[Inactive] Help! having problems with my laptop

[ilovetea]

Hi, I'm new here and I hope I'm posting in the correct forum.

Okay so my laptop appeared to be running fine until I tried opening Microsoft Word. The program opens fine but a blank page for typing does not appear. I have since tried running the task manager and found that it opens, but is missing any text from the tabs, description boxes, and buttons.

Has anyone got any ideas what is happening and what i can do to fix it?
Any information would greatly be appreciated.

Thanks!

[dneilson]

Have you run Antivirus and Malware scans?

[ilovetea]

Yes, I've ran AVG and while I cannot see anything in the scan section, it does complete a scan and a green tick icon appears (which I'm guessing means that it hasn't found a threat).

[Train]

Malwarebytes' Anti-Malware: http://www.malwarebytes.org/products/malwarebytes_free

Download, install, update then run it.
Post the log. Posting it makes it easier to read.

[ilovetea]

Hi, i downloaded and ran the program. It found 6 threats all adware. I cannot select the log tab until i remove all threats so i did. Here is the log that appeared shortly afterwards:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jenny :: JENNY-VAIO [administrator]

29/06/2012 11:22:03 AM
mbam-log-2012-06-29 (11-22-03).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 385394
Time elapsed: 1 hour(s), 30 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 13
HKCR\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\ClickPotatoLiteAx.Info (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\ClickPotatoLiteAx.Info.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\MenuButtonIE.ButtonIE (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCU\Software\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Mozilla\Firefox\extensions|ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Data: C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0\firefox\extensions -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 10
C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Users\Jenny\AppData\Roaming\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0\firefox\extensions\plugins (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClickPotato (Adware.ClickPotato) -> Quarantined and deleted successfully.

Files Detected: 12
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0\ClickPotatoLiteSAHook.dll (Adware.HotBar.Gen) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSA.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSAau.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSA_kyf.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0\firefox\extensions\chrome.manifest (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files (x86)\ClickPotatoLite\bin\10.0.530.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClickPotato\About Us.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.

(end)


thanks!

[Train]

AVG is not designed to remove the malware that Malwarebytes Anti-Malware does remove.

How is the computer doing?

[ilovetea]

It appears to be running as normal now I've opened Microsoft word and all is back to normal. Thank you very much for your quick response, greatly appreciated.

[ilovetea]

The same problem appears to have returned. i have ran the malware program again but this time it has detected no threats. Any suggestions as to what this may be?

[jdc2000]

Follow the instructions at the link below and post all logs.

http://discussions.virtualdr.com/sho...d.php?t=167915

[ilovetea]

I followed instructions. GMER results: GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-01 21:13:18
Windows 6.1.7601 Service Pack 1
Running: ngdrqil6.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313fe70ca
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x98 0x49 0x1F 0xB1 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313fe70ca (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x98 0x49 0x1F 0xB1 ...

---- EOF - GMER 1.0.15 ----

[ilovetea]

aswMBR results:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-01 21:18:09
-----------------------------
21:18:09.474 OS Version: Windows x64 6.1.7601 Service Pack 1
21:18:09.474 Number of processors: 2 586 0x603
21:18:09.474 ComputerName: JENNY-VAIO UserName: Jenny
21:18:11.455 Initialize success
21:18:31.403 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000064
21:18:31.403 Disk 0 Vendor: SAMSUNG_ 2AJ1 Size: 305245MB BusType: 11
21:18:31.418 Disk 0 MBR read successfully
21:18:31.418 Disk 0 MBR scan
21:18:31.434 Disk 0 Windows 7 default MBR code
21:18:31.450 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10174 MB offset 2048
21:18:31.465 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 20840448
21:18:31.496 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 294969 MB offset 21045248
21:18:31.512 Disk 0 scanning C:\Windows\system32\drivers
21:18:46.426 Service scanning
21:19:04.132 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
21:19:11.526 Modules scanning
21:19:11.542 Disk 0 trace - called modules:
21:19:11.573 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8002ea92c0]<<sphm.sys amd_xata.sys ACPI.sys storport.sys hal.dll amd_sata.sys
21:19:11.573 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800325d5d0]
21:19:11.589 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa80031e9040]
21:19:11.589 \Driver\amd_xata[0xfffffa8002f3bac0] -> IRP_MJ_CREATE -> 0xfffffa8002ea92c0
21:19:11.604 5 amd_xata.sys[fffff880011d67a8] -> nt!IofCallDriver -> [0xfffffa80031e0d30]
21:19:11.604 7 ACPI.sys[fffff88000e3a7a1] -> nt!IofCallDriver -> \Device\00000064[0xfffffa80031dd060]
21:19:11.620 \Driver\amd_sata[0xfffffa8002f3bcb0] -> IRP_MJ_CREATE -> 0xfffffa8002ea72c0
21:19:11.620 Scan finished successfully
21:19:38.282 Disk 0 MBR has been saved successfully to "C:\Users\Jenny\Desktop\MBR.dat"
21:19:38.282 The log file has been saved successfully to "C:\Users\Jenny\Desktop\aswMBR.txt"

[ilovetea]

Step 4 cannot be completed. Mirror one opens a new blank tab, and Mirror 2 loads a Spanish website and will not allow me to download the file.

[Train]

Download it with another computer, burn it to a cd, or place it on a thumb drive and transfer it to you computer.

[ilovetea]

I have tried downloading it on another computer and the same thing is happening. One just opens a blank tab, the other won't download anything when I click to download.

[Train]

http://download.bleepingcomputer.com/sUBs/dds.scr

That is a direct link DDS. Save it to you drive. Then open it after it has finished downloading.