Tricky redirect virus, please help me remove it!

[EthanJM]

I have some strange redirect virus, when you click on results in google it just redirects you to these random purchasing sites or retarded related search sites. AVG, malwarebytes, and superantispyware are not finding this virus. Internet explorer is also locking up constantly since I have noticed the redirect virus. I did some research and found the program TDSSKiller but it just says it, "encountered a problem and needs to close", when I run the .exe file after initialization at 80%. Also sometimes since I have noticed this virus I get an error report stating that a generic system 32 process needs to close. Any help would be appreciated, I usually have little trouble eliminating viruses but this one is being tricky.

 

[EthanJM]

Ok so I noticed in someone elses thread John wanted someone to run combofix, so I installed it and tried to run it, but I need to uninstall AVG first, so I go to do that and AVG will not remove, it says I encountered an error.

 

[GaryCantley]

If you have another PC, download AVG remover and install it on the affected PC from a memory stick.

I'm sure JohnB will be along soon to give better advice.

 

[johnb35]

Please download the following programs onto a usb flash drive from a different machine.

ccleaner - http://download.cnet.com/ccleaner/

AVG removal tool - http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe

Rkill (renamed IExplore.exe) - http://download.bleepingcomputer.com/grinler/iExplore.exe

combofix - http://www.bleepingcomputer.com/download/anti-virus/combofix

If you already have ccleaner and run it weekly then there is no need to run it again.

If you don't have it then do the following.

Boot to regular windows mode.

1. Run the avg removal tool (may take a few minutes to complete) When its completed make sure that the avg folder is gone from C:\program files.

2. Install ccleaner and run it. Open the program and click on run cleaner down on the bottom right corner. This may take some time if you haven't cleaned out your temp files.

When ccleaner is done then reboot into safe mode by pressing the f8 button on startup and select safe mode with networking on the safe mode options page and run the following tools in order.

1. Run rkill(renamed iexplore.exe) This will produce a black box on your screen and may take up to a couple minutes to run. When its completed it will produce a log that I need you to save to your flash drive.

2. Run combofix. This may take up to 20 minutes or so, be patient. It may reboot the computer, please allow it do so. If it detects rootkit activity (which it most likely will) it will say so and reboot the system and then restart, make sure you go back into safe mode though. When its done it produces a log which again, you need to save to your flash drive.

Then restart your computer in normal mode and copy and paste both of those logs along with a fresh hijackthis log in a reply back here.

 

[EthanJM]

Ok, I just ran rkill, but accidently ran it in normal mode, running it in safe mode now, but it did find and delete something, be back shortly. Log is below.




This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/22/2011 at 4:22:06.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\grpconv.exe


Rkill completed on 04/22/2011 at 4:22:16.

 

[EthanJM]

Ok, I just ran rkill, but accidently ran it in normal mode, running it in safe mode now, but it did find and delete something, be back shortly. Log is below.




This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/22/2011 at 4:22:06.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\grpconv.exe


Rkill completed on 04/22/2011 at 4:22:16.

Just ran Rkill in safe mode, found and terminated the same process, now I am running combofix on the problem computer.

 

[EthanJM]

Ok, ran Rkill and combofix in safe mode, here are the logs.





RKill Log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/22/2011 at 4:27:14.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\grpconv.exe


Rkill completed on 04/22/2011 at 4:27:24.





Combofix Log
ComboFix 11-04-21.03 - Ethan Messer 04/22/2011 4:36.1.4 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.3063 [GMT -4:00]
Running from: c:\downloads\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-22 08:07 . 2011-04-22 08:07 -------- d-----w- c:\program files\AVG remover
2011-04-22 08:07 . 2011-04-22 08:07 -------- d-----w- C:\New Folder
2011-04-22 07:52 . 2011-04-22 07:52 -------- d-----w- c:\program files\CCleaner
2011-04-21 10:09 . 2011-04-21 10:09 77912 ----a-w- c:\windows\system32\drivers\klmd.sys
2011-04-21 10:02 . 2011-04-21 10:03 -------- d-----w- c:\program files\TDSSKiller
2011-04-21 09:54 . 2011-04-21 10:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-21 09:52 . 2011-04-21 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-04-20 09:21 . 2011-04-20 09:21 -------- d-----w- c:\documents and settings\Ethan Messer\Application Data\Malwarebytes
2011-04-20 09:21 . 2011-04-20 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-20 09:21 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 09:21 . 2011-04-20 09:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 09:21 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-18 07:08 . 2011-04-18 07:08 -------- d-----w- c:\program files\Common Files\Java
2011-04-17 20:03 . 2011-04-17 20:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-17 00:36 . 2011-04-17 00:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-11 21:26 . 2011-04-11 21:26 53248 ----a-r- c:\documents and settings\Ethan Messer\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-04-11 21:16 . 2011-04-11 21:31 -------- d-----w- c:\documents and settings\Ethan Messer\Application Data\Mount&Blade Warband
2011-04-11 21:16 . 2009-09-04 21:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2011-04-11 21:16 . 2009-09-04 21:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-04-11 21:16 . 2009-03-09 19:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2011-04-11 21:16 . 2011-04-11 21:16 -------- d-----w- c:\windows\Logs
2011-04-01 01:31 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-04-01 01:31 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-04-01 01:31 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-04-01 01:31 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-03-27 05:15 . 2011-03-27 05:15 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2011-02-02 12:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2011-02-03 08:00 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 01:40 . 2011-02-02 15:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19 . 2011-02-02 15:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 15:03 . 2011-02-02 15:03 221184 ----a-w- c:\windows\Ants.scr
2011-02-02 14:32 . 2011-02-02 14:32 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-02-02 07:58 . 2011-02-02 12:52 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2011-02-02 12:52 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-02-22 26101032]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
"Steam"="c:\program files\Steam\Steam.exe" [2011-02-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-16 18782720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skulltag\\skulltag.exe"=
"c:\\Program Files\\Skulltag\\doomseeker.exe"=
"c:\\Program Files\\Skulltag\\rcon_utility.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\LFS\\LFS.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mountblade warband\\mb_warband.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 8:56 AM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 74480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2011 11:04 AM 136176]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2/2/2011 10:31 AM 10448]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/2/2011 9:39 AM 1684736]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 7408]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - LBEEPKE
*NewlyCreated* - PARPORT
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-02 15:04]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-02 15:04]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
Notify-avgrsstarter - avgrsstx.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 04:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD10EADS-00M2B0 rev.01.00A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-a
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AC8E332
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'lsass.exe'(652)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(564)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-04-22 04:47:05
ComboFix-quarantined-files.txt 2011-04-22 08:47
.
Pre-Run: 975,347,027,968 bytes free
Post-Run: 977,319,350,272 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - A93A8ACE967072F40F31B7B501A07AAF

 

[EthanJM]

Still being redirected.

 

[EthanJM]

Ok, well I just did a new update on superantispyware, now it is coming up with 2 Trojan.Agent/Gen-Bancos and 1 Trojan.Agent/Gen/Nullo[Short] Hopefully that was it, be right back.

 

[EthanJM]

Ok, didn't fix the problem. I found this.

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

I followed the steps but just like before TDSSKiller just fails to start, I get an error report during initialization at 80% every time.

 

[cabinfever1977]

you could format your hard drive, then reload windows and your drivers, then it will work like new and it would be alot quicker.

 

[johnb35]

Please redownload tdsskiller from this link and save it to your desktop and run it from there. let me know if it sill errors.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.

Also do the following.

Download MBRCheck to your desktop.

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  
  Done! Press ENTER to exit...
  
  
• Or you will see more information like below if a problem is found:
  
  Found non-standard or infected MBR.
  Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  
  
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message.

 

[EthanJM]

TDSSKiller is still failing at 80% even from that link and running from my desktop.
MBRCheck says Windows XP MBR Code detected. Log is below.
I am going to try this other program called GMER, be back with the results.





MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0x8AE1A000 \WINDOWS\system32\KDCOM.DLL
0xB84BC000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7F31000 atapi.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7F11000 fltmgr.sys
0xB7EFF000 sr.sys
0xB7EE8000 KSecDD.sys
0xB7E5B000 Ntfs.sys
0xB7E2E000 NDIS.sys
0xB85AA000 speedfan.sys
0xB7E14000 Mup.sys
0xB8671000 giveio.sys
0xB8288000 \SystemRoot\system32\DRIVERS\AmdPPM.sys
0xB1A6C000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB1A58000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB1A23000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xB8458000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB19FF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8460000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8298000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB82A8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB82B8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB19DC000 \SystemRoot\system32\DRIVERS\ks.sys
0xB19B4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB82C8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB8468000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8470000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB82D8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB3D09000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB3D05000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB873B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB322D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB3D01000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB199D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB321D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB320D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8478000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB198C000 \SystemRoot\system32\DRIVERS\psched.sys
0xB31FD000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8480000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8488000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB31ED000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8490000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB8600000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB192E000 \SystemRoot\system32\DRIVERS\update.sys
0xB8564000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8568000 \SystemRoot\system32\drivers\WmBEnum.sys
0xB31DD000 \SystemRoot\system32\drivers\WmXlCore.sys
0xB241B000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB860A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB240B000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAD3F2000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAD3CE000 \SystemRoot\system32\drivers\portcls.sys
0xB8228000 \SystemRoot\system32\drivers\drmk.sys
0xB8410000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB85B2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA8579000 \SystemRoot\System32\Drivers\Null.SYS
0xB85B4000 \SystemRoot\System32\Drivers\Beep.SYS
0xAC8FC000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAC8F4000 \SystemRoot\System32\drivers\vga.sys
0xB85B6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85B8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAC8EC000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAC8E4000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAD3B2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8233000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA81DA000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA81A0000 \SystemRoot\System32\Drivers\avgtdix.sys
0xA817A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xACCC4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAC8DC000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA38B9000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA16B7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA2B38000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xA16A7000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xA0279000 \SystemRoot\System32\Drivers\wdf01000.sys
0xA38B5000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA2B30000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xA0251000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA022F000 \SystemRoot\System32\drivers\afd.sys
0xA1677000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA020A000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xA2B18000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA01DF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA016F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA1657000 \SystemRoot\System32\Drivers\Fips.SYS
0xA2B10000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xA013B000 \SystemRoot\System32\Drivers\avgldx86.sys
0x9FD1D000 \SystemRoot\system32\DRIVERS\lvuvc.sys
0xA03FB000 \SystemRoot\system32\drivers\usbaudio.sys
0x9FCD9000 \SystemRoot\system32\DRIVERS\lvrs.sys
0x9FCB5000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA83C7000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9FC9D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA21FC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAC64F000 \SystemRoot\System32\drivers\Dxapi.sys
0xA0FCF000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB86E7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD62C000 \SystemRoot\System32\ATMFD.DLL
0xA87AC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9EF7A000 \SystemRoot\system32\drivers\wdmaud.sys
0xAE7FC000 \SystemRoot\system32\drivers\sysaudio.sys
0x9EFDF000 \SystemRoot\system32\drivers\WmVirHid.sys
0x9EE02000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x9EB3D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA826F000 \SystemRoot\System32\Drivers\LBeepKE.sys
0x9E8BE000 \SystemRoot\system32\DRIVERS\srv.sys
0xB8390000 \SystemRoot\system32\Drivers\LVPr2Mon.sys
0x9E238000 \SystemRoot\System32\Drivers\HTTP.sys
0xB8420000 \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
0x8BDFD000 \SystemRoot\system32\drivers\kmixer.sys
0x8BCEB000 \SystemRoot\system32\drivers\klmd.sys
0xB8380000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
640 C:\WINDOWS\system32\smss.exe
688 csrss.exe
712 C:\WINDOWS\system32\winlogon.exe
760 C:\WINDOWS\system32\services.exe
780 C:\WINDOWS\system32\lsass.exe
960 C:\WINDOWS\system32\nvsvc32.exe
1032 C:\WINDOWS\system32\svchost.exe
1104 svchost.exe
1204 C:\WINDOWS\system32\svchost.exe
1308 svchost.exe
1424 svchost.exe
1444 C:\Program Files\AVG\AVG9\avgchsvx.exe
1468 C:\Program Files\AVG\AVG9\avgrsx.exe
1576 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1908 C:\WINDOWS\system32\spoolsv.exe
220 C:\WINDOWS\explorer.exe
572 C:\WINDOWS\RTHDCPL.EXE
400 C:\WINDOWS\system32\rundll32.exe
608 C:\Program Files\Logitech\Gaming Software\LWEMon.exe
632 C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
684 C:\Program Files\Logitech\SetPointP\SetPoint.exe
672 C:\Program Files\Common Files\Java\Java Update\jusched.exe
692 C:\PROGRA~1\AVG\AVG9\avgtray.exe
920 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
924 C:\Program Files\Skype\Phone\Skype.exe
980 C:\Program Files\Logitech\Vid HD\Vid.exe
1068 C:\WINDOWS\system32\ctfmon.exe
1300 C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
1360 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
2160 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
2600 svchost.exe
2800 C:\Program Files\AVG\AVG9\avgwdsvc.exe
2996 C:\Program Files\Skype\Plugin Manager\skypePM.exe
3104 C:\Program Files\Java\jre6\bin\jqs.exe
3256 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
3484 C:\Program Files\AVG\AVG9\avgnsx.exe
3676 C:\WINDOWS\system32\svchost.exe
232 C:\Program Files\AVG\AVG9\avgemc.exe
1380 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1400 C:\Program Files\Steam\Steam.exe
3732 alg.exe
3164 C:\Program Files\Logitech\LWS\LU\LULnchr.exe
3076 C:\Program Files\Logitech\LWS\LU\LogitechUpdate.exe
3548 C:\Program Files\Internet Explorer\iexplore.exe
3600 C:\Program Files\Internet Explorer\iexplore.exe
2752 C:\Documents and Settings\Ethan Messer\Desktop\MBRCheck.exe
2424 C:\Program Files\Internet Explorer\iexplore.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD10EADS-00M2B0, Rev: 01.00A01

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

 

[EthanJM]

Gmer did say it found some rootkit activity, unfortunately I was unable to copy a log into notepad because no other programs were working after the scan, and some of the information was cut off and there was no way to highlight the whole line to read every font and digit. I had to get a pencil and paper and just write them down, here is what I saw highlighted in red.

Service C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V.2.0.50727\aspnet_st… [MANUAL] aspnet_state

Service C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V.2.0.50727\mscorsvw… [MANUAL]clr_optimization_v2.0.507

Service C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\
V.3.0\WINDOWS COMMU… [MANUAL] idsvc

Service C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\
V.3.0\WINDOWS COMMU… [DISABLED] NetTcpPortSharing

Service C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\
V.3.0\WPF\Presentatio… [MANUAL]FontCache3.0.0.0


I right clicked all of them and tried to delete them, but it wouldn't let me, so I tried to disable them instead, GMER says it disabled all of them, but I am still getting redirects and everything is still running strange and slow. I tried to find these manually but was unable to, they don't appear to be there, they must be hidden somehow. What do you make of this?

 

[johnb35]

What broswer do you use? I'm leaving for work shortly so i'll reply again when i get home tonight. Also post an uninstall list using hijackthis.

open hijackthis, click on open misc tools section, click on open uninstall manager, click on save list and save it. Then copy and paste it back here.

 

[EthanJM]

I use internet explorer. Here is the uninstall list. Thanks for your time so far, it is looking more and more like I might have to reformat though.

Adobe Flash Player 10 ActiveX
AMD Processor Driver
Apple Application Support
Apple Software Update
Audacity 1.3.12 (Unicode)
CameraHelperMsi
CCleaner
eReg
Google Earth
Google Update Helper
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Java(TM) 6 Update 24
K-Lite Codec Pack 5.6.1 (Standard)
Logitech Gaming Software 5.10
Logitech SetPoint 6.22
Logitech Vid HD
Logitech Webcam Software
Logitech Webcam Software Driver Package
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MuvEnum Address Bar - Windows Explorer Extension
NVIDIA Graphics Driver 266.58
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skulltag
Skype Toolbars
Skype™ 4.2
SpeedFan (remove only)
Steam
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Internet Explorer 8
Windows XP Service Pack 3
WinRAR archiver

 

[johnb35]

Download GMER Rootkit Scanner from here or here

•Extract the contents of the zipped file to desktop.
•Double click GMER.exe.
•If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..

•In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
◦Sections
◦IAT/EAT
◦Drives/Partition other than Systemdrive (typically C:\)
◦Show All (don't miss this one)
•Then click the Scan button & wait for it to finish.
•Once done click on the [Save..] button, and in the File name area, type in "gmerlog.txt"

•Save it where you can easily find it, such as your desktop and post its contents in your next reply.

 

[EthanJM]

I am unable to save anything after the gmer scan is complete. The copy button isn't copying, and saving it is impossible because when I click that it either brings up the "save as" menu that is completely blank with no text and non functional which is really bizarre, or it says it is unable to open the folder whatever that means. This time I even opened notepad before the scan because last time notepad would not open, and it just won’t copy for me. This virus is making my computer pretty useless, half the time when I try to restart it just gets stuck trying to boot up on that blue xp screen, or it boots my desktop background with no icons, no start button, no task manager, and no explorer. When the computer is on for any good amount of time it will also act up forcing a reboot, usually me hitting the restart button on the tower. I just don’t think it is fixable, I feel like I will have to reformat, and I am still hoping even after that it isn’t stuck on my drive encrypted somehow or in my bios, I read that rootkits can do that, not so sure on the validity of that information though. I just don’t understand why people can get away with this, many of my redirects take me to scour.com (don’t go there!), and even yellowbook.com is taking advantage of this hacking program to redirect me to their site over and over. In other words, whoever is scour.com, they seem to be responsible for this destructive rootkit (other companies seem to be paying them to have their urls added to the redirect list) and nobody gets in trouble. Some viruses out there want you to buy their anti virus software to get rid of the crap they put on your computer, and somehow nobody can trace the bank account that is wired to them through their website? I just don’t get it. Sorry for the ramble, but this is my second reformat in a short space of time because of some hyper virus that is impossible to remove, I hate the people who write this software. I can't reformat now, I have things to do, maybe in the next few days. If you have any more ideas that would be appreciated, but this rootkit is making my computer useless thus hard/impossible to find the rootkit to get rid of it.

 

[johnb35]

At this point, with you unable to finish running any other tools then I'm afraid a reformat is the next thing to do.

However, lets see if you can run A dds scan.

Download DDS from the following location

DDS Download Link

When you click on the above link you will see be brought to a download page. Please click on the Download Now button and a download prompt similar to Figure 1 below.

Click on the Save button. You will now be presented with a screen similar to Figure 2 below asking where you would like to save the file.

Click once on the Desktop button, designated by the red arrow in the figure above, to save the file to your Desktop and then press the Save button. Your computer will now download the file to your computer and save it on your Desktop. When it is done downloading you will now find an icon on your desktop that looks like Figure 3 below.

Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

Once you double-click the icon a Windows security warning may also appear asking if you are sure you would like to run the program. This warning is shown in Figure 4 below.

Click on the Run button to start DDS. If no warning appeared, as shown above, then you should just continue reading.

DDS will now display a small black window providing information as to what DDS is doing on your computer as shown in Figure 5 below.

DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two Notepad windows named dds.txt and attach.txt as shown below.

You will then be shown a small box giving instructions as to what you should do with these files. Feel free to close this message box by pressing the OK button.

We now need to save the two log files that were created. First click on the DDS.txt window and click on the File menu and then select Save As... menu option. You will now be presented with a screen similar to Figure 8 below asking where you would like to save the file.

Click once on the Desktop button, designated by the red arrow in the figure above, to save the file to your Desktop and then press the Save button. The DDS.txt log will now be saved to your Desktop. Now click on the Attach.txt Notepad window and perform the same steps to save that file to your Desktop as well.

Please copy and paste the contents of the dds.txt log and the attach.txt log in your next reply.