Free Malware Removal Forum

by **x4xp** » February 24th, 2010, 3:23 pm

Hi,

First of all, I do not have an antivirus software installed in my computer, that is why I am pretty sure there is something wrong going in my laptop. I am working with windows xp Service Pack 2. Here is the problem; my laptop sometimes Shuts down without asking. Not in the sense that it shows you the shutdown window. No! I just see suddenly my laptop out of electricity and the screen turns to dark! I have a Malwarebyte's'Anti-Malware installed in my pc and it has twice gave me a trojan a alert. But, I do not remeber the name of the trojan because it is not appearing anymore. Another thing is when I try to visit antvirus websites, most of them do not open for me! I do not know if the virus or the trojan is that smart to know that! My internet conncetion usually gets slow. I am feeling really frustrated because when I am in the middle of something important, the secreen suddenly turns to black. Also, when I want to use Ctrl+Alt+Delete, I get the following error message; Task Manage has been disabled by your administrator. At the end, I could download a trial version of ESET NOD32 Antivirus. But the bad new was when I tried to install it something was forcing the installation to quit. I restarted the laptop and tried to install the software again and the I was getting the following message as shown below

Also, my internet connection gets disconnected when I start up my windows for the first time.

Any help would be appreciated.

contents of HijackThis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:14 م, on 24/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\x4xp\LOCALS~1\Temp\winikpgq.exe
C:\DOCUME~1\x4xp\LOCALS~1\Temp\uqsjfl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ae/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Real Madrid News Toolbar - {598dd77f-1390-4074-8c50-0286894f4185} - C:\Program Files\Real_Madrid_News\tbReal.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Real Madrid News Toolbar - {598dd77f-1390-4074-8c50-0286894f4185} - C:\Program Files\Real_Madrid_News\tbReal.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [TPSMain] "TPSMain.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TMEPROP] "C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe" -S
O4 - HKLM\..\Run: [DockMsgFrom] "C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Norton Internet Security\cfgwiz.exe" /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\x4xp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB100\WUSB100.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/sc ... canner.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TME3SRV - IEC - C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe

--
End of file - 10897 bytes

Content of uninstall_list.txt

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bluetooth Stack for Windows by Toshiba
Byki
Byki Express
Canon Camera Access Library
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CC_ccProxyExt
ccCommon
ccPxyCore
CD/DVD Drive Acoustic Silencer
CDisplay 1.8
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Internet Download Manager
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0
Linksys WUSB100 RangePlus Wireless USB Adapter
LiveReg (Symantec Corporation)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.7)
MSRedist
MSVCRT
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Norton WMI Update
Real_Madrid_News Toolbar
RealPlayer
Revo Uninstaller 1.85
SD Secure Module
Segoe UI
SMSC IrCC V5.1.3600.5
Sonic DLA
Sonic RecordNow!
SoundMAX
SPBBC
Symantec Script Blocking Installer
SymNet
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA Manuals
TOSHIBA Mobile Extension 3
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Zooming Utility
Touch and Launch
VLC media player 1.0.3
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB889673
WinRAR archiver
Yahoo! Messenger

by **MWR 3 day Mod** » February 27th, 2010, 11:46 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

by **jmw3** » March 1st, 2010, 7:10 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:

Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
Any recommendations made are for your computer problems only and should NOT be used on any other computer.
Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
If you get stuck or are unsure of something please ask for a further explanation, do not guess.
It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2

Double-Click on dds.scr and a command window will appear. This is normal
Shortly after two logs will appear, DDS.txt & Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Gmer
Download GMER Rootkit Scanner from here.

Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log

by **x4xp** » March 2nd, 2010, 3:05 pm

Hello,

Thanks for replying and sorry for being late

Contents of DDS log

DDS (Ver_09-12-01.01) - NTFSx86
Run by x4xp at 19:57:59.98 on Mon 03/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.1023.548 [GMT 4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\Toshiba Applet\TMEPROP.exe
C:\Program Files\Toshiba\Toshiba Applet\DockMsgFrom.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\x4xp\LOCALS~1\Temp\uleipr.exe
C:\DOCUME~1\x4xp\LOCALS~1\Temp\winssupx.exe
C:\Documents and Settings\x4xp\Desktop\malware\dds.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ae/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = proxy1.emirates.net.ae:8080
uInternet Settings,ProxyServer = proxy1.emirates.net.ae:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Real Madrid News Toolbar: {598dd77f-1390-4074-8c50-0286894f4185} - c:\program files\real_madrid_news\tbReal.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Real Madrid News Toolbar: {598dd77f-1390-4074-8c50-0286894f4185} - c:\program files\real_madrid_news\tbReal.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\x4xp\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SoundMAXPnP] "c:\program files\analog devices\soundmax\SMax4PNP.exe"
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [THotkey] "c:\program files\toshiba\toshiba applet\thotkey.exe"
mRun: [AGRSMMSG] "AGRSMMSG.exe"
mRun: [PadTouch] "c:\program files\toshiba\touch and launch\PadExe.exe"
mRun: [TPSMain] "TPSMain.exe"
mRun: [SmoothView] "c:\program files\toshiba\toshiba zooming utility\SmoothView.exe"
mRun: [TFncKy] TFncKy.exe
mRun: [TMEPROP] "c:\program files\toshiba\toshiba applet\TMEPROP.exe" -S
mRun: [DockMsgFrom] "c:\program files\toshiba\toshiba applet\DockMsgFrom.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] "c:\program files\norton internet security\cfgwiz.exe" /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [SSC_UserPrompt] "c:\program files\common files\symantec shared\security center\UsrPrmpt.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] "c:\windows\ime\imkr6_1\IMEKRMIG.EXE"
mRun: [MSPY2002] "c:\windows\system32\ime\pintlgnt\ImScInst.exe" /SYNC
mRun: [PHIME2002ASync] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /SYNC
mRun: [PHIME2002A] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /IMEName
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\x4xp\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb100\WUSB100.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} - hxxp://download.tenebril.com/pub/bin/sc ... canner.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\x4xp\applic~1\mozilla\firefox\profiles\d69xg61r.default\
FF - component: c:\documents and settings\x4xp\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - component: c:\documents and settings\x4xp\application data\mozilla\firefox\profiles\d69xg61r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\x4xp\application data\mozilla\firefox\profiles\d69xg61r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\x4xp\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2004-7-23 49808]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qlmmsn.sys --> c:\windows\system32\drivers\qlmmsn.sys [?]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 213488]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-30 132224]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-28 144504]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20050124.008\NAVENG.Sys [2005-1-25 73728]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20050124.008\NavEx15.Sys [2005-1-25 631040]
S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2004-7-23 335504]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2004-7-23 197864]

=============== Created Last 30 ================

2010-02-26 21:35:40 0 d--h--w- c:\windows\PIF
2010-02-25 23:36:00 440 --sha-r- c:\documents and settings\x4xp\ntuser.pol
2010-02-25 15:24:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-02-24 19:05:19 0 d-----w- c:\program files\Trend Micro
2010-02-24 17:11:39 0 d-----w- c:\docume~1\x4xp\applic~1\AVG8
2010-02-22 16:01:35 0 ----a-w- c:\documents and settings\x4xp\defogger_reenable
2010-02-22 15:27:47 0 d-----w- c:\program files\MSSOAP
2010-02-22 15:27:20 0 d-----w- c:\program files\Webroot
2010-02-22 15:27:20 0 d-----w- c:\docume~1\x4xp\applic~1\Webroot
2010-02-19 18:19:23 0 dc-h--w- c:\windows\ie8
2010-02-19 13:50:05 0 d-----w- c:\program files\VS Revo Group
2010-02-19 13:05:05 0 d-----w- C:\!KillBox
2010-02-18 04:36:56 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
2010-02-18 04:36:51 0 d-----w- c:\program files\Transparent
2010-02-18 04:36:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Transparent
2010-02-16 20:39:10 0 d-----w- c:\program files\Real_Madrid_News
2010-02-16 20:39:10 0 d-----w- c:\program files\Conduit
2010-02-16 13:17:02 202048 ----a-w- c:\windows\system32\AVLibrary.dll
2010-02-16 13:16:58 0 d-----w- c:\program files\Hide The IP 2010
2010-02-12 20:40:46 0 d-sh--w- c:\documents and settings\x4xp\IECompatCache
2010-02-10 19:33:57 0 d-----w- c:\windows\system32\LogFiles
2010-02-10 12:49:27 600 ----a-w- c:\documents and settings\x4xp\PUTTY.RND
2010-02-10 12:33:40 0 d--h--w- c:\windows\system32\GroupPolicy
2010-02-10 11:58:40 0 d-----w- c:\docume~1\x4xp\applic~1\Propel
2010-02-10 11:58:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Propel
2010-02-09 13:51:06 0 d-sh--w- c:\documents and settings\x4xp\PrivacIE
2010-02-09 13:49:21 0 d-sh--w- c:\documents and settings\x4xp\IETldCache
2010-02-09 13:42:29 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-07 17:14:40 0 d-----w- c:\program files\Yahoo!
2010-02-05 20:36:41 0 d-----w- c:\docume~1\x4xp\applic~1\IDM
2010-02-05 20:36:39 0 d-----w- c:\docume~1\x4xp\applic~1\DMCache
2010-02-05 20:36:36 0 d-----w- c:\program files\Internet Download Manager
2010-02-02 14:31:26 0 d-----w- c:\documents and settings\x4xp\Tracing
2010-02-02 12:52:58 0 d-----w- c:\program files\Microsoft
2010-02-02 12:52:40 0 d-----w- c:\program files\Windows Live SkyDrive
2010-02-02 12:34:56 0 d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================

============= FINISH: 19:58:15.21 ===============

Contents of Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 19/12/2009 09:45:09 م
System Uptime: 03/01/2010 07:52:43 م (1368 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) M processor 1.86GHz | mFCPGA | 1862/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 122.452 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP55: 14/02/2010 02:09:59 م - System Checkpoint
RP56: 15/02/2010 05:07:28 م - System Checkpoint
RP57: 17/02/2010 01:09:08 ص - System Checkpoint
RP58: 18/02/2010 01:31:34 ص - System Checkpoint
RP59: 19/02/2010 02:05:54 ص - System Checkpoint
RP60: 19/02/2010 05:50:38 م - Revo Uninstaller's restore point - Windows Live Essentials
RP61: 19/02/2010 05:53:56 م - Revo Uninstaller's restore point - Propel Accelerator
RP62: 19/02/2010 10:28:11 م - Installed Windows Internet Explorer 8.
RP63: 20/02/2010 11:58:03 م - System Checkpoint
RP64: 22/02/2010 02:46:10 ص - System Checkpoint
RP65: 23/02/2010 08:18:31 م - System Checkpoint
RP66: 24/02/2010 08:29:12 م - System Checkpoint
RP67: 24/02/2010 09:11:34 م - avast! Internet Security Setup
RP68: 25/02/2010 07:34:04 م - Revo Uninstaller's restore point - Norton Internet Security 2005 (Symantec Corporation)
RP69: 25/02/2010 07:47:01 م - Revo Uninstaller's restore point - Norton Internet Security 2005 (Symantec Corporation)
RP70: 27/02/2010 03:00:09 ص - Removed Windows Live Upload Tool
RP71: 28/02/2010 04:02:11 م - System Checkpoint
RP72: 01/03/2010 07:41:45 م - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bluetooth Stack for Windows by Toshiba
Byki
Byki Express
Canon Camera Access Library
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CC_ccProxyExt
ccCommon
ccPxyCore
CD/DVD Drive Acoustic Silencer
CDisplay 1.8
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Internet Download Manager
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0
Linksys WUSB100 RangePlus Wireless USB Adapter
LiveReg (Symantec Corporation)
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.7)
MSRedist
MSVCRT
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton WMI Update
Real_Madrid_News Toolbar
RealPlayer
Revo Uninstaller 1.85
SD Secure Module
Segoe UI
SMSC IrCC V5.1.3600.5
Sonic DLA
Sonic RecordNow!
SoundMAX
SPBBC
Symantec Script Blocking Installer
SymNet
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21/x515
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA Manuals
TOSHIBA Mobile Extension 3
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Zooming Utility
Touch and Launch
VLC media player 1.0.3
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB889673
WinRAR archiver
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

25/02/2010 07:23:41 م, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume I:.
24/02/2010 08:34:42 م, error: PlugPlayManager [11] - The device Root\LEGACY_SSIDRV\0000 disappeared from the system without first being prepared for removal.
24/02/2010 08:34:42 م, error: PlugPlayManager [11] - The device Root\LEGACY_SSHRMD\0000 disappeared from the system without first being prepared for removal.
24/02/2010 08:34:42 م, error: PlugPlayManager [11] - The device Root\LEGACY_SSFS0BBC\0000 disappeared from the system without first being prepared for removal.
24/02/2010 08:34:36 م, error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).
24/02/2010 08:34:33 م, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
24/02/2010 07:50:07 م, error: ssidrv [26] -
24/02/2010 03:17:18 ص, error: ssidrv [26] -
23/02/2010 12:11:06 ص, error: PlugPlayManager [11] - The device Root\LEGACY_SSIDRV\0000 disappeared from the system without first being prepared for removal.
23/02/2010 12:11:05 ص, error: PlugPlayManager [11] - The device Root\LEGACY_SSHRMD\0000 disappeared from the system without first being prepared for removal.
23/02/2010 12:11:05 ص, error: PlugPlayManager [11] - The device Root\LEGACY_SSFS0BBC\0000 disappeared from the system without first being prepared for removal.
23/02/2010 12:10:52 ص, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Contents of Gmer log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 22:57:52
Windows 5.1.2600 Service Pack 2
Running: gi9mve39.exe; Driver: C:\DOCUME~1\x4xp\LOCALS~1\Temp\pfxoafob.sys

---- System - GMER 1.0.15 ----

SSDT 8642F648 ZwConnectPort

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:860] EE2B7820
Thread System [4:864] EE2A7410

---- EOF - GMER 1.0.15 ----

by **jmw3** » March 2nd, 2010, 7:55 pm

Hi

Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

Norton AntiVirus 2005
Real_Madrid_News Toolbar

If some programs listed are not present, please do not panic

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
A guide to do this can be found here
Double click on ComboFix.exe & follow the prompts
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

To post in next reply:
ComboFix log
Update on how the computer is running

by **x4xp** » March 3rd, 2010, 10:16 am

Hi,

I have tried before removing Norton AntiVirus 2005 from Add/Remove Programs and I could not, becuase it was giving me some kind of error message and it was like the sysem going to crash. So I installed a software called Revo Uninstaller and tried to uninstall norton antivirus manually. When I removed the files using the previous software ( and I think I have removed some important files from the system by mistake!) I found out that the files for Norton were still available in program files but it was not available any more in Add/Remove Programs. That was 2 weeks back I guess. When I tried to run ComboFix, It was giving me the warning that Norton is still working. I do not know how to disable it coz there is no icon for it in the taskbar. :pale:

by **jmw3** » March 3rd, 2010, 4:10 pm

Hi
See if this helps:
http://service1.symantec.com/SUPPORT/ni ... 1515220236

by **x4xp** » March 4th, 2010, 5:49 am

Hi,

The page does not open for me. I think the virus does not allow to visit antivirus websites. I will try to open it from another pc and will get back to you.

by **x4xp** » March 4th, 2010, 5:36 pm

I downloaded norton removal tool and removed Norton Internet Security 2005. After a long torture with combofix and with getting hundres of error messages I got at the end the log file of it

here it is

ComboFix 10-03-01.04 - x4xp 03/05/2010 1:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.1023.620 [GMT 4:00]
Running from: c:\documents and settings\x4xp\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\x4xp\My Documents\Downloads\Switchgear & transformers\Switchgear & transformers\QCS Section 21\Section 21\Desktop_.ini
c:\recycler\S-1-5-21-448539723-113007714-839522115-500
c:\recycler\S-1-5-21-983245944-3557640236-3503602924-500
c:\windows\EventSystem.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5

((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-04 20:36 . 2010-03-04 20:38 918176 ----a-w- c:\documents and settings\x4xp\Application Data\IDM\DwnlData\x4xp\Norton_Removal_Tool_151\Norton_Removal_Tool.exe
2010-03-01 22:10 . 2010-03-01 22:11 -------- d-----w- c:\program files\ULTRA SURF 9.9 Türkçe
2010-02-26 21:35 . 2010-02-26 21:35 -------- d--h--w- c:\windows\PIF
2010-02-25 15:24 . 2010-02-25 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-24 19:05 . 2010-02-24 19:05 -------- d-----w- c:\program files\Trend Micro
2010-02-24 17:11 . 2010-02-24 17:11 -------- d-----w- c:\documents and settings\x4xp\Application Data\AVG8
2010-02-22 15:27 . 2010-02-22 15:27 -------- d-----w- c:\program files\MSSOAP
2010-02-22 15:27 . 2010-02-24 16:35 -------- d-----w- c:\documents and settings\x4xp\Application Data\Webroot
2010-02-22 15:27 . 2010-02-22 15:27 -------- d-----w- c:\program files\Webroot
2010-02-22 15:24 . 2009-05-21 03:51 40577080 ----a-w- c:\documents and settings\x4xp\Application Data\IDM\Webroot SpySweeper 6.1.0.128\SpySweeperRegSetup_EN.exe
2010-02-19 18:19 . 2010-02-19 18:28 -------- dc-h--w- c:\windows\ie8
2010-02-19 13:50 . 2010-02-19 13:50 -------- d-----w- c:\program files\VS Revo Group
2010-02-19 13:05 . 2010-02-19 13:05 -------- d-----w- C:\!KillBox
2010-02-18 04:36 . 2010-02-18 04:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
2010-02-18 04:36 . 2009-01-12 20:49 2694448 -c--a-w- c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}\BYKI4Installer.exe
2010-02-18 04:36 . 2010-02-18 04:36 -------- d-----w- c:\program files\Transparent
2010-02-18 04:36 . 2010-02-18 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
2010-02-16 13:17 . 2009-11-28 16:58 202048 ----a-w- c:\windows\system32\AVLibrary.dll
2010-02-16 13:16 . 2010-02-18 14:13 -------- d-----w- c:\program files\Hide The IP 2010
2010-02-16 13:16 . 2010-02-16 13:16 -------- d-----w- c:\documents and settings\x4xp\Local Settings\Application Data\PackageAware
2010-02-12 20:40 . 2010-02-12 20:40 -------- d-sh--w- c:\documents and settings\x4xp\IECompatCache
2010-02-10 19:33 . 2010-02-10 19:33 -------- d-----w- c:\windows\system32\LogFiles
2010-02-10 12:33 . 2010-02-19 13:01 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-10 12:27 . 2010-02-10 12:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-10 11:58 . 2010-02-10 11:58 -------- d-----w- c:\documents and settings\x4xp\Application Data\Propel
2010-02-10 11:58 . 2010-02-10 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Propel
2010-02-09 13:51 . 2010-02-09 13:51 -------- d-sh--w- c:\documents and settings\x4xp\PrivacIE
2010-02-09 13:49 . 2010-02-09 13:49 -------- d-sh--w- c:\documents and settings\x4xp\IETldCache
2010-02-09 13:42 . 2009-01-07 14:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-07 17:44 . 2010-02-07 17:44 -------- d-----w- c:\documents and settings\x4xp\Local Settings\Application Data\Yahoo
2010-02-07 17:44 . 2010-02-07 17:44 -------- d-----w- c:\documents and settings\x4xp\Application Data\Yahoo!
2010-02-07 17:29 . 2010-02-07 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-07 17:29 . 2009-11-10 10:39 681200 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-02-07 17:14 . 2010-02-07 17:29 -------- d-----w- c:\program files\Yahoo!
2010-02-05 20:36 . 2010-02-05 20:36 198064 ----a-w- c:\documents and settings\x4xp\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-02-05 20:36 . 2010-02-22 16:01 -------- d-----w- c:\documents and settings\x4xp\Application Data\IDM
2010-02-05 20:36 . 2010-03-04 21:21 -------- d-----w- c:\documents and settings\x4xp\Application Data\DMCache
2010-02-05 20:36 . 2010-02-05 20:37 -------- d-----w- c:\program files\Internet Download Manager
2010-02-03 18:56 . 2010-02-03 18:56 -------- d-----w- c:\documents and settings\x4xp\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 20:46 . 2005-01-25 08:04 -------- d-----w- c:\program files\Symantec
2010-03-02 00:08 . 2009-12-31 13:47 -------- d-----w- c:\documents and settings\x4xp\Application Data\vlc
2010-02-26 23:00 . 2010-02-02 12:52 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-19 13:51 . 2010-02-02 12:52 -------- d-----w- c:\program files\Windows Live
2010-02-18 16:09 . 2009-12-21 09:55 93144 ----a-w- c:\documents and settings\x4xp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\UHZJB171.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\2RH7PJ71.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\X7H79NBP.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\FZ7PB9V7.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\FLRBXF57.DAT
2010-02-09 11:12 . 2009-12-31 15:10 -------- d-----w- c:\documents and settings\x4xp\Application Data\dvdcss
2010-02-05 17:01 . 2010-01-15 03:49 -------- d-----w- c:\documents and settings\x4xp\Application Data\ZoomBrowser EX
2010-02-05 15:38 . 2010-01-15 03:48 -------- d-----w- c:\documents and settings\x4xp\Application Data\CameraWindowDC
2010-02-02 12:52 . 2010-02-02 12:52 -------- d-----w- c:\program files\Microsoft
2010-02-02 12:34 . 2010-02-02 12:34 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-31 10:11 . 2009-12-30 15:22 -------- d-----w- c:\program files\Google
2010-01-27 13:43 . 2010-01-27 13:43 -------- d-----w- c:\program files\CDisplay
2010-01-26 08:12 . 2010-01-26 08:12 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-15 03:48 . 2010-01-15 03:48 -------- d-----w- c:\documents and settings\x4xp\Application Data\CANON INC
2010-01-15 03:37 . 2010-01-15 03:33 -------- d-----w- c:\program files\Canon
2010-01-15 03:33 . 2010-01-15 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-15 03:31 . 2010-01-15 03:31 -------- d-----w- c:\program files\Common Files\Canon
2010-01-09 21:05 . 2010-01-09 21:05 0 ----a-w- c:\windows\nsreg.dat
2010-01-06 08:08 . 2010-01-09 21:48 614912 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 08:08 . 2010-01-09 21:48 57856 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 08:08 . 2010-01-09 21:48 4726272 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 08:08 . 2010-01-09 21:48 4725760 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 08:08 . 2010-01-09 21:48 413696 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 08:08 . 2010-01-09 21:48 153600 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-06 08:08 . 2010-01-09 21:48 103424 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-01-03 23:54 . 2010-01-03 23:54 -------- d-----w- c:\program files\Common Files\xing shared
2010-01-03 23:54 . 2010-01-03 23:54 -------- d-----w- c:\program files\Common Files\Real
2010-01-03 23:54 . 2010-01-03 23:54 -------- d-----w- c:\program files\Real
2009-12-20 13:56 . 2009-12-20 13:56 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-20 13:18 . 2009-12-20 13:18 2232 ----a-w- c:\windows\java\Packages\Data\1NVXFV3T.DAT
2009-12-20 13:18 . 2009-12-20 13:18 155995 ----a-w- c:\windows\java\Packages\RFT7H7NJ.ZIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 131072]
"Google Update"="c:\documents and settings\x4xp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-29 209392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-30 39408]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-02-05 3253680]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5322040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-07 417792]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1454080]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 176218]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 766042]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-01-14 552960]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 153899]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-11-17 1155151]
"TPSMain"="TPSMain.exe" [2005-01-21 335872]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-12-21 188416]
"TFncKy"="TFncKy.exe" [BU]
"TMEPROP"="c:\program files\Toshiba\Toshiba Applet\TMEPROP.exe" [2005-01-14 323584]
"DockMsgFrom"="c:\program files\Toshiba\Toshiba Applet\DockMsgFrom.exe" [2004-11-11 180224]
"NDSTray.exe"="NDSTray.exe" [BU]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 200763]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 96552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-03 253997]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\x4xp\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 164168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 103424]
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB100\WUSB100.exe [2008-3-14 5816320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\x4xp\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Linksys\\WUSB100\\WUSB100.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiprbxx.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\TMEPROP.exe"=
"c:\\WINDOWS\\system32\\TPSMain.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=
"c:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"=
"c:\\WINDOWS\\system32\\TPSBattM.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1005MC.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTEM.EXE"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"c:\\WINDOWS\\AGRSMMSG.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\NDSTray.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\DockMsgFrom.exe"=
"c:\\WINDOWS\\system32\\dla\\tfswctrl.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Controls\\TFncKy.exe"=
"c:\\PROGRA~1\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Internet Download Manager\\IEMonitor.exe"=
"c:\\PROGRA~1\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Documents and Settings\\x4xp\\Desktop\\HJTInstall.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Google\\Update\\1.2.183.17\\GoogleCrashHandler.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=

R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [28/07/2007 02:50 م 517632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 02:11 م 213488]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 10:11]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 10:11]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2266744587-4235065632-195420792-1005Core.job
- c:\documents and settings\x4xp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-29 23:35]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2266744587-4235065632-195420792-1005UA.job
- c:\documents and settings\x4xp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-29 23:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ae/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} - hxxp://download.tenebril.com/pub/bin/sc ... canner.ocx
FF - ProfilePath - c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 9666
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 9666
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9666
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\x4xp\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\x4xp\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 01:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\SynTPFcs.dll
c:\program files\Toshiba\Toshiba Applet\TMEEJDLL.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1005MC.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\dwwin.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-03-05 01:25:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 21:25

Pre-Run: 131,455,057,920 bytes free
Post-Run: 131,761,070,080 bytes free

- - End Of File - - 397308DAA28D7D01D004B225D1D82C86

And regarding the condition of the computer. It been few days I am getting an error message when starting up my windows. You can see it below

by **jmw3** » March 6th, 2010, 2:50 am

Hi

Apologies for the not getting back to you sooner. I was called away on business & had no internet access while away.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"UacDisableNotify"=dword:00000000
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.

Download the latest version of Java Runtime Environment (JRE) 6 Here
Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
Click the orange Download JRE button to the right
Select the Windows platform from the dropdown menu
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
Click on the link to download Windows Offline Installation & save the file to your desktop
Close any programs you may have running - especially your web browser
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel

Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<

Read through the requirements and privacy statement and click on Accept button
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
When the downloads have finished, click on Settings
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Click on My Computer under Scan
Once the scan is complete, it will display the results. Click on View Scan Report
You will see a list of infected items there. Click on Save Report As...
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
Please post this log in your next reply

Pictured tutorial if required.

To post in next reply:
ComboFix log
Kaspersky Online Scan log
Update on how the computer is running

by **x4xp** » March 6th, 2010, 10:57 am

Hi,

No problem dude.

I would like to show you the error I am getting while running ComboFix.

It is the same error I was talking about and was preventing CombFix to run properly. I can continue running Combofix by clicking on send Error Report or Don't Send repeately, but I think then it would not function as it is supposed to do.

Any suggestions! :bounce:

And I think it is good to mention is that ComboFix does not run each time I restrart my PC. I get an error. If i would like to use it, I have to download it to desktop again so it would run.

by **x4xp** » March 6th, 2010, 11:43 am

Anyway, I countinued running ComboFix while getting the error message shown above and I got the log file

ComboFix log

ComboFix 10-03-05.03 - x4xp 03/06/2010 18:12:18.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.1023.652 [GMT 4:00]
Running from: c:\documents and settings\x4xp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\x4xp\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5

((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-04 20:36 . 2010-03-04 20:38 918176 ----a-w- c:\documents and settings\x4xp\Application Data\IDM\DwnlData\x4xp\Norton_Removal_Tool_151\Norton_Removal_Tool.exe
2010-03-01 22:10 . 2010-03-01 22:11 -------- d-----w- c:\program files\ULTRA SURF 9.9 Türkçe
2010-02-26 21:35 . 2010-02-26 21:35 -------- d--h--w- c:\windows\PIF
2010-02-25 15:24 . 2010-02-25 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-24 19:05 . 2010-02-24 19:05 -------- d-----w- c:\program files\Trend Micro
2010-02-24 17:11 . 2010-02-24 17:11 -------- d-----w- c:\documents and settings\x4xp\Application Data\AVG8
2010-02-22 15:27 . 2010-02-22 15:27 -------- d-----w- c:\program files\MSSOAP
2010-02-22 15:27 . 2010-02-24 16:35 -------- d-----w- c:\documents and settings\x4xp\Application Data\Webroot
2010-02-22 15:27 . 2010-02-22 15:27 -------- d-----w- c:\program files\Webroot
2010-02-22 15:24 . 2009-05-21 03:51 40577080 ----a-w- c:\documents and settings\x4xp\Application Data\IDM\Webroot SpySweeper 6.1.0.128\SpySweeperRegSetup_EN.exe
2010-02-19 18:19 . 2010-02-19 18:28 -------- dc-h--w- c:\windows\ie8
2010-02-19 13:50 . 2010-02-19 13:50 -------- d-----w- c:\program files\VS Revo Group
2010-02-19 13:05 . 2010-02-19 13:05 -------- d-----w- C:\!KillBox
2010-02-18 04:36 . 2010-02-18 04:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
2010-02-18 04:36 . 2009-01-12 20:49 2694448 -c--a-w- c:\documents and settings\All Users\Application Data\{7D4B3D1D-104E-4507-9123-568BC721B7E2}\BYKI4Installer.exe
2010-02-18 04:36 . 2010-02-18 04:36 -------- d-----w- c:\program files\Transparent
2010-02-18 04:36 . 2010-02-18 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
2010-02-16 13:17 . 2009-11-28 16:58 202048 ----a-w- c:\windows\system32\AVLibrary.dll
2010-02-16 13:16 . 2010-02-18 14:13 -------- d-----w- c:\program files\Hide The IP 2010
2010-02-16 13:16 . 2010-02-16 13:16 -------- d-----w- c:\documents and settings\x4xp\Local Settings\Application Data\PackageAware
2010-02-12 20:40 . 2010-02-12 20:40 -------- d-sh--w- c:\documents and settings\x4xp\IECompatCache
2010-02-10 19:33 . 2010-02-10 19:33 -------- d-----w- c:\windows\system32\LogFiles
2010-02-10 12:33 . 2010-02-19 13:01 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-10 12:27 . 2010-02-10 12:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-10 11:58 . 2010-02-10 11:58 -------- d-----w- c:\documents and settings\x4xp\Application Data\Propel
2010-02-10 11:58 . 2010-02-10 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Propel
2010-02-09 13:51 . 2010-02-09 13:51 -------- d-sh--w- c:\documents and settings\x4xp\PrivacIE
2010-02-09 13:49 . 2010-02-09 13:49 -------- d-sh--w- c:\documents and settings\x4xp\IETldCache
2010-02-09 13:42 . 2009-01-07 14:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-07 17:44 . 2010-02-07 17:44 -------- d-----w- c:\documents and settings\x4xp\Local Settings\Application Data\Yahoo
2010-02-07 17:44 . 2010-02-07 17:44 -------- d-----w- c:\documents and settings\x4xp\Application Data\Yahoo!
2010-02-07 17:29 . 2010-02-07 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-07 17:29 . 2009-11-10 10:39 681200 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-02-07 17:14 . 2010-02-07 17:29 -------- d-----w- c:\program files\Yahoo!
2010-02-05 20:36 . 2010-02-05 20:36 198064 ----a-w- c:\documents and settings\x4xp\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-02-05 20:36 . 2010-02-22 16:01 -------- d-----w- c:\documents and settings\x4xp\Application Data\IDM
2010-02-05 20:36 . 2010-03-06 15:08 -------- d-----w- c:\documents and settings\x4xp\Application Data\DMCache
2010-02-05 20:36 . 2010-02-05 20:37 -------- d-----w- c:\program files\Internet Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 00:43 . 2009-12-31 13:47 -------- d-----w- c:\documents and settings\x4xp\Application Data\vlc
2010-03-04 20:46 . 2005-01-25 08:04 -------- d-----w- c:\program files\Symantec
2010-02-26 23:00 . 2010-02-02 12:52 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-19 13:51 . 2010-02-02 12:52 -------- d-----w- c:\program files\Windows Live
2010-02-18 16:09 . 2009-12-21 09:55 93144 ----a-w- c:\documents and settings\x4xp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\UHZJB171.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\2RH7PJ71.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\X7H79NBP.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\FZ7PB9V7.DAT
2010-02-12 14:39 . 2010-02-12 14:39 2678 ----a-w- c:\windows\java\Packages\Data\FLRBXF57.DAT
2010-02-09 11:12 . 2009-12-31 15:10 -------- d-----w- c:\documents and settings\x4xp\Application Data\dvdcss
2010-02-05 17:01 . 2010-01-15 03:49 -------- d-----w- c:\documents and settings\x4xp\Application Data\ZoomBrowser EX
2010-02-05 15:38 . 2010-01-15 03:48 -------- d-----w- c:\documents and settings\x4xp\Application Data\CameraWindowDC
2010-02-02 12:52 . 2010-02-02 12:52 -------- d-----w- c:\program files\Microsoft
2010-02-02 12:34 . 2010-02-02 12:34 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-31 10:11 . 2009-12-30 15:22 -------- d-----w- c:\program files\Google
2010-01-27 13:43 . 2010-01-27 13:43 -------- d-----w- c:\program files\CDisplay
2010-01-26 08:12 . 2010-01-26 08:12 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-15 03:48 . 2010-01-15 03:48 -------- d-----w- c:\documents and settings\x4xp\Application Data\CANON INC
2010-01-15 03:37 . 2010-01-15 03:33 -------- d-----w- c:\program files\Canon
2010-01-15 03:33 . 2010-01-15 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-15 03:31 . 2010-01-15 03:31 -------- d-----w- c:\program files\Common Files\Canon
2010-01-09 21:05 . 2010-01-09 21:05 0 ----a-w- c:\windows\nsreg.dat
2010-01-06 08:08 . 2010-01-09 21:48 614912 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 08:08 . 2010-01-09 21:48 57856 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 08:08 . 2010-01-09 21:48 4726272 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 08:08 . 2010-01-09 21:48 4725760 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 08:08 . 2010-01-09 21:48 413696 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 08:08 . 2010-01-09 21:48 153600 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-06 08:08 . 2010-01-09 21:48 103424 ----a-w- c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-12-20 13:56 . 2009-12-20 13:56 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-20 13:18 . 2009-12-20 13:18 2232 ----a-w- c:\windows\java\Packages\Data\1NVXFV3T.DAT
2009-12-20 13:18 . 2009-12-20 13:18 155995 ----a-w- c:\windows\java\Packages\RFT7H7NJ.ZIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 131072]
"Google Update"="c:\documents and settings\x4xp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-29 209392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-30 39408]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-02-05 3253680]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5322040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-07 417792]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1454080]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 176218]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 766042]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-01-14 552960]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 153899]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-11-17 1155151]
"TPSMain"="TPSMain.exe" [2005-01-21 335872]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-12-21 188416]
"TFncKy"="TFncKy.exe" [BU]
"TMEPROP"="c:\program files\Toshiba\Toshiba Applet\TMEPROP.exe" [2005-01-14 323584]
"DockMsgFrom"="c:\program files\Toshiba\Toshiba Applet\DockMsgFrom.exe" [2004-11-11 180224]
"NDSTray.exe"="NDSTray.exe" [BU]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 200763]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-03 253997]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\x4xp\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 164168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 103424]
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB100\WUSB100.exe [2008-3-14 5816320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 20:47 96552 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\x4xp\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Linksys\\WUSB100\\WUSB100.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiprbxx.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\TMEPROP.exe"=
"c:\\WINDOWS\\system32\\TPSMain.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=
"c:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"=
"c:\\WINDOWS\\system32\\TPSBattM.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1005MC.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTEM.EXE"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"c:\\WINDOWS\\AGRSMMSG.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\NDSTray.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"=
"c:\\Program Files\\Toshiba\\Toshiba Applet\\DockMsgFrom.exe"=
"c:\\WINDOWS\\system32\\dla\\tfswctrl.exe"=
"c:\\Program Files\\TOSHIBA\\TOSHIBA Controls\\TFncKy.exe"=
"c:\\PROGRA~1\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Internet Download Manager\\IEMonitor.exe"=
"c:\\PROGRA~1\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Documents and Settings\\x4xp\\Desktop\\HJTInstall.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Google\\Update\\1.2.183.17\\GoogleCrashHandler.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Documents and Settings\\x4xp\\Desktop\\New potable Ultra Surf 9.92_ultrasurf 9.92_New Full Ultrasurf, ultra suf.exe"=

R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [28/07/2007 02:50 م 517632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 02:11 م 213488]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 10:11]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 10:11]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2266744587-4235065632-195420792-1005Core.job
- c:\documents and settings\x4xp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-29 23:35]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2266744587-4235065632-195420792-1005UA.job
- c:\documents and settings\x4xp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-29 23:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ae/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} - hxxp://download.tenebril.com/pub/bin/sc ... canner.ocx
FF - ProfilePath - c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 9666
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 9666
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9666
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\x4xp\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\documents and settings\x4xp\Application Data\Mozilla\Firefox\Profiles\d69xg61r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 19:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\TOSHIBA\TOSHIBA Applet\tme3srv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1005MC.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-03-06 19:11:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 15:10
ComboFix2.txt 2010-03-04 21:25

Pre-Run: 130,539,110,400 bytes free
Post-Run: 130,213,572,608 bytes free

- - End Of File - - DC51AFEB682822CB51A381FFEC11CC03

Regarding the Kaspersky Online Scan log, as I have said before; I can not visit anitivirus websites. They do not open in this PC

by **jmw3** » March 6th, 2010, 8:02 pm

Hi
I'm afraid I have some bad news for you. It looks as though our computer is infected with a polymorphic file infector named Sality.
http://www.threatexpert.com/report.aspx ... d1f4f13cef
http://www.ca.com/us/securityadvisor/vi ... x?id=74007

Sality is capable of infecting all the machine's executable files (.exe), & screensaver files (.scr). As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT under any circumstances backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable. Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

There are no tools available that can successfully fix this infection at the moment.

Let me know if you need some assistance in formatting your computer.

by **x4xp** » March 7th, 2010, 4:11 am

Hi,

That's really bad news :cry:

Then I do not have other choice rather than formatting

I know how to fomat my PC, but the thing is I have already added a rar file to my external hardisk which had an executable file inside it. How can I check now if my hardisk is infected or no?!

by **jmw3** » March 7th, 2010, 1:51 pm

Hi

It will be difficult to tell if your hard drive is infected. Let's try this:

USBNoRisk
Download USBNoRisk by bobby from Here & save it to your Desktop.

Double click on usbnorisk.exe to run the program
Wait a couple of seconds for initial scan to finish
Connect all of the USB storage devices to the PC, one at a time, & keep each one connected at least for 10 seconds
If there are more USB storage devices to scan, take a note about the order in which these were connected
Once all the devices are scanned, right-click anywhere in the Monitor screen then choose Save log. A log will open in Notepad
Copy/paste the contents of the log in your next reply

Explanation: USB storage devices are all the USB devices that get their own partition letter when connecting to a computer, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Free Malware Removal Forum

My Screen gets into black!

My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Re: My Screen gets into black!

Who is online