[A] Black screen, with all programs disappeared

By Nunupig · 4 replies
Feb 8, 2012
  1. Hi. I ran an AV and malware scan. What should I do next? Here's my malware log. Can someone help me?

    Malwarebytes Anti-Malware (Trial)

    Database version: v2012.02.08.02

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 6.0.2900.2180
    User :: PC [administrator]

    Protection: Enabled

    2012/2/8 下午 07:52:09
    mbam-log-2012-02-08 (19-52-09).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 164282
    Time elapsed: 3 minute(s), 5 second(s)

    Memory Processes Detected: 2
    C:\Documents and Settings\All Users\Application Data\QGuaayvrII.exe (Rogue.FakeHDD) -> 228 -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\lGp2l9xqFbYKFA.exe (Rogue.FakeHDD) -> 2828 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 4
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|QGuaayvrII.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\QGuaayvrII.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_XMLLookup (Hijacker.XMLLookup) -> Data: http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_intl (Hijacker.intl) -> Data: http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s -> Quarantined and deleted successfully.

    Registry Data Items Detected: 11
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|XMLLookup (Hijacker.XMLLookup) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|intl (Hijacker.intl) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Documents and Settings\All Users\Application Data\QGuaayvrII.exe (Rogue.FakeHDD) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\lGp2l9xqFbYKFA.exe (Rogue.FakeHDD) -> Delete on reboot.
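
As an added example (not code from the thread or from Malwarebytes), here is a small Python parser for the Malwarebytes log format posted above: it pulls out the Rogue.FakeHDD files that are only removed at the next reboot, the Run-key persistence entry, the Explorer/policy values that must keep their "Good" setting, and the URL the file-association hijack pointed at. The sample log is a constructed subset of the first post's log with the section counts adjusted; the record layout and the `triage` summary are this example's own, not anything Malwarebytes defines.

```python
import re
from typing import List

# Constructed sample: a subset of the Malwarebytes log posted above, lines copied
# verbatim with the section counts adjusted to the subset, so this runs offline.
SAMPLE_LOG = r"""Memory Processes Detected: 1
C:\Documents and Settings\All Users\Application Data\QGuaayvrII.exe (Rogue.FakeHDD) -> 228 -> Delete on reboot.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|QGuaayvrII.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\QGuaayvrII.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|XMLLookup (Hijacker.XMLLookup) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> Quarantined and repaired successfully.

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\QGuaayvrII.exe (Rogue.FakeHDD) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: \d+$")
# key|value (Family) -> Bad: (x) Good: (y) -> action
DATA_ITEM_RE = re.compile(
    r"^(?P<key>HK[A-Z]+\\.+?)\|(?P<value>\S+) \((?P<family>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
# key|value (Family) -> Data: d -> action
REG_VALUE_RE = re.compile(
    r"^(?P<key>HK[A-Z]+\\.+?)\|(?P<value>\S+) \((?P<family>[^)]+)\) -> "
    r"Data: (?P<data>.*?) -> (?P<action>.+)$")
# path (Family) [-> pid] -> action   (memory processes and files share this shape)
FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\)(?: -> (?P<pid>\d+))? -> (?P<action>.+)$")
MATCHERS = (("data_item", DATA_ITEM_RE), ("reg_value", REG_VALUE_RE), ("file", FILE_RE))


def parse_mbam_log(text: str) -> List[dict]:
    """Turn every detection line into a dict tagged with its section and kind."""
    records: List[dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if not line or section is None or line.startswith("(No malicious"):
            continue
        for kind, rx in MATCHERS:
            m = rx.match(line)
            if m:
                records.append({"section": section, "kind": kind, **m.groupdict()})
                break
    return records


def triage(text: str) -> dict:
    """What still needs checking after the scan: files removed only at the next reboot,
    Run-key persistence, policy values that must keep their 'Good' value, hijack URLs."""
    recs = parse_mbam_log(text)
    files = [r for r in recs if r["kind"] == "file"]
    items = [r for r in recs if r["kind"] == "data_item"]
    return {
        "families": sorted({r["family"] for r in recs}),
        "pending_reboot": sorted({r["path"] for r in files if "reboot" in r["action"].lower()}),
        "persistence": [f'{r["key"]}|{r["value"]} -> {r["data"]}' for r in recs
                        if r["kind"] == "reg_value" and r["key"].endswith("\\Run")],
        "expected_values": {f'{r["key"]}|{r["value"]}': r["good"] for r in items},
        "hijacked_urls": sorted({r["bad"] for r in items if r["bad"].startswith("http")}),
    }


if __name__ == "__main__":
    for name, found in triage(SAMPLE_LOG).items():
        print(name, found)
```

Anything listed under `pending_reboot` is still on disk until the machine restarts, so a follow-up scan before the reboot will report it again.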

  2. Nunupig

    Nunupig TS Rookie Topic Starter

    gmer log

    GMER - http://www.gmer.net
    Rootkit quick scan 2012-02-08 20:38:40
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6 ST31000528AS rev.CC37
    Running: riqv7218[1].exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pgtdapow.sys

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA63AD7A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ProtectorA.sys (KeyboardProtection driver module/www.ISRA.org.cn)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ProtectorA.sys (KeyboardProtection driver module/www.ISRA.org.cn)

    ---- EOF - GMER 1.0.15 ----
  3. Nunupig

    Nunupig TS Rookie Topic Starter

    dds log

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180
    Run by User at 20:40:07 on 2012-02-08
    Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.3574.2564 [GMT 8:00]
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Norton 360\Engine\\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Norton 360\Engine\\ccSvcHst.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    E:\Program Files\Panasonic\ncrcore3.exe
    C:\Documents and Settings\User\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
    E:\Program Files\Panasonic\Ncrwd.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\SVNZI05T\riqv7218[1].exe
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://hk.yahoo.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: {02478d38-c3f9-4efb-9b51-7695eca05670}: 1 (0x1)
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\\ips\IPSBHO.DLL
    BHO: BOC ProcessProtect Class: {776b71e2-b4cc-4c94-bc7c-09103aa690b6} - c:\windows\system32\ProcessProtection.dll
    BHO: Windows Live 登入小幫手: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\\coIEPlg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Ncr3] e:\program files\panasonic\ncrcore3.exe
    uRun: [Octoshape Streaming Services] "c:\documents and settings\user\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [SkyTel] SkyTel.EXE
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
    IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: 添加到QQ自定義面板 - c:\program files\tencent\qq\AddPanel.htm
    IE: 添加到QQ表情 - c:\program files\tencent\qq\AddEmotion.htm
    IE: 用QQ彩信發送該圖片 - c:\program files\tencent\qq\SendMMS.htm
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\tencent\qq\QQ.EXE
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: bankofchina.com
    Trusted Zone: boc.cn
    TCP: DhcpNameServer =
    TCP: Interfaces\{75C8BAD1-66B4-4866-9FD3-C1AC4EBA5524} : DhcpNameServer =
    TCP: Interfaces\{B2E8B5BA-862C-419C-BBB4-D23CE64B451F} : DhcpNameServer =
    TCP: Interfaces\{D0F40370-A024-4B80-9374-BB52EAAAC0EE} : DhcpNameServer =
    TCP: Interfaces\{E16E29A6-2296-4350-B2BA-37765EE5C776} : DhcpNameServer =
    TCP: Interfaces\{F5CB3797-4158-451A-A4A9-1872C21CB210} : DhcpNameServer =
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: igfxcui - igfxdev.dll
    ================= FIREFOX ===================
    FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\4sahe4n6.default\
    FF - prefs.js: browser.search.selectedEngine - Findbook
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npoctoshape.dll
    FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coFFPlgn
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0500000.07d\SymDS.sys [2012-2-8 340016]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0500000.07d\SymEFA.sys [2012-2-8 652336]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-2-8 314456]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-30 11608]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20101123.003\BHDrvx86.sys [2012-2-8 691248]
    R1 Protector;Protector;c:\windows\system32\drivers\Protector.sys [2010-6-9 32904]
    R1 ProtectorA;ProtectorA;c:\windows\system32\drivers\ProtectorA.sys [2010-6-9 14216]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0500000.07d\Ironx86.sys [2012-2-8 136312]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-30 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-30 269480]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-2-8 20568]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-2-8 44768]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-30 66616]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-8 652360]
    R2 N360;Norton 360;c:\program files\norton 360\engine\\ccSvcHst.exe [2012-2-8 130000]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-8 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20101201.001\IDSXpx86.sys [2012-2-8 341944]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-8 20464]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20101201.025\NAVENG.SYS [2012-2-8 86064]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20101201.025\NAVEX15.SYS [2012-2-8 1371184]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-10-12 1374464]
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-8 435032]
    S2 gupdate;Google 更新服務 (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
    S3 gupdatem;Google 更新 服務 (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-12-29 18432]
    =============== Created Last 30 ================
    2012-02-08 12:31:21 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-02-08 12:30:58 41184 ----a-w- c:\windows\avastSS.scr
    2012-02-08 12:30:50 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 12:30:50 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2012-02-08 11:49:52 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
    2012-02-08 11:49:47 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-02-08 11:49:46 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-08 11:49:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-08 11:40:17 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0401000.00F
    2012-02-08 11:40:17 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
    2012-02-08 11:40:13 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
    2012-02-08 09:54:26 -------- d--h--w- c:\windows\system32\NtmsData
    ==================== Find3M ====================
    2012-02-08 10:25:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2012-02-08 10:25:48 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    ============= FINISH: 20:44:07.65 ===============
  4. Nunupig

    Nunupig TS Rookie Topic Starter

    attach log

    DDS (Ver_2011-08-26.01)
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2007/10/16 下午 01:06:07
    System Uptime: 2012/2/8 下午 08:03:17 (0 hours ago)
    Motherboard: ASUSTeK Computer INC. | | P5KPL-AM
    Processor: Intel Pentium III Xeon 處理器 | Socket 775 | 2797/266mhz
    Processor: Intel Pentium III Xeon 處理器 | Socket 775 | 2797/266mhz
    ==== Disk Partitions =========================
    C: is FIXED (NTFS) - 232 GiB total, 217.069 GiB free.
    D: is FIXED (NTFS) - 195 GiB total, 191.302 GiB free.
    E: is FIXED (NTFS) - 495 GiB total, 444.778 GiB free.
    F: is CDROM (CDFS)
    ==== Disabled Device Manager Items =============
    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&2C575ACB&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&2C575ACB&0
    Service: i8042prt
    ==== System Restore Points ===================
    RP1: 2012/1/31 下午 02:24:40 - 系統檢查點
    RP2: 2012/2/2 下午 12:15:04 - 系統檢查點
    RP3: 2012/2/3 下午 05:36:13 - 系統檢查點
    RP4: 2012/2/6 下午 04:39:38 - 系統檢查點
    RP5: 2012/2/7 下午 05:30:34 - 系統檢查點
    RP6: 2012/2/8 下午 08:30:50 - avast! Free Antivirus Setup
    ==== Installed Programs ======================
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0 - Chinese Traditional
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    avast! Free Antivirus
    Avira AntiVir Personal - Free Antivirus
    C-Media WDM Audio Driver
    Choice Guard
    Final Media Player 2010
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    Intel(R) Graphics Media Accelerator Driver
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 13
    Malwarebytes Anti-Malware version
    Microsoft .NET Framework 2.0
    Microsoft Application Error Reporting
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.26)
    Network Camera Recorder with Viewer Software
    Norton 360
    Norton Bootable Recovery Tool Wizard
    Octoshape Streaming Services
    Real Alternative 1.60
    Realtek High Definition Audio Driver
    Segoe UI
    VIA 平台裝置管理員
    WebFldrs XP
    Windows Installer 3.1 (KB893803)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Messenger
    Windows Live 上載工具
    Windows Live 登入小幫手
    Windows Live 程式集
    WinRAR archiver
    Yahoo! Software Update
    笢弊窅俴厙奻窅俴假諷璃 1.5
    ==== End Of File ===========================
  5. Broni

    Broni Malware Annihilator Posts: 54,260   +383

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.


    You're running two AV programs, Avast and Avira.
    One of them has to go.
    Your choice.


    Let's see if we can recover your missing features.
    Download and run UnHide.
    Let me know if it worked.


    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.