Win64:Sirefef Infection
- Thread starter dinosaur58
- Start date
dinosaur58
New member
Latest run
Ran CF with script. Proceeded same as previous runs. Connection problem occurred again. After CF run - DeQuarantine log opens in Notepad. I searched for Normal CF log using Win Explorer but couldn't find one. I then double clicked on the Firefox icon on my desktop. Firefox opened normally and I clicked on the link to this website in the 'History' dropdown menu, but got the connection reset message. To be sure that it was a global problem I tried to connect to another website and got the same message.
As mentioned above, no CF log - DeQuarantine log follows:
c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir -> c:\windows\system32\Bass.dll ( 92216 bytes )
Ran CF with script. Proceeded same as previous runs. Connection problem occurred again. After CF run - DeQuarantine log opens in Notepad. I searched for Normal CF log using Win Explorer but couldn't find one. I then double clicked on the Firefox icon on my desktop. Firefox opened normally and I clicked on the link to this website in the 'History' dropdown menu, but got the connection reset message. To be sure that it was a global problem I tried to connect to another website and got the same message.
As mentioned above, no CF log - DeQuarantine log follows:
c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir -> c:\windows\system32\Bass.dll ( 92216 bytes )
Hi,
Has the problem occured only after these two previous ComboFix run where CFScript.txt was used?
If Files_for_submission.zip still exists on your desktop delete it. Then open notepad and copy/paste the text in the codebox below into it:
Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
It should look like this:
Double click on grab.bat & allow it to run
A file, Files_for_submission.zip will be created on your desktop.
Please upload that zip file to this website. Kindly include a link to this topic in the message.
Has the problem occured only after these two previous ComboFix run where CFScript.txt was used?
If Files_for_submission.zip still exists on your desktop delete it. Then open notepad and copy/paste the text in the codebox below into it:
Code:
@echo off
for %%g in (
c:\windows\system32\Bass.dll
) do zip Files_for_submission %%g
del %0Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
It should look like this:
Double click on grab.bat & allow it to run
A file, Files_for_submission.zip will be created on your desktop.
Please upload that zip file to this website. Kindly include a link to this topic in the message.
dinosaur58
New member
File submitted
Problem also occured before first CF run, when infection had been acitve for several days. On that occurrence the loss of internet access recieved 'the server cannot be found' messages for all sites rather than 'Connection Reset'.
File submitted to bleepingcomputer. Also submitted to Virustotal [I use that site to check suspicious files] to see how they measure up: 0/42 detections.
Problem also occured before first CF run, when infection had been acitve for several days. On that occurrence the loss of internet access recieved 'the server cannot be found' messages for all sites rather than 'Connection Reset'.
File submitted to bleepingcomputer. Also submitted to Virustotal [I use that site to check suspicious files] to see how they measure up: 0/42 detections.
dinosaur58
New member
Correct.
dinosaur58
New member
CF run proceeded the same in safe mode. Not sure if problem recurred, since Safe Mode [no networking] required reboot, and reboot solved internet access problem last time.
CF log follows:
ComboFix 12-07-18.04 - Administrator 07/18/2012 10:34:02.22.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3169 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\Country11.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-18 09:59 . 2012-07-18 09:59 92216 ----a-w- c:\windows\system32\Bass.dll
2012-07-17 06:26 . 2012-07-17 06:26 -------- d-----w- c:\windows\system32\Filters
2012-07-17 05:07 . 2012-07-17 06:27 -------- d-----w- C:\Country10
2012-07-16 14:49 . 2012-07-16 14:49 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\PrivacIE
2012-07-16 14:43 . 2012-07-16 14:43 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\IETldCache
2012-07-16 14:37 . 2012-07-16 14:38 -------- dc-h--w- c:\windows\ie8
2012-07-16 14:34 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-07-16 14:34 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-07-16 14:34 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-07-16 14:34 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-16 14:34 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-07-16 14:34 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-16 14:34 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-07-15 20:07 . 2012-07-15 20:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-15 20:07 . 2012-07-15 20:07 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-15 20:07 . 2012-07-15 20:07 -------- d-----w- c:\program files\Java
2012-07-15 20:04 . 2012-07-15 20:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 19:42 . 2012-07-15 19:42 -------- d-----w- c:\program files\Foxit Software
2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 20:07 . 2010-07-04 16:11 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2012-07-15 19:49 . 2012-07-15 19:49 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-07-17_12.16.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 22:42 . 2012-07-18 16:37 82750 c:\windows\system32\perfc009.dat
+ 2007-10-23 22:42 . 2012-07-18 16:37 466606 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
.
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RTHDCPL"=RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\DRIVERS\MDP100_XP.sys --> c:\windows\system32\DRIVERS\MDP100_XP.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/15/2012 01:49 PM 129976]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 10:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@Allowed: (Read) (RestrictedCode)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
.
Completion time: 2012-07-18 10:41:46
ComboFix-quarantined-files.txt 2012-07-18 16:41
ComboFix12.txt 2012-07-17 12:18
ComboFix13.txt 2012-07-16 14:03
ComboFix14.txt 2012-07-15 17:49
ComboFix15.txt 2012-07-18 09:53
.
Pre-Run: 411,279,839,232 bytes free
Post-Run: 411,304,819,200 bytes free
.
- - End Of File - - 838021B7BD7DAAA916BCAF738BD18092
CF log follows:
ComboFix 12-07-18.04 - Administrator 07/18/2012 10:34:02.22.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3169 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\Country11.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-18 09:59 . 2012-07-18 09:59 92216 ----a-w- c:\windows\system32\Bass.dll
2012-07-17 06:26 . 2012-07-17 06:26 -------- d-----w- c:\windows\system32\Filters
2012-07-17 05:07 . 2012-07-17 06:27 -------- d-----w- C:\Country10
2012-07-16 14:49 . 2012-07-16 14:49 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\PrivacIE
2012-07-16 14:43 . 2012-07-16 14:43 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\IETldCache
2012-07-16 14:37 . 2012-07-16 14:38 -------- dc-h--w- c:\windows\ie8
2012-07-16 14:34 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-07-16 14:34 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-07-16 14:34 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-07-16 14:34 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-16 14:34 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-07-16 14:34 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-16 14:34 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-07-15 20:07 . 2012-07-15 20:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-15 20:07 . 2012-07-15 20:07 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-15 20:07 . 2012-07-15 20:07 -------- d-----w- c:\program files\Java
2012-07-15 20:04 . 2012-07-15 20:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 19:42 . 2012-07-15 19:42 -------- d-----w- c:\program files\Foxit Software
2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 20:07 . 2010-07-04 16:11 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2012-07-15 19:49 . 2012-07-15 19:49 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-07-17_12.16.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 22:42 . 2012-07-18 16:37 82750 c:\windows\system32\perfc009.dat
+ 2007-10-23 22:42 . 2012-07-18 16:37 466606 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
.
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RTHDCPL"=RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\DRIVERS\MDP100_XP.sys --> c:\windows\system32\DRIVERS\MDP100_XP.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/15/2012 01:49 PM 129976]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 10:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@Allowed: (Read) (RestrictedCode)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
.
Completion time: 2012-07-18 10:41:46
ComboFix-quarantined-files.txt 2012-07-18 16:41
ComboFix12.txt 2012-07-17 12:18
ComboFix13.txt 2012-07-16 14:03
ComboFix14.txt 2012-07-15 17:49
ComboFix15.txt 2012-07-18 09:53
.
Pre-Run: 411,279,839,232 bytes free
Post-Run: 411,304,819,200 bytes free
.
- - End Of File - - 838021B7BD7DAAA916BCAF738BD18092
dinosaur58
New member
Forgot to mention
It's probably not important, but for some reason CF detects Avast realtime shields as active in safe mode. No processes for Avast show up in Task Mgr [only 15 total processes]. I started Avast just to be sure, and it showed shields off. I then closed Avast and checked using process explorer [no avast processes]. I clicked to proceed with scan anyway.
It's probably not important, but for some reason CF detects Avast realtime shields as active in safe mode. No processes for Avast show up in Task Mgr [only 15 total processes]. I started Avast just to be sure, and it showed shields off. I then closed Avast and checked using process explorer [no avast processes]. I clicked to proceed with scan anyway.
Hi,
Nothing in logs indicate remaining infection. Those two latest runs with CFScript were different compared to earlier ones. I believe that's why connection went off. I suggest to monitor situation for a few days now. If symptoms stay away then we can have a look at the final steps.
Nothing in logs indicate remaining infection. Those two latest runs with CFScript were different compared to earlier ones. I believe that's why connection went off. I suggest to monitor situation for a few days now. If symptoms stay away then we can have a look at the final steps.
dinosaur58
New member
Holding for now
System overall seems to be running better than in quite a while. I may even test some wmv or flv files. I have been unable to play these in any of my players for a long time without getting a BSOD.
System overall seems to be running better than in quite a while. I may even test some wmv or flv files. I have been unable to play these in any of my players for a long time without getting a BSOD.
dinosaur58
New member
Update
Well, so far so good. Cursor freeze in Photoshop has returned [maybe never really gone?]. WMV files still don't play, but that's nothing to do with the virus. Everything else is running smoothly. No browser hijacks, no loss of internet access, no unknown startup/shutdown sounds. Looking good.
Well, so far so good. Cursor freeze in Photoshop has returned [maybe never really gone?]. WMV files still don't play, but that's nothing to do with the virus. Everything else is running smoothly. No browser hijacks, no loss of internet access, no unknown startup/shutdown sounds. Looking good.
It's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.
Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
- Click START then RUN
- Now copy-paste Combofix /uninstall in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.
Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade
dinosaur58
New member
Updated
System restore reset, Secunia PSI installed, and all programs that can be updated have been. It's too bad there are no settings in PSI for an 'ignore list' [unless I missed them]. It sees Adobe SVG viewer v1 and v2 [not on 'Add Remove Programs' list and I have v3 installed and updated. Also some programs I can't afford to update like Photoshop and MSFT Office [would need new versions].
The good news is that one of the updates restored wmv video capability. Restart seemed to be working for a while during the cleanup of the virus, but has returned to not working. Restart stops after BIOS screen with flashing cursor on black screen. I have researched the issue on line, but never found anything that worked. This is particularly inconvenient because I have my DVR hooked up to my PC, and Shutdown/Startup sends a backdoor power spike through the firewire cable [the setup with firewire is the only one I could get to work] which knocks out the guide for the 12 or so hours it takes to re-download from Comcast.
Still, overall much improved even over function before infection. If you think it's safe to do so I will find and purchase a HD Drive to install for my C: drive so I can make [and keep updated] a full Acronis backup.
System restore reset, Secunia PSI installed, and all programs that can be updated have been. It's too bad there are no settings in PSI for an 'ignore list' [unless I missed them]. It sees Adobe SVG viewer v1 and v2 [not on 'Add Remove Programs' list and I have v3 installed and updated. Also some programs I can't afford to update like Photoshop and MSFT Office [would need new versions].
The good news is that one of the updates restored wmv video capability. Restart seemed to be working for a while during the cleanup of the virus, but has returned to not working. Restart stops after BIOS screen with flashing cursor on black screen. I have researched the issue on line, but never found anything that worked. This is particularly inconvenient because I have my DVR hooked up to my PC, and Shutdown/Startup sends a backdoor power spike through the firewire cable [the setup with firewire is the only one I could get to work] which knocks out the guide for the 12 or so hours it takes to re-download from Comcast.
Still, overall much improved even over function before infection. If you think it's safe to do so I will find and purchase a HD Drive to install for my C: drive so I can make [and keep updated] a full Acronis backup.
dinosaur58
New member
Finished?
Before we call this topic closed I have some questions.
1]Now that I have the ability to restore my system from backup how important would you say installing Service Pack 3 is? I did this for a friend when reinstalling his system from scratch [nothing to loose], but it was a big hassle - something about getting the installer to properly recognize administrative privileges. I couldn't have managed it without my PC up and running to use for web searches/fixes.
2]"Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly." I did visit it as part of your instructions, but all the updates had already been installed [except SP3 ^] by Automatic Updates. Do I still need to visit the site if I get regular automatic updates?
3]Can you recommend a forum for expert WinXP help getting my Restart problem fixed?
I would like to add - THANK YOU, Thank You,Thank You, Thank You VERY MUCH!!! for your help fixing my system.
Signed, Dinosaur58
Before we call this topic closed I have some questions.
1]Now that I have the ability to restore my system from backup how important would you say installing Service Pack 3 is? I did this for a friend when reinstalling his system from scratch [nothing to loose], but it was a big hassle - something about getting the installer to properly recognize administrative privileges. I couldn't have managed it without my PC up and running to use for web searches/fixes.
2]"Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly." I did visit it as part of your instructions, but all the updates had already been installed [except SP3 ^] by Automatic Updates. Do I still need to visit the site if I get regular automatic updates?
3]Can you recommend a forum for expert WinXP help getting my Restart problem fixed?
I would like to add - THANK YOU, Thank You,Thank You, Thank You VERY MUCH!!! for your help fixing my system.
Signed, Dinosaur58
Hi,
Please find some answers below
1) Very important. I strongly recommend getting it.
2) After SP3 is installed there'll likely be more updates offered. If AU is enabled then it's not that big must to visit the Windows Update site.
3) You could try WhatTheTech.
Please find some answers below
1) Very important. I strongly recommend getting it.
2) After SP3 is installed there'll likely be more updates offered. If AU is enabled then it's not that big must to visit the Windows Update site.
3) You could try WhatTheTech.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.