
Browser crashes, Malwarebytes crashes etc


  • This topic is locked
44 replies to this topic

#1 wxwax

wxwax

    Member

  • Full Member
  • Pip
  • 43 posts

Posted 04 June 2012 - 06:03 PM

Hello,

First, thank you in advance for your time and your help!

Symptoms: in Safe Mode -- constant browser crash (Firefox), Malwarebytes crashes, SecurityCheck crashes, can't install Kaspersky free scan. I have been able to run HijackThis and DDS. I've attached the logs.

(ps I do have a firewall, Outpost. But I just uninstalled it, fearing it might be causing a memory leak.)



HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:48:41 PM, on 6/4/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Hijack This\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.advrider.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.o...zing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.download.dir", "C:\\Program Files\\CWShredder");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.tabs.forceHide", true);
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
user_pref("prefs.converted-to-utf8", t
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.o...zing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.download.dir", "C:\\Program Files\\CWShredder");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.tabs.forceHide", true);
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
user_pref("prefs.converted-to-utf8", t
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1614895754-2111687655-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1614895754-2111687655-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} (Java Plug-in 1.6.0_19) -
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} (Java Plug-in 1.6.0_21) -
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} (Java Plug-in 1.6.0_22) -
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} (Java Plug-in 1.6.0_25) -
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} (Java Plug-in 1.6.0_26) -
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 10231 bytes







DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Microsoft User at 19:53:00 on 2012-06-04
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.advrider.com/
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
uInternet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logoca~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\profil~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: ppctlcab - hxxp://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://ppupdates.ca.com/downloads/scanner/axscanner.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{40B5347C-4CC6-48E1-801B-08406B01411B} : DhcpNameServer = 10.0.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\microsoft user\application data\mozilla\firefox\profiles\a0znfgyh.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\microsoft user\application data\mozilla\firefox\profiles\a0znfgyh.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\documents and settings\microsoft user\application data\mozilla\firefox\profiles\a0znfgyh.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-06-04 22:02:22 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
==================== Find3M ====================
.
2012-05-12 02:02:13 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 02:02:12 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 19:54:09.37 ===============

Edited by wxwax, 04 June 2012 - 08:25 PM.


#2 wxwax


Posted 05 June 2012 - 03:23 PM

Also, I forgot to mention that Search and Destroy also generates error messages and crashes.

#3 wxwax


Posted 06 June 2012 - 12:47 PM

Bump.

#4 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,533 posts

Posted 07 June 2012 - 06:56 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#5 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 07 June 2012 - 12:44 PM

Hello wxwax. Sorry you've had to wait...

I don't spot any malware in your logs, but the DDS log is strange.. No running processes??

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingc...opic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===
If you get an error after running ComboFix, rebooting and running it again will usually fix that.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)

#6 wxwax


Posted 08 June 2012 - 03:58 PM

Thank you, mama! I'll give it a go and report back.

#7 wxwax


Posted 08 June 2012 - 05:41 PM

Here it is.

I should note that ComboFix generated 3 error messages that I had to click on, before it would complete its run. Should I give it a second run?






ComboFix 12-06-08.02 - Microsoft User 06/08/2012 19:26:08.2.1 - x86 NETWORK
Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Microsoft User\Application Data\MiconoRbJPEGLib110b5.dll
c:\documents and settings\Microsoft User\WINDOWS
c:\program files\D
c:\program files\D\address\address.001.dat
c:\program files\D\address\address.bak
c:\program files\D\address\address.dat
c:\program files\D\address\UiPrefs.dat
c:\program files\D\address\Unfiled.ABA
c:\program files\D\Archive\Graffiti_ShortCuts.PRC
c:\program files\D\Archive\Graffiti_ShortCuts_.PRC
c:\program files\D\Archive\Graffiti_ShortCuts__.PRC
c:\program files\D\Archive\Graffiti_ShortCuts___.PRC
c:\program files\D\Backup\AddressCitiesDB.PDB
c:\program files\D\Backup\AddressCompaniesDB.PDB
c:\program files\D\Backup\AddressCountriesDB.PDB
c:\program files\D\Backup\AddressStatesDB.PDB
c:\program files\D\Backup\AddressTitlesDB.PDB
c:\program files\D\Backup\BlackJack.PRC
c:\program files\D\Backup\CasinoCraps.PRC
c:\program files\D\Backup\ConnectionMgrDB.PDB
c:\program files\D\Backup\Convdb_FIGO.PDB
c:\program files\D\Backup\Figaro.PRC
c:\program files\D\Backup\FigaroSkin.PRC
c:\program files\D\Backup\Giraffe.PRC
c:\program files\D\Backup\Giraffe_High_Score.PRC
c:\program files\D\Backup\Graffiti_ShortCuts___.PRC
c:\program files\D\Backup\LauncherDB.PDB
c:\program files\D\Backup\libmal.PRC
c:\program files\D\Backup\MathLib.PRC
c:\program files\D\Backup\MBlnUserConfig.PDB
c:\program files\D\Backup\MineHunt.PRC
c:\program files\D\Backup\MobileLink.PRC
c:\program files\D\Backup\NetworkDB.PDB
c:\program files\D\Backup\npadDB.PDB
c:\program files\D\Backup\Parens_Lite.PRC
c:\program files\D\Backup\psysLaunchDB.PDB
c:\program files\D\Backup\Saved_Preferences.PRC
c:\program files\D\Backup\SolFree.PRC
c:\program files\D\Backup\SolitaireFreeData.PDB
c:\program files\D\Backup\SubHunt.PRC
c:\program files\D\Backup\System_MIDI_Sounds.PDB
c:\program files\D\Backup\TimePlace.PRC
c:\program files\D\Backup\TravelSync.PRC
c:\program files\D\Backup\TTPLDB.PDB
c:\program files\D\Backup\TTSYNC.PDB
c:\program files\D\Backup\VindigoComments.PDB
c:\program files\D\Backup\VindigoPrefs.PRC
c:\program files\D\Backup\VindigoUser.PDB
c:\program files\D\datebook\datebook.001.dat
c:\program files\D\datebook\datebook.bak
c:\program files\D\datebook\datebook.dat
c:\program files\D\datebook\UiPrefs.dat
c:\program files\D\expense\expense.bak
c:\program files\D\expense\expense.dat
c:\program files\D\expense\expense.db
c:\program files\D\expense\expense.txt
c:\program files\D\HotSync.Log
c:\program files\D\memopad\memopad.001.dat
c:\program files\D\memopad\memopad.bak
c:\program files\D\memopad\memopad.dat
c:\program files\D\Note Pad\Note Pad.BAK
c:\program files\D\Note Pad\Note Pad.dat
c:\program files\D\QuickInstall\DevInfo.dat
c:\program files\D\sync.ini
c:\program files\D\todo\todo.001.dat
c:\program files\D\todo\todo.bak
c:\program files\D\todo\todo.dat
c:\program files\D\todo\UiPrefs.dat
c:\scanjet\PrecisionScanPro\HPLamp.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-08 to 2012-06-08 )))))))))))))))))))))))))))))))
.
.
2012-06-08 22:16 . 2012-06-08 22:16 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-08 22:16 . 2012-06-08 22:16 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-07 23:30 . 2012-06-08 22:12 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-04 21:41 . 2012-06-04 21:41 -------- d-----w- c:\windows\LastGood
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-12 02:02 . 2012-04-05 00:44 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 02:02 . 2011-05-16 08:38 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2010-04-11 16:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-08 22:16 . 2011-07-03 07:51 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[7] 2004-08-04 07:56 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtServicePackUninstall$\es.dll
[-] 2002-08-29 12:00 . C9702DDD814C39DC1254CF757C31C6E4 . 225280 . . [2001.12.4414.46] . . c:\windows\$NtUninstallKB828741$\es.dll
.
c:\windows\System32\es.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2006-05-13 94208]
"MXOBG"="c:\windows\MXOALDR.EXE" [2006-05-13 94208]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2005-02-08 823296]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-3-1 169472]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2006-5-13 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2006-5-13 954368]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Microsoft User^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Microsoft User\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
2002-09-24 21:39 147456 ------w- c:\program files\Iomega\AutoDisk\ADUserMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2004-01-30 07:32 26112 ------w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-04-01 18:49 36352 ------w- c:\program files\Winamp\winampa.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-29 136360]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 136176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-11-03 2152152]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2004-07-16 14416]
R3 EyeOneDp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2006-01-30 44344]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 136176]
R3 i1;eye-one;c:\windows\system32\DRIVERS\i1.sys [2003-03-05 26045]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-06-08 40776]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-08 113120]
R3 Mup4sb;Mup4sb; [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
R3 Sm0bminvp;Sm0bminvp; [x]
R3 Vaslinsv;Vaslinsv; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 19:31]
.
2012-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 01:06]
.
2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 01:06]
.
2004-06-05 c:\windows\Tasks\System Diagnostic.job
- c:\progra~1\CYBERL~1\PowerDVD\CLDMA.exe [2003-06-30 16:06]
.
2012-01-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-13 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.advrider.com/
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
uInternet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\a0znfgyh.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HP Lamp - c:\scanjet\PrecisionScanPro\HPLamp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-08 19:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-2111687655-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1614895754-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* %T*)"]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1614895754-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* %T*)"\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6102"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\windows\System32\l3codeca.acm
.
Completion time: 2012-06-08 19:45:24
ComboFix-quarantined-files.txt 2012-06-08 23:45
ComboFix2.txt 2010-04-12 19:17
.
Pre-Run: 14,338,793,472 bytes free
Post-Run: 15,005,728,768 bytes free
.
- - End Of File - - 7AA2609A4A554BF9AD78BCD51D232FA0

#8 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 08 June 2012 - 06:45 PM

Your crashes are probably due to the missing es.dll. There are other questionable aspects but first let's find an es.dll.

Please download SystemLook from one of the links below and save it to your Desktop on the affected PC.
http://jpshortstuff..../SystemLook.exe
http://images.malwar.../SystemLook.exe
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
es.dll
Click the 'Look' button to start the scan and wait for a few minutes until the "Look" button reappears.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#9 wxwax

Posted 08 June 2012 - 07:47 PM

Here's the log. (You probably know this, but I'm getting a lot of error messages every time I reboot.)


SystemLook 30.07.11 by jpshortstuff
Log created at 21:39 on 08/06/2012 by Microsoft User
Administrator - Elevation successful

========== filefind ==========

Searching for "es.dll"
C:\Documents and Settings\Microsoft User\Local Settings\Application Data\Google\Chrome\Application\16.0.912.21\Locales\es.dll --a---- 8248 bytes [16:51 03/11/2011] [09:32 01/11/2011] BB49D554AA180EF1FCDA180746F84872
C:\Documents and Settings\Microsoft User\Local Settings\Application Data\Google\Chrome\Application\16.0.912.32\Locales\es.dll --a---- 8248 bytes [01:51 09/11/2011] [16:24 08/11/2011] D776684F655F6D19E9352403FF7CEC70
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll --a---- 243200 bytes [04:20 26/07/2005] [04:20 26/07/2005] 95F5FEA4C6DE2C3F28784D0DCC8F0DD3
C:\WINDOWS\$NtServicePackUninstall$\es.dll -----c- 243200 bytes [01:28 13/04/2010] [07:56 04/08/2004] ACD36A2DD7D1E9D8A060AA651DC07E63
C:\WINDOWS\$NtUninstallKB828741$\es.dll -----c- 225280 bytes [13:02 20/04/2004] [12:00 29/08/2002] C9702DDD814C39DC1254CF757C31C6E4
C:\WINDOWS\ServicePackFiles\i386\es.dll ------- 246272 bytes [07:56 04/08/2004] [00:11 14/04/2008] 19A799805B24990867B00C120D300C3A

-= EOF =-
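An added example, not part of the thread or of SystemLook: a parser for the `filefind` log above that separates the copies under the Windows directory from same-named files elsewhere, labels the directory each copy sits in, and checks a file's bytes against the MD5 the log recorded. The `[created] [modified]` field order, the day/month/year date format, the directory labels and all function names are this example's assumptions.

```python
import hashlib
import re
from datetime import datetime

# One hit per line: path, attribute flags, size, two timestamps, MD5.
HIT = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
TS = "%H:%M %d/%m/%Y"  # assumption: day/month/year, matching the log's header date

# Labels (this example's wording) for the directories that appear in the log.
ORIGINS = (
    ("\\$hf_mig$\\", "hotfix migration copy"),
    ("\\$ntservicepackuninstall$\\", "service-pack uninstall backup"),
    ("\\$ntuninstallkb", "hotfix uninstall backup"),
    ("\\servicepackfiles\\i386\\", "service-pack files"),
)


def classify(path, windir="C:\\WINDOWS"):
    """Label a hit by the directory it was found in."""
    lower = path.lower()
    if not lower.startswith(windir.lower() + "\\"):
        return "outside Windows directory"
    for marker, label in ORIGINS:
        if marker in lower:
            return label
    return "other Windows location"


def parse_filefind(log_text):
    """Return one dict per hit line; banner, search and EOF lines are skipped."""
    hits = []
    for raw in log_text.splitlines():
        m = HIT.match(raw.strip())
        if m:
            hits.append({
                "path": m["path"],
                "size": int(m["size"]),
                "created": datetime.strptime(m["created"], TS),    # assumed order
                "modified": datetime.strptime(m["modified"], TS),  # assumed order
                "md5": m["md5"].upper(),
                "origin": classify(m["path"]),
            })
    return hits


def system_copies(hits):
    """Hits under the Windows directory, most recently modified first."""
    keep = [h for h in hits if h["origin"] != "outside Windows directory"]
    return sorted(keep, key=lambda h: h["modified"], reverse=True)


def matches_logged_md5(file_bytes, logged_md5):
    """True if the bytes hash to the MD5 the log recorded (MD5 is what the log gives)."""
    return hashlib.md5(file_bytes).hexdigest().upper() == logged_md5.upper()


# Hit lines copied from the SystemLook log in this thread.
SYSTEMLOOK_LOG = r"""
Searching for "es.dll"
C:\Documents and Settings\Microsoft User\Local Settings\Application Data\Google\Chrome\Application\16.0.912.21\Locales\es.dll --a---- 8248 bytes [16:51 03/11/2011] [09:32 01/11/2011] BB49D554AA180EF1FCDA180746F84872
C:\Documents and Settings\Microsoft User\Local Settings\Application Data\Google\Chrome\Application\16.0.912.32\Locales\es.dll --a---- 8248 bytes [01:51 09/11/2011] [16:24 08/11/2011] D776684F655F6D19E9352403FF7CEC70
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll --a---- 243200 bytes [04:20 26/07/2005] [04:20 26/07/2005] 95F5FEA4C6DE2C3F28784D0DCC8F0DD3
C:\WINDOWS\$NtServicePackUninstall$\es.dll -----c- 243200 bytes [01:28 13/04/2010] [07:56 04/08/2004] ACD36A2DD7D1E9D8A060AA651DC07E63
C:\WINDOWS\$NtUninstallKB828741$\es.dll -----c- 225280 bytes [13:02 20/04/2004] [12:00 29/08/2002] C9702DDD814C39DC1254CF757C31C6E4
C:\WINDOWS\ServicePackFiles\i386\es.dll ------- 246272 bytes [07:56 04/08/2004] [00:11 14/04/2008] 19A799805B24990867B00C120D300C3A
-= EOF =-
"""

if __name__ == "__main__":
    for hit in system_copies(parse_filefind(SYSTEMLOOK_LOG)):
        print(hit["modified"].date(), hit["size"], hit["md5"], hit["origin"])
```

After a copy such as the one scripted in the next post, reading the destination file and passing its bytes to `matches_logged_md5` with the source line's hash confirms the file arrived intact.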

#10 cnm

Posted 08 June 2012 - 08:11 PM

Good. Found what looks like a legit es.dll we can use, and we'll also get rid of some very oddball Services.

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::
FCopy::
C:\WINDOWS\$NtServicePackUninstall$\es.dll c:\windows\System32\es.dll
Driver::
Mup4sb
Sm0bminvp
Vaslinsv


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)
If you get any error messages, tell me what they say, or attach screenshot. How to create and attach a screen shot

#11 wxwax

Posted 08 June 2012 - 08:38 PM

Just to clarify, I should drag the icon for the text file onto the icon for Combofix?

#12 cnm

Posted 08 June 2012 - 09:00 PM

Yes. Exactly.

#13 wxwax

Posted 08 June 2012 - 10:10 PM

Can I do this in Safe Mode?

The problem with the computer is that after each reboot, it will only do one or two tasks before programs stop functioning. By the time I've disabled the anti-virus programs and dragged the text file, things have stopped working. I can't save a file, for example, so I can't save a screen grab.

On one attempt, Combofix went through its first phase -- the black screen with green fonts. But it stopped working when it got to the blue screen with white fonts. The command it was trying to execute when it stopped working was the very first one: "creating a restore point."

The computer kept prompting me to do a chkdsk, so I finally let it. Didn't make any difference. So I turned it off and we're both going to sleep on it. I'll try again in the morning, when it's had time to clear its head and get a better attitude about things.

Edited by wxwax, 08 June 2012 - 10:17 PM.


#14 cnm

Posted 08 June 2012 - 10:47 PM

Try it in Safe Mode. Hit F8 several times while booting to get the boot menu.
I hope it will be happier. :)

#15 wxwax

Posted 09 June 2012 - 05:41 PM

All day battle royale. I couldn't even get it to boot into Safe Mode for a good many tries. Then Combofix stopped running several times.

When Combofix runs, it keeps generating a slew of error messages. I'm attaching some of them below. Program Corrupt messages came up a lot, too. Combofix finally went through its cycle, despite the error messages.

At the end, the last thing it said before rebooting was that a System File was infected. It said it had fixed it. But when the machine rebooted, Combofix generated all the same error messages. And it stopped working before it could generate a log.

I'm going to run Combofix on its own, without the fix-it .txt file, to see if I can get a log.

I believe this machine is infected. The symptoms -- can't run any virus software, intermittent connection to the internet, can't log into g-mail, computer stops running programs -- all seem to point to that conclusion.

Attached Files


Edited by wxwax, 09 June 2012 - 05:42 PM.


#16 wxwax

Posted 09 June 2012 - 06:19 PM

More of the same error messages, but it managed to generate a log this time.







ComboFix 12-06-09.02 - Microsoft User 06/09/2012 19:45:19.4.1 - x86 NETWORK
Running from: c:\documents and settings\Microsoft User\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
Infected copy of c:\windows\system32\IME\CINTLGNT\CINTSETP.EXE was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\lang\cintsetp.exe
.
--------
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MUP4SB
-------\Legacy_VASLINSV
-------\Service_Mup4sb
-------\Service_Sm0bminvp
-------\Service_Vaslinsv
.
.
((((((((((((((((((((((((( Files Created from 2012-05-09 to 2012-06-09 )))))))))))))))))))))))))))))))
.
.
2012-06-09 17:36 . 2012-06-09 23:08 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-09 02:55 . 2012-06-09 02:55 -------- d-----w- c:\program files\GUM9.tmp
2012-06-09 02:55 . 2012-06-09 02:55 3993600 ----a-w- c:\program files\GUTA.tmp
2012-06-09 00:17 . 2012-06-09 00:17 -------- d-----w- C:\a6fc764535b2692d84a73144e17611
2012-06-09 00:05 . 2012-06-09 00:05 -------- d-----w- C:\344369292c9f3d9efa684d0447
2012-06-08 23:57 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-06-08 23:57 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-08 22:16 . 2012-06-08 22:16 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-08 22:16 . 2012-06-08 22:16 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2004-01-16 06:01 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-12 02:02 . 2012-04-05 00:44 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-12 02:02 . 2011-05-16 08:38 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:12 . 2002-08-29 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2002-08-29 12:00 2192640 ------w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2002-08-29 01:04 2069120 ------w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2010-04-11 16:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-08 22:16 . 2011-07-03 07:51 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-06-09_23.09.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-10 08:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2485376\spmsg.dll
+ 2011-02-10 08:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2479628\update\spcustom.dll
+ 2011-02-17 12:32 . 2011-02-17 12:32 5120 c:\windows\$hf_mig$\KB2508429\SP3QFE\xpsp4res.dll
+ 2011-02-10 08:04 . 2010-10-28 13:13 290048 c:\windows\$NtUninstallKB2485376$\atmfd.dll
+ 2011-02-10 08:03 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2483185$\spuninst\spuninst.exe
+ 2011-02-10 08:03 . 2008-04-14 00:12 438272 c:\windows\$NtUninstallKB2483185$\shimgvw.dll
- 2011-02-10 08:03 .02008-04-14 00:12 438272 c:\windows\$NtUninstallKB2483185$\shimgvw.dll
+ 2011-02-10 08:04 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2479628$\spuninst\updspapi.dll
+ 2011-02-10 08:04 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2479628$\spuninst\spuninst.exe
+ 2011-02-10 08:04 . 2009-06-25 08:25 301568 c:\windows\$NtUninstallKB2478971$\kerberos.dll
+ 2011-02-10 08:04 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2485376\update\updspapi.dll
+ 2011-02-10 08:03 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2483185\update\update.exe
+ 2011-02-10 08:04 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2478971\update\updspapi.dll
+ 2011-02-12 00:47 . 2011-02-12 00:47 12028928 c:\windows\Installer\50e8b0e.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2006-05-13 94208]
"MXOBG"="c:\windows\MXOALDR.EXE" [2006-05-13 94208]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2005-02-08 823296]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-3-1 169472]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2006-5-13 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2006-5-13 954368]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Microsoft User^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Microsoft User\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
2002-09-24 21:39 147456 ------w- c:\program files\Iomega\AutoDisk\ADUserMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2004-01-30 07:32 26112 ------w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-04-01 18:49 36352 ------w- c:\program files\Winamp\winampa.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-29 136360]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 136176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-11-03 2152152]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2004-07-16 14416]
R3 EyeOneDp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2006-01-30 44344]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 136176]
R3 i1;eye-one;c:\windows\system32\DRIVERS\i1.sys [2003-03-05 26045]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-06-09 40776]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-08 113120]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27064]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
2012-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd45eb4ff731e6.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 01:06]
.
2012-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 01:06]
.
2004-06-05 c:\windows\Tasks\System Diagnostic.job
- c:\progra~1\CYBERL~1\PowerDVD\CLDMA.exe [2003-06-30 16:06]
.
2012-06-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-13 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.advrider.com/
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
uInternet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Microsoft User\Application Data\Mozilla\Firefox\Profiles\a0znfgyh.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-09 19:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1614895754-2111687655-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1614895754-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* %T*)"]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1614895754-2111687655-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* %T*)"\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6102"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(612)
c:\windows\System32\l3codeca.acm
.
- - - - - - - > 'explorer.exe'(1472)
c:\windows\system32\WININET.dll
.
Completion time: 2012-06-09 20:00:22
ComboFix-quarantined-files.txt 2012-06-10 00:00
ComboFix2.txt 2012-06-08 23:45
ComboFix3.txt 2010-04-12 19:17
.
Pre-Run: 13,417,541,632 bytes free
Post-Run: 13,405,040,640 bytes free
.
- - End Of File - - 582C2023C15B5C823F7124720CC9E7DC
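An added example (not posted by either participant and not part of ComboFix): the driver/service listings from the 2012-06-08 and 2012-06-09 ComboFix logs in this thread, parsed and compared to check that the three names in the CFScript `Driver::` block were the entries listed with `[x]`, have deletion records, and are gone from the later listing. Reading `[x]` as "no file found for this entry", and the class and function names, are this example's assumptions; the sample lines are excerpts copied from the logs above.

```python
import re
from dataclasses import dataclass

# Listing lines look like "R3 Mup4sb;Mup4sb; [x]" or
# "S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]".
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>[^\[]*)\[(?P<info>[^\]]*)\]$"
)
# Deletion records printed under "Drivers/Services" in the second log.
DELETION_LINE = re.compile(r"^-+\\(?P<kind>Service|Legacy)_(?P<name>\S+)$", re.I)


@dataclass(frozen=True)
class Service:
    name: str
    running: bool   # leading letter: R or S
    start: int      # digit after the letter, kept as printed
    image: str      # empty when the log prints no path
    file_info: str  # "date size", or "x"

    @property
    def orphaned(self):
        # Assumption: "[x]" with no path means no file was found for the entry.
        return self.file_info.lower() == "x" and not self.image


def parse_services(log_text):
    """Return {lowercased name: Service} for every driver/service listing line."""
    services = {}
    for raw in log_text.splitlines():
        m = SERVICE_LINE.match(raw.strip())
        if m:
            svc = Service(m["name"].strip(), m["state"] == "R", int(m["start"]),
                          m["image"].strip(), m["info"].strip())
            services[svc.name.lower()] = svc
    return services


def parse_deletions(log_text):
    """Return lowercased names from the Service_ and Legacy_ deletion records."""
    found = {"service": set(), "legacy": set()}
    for raw in log_text.splitlines():
        m = DELETION_LINE.match(raw.strip())
        if m:
            found[m["kind"].lower()].add(m["name"].lower())
    return found


def diff_runs(before, after):
    """Names removed, added, or listed with different file details between runs."""
    removed = sorted(before[k].name for k in before.keys() - after.keys())
    added = sorted(after[k].name for k in after.keys() - before.keys())
    changed = sorted(
        after[k].name for k in before.keys() & after.keys()
        if (before[k].image.lower(), before[k].file_info)
        != (after[k].image.lower(), after[k].file_info))
    return removed, added, changed


def verify_removal(targets, before, after, deletions):
    """For each scripted target: orphaned before, deletion logged, absent after."""
    report = {}
    for name in targets:
        key = name.lower()
        report[name] = {
            "orphaned_before": key in before and before[key].orphaned,
            "deletion_logged": key in deletions["service"],
            "legacy_record": key in deletions["legacy"],
            "gone_after": key not in after,
        }
    return report


# Excerpts copied from the 2012-06-08 and 2012-06-09 ComboFix logs in this thread.
RUN_1 = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-29 136360]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-06-08 40776]
R3 Mup4sb;Mup4sb; [x]
R3 Sm0bminvp;Sm0bminvp; [x]
R3 Vaslinsv;Vaslinsv; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]
"""
RUN_2 = r"""
-------\Legacy_MUP4SB
-------\Legacy_VASLINSV
-------\Service_Mup4sb
-------\Service_Sm0bminvp
-------\Service_Vaslinsv
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-29 136360]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-06-09 40776]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]
"""
CFSCRIPT_DRIVERS = ["Mup4sb", "Sm0bminvp", "Vaslinsv"]  # Driver:: block, post #10

if __name__ == "__main__":
    b, a = parse_services(RUN_1), parse_services(RUN_2)
    print(diff_runs(b, a))
    print(verify_removal(CFSCRIPT_DRIVERS, b, a, parse_deletions(RUN_2)))
```

On these excerpts the comparison also reports MBAMSwissArmy as changed, because the file date printed for it differs between the two logs.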

#17 cnm

Posted 09 June 2012 - 07:00 PM

I think we will need to approach it from outside of Windows.

Read all these directions before proceeding.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like BurnAware Free or ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Summarizing:
  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.
Post the report.

#18 wxwax

Posted 09 June 2012 - 07:43 PM

OK, thanks mama lion. This may take some time. One hurdle may be getting the machine to recognize USB. I shall report back.

Thank you for your help and for your patience!

#19 cnm

Posted 09 June 2012 - 07:46 PM

Make sure you create the USB or CD on a clean PC!
A CD may be more practical..

Edit: And you're welcome. We'll lick this thing yet. :bug:

#20 cnm

Posted 13 June 2012 - 12:50 PM

Are you still with me?

What is the present situation?

#21 wxwax

Posted 15 June 2012 - 04:09 PM

Are you still with me?

What is the present situation?


I'm sorry for the delay. It's proving to be very difficult to find a machine I can be assured is clean!

In the meantime, in a reboot, the machine did a chkdsk. After which, the Avira software found a virus disguised as mbam. I quarantined it and ran another Avira scan, which found 4 more objects.

I plan to run Combofix again, to see if it still generates error messages.

Here's the Avira log:





Avira AntiVir Personal
Report file date: Friday, June 15, 2012 14:37

Scanning for 3840974 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MICROSOF-G12XZZ

Version information:
BUILD.DAT : 10.2.0.707 36070 Bytes 1/25/2012 13:11:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 6/28/2011 14:42:54
AVSCAN.DLL : 10.0.5.0 47464 Bytes 6/28/2011 14:42:54
LUKE.DLL : 10.3.0.5 45416 Bytes 6/28/2011 14:42:54
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 6/28/2011 14:42:55
AVREG.DLL : 10.3.0.9 88833 Bytes 7/13/2011 06:56:37
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 20:59:38
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 15:47:35
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 15:47:50
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 15:48:01
VBASE005.VDF : 7.11.29.136 2166272 Bytes 5/10/2012 15:48:10
VBASE006.VDF : 7.11.29.137 2048 Bytes 5/10/2012 15:48:10
VBASE007.VDF : 7.11.29.138 2048 Bytes 5/10/2012 15:48:11
VBASE008.VDF : 7.11.29.139 2048 Bytes 5/10/2012 15:48:11
VBASE009.VDF : 7.11.29.140 2048 Bytes 5/10/2012 15:48:11
VBASE010.VDF : 7.11.29.141 2048 Bytes 5/10/2012 15:48:11
VBASE011.VDF : 7.11.29.142 2048 Bytes 5/10/2012 15:48:12
VBASE012.VDF : 7.11.29.143 2048 Bytes 5/10/2012 15:48:12
VBASE013.VDF : 7.11.29.144 2048 Bytes 5/10/2012 15:48:13
VBASE014.VDF : 7.11.30.3 198144 Bytes 5/14/2012 15:48:14
VBASE015.VDF : 7.11.30.69 186368 Bytes 5/17/2012 15:48:15
VBASE016.VDF : 7.11.30.143 223744 Bytes 5/21/2012 15:48:16
VBASE017.VDF : 7.11.30.207 287744 Bytes 5/23/2012 15:48:18
VBASE018.VDF : 7.11.31.57 188416 Bytes 5/28/2012 15:48:19
VBASE019.VDF : 7.11.31.111 214528 Bytes 5/30/2012 15:48:20
VBASE020.VDF : 7.11.31.151 116736 Bytes 5/31/2012 15:48:21
VBASE021.VDF : 7.11.31.205 134144 Bytes 6/3/2012 15:48:22
VBASE022.VDF : 7.11.32.9 169472 Bytes 6/5/2012 15:48:23
VBASE023.VDF : 7.11.32.85 155648 Bytes 6/8/2012 15:48:24
VBASE024.VDF : 7.11.32.133 127488 Bytes 6/11/2012 15:48:25
VBASE025.VDF : 7.11.32.171 182784 Bytes 6/12/2012 18:35:24
VBASE026.VDF : 7.11.32.251 119296 Bytes 6/14/2012 18:35:25
VBASE027.VDF : 7.11.32.252 2048 Bytes 6/14/2012 18:35:25
VBASE028.VDF : 7.11.32.253 2048 Bytes 6/14/2012 18:35:25
VBASE029.VDF : 7.11.32.254 2048 Bytes 6/14/2012 18:35:25
VBASE030.VDF : 7.11.32.255 2048 Bytes 6/14/2012 18:35:26
VBASE031.VDF : 7.11.33.28 55296 Bytes 6/15/2012 18:35:26
Engineversion : 8.2.10.92
AEVDF.DLL : 8.1.2.8 106867 Bytes 6/12/2012 15:48:44
AESCRIPT.DLL : 8.1.4.26 450939 Bytes 6/15/2012 18:35:43
AESCN.DLL : 8.1.8.2 131444 Bytes 6/12/2012 15:48:43
AESBX.DLL : 8.2.5.12 606578 Bytes 6/15/2012 18:35:45
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 22:01:44
AEPACK.DLL : 8.2.16.18 807287 Bytes 6/15/2012 18:35:42
AEOFFICE.DLL : 8.1.2.36 201082 Bytes 6/15/2012 18:35:37
AEHEUR.DLL : 8.1.4.46 4923767 Bytes 6/15/2012 18:35:36
AEHELP.DLL : 8.1.21.0 254326 Bytes 6/12/2012 15:48:33
AEGEN.DLL : 8.1.5.30 422261 Bytes 6/15/2012 18:35:27
AEEXP.DLL : 8.1.0.52 82293 Bytes 6/15/2012 18:35:45
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 22:20:35
AECORE.DLL : 8.1.25.10 201080 Bytes 6/12/2012 15:48:30
AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 20:58:09
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 16:03:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 6/28/2011 14:42:54
AVREP.DLL : 10.0.0.10 174120 Bytes 5/17/2011 17:16:58
AVARKT.DLL : 10.0.26.1 255336 Bytes 6/28/2011 14:42:54
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 6/28/2011 14:42:54
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 16:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 19:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 18:41:00
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 6/28/2011 14:42:53
RCTEXT.DLL : 10.0.64.0 97640 Bytes 6/28/2011 14:42:53

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced

Start of the scan: Friday, June 15, 2012 14:37

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'logon.scr' - '13' Module(s) have been scanned
Scan process 'vssvc.exe' - '34' Module(s) have been scanned
Scan process 'avscan.exe' - '70' Module(s) have been scanned
Scan process 'avcenter.exe' - '62' Module(s) have been scanned
Scan process 'AAWTray.exe' - '21' Module(s) have been scanned
Scan process 'alg.exe' - '36' Module(s) have been scanned
Scan process 'IBServer.exe' - '29' Module(s) have been scanned
Scan process 'wscntfy.exe' - '17' Module(s) have been scanned
Scan process 'ADService.exe' - '18' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'SMAgent.exe' - '14' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'AppServices.exe' - '9' Module(s) have been scanned
Scan process 'avshadow.exe' - '25' Module(s) have been scanned
Scan process 'IBGuard.exe' - '22' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '33' Module(s) have been scanned
Scan process 'ctfmon.exe' - '28' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '37' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '49' Module(s) have been scanned
Scan process 'jusched.exe' - '45' Module(s) have been scanned
Scan process 'QTTask.exe' - '18' Module(s) have been scanned
Scan process 'avgnt.exe' - '54' Module(s) have been scanned
Scan process 'Onetouch.exe' - '29' Module(s) have been scanned
Scan process 'MXOALDR.EXE' - '21' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '21' Module(s) have been scanned
Scan process 'Smtray.exe' - '22' Module(s) have been scanned
Scan process 'Explorer.EXE' - '95' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'sched.exe' - '47' Module(s) have been scanned
Scan process 'spoolsv.exe' - '56' Module(s) have been scanned
Scan process 'AAWService.exe' - '96' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '158' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'lsass.exe' - '61' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '79' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1092' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Microsoft User\Application Data\Sun\Java\Deployment\cache\6.0\40\7a0ff328-5a6dbd57
[0] Archive type: ZIP
--> notana.class
[DETECTION] Contains recognition pattern of the EXP/2011-3544.D exploit
C:\Documents and Settings\Microsoft User\Application Data\Sun\Java\Deployment\cache\6.0\41\3d3fb229-66d4625d
[0] Archive type: ZIP
--> xmltree/armin.class
[DETECTION] Contains recognition pattern of the EXP/JAVA.Mabowl.Gen exploit
--> xmltree/erandus.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.A.14 exploit
--> xmltree/opkat.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840 exploit
C:\Documents and Settings\Microsoft User\Application Data\Sun\Java\Deployment\cache\6.0\46\33de956e-24851e02
[0] Archive type: ZIP
--> Effect.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544.BU exploit
--> Field.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.A.22 exploit
--> Matrix.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.A.4 exploit
--> Photo.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840 exploit
C:\Documents and Settings\Microsoft User\Local Settings\temp\Av-test.txt
[DETECTION] Contains code of the Eicar-Test-Signature virus
Catched Exception in function <SCAN_Search> - Object <C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\Screens\Help\i1Pro\DCWizard\DCProfilingDonePage\Step3.jpg>
ACCESS_VIOLATION
EAX = 0008084C EBX = 0D359A68
ECX = 7FFDA000 EDX = 0008084C
ESI = 00CD1FC8 EDI = 00080800
EIP = 7C90100B EBP = 0AA7CFC0
ESP = 0AA7CFAC Flg = 00010206
CS = 00000023 SS = 0000001B

Beginning disinfection:
C:\Documents and Settings\Microsoft User\Local Settings\temp\Av-test.txt
[DETECTION] Contains code of the Eicar-Test-Signature virus
[NOTE] The file was moved to the quarantine directory under the name '5a861522.qua'.
C:\Documents and Settings\Microsoft User\Application Data\Sun\Java\Deployment\cache\6.0\46\33de956e-24851e02
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840 exploit
[NOTE] The file was moved to the quarantine directory under the name '42263a43.qua'.
C:\Documents and Settings\Microsoft User\Application Data\Sun\Java\Deployment\cache\6.0\41\3d3fb229-66d4625d
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840 exploit
[NOTE] The file was moved to the quarantine directory under the name '1048607c.qua'.
C:\Documents and Settings\Microsoft User\Application Data\Sun\Java\Deployment\cache\6.0\40\7a0ff328-5a6dbd57
[DETECTION] Contains recognition pattern of the EXP/2011-3544.D exploit
[NOTE] The file was moved to the quarantine directory under the name '767a2fbb.qua'.


End of the scan: Friday, June 15, 2012 18:03
Used time: 1:10:42 Hour(s)

The scan has been done completely.

13277 Scanned directories
169978 Files were scanned
9 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
169969 Files not concerned
1789 Archives were scanned
1 Warnings
4 Notes
478384 Objects were scanned with rootkit scan
0 Hidden objects were found

Edited by wxwax, 15 June 2012 - 04:10 PM.


#22 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 15 June 2012 - 04:51 PM

The detection of mbam is very likely a false positive. The other detections may also be false positives.

Submit the quarantined mbam to VirusTotal.
Please go to http://www.virustotal.com, click on 'Choose file', and send the following file/s for analysis. You will only be able to have one file scanned at a time.

the quarantined mbam file

After you click 'Send file', allow the file to be scanned, and then please post a link to the results page here for me. Don't copy the page.


Yes, please do run ComboFix again. It has already taken care of several bits of malware and may be able to run better now.
ComboFix is frequently updated so please delete ComboFix from your Desktop and download a new copy to your Desktop.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#23 wxwax

wxwax

    Member

  • Full Member
  • Pip
  • 43 posts

Posted 16 June 2012 - 02:35 PM

Thank you. I ran Combofix again; it generated a plethora of error messages, all of them different to the original batch. Then all the browsers on the machine told me I don't have an internet connection.

My best suggestion is that perhaps you can help me clean an old Windows laptop that I have, and I'll use that to image Kaspersky Rescue Disk. (I've mostly been using a Mac to communicate in this thread.)

#24 cnm

Posted 16 June 2012 - 02:57 PM

Can't you use the Mac to burn a CD or USB? The disk doesn't have anything to do with Windows.

We can certainly try to clean your Windows laptop. Start a new thread for it, and include a link to this one.

#25 wxwax

Posted 16 June 2012 - 03:46 PM

> Can't you use the Mac to burn a CD or USB? The disk doesn't have anything to do with Windows.


Oh. Duh. I'll try it!

#26 cnm

Posted 16 June 2012 - 04:00 PM

Burning a disk image file on a CD or DVD in Mac OS X

Avoid the self-burning USB download at Kaspersky; I assume that probably uses Windows.
Just download the plain image.

#27 wxwax

Posted 16 June 2012 - 06:18 PM

No luck, I'm afraid. I followed Mac directions for burning an image. But the computer ignored the CD when booting: it went to Windows no matter what I tried.

Below is the BIOS page. I selected the highlighted option (and on separate efforts, also the line above the one which is highlighted). When I hit Save and Exit, the computer booted to Windows. When I checked the CD drive to see if the .iso file was there, it was.


Posted Image

#28 cnm

Posted 16 June 2012 - 06:37 PM

You need to move the CD to the top position in the boot order. But it's disabled?? I'm not sure your PC BIOS supports boot USB. Try enabling the CD. And make it # 1 boot.

#29 wxwax

Posted 16 June 2012 - 06:41 PM

Thank you. How do I make it the #1 boot?

#30 wxwax

Posted 16 June 2012 - 06:45 PM

I've found directions. Will follow your orders!

#31 cnm

Posted 16 June 2012 - 06:55 PM

But when you say you checked the CD drive and the .ISO file was there - it sounds as though you copied the ISO file to the disk? Which would be wrong. The image is a binary image of a disk and must be burned as an image, not as a file. When you look at the disk you should see two folders, boot and rescue, and there are also two files, image.squashfs and livecd.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
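
The check described in the post above, as an added example that is not part of the original thread: it tests whether a downloaded file is an ISO 9660 image and whether a mounted disc was burned as an image or merely holds the .iso as a file. The function names, the script name and the mount-point path in the usage line are hypothetical; the expected top-level entries are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the thread): check a rescue-disc image before
# burning, and check the burned disc afterwards.
# Function names and the sample path in the usage line are hypothetical.

# is_iso9660 FILE
# Succeeds if FILE carries the ISO 9660 signature "CD001", which sits in
# bytes 1-5 of the volume descriptor at sector 16 (file offset 32769).
is_iso9660() {
    [ -f "$1" ] || return 1
    sig=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null)
    [ "$sig" = "CD001" ]
}

# classify_disc MOUNTPOINT
# Prints one of:
#   image-burned  the entries named in the post above are at the top level
#   iso-as-file   the disc is a data disc holding the .iso as a plain file
#   unknown       neither pattern matched
classify_disc() {
    mp=$1
    if [ ! -d "$mp" ]; then
        echo unknown
        return 0
    fi
    if [ -d "$mp/boot" ] && [ -d "$mp/rescue" ] &&
       [ -e "$mp/image.squashfs" ] && [ -e "$mp/livecd" ]; then
        echo image-burned
        return 0
    fi
    for f in "$mp"/*.iso "$mp"/*.ISO; do
        if [ -f "$f" ]; then
            echo iso-as-file
            return 0
        fi
    done
    echo unknown
}

# Usage: sh check_disc.sh /Volumes/<disc name>
if [ "$#" -gt 0 ]; then
    classify_disc "$1"
fi
```

On Mac OS X, `hdiutil burn` followed by the image path writes the image itself to the disc rather than copying the file onto it.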

#32 wxwax

Posted 16 June 2012 - 06:58 PM

Thanks. It booted to Kaspersky. We went through the language option etc. Then it flashed through a bunch of script, some of which said the graphic interface failed.

It is now hanging on this screen.


Posted Image

#33 cnm

Posted 16 June 2012 - 07:23 PM

Never heard of that happening. Can you think of any reason the graphic interface failed?

There are other rescue disks available but the Kaspersky seems the best to me.
Here is a list: http://www.malwarehe...d-download.html
No harm in trying BitDefender disk.
How to Use the BitDefender Rescue CD to Clean Your Infected PC

#34 wxwax

Posted 16 June 2012 - 07:26 PM

Obviously, I don't know much about computers! I can only wonder whether there might be a problem with the graphics card.

I'll try Kaspersky one more time, just in case. If that fails again, I'll move on to BitDefender.

Thanks again for your help!

#35 cnm

Posted 16 June 2012 - 07:36 PM

I have found some suggestions, from http://www.howtogeek...r-infected-pc/. Probably some are just superstition. ;)

“What’s weird is that it didn’t work with a capital letter “A” for us, even though that’s what it shows in the screenshot. ”

Discovered quite by accident that you have to firstly, left click anywhere within the EULA before hitting ‘A’ to accept the agreement. Had been pulling my hair for it to work before the discovery!

Also discovered that the virus update engine can be quite slow; and that the update may not complete.


This sounds sensible:

If you are getting stuck when selecting graphic mode (as I was), try Text mode, and from there go to graphic mode. You will get a drop down menu, select the 1st option (“Autoconfig” or something to that effect) and press enter. After I did that step, it's working like a charm in the graphic mode.



#36 wxwax

Posted 16 June 2012 - 08:01 PM

I'm now going to try BitDefender.

I tried Kaspersky three more times. Twice I got through to the scan window, and got the same error message. I hope you can read the image below. I also noticed that the battery icon at the bottom right said "no battery." Not sure what that means, so I've linked an image to that, as well. Is there a battery on the motherboard or the graphics card?




Posted Image



Posted Image

#37 cnm

Posted 16 June 2012 - 08:15 PM

There is a battery on the motherboard that runs the clock and keeps the non-volatile memory alive. That is where some settings and other info are saved.

Basic overview: http://www.ehow.com/pc-battery/

Good directions: How to replace the CMOS battery

Before opening the case, shut down the PC and then unplug it from electric power.

#38 wxwax

Posted 16 June 2012 - 08:15 PM

> I have found some suggestions, from http://www.howtogeek...r-infected-pc/. Probably some are just superstition. ;)
>
> “What’s weird is that it didn’t work with a capital letter “A” for us, even though that’s what it shows in the screenshot. ”
>
> Discovered quite by accident that you have to firstly, left click anywhere within the EULA before hitting ‘A’ to accept the agreement. Had been pulling my hair for it to work before the discovery!
>
> Also discovered that the virus update engine can be quite slow; and that the update may not complete.
>
> This sounds sensible:
>
> If you are getting stuck when selecting graphic mode (as I was), try Text mode, and from there go to graphic mode. You will get a drop down menu, select the 1st option (“Autoconfig” or something to that effect) and press enter. After I did that step, it's working like a charm in the graphic mode.



I tried the text interface twice. Both times, even when I told it to scan C, it ended up on a black page with text similar to the image I posted above.

On to BitDefender!

#39 cnm

Posted 16 June 2012 - 08:34 PM

I think it will fail too if your battery is failing. You might have missed my post above.

#40 wxwax

Posted 16 June 2012 - 08:41 PM

Failed with BitDefender too.

Apparently the program needs an internet connection, which this machine now refuses to grant. Without its updates, apparently BitDefender is a BitDefenseless. (A little humor to lighten the mood!) Here's the error message.

Thank you for the battery info. I guess that's the next thing I should try. I have the original Windows disk. I suppose I may have to wipe clean and start over, if it will even let me do that. *sigh* :-)



Posted Image

#41 cnm

Posted 16 June 2012 - 08:47 PM

Replacing the battery is easy and won't affect any programs. You'll see, nothing to be afraid of. Just do unplug the PC before you open the case.

#42 wxwax

Posted 16 June 2012 - 08:47 PM

> I think it will fail too if your battery is failing. You might have missed my post above.



I saw it, thanks. Excellent links, I appreciate it!

#43 cnm

Posted 20 June 2012 - 11:37 AM

Keep me posted -

#44 cnm

Posted 02 July 2012 - 01:58 PM

Are you still with me, wxwax?

#45 cnm

Posted 10 July 2012 - 12:32 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



