

DDS Log provided please diagnose


  • This topic is locked
25 replies to this topic

#1 PixelPlay

  • Members
  • 81 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:58 AM

Posted 02 December 2011 - 06:18 AM

Please read.

I'm on my girlfriend's HP Mini netbook running Windows 7 Starter. She uses the Windows Firewall provided on it and Avira Antivirus Free Edition. She also uses Mozilla Firefox and the add-on WOT (Web of Trust) to safely browse Google. Lately there have been some unusual things happening on it. Recently she was unable to shut down the netbook through the Start menu shutdown option and had to physically use the switch on the laptop to turn it off. We performed a System Restore, which helped make it possible to shut it down. Afterward we did a Full Scan using Malwarebytes' Anti-Malware. It didn't come up with anything, but during the scan it must have triggered something, because Avira's live protection reported:

Virus or unwanted program 'EXP/Pdfka.QG [exploit]'
detected in file 'C:\Users\Caitlin\AppData\Local\Mozilla\Firefox\Profiles\yym8fxmt.default\Cache\6\58\3A1D0d01'.
Action performed: Deny access

and

The file 'C:\Users\Caitlin\AppData\Local\Mozilla\Firefox\Profiles\yym8fxmt.default\Cache\6\58\3A1D0d01'
contained a virus or unwanted program 'EXP/Pdfka.QG' [exploit]
Action(s) taken:
The file was moved to the quarantine directory under the name '4ba20d3f.qua'.

After the scan from Malwarebytes we didn't expect much, so we left it at that. Then recently she signed up on eBay and, naturally, PayPal along with that. And tonight we experienced some sort of hacking activity. She was locked out of both her eBay and PayPal accounts, as if someone had changed her passwords; luckily we were able to recover that, and nothing else happened beyond that, well, hopefully.

After those events I immediately headed here and had HiJackThis installed onto her netbook, but when trying to perform a scan and provide a logfile from HJT, in the middle of scanning it comes up with an error saying "For some reason your system has denied write access to the Hosts file. If any hijacked domains are in this file, HiJackThis may NOT be able to fix this." and then provides some instructions. After clicking OK, the scan continues, and then Notepad opens and says "Cannot find the C:\Program Files\Trend Micro\HiJackThis\hijackthis.log file. Do you want to create a new file?" When clicking Yes, it just opens a blank Notepad window.

Ran DDS instead. Tried using GMER but it takes too long and crashes the netbook. We were unable to provide a GMER log.

Anyway, I hope you can help us rid her netbook of anything that is malicious. Thank you so much for your help! The DDS log follows in the next reply.

Edited by PixelPlay, 02 December 2011 - 06:31 AM.




#2 PixelPlay (Topic Starter)

  • Members
  • 81 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:58 AM

Posted 02 December 2011 - 06:20 AM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by Caitlin at 1:11:45 on 2011-12-02
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1012.114 [GMT -8:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Oceanis\SystemSetting\WallPaperAgent.exe
C:\Windows\Explorer.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=c:\program files\oceanis\systemsetting\WallPaperAgent.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll
BHO: Windows 7 Starter Helper: {d381ff29-7cfb-4d4e-b92a-c4eddc696614} - c:\program files\oceanis\systemsetting\StarterHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: @c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [AmIcoSinglun] c:\program files\amicosinglun\AmIcoSinglun.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [HP Quick Launch] c:\program files\hewlett-packard\hp quick launch\HPMSGSVC.exe
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpmedi~1.lnk - c:\program files\hewlett-packard\hp media suite\home\ArcStart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\picturemover\bin\PictureMover.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{9AF9545E-008D-4B57-8CEC-437C4D371CAC} : DhcpNameServer = 192.168.72.2
TCP: Interfaces\{F03B7D21-3FBD-4C30-A1CE-B9F224EA4C17} : DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{F03B7D21-3FBD-4C30-A1CE-B9F224EA4C17}\2416B6562767965677F59484F405 : DhcpNameServer = 10.1.10.1
TCP: Interfaces\{F03B7D21-3FBD-4C30-A1CE-B9F224EA4C17}\D496272796F6E644F6272716 : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
mASetup: {4FB2407C-C8E4-BBC8-BB1C-FCCB2EF5914B} - c:\program files\hewlett-packard\hp media suite\home\HPMediaSuite.exe "/installer"
mASetup: {4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B} - c:\windows\system32\wscript.exe "c:\program files\hewlett-packard\hp media suite\home\PinItem.vbs"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\caitlin\appdata\roaming\mozilla\firefox\profiles\yym8fxmt.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [2009-11-11 18136]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-1-12 81920]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-7-6 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-7-6 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-7-6 66616]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\hpqwmm\quickweb\qw.sys\config\DVMExportService.exe [2010-9-28 338208]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-7-21 103992]
R2 HPClientSvc;HP Client Services;c:\program files\hewlett-packard\hp client services\HPClientServices.exe [2010-8-5 210488]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPWMISVC;HPWMISVC;c:\program files\hewlett-packard\hp quick launch\HPWMISVC.exe [2010-8-23 26680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-1-12 13336]
R2 RoxioNow Service;RoxioNow Service;c:\program files\roxio\roxionow player\RNowSvc.exe [2010-9-11 399344]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-1-12 275048]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NovacomD;Palm Novacom;c:\users\caitlin\desktop\android\bin\novacomd\x86\novacomd.exe --> c:\users\caitlin\desktop\android\bin\novacomd\x86\novacomd.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
.
=============== Created Last 30 ================
.
2011-12-02 08:34:36 388096 ----a-r- c:\users\caitlin\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-02 08:34:35 -------- d-----w- c:\program files\Trend Micro
2011-11-29 11:07:53 -------- d-----w- c:\users\caitlin\appdata\local\Downloaded Installations
2011-11-29 07:33:00 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-29 07:32:59 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-29 07:32:58 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 21:43:54 -------- d-----w- c:\programdata\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-11-03 08:39:27 -------- d-----w- c:\users\caitlin\appdata\roaming\Jason Robitaille
2011-11-03 08:38:42 -------- d-----w- c:\program files\Palm, Inc
.
==================== Find3M ====================
.
2011-11-03 09:05:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-23 23:36:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 1:13:19.68 ===============


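A small triage helper for the SERVICES / DRIVERS section of a DDS log like the one posted above, added here as an example; it is not part of DDS and was not posted by anyone in this thread. The sample lines are copied from the log above, and the list of "trusted" directories is an assumption of this example: a flagged entry (here NovacomD, the Palm webOS tool living under the desktop folder with its image missing) is a prompt to verify the file, not a verdict that it is malicious.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example, not part of DDS or of this thread.  It parses lines of the form
    <state> <name>;<display name>;<image path> [<yyyy-m-d> <size>]
and the variant DDS emits when the image is no longer on disk:
    <state> <name>;<display name>;<path> --> <path> [?]
then flags the entries a malware-removal helper would want to look at first.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
INFO_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
MISSING_RE = re.compile(r"^(?P<path>.+?)\s+-->\s+.+\s+\[\?\]$")

# Assumption of this example: directories where a service or driver image is
# normally expected on a Windows 7 machine like the one in the thread.
# Anything elsewhere (a user profile, Temp, the desktop) deserves a second look.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\swsetup\\",
)


@dataclass
class ServiceEntry:
    state: str              # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str               # lower-cased image path
    size: Optional[int]     # None when DDS could not find the file
    missing: bool           # DDS printed "[?]": image not present on disk
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one DDS service/driver line, or None for
    anything else (section headers, the '.' spacer lines, free text)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    mm = MISSING_RE.match(rest)
    if mm:
        path, size, missing = mm.group("path"), None, True
    else:
        mi = INFO_RE.match(rest)
        if mi is None:
            return None
        path, size, missing = mi.group("path"), int(mi.group("size")), False
    entry = ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                         path.strip().lower(), size, missing)
    if missing:
        entry.flags.append("image-missing")
    if not entry.path.startswith(TRUSTED_PREFIXES):
        entry.flags.append("unusual-location")
    if "\\users\\" in entry.path:
        entry.flags.append("user-profile")
    return entry


def triage(lines: List[str]) -> List[ServiceEntry]:
    """Parse every line and return only the entries that raised a flag."""
    flagged = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is not None and entry.flags:
            flagged.append(entry)
    return flagged


# Sample input: lines copied from the DDS log posted above in this thread.
SAMPLE_LINES = [
    ".",
    r"R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [2009-11-11 18136]",
    r"R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]",
    r"R2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\hpqwmm\quickweb\qw.sys\config\DVMExportService.exe [2010-9-28 338208]",
    r"S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]",
    r"S2 NovacomD;Palm Novacom;c:\users\caitlin\desktop\android\bin\novacomd\x86\novacomd.exe --> c:\users\caitlin\desktop\android\bin\novacomd\x86\novacomd.exe [?]",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.state} {e.name}: {', '.join(e.flags)} -> {e.path}")
```

Run against a full DDS log, feed it only the lines between the SERVICES / DRIVERS header and the next section; the Pseudo HJT Report uses a different layout and needs its own parser.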
#3 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,633 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 PM

Posted 07 December 2011 - 06:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430352 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 PixelPlay (Topic Starter)

  • Members
  • 81 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:58 AM

Posted 07 December 2011 - 03:28 PM

Hello, we still need help. We haven't encountered any symptoms, but I have also advised my girlfriend not to use her eBay account, like logging in. But I wouldn't want the things that were described in the last post to go unnoticed, so that is why we are here. I'll give you the DDS log right now and then attempt using GMER. We look forward to your further responses. Thank you.

Edit:

We do not have the original "Windows CD/DVD". We are working with a netbook.

The netbook is running Windows 7 Starter with a 32-bit Operating System.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by Caitlin at 12:18:11 on 2011-12-07
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1012.104 [GMT -8:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\conhost.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Oceanis\SystemSetting\WallPaperAgent.exe
C:\Windows\Explorer.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=c:\program files\oceanis\systemsetting\WallPaperAgent.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll
BHO: Windows 7 Starter Helper: {d381ff29-7cfb-4d4e-b92a-c4eddc696614} - c:\program files\oceanis\systemsetting\StarterHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: @c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [AmIcoSinglun] c:\program files\amicosinglun\AmIcoSinglun.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [HP Quick Launch] c:\program files\hewlett-packard\hp quick launch\HPMSGSVC.exe
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpmedi~1.lnk - c:\program files\hewlett-packard\hp media suite\home\ArcStart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\picturemover\bin\PictureMover.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9AF9545E-008D-4B57-8CEC-437C4D371CAC} : DhcpNameServer = 192.168.72.2
TCP: Interfaces\{F03B7D21-3FBD-4C30-A1CE-B9F224EA4C17} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F03B7D21-3FBD-4C30-A1CE-B9F224EA4C17}\2416B6562767965677F59484F405 : DhcpNameServer = 10.1.10.1
TCP: Interfaces\{F03B7D21-3FBD-4C30-A1CE-B9F224EA4C17}\A5978554C4 : DhcpNameServer = 192.168.0.1 205.171.3.25
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
mASetup: {4FB2407C-C8E4-BBC8-BB1C-FCCB2EF5914B} - c:\program files\hewlett-packard\hp media suite\home\HPMediaSuite.exe "/installer"
mASetup: {4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B} - c:\windows\system32\wscript.exe "c:\program files\hewlett-packard\hp media suite\home\PinItem.vbs"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\caitlin\appdata\roaming\mozilla\firefox\profiles\yym8fxmt.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: c:\program files\msn toolbar\platform\6.0.2282.0\npwinext.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [2009-11-11 18136]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-1-12 81920]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-7-6 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-7-6 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-7-6 66616]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\hpqwmm\quickweb\qw.sys\config\DVMExportService.exe [2010-9-28 338208]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-7-21 103992]
R2 HPClientSvc;HP Client Services;c:\program files\hewlett-packard\hp client services\HPClientServices.exe [2010-8-5 210488]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPWMISVC;HPWMISVC;c:\program files\hewlett-packard\hp quick launch\HPWMISVC.exe [2010-8-23 26680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-1-12 13336]
R2 RoxioNow Service;RoxioNow Service;c:\program files\roxio\roxionow player\RNowSvc.exe [2010-9-11 399344]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-1-12 275048]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NovacomD;Palm Novacom;c:\users\caitlin\desktop\android\bin\novacomd\x86\novacomd.exe --> c:\users\caitlin\desktop\android\bin\novacomd\x86\novacomd.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
.
=============== Created Last 30 ================
.
2011-12-02 08:34:36 388096 ----a-r- c:\users\caitlin\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-02 08:34:35 -------- d-----w- c:\program files\Trend Micro
2011-11-29 11:07:53 -------- d-----w- c:\users\caitlin\appdata\local\Downloaded Installations
2011-11-29 07:33:00 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-29 07:32:59 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-29 07:32:58 2341888 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-11-03 09:05:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-23 23:36:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 12:20:45.08 ===============


Edited by PixelPlay, 07 December 2011 - 04:21 PM.


#5 HelpBot (Bleepin' Binary Bot)
  • Bots
  • 12,633 posts
  • Gender:Male

Posted 12 December 2011 - 06:25 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

#6 Orange Blossom (OBleepin Investigator)
  • Moderator
  • 36,917 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 12 December 2011 - 08:27 AM

Topic reopened at member's request.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 December 2011 - 09:17 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Gmer and Windows 7 don't mix, so please run aswMBR.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#8 PixelPlay (Topic Starter)
  • Members
  • 81 posts
  • Gender:Male

Posted 13 December 2011 - 05:22 AM

Hello m0le, thank you very much for your response. I would like to say sorry for not thoroughly reading through HelpBot's post, causing the thread to be closed. I don't typically neglect instructions.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-13 01:54:54
-----------------------------
01:54:54.545 OS Version: Windows 6.1.7601 Service Pack 1
01:54:54.545 Number of processors: 2 586 0x1C0A
01:54:54.560 ComputerName: MAJUNGATHOLUS UserName: Caitlin
01:55:35.841 Initialize success
02:01:17.108 AVAST engine defs: 11121201
02:03:07.920 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
02:03:07.934 Disk 0 Vendor: Hitachi_ PC2O Size: 238475MB BusType: 3
02:03:07.964 Disk 0 MBR read successfully
02:03:07.974 Disk 0 MBR scan
02:03:08.490 Disk 0 unknown MBR code
02:03:08.531 Disk 0 scanning sectors +488395120
02:03:08.757 Disk 0 scanning C:\Windows\system32\drivers
02:03:43.556 Service scanning
02:03:45.381 Modules scanning
02:04:02.276 Disk 0 trace - called modules:
02:04:02.307
02:04:03.586 AVAST engine scan C:\Windows
02:04:07.393 AVAST engine scan C:\Windows\system32
02:08:27.679 AVAST engine scan C:\Windows\system32\drivers
02:08:47.881 AVAST engine scan C:\Users\Caitlin
02:15:13.514 Disk 0 MBR has been saved successfully to "C:\Users\Caitlin\Desktop\MBR.dat"
02:15:13.529 The log file has been saved successfully to "C:\Users\Caitlin\Desktop\aswMBR.txt"

#9 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 December 2011 - 05:18 PM

Possible MBR infection here so let's confirm that.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#10 PixelPlay (Topic Starter)
  • Members
  • 81 posts
  • Gender:Male

Posted 13 December 2011 - 05:38 PM

Hello m0le, could you tell me more information about an MBR infection? Thank you for your continued support! Here's the log.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Starter Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Mini 210-2100
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 188):
0x81A45000 \SystemRoot\system32\ntkrnlpa.exe
0x81A0E000 \SystemRoot\system32\halmacpi.dll
0x8192E000 \SystemRoot\system32\kdcom.dll
0x8600C000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x86091000 \SystemRoot\system32\PSHED.dll
0x860A2000 \SystemRoot\system32\BOOTVID.dll
0x860AA000 \SystemRoot\system32\CLFS.SYS
0x860EC000 \SystemRoot\system32\CI.dll
0x8621B000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8628C000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8629A000 \SystemRoot\system32\drivers\ACPI.sys
0x862E2000 \SystemRoot\system32\drivers\WMILIB.SYS
0x862EB000 \SystemRoot\system32\drivers\msisadrv.sys
0x862F3000 \SystemRoot\system32\drivers\pci.sys
0x8631D000 \SystemRoot\system32\drivers\vdrvroot.sys
0x86328000 \SystemRoot\System32\drivers\partmgr.sys
0x86339000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x86341000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8634C000 \SystemRoot\system32\drivers\volmgr.sys
0x8635C000 \SystemRoot\System32\drivers\volmgrx.sys
0x863A7000 \SystemRoot\System32\drivers\mountmgr.sys
0x8641A000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x865CF000 \SystemRoot\system32\drivers\atapi.sys
0x865D8000 \SystemRoot\system32\drivers\ataport.SYS
0x86400000 \SystemRoot\system32\drivers\msahci.sys
0x8640A000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x863BD000 \SystemRoot\system32\drivers\amdxata.sys
0x863C6000 \SystemRoot\system32\drivers\fltmgr.sys
0x86200000 \SystemRoot\system32\drivers\fileinfo.sys
0x8660E000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8673D000 \SystemRoot\System32\Drivers\msrpc.sys
0x86768000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8677B000 \SystemRoot\System32\Drivers\cng.sys
0x867D8000 \SystemRoot\System32\drivers\pcw.sys
0x867E6000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x86835000 \SystemRoot\system32\drivers\ndis.sys
0x868EC000 \SystemRoot\system32\drivers\NETIO.SYS
0x8692A000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x86A18000 \SystemRoot\System32\drivers\tcpip.sys
0x86B62000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x86B93000 \SystemRoot\system32\DRIVERS\wd.sys
0x86B9B000 \SystemRoot\system32\drivers\volsnap.sys
0x86BDA000 \SystemRoot\System32\Drivers\spldr.sys
0x8694F000 \SystemRoot\System32\drivers\rdyboost.sys
0x86BE2000 \SystemRoot\System32\Drivers\mup.sys
0x86BF2000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8697C000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x86A00000 \SystemRoot\system32\DRIVERS\disk.sys
0x869AE000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8A000000 \SystemRoot\System32\Drivers\Null.SYS
0x8A007000 \SystemRoot\System32\Drivers\Beep.SYS
0x8A1DE000 \SystemRoot\System32\drivers\vga.sys
0x86800000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8A1EA000 \SystemRoot\System32\drivers\watchdog.sys
0x8A1F7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8A00E000 \SystemRoot\system32\drivers\rdpencdd.sys
0x86821000 \SystemRoot\system32\drivers\rdprefmp.sys
0x86829000 \SystemRoot\System32\Drivers\Msfs.SYS
0x869E0000 \SystemRoot\System32\Drivers\Npfs.SYS
0x86197000 \SystemRoot\system32\DRIVERS\tdx.sys
0x869EE000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8A63E000 \SystemRoot\system32\drivers\afd.sys
0x8A698000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8A6CA000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8A6D1000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8A6F0000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8A701000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8A70F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8A722000 \SystemRoot\system32\drivers\termdd.sys
0x8A733000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8A739000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8A77A000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8A784000 \SystemRoot\system32\drivers\mssmbios.sys
0x8A78E000 \SystemRoot\system32\DRIVERS\dvmio.sys
0x8A791000 \SystemRoot\System32\drivers\discache.sys
0x8A79D000 \SystemRoot\System32\Drivers\dfsc.sys
0x8A7B5000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8A7C3000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x8A600000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A621000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8A633000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8A7EA000 \SystemRoot\system32\drivers\wmiacpi.sys
0x8B22A000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8B732000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x861AE000 \SystemRoot\System32\drivers\dxgmms1.sys
0x8B200000 \SystemRoot\system32\drivers\HDAudBus.sys
0x8C421000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x8C6BB000 \SystemRoot\System32\Drivers\fastfat.SYS
0x8C6E5000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x8C6EF000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
0x8C734000 \SystemRoot\system32\drivers\usbuhci.sys
0x8C73F000 \SystemRoot\system32\drivers\USBPORT.SYS
0x8C78A000 \SystemRoot\system32\drivers\usbehci.sys
0x8C799000 \SystemRoot\system32\drivers\i8042prt.sys
0x8C7B1000 \SystemRoot\system32\drivers\kbdclass.sys
0x8C834000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8C972000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8C974000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8C981000 \SystemRoot\system32\drivers\CompositeBus.sys
0x8C98E000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8C9A0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8C9B8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8C9C3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8C9E5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8C800000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8C817000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8C82E000 \SystemRoot\system32\drivers\swenum.sys
0x8C7BE000 \SystemRoot\system32\drivers\ks.sys
0x8C7F2000 \SystemRoot\system32\drivers\umbus.sys
0x80C38000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x80C7C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x80C8D000 \SystemRoot\system32\DRIVERS\stwrt.sys
0x80CFB000 \SystemRoot\system32\DRIVERS\portcls.sys
0x80D2A000 \SystemRoot\system32\DRIVERS\drmk.sys
0x80D43000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8A016000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x80D50000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x8E3A0000 \SystemRoot\System32\win32k.sys
0x80D61000 \SystemRoot\System32\drivers\Dxapi.sys
0x80D6B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x80D76000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x80D89000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x80D90000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x80D9B000 \SystemRoot\system32\DRIVERS\monitor.sys
0x80DA6000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x80DBD000 \SystemRoot\System32\Drivers\usbvideo.sys
0x8E200000 \SystemRoot\System32\TSDDD.dll
0x8E230000 \SystemRoot\System32\cdd.dll
0x8E250000 \SystemRoot\System32\ATMFD.DLL
0x80DE1000 \SystemRoot\system32\drivers\luafv.sys
0x80C00000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x80C17000 \SystemRoot\system32\drivers\WudfPf.sys
0x8C400000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xA4618000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xA465E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA466E000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA4681000 \SystemRoot\system32\drivers\HTTP.sys
0xA4706000 \SystemRoot\system32\DRIVERS\bowser.sys
0xA471F000 \SystemRoot\System32\drivers\mpsdrv.sys
0xA4731000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA4754000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA478F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA7826000 \SystemRoot\system32\drivers\peauth.sys
0xA78BD000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA78C7000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA78E8000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA78F5000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA7945000 \SystemRoot\System32\DRIVERS\srv.sys
0xB0A14000 \SystemRoot\system32\drivers\spsys.sys
0x77440000 \Windows\System32\ntdll.dll
0x47930000 \Windows\System32\smss.exe
0x77680000 \Windows\System32\apisetschema.dll
0x00AC0000 \Windows\System32\autochk.exe
0x77630000 \Windows\System32\ws2_32.dll
0x77620000 \Windows\System32\normaliz.dll
0x77610000 \Windows\System32\lpk.dll
0x775C0000 \Windows\System32\gdi32.dll
0x77240000 \Windows\System32\iertutil.dll
0x771B0000 \Windows\System32\oleaut32.dll
0x775B0000 \Windows\System32\psapi.dll
0x77100000 \Windows\System32\rpcrt4.dll
0x770B0000 \Windows\System32\Wldap32.dll
0x77010000 \Windows\System32\advapi32.dll
0x763C0000 \Windows\System32\shell32.dll
0x77590000 \Windows\System32\sechost.dll
0x762F0000 \Windows\System32\msctf.dll
0x76240000 \Windows\System32\msvcrt.dll
0x761A0000 \Windows\System32\usp10.dll
0x77580000 \Windows\System32\nsi.dll
0x76040000 \Windows\System32\ole32.dll
0x75F60000 \Windows\System32\kernel32.dll
0x75F40000 \Windows\System32\imm32.dll
0x75E00000 \Windows\System32\urlmon.dll
0x75DA0000 \Windows\System32\shlwapi.dll
0x75C00000 \Windows\System32\setupapi.dll
0x75B70000 \Windows\System32\clbcatq.dll
0x75B40000 \Windows\System32\imagehlp.dll
0x75AC0000 \Windows\System32\comdlg32.dll
0x759F0000 \Windows\System32\user32.dll
0x75990000 \Windows\System32\difxapi.dll
0x75890000 \Windows\System32\wininet.dll
0x75870000 \Windows\System32\devobj.dll
0x757E0000 \Windows\System32\comctl32.dll
0x757B0000 \Windows\System32\cfgmgr32.dll
0x75690000 \Windows\System32\crypt32.dll
0x75640000 \Windows\System32\KernelBase.dll
0x75610000 \Windows\System32\wintrust.dll
0x75600000 \Windows\System32\msasn1.dll

Processes (total 81):
0 System Idle Process
4 System
284 C:\Windows\System32\smss.exe
384 csrss.exe
440 C:\Windows\System32\wininit.exe
448 csrss.exe
496 C:\Windows\System32\winlogon.exe
540 C:\Windows\System32\services.exe
556 C:\Windows\System32\lsass.exe
564 C:\Windows\System32\lsm.exe
676 C:\Windows\System32\svchost.exe
760 C:\Windows\System32\svchost.exe
840 C:\Windows\System32\svchost.exe
912 C:\Windows\System32\svchost.exe
956 C:\Windows\System32\svchost.exe
988 C:\Program Files\IDT\WDM\stacsv.exe
1056 C:\Windows\System32\audiodg.exe
1232 C:\Windows\System32\svchost.exe
1336 C:\Windows\System32\svchost.exe
1420 C:\Windows\System32\wlanext.exe
1428 C:\Windows\System32\conhost.exe
1500 C:\Windows\System32\spoolsv.exe
1536 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1556 C:\Windows\System32\svchost.exe
1660 C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
1704 C:\Program Files\IDT\WDM\AEstSrv.exe
1736 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1780 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1812 C:\Program Files\Bonjour\mDNSResponder.exe
1876 C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe
1892 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1900 C:\Windows\System32\conhost.exe
1972 C:\Windows\System32\svchost.exe
2000 C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
2028 C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
304 C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
612 C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe
780 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
1260 C:\Windows\System32\svchost.exe
1172 C:\Windows\System32\taskhost.exe
748 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
2072 C:\Windows\System32\dwm.exe
2120 C:\Program Files\Oceanis\SystemSetting\WallPaperAgent.exe
2240 C:\Windows\explorer.exe
2336 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
2516 C:\Windows\System32\igfxtray.exe
2528 C:\Windows\System32\hkcmd.exe
2536 C:\Windows\System32\igfxpers.exe
2552 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2576 C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
2612 C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
2620 C:\Program Files\IDT\WDM\sttray.exe
2692 C:\Windows\System32\igfxsrvc.exe
2708 C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
2812 C:\Program Files\iTunes\iTunesHelper.exe
2820 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2844 WmiPrvSE.exe
2864 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2936 C:\Program Files\PictureMover\Bin\PictureMover.exe
3504 C:\Program Files\iPod\bin\iPodService.exe
3588 C:\Windows\System32\SearchIndexer.exe
3644 C:\Windows\System32\svchost.exe
3672 C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
3968 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
4028 C:\Windows\System32\SearchProtocolHost.exe
2100 C:\Windows\System32\SearchFilterHost.exe
2524 C:\Program Files\Windows Media Player\wmpnetwk.exe
544 C:\Program Files\Mozilla Firefox\firefox.exe
3616 C:\Windows\System32\taskeng.exe
640 C:\Program Files\Mozilla Firefox\plugin-container.exe
1164 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
3004 C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
3884 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
3744 C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
3512 C:\Windows\System32\sppsvc.exe
3908 WmiPrvSE.exe
4228 C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
4448 dllhost.exe
4484 dllhost.exe
4516 C:\Users\Caitlin\Desktop\MBRCheck.exe
4528 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0c800000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000035`add00000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS725025A9A364, Rev: PC2OCH0A

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3879F02FB1B98A90C1AC1D939344809640F466F0


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#11 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 December 2011 - 05:49 PM

MBR infections are rife at the moment. The malware is rewriting the master boot record, a sector of the hard drive, and setting it to boot to a partition that it has made on the system. Before that they were just resetting the MBR to boot to the exact specifications that made it impossible to fight and often would stop the machine booting at all.

The MBR should be recognised, but in your case it hasn't been. That doesn't mean it's malicious though, and we must get an offline dump of the MBR next.


Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

m0le is a proud member of UNITE
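The dump m0le asks for is just the first 512 bytes of the disk, and MBRCheck's summary (boot signature, partition table, SHA1) can be reproduced from it offline. The script below is an added example, not code from the thread or from aswMBR, MBRCheck or dumpit: it parses such a dump, hashes the bootstrap code for comparison with a known-good value, and flags the layouts a hidden boot partition of the kind described above would produce (two active entries, overlapping entries, an entry past the end of the disk, a large unpartitioned tail). The sample sector, the disk size and the known-good hash set are constructed placeholders; the sample's partition starts are chosen so that partitions 1 and 2 land at the C: and D: byte offsets MBRCheck printed (0x0c800000 and 0x35add00000).

```python
"""Parse a raw 512-byte MBR dump (MBR.dat from aswMBR, or the file inside the
mbr.zip that dumpit writes) and report the facts MBRCheck summarises.

Everything below is CONSTRUCTED for this example: the sample sector, the disk
size and the "known-good" hash set are placeholders, not the thread's data."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG_OFF = 510       # sector ends with 0x55 0xAA
ASSUMED_DISK_SECTORS = 488_397_168   # assumed sector count of a 250 GB drive


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR

    @property
    def lba_end(self) -> int:        # exclusive
        return self.lba_start + self.sector_count


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into signature flag, partition list and boot-code hash."""
    parts = []
    for i in range(4):
        # flag, CHS start (skipped), type, CHS end (skipped), LBA start, count
        flag, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                      # type 0 marks an unused slot
            parts.append(Partition(i, flag == 0x80, ptype, lba, count))
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
        "partitions": parts,
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
    }


def review(parsed: dict, disk_sectors: int, known_good: set) -> list:
    """Return the findings an analyst would check before trusting this MBR."""
    issues = []
    if not parsed["boot_signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    if parsed["boot_code_sha1"] not in known_good:
        issues.append("bootstrap code hash not in known-good set")
    parts = parsed["partitions"]
    if sum(p.bootable for p in parts) != 1:
        issues.append("expected exactly one active partition")
    for p in parts:
        if p.lba_end > disk_sectors:
            issues.append(f"partition {p.index} extends past the end of the disk")
    for a in parts:
        for b in parts:
            if a.index < b.index and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                issues.append(f"partitions {a.index} and {b.index} overlap")
    # a large unpartitioned tail is where the hidden partition m0le describes would sit
    tail = disk_sectors - max((p.lba_end for p in parts), default=0)
    if tail > 2048:
        issues.append(f"{tail} unpartitioned sectors at the end of the disk")
    return issues


def build_sample_mbr() -> bytes:
    """CONSTRUCTED three-partition layout with dummy bootstrap code."""
    sector = bytearray(SECTOR)
    sector[:BOOT_CODE_LEN] = b"\xEB\x3C\x90" + b"\x90" * (BOOT_CODE_LEN - 3)
    layout = [  # (active flag, type, LBA start, sector count)
        (0x00, 0x07, 2048, 407_552),            # system partition, hypothetical
        (0x80, 0x07, 409_600, 449_882_112),     # C:  409600 * 512 = 0x0c800000
        (0x00, 0x07, 450_291_712, 38_103_408),  # D:  -> byte offset 0x35add00000
    ]
    for i, entry in enumerate(layout):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i, *entry)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)
```

To use it on a real dump, read the 512 bytes from the file and pass them to `parse_mbr`, then feed the result to `review` with the drive's true sector count and the hash of a bootstrap sector known to be good (for example from an identical machine).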

#12 PixelPlay (Topic Starter)
  • Members
  • 81 posts
  • Gender:Male

Posted 13 December 2011 - 06:02 PM

Ah alright, thanks for the description m0le. While reading your instructions I noticed it asks to burn a CD. I was wondering if there were an alternative, as this netbook doesn't have an optical drive.

#13 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 December 2011 - 06:06 PM

USB option? No problem. :)

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

m0le is a proud member of UNITE

#14 PixelPlay (Topic Starter)
  • Members
  • 81 posts
  • Gender:Male

Posted 14 December 2011 - 04:20 AM

Hello m0le, I had a little trouble with your instructions and was afraid I wasn't going to be able to follow through. This HP netbook just had a different way of booting from a USB drive. Hopefully this suffices.

Attached Files

  • Attached File  mbr.zip   1.91KB   2 downloads

Edited by PixelPlay, 14 December 2011 - 04:21 AM.


#15 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 December 2011 - 07:16 PM

Nope, the MBR is clean. :)


Please run the OTL scanner next

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

m0le is a proud member of UNITE
