Tidserv virus - redirecting webpages

Discussion in 'Virus and Malware Removal' started by lizmcreations, Apr 8, 2010.

  1. Broni Malware Annihilator Posts: 39,324   +175

    Physically disconnect from the internet.
    Boot from OTLPE and replace all atapi.sys files with my file.
  2. lizmcreations Newcomer, in training Posts: 60

    OK, unplugged my router AND booted to OTLPE (the first time I tried to replace all 6 files I had booted to OTLPE but didn't unplug my router) ....

    Still can't replace 2 of the atapi.sys files ...

    they are located in:
    windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.1805_none_df23a1261eab99e8

    and
    windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c

    It says the file is in use and cannot be renamed, and therefore the new file can't be put in its place.

    Could those two files be the ones causing the problems? I don't recall them even showing up in any of the other scans.

    Liz
  3. Broni Malware Annihilator Posts: 39,324   +175

    I doubt it, but let's try another way to replace them.
    Keep the computer disconnected from the internet.
    Restart computer in Safe Mode.

    Using OTM...

    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
          
    :Reg
    
    :Files
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys|C:\atapi.sys /replace
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys|C:\atapi.sys /replace
    
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  4. lizmcreations Newcomer, in training Posts: 60

    Ok, here are the contents of the log... can't tell if it replaced them or not, but I'm still having the redirect problem. Any other thoughts or suggestions?



    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    Unable to replace file: C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys with C:\atapi.sys without a reboot.
    Unable to replace file: C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys with C:\atapi.sys without a reboot.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Liz
    ->Temp folder emptied: 34556109 bytes
    ->Temporary Internet Files folder emptied: 1163910 bytes
    ->Java cache emptied: 9059 bytes
    ->FireFox cache emptied: 48747153 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 905 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 96 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 5190656 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 86.00 mb


    OTM by OldTimer - Version 3.1.10.1 log created on 04122010_170028
  5. Broni Malware Annihilator Posts: 39,324   +175

    Delete your TDSSKiller file and download fresh one.
    Run it and post fresh log.
  6. lizmcreations Newcomer, in training Posts: 60

    OK, new log (no change in status - although I notice the log shows usbstor.sys "verdict 1" which I'm assuming means that file is infected as well? Should that driver be replaced too?)

    18:06:01:980 5708 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    18:06:01:980 5708 ================================================================================
    18:06:01:980 5708 SystemInfo:

    18:06:01:980 5708 OS Version: 6.0.6002 ServicePack: 2.0
    18:06:01:980 5708 Product type: Workstation
    18:06:01:980 5708 ComputerName: LIZ-LAPTOP
    18:06:01:980 5708 UserName: Liz
    18:06:01:980 5708 Windows directory: C:\Windows
    18:06:01:980 5708 Processor architecture: Intel x86
    18:06:01:980 5708 Number of processors: 2
    18:06:01:980 5708 Page size: 0x1000
    18:06:01:980 5708 Boot type: Normal boot
    18:06:01:980 5708 ================================================================================
    18:06:01:980 5708 UnloadDriverW: NtUnloadDriver error 2
    18:06:01:980 5708 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    18:06:01:996 5708 wfopen_ex: Trying to open file C:\Windows\system32\config\system
    18:06:01:996 5708 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:06:01:996 5708 wfopen_ex: Trying to KLMD file open
    18:06:01:996 5708 wfopen_ex: File opened ok (Flags 2)
    18:06:02:027 5708 wfopen_ex: Trying to open file C:\Windows\system32\config\software
    18:06:02:027 5708 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:06:02:027 5708 wfopen_ex: Trying to KLMD file open
    18:06:02:027 5708 wfopen_ex: File opened ok (Flags 2)
    18:06:02:027 5708 Initialize success
    18:06:02:027 5708
    18:06:02:027 5708 Scanning Services ...
    18:06:02:901 5708 Raw services enum returned 436 services
    18:06:02:901 5708
    18:06:02:901 5708 Scanning Kernel memory ...
    18:06:02:901 5708 Devices to scan: 2
    18:06:02:901 5708
    18:06:02:901 5708 Driver Name: USBSTOR
    18:06:02:901 5708 IRP_MJ_CREATE : 903CDFC8
    18:06:02:901 5708 IRP_MJ_CREATE_NAMED_PIPE : 81E63A22
    18:06:02:901 5708 IRP_MJ_CLOSE : 903CE040
    18:06:02:901 5708 IRP_MJ_READ : 903CE0B8
    18:06:02:901 5708 IRP_MJ_WRITE : 903CE0B8
    18:06:02:901 5708 IRP_MJ_QUERY_INFORMATION : 81E63A22
    18:06:02:901 5708 IRP_MJ_SET_INFORMATION : 81E63A22
    18:06:02:901 5708 IRP_MJ_QUERY_EA : 81E63A22
    18:06:02:901 5708 IRP_MJ_SET_EA : 81E63A22
    18:06:02:901 5708 IRP_MJ_FLUSH_BUFFERS : 81E63A22
    18:06:02:901 5708 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E63A22
    18:06:02:901 5708 IRP_MJ_SET_VOLUME_INFORMATION : 81E63A22
    18:06:02:901 5708 IRP_MJ_DIRECTORY_CONTROL : 81E63A22
    18:06:02:901 5708 IRP_MJ_FILE_SYSTEM_CONTROL : 81E63A22
    18:06:02:901 5708 IRP_MJ_DEVICE_CONTROL : 903CDBC4
    18:06:02:901 5708 IRP_MJ_INTERNAL_DEVICE_CONTROL : 903C17E4
    18:06:02:901 5708 IRP_MJ_SHUTDOWN : 81E63A22
    18:06:02:901 5708 IRP_MJ_LOCK_CONTROL : 81E63A22
    18:06:02:901 5708 IRP_MJ_CLEANUP : 81E63A22
    18:06:02:901 5708 IRP_MJ_CREATE_MAILSLOT : 81E63A22
    18:06:02:901 5708 IRP_MJ_QUERY_SECURITY : 81E63A22
    18:06:02:901 5708 IRP_MJ_SET_SECURITY : 81E63A22
    18:06:02:901 5708 IRP_MJ_POWER : 903CC59C
    18:06:02:901 5708 IRP_MJ_SYSTEM_CONTROL : 903C97A2
    18:06:02:901 5708 IRP_MJ_DEVICE_CHANGE : 81E63A22
    18:06:02:901 5708 IRP_MJ_QUERY_QUOTA : 81E63A22
    18:06:02:901 5708 IRP_MJ_SET_QUOTA : 81E63A22
    18:06:02:916 5708 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    18:06:02:916 5708
    18:06:02:916 5708 Driver Name: atapi
    18:06:02:916 5708 IRP_MJ_CREATE : 8570DAC8
    18:06:02:916 5708 IRP_MJ_CREATE_NAMED_PIPE : 8570DAC8
    18:06:02:916 5708 IRP_MJ_CLOSE : 8570DAC8
    18:06:02:916 5708 IRP_MJ_READ : 8570DAC8
    18:06:02:916 5708 IRP_MJ_WRITE : 8570DAC8
    18:06:02:916 5708 IRP_MJ_QUERY_INFORMATION : 8570DAC8
    18:06:02:916 5708 IRP_MJ_SET_INFORMATION : 8570DAC8
    18:06:02:916 5708 IRP_MJ_QUERY_EA : 8570DAC8
    18:06:02:916 5708 IRP_MJ_SET_EA : 8570DAC8
    18:06:02:916 5708 IRP_MJ_FLUSH_BUFFERS : 8570DAC8
    18:06:02:916 5708 IRP_MJ_QUERY_VOLUME_INFORMATION : 8570DAC8
    18:06:02:916 5708 IRP_MJ_SET_VOLUME_INFORMATION : 8570DAC8
    18:06:02:916 5708 IRP_MJ_DIRECTORY_CONTROL : 8570DAC8
    18:06:02:916 5708 IRP_MJ_FILE_SYSTEM_CONTROL : 8570DAC8
    18:06:02:916 5708 IRP_MJ_DEVICE_CONTROL : 8570DAC8
    18:06:02:916 5708 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8570DAC8
    18:06:02:916 5708 IRP_MJ_SHUTDOWN : 8570DAC8
    18:06:02:916 5708 IRP_MJ_LOCK_CONTROL : 8570DAC8
    18:06:02:916 5708 IRP_MJ_CLEANUP : 8570DAC8
    18:06:02:916 5708 IRP_MJ_CREATE_MAILSLOT : 8570DAC8
    18:06:02:916 5708 IRP_MJ_QUERY_SECURITY : 8570DAC8
    18:06:02:916 5708 IRP_MJ_SET_SECURITY : 8570DAC8
    18:06:02:916 5708 IRP_MJ_POWER : 8570DAC8
    18:06:02:916 5708 IRP_MJ_SYSTEM_CONTROL : 8570DAC8
    18:06:02:916 5708 IRP_MJ_DEVICE_CHANGE : 8570DAC8
    18:06:02:916 5708 IRP_MJ_QUERY_QUOTA : 8570DAC8
    18:06:02:916 5708 IRP_MJ_SET_QUOTA : 8570DAC8
    18:06:02:916 5708 Driver "atapi" infected by TDSS rootkit!
    18:06:02:916 5708 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
    18:06:02:916 5708 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ...
    18:06:02:916 5708 Processing driver file: C:\Windows\system32\drivers\atapi.sys
    18:06:04:913 5708 vfvi6
    18:06:04:991 5708 dsvbh1
    18:06:07:674 5708 fdfb1
    18:06:07:674 5708 Backup copy found, using it..
    18:06:07:674 5708 will be cured on next reboot
    18:06:07:674 5708 Reboot required for cure complete..
    18:06:07:690 5708 Cure on reboot scheduled successfully
    18:06:07:690 5708
    18:06:07:690 5708 Completed
    18:06:07:690 5708
    18:06:07:690 5708 Results:
    18:06:07:690 5708 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
    18:06:07:690 5708 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    18:06:07:690 5708 File objects infected / cured / cured on reboot: 1 / 0 / 1
    18:06:07:690 5708
    18:06:07:690 5708 fclose_ex: Trying to close file C:\Windows\system32\config\system
    18:06:07:690 5708 fclose_ex: Trying to close file C:\Windows\system32\config\software
    18:06:07:690 5708 UnloadDriverW: NtUnloadDriver error 1
    18:06:07:690 5708 KLMD(ARK) unloaded successfully
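The TDSSKiller log above is readable by hand, but the signal worth learning to spot is in the two dispatch tables: USBSTOR's IRP_MJ entries resolve to several different addresses (with 81E63A22 repeated for the requests the driver does not implement), while every one of atapi's entries resolves to the single address 8570DAC8, and that is the driver the tool reports as infected. The script below is an added example, not code from this thread or from TDSSKiller; it parses that log layout (the embedded excerpt is constructed from the posted log, with the line set shortened) and flags any driver whose recorded handlers all point to one address. The minimum of four handlers, the regular expressions, and the dictionary layout are my own choices; the page does not say what the numeric "Verdict" means, so the script only reports it next to the stronger dispatch-table evidence.

```python
import re

# Constructed excerpt modelled on the TDSSKiller log posted above; addresses and
# verdicts are copied from it, the list of IRP_MJ lines is shortened.
SAMPLE_LOG = r"""18:06:02:901 5708 Scanning Kernel memory ...
18:06:02:901 5708 Devices to scan: 2
18:06:02:901 5708
18:06:02:901 5708 Driver Name: USBSTOR
18:06:02:901 5708 IRP_MJ_CREATE : 903CDFC8
18:06:02:901 5708 IRP_MJ_CREATE_NAMED_PIPE : 81E63A22
18:06:02:901 5708 IRP_MJ_CLOSE : 903CE040
18:06:02:901 5708 IRP_MJ_READ : 903CE0B8
18:06:02:901 5708 IRP_MJ_WRITE : 903CE0B8
18:06:02:901 5708 IRP_MJ_DEVICE_CONTROL : 903CDBC4
18:06:02:916 5708 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:06:02:916 5708
18:06:02:916 5708 Driver Name: atapi
18:06:02:916 5708 IRP_MJ_CREATE : 8570DAC8
18:06:02:916 5708 IRP_MJ_CREATE_NAMED_PIPE : 8570DAC8
18:06:02:916 5708 IRP_MJ_CLOSE : 8570DAC8
18:06:02:916 5708 IRP_MJ_READ : 8570DAC8
18:06:02:916 5708 IRP_MJ_WRITE : 8570DAC8
18:06:02:916 5708 IRP_MJ_DEVICE_CONTROL : 8570DAC8
18:06:02:916 5708 Driver "atapi" infected by TDSS rootkit!
18:06:02:916 5708 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
18:06:07:690 5708 Results:
"""

# Every line starts with "hh:mm:ss:mmm <pid>"; the rest is the message body.
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\d+)$")
INFECTED_RE = re.compile(r'^Driver "(\S+)" infected by (.+)!$')


def parse_tdsskiller(text):
    """Group the kernel-memory section by driver: IRP table, file, verdict, infection note."""
    drivers = {}
    current = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if not body:
            continue
        m = DRIVER_RE.match(body)
        if m:
            current = drivers.setdefault(
                m.group(1), {"irp": {}, "file": None, "verdict": None, "infected": None})
            continue
        if current is None:
            continue  # header lines before the first driver block
        m = IRP_RE.match(body)
        if m:
            current["irp"][m.group(1)] = int(m.group(2), 16)
            continue
        m = INFECTED_RE.match(body)
        if m:
            current["infected"] = m.group(2)
            continue
        m = VERDICT_RE.match(body)
        if m:
            current["file"], current["verdict"] = m.group(1), int(m.group(2))
    return drivers


def uniform_dispatch(irp, minimum=4):
    """True when every recorded major-function handler is one and the same address.

    A driver normally routes different IRP_MJ codes to different routines; a table
    where all of them collapse onto a single address is the pattern seen for atapi
    above. The minimum of four handlers is an assumed threshold, not from the page."""
    return len(irp) >= minimum and len(set(irp.values())) == 1


def triage(drivers):
    """Produce one finding per driver with the reasons it deserves attention (if any)."""
    findings = []
    for name, d in drivers.items():
        reasons = []
        if uniform_dispatch(d["irp"]):
            target = next(iter(d["irp"].values()))
            reasons.append("all %d IRP_MJ handlers resolve to %08X" % (len(d["irp"]), target))
        if d["infected"]:
            reasons.append("tool reports: infected by " + d["infected"])
        findings.append({"driver": name, "file": d["file"],
                         "verdict": d["verdict"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(f["driver"], f["file"], "verdict", f["verdict"], f["reasons"] or "no findings")
```

Run over the full posted log, the script reports atapi with two reasons and USBSTOR with none, which matches the tool's own conclusion and shows that a "Verdict: 1" line alone is not what separates the two drivers.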
     
  7. Broni Malware Annihilator Posts: 39,324   +175

    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
  8. lizmcreations Newcomer, in training Posts: 60

    it says that the tool is not compatible with my system ... doesn't run - I'm running Windows Vista Home Premium 32 bit.

    Liz
  9. Broni Malware Annihilator Posts: 39,324   +175

    I'd like to see something.
    Please, run fresh OTL scan.



    • Double click on OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. lizmcreations Newcomer, in training Posts: 60

    ok, logs attached ...

    Anything else to try?

    Thanks,

    Liz

  11. Broni Malware Annihilator Posts: 39,324   +175

    What happened to my atapi.sys in C:\ directory?
  12. lizmcreations Newcomer, in training Posts: 60

    sorry, the second time I tried to replace all the atapi.sys files I put your file on my usb thumb drive rather than on the c: drive ... I deleted it after the OTM.exe file move ... didn't even think about it, I was just thinking I would download it again "fresh" if I needed it again ... or use the one I kept on my thumb drive just in case somehow just being on the c: drive was causing the file to get infected or something ....

    Probably doesn't make any sense, but I'm just trying to do whatever I can to get the computer back to functioning :) and I appreciate all the help you're providing me.

    Liz
  13. Broni Malware Annihilator Posts: 39,324   +175

    No big deal :)
    We're both a little bit frustrated...hmmmm...

    You still have my zipped file on your desktop.
    Please, unzip it, copy and paste atapi.sys into C:\ directory.
    Then, re-run OTL, using instructions from my reply #69.
    I need the scan to see that file so I can compare hash numbers (MD5).
  14. Broni Malware Annihilator Posts: 39,324   +175

    Yeah, it looks like we're dealing with the newest version of TDSS rootkit.
    I just found out more about it today.
    There are some test fixes ready, so hopefully we can do something about it.

    In addition to my previous instructions...

    Delete any GMER file, if you have one.

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    I'll be back here tomorrow evening (PST)
  15. lizmcreations Newcomer, in training Posts: 60

    Alright, I am not sure what is going on ... but I've run OTL.exe several times (deleted the .exe file and then re-downloaded it again) and I CANNOT get the extras.txt file! I didn't change any settings and I didn't pay enough attention to the settings when I did get the extras.txt file to notice if there was any difference. I have shut down and restarted and run it to try to get the extras.txt file and I can't seem to get it.

    But, attached is otl.txt.

    Will follow the next instructions shortly.

    Liz

    Attached Files: OTL.Txt (90.2 KB)
  16. lizmcreations Newcomer, in training Posts: 60

    I downloaded a brand new gmer and I still can't get it to finish running ... always has a problem and stops working and then the windows "this program has stopped working..." window pops up.

    Liz
  17. lizmcreations Newcomer, in training Posts: 60

    I downloaded gmer.exe from a different site to see if I could get it to finish ... still no go. But, this time I noticed that the status on the bottom (in case it makes a difference or tells you something)...

    It was scanning:
    \Device\HarddiskVolumeShadowCopy2

    Like I said, that might mean nothing .. but it might also tell you why the program (gmer.exe) is failing.

    Liz
  18. Broni Malware Annihilator Posts: 39,324   +175

    I just got home, so I'll be slow with replying (tons of other topics).

    If we're dealing with this new type of TDSS rootkit (and it looks like we are), we'll have to get GMER running. As of now, it's the only tool that actually detects this new type of TDSS.

    Run rKill first.
    When you start GMER, UN-check "Devices" in right pane and try to run it.

    If still a problem, restart in Safe Mode and try from there.

    From OTL log I can see, that the infection is still there.
    Don't worry about Extras. It's not important at all at this moment.
  19. lizmcreations Newcomer, in training Posts: 60

    ok, ran rkill and then gmer without the "devices" checked ... got farther in the process but I got the "blue screen of death" while it was searching files. So I booted back up in safe mode and re-ran gmer. Has run fine so far, still running for just about 12 hours at this point. Just giving a quick update in case you log in ... I will post the log as soon as it stops running, which I think will be soon.

    Thanks,

    Liz
  20. lizmcreations Newcomer, in training Posts: 60

    Ok, after more than 12 hours (I have a lot of files) the gmer scan has finally finished ... Here is the log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-14 11:44:28
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\Liz\AppData\Local\Temp\pwloakow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\Windows\system32\drivers\msahci.sys entry point in ".rsrc" section [0x807C9014]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[868] ntdll.dll!NtProtectVirtualMemory 77454D34 5 Bytes JMP 001E000A
    .text C:\Windows\system32\svchost.exe[868] ntdll.dll!NtWriteVirtualMemory 77455674 5 Bytes JMP 001F000A
    .text C:\Windows\system32\svchost.exe[868] ntdll.dll!KiUserExceptionDispatcher 77455DC8 5 Bytes JMP 001D000A
    .text C:\Windows\Explorer.EXE[1176] ntdll.dll!NtProtectVirtualMemory 77454D34 5 Bytes JMP 007D000A
    .text C:\Windows\Explorer.EXE[1176] ntdll.dll!NtWriteVirtualMemory 77455674 5 Bytes JMP 007E000A
    .text C:\Windows\Explorer.EXE[1176] ntdll.dll!KiUserExceptionDispatcher 77455DC8 5 Bytes JMP 007C000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EE7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F3A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73EEBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73EDF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73EE75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73EDE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F18395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73EEDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73EDFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73EDFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73ED71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73F6CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F0C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73EDD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73ED6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73ED687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73EE2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\msahci.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    Hopefully, that gave you the information you need and we can get my laptop back to functioning at 100% now :) --- thank you again for all the help you've given me.

    Liz
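Two things in the GMER log above corroborate each other and are worth pulling out automatically: the kernel section reports msahci.sys with its entry point inside the ".rsrc" section (a resource section is not where a driver's code normally lives), and the Files section names the same msahci.sys as a suspicious modification; separately, svchost.exe and Explorer.EXE carry inline JMP hooks on exactly the same three ntdll.dll functions, which suggests one injected component rather than two unrelated ones. The script below is an added example, not code from this thread or from GMER; it parses the GMER report layout shown above (the embedded excerpt is constructed from the posted log, with the IAT section cut to one line) and performs both correlations. The section names, regular expressions and finding tuples are my own assumptions about the layout; the IAT/EAT lines, which GMER lists without any remark here, are only counted.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log posted above (IAT section shortened).
SAMPLE_GMER = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-14 11:44:28
Windows 6.0.6002 Service Pack 2

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\msahci.sys entry point in ".rsrc" section [0x807C9014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[868] ntdll.dll!NtProtectVirtualMemory 77454D34 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[868] ntdll.dll!NtWriteVirtualMemory 77455674 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[868] ntdll.dll!KiUserExceptionDispatcher 77455DC8 5 Bytes JMP 001D000A
.text C:\Windows\Explorer.EXE[1176] ntdll.dll!NtProtectVirtualMemory 77454D34 5 Bytes JMP 007D000A
.text C:\Windows\Explorer.EXE[1176] ntdll.dll!NtWriteVirtualMemory 77455674 5 Bytes JMP 007E000A
.text C:\Windows\Explorer.EXE[1176] ntdll.dll!KiUserExceptionDispatcher 77455DC8 5 Bytes JMP 007C000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1176] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EE7817] C:\Windows\WinSxS\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\msahci.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# ".rsrc <image> entry point in ".rsrc" section [0xADDR]"
ENTRY_RE = re.compile(r'^\.(\w+)\s+(\S+) entry point in "\.(\w+)" section \[0x([0-9A-Fa-f]+)\]$')
# ".text <process>[pid] module!function ADDR N Bytes JMP TARGET"
HOOK_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\]\s+([\w.]+)!(\w+)\s+([0-9A-Fa-f]+)\s+(\d+) Bytes JMP ([0-9A-Fa-f]+)$")
FILE_RE = re.compile(r"^File (\S+) (.+)$")


def parse_gmer(text):
    """Split a GMER report into its sections and extract the entries each one carries."""
    section = None
    report = {"kernel": [], "hooks": defaultdict(list), "files": {}, "iat_entries": 0}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Kernel code sections":
            m = ENTRY_RE.match(line)
            if m:
                report["kernel"].append({"image": m.group(2), "section": "." + m.group(3),
                                         "entry": int(m.group(4), 16)})
        elif section == "User code sections":
            m = HOOK_RE.match(line)
            if m:
                proc = "%s[%s]" % (m.group(1), m.group(2))
                report["hooks"][proc].append({"function": "%s!%s" % (m.group(3), m.group(4)),
                                              "at": int(m.group(5), 16),
                                              "bytes": int(m.group(6)),
                                              "target": int(m.group(7), 16)})
        elif section == "User IAT/EAT":
            if line.startswith(("IAT ", "EAT ")):
                report["iat_entries"] += 1  # listed by GMER without a remark; only tallied
        elif section == "Files":
            m = FILE_RE.match(line)
            if m:
                report["files"][m.group(1)] = m.group(2)
    return report


def triage(report):
    """Correlate findings: kernel anomalies backed by a Files entry, and hook sets shared by processes."""
    findings = []
    flagged = {path.lower() for path in report["files"]}
    for k in report["kernel"]:
        corroborated = k["image"].lower() in flagged
        findings.append(("kernel_entry_point", k["image"], k["section"], corroborated))
    by_set = defaultdict(list)
    for proc, hooks in report["hooks"].items():
        by_set[frozenset(h["function"] for h in hooks)].append(proc)
    for funcs, procs in by_set.items():
        if len(procs) > 1:  # the same functions hooked in several processes
            findings.append(("shared_hook_set", tuple(sorted(funcs)), tuple(sorted(procs))))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE_GMER)):
        print(finding)
```

On the posted log this yields one corroborated kernel finding for msahci.sys and one shared hook set (the three ntdll functions) across svchost.exe[868] and Explorer.EXE[1176], which is the summary a helper would want before deciding what to do about msahci.sys.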