
antivirus soft infection (requested logs included)


  • This topic is locked
26 replies to this topic

#1 angicx

  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx

Posted 11 February 2010 - 05:49 PM

I'm using an Acer Aspire laptop, Windows XP Pro
Internet Explorer / alternate Firefox

Here's some info from the original post:
(original thread link if needed http://www.bleepingcomputer.com/forums/topic294620.html)

ORIGINAL PROBLEM (posting it because I'm not sure if it's important or if the problems were completely fixed)

I followed the guide to removing Antivirus Soft. I was able to download and run RKill but it found nothing in safe mode. I had to boot normally and run it before Antivirus Soft initiated at startup. It found files similar to the ones you listed in your guide and I was able to remove them with KillBox, but when I ran Malwarebytes Anti-Malware (ran first, and again after), it found none of the files, no infections, nothing.

Here are the files found by RKill.

C:\WINDOWS\system32\igfxsrvc.exe,
C:\WINDOWS\system32\ntvdm.exe,
C:\DOCUME~1\user\LOCALS~1\Temp\RtkBtMnt.exe
C:\DOCUME~1\USER\MYDOCU~1\RKILL.COM
(This last one is the RKill program itself, correct? Is this normal?)


My computer is freezing up constantly, mouse function frozen (yes, I've made sure it was turned on), can't do Control-Alt-Delete/Escape, only a hard boot works. Sometimes the boot gets stuck in a loop and at the desktop (sometimes about a minute or so after the desktop loads, sometimes right away) a blue screen full of writing appears and it goes back into reboot. The screen only flashes, so I can't read anything but the top line, which says something to the effect that a problem has been detected..
Sometimes after beginning to boot, it just goes to a black screen.
I've had it freeze up loading in safe mode also, when all the info is still running across the screen; it just locks up right in the middle of it all.
It freezes all the time in various ways, you see.
After rebooting several times it will usually work for a while before freezing up again. It seems to do it more often than not if I leave it sitting idle for even a minute or two. I'm not moving the machine around a lot or bumping it, but it does move somewhat.. it is a laptop.

Also, 9 times out of 10 my wireless connection is showing an issue, so I try to repair the connection (right click on Repair on the toolbar icon) and it says it was unable to, but then it will start working again on its own. Not sure if it's related to my problem.

NEW RESULTS after I ran updated MBAM, ATF, and SAS in regular boot mode:

MBAM found 1 trojan, the others found several issues, all were repaired or deleted.
So far the laptop is not freezing as much and I haven't had any reboot issues because I haven't had to reboot.
RKill is still finding the files listed below.

C:\WINDOWS\system32\ntvdm.exe,
C:\DOCUME~1\user\LOCALS~1\Temp\RtkBtMnt.exe
C:\DOCUME~1\USER\MYDOCU~1\RKILL.COM

Additional or ongoing problems:
When doing a browser search (Google, Yahoo, Bing), instead of pop-ups, my browser redirects to different kinds of advertisements or offers (full pages). Sometimes when hitting the back button, it won't let me navigate away from the page, and sometimes it goes to the originally intended search page.

Still having redirect issues with the browser and freeze-ups.
I was going to back up my system as directed but cannot open the link "Windows XP backup made easy" online (the page just stays blank every time I try to access the link, and I've tried clicking on the link, typing it in directly, and with different search engines... also while holding down Control-Alt to bypass the popup blocker. I guess it's an issue with this virus or malware?)

DDS.txt log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 15:14:25.73 on Thu 02/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.149 [GMT -6:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
uRun: [LClock] c:\program files\lclock\LClock.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
dRun: [LClock] c:\program files\lclock\LClock.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264793842359
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\1j74l2yn.default\
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-3-13 33800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-3-13 472320]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-12-8 120232]

=============== Created Last 30 ================

2010-02-11 20:51:26 1686377472 ----a-w- C:\backup.bkf
2010-02-11 19:55:33 0 d-----w- c:\windows\system32\NtmsData
2010-02-10 07:34:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-10 07:34:27 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-10 07:34:27 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-02-10 07:31:53 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-07 23:16:16 0 d--h--w- c:\windows\PIF
2010-02-07 18:40:40 0 d-----w- C:\!KillBox
2010-02-07 07:24:46 0 d-----w- c:\docume~1\user\applic~1\StumbleUpon
2010-02-07 07:24:41 0 d-----w- c:\program files\StumbleUpon
2010-02-06 21:15:22 79872 ----a-w- c:\windows\system32\MSNAUDIO.ACM
2010-02-06 21:15:21 57344 ----a-w- c:\windows\system32\COMMTB32.DLL
2010-02-06 21:15:21 28672 ----a-w- c:\windows\system32\HLP95EN.DLL
2010-02-06 21:15:21 169984 ----a-w- c:\windows\system32\P2D.DLL
2010-02-06 21:15:21 161552 ----a-w- c:\windows\system32\ASYCPICT.DLL
2010-02-06 21:15:21 127488 ----a-w- c:\windows\system32\ISCTRLS.OCX
2010-02-06 21:15:11 0 d-----w- c:\program files\ActiveX Control Pad
2010-02-06 20:47:48 151 ----a-w- c:\windows\PhotoSnapViewer.INI
2010-02-06 03:58:50 3255 ----a-w- c:\windows\system32\wbem\Outlook_01caa6e0b088dcc8.mof
2010-02-01 01:58:50 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-02-01 01:58:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 01:58:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-01 01:58:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 01:58:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 01:33:29 0 d-sh--w- c:\documents and settings\user\IECompatCache
2010-01-31 01:27:09 0 d-sh--w- c:\documents and settings\user\PrivacIE
2010-01-31 01:24:34 0 d-sh--w- c:\documents and settings\user\IETldCache
2010-01-31 01:21:20 0 d-----w- c:\windows\ie8updates
2010-01-31 01:18:41 0 dc-h--w- c:\windows\ie8
2010-01-31 01:13:13 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-31 01:10:57 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-31 01:10:57 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-29 19:38:08 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2010-01-31 17:09:40 90112 ----a-w- c:\windows\DUMP4a28.tmp
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:05 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:03 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:14:03 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:14:03 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:03 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:14:03 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:14:01 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-29 23:30:38 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-10-29 23:30:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-10-29 23:30:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102920081030\index.dat
2008-10-29 23:30:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 15:14:59.28 ===============

Thank you in advance for your help smile.gif
Angi C

Edited by angicx, 11 February 2010 - 05:53 PM.



#2 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 February 2010 - 06:49 PM

Hi angicx,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. Go to Start > Run, copy and paste the following lines one by one into the Run box and click OK after each line:

    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f


    A window flashes; this is normal.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 angicx
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx

Posted 12 February 2010 - 06:52 PM

Hi Farbar, and thank you for your quick response.
Please forgive me, but I have a quick question first. smile.gif

Right after I posted my issue and logs above, I had agreed to let Windows install some updates upon shutdown. Automatic updates had been turned off for a while and I turned them back on, thinking maybe updating would help if all this was security related... anyway, there were 45 to install. When I tried to reboot, it went to the black "Windows did not shut down properly" screen. I tried starting with every option there (normally, safe mode, etc.), but could only get to the Windows loading screen for about 2 seconds before a blue screen would flash for an instant and it would go back into reboot and continue the loop indefinitely. I had a borrowed Windows CD, so I called Windows support and spent 3 hours today deleting all the updates in the Recovery Console with their help. I can now get back into my comp and online, but all the problems I had before are still there, as expected. A Windows tech is supposed to call me back tomorrow so we can go back through and figure out which update it was.. Should I do this before we go forward with your instructions to take care of my problem, or should I make him wait until after we are done with your instructions? I really don't want to mess with them again at all, but he was very nice and helpful and he said they need to know what the problem with the update was, so I hate to blow him off, but since you said no more changes or updates after we begin the process, I wanted your advice. Also, I don't want to mess my machine up again.
Thanks so much,
Angi C

Edited by angicx, 12 February 2010 - 06:56 PM.


#4 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 February 2010 - 07:12 PM

Hi Angi C,

I know you already regret updating, and my post started with a warning about changing the system, including updating Windows. The truth is that your system is infected with a rootkit, and as long as it is not taken care of, the Windows tech will have a hard time fixing the computer unless he is a malware expert too and knows the recent rootkits.

I can assist you in removing the malware and then updating Windows, but I'll let you decide on it. I can wait and give the Windows tech space to try it. After that I'll ask for new logs to start fresh.



#5 angicx
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx

Posted 12 February 2010 - 08:25 PM

Hi Farbar smile.gif

You bet I regret it. I wish I'd waited for a response to my post first, but I didn't, and I didn't know it might create an issue.. it was Windows Update after all and I thought it was safe.
I also wanted to tell you that I haven't ever used any of the peer-to-peer programs installed, but I got this laptop second hand, so maybe it was already infected.
I will go ahead and follow your advice tonight, and if my tech calls me back tomorrow, maybe you will have had time to review it and we will have it fixed.. if not, then I will instruct him to call back at a later date. I'm going to begin with your instructions now, but I have kids so it may take some time to complete.
Thanks, AC

#6 angicx
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx

Posted 12 February 2010 - 08:54 PM

An Internet Explorer error window popped up several times saying it needed to close. I clicked on "Don't send error report" each time. I had closed it and everything else and disabled virus and malware protection, as far as I could tell, prior to running ComboFix, so I hope the log is accurate.
Thanks

ComboFix 10-02-12.01 - user 02/12/2010 19:40:02.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.277 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Desktopicon
c:\documents and settings\Default User\Application Data\Desktopicon
c:\documents and settings\user\Application Data\Desktopicon

.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-11 23:29 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\tlntsess.exe
2010-02-11 23:29 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\telnet.exe
2010-02-11 23:28 . 2009-10-12 13:38 149504 ----a-w- c:\windows\system32\rastls.dll
2010-02-11 23:28 . 2009-10-12 13:38 79872 ----a-w- c:\windows\system32\raschap.dll
2010-02-11 23:28 . 2008-04-14 12:00 1435648 ----a-w- c:\windows\system32\query.dll
2010-02-11 23:28 . 2008-04-14 12:00 32256 ----a-w- c:\windows\system32\csrsrv.dll
2010-02-11 23:26 . 2009-02-09 12:10 473600 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-02-11 23:25 . 2008-06-12 14:23 58880 ----a-w- c:\windows\system32\msdtclog.dll
2010-02-11 23:22 . 2009-10-13 10:30 270336 ----a-w- c:\windows\system32\oakley.dll
2010-02-11 23:22 . 2008-05-18 11:07 47616 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-11 23:22 . 2008-05-18 11:06 8192 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-11 23:22 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2010-02-11 23:22 . 2008-04-14 12:00 25600 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-11 23:22 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2010-02-11 23:20 . 2009-06-25 08:25 56832 ----a-w- c:\windows\system32\secur32.dll
2010-02-11 23:20 . 2009-06-25 08:25 54272 ----a-w- c:\windows\system32\wdigest.dll
2010-02-11 23:20 . 2009-06-25 08:25 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-02-11 23:20 . 2009-06-25 08:25 147456 ----a-w- c:\windows\system32\schannel.dll
2010-02-11 23:20 . 2008-04-14 12:00 92288 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-02-11 23:20 . 2008-04-14 12:00 728064 ----a-w- c:\windows\system32\lsasrv.dll
2010-02-11 19:55 . 2010-02-11 21:04 -------- d-----w- c:\windows\system32\NtmsData
2010-02-10 20:02 . 2010-02-10 20:02 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Yahoo!
2010-02-10 07:35 . 2010-02-10 07:35 52224 ------w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-10 07:35 . 2010-02-10 07:35 117760 ------w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-10 07:34 . 2010-02-10 07:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-10 07:34 . 2010-02-10 07:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-10 07:34 . 2010-02-10 07:34 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2010-02-10 07:31 . 2010-02-10 07:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-07 23:16 . 2010-02-07 23:16 -------- d--h--w- c:\windows\PIF
2010-02-07 18:40 . 2010-02-10 08:20 -------- d-----w- C:\!KillBox
2010-02-07 18:26 . 2010-02-07 18:26 75728 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-07 18:23 . 2010-02-07 18:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-07 18:06 . 2010-02-07 18:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-02-07 18:06 . 2010-02-07 18:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-07 08:05 . 2010-02-08 17:52 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\hlvene
2010-02-07 08:05 . 2010-02-07 08:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-02-07 07:24 . 2010-02-13 01:35 -------- d-----w- c:\documents and settings\user\Application Data\StumbleUpon
2010-02-07 07:24 . 2010-02-07 07:24 -------- d-----w- c:\program files\StumbleUpon
2010-02-06 21:15 . 2010-02-06 21:15 57344 ----a-w- c:\windows\system32\COMMTB32.DLL
2010-02-06 21:15 . 2010-02-06 21:15 28672 ----a-w- c:\windows\system32\HLP95EN.DLL
2010-02-06 21:15 . 2010-02-06 21:15 169984 ----a-w- c:\windows\system32\P2D.DLL
2010-02-06 21:15 . 2010-02-06 21:15 161552 ----a-w- c:\windows\system32\ASYCPICT.DLL
2010-02-06 21:15 . 2010-02-06 21:15 -------- d-----w- c:\program files\ActiveX Control Pad
2010-02-02 04:17 . 2010-02-02 04:17 -------- d-----w- c:\documents and settings\user\Application Data\Talkback
2010-02-02 04:16 . 2010-02-02 04:16 0 ----a-w- c:\windows\nsreg.dat
2010-02-02 04:16 . 2010-02-02 04:16 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Mozilla
2010-02-01 01:58 . 2010-02-01 01:58 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-02-01 01:58 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 01:58 . 2010-02-01 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-01 01:58 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 01:58 . 2010-02-01 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 20:59 . 2010-01-31 20:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-31 20:49 . 2010-01-31 20:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-31 17:18 . 2010-01-31 17:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-31 01:33 . 2010-01-31 01:33 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2010-01-31 01:27 . 2010-01-31 01:27 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2010-01-31 01:24 . 2010-01-31 01:24 -------- d-sh--w- c:\documents and settings\user\IETldCache
2010-01-31 01:21 . 2010-02-11 23:21 -------- d-----w- c:\windows\ie8updates
2010-01-31 01:18 . 2010-01-31 01:20 -------- dc-h--w- c:\windows\ie8
2010-01-31 01:13 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-31 01:10 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-31 01:10 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-30 20:26 . 2010-01-30 20:26 152576 ------w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-30 20:24 . 2010-01-30 20:24 79488 ------w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 18:45 . 2008-10-29 23:27 -------- d-----w- c:\program files\Hunt Virus Utilities
2010-02-01 03:32 . 2008-10-29 23:23 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-01 02:58 . 2009-03-12 05:27 -------- d-----w- c:\documents and settings\user\Application Data\CaribbeanHideaway
2010-02-01 02:35 . 2009-10-08 03:27 -------- d-----w- c:\program files\eGames
2010-02-01 02:33 . 2009-01-12 23:01 -------- d-----w- c:\program files\Big Kahuna Reef 2
2010-02-01 01:45 . 2008-10-29 23:28 -------- d-----w- c:\program files\PowerCmd
2010-01-31 17:09 . 2008-10-29 16:55 90112 ----a-w- c:\windows\DUMP4a28.tmp
2010-01-30 19:27 . 2008-10-29 23:28 -------- d-----w- c:\program files\Unlocker
2010-01-30 19:25 . 2009-01-12 23:01 -------- d-----w- c:\program files\Solitaire Pop
2009-12-21 19:14 . 2008-05-18 11:03 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2010-02-11 23:28 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-04-07 06:59 . 2008-10-29 23:26 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-10-29 23:26 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-10-29 23:26 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-10-29 23:26 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-10-29 23:26 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
[-] 2008-05-18 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-05-18 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-05-18 10:38 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-05-12 16:49 210168 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 33800]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/13/2008 4:49 PM 472320]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [12/8/2009 4:41 PM 120232]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-12 c:\windows\Tasks\User_Feed_Synchronization-{1B642F2B-D640-4D0B-8631-16C7ED7BC420}.job
- c:\windows\system32\msfeedssync.exe [2008-10-29 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\1j74l2yn.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-RocketDock - c:\program files\RocketDock\RocketDock.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 19:45
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x833418C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8847f28
\Driver\ACPI -> ACPI.sys @ 0xf87bacb8
\Driver\atapi -> atapi.sys @ 0xf8731b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf863abb0
PacketIndicateHandler -> NDIS.sys @ 0xf8629a0d
SendHandler -> NDIS.sys @ 0xf863db40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(3556)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-02-12 19:48:50
ComboFix-quarantined-files.txt 2010-02-13 01:48

Pre-Run: 68,553,199,616 bytes free
Post-Run: 68,578,811,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

- - End Of File - - F8A1E78B972954E7CA451177627AB80B
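The Sigcheck block in the log above lists, for every copy of a system file that ComboFix found, its MD5, size, version string and path. A defender reads it by comparing the copy that actually loads (under system32) against the backup copies Windows keeps elsewhere (uninstall folders, the ERDNT cache, downloaded updates): the same version string with a different hash is the signature of a patched driver. The following Python script is an added example, not part of the thread or of ComboFix; it parses lines in that format and reports such mismatches. The tcpip.sys and mspmsnsv.dll entries are copied from the log above; the `exampledrv.sys` pair with all-zero and all-one hashes is constructed to show what a hit looks like.

```python
"""Cross-check ComboFix Sigcheck entries: flag a live system32 copy whose hash
differs from another on-disk copy carrying the same version string.
Added example; not code from the thread or from ComboFix."""
import re
from collections import defaultdict

# Constructed sample input: the Sigcheck lines from the ComboFix log above.
SAMPLE_SIGCHECK = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
[-] 2008-05-18 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-05-18 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-05-18 10:38 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
"""

# Constructed sample of what a tampered driver would look like: same version
# string and size as the backup copy, different hash. The file name and both
# hashes are placeholders, not values from this machine.
CONSTRUCTED_MISMATCH = r"""
[-] 2008-04-14 . 00000000000000000000000000000000 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\exampledrv.sys
[-] 2008-04-14 . 11111111111111111111111111111111 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\exampledrv.sys
"""

# One Sigcheck line: [flag] date [time] . md5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>.+)$"
)


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines in any other format are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["md5"] = entry["md5"].upper()
        entry["size"] = int(entry["size"])
        entry["name"] = entry["path"].rsplit("\\", 1)[-1].lower()
        # The copy under system32 is the one the running system actually loads.
        entry["live"] = "\\system32\\" in entry["path"].lower()
        entries.append(entry)
    return entries


def find_mismatches(entries):
    """For each live copy, compare it with every other copy of the same file
    that reports the same version string. Different hash or size -> finding."""
    by_name = defaultdict(list)
    for entry in entries:
        by_name[entry["name"]].append(entry)

    findings = []
    for name, group in by_name.items():
        for live in (e for e in group if e["live"]):
            for other in group:
                if other is live or other["version"] != live["version"]:
                    continue
                if other["md5"] != live["md5"] or other["size"] != live["size"]:
                    findings.append({
                        "name": name,
                        "live_path": live["path"],
                        "live_md5": live["md5"],
                        "reference_path": other["path"],
                        "reference_md5": other["md5"],
                    })
    return findings


if __name__ == "__main__":
    for hit in find_mismatches(parse_sigcheck(SAMPLE_SIGCHECK + CONSTRUCTED_MISMATCH)):
        print(f"{hit['name']}: live {hit['live_md5']} at {hit['live_path']}"
              f" differs from {hit['reference_md5']} at {hit['reference_path']}")
```

Run on the log's own entries the script reports nothing: the live tcpip.sys and the $NtUninstallKB951748$ copy share version 5.1.2600.5512 and the same hash, and the two 5.1.2600.5625 copies are skipped because their version differs from the live one. Those two 5625 copies differ from each other even though they carry the same version, because the sp3qfe and sp3gdr update branches legitimately ship different binaries; that is why the check only compares the live copy against others and only within one version string. A hit is a lead to verify against the file's digital signature, not a verdict.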


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:00 AM

Posted 13 February 2010 - 04:34 AM

Anything new about the Windows tech?

Go to start > Run, copy/paste the following line into the run box and click OK.

cmd /c dir /a /s c:\atapi.* > log.txt&start log.txt

A text file (log.txt) will open. Please post its content in your reply.

#8 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx
  • Local time:08:00 PM

Posted 13 February 2010 - 12:20 PM

The tech is supposed to call around 4pm Central. I had to go through reboot 6 times before I could get on, and I'm in safe mode with networking right now. It kept freezing up in the middle of different screens while booting. I'm going to leave everything on, but if I walk away, sometimes (most times) when I come back the mouse or screen has frozen... My point is, if you don't hear back from me right away, it may be because I'm unable to get online.
Thanks in advance, angi c

Volume in drive C has no label.
Volume Serial Number is 5012-B8CB

Directory of c:\cmdcons

08/03/2004 10:59 PM 49,558 ATAPI.SY_
1 File(s) 49,558 bytes

Directory of c:\WINDOWS\ERDNT\cache

04/13/2008 05:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\drivers

04/13/2008 05:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Total Files Listed:
3 File(s) 242,582 bytes
0 Dir(s) 69,083,082,752 bytes free


#9 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx
  • Local time:08:00 PM

Posted 13 February 2010 - 01:37 PM

Had to reboot several times again. The blue window that I've mentioned previously that always just flashed for an instant finally came up and stayed up. Here's that info (paraphrased to cut back on length) in case it's important.

A problem was detected and Windows shut down to prevent damage to the computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Check to make sure hardware/software is properly installed. If the problem continues, disable or remove newly installed hardware/software.
(The only recent installations are tools recommended on your site for infection removal, and Windows updates, already uninstalled through the help of the Windows tech... oh, and a freeware game dl, but this was after all the problems started so I don't think it's the cause.)

Disable BIOS memory options: caching and shadowing.

Technical info:
stop:0x000000D1 (0x00000094, 0x00000002, 0x00000000, 0xf853fbd2)

ar5211.sys address f853fbd2 base at f84e0000 datestamp 46a901ca

beginning dump of physical memory

Edited by angicx, 13 February 2010 - 02:29 PM.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:00 AM

Posted 13 February 2010 - 08:25 PM

Thanks for the detailed feedback angicx.

The situation might look very bad to you, but it might not be as bad as it might look. What makes me hesitate to proceed is the Windows tech. Let me know when he is done then we will proceed.

#11 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx
  • Local time:08:00 PM

Posted 14 February 2010 - 12:54 PM

I understand, but I'm afraid I soon won't be able to get on at all if he can't help. Also, he said he'd call at 4pm yesterday and he never called.
The computer froze yesterday after my last post and I must have tried over 20 times to get it to reboot... it kept freezing up in different screens of the reboot. Sometimes I'd make it as far as the desktop and even got online at one point before it locked up again. This morning I put the Windows CD in to see if there were some other options I overlooked... I even considered trying to do a sys restore if I could locate it in time before the freeze, but it booted for me... still running funny though, and I know it's only a matter of time before I'm kicked off again. I really need my computer to work. I'm stuck out in the sticks and don't even have access to another comp to check on your reply should this one crash.
What to do?
Thanks, ac

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:00 AM

Posted 14 February 2010 - 01:05 PM

It is all up to you and I can't make the decision for you. When you know you are going to use my assistance, we start and proceed to the end, from which time I need you to avoid making any change to the system.

Also, the more you wait and reboot, the more the possibility that the computer becomes unbootable. If you could not read my reply I can't help either.

Edited by farbar, 14 February 2010 - 01:19 PM.


#13 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx
  • Local time:08:00 PM

Posted 14 February 2010 - 01:23 PM

No, I absolutely want to proceed and won't do anything to the comp without your say-so from here on out. If I get kicked off I'll try and get back on, but if you don't hear back from me, it will be because I am unable... However, I will be here if possible starting now because this is priority #1 for me... When I was having problems yesterday, at one point I was able to get to my desktop and tried running superspy in a desperate attempt for a quick fix to get online... it only found 100 tracking cookies, but the computer crashed before it finished, I think... I'm sorry, do you need new logs?

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:00 AM

Posted 14 February 2010 - 01:35 PM

I'll tell you when I need any log.

Don't reboot the computer unless needed.

In the following fix I have assumed the drive letter of your CD-ROM is E. Check it before running the fix and change the drive letter if needed.

Insert your Windows CD into the computer but don't open it.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the quote box into a new file:

QUOTE
@echo off
rem Expand the compressed driver from the Windows CD into the root of C:, writing the result to a log
expand e:\I386\atapi.sy_ c:\ >c:\log.txt
cd\
rem Give the expanded copy its real name so it can be compared with the installed driver
ren atapi.sy_ atapi.sys
rem Append the size and date of the fresh copy to the log, then open the log
dir /a c:\atapi.sys >>c:\log.txt
start c:\log.txt
rem The batch file removes itself when done
del %0


  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click dirlook.bat on the desktop.
  • Notepad opens; copy and paste its content (log.txt) into your reply.


#15 angicx

angicx
  • Topic Starter

  • Members
  • 59 posts
  • Gender:Female
  • Location:beaumont, tx
  • Local time:08:00 PM

Posted 14 February 2010 - 01:44 PM

Microsoft (R) File Expansion Utility Version 5.1.2600.0
Copyright (C) Microsoft Corp 1990-1999. All rights reserved.

Expanding d:\i386\atapi.sy_ to c:\atapi.sy_.
d:\i386\atapi.sy_: 49558 bytes expanded to 95360 bytes, 92% increase.

Volume in drive C has no label.
Volume Serial Number is 5012-B8CB

Directory of c:\

08/03/2004 10:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
0 Dir(s) 68,643,717,120 bytes free
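Farbar's `dir /a /s c:\atapi.*` in post #7 and the batch in post #14 that expands a clean atapi.sys from the install CD together form one check: find every copy of the driver on the disk, hidden and system files included, and compare each against a known-good copy. Here is that check as an added Python script, not code from the thread; it compares file hashes rather than only the size and date a `dir` listing shows, and it assumes the reference file has already been expanded from the CD's atapi.sy_, as the batch does. `build_constructed_tree` creates a constructed directory layout with placeholder contents so the script runs offline; the paths mirror the listing in post #8 but the file contents are not real driver images.

```python
"""Inventory every copy of a driver under a directory tree and compare each
one against a known-good reference copy. Added example, not from the thread."""
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """Return (size, sha256 hex digest) of a file, read in 64 KiB chunks."""
    size = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            size += len(chunk)
            sha.update(chunk)
    return size, sha.hexdigest()


def find_copies(root, stem):
    """Equivalent of `dir /a /s <root>\\<stem>.*`: every regular file whose name
    starts with "<stem>." (case-insensitive). Path.rglob does not skip files
    with the hidden or system attribute, which is what the /a switch asks for."""
    prefix = stem.lower() + "."
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower().startswith(prefix))


def compare_to_reference(root, stem, reference):
    """Fingerprint each copy found under root and say whether it matches the
    reference file byte for byte."""
    ref_size, ref_sha = file_fingerprint(reference)
    report = []
    for copy in find_copies(root, stem):
        size, sha = file_fingerprint(copy)
        report.append({
            "path": str(copy),
            "size": size,
            "sha256": sha,
            "matches_reference": sha == ref_sha,
            "size_differs": size != ref_size,
        })
    return report


def build_constructed_tree(root):
    """Constructed sample layout mirroring the dir listing in post #8: two
    expanded copies, one compressed .SY_ copy, and a decoy that must not match
    atapi.*. All contents are placeholders. Returns the reference file path."""
    root = Path(root)
    clean = b"placeholder driver image " * 40         # stands in for atapi.sys
    layout = {
        "WINDOWS/system32/drivers/atapi.sys": clean,
        "WINDOWS/ERDNT/cache/atapi.sys": clean,
        "cmdcons/ATAPI.SY_": b"placeholder compressed image",
        "WINDOWS/system32/drivers/atapixyz.sys": clean,
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    reference = root / "clean_reference.sys"           # as expanded from the CD
    reference.write_bytes(clean)
    return reference


def demo():
    """Run the comparison over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = build_constructed_tree(tmp)
        return compare_to_reference(tmp, "atapi", reference)


if __name__ == "__main__":
    for row in demo():
        status = "OK" if row["matches_reference"] else "DIFFERS"
        print(f"{status:8} {row['size']:>8} {row['sha256'][:16]}...  {row['path']}")
```

On a real system the call is `compare_to_reference(r"C:\", "atapi", r"C:\atapi.sys")` after the batch has expanded the CD copy. A size or hash difference alone is not evidence of tampering: the CD copy in post #15 is dated 08/03/2004 and the installed driver 04/13/2008, so they are different builds and are expected to differ; only a reference from the same service-pack level gives a meaningful comparison. Compressed `.sy_` copies such as the one in c:\cmdcons will never match until expanded.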



