Charles W, posted December 9, 2010:

I was on the internet the other day and visited some site (I forget which one), but there was a popup that said a Firefox update was recommended. I usually trust Firefox, and this one looked legit, but when I executed it I knew I had made a mistake, and I think that's the problem. Anyway, I now have ads pop up every five minutes or so (even if I have no internet), and when I run MBAM it scans for about 3 minutes and then my computer restarts without warning. I ran HijackThis and here's my log. Any help would be appreciated. Thanks!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:34:14 PM, on 12/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Charles\My Documents\Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java
Maniac, posted December 10, 2010:

Hello Charles W! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:
- The process of cleaning your system may take some time, so please be patient.
- Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
- Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
- Instructions that I give are for your system only!
- If you don't know or can't understand something, please ask.
- Do not install or uninstall any software or hardware while we work on it.
- Keep me informed about any changes.

Step 1
Please open HijackThis and select Do a system scan only.
Check the following entries:

O4 - HKCU\..\Run: [JP595IR86O] C:\DOCUME~1\Charles\LOCALS~1\Temp\Wdl.exe

Then close all open windows except that of HijackThis, and select Fix Checked.

Step 2
Launch Malwarebytes' Anti-Malware.
Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3
Also, I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:
To get an Uninstall List from HijackThis:
Open HijackThis, click Config, click Misc Tools.
Click "Open Uninstall Manager".
Click "Save List" (generates uninstall_list.txt).
Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):
- Malwarebytes' Anti-Malware log
- Add or Remove Programs list
- a new fresh HijackThis log
Charles W, posted December 10, 2010:

Hi, thanks for the reply! I removed the thing using HijackThis as you asked, but when I ran MBAM, it ran for a minute or so, but a message popped up saying:

Run time error '6':
Overflow

I tried running MBAM again, but got the same results. MBAM closed immediately without finishing the scan or leaving a log file. But I have the uninstall list as well as the new HijackThis log:

Uninstall List:
7-Zip 4.65
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0
Adobe Shockwave Player 11.5
Agere Systems AC'97 Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - 3nAe?N
Maniac, posted December 10, 2010:

Step 1
Going over your logs I noticed that you have BitTorrent installed. Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smorgasbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again. I would recommend that you uninstall BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs. If you wish to keep it, please do not use it until your computer is cleaned.

Step 2
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure; click on Continue.
If a suspicious file is detected, the default action will be Skip; change it to Cure and then click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.
Charles W, posted December 11, 2010:

Hi, I got rid of BitTorrent and ran TDSSKiller. Here's the log. It said nothing was found:

2010/12/10 19:31:46.0940 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/10 19:31:46.0940 ================================================================================
2010/12/10 19:31:46.0940 SystemInfo:
2010/12/10 19:31:46.0940 
2010/12/10 19:31:46.0940 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/10 19:31:46.0940 Product type: Workstation
2010/12/10 19:31:46.0940 ComputerName: ACER-IZH1HI2TKI
2010/12/10 19:31:47.0020 UserName: Charles
2010/12/10 19:31:47.0020 Windows directory: C:\WINDOWS
2010/12/10 19:31:47.0020 System windows directory: C:\WINDOWS
2010/12/10 19:31:47.0020 Processor architecture: Intel x86
2010/12/10 19:31:47.0020 Number of processors: 1
2010/12/10 19:31:47.0020 Page size: 0x1000
2010/12/10 19:31:47.0020 Boot type: Normal boot
2010/12/10 19:31:47.0020 ================================================================================
2010/12/10 19:31:48.0623 Initialize success
2010/12/10 19:32:39.0686 ================================================================================
2010/12/10 19:32:39.0686 Scan started
2010/12/10 19:32:39.0686 Mode: Manual; 
2010/12/10 19:32:39.0686 ================================================================================
2010/12/10 19:32:41.0679 ACPI (2e76d0847098458b6f6776323d36a6fa) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/10 19:32:41.0889 ACPIEC (619410be0b33801f0fa0ad994b153cb4) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/12/10 19:32:42.0260 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/12/10 19:32:42.0480 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/12/10 19:32:42.0881 AgereSoftModem (5a2a96b15fa7e766d0fd1ac08eff2acb) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/12/10 19:32:43.0201 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/10 19:32:44.0032 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
2010/12/10 19:32:44.0383 ALCXWDM (391344370018a87a6c478ab76c7a47a8) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/12/10 19:32:44.0903 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/10 19:32:45.0604 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/10 19:32:45.0855 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/10 19:32:46.0436 ati2mtag (8303b347a02ed4bbf94e5682a6d22619) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/10 19:32:46.0676 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/10 19:32:46.0876 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/10 19:32:47.0607 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/10 19:32:47.0948 BTWUSB (faf0c0e706a0d45f6efbc1503daf914d) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/12/10 19:32:48.0158 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/10 19:32:48.0469 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/10 19:32:48.0659 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/10 19:32:48.0799 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/10 19:32:49.0210 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/10 19:32:49.0570 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/10 19:32:50.0471 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/10 19:32:50.0752 DKbFltr (581bba11019d7f5b13ce00f618dad09b) C:\WINDOWS\system32\Drivers\DKbFltr.sys
2010/12/10 19:32:50.0922 dmboot (48fa74a11fc3da495b9b546d640f8950) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/10 19:32:51.0172 dmio (b99078c1719a26bfe2ca9aa2a50e0b10) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/10 19:32:51.0313 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/10 19:32:51.0523 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/10 19:32:51.0944 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/10 19:32:52.0524 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/10 19:32:52.0735 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/10 19:32:52.0885 Fips (baac25464472a8112e7703e7eb38f603) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/10 19:32:53.0065 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/10 19:32:53.0316 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/10 19:32:53.0456 FsVga (10a80a866a41490a43fdcccfeef0dce4) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2010/12/10 19:32:53.0626 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/10 19:32:53.0736 Ftdisk (de92525813b461317e95221a2a0d49ca) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/10 19:32:53.0956 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/12/10 19:32:54.0087 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/10 19:32:54.0297 gv3 (ee916090b49976d06a220c4a21e5d302) C:\WINDOWS\system32\DRIVERS\gv3.sys
2010/12/10 19:32:55.0288 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/10 19:32:55.0709 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/10 19:32:56.0320 i8042prt (5f07dcfd005e94d54d99d881cef962cc) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/10 19:32:56.0560 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/10 19:32:56.0981 IntelIde (abbd1814791a011613ca1395e1344b7e) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/10 19:32:57.0151 intelppm (00273ace71b53cf8c006ed6574feeeb4) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/10 19:32:57.0451 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/10 19:32:57.0562 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/10 19:32:57.0782 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/10 19:32:57.0962 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/10 19:32:58.0193 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/10 19:32:58.0393 irda (86c204836feec22510d434982d4221b8) C:\WINDOWS\system32\DRIVERS\irda.sys
2010/12/10 19:32:58.0643 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/10 19:32:58.0874 isapnp (691914b157afb302d6831484d8e0d9d3) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/10 19:32:59.0124 Kbdclass (8ccdd51821bbacd3dba1afa5e7c4d756) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/10 19:32:59.0354 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/10 19:32:59.0514 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/10 19:33:00.0386 MBAMSwissArmy (e74dc2f3f9675a6025a4aa020edd4341) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010/12/10 19:33:00.0626 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/10 19:33:00.0816 Modem (746a1a3d73a648c57398c9cb8af315ed) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/10 19:33:00.0977 Mouclass (c145c60f25efe006b9a22a046ce5883f) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/10 19:33:01.0187 mouhid (44cacbcea57a1a1dc44f1454d033178c) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/10 19:33:01.0457 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/10 19:33:01.0818 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/10 19:33:01.0988 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/10 19:33:02.0188 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/10 19:33:02.0369 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/10 19:33:02.0579 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/10 19:33:02.0709 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/10 19:33:02.0919 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/10 19:33:03.0150 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/10 19:33:03.0340 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/10 19:33:03.0510 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/10 19:33:03.0650 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/10 19:33:03.0821 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/10 19:33:03.0931 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/10 19:33:04.0091 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/10 19:33:04.0221 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/10 19:33:04.0462 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/10 19:33:04.0692 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/10 19:33:04.0822 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/10 19:33:05.0112 NTIDrvr (15a72d5b8f0b6a718207f14bd5ebb8ff) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2010/12/10 19:33:05.0253 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/10 19:33:05.0423 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/10 19:33:05.0543 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/10 19:33:05.0773 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/10 19:33:06.0054 Parport (25e7306d56ddd7177f8197a008961757) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/10 19:33:06.0234 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/10 19:33:06.0354 ParVdm (3d531ced44f72ef076ff795c001aa9f8) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/10 19:33:06.0625 PCI (ada684c2be7064411d092efdc090faa3) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/10 19:33:07.0105 PCIIde (ac2184c04a60148445a6a7d31c1e8c4f) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/10 19:33:07.0286 Pcmcia (59f94f258b7935b4d921ba5b9b01d0aa) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/12/10 19:33:08.0728 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/10 19:33:08.0828 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/10 19:33:08.0878 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/10 19:33:09.0749 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/10 19:33:09.0990 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2010/12/10 19:33:10.0070 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/10 19:33:10.0190 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/10 19:33:10.0270 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/10 19:33:10.0490 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/10 19:33:10.0580 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/10 19:33:10.0811 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/10 19:33:11.0021 redbook (8bf05f5f9408a097f86113829def844b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/10 19:33:11.0301 RTL8023 (31c3ebb3a71fe56b8109bfb4ed20ae69) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
2010/12/10 19:33:11.0542 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/10 19:33:11.0652 Serial (58670ee2faf94fd65d19bb3e7927b485) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/10 19:33:11.0822 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/10 19:33:12.0243 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2010/12/10 19:33:12.0623 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/10 19:33:12.0794 sr (272f4bba833ef3553734eb02d6164f2b) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/10 19:33:12.0934 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/10 19:33:13.0114 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/10 19:33:13.0284 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/10 19:33:14.0246 SynTP (ed85f3cf8e5eb581df32b1cd07b072a2) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/12/10 19:33:14.0376 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/10 19:33:14.0726 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/10 19:33:15.0047 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/10 19:33:15.0257 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/10 19:33:15.0507 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/10 19:33:16.0108 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/10 19:33:16.0599 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/10 19:33:16.0869 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/10 19:33:17.0130 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/10 19:33:17.0370 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/10 19:33:17.0641 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/10 19:33:17.0901 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/10 19:33:18.0181 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/10 19:33:18.0402 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/10 19:33:18.0662 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/10 19:33:18.0902 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/10 19:33:19.0333 VolSnap (a3105e8b54eab87a0ad0031aa02084b3) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/10 19:33:19.0713 w22n51 (b6cb2cce557ce57c72c3d31e701e6e39) C:\WINDOWS\system32\DRIVERS\w22n51.sys
2010/12/10 19:33:20.0284 w70n51 (10540531217a1f5a14892cb62524a9cd) C:\WINDOWS\system32\DRIVERS\w70n51.sys
2010/12/10 19:33:20.0715 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/10 19:33:21.0166 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/10 19:33:21.0676 ================================================================================
2010/12/10 19:33:21.0676 Scan finished
2010/12/10 19:33:21.0676 ================================================================================
Maniac, posted December 11, 2010:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

**Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.**

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab and set to Always ask me where to Save the files.
- During the download, rename Combofix to Combo-Fix as follows:
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore your connection.
-----------------------------------------------------------

- Double click on combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall.**
Charles W, posted December 11, 2010:

Hi, I saved ComboFix to my desktop as Combo-Fix, but when I ran it, it wanted to install some Microsoft thing. I looked at the bleepingcomputer site and it said it was fine, so I clicked yes, but then the script said invalid argument. At first, I ignored it and went on with the scan, but it sat there for 30 minutes without doing anything (I read that there were supposed to be 34 steps for the scan, and I didn't want to waste 18+ hours waiting). Am I doing something wrong? Should I continue to wait? Thanks.
Maniac, posted December 11, 2010:

Let's try again in Safe Mode with Networking.
http://www.microsoft.com/resources/documen...t_failsafe.mspx
Charles W, posted December 12, 2010:

I tried using safe mode, but strangely, it didn't work. I couldn't even log on with safe mode; it just went to a black screen. This has never happened to me before (safe mode not working, even though regular does).
Maniac, posted December 12, 2010:

Try to rename ComboFix.exe to Combo-Fix.com and try again.
Charles W, posted December 12, 2010:

Hi, I wasn't sure what to do, because I tried naming it Combo-Fix.com, but it saved it as Combo-Fix.com.exe... so I guess I'll just try that right now. Or am I supposed to rename it after downloading it as Combo-Fix? Thanks.
Charles W, posted December 12, 2010:

It didn't work with Combo-Fix.com either. First, it said something about the back-up files failing or something, and then it couldn't download the thing from Microsoft. Afterwards, when it started to scan, it sat there for about 15 minutes and then froze until I restarted the computer.
Maniac, posted December 12, 2010:

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Once OTL has completed its first scan it will save notepad copies of the scans in the folder that OTL was started from. Unless set to produce an Extras log it will only produce OTL.txt in subsequent scans. A copy of an OTL fix log is saved in a text file at :\_OTL\Moved Files; in most cases this will be C:\_OTL\Moved Files.
Charles W, posted December 12, 2010:

Hi, here are the logfiles:

OTL logfile created on: 12/12/2010 5:01:21 PM - Run 1
OTL by OldTimer - Version 3.2.17.3     Folder = C:\Documents and Settings\Charles\??
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: ?? | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 95.00 Mb Available Physical Memory | 37.00% Memory free
619.00 Mb Paging File | 352.00 Mb Available in Paging File | 57.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 27.47 Gb Total Space | 18.12 Gb Free Space | 65.97% Space Free | Partition Type: FAT32
Drive D: | 9.76 Gb Total Space | 8.39 Gb Free Space | 85.97% Space Free | Partition Type: FAT32

Computer Name: ACER-IZH1HI2TKI | User Name: Charles | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Charles\??\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Charles\Local Settings\Temp\Wdl.exe ()
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Launch Manager\CPLBCL53.EXE (Dritek System Inc.)
PRC - C:\Program Files\ltmoh\ltmoh.exe (Agere Systems)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Charles\??\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)

========== Win32 Services (SafeList) ==========

SRV - (PEVSystemStart) -- C:\Combo-Fix3058C\PEV.cfx File not found
SRV - (HidServ) -- C:\windows\System32\hidserv.dll File not found
SRV - (AppMgmt) -- C:\windows\System32\appmgmts.dll File not found
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

========== Driver Services (SafeList) ==========

DRV - (EagleNT) -- C:\windows\System32\drivers\EagleNT.sys File not found
DRV - (w22n51) Intel® -- C:\WINDOWS\system32\drivers\w22n51.sys (Intel
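Editor's added example (not part of the thread, and not code from HijackThis, OTL or Malwarebytes): the two things the helper acted on in this thread are visible in plain text logs, namely the O4 autorun entry pointing at an executable in a Temp directory (Step 1 of the first reply) and, in the OTL log above, the same Wdl.exe still running from Temp next to service and driver entries whose binary is "File not found". The Python below parses both line formats and applies those checks so a responder can run them over a pasted log instead of eyeballing it. The sample log lines embedded in it are constructed for this example (the JP595IR86O line and the OTL lines are copied from the thread; the three other O4 lines are made up in the same format), and the "machine-generated name" test is a rough heuristic, not a rule from either tool.

```python
"""Triage helpers for HijackThis 'O4' autorun lines and OTL 'PRC'/'SRV'/'DRV'
lines. Added example; not code from HijackThis, OTL or the original posts."""
import re
from dataclasses import dataclass, field

# Constructed sample input. The JP595IR86O line is the entry the helper asked
# to fix; the other three O4 lines are made up here in the same format.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [JP595IR86O] C:\DOCUME~1\Charles\LOCALS~1\Temp\Wdl.exe
"""

# Constructed sample input: a subset of the PRC/SRV/DRV lines from the OTL log
# posted in the thread.
SAMPLE_OTL = r"""
PRC - C:\Documents and Settings\Charles\Local Settings\Temp\Wdl.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
SRV - (PEVSystemStart) -- C:\Combo-Fix3058C\PEV.cfx File not found
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
DRV - (EagleNT) -- C:\windows\System32\drivers\EagleNT.sys File not found
"""

# HijackThis: "O4 - HKCU\..\Run: [ValueName] command"
HJT_O4 = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# OTL process line: "PRC - <path> (<company>)"; company is empty when the file
# carries no version resource. (Paths containing " (" would need a smarter split.)
OTL_PRC = re.compile(r"^PRC - (?P<path>.+?) \((?P<company>[^()]*)\)$")
# OTL service/driver line: "SRV - (Name) -- <path> (<company>)" or "... File not found"
OTL_SVC = re.compile(
    r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]*)\)[^-]*-- (?P<path>.+?) "
    r"(?:\((?P<company>[^()]*)\)|(?P<missing>File not found))$")

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Heuristic only: 8+ chars, upper-case letters and digits mixed, nothing else.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8,}$")


@dataclass
class Finding:
    source: str                      # "hjt" or "otl"
    subject: str                     # the entry as a human would quote it
    reasons: list = field(default_factory=list)


def analyze_hjt(text: str) -> list:
    """Return one Finding per O4 line that trips at least one check."""
    findings = []
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if not m:
            continue
        reasons = []
        if TEMP_DIR.search(m["cmd"]):
            reasons.append("autorun target lives in a Temp directory")
        if RANDOM_NAME.match(m["name"]):
            reasons.append("value name looks machine-generated (heuristic)")
        if reasons:
            subject = f'{m["hive"]}\\..\\{m["key"]}: [{m["name"]}] {m["cmd"]}'
            findings.append(Finding("hjt", subject, reasons))
    return findings


def analyze_otl(text: str) -> list:
    """Flag processes running from Temp or without a company name, and
    registered services/drivers whose binary is missing on disk."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = OTL_PRC.match(line)
        if m:
            reasons = []
            if TEMP_DIR.search(m["path"]):
                reasons.append("process running from a Temp directory")
            if m["company"] == "":
                reasons.append("executable carries no company name (weak on its own)")
            if reasons:
                findings.append(Finding("otl", m["path"], reasons))
            continue
        m = OTL_SVC.match(line)
        if m and m["missing"]:
            findings.append(Finding(
                "otl", f'{m["kind"]} {m["name"]} -> {m["path"]}',
                ["registered service/driver whose binary is missing (orphaned entry)"]))
    return findings


def triage(hjt_text: str, otl_text: str) -> list:
    """Run both analyzers; entries with the most reasons come first."""
    findings = analyze_hjt(hjt_text) + analyze_otl(otl_text)
    return sorted(findings, key=lambda f: -len(f.reasons))


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_OTL):
        print(f"[{f.source}] {f.subject}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample above this reports the JP595IR86O autorun (Temp path and random-looking name), the Wdl.exe process (Temp path, no company name) and the two orphaned PEVSystemStart and EagleNT entries; the ordinary entries produce nothing. An orphaned service entry is not by itself malicious (PEVSystemStart is left behind by ComboFix), so the output is a list of things to look at, not a verdict.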
Maniac, posted December 13, 2010:

Run OTL.exe.
Under Custom Scans/Fixes post the following script:

:files
C:\FOUND.000
C:\Documents and Settings\Charles\??\*.tmp
C:\windows\System32\*.tmp files
C:\windows\*.tmp
C:\windows\tasks\xtjkmkb.job
C:\windows\Wfeboa.exe
:Commands
[purity]
[emptytemp]

Then click the Run Fix button at the top.
Let the program run unhindered; when it is done it will say "Fix Complete press ok to open log".
Please post that log in your next reply.
Charles W, posted December 13, 2010:

Hi, last night my computer shut down unexpectedly, and when I turned it on, it said something about not being able to boot C:/ then the screen turned black. I think that's bad.
Charles W, posted December 13, 2010:

Do you think there's any way I can just back up all of my stuff onto a DVD and reinstall my hard drive?
Maniac, posted December 14, 2010:

Try to run your PC in Safe Mode.
http://www.microsoft.com/resources/documen...t_failsafe.mspx
Charles W, posted December 14, 2010:

Hi, for some reason Safe Mode doesn't work for me. When I try it, the screen goes black, but now I can't even get to the boot selection page. The computer just shows the Acer logo and goes black. My mom took it to a technician to try to salvage the files onto a CD, and I'll reinstall the hard drive using a recovery disk. Do you think that's okay? Thanks.
Maniac, posted December 15, 2010:

It's the fastest and easiest solution, I think. Sorry about that!
Charles W, posted December 15, 2010:

Oh no, don't be sorry! I appreciate your time and effort, and you were a great help! Thanks!!
~Charles Wang
Maniac, posted December 16, 2010:

Thanks and good luck, Charles!
screen317 (Staff), posted December 16, 2010:

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!