\components\jsd3250.dll
2008-08-20 04:19 . 2008-08-17 23:18 34952 ----a-w- d:\program files\mozilla firefox\components\myspell.dll
2008-08-20 04:19 . 2008-08-17 23:18 46720 ----a-w- d:\program files\mozilla firefox\components\spellchk.dll
2008-08-20 04:19 . 2008-08-17 23:18 172144 ----a-w- d:\program files\mozilla firefox\components\xpinstal.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-22 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"StartCCC"="d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"ATICustomerCare"="d:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\D:^Documents and Settings^LW^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=d:\documents and settings\LW\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=d:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 19:18 202024 ----a-w- d:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2008-07-22 17:34 2772992 ----a-w- d:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
2007-08-14 19:10 20480 ----a-w- d:\program files\Gigabyte\ET5\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2009-11-16 14:03 2054360 ----a-w- d:\program files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 21:07 1394000 ----a-w- d:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 13:51 1836328 ----a-w- d:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 16:50 155648 ----a-w- d:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- d:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- d:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-11 11:00 1217808 ----a-w- d:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- d:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-12-16 21:26 2002160 ----a-w- d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-22 05:50 68856 ----a-w- d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
"TmProxy"=2 (0x2)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)
"NMIndexingService"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"PnkBstrA"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"d:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"d:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\eve online\\eve.exe"=

R3 tmcfw;tmcfw;d:\windows\system32\drivers\TM_CFW.sys [2/15/2008 11:39 PM 333328]
S1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]
S1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
S1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [12/19/2009 10:01 PM 135664]
S3 BDTPBWYDBQWWLA;BDTPBWYDBQWWLA;d:\docume~1\LW\LOCALS~1\Temp\BDTPBWYDBQWWLA.exe --> d:\docume~1\LW\LOCALS~1\Temp\BDTPBWYDBQWWLA.exe [?]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S4 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
.
Contents of the 'Scheduled Tasks' folder

2010-01-28 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-22 21:30]

2010-01-28 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 03:01]

2010-01-28 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 03:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - d:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - d:\documents and settings\LW\Application Data\Mozilla\Firefox\Profiles\qantlsfd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://Google.com
FF - component: d:\documents and settings\LW\Application Data\Mozilla\Firefox\Profiles\qantlsfd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: d:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-InCD - d:\program files\ahead\InCD\InCD.exe
MSConfigStartUp-UfSeAgnt - d:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
MSConfigStartUp-Veoh - d:\program files\Veoh Networks\Veoh\VeohClient.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 12:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-01-28 12:27:42
ComboFix-quarantined-files.txt 2010-01-28 17:27

Pre-Run: 15,680,614,400 bytes free
Post-Run: 31,151,845,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2CC52FB5AB273FF6386129E4D4929FBD

Edited by projectxp, 28 January 2010 - 12:48 PM.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 28 January 2010 - 01:02 PM

Hi.

QUOTE
I had to run this in safe mode because my pc wouldn't boot normally and still will not.

Can you elaborate on that? What's the situation currently?

Download and run Fix & Scan with OTL
  1. Download OTL by OldTimer and save it to your desktop.
  2. Double click on the icon on your desktop. If you are using Vista, please right-click and select run as administrator
  3. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :Services
    BDTPBWYDBQWWLA
    :Files
    d:\docume~1\LW\LOCALS~1\Temp\BDTPBWYDBQWWLA.exe
    :commands
    [EmptyTemp]
    [Reboot]
  4. Push
  5. OTLI2 may ask to reboot the machine. Please do so if asked.
  6. Click .
  7. A report will open. Copy and Paste that report in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. The name of the log will be in the following format: xxxxxxxx_xxxxxx, with x representing the month, date, year and time the log was created. Eg: 03062009_170403
  • Open OTL again upon the reboot.
  • Click the "Scan All Users" checkbox.
  • Under the textbox, copy and paste the following code below.
    CODE
    %systemroot%\system32\*.sys /lockedfiles
  • Now push the button.
  • It will now begin to scan, please be patient while it scans.
  • Two reports will open once it's done.
  • Please copy and paste them in your next reply:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
Post those logs in your next reply.

With Regards,
Extremeboy

Edited by extremeboy, 28 January 2010 - 01:02 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
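Added example (not part of the posts above, and not code from ComboFix or OTL): a small triage script over the driver/service listing in the ComboFix log, showing why the `BDTPBWYDBQWWLA` entry targeted by the OTL fix stands out. The sample lines are copied from the log in this thread; the field names and the reading of `[?]` as "no file date/size recorded" are assumptions of this example.

```python
import re

# Lines copied from the ComboFix log posted earlier in this thread.
SAMPLE = r"""
R3 tmcfw;tmcfw;d:\windows\system32\drivers\TM_CFW.sys [2/15/2008 11:39 PM 333328]
S1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [12/19/2009 10:01 PM 135664]
S3 BDTPBWYDBQWWLA;BDTPBWYDBQWWLA;d:\docume~1\LW\LOCALS~1\Temp\BDTPBWYDBQWWLA.exe --> d:\docume~1\LW\LOCALS~1\Temp\BDTPBWYDBQWWLA.exe [?]
S4 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
"""

# Layout as printed in the log (field names are this example's own):
#   <letter><digit> <name>;<display name>;<image path> [<date time size> | ?]
LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> .+?)? \[(?P<info>[^\]]*)\]$"
)
# A service or driver image living under a Temp/Tmp folder is unusual.
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)


def parse_services(log_text):
    """Yield one dict per driver/service line found in the log text."""
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if match:
            yield match.groupdict()


def triage(log_text):
    """Return {service name: [reasons]} for entries worth a closer look."""
    findings = {}
    for svc in parse_services(log_text):
        reasons = []
        if TEMP_DIR.search(svc["path"]):
            reasons.append("image path is in a temp directory")
        if svc["info"].strip() == "?":  # assumption: no date/size was recorded
            reasons.append("no file date/size recorded ([?])")
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```
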

#13 projectxp

projectxp
  • Topic Starter

  • Members
  • 11 posts

Posted 28 January 2010 - 01:08 PM

When attempting to boot normally it will show the windows splash with bar then flashes instantly a blue screen and restarts. After a time or two of this it will land on the F8 page. Safe modes work fine.

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 28 January 2010 - 01:17 PM

Can you perhaps take an image of what you're seeing? Post those logs in your next reply.

To access safe mode, simply keep pressing the F8 button before the BIOS appears and you should have the advanced menu to select Safe Mode.

Let me know if you can get in to Normal Mode now, or does the blue screen of death just appear each time.

With Regards,
Extremeboy

#15 projectxp

projectxp
  • Topic Starter

  • Members
  • 11 posts

Posted 28 January 2010 - 01:31 PM

It goes too fast to get a screen shot or take a pic but if I would start normally I do have vid of it from my phone.

EDIT: No luck on getting it to boot normal.

Attached Files


Edited by projectxp, 28 January 2010 - 01:37 PM.




