I'm an idiot and didn't follow the instructions before. Trying again now!


ju2tin

I posted about this before but didn't read the instructions thoroughly so I am trying again and I hope I got it all correct this time. I pasted my HJT and DDS logs as text below, and I attached Attach.txt and Ark.txt as a zipped file.

I noticed my computer was running very slow a lot of the time when loading web pages. I had an old version of MBAM that detected TDSS rootkit but failed to remove it and delivered an error message 731 (0, 6) after detecting it.

So I updated to the latest version of MBAM. Now MBAM shuts down and closes about 10 seconds into a scan. So I cannot post a copy of a MBAM log file.

I tried RootRepeal. It didn't show any of the designated .sys files on my system.

HELLLLP!!!!

HJT log:

==============================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:40:33, on 2010/09/04

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\acs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\vsnpstd2.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Atheros\ACU.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live ????? ???? - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java

Attach.zip

Please don't start multiple threads... stay in this one from now on!

For the TDSS rootkit, follow this guide and post back the logs here. MrC

Thanks for responding; please feel free to delete my other thread. I appreciate your help.

I followed the steps at the link you provided. I ran MBAM afterwards, but it crashed 28 seconds into the scan. This makes me think that there is still some malware on my system making it crash.

Here are the results of my following the steps at the link you provided:

(1) OTM appeared to run successfully and text appeared in the Results window. However, OTM seemed to "hang" after it finished running and some of my computer functions seemed to not work (e.g., my desktop icons disappeared) so I could not copy and paste the text from the Results window into this post.

(2) I ran GooredFix.

(3) I ran TDSSKiller but it found no problems on my computer! The TDSSKiller scan report is below:

-----------------------------------------------

2010/09/05 08:09:50.0203 TDSS rootkit removing tool 2.4.2.0 Sep 3 2010 10:26:06

2010/09/05 08:09:50.0203 ================================================================================

2010/09/05 08:09:50.0203 SystemInfo:

2010/09/05 08:09:50.0203

2010/09/05 08:09:50.0203 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/05 08:09:50.0203 Product type: Workstation

2010/09/05 08:09:50.0203 ComputerName: YOUR-9AE00B3318

2010/09/05 08:09:50.0203 UserName: Shi Ye

2010/09/05 08:09:50.0203 Windows directory: C:\WINDOWS

2010/09/05 08:09:50.0203 System windows directory: C:\WINDOWS

2010/09/05 08:09:50.0203 Processor architecture: Intel x86

2010/09/05 08:09:50.0203 Number of processors: 1

2010/09/05 08:09:50.0203 Page size: 0x1000

2010/09/05 08:09:50.0203 Boot type: Normal boot

2010/09/05 08:09:50.0203 ================================================================================

2010/09/05 08:09:51.0156 Initialize success

2010/09/05 08:09:59.0421 ================================================================================

2010/09/05 08:09:59.0421 Scan started

2010/09/05 08:09:59.0421 Mode: Manual;

2010/09/05 08:09:59.0421 ================================================================================

2010/09/05 08:10:27.0265 ================================================================================

2010/09/05 08:10:27.0265 Scan finished

2010/09/05 08:10:27.0265 ================================================================================

-----------------------------------------------

Okay, I tried the whole thing again and got OTM to run to completion this time, including a system reboot. I still couldn't copy and paste the text from the green Results window, but I got a report log when my system rebooted. I also saved the GooredFix log. TDSSKiller still did not find anything wrong with my computer though. And then I ran MBAM as a test to see if the problem was fixed, but MBAM crashed again, this time after 30 seconds.

Here are my logs:

OTM log, after reboot:

----------------------------------------------------------

All processes killed

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Shi Ye\??????\cmd.bat deleted successfully.

C:\Documents and Settings\Shi Ye\??????\cmd.txt deleted successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Shi Ye

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 18490592 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 664 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 18.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.15.0 log created on 09052010_082616

Files moved on Reboot...

Registry entries deleted on Reboot...

----------------------------------------------------------

GooredFix log:

----------------------------------------------------------

GooredFix by jpshortstuff (03.07.10.1)

Log created at 08:37 on 05/09/2010 (Shi Ye)

Firefox version 3.6.8 (ja)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [14:10 20/03/2006]

{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [10:25 18/05/2009]

C:\Documents and Settings\Shi Ye\Application Data\Mozilla\Firefox\Profiles\absjaxdc.default\extensions\

optout@google.com [01:45 28/03/2010]

{e3f6c2cc-d8db-498c-af6c-499fb211db97} [11:05 29/06/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [10:25 18/05/2009]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [15:05 17/06/2010]

---------- Old Logs ----------

GooredFix[23.05.52_04-09-2010].txt

-=E.O.F=-

----------------------------------------------------------

TDSSKiller log:

----------------------------------------------------------

2010/09/05 08:38:01.0125 TDSS rootkit removing tool 2.4.2.0 Sep 3 2010 10:26:06

2010/09/05 08:38:01.0125 ================================================================================

2010/09/05 08:38:01.0125 SystemInfo:

2010/09/05 08:38:01.0125

2010/09/05 08:38:01.0125 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/05 08:38:01.0125 Product type: Workstation

2010/09/05 08:38:01.0125 ComputerName: YOUR-9AE00B3318

2010/09/05 08:38:01.0125 UserName: Shi Ye

2010/09/05 08:38:01.0125 Windows directory: C:\WINDOWS

2010/09/05 08:38:01.0125 System windows directory: C:\WINDOWS

2010/09/05 08:38:01.0125 Processor architecture: Intel x86

2010/09/05 08:38:01.0125 Number of processors: 1

2010/09/05 08:38:01.0125 Page size: 0x1000

2010/09/05 08:38:01.0125 Boot type: Normal boot

2010/09/05 08:38:01.0125 ================================================================================

2010/09/05 08:38:01.0640 Initialize success

2010/09/05 08:38:06.0156 ================================================================================

2010/09/05 08:38:06.0156 Scan started

2010/09/05 08:38:06.0156 Mode: Manual;

2010/09/05 08:38:06.0156 ================================================================================


2010/09/05 08:38:19.0421 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/09/05 08:38:19.0625 Modem (60445bf3606095104f66e85723ff2dc8) C:\WINDOWS\system32\drivers\Modem.sys

2010/09/05 08:38:19.0781 Mouclass (264c4cd6aa9237ce23b79200d5044909) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/09/05 08:38:19.0859 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/09/05 08:38:20.0046 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/09/05 08:38:20.0187 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/09/05 08:38:20.0328 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/09/05 08:38:20.0500 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/09/05 08:38:20.0625 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/09/05 08:38:20.0812 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/09/05 08:38:20.0921 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/09/05 08:38:21.0062 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/09/05 08:38:21.0203 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/09/05 08:38:21.0375 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/09/05 08:38:21.0453 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/09/05 08:38:21.0718 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/09/05 08:38:21.0859 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/09/05 08:38:21.0984 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/09/05 08:38:22.0093 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/09/05 08:38:22.0203 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/09/05 08:38:22.0390 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/09/05 08:38:22.0562 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/09/05 08:38:22.0734 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/09/05 08:38:22.0828 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/09/05 08:38:22.0953 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/09/05 08:38:23.0078 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/09/05 08:38:23.0234 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/09/05 08:38:23.0406 Parport (bff867941573da75b046f0dfab96ca59) C:\WINDOWS\system32\drivers\Parport.sys

2010/09/05 08:38:23.0546 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/09/05 08:38:23.0625 ParVdm (acd12767f76bb6e7109fe17b00823543) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/09/05 08:38:23.0734 PCI (dc51fa93029662b7b42d41a8d0750c0e) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/09/05 08:38:23.0859 PCIIde (72d152abf38eb26671488f9ba23c78a8) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/09/05 08:38:23.0968 Pcmcia (2bd31d5e6c7100d795eec72ac4feac14) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2010/09/05 08:38:24.0453 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/09/05 08:38:24.0546 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/09/05 08:38:24.0656 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/09/05 08:38:24.0750 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/09/05 08:38:25.0000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/09/05 08:38:25.0046 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/09/05 08:38:25.0109 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/09/05 08:38:25.0156 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/09/05 08:38:25.0328 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/09/05 08:38:25.0468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/09/05 08:38:25.0593 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/09/05 08:38:25.0750 redbook (c5927f08f38a8da6ce16b2d1017d8782) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/09/05 08:38:25.0875 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys

2010/09/05 08:38:25.0953 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2010/09/05 08:38:26.0125 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/09/05 08:38:26.0328 Serial (32be213745551fb893713308a28e832e) C:\WINDOWS\system32\drivers\Serial.sys

2010/09/05 08:38:26.0500 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2010/09/05 08:38:26.0640 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/09/05 08:38:26.0765 snpstd2 (6db1737f710860c1685bface72798535) C:\WINDOWS\system32\DRIVERS\snpstd2.sys

2010/09/05 08:38:26.0953 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/09/05 08:38:27.0125 sr (293f6452dbbd46d37bd0e1274dbe227e) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/09/05 08:38:27.0312 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/09/05 08:38:27.0421 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2010/09/05 08:38:27.0562 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/09/05 08:38:27.0765 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/09/05 08:38:27.0937 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/09/05 08:38:28.0265 SynTP (f6770219b73bd989d5613d2e9c78a227) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2010/09/05 08:38:28.0406 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/09/05 08:38:28.0546 tapvpn (27a2c318cd28cfb3eb2200fd96af1e58) C:\WINDOWS\system32\DRIVERS\tapvpn.sys

2010/09/05 08:38:28.0750 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/09/05 08:38:28.0906 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/09/05 08:38:28.0984 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/09/05 08:38:29.0140 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/05 08:38:29.0281 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys

2010/09/05 08:38:29.0421 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/09/05 08:38:29.0593 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/09/05 08:38:29.0796 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/09/05 08:38:30.0000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/09/05 08:38:30.0140 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/09/05 08:38:30.0312 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/09/05 08:38:30.0500 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/09/05 08:38:30.0609 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/09/05 08:38:30.0765 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/09/05 08:38:30.0843 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/09/05 08:38:31.0031 VolSnap (72a85441a8285ef8af2794c42d87935f) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/09/05 08:38:31.0125 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/09/05 08:38:31.0250 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/09/05 08:38:31.0484 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/09/05 08:38:31.0640 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/09/05 08:38:31.0859 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/09/05 08:38:31.0937 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/09/05 08:38:32.0109 ================================================================================

2010/09/05 08:38:32.0109 Scan finished

2010/09/05 08:38:32.0109 ================================================================================

----------------------------------------------------------


Are you using a router?

-----------------------------------

Please do this:

Download ComboFix from one of these locations:

Link 1

Link 2

ComboFix Guide

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5. Give it at least 20-30 minutes to finish if needed.

MrC


Yes, I am using a router. My computer has a wireless connection to a Buffalo AirStation router. I believe my wireless network is password protected, although I am not sure how to check. It's been years since I set up the network and I pretty much forgot everything about how it's set up.

I ran ComboFix; the log file is pasted below. I also updated and ran MBAM afterwards, to see if it would complete a quick scan. However, it crashed and closed 46 seconds into the scan. This is farther into the scan than it's gotten before, but something is still preventing it from completing the scan. This makes me think there is still some malware on my computer, although surfing the Internet on it now does seem quicker than it was before I did all these steps you've been recommending.

ComboFix log follows:

-------------------------------------------------------

ComboFix 10-09-04.05 - Shi Ye 2010/09/05 15:11:44.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1041.18.446.173 [GMT 9:00]

Running from: c:\documents and settings\Shi Ye\??????\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\gasfkyrxehbakl.dat

c:\windows\system32\?????.scr

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANTIPOL

-------\Legacy_USNJSVC

-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))

.

2010-09-05 04:13 . 2010-09-05 04:16 -------- d-----w- c:\documents and settings\safe\Local Settings\Application Data\Adobe

2010-09-05 04:07 . 2010-09-05 04:07 -------- d-----w- c:\documents and settings\safe\Local Settings\Application Data\Mozilla

2010-09-04 22:43 . 2010-09-04 22:43 -------- d-----w- C:\_OTM

2010-09-04 22:41 . 2010-09-04 22:41 -------- d-----w- c:\program files\ERUNT

2010-09-03 23:19 . 2010-03-01 01:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-09-03 23:19 . 2010-02-16 05:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-09-03 23:19 . 2009-05-11 03:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-09-03 23:19 . 2009-05-11 03:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-09-03 23:19 . 2010-09-03 23:19 -------- d-----w- c:\program files\Avira

2010-09-03 23:19 . 2010-09-03 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-09-03 21:32 . 2010-09-03 21:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-09-03 21:27 . 2010-09-03 22:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-03 21:24 . 2010-09-03 21:25 80729096 ----a-w- c:\documents and settings\All Users\Application Data\PC Tools\DownloadManager\Spyware Doctor8.0\sdsetup_aff_dl.exe

2010-09-03 21:24 . 2010-09-03 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-08-15 11:38 . 2010-08-15 11:38 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-08-15 11:38 . 2010-08-15 11:38 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-08-15 11:38 . 2010-08-15 11:38 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-08-15 11:38 . 2010-08-15 11:38 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-08-15 11:36 . 2010-08-15 11:36 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-08-15 11:36 . 2010-08-15 11:36 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

2010-08-15 11:36 . 2010-08-15 11:36 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-03 23:40 . 2005-11-23 12:31 -------- d-----w- c:\program files\Trend Micro

2010-09-03 22:37 . 2010-08-15 11:37 -------- d-----w- c:\documents and settings\Shi Ye\Application Data\DivX

2010-09-03 22:20 . 2009-10-09 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-03 21:28 . 2010-09-03 21:28 743136 ----a-w- c:\windows\system32\drivers\Cat.DB

2010-08-15 12:03 . 2010-04-09 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-08-15 12:03 . 2010-04-09 14:46 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-08-15 11:38 . 2010-04-09 14:40 -------- d-----w- c:\program files\DivX

2010-08-15 11:37 . 2010-08-15 11:37 84054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe

2010-08-15 11:37 . 2010-08-15 11:37 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe

2010-08-15 11:37 . 2010-08-15 11:37 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe

2010-08-15 11:37 . 2010-08-15 11:37 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe

2010-08-15 11:37 . 2010-08-15 11:37 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe

2010-08-15 11:37 . 2010-08-15 11:37 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe

2010-08-15 11:37 . 2010-08-15 11:37 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

2010-08-15 11:37 . 2010-08-15 11:37 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-08-15 11:37 . 2010-08-15 11:37 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-08-15 11:32 . 2010-04-09 14:46 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-08-15 11:32 . 2010-04-09 14:45 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-08-12 13:30 . 2005-11-23 09:54 71388 ----a-w- c:\windows\system32\perfc011.dat

2010-08-12 13:30 . 2005-11-23 09:54 228186 ----a-w- c:\windows\system32\perfh011.dat

2010-07-31 12:52 . 2007-01-26 05:26 -------- d-----w- c:\documents and settings\Shi Ye\Application Data\Skype

2010-07-31 12:36 . 2008-05-14 08:10 -------- d-----w- c:\documents and settings\Shi Ye\Application Data\skypePM

2010-07-29 23:42 . 2006-03-18 03:33 64848 ----a-w- c:\documents and settings\Shi Ye\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-30 12:31 . 2005-11-23 09:54 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2005-11-23 09:54 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 09:01 . 2005-11-23 09:54 1851520 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2005-11-23 09:54 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2005-11-23 09:54 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2005-11-23 10:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2005-11-23 09:54 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-09 23:01 . 2010-08-15 11:37 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-06-09 23:01 . 2010-08-15 11:37 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-06-09 23:01 . 2010-08-15 11:37 133616 ------w- c:\windows\system32\pxafs.dll

2010-06-09 23:01 . 2005-11-23 12:27 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-06-09 23:01 . 2005-11-23 12:27 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-06-09 23:01 . 2005-03-28 17:03 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-01-05 40960]

"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 15473664]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]

"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-05 44032]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-07-31 122940]

"ACU"="c:\program files\Atheros\ACU.exe" [2005-07-11 311296]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\Shi Ye\???? ????\?????\???????\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

Microsoft Office OneNote 2003 ??????.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\???? ????\?????\???????\

Microsoft Office OneNote 2003 ??????.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-11-23 155648]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200411]

Ime File REG_SZ imjp9.ime

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^???? ????^?????^???????^dynabook?????.lnk]

path=c:\documents and settings\All Users\???? ????\?????\???????\dynabook?????.lnk

backup=c:\windows\pss\dynabook?????.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^???? ????^?????^???????^Photo Loader supervisory.lnk]

path=c:\documents and settings\All Users\???? ????\?????\???????\Photo Loader supervisory.lnk

backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-11 13:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2005-08-05 12:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen]

2008-12-09 11:08 495616 ----a-w- c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-04-02 07:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 02:26 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-10-18 02:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]

2005-07-15 01:52 1077322 ----a-w- c:\program files\TOSHIBA\PadTouch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 08:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-05-18 10:25 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2004-10-14 06:26 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

2004-10-14 06:28 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]

2005-11-25 04:07 352256 ----a-w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-09-26 01:25 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]

2004-12-29 15:32 65536 ----a-w- c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010/09/04 8:19 135336]

R3 BLKWGN;Belkin Wireless G Notebook Card Service;c:\windows\system32\drivers\BLKWGN.sys [2007/01/07 4:48 463872]

S1 acordeof;acordeof;\??\c:\windows\system32\drivers\acordeof.sys --> c:\windows\system32\drivers\acordeof.sys [?]

S1 exsdqzns;exsdqzns;\??\c:\windows\system32\drivers\exsdqzns.sys --> c:\windows\system32\drivers\exsdqzns.sys [?]

S3 ATICDSDr;ATICDSDr;\??\d:\comp39\setup\bin\atiicdxx.sys --> d:\comp39\setup\bin\atiicdxx.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009/10/09 21:52 38224]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.co.jp/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Microsoft Excel ???????(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: msjwwdat - {BAAB02DC-913E-40aa-B9ED-8068DEE42CFA} - c:\program files\Microsoft Office\Home Style\JWW\JWWData.dll

FF - ProfilePath - c:\documents and settings\Shi Ye\Application Data\Mozilla\Firefox\Profiles\absjaxdc.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! JAPAN

FF - prefs.js: browser.startup.homepage - hxxp://www.jimmyr.com/

FF - component: c:\documents and settings\Shi Ye\Application Data\Mozilla\Firefox\Profiles\absjaxdc.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Mini\3.2\Apps\apdproxy.exe

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

MSConfigStartUp-pccguide - c:\program files\Trend Micro\Virus Buster 2006\pccguide.exe

MSConfigStartUp-SmoothView - c:\program files\TOSHIBA\TOSHIBA Smooth View\SmoothView.exe

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-05 15:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\AppEvents\Schemes\Apps\Conf\*?^\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\LocalService\AppEvents\Schemes\Apps\Conf\*?^\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-20\AppEvents\Schemes\Apps\Conf\*?^\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_USERS\S-1-5-21-3498092979-4126409471-3516178215-1007\AppEvents\Schemes\Apps\Conf\*?^\.Current]

@="c:\\Program Files\\NetMeeting\\Blip.wav"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*?0??0??0??0\CLSID]

@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*?0??0??0??0\CurVer]

@="BDATuner.???????.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\P*C*:?e?0??]

"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,30,d7,14,

aa,ad,be,c6,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\

"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\?0??0??0?0??n0?0?0?0?0?0?0 *?0???0]

@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"

"Description"="???????? Windows ????????????????????? ?????????????????????????"

"Display"="?????????? ??????????? ????"

"IconPath"=expand:"%SystemRoot%\\system32\\osuninst.EXE,0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)

c:\windows\system32\Ati2evxx.dll

c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(1236)

c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\acs.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\conime.exe

c:\windows\RTHDCPL.EXE

.

**************************************************************************

.

Completion time: 2010-09-05 15:30:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-05 06:30

Pre-Run: 39,974,051,840 ????????

Post-Run: 39,854,477,312 ????????

- - End Of File - - CA4C5B72C1C0FA8152E160078C3E7683

-------------------------------------------------------


Find these two files and upload them to Virus Total for a free scan, post the results back here.

You may be able to just copy the url of the results.

You may have to enable hidden files to see them:

http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

c:\windows\system32\drivers\acordeof.sys

c:\windows\system32\drivers\exsdqzns.sys

------------------------------------------------------

As far as MBAM crashing, let's try to rename it and see if it runs:

Navigate to your Program Files\Malwarebytes' Anti-Malware folder and locate the mbam.exe in there:

RENAME the mbam.exe to iexplore.exe

Now double-click on iexplore.exe to run a scan; make sure you update MBAM before you run it.

-------------------------------------

If that doesn't work:

Try using SUPERAntiSpyware Portable Scanner.

It's easy to use, just download SAS Portable Scanner to the sick computer, double click on it, check for updates and then run it.

(also the scanner is saved under a random filename so that malware infections won't block the scanner.)

Post the log back here.

Once you close the program, the logs and quarantined items are lost, so please look over what was quarantined (especially files located in system32) before closing SAS.

Let me know, MrC


Hello, here is my latest progress report:

(1) I could not find c:\windows\system32\drivers\acordeof.sys or c:\windows\system32\drivers\exsdqzns.sys in that location on my system even after making sure all hidden files are visible. So I could not upload them to try that part of your advice.

(2) I re-named MBAM as advised and updated it, but it still crashes early into a quick scan.

(3) I downloaded, updated, and ran SAS. It found 578 adware cookies and 1 Trojan.Agent/Gen-Rogue[installer]. This last file was at C:\Documents and Settings\Shi Ye\?????\reajpeg.exe. I followed SAS's advice to quarantine it.

My computer seems more or less okay right now, although sometimes it still runs slow when browsing the Internet. I don't know if that problem will come back again, but MBAM still won't scan all the way through.


OK, those two files most likely don't exist on the computer but we had to check.

I would still like to get MBAM to run, please try this:

Uninstall MBAM and download and install a fresh copy, update it, disable AntiVir and see if it runs.

If it crashes, reboot into safe mode and then try it.

Let me know, MrC


Okay, I uninstalled MBAM and re-installed it (but did not rename it to iexplore.exe, should I have done that too?), disabled my antivirus, updated and ran MBAM. It crashed 18 seconds into the quick scan.

So I rebooted in safe mode. This time MBAM hung for a while at the 19-second mark and I thought it was going to crash... but it got back to work and kept on going! I really thought it was going to make it all the way through this time, but it crashed at 7 minutes and 4 seconds into the scan. So, it is still not running all the way through a quick scan.

Also, my PC is still slow some of the time, especially on startup, although it is better than it used to be because sometimes now it works fine.


Please do this:

Download Sophos Anti-Rootkit and save it to your desktop. It can also be found Here, just scroll to the bottom of the page and click Submit

  • Double-click sarsfx.exe to extract the files.
  • Click the Accept button at the EULA, then Install to the default directory
  • At the next prompt, click Yes to start the program
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click the Start Scan button.
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any, not all are bad)
  • Note: If the scanner generated any warning messages, please click on each warning and copy and paste the text back here for me to review
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so

To view the log:

Go Start > Run > copy and paste this in:

%TEMP%\sarscan.log

Click OK

Post it back here, MrC


Sophos found 6 files but nothing was recommended for cleanup.

The messages about the 6 files were:

Area: Local hard drives

Description: Unknown hidden file

Location: C:\app&drv\Adobe\AdbeRdr705_jpn_full.exe

Removable: Yes (but clean up not recommended for this file)

Notes: (no more detail available)

Area: Local hard drives

Description: Unknown hidden file

Location: C:\app&drv\Vbuster\Adobe\AdbeRdr60_jpn_full.exe

Removable: Yes (but clean up not recommended for this file)

Notes: (no more detail available)

Area: Local hard drives

Description: Unknown hidden file

Location: C:\Documents and Settings\Shi Ye\??????\Misc\LTRM2_WWEFG_win.exe

Removable: Yes (but clean up not recommended for this file)

Notes: (no more detail available)

Area: Local hard drives

Description: Unknown hidden file

Location: C:\Program Files\Internet Explorer\MUI\0411\mscorier.dll

Removable: Yes (but clean up not recommended for this file)

Notes: (no more detail available)

Area: Local hard drives

Description: Unknown hidden file

Location: C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Royale\3.0.0.0__31bf3856ad364e35\PresentationFramework.Royale.dll

Removable: Yes (but clean up not recommended for this file)

Notes: (no more detail available)

Area: Local hard drives

Description: Unknown hidden file

Location: C:\Documents and Settings\Shi Ye\Local Settings\Application Data\Microsoft\Messenger\victorychina@hotmail.co.jp\SharingMetadata\shizaixiang@hotmail.com\DFSR\Staging\CS{1DA93729-3B98-8BF5-379D-B68D91838F84}\01\11-{1DA93729-3B98-8BF5-379D-B68D91838F84}-v1-{5017E570-F668-4A01-B3A4-F19D7D9A0981}-v11-Downloaded.frx

Removable: Yes (but clean up not recommended for this file)

Notes: (no more detail available)

Here is the log of the Sophos scan:

Sophos Anti-Rootkit Version 1.5.4 © 2009 Sophos Plc

Started logging on 2010/09/08 at 22:09:58

User "Shi Ye" on computer "YOUR-9AE00B3318"

Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32

Info: Starting process scan.

Info: Starting registry scan.

Info: Starting disk scan of C: (NTFS).

Hidden: file C:\app&drv\Adobe\AdbeRdr705_jpn_full.exe

Hidden: file C:\app&drv\Vbuster\Adobe\AdbeRdr60_jpn_full.exe

Hidden: file C:\Documents and Settings\Shi Ye\??????\Misc\LTRM2_WWEFG_win.exe

Hidden: file C:\Program Files\Internet Explorer\MUI\0411\mscorier.dll

Hidden: file C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Royale\3.0.0.0__31bf3856ad364e35\PresentationFramework.Royale.dll

Hidden: file C:\Documents and Settings\Shi Ye\Local Settings\Application Data\Microsoft\Messenger\victorychina@hotmail.co.jp\SharingMetadata\shizaixiang@hotmail.com\DFSR\Staging\CS{1DA93729-3B98-8BF5-379D-B68D91838F84}\01\11-{1DA93729-3B98-8BF5-379D-B68D91838F84}-v1-{5017E570-F668-4A01-B3A4-F19D7D9A0981}-v11-Downloaded.frx

Info: Starting disk scan of D: (FAT).

Stopped logging on 2010/09/08 at 22:43:19


That looks OK.

Please do this:

Delete or uninstall your version of HJT (look in your control panel's add/remove programs if listed), it's an old version.

Download and install the newest version:

You can download the HJT installer HERE:

Double-click HJTInstall.exe to install it. By default it will install to C:\Program Files\Trend Micro\HijackThis. Click on Install. It will create a HijackThis icon on the desktop. Once installed, it will launch HijackThis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Save the log to a convenient location.

Copy and paste it into your post.

-------------------------------------

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


HijackThis:

==================================================

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 21:51:16, on 2010/09/10

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\vsnpstd2.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Atheros\ACU.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live ????? ???? - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sNPSTD2] C:\WINDOWS\vsnpstd2.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [iMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')

O8 - Extra context menu item: Microsoft Excel ???????(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: ???? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://dynabook.com/assistpc/index_j.htm

O15 - ESC Trusted Zone: http://*.update.microsoft.com

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://mdev.temple.edu/webcams/AxisCamControl.ocx

O18 - Protocol: msjwwdat - {BAAB02DC-913E-40AA-B9ED-8068DEE42CFA} - C:\Program Files\Microsoft Office\Home Style\JWW\JWWData.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Atheros ?????? (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: iPod ???? (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 5727 bytes

==================================================

Security check:

==================================================

Results of screen317's Security Check version 0.99.5

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 13

Out of date Java installed!

Adobe Flash Player 10.1.82.76

Adobe Reader 8.1.2 - Japanese

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.9)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Please do this:

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Click on Fix Checked when finished and exit HijackThis.

-------------------------------

You have a lot of unnecessary programs running at startup that aren't really needed.

At some point I would suggest you use a program like Starter to manage them. You'll have to play around with it to determine what programs you really do need. You don't have to do this now but I would suggest you try it sometime in the future.

These are the programs in question:

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [iMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

Your Java is out of date; older versions of Java are vulnerable to malware.

Please go to your control panel's add/remove programs and uninstall any listed Java and then install the latest version which can be found at the link below:

http://www.java.com/en/download/manual.jsp

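The three HijackThis lines MrC asks to fix are the O2 BHO entries whose DLL is reported as "(no file)" or "(file missing)": registry hooks left behind with nothing to load, which clutter IE startup and hide what is actually active. As an added example (not part of this thread and not HijackThis's own code), the following Python parser reads O2 and O4 lines in HJT log format, flags the orphaned BHOs, and extracts the executable behind each Run entry; the sample input is lines copied from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: O2/O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2: "O2 - BHO: <name> - {CLSID} - <dll path | (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# O4: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$"
)


@dataclass
class HjtEntry:
    section: str          # "O2" or "O4"
    name: str             # BHO display name or Run value name
    clsid: Optional[str]  # {GUID} for O2 entries, None for O4
    target: str           # DLL path, command line, or "(no file)"
    orphaned: bool        # HJT reported the backing file as absent


def is_orphaned(target: str) -> bool:
    """HJT marks a missing file either as '(no file)' or with a '(file missing)' suffix."""
    return target == "(no file)" or target.endswith("(file missing)")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse O2 and O4 lines; other sections and blank lines are ignored."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            t = m.group("target")
            entries.append(HjtEntry("O2", m.group("name"), m.group("clsid"), t, is_orphaned(t)))
            continue
        m = O4_RE.match(line)
        if m:
            t = m.group("target")
            entries.append(HjtEntry("O4", m.group("name"), None, t, is_orphaned(t)))
    return entries


def orphaned_bhos(entries: List[HjtEntry]) -> List[HjtEntry]:
    """BHO registrations whose DLL no longer exists: safe candidates for 'Fix checked'."""
    return [e for e in entries if e.section == "O2" and e.orphaned]


def autorun_executable(target: str) -> str:
    """Return the executable part of an O4 command line, dropping quotes and arguments.

    A quoted path is taken verbatim; an unquoted one is cut at the first space, which
    is a heuristic: an unquoted path containing spaces is ambiguous by nature.
    """
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split(" ")[0]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("Orphaned BHOs (candidates to fix):")
    for e in orphaned_bhos(parsed):
        print(f"  {e.clsid}  {e.name}")
    print("Startup programs (O4):")
    for e in parsed:
        if e.section == "O4":
            print(f"  [{e.name}] -> {autorun_executable(e.target)}")
```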

I did everything you recommended in your last post, and the ESET scan is running right now. However, it seems to be stuck 10% of the way through the scan, on one particular file:

C:\appdrv\FUDE\Main\cost.txt

It has been stuck on this file for about 6 minutes. I'm going to let it sit there and if it doesn't make any progress in another 10 minutes or so, I am going to cancel it.

By the way, I do not know if I am using a firewall. Possibly I am not using one.


OK, please do this:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\appdrv
    C:\appdrv\FUDE
    C:\appdrv\FUDE\Main
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

----------------------------------------

As for the firewall, I like and use this one:

http://www.pctools.com/firewall/

After it's installed, make sure the Windows firewall is disabled:

http://support.microsoft.com/kb/283673

--------------------

MrC


OK, first I got this:

SystemLook 04.09.10 by jpshortstuff

Log created at 07:19 on 12/09/2010 by Shi Ye

Administrator - Elevation successful

========== dir ==========

C:\appdrv - Unable to find folder.

C:\appdrv\FUDE - Unable to find folder.

C:\appdrv\FUDE\Main - Unable to find folder.

-= EOF =-

Then I realized that appdrv is actually "app&drv" on my system, so I ran SystemLook with that change, and I got this:

SystemLook 04.09.10 by jpshortstuff

Log created at 07:22 on 12/09/2010 by Shi Ye

Administrator - Elevation successful

========== dir ==========

C:\app&drv - Parameters: "(none)"

---Files---

App.log --a---- 99 bytes [09:41 23/11/2005] [09:41 23/11/2005]

---Folders---

Adobe d-a---- [09:41 23/11/2005]

audio d-a---- [09:39 23/11/2005]

bns d-a---- [09:42 23/11/2005]

configss d-a---- [09:40 23/11/2005]

confree d-a---- [09:40 23/11/2005]

dekiru d-a---- [09:40 23/11/2005]

dion d-a---- [09:41 23/11/2005]

DLA d-a---- [09:42 23/11/2005]

dvd d-a---- [09:42 23/11/2005]

dvdram d-a---- [09:39 23/11/2005]

dynabookBanner d-a---- [09:48 23/11/2005]

dynabookLauncher d-a---- [09:48 23/11/2005]

final d-a---- [09:43 23/11/2005]

FUDE d-a---- [09:41 23/11/2005]

hikkosi d-a---- [09:41 23/11/2005]

HTML d-a---- [09:48 23/11/2005]

INFOPEPP d-a---- [09:41 23/11/2005]

KABE d-a---- [09:41 23/11/2005]

KB873333 d-a---- [09:38 23/11/2005]

KB873339 d-a---- [09:38 23/11/2005]

KB884018 d-a---- [09:38 23/11/2005]

KB885250 d-a---- [09:38 23/11/2005]

KB885835 d-a---- [09:38 23/11/2005]

KB885836 d-a---- [09:38 23/11/2005]

KB885855 d-a---- [09:38 23/11/2005]

KB885884 d-a---- [09:38 23/11/2005]

KB886185 d-a---- [09:38 23/11/2005]

KB887219 d-a---- [09:39 23/11/2005]

KB887472 d-a---- [09:38 23/11/2005]

KB888113 d-a---- [09:38 23/11/2005]

KB888302 d-a---- [09:38 23/11/2005]

KB889673 d-a---- [09:38 23/11/2005]

KB890046 d-a---- [09:38 23/11/2005]

KB890175 d-a---- [09:38 23/11/2005]

KB890859 d-a---- [09:38 23/11/2005]

KB891781 d-a---- [09:38 23/11/2005]

KB893056 d-a---- [09:38 23/11/2005]

KB893066 d-a---- [09:38 23/11/2005]

KB893357 d-a---- [09:38 23/11/2005]

KB893756 d-a---- [09:38 23/11/2005]

KB893803 d-a---- [09:38 23/11/2005]

KB894391 d-a---- [09:38 23/11/2005]

KB894871 d-a---- [09:38 23/11/2005]

KB895200 d-a---- [09:38 23/11/2005]

KB896358 d-a---- [09:38 23/11/2005]

KB896422 d-a---- [09:38 23/11/2005]

KB896423 d-a---- [09:38 23/11/2005]

KB896428 d-a---- [09:38 23/11/2005]

KB896688 d-a---- [09:38 23/11/2005]

KB898458 d-a---- [09:38 23/11/2005]

KB899587 d-a---- [09:38 23/11/2005]

KB899591 d-a---- [09:38 23/11/2005]

KB901214 d-a---- [09:38 23/11/2005]

KB902400 d-a---- [09:38 23/11/2005]

KB904706 d-a---- [09:38 23/11/2005]

LAN d-a---- [09:39 23/11/2005]

modem d-a---- [09:39 23/11/2005]

odn d-a---- [09:41 23/11/2005]

Office2003SP d-a---- [09:48 23/11/2005]

okiniiri d-a---- [09:41 23/11/2005]

OneNoteSP d-a---- [09:48 23/11/2005]

online d-a---- [09:40 23/11/2005]

opdevmgr d-a---- [09:48 23/11/2005]

PadTouch d-a---- [09:40 23/11/2005]

palachan d-a---- [09:41 23/11/2005]

RDCLcher d-a---- [09:43 23/11/2005]

Record d-a---- [09:42 23/11/2005]

Release d-a---- [09:40 23/11/2005]

shindan d-a---- [09:40 23/11/2005]

Silencer d-a---- [09:40 23/11/2005]

Smooth d-a---- [09:40 23/11/2005]

SunJava d-a---- [09:38 23/11/2005]

Tcommon d-a---- [09:39 23/11/2005]

Tcont d-a---- [09:41 23/11/2005]

Thotutil d-a---- [09:39 23/11/2005]

Tosuty d-a---- [09:39 23/11/2005]

Touched d-a---- [09:40 23/11/2005]

Touchpad d-a---- [09:39 23/11/2005]

touroku d-a---- [09:40 23/11/2005]

Tpower d-a---- [09:40 23/11/2005]

TTS d-a---- [09:40 23/11/2005]

Vbuster d-a---- [09:42 23/11/2005]

video d-a---- [09:38 23/11/2005]

WLanuty_ath d-a---- [09:39 23/11/2005]

W_Lan_ath d-a---- [09:39 23/11/2005]

YahooTool d-a---- [09:42 23/11/2005]

C:\app&drv\FUDE - Parameters: "(none)"

---Files---

Autorun.inf --a---- 48 bytes [09:41 23/11/2005] [04:01 07/09/2005]

image001.png --a---- 7733 bytes [09:41 23/11/2005] [04:01 07/09/2005]

Outlook.htm --a---- 7103 bytes [09:41 23/11/2005] [04:01 07/09/2005]

README.html --a---- 24354 bytes [09:41 23/11/2005] [04:01 07/09/2005]

rev.txt --a---- 33 bytes [09:41 23/11/2005] [11:00 26/09/2005]

Setup.exe --a---- 77824 bytes [09:41 23/11/2005] [04:01 07/09/2005]

SetupA.exe --ah--- 1298432 bytes [09:41 23/11/2005] [04:01 07/09/2005]

SetupW.exe --ah--- 1310720 bytes [09:41 23/11/2005] [04:01 07/09/2005]

SETUP_HD.BAT --a---- 44 bytes [09:41 23/11/2005] [11:57 17/06/2004]

SETUP_HD.PIF --a---- 967 bytes [09:41 23/11/2005] [15:57 26/11/1999]

---Folders---

html d-a---- [09:41 23/11/2005]

Main d-a---- [09:41 23/11/2005]

C:\app&drv\FUDE\Main - Parameters: "(none)"

---Files---

0x0411.ini --a---- 5887 bytes [09:41 23/11/2005] [06:37 15/04/2004]

Autorun.inf --a---- 27 bytes [09:41 23/11/2005] [04:01 07/09/2005]

cost.txt --a---- 11 bytes [09:41 23/11/2005] [04:01 07/09/2005]

Data1.cab --a---- 239031653 bytes [09:41 23/11/2005] [04:01 07/09/2005]

dx80a.exe --a---- 26065872 bytes [09:42 23/11/2005] [23:06 20/06/2001]

Fgw13.msi --a---- 3527972 bytes [09:42 23/11/2005] [04:01 07/09/2005]

instmsi30.exe --a---- 2003176 bytes [09:42 23/11/2005] [22:50 15/11/2004]

instmsia.exe --a---- 1708856 bytes [09:42 23/11/2005] [23:45 10/03/2002]

instmsiw.exe --a---- 1822520 bytes [09:42 23/11/2005] [00:06 11/03/2002]

setup.exe --a---- 253952 bytes [09:42 23/11/2005] [00:41 13/08/2005]

Setup.ini --a---- 1950 bytes [09:42 23/11/2005] [04:01 07/09/2005]

---Folders---

None found.

-= EOF =-


Okay, after a few tries, it seems that I had to put the entire FUDE folder in the recycle bin and empty it (didn't need FUDE anyway, I think it's Japanese handwriting recognition software that came with the computer but I never used it). And then ESET was able to finish a scan.

It found no threats.

So then I updated and ran MBAM again, and it crashed 14 seconds into a quick scan.

I feel like my computer is working well, except for MBAM not completing a scan. I don't know if that is a sign of a malware problem that will emerge later.


OK, I'm very confident that the computer is clean. I'm not sure why MBAM crashes... probably the same reason ESET wouldn't run.

Based on all the other scans I would say we are done.

If you have any questions/comments, please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
