Page 1 of 2 12 LastLast
Results 1 to 10 of 11
  1. #1
    Member
    Join Date
    Nov 2011
    Posts
    6
    Points
    0

    Default Suspicious entries have been found and BSOD

    Today after I started Windows Bsod appears, I have run anti virus scans(avast! Free Antivirus), which found nothing.
    Does anyone have any idea what my problem could be?

    Malwarebytes' Anti-Malware 1.51.2.1300
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: 8239

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    25.11.2011 21:35:26
    mbam-log-2011-11-25 (21-35-25).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 241194
    Time elapsed: 1 hour(s), 19 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 11/25/2011 at 08:03 PM

    Application Version : 5.0.1136

    Core Rules Database Version : 7986
    Trace Rules Database Version: 5798

    Scan type : Complete Scan
    Total Scan Time : 00:33:27

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned : 454
    Memory threats detected : 0
    Registry items scanned : 39204
    Registry threats detected : 48
    File items scanned : 23636
    File threats detected : 35

    Security.HiJack[ImageFileExecutionOptions]
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACAD.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACAD.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACSIGNAPPLY.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACSIGNAPPLY.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADMIGRATOR.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADMIGRATOR.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADREFMAN.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADREFMAN.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWGCHECKSTANDARDS.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWGCHECKSTANDARDS.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAW.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAW.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAWS.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JAVAWS.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPVIEW.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPVIEW.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC3EXE.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC3EXE.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PLU26.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PLU26.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\STYEXE.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\STYEXE.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSCONTENTINSTALLER.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSCONTENTINSTALLER.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSLAUNCHER.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSLAUNCHER.EXE#Debugger
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE#Debugger

    Adware.Tracking Cookie
    C:\Documents and Settings\Korisnik\Cookies\MSS62HM9.txt [ /tribalfusion.com ]
    C:\Documents and Settings\Korisnik\Cookies\AYP3LJOX.txt [ /statcounter.com ]
    C:\Documents and Settings\Korisnik\Cookies\9PO6CTO9.txt [ /ads.ad4game.com ]
    C:\Documents and Settings\Korisnik\Cookies\1I4MMJK0.txt [ /invitemedia.com ]
    C:\Documents and Settings\Korisnik\Cookies\QPRV26SN.txt [ /yadro.ru ]
    C:\Documents and Settings\Korisnik\Cookies\RFBYQMNS.txt [ /linksynergy.com ]
    C:\Documents and Settings\Korisnik\Cookies\19UE7VV7.txt [ /counters.gigya.com ]
    C:\Documents and Settings\Korisnik\Cookies\QHK6512K.txt [ /r1-ads.ace.advertising.com ]
    C:\Documents and Settings\Korisnik\Cookies\3FPINSJM.txt [ /ads2.zeusclicks.com ]
    C:\Documents and Settings\Korisnik\Cookies\SG612B6T.txt [ /ru4.com ]
    C:\Documents and Settings\Korisnik\Cookies\0IB0K2K6.txt [ /adbrite.com ]
    C:\Documents and Settings\Korisnik\Cookies\AIJU9R7Y.txt [ /ads.fling.com ]
    C:\Documents and Settings\Korisnik\Cookies\A201RWTR.txt [ /ad.adperium.com ]
    C:\Documents and Settings\Korisnik\Cookies\ONSFMCFS.txt [ /ads.crakmedia.com ]
    C:\Documents and Settings\Korisnik\Cookies\XL6LV9XT.txt [ /pubads.g.doubleclick.net ]
    C:\Documents and Settings\Korisnik\Cookies\WWTNWJJ6.txt [ /specificclick.net ]
    C:\Documents and Settings\Korisnik\Cookies\Y0FRK8RX.txt [ /mediaplex.com ]
    C:\Documents and Settings\Korisnik\Cookies\NBY9CGPP.txt [ /revsci.net ]
    C:\Documents and Settings\Korisnik\Cookies\PLCEL1L8.txt [ /ad.yieldmanager.com ]
    C:\Documents and Settings\Korisnik\Cookies\SGEDGVIG.txt [ /ads.dothads.com ]
    C:\Documents and Settings\Korisnik\Cookies\26J6C6LQ.txt [ /doubleclick.net ]
    C:\Documents and Settings\Korisnik\Cookies\TT1JNI7A.txt [ /serving-sys.com ]
    C:\Documents and Settings\Korisnik\Cookies\TG0CKKZ4.txt [ /ads.zeusclicks.com ]
    C:\Documents and Settings\Korisnik\Cookies\R0P3KZMO.txt [ /ads.traffikings.com ]
    C:\Documents and Settings\Korisnik\Cookies\JWPZXF8K.txt [ /fastclick.net ]
    C:\Documents and Settings\Korisnik\Cookies\TGVO26CG.txt [ /atdmt.com ]
    C:\Documents and Settings\Korisnik\Cookies\E287KX0Z.txt [ /advertising.com ]


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 21:44:52, on 25.11.2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DriverMax] (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1288901520859
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1288901510000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53A9A3F3-FC3E-4AD4-9D60-62D295012469}: NameServer = 212.39.98.162 212.39.98.161
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Usluga Google ažuriranje (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Usluga Google ažuriranje (gupdatem) (gupdatem) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
    O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe

    --
    End of file - 7479 bytes

    Here is report from WhoCrashed:

    Crash dump directory: C:\WINDOWS\Minidump

    Crash dumps are enabled on your computer.


    On Fri 25.11.2011 15:03:14 GMT your computer crashed
    crash dump file: C:\WINDOWS\Minidump\Mini112511-01.dmp
    This was probably caused by the following module: sptd.sys (sptd+0x17219)
    Bugcheck code: 0x100000D1 (0xC, 0x5, 0x1, 0xFFFFFFFFF83555F7)
    Error: CUSTOM_ERROR
    file path: C:\WINDOWS\system32\drivers\sptd.sys
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: sptd.sys .
    Google query: sptd.sys CUSTOM_ERROR
    Attached Files

  2. #2
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello and welcome to Help2Go

    We apologize for the delay in responding to your request for help. Here at Help2Go we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

    Please take note:

    1. If you have since resolved the original problem you were having, we would appreciate you letting us know.
    2. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
      • If you are unsure about any of these characteristics just post what you can and we will guide you.
    3. Please tell us if you have your original Windows CD/DVD available.
    4. If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
    5. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
    6. Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
    7. If you have already posted a DDS log, please do so again, as your situation may have changed.
    8. Use the 'Add Reply' and add the new log to this thread.


    We need to see some information about what is happening in your machine. Please perform the following scan again:

    • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results.
    • Follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control HERE


    We also need a new log from the GMER anti-rootkit Scanner.

    Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Then proceed to run aswMbr.exe as noted below.

    Please first disable any CD emulation programs using the steps found in this topic:

    Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:


    Note:
    If you are unable to run a Gmer scan due the fact you are running a 64bit machine please run the following tool and post its log.

    Please download aswMBR ( 511KB ) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.




    Thanks and again sorry for the delay.
    " Extinguishing Malware from the world"

    The Spware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  3. #3
    Member
    Join Date
    Nov 2011
    Posts
    6
    Points
    0

    Default

    Thanks for your answer.

    Since my last post i uninstall sptd.sys using (SPTDinst-v179-x86.exe) and problems with BSOD where solved.
    i scan my computer with DDS but when i try to scan with GMER i get another BSOD (i used Defogger to disable CD emulation).
    i will try to run scan with aswMBR.

    DDS scan log:
    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Korisnik at 12:02:30 on 2011-11-30
    Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.2047.1634 [GMT 1:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ba/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [<NO NAME>]
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: MaxRecentDocs = 11 (0xb)
    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: I&zvoz u Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288901520859
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288901510000
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: Interfaces\{EE51BA83-D09E-4541-881C-119518404567} : DhcpNameServer = 192.168.1.1 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\korisnik\application data\mozilla\firefox\profiles\vk726ih4.default\
    FF - prefs.js: browser.startup.homepage - hxxp://hr.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:hrfficial
    FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.max-connections - 32
    FF - user.js: network.http.max-connections-per-server - 8
    FF - user.js: network.http.max-persistent-connections-per-proxy - 4
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-25 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-25 314456]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-25 20568]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-25 44768]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-11-20 21992]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2011-11-2 1479488]
    R3 egxfilter;egxfilter;c:\windows\system32\drivers\egxfilter.sys [2011-11-13 140800]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2011-10-31 10064]
    S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2011-11-13 14336]
    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-11-18 23456]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-5 22712]
    S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\FIDE.SYS [2011-7-3 14468]
    S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-5 366640]
    .
    =============== File Associations ===============
    .
    .scr=AutoCADScriptFile
    .
    =============== Created Last 30 ================
    .
    2011-11-28 19:56:58 -------- d-----w- c:\documents and settings\korisnik\application data\WinPatrol
    2011-11-25 18:15:07 -------- d-----w- c:\documents and settings\korisnik\application data\SUPERAntiSpyware.com
    2011-11-25 18:14:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-11-25 18:14:21 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2011-11-25 17:56:59 388096 ----a-r- c:\documents and settings\korisnik\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-25 17:56:56 -------- d-----w- c:\program files\Trend Micro
    2011-11-20 20:41:43 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2011-11-20 20:41:42 -------- d-----w- c:\program files\CPUID
    2011-11-20 15:00:43 28992 ----a-w- c:\windows\system32\uxtuneup.dll
    2011-11-20 14:22:21 31552 ----a-w- c:\windows\system32\TURegOpt.exe
    2011-11-20 14:21:08 -------- d-----w- c:\program files\TuneUp Utilities 2012
    2011-11-20 14:20:26 -------- d-sh--w- c:\documents and settings\all users\application data\{32364CEA-7855-4A3C-B674-53D8E9B97936}
    2011-11-18 16:22:48 -------- d-----w- c:\documents and settings\all users\application data\Global Locate
    2011-11-18 16:11:48 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
    2011-11-17 13:09:27 89360 ----a-w- c:\windows\system32\VB5DB.DLL
    2011-11-14 18:43:46 -------- d-----w- c:\documents and settings\korisnik\FinalWire.AIDA64.Extreme.Edition.v2.00.1700.Multilingual.Incl.Keymaker-ZWT
    2011-11-14 17:59:52 -------- d-----w- c:\documents and settings\korisnik\WINDOWS
    2011-11-14 14:08:28 -------- d-----w- c:\program files\common files\Innovative Solutions
    2011-11-13 19:17:27 -------- d-----w- C:\DriveKey
    2011-11-13 09:17:51 140800 ----a-w- c:\windows\system32\drivers\egxfilter.sys
    2011-11-13 09:17:26 -------- d-----w- c:\windows\SiS
    2011-11-13 09:17:16 32768 ----a-w- c:\windows\system32\drivers\sisnicxp.sys
    2011-11-13 09:13:41 35712 ----a-w- c:\windows\system32\drivers\SISAGPX.SYS
    2011-11-13 09:09:37 6016 ----a-w- c:\windows\system32\drivers\siside.sys
    2011-11-13 09:02:10 217088 ----a-w- c:\windows\Alcrmv.exe
    2011-11-13 08:56:03 14336 ----a-w- c:\windows\system32\drivers\Amps2prt.sys
    2011-11-13 08:38:33 -------- d-----w- c:\documents and settings\all users\Uniblue
    2011-11-13 07:38:11 -------- d-----w- c:\program files\WhoCrashed
    2011-11-13 07:29:35 -------- d-----w- c:\documents and settings\korisnik\local settings\application data\Apple
    2011-11-13 07:28:47 -------- d-----w- c:\documents and settings\korisnik\local settings\application data\Apple Computer
    2011-11-13 07:09:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-11-13 07:09:50 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-11-13 07:08:56 -------- d-----w- c:\windows\system32\QuickTime
    2011-11-11 17:37:35 -------- d-----w- c:\documents and settings\korisnik\Graphisoft
    2011-11-11 17:37:35 -------- d-----w- c:\documents and settings\korisnik\application data\Graphisoft
    2011-11-11 17:32:49 1409 ----a-w- c:\windows\QTFont.for
    2011-11-11 15:57:33 -------- d-----w- c:\documents and settings\korisnik\local settings\application data\{7148F0A6-6813-11D6-A77B-00B0D0142040}
    2011-11-04 13:19:25 -------- d-----w- c:\program files\Autodesk Civil 3D 2006
    2011-11-02 14:52:00 11137024 ----a-w- c:\windows\system32\libmfxsw32.dll
    2011-11-02 14:37:46 -------- d-----w- c:\documents and settings\korisnik\application data\AVS4YOU
    2011-11-02 14:35:03 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
    2011-11-02 14:35:03 -------- d-----w- c:\program files\common files\AVSMedia
    2011-11-02 14:35:02 24576 ----a-w- c:\windows\system32\msxml3a.dll
    2011-11-02 14:35:02 -------- d-----w- c:\program files\AVS4YOU
    2011-11-02 14:35:02 -------- d-----w- c:\documents and settings\all users\application data\AVS4YOU
    2011-11-02 14:26:04 -------- d-----w- c:\program files\ACM Converter
    .
    ==================== Find3M ====================
    .
    2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-11-22 17:51:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-13 09:02:11 4122368 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
    2011-11-13 09:02:07 577536 ----a-w- c:\windows\SOUNDMAN.EXE
    2011-11-13 09:02:06 147456 ----a-w- c:\windows\system32\RTLCPAPI.dll
    2011-11-13 09:02:06 10528768 ----a-w- c:\windows\system32\RTLCPL.EXE
    2011-11-13 09:02:01 18804736 ----a-w- c:\windows\system32\ALSNDMGR.CPL
    2011-10-24 13:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 13:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 12:03:28,10 ===============

    WhoCrashed report

    Crash dump directory: C:\WINDOWS\Minidump

    Crash dumps are enabled on your computer.


    On Wed 30.11.2011 11:26:04 GMT your computer crashed
    crash dump file: C:\WINDOWS\Minidump\Mini113011-02.dmp
    This was probably caused by the following module: atapi.sys (atapi+0x86AB)
    Bugcheck code: 0x100000D1 (0x60, 0x5, 0x0, 0xFFFFFFFFF74A26AB)
    Error: CUSTOM_ERROR
    file path: C:\WINDOWS\system32\drivers\atapi.sys
    product: Microsoft® Windows® Operating System
    company: Microsoft Corporation
    description: IDE/ATAPI Port Driver
    The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system which cannot be identified at this time.


    On Wed 30.11.2011 11:17:24 GMT your computer crashed
    crash dump file: C:\WINDOWS\Minidump\Mini113011-01.dmp
    This was probably caused by the following module: atapi.sys (atapi+0x85F7)
    Bugcheck code: 0x100000D1 (0xC, 0x5, 0x1, 0xFFFFFFFFF74A25F7)
    Error: CUSTOM_ERROR
    file path: C:\WINDOWS\system32\drivers\atapi.sys
    product: Microsoft® Windows® Operating System
    company: Microsoft Corporation
    description: IDE/ATAPI Port Driver
    The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system which cannot be identified at this time.
    Attached Files

  4. #4
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello,

    I dont see anything in your log to indicate and infection. Let go ahead and run a couple of tools and see what they find.


    1.
    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
      Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C.
    • Copy and paste the contents of that file in your next reply.




    2.
    Install Recovery Console and Run ComboFix

    This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

    Download Combofix from any of the links below, and save it to your desktop.

    Link 1
    Link 2
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
    • Close any open windows, including this one.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you did not have it installed, you will see the prompt below. Choose YES.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
    should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running.
    ComboFix will restart your computer if malware is found; allow it to do so.


    Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


    Things to include in your next reply::
    TDSSKiller log
    Combofix.txt
    Still getting BSODs?
    " Extinguishing Malware from the world"

    The Spware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  5. #5
    Member
    Join Date
    Nov 2011
    Posts
    6
    Points
    0

    Default

    Hi fireman4it thanks for your help with my problems.

    I run scan with these two programs (TDSSKiller, ComboFix),I also run quick scan with aswMBR and luckily BSOD did not appear.
    But with GMER BSOD appear. (atapi.sys)

    All 3 scan logs (TDSSKiller, ComboFix, aswMBR) are in attachment.
    Attached Files

  6. #6
    Member
    Join Date
    Nov 2011
    Posts
    6
    Points
    0

    Default

    Hi fireman4it, today after my last post i rollback Windows updates and then perform scan with GMER everything was god no BSOD and here is report in attachments.

    Is there a way to check whether the atapi.sys is infected or not.
    Atapi Sys Blue Screen | How To Fix Blue Screen Of Death
    Attached Files

  7. #7
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello,

    i rollback Windows updates
    What do you mean rollback Windows updates?Please don't make any changes other than I suggest until we get you all cleaned up.


    Is there a way to check whether the atapi.sys is infected or not.
    Atapi is not infected I do believe, but we will check it anyway.


    Some of the problems you could have been having with the BSOD could have been with your Registry Cleaner


    1.
    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Jotti

    When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\Windows\system32\drivers\atapi.sys

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Virustotal: VirusTotal - Free Online Virus, Malware and URL Scanner


    2.
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.

    Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

    • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
      For instructions with screenshots, please refer to this Guide.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

    • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
    • Click on the Scan button.
    • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked and then click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
    • Exit Malwarebytes when done.

    Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


    3.
    I'd like us to scan your machine with ESET OnlineScan
    1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the
        icon on your desktop.
    4. Check "YES, I accept the Terms of Use."
    5. Click the Start button.
    6. Accept any security warnings from your browser.
    7. Under scan settings, check "Scan Archives" and "Remove found threats"
    8. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, click List Threats
    11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Click the Back button.
    13. Click the Finish button.


    4.
    We need to check your hard disk for errors.

    To check the volume for errors:
    • Click start and then My Computer.
    • Right click the drive C and select Properties.
    • Under Tools tab press Check Now...
    • Put a check mark in both items and press start.
    • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.

    *NOTE: This scan could take along time to complete, but let it finish.



    Things to include in your next reply::
    Jotti Results
    MBAM log
    Eset log
    How is your machine running now?
    " Extinguishing Malware from the world"

    The Spware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  8. #8
    Member
    Join Date
    Nov 2011
    Posts
    6
    Points
    0

    Default

    What do you mean rollback Windows updates?Please don't make any changes other than I suggest until we get you all cleaned up.
    Last windows updates where installed 11-25-2011 so I uninstall all updates from that day.

    All logs are in attachments.

    I dont have any more BSODs problems with my machine, all problems seems to gone after i uninstall windows updates.
    Attached Files

  9. #9
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello, Nindzaa.
    Congratulations! You now appear clean!



    Uninstall Combofix
    • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
      o *If it is not on your Desktop, the below will not work.
    • Click on then Run....
    • Now copy & paste the green bolded text in the run-box and click OK.

      ComboFix /Uninstall



      <Notice the space between the "x" and "/".> <--- It needs to be there
      Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

    • Please advise if this step is missed for any reason as it performs some important actions:
      "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
      It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".





    Are things running okay? Do you have any more questions?

    System Still Slow?
    You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
    If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

    We Need to Clean Up Our Mess
    • Download OTC by OldTimer and save it to your desktop.
    • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
    • Then Click the big button.
    • You will get a prompt saying "Being Cleanup Process". Please select Yes.
    • Restart your computer when prompted.




    One of the most common questions found when cleaning malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software or that your computer's security settings are set too low.

    Below I have outlined a series of categories that outline how you can increase the security of your computer to help reduce the chance of being infected again in the future.

    Do not use P2P programs
    Peer-to-peer or file-sharing programs (such as uTorrent, Limewire and Bitorrent) are probably the primary route of infection nowadays. These programs allow file sharing between users as the name(s) suggest. It is almost impossible to know whether the file you’re downloading through P2P programs is safe.

    It is therefore possible to be infected by downloading infected files via peer-to-peer programs and so I recommend that you do not use these programs. Should you wish to use them, they must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

    In addition, P2P programs facilitate cyber crime and help distribute pirated software, movies and other illegal material.

    Practice Safe Internet
    Another one of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.

    Below are a list of simple precautions to take to keep your computer clean and running securely:
    1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
    2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
    3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is themselves infected with malware which is trying to infect everyone in their address book. A key thing to look out for here is: does the email sound as though it’s from the person you know? Often, the email may simply have a web link or a “Run this file to make your PC run fast” message in it.
    4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop-ups, or Foistware, you should read this article: Foistware, And how to avoid it.
      There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. Removal instructions for a lot of these "rogues" can be found here.
    5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you, or will download a file to your PC without your knowledge. You can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake. DO NOT click on these windows, instead close them by finding the open window on your Taskbar, right click and chose close.
    6. Do not visit pornographic websites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do, as this can often form part of their funding.
    7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link you should message back to the person asking if it is legit.
    8. Stay away from Warez and Crack sites! As with Peer-2-Peer programs, in addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download files from a site, and are not sure if they are legitimate, you can use tools such as BitDefender Traffic Light, Norton Safe Web, or McAfee SiteAdvisor to look up info on the site and stay protected against malicious sites. Please be sure to only choose and install one of those tool bars.
    10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
      Sometimes even legitimate programs will try to bundle extra, unwanted, software with the program you want - this is done to raise money for the program. Be sure to untick any boxes which may indicate that other programs will be downloaded.


    Keep Windows up-to-date
    Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure.

    • Windows XP users
      You should visit Windows Update to check for the latest updates to your system. The latest service pack (SP3) can be obtained directly from Microsoft here.
    • Windows Vista users
      You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP2) can be obtained directly from Microsoft here.
    • Windows 7 users
      You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP1) can be obtained directly from Microsoft here



    Keep your browser secure
    Most modern browsers have come on in leaps and bounds with their inbuilt, default security. The best way to keep your browser secure nowadays is simply to keep it up-to-date.

    The latest versions of the three common browsers can be found below:


    Use an AntiVirus Software
    It is very important that your computer has an up-to-date anti-virus software on it which has a real-time agent running. This alone can save you a lot of trouble with malware in the future.
    See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources, a couple of free Anti-Virus programs you may be interested in are Microsoft Security Essentials and Avast.

    It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

    Use a Firewall
    I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

    All versions of Windows starting from XP have an in-built firewall. With Windows XP this firewall will protect you from incoming traffic (i.e. hackers). Starting with Windows Vista, the firewall was beefed up to also protect you against outgoing traffic (i.e. malicious programs installed on your machine should be blocked from sending data, such as your bank details and passwords, out).

    In addition, if you connect to the internet via a router, this will normally have a firewall in-built.

    Some people will recommend installing a different firewall (instead of the Windows’ built one), this is personal choice, but the message is to definitely have one! For a tutorial on Firewalls and a listing of some available ones see this link: Understanding and Using Firewalls

    Install an Anti-Malware program
    Recommended, and free, Anti-Malware programs are Malwarebytes Anti-Malware and SuperAntiSpyware.

    You should regularly (perhaps once a week) scan your computer with an Anti-Malware program just as you would with an antivirus software.

    Make sure your applications have all of their updates
    It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is very important to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities (such as Adobe Reader and Java). You can check these by visiting Secunia Software Inspector.

    Follow this list and your potential for being infected again will reduce dramatically.
    " Extinguishing Malware from the world"

    The Spware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  10. #10
    Member
    Join Date
    Nov 2011
    Posts
    6
    Points
    0

    Default

    Thanks for your help, everything is fine now.

Page 1 of 2 12 LastLast