Geeks To Go forum
Can't perform system tasks


#1 shal (New Member, 7 posts)
Hi,
I have the following problem with my system:
I can't open Control Panel. I can't view the display properties or the Registry Editor, and I can't perform most of the system tasks. When I try, the following message is shown:
"The operation has been cancelled due to the restriction in effect on this computer. Please contact the system administrator." (This is shown twice.)
No one other than me is using this system.
Please help me.
Thanking you.
shal

#2 shal (Topic Starter)
This is my HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:16 PM, on 9/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\KHATRA.exe
C:\WINDOWS\System\gHost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AutorunRemover\AutorunRemover.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\Xplorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolba...ml?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolba...ml?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server.toolba...ml?mode=toolbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server.toolba...ml?mode=toolbar
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Exploiter
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Rediff Toolbar\3.0\tbu8F\redifftoolbar.dll (file missing)
R3 - URLSearchHook: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTog1.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTog1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: XBTBPos00 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\REDIFF~1\3.0\tbu8F\REDIFF~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Rediff Toolbar\3.0\tbu8F\redifftoolbar.dll (file missing)
O3 - Toolbar: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTog1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\WINDOWS\Xplorer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\WINDOWS\system32\KHATRA.exe
O4 - HKLM\..\Run: [Xplorer] "C:\WINDOWS\Xplorer.exe" /Windows
O4 - HKLM\..\Run: [7292A4] C:\WINDOWS\system32\DD3BC6\7292A4.EXE
O4 - HKLM\..\Run: [AutorunRemover.exe] C:\Program Files\AutorunRemover\AutorunRemover.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKLM\..\Policies\Explorer\Run: [G_Host] "C:\WINDOWS\System\gHost.exe" /Reproduce
O4 - Startup: (Empty).LNK = C:\KHATRA.exe
O4 - Global Startup: (Empty).LNK = C:\KHATRA.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Rediff Toolbar\3.0\tbu8F\redifftoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Rediff Toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Rediff Toolbar\3.0\tbu8F\redifftoolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: JavaWebServer - Unknown owner - C:\JavaWebServer2.0\bin\jservsvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Snort (SnortSvc) - Unknown owner - C:\Snort\bin\snort.exe (file missing)

--
End of file - 9136 bytes
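As an added worked example (not part of this thread and not something HijackThis does itself), the Python script below runs a first triage pass over the O4 and O7 lines from the log above. The autostart lines embedded as sample input are copied from that log; the heuristics, the SECURITY_TOKENS list and the function names are this example's own assumptions. It flags executables that live in the drive root or the Windows folder, hex-named folders under system32, entries under the Policies\Explorer\Run key, startup shortcuts with a placeholder name, Run value names that borrow a security vendor's name while pointing at an unrelated file, and Explorer policy restrictions such as DisableRegedit, the same family of policies behind the "restrictions in effect on this computer" message in the first post.

```python
import re
from typing import List, Tuple

# Sample input: O4/O7 lines copied from the HijackThis log posted in this
# thread (a few benign entries are kept so the heuristics have something to
# leave alone).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\WINDOWS\Xplorer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\WINDOWS\system32\KHATRA.exe
O4 - HKLM\..\Run: [Xplorer] "C:\WINDOWS\Xplorer.exe" /Windows
O4 - HKLM\..\Run: [7292A4] C:\WINDOWS\system32\DD3BC6\7292A4.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKLM\..\Policies\Explorer\Run: [G_Host] "C:\WINDOWS\System\gHost.exe" /Reproduce
O4 - Startup: (Empty).LNK = C:\KHATRA.exe
O4 - Global Startup: (Empty).LNK = C:\KHATRA.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

RUN_RE = re.compile(r'^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
POLICY_RE = re.compile(r'^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>\S+)$')
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)

# Assumption of this example: brand words that malware likes to borrow for a
# Run value name. HijackThis keeps no such list.
SECURITY_TOKENS = ("avg", "avast", "avira", "antivir", "norton", "mcafee")


def suspicious_reasons(key: str, name: str, path: str) -> List[str]:
    """Heuristic checks on one autostart entry; an empty list means nothing odd."""
    reasons = []
    p = path.lower()
    folder = p.rsplit("\\", 1)[0] if "\\" in p else ""
    if "policies\\explorer\\run" in key.lower():
        reasons.append("runs from Policies\\Explorer\\Run, a key legitimate software rarely uses")
    if folder in ("c:", "c:\\windows", "c:\\windows\\system"):
        reasons.append("executable in the drive root or Windows folder rather than Program Files/system32")
    if re.search(r"\\system32\\[0-9a-f]{4,}\\", p):
        reasons.append("hex-named subfolder under system32")
    if name.lower().startswith("(empty)"):
        reasons.append("startup shortcut with a placeholder name")
    for tok in SECURITY_TOKENS:
        if tok in name.lower() and tok not in p:
            reasons.append(f"value name mentions '{tok}' but the executable path does not")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (log line, reasons) for every O4/O7 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])          # strip quotes and arguments
            path = exe["path"] if exe else m["cmd"]
            reasons = suspicious_reasons(m["key"], m["name"], path)
            if reasons:
                findings.append((line, reasons))
            continue
        m = POLICY_RE.match(line)
        if m and m["data"] != "0":
            findings.append((line, [f"Explorer policy {m['value']}={m['data']} restricts the user"]))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Against the sample it flags the two Xplorer.exe entries, AVG8_TRAY (which points at KHATRA.exe rather than anything AVG ships), 7292A4.EXE, gHost.exe, both (Empty).LNK shortcuts and the DisableRegedit policy, and leaves QuickTime, avast! and ctfmon alone. It also leaves the cdoosoft/olhrwef.exe entry alone, since none of these rules cover it, so read the output as a shortlist for a human, not a verdict.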

#3 fenzodahl512 (Malware Removal, 9,863 posts)
Hello, my name is fenzodahl512, and welcome to the forum. Please do the following:


Please download The Comedian.exe by Rorschach112 to your desktop.
  • Please disable all of your antivirus/firewall software before doing this step. Please visit HERE if you don't know how.
  • Double-click the program to run it. It will only take a few minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step.
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished.
STOP if you can't complete this step, and tell me more about it.



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE.

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double-click on RSIT.exe to run RSIT.
  • Before you click "Continue", make sure you change the "List files/folders created or modified in the last" setting to 3 months.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the randomly named file (or GMER.exe) to GAMERS.
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
  • Click on Scan.
  • When the scan has finished, click Copy, paste the results into Notepad, save it and attach it in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post these logs in your next reply, each log in a separate post:

1. Malwarebytes' log
2. RSIT log.txt
3. RSIT info.txt
4. Attach the GAMERS result.

#4 shal (Topic Starter)
I can't run Comedian.exe. The following error message is shown:
"comedian.exe is not a valid Win32 application"

#5 fenzodahl512 (Malware Removal)
Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

For detailed instructions on how to back up the registry via ERUNT, please visit HERE.


Then proceed with the other steps (Beginning with Malwarebytes')

#6 shal (Topic Starter)
I can't run Malwarebytes, RSIT or GMER.
When I try to run them, the following message is shown: "Files are corrupted" & "it is not a valid Win32 application".

#7 fenzodahl512 (Malware Removal)
Please save this file to your Desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

#8 shal (Topic Starter)
Win32kDiag.txt:


WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

#9 fenzodahl512 (Malware Removal)
Please make sure you disable ALL of your antivirus/antispyware/firewall programs before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename ComboFix to Combo-Fix.

It is important you rename ComboFix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It is in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

#10 shal (Topic Starter)
Log.txt:

ComboFix 09-09-22.01 - db2admin 09/22/2009 23:35.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190.26 [GMT 5.5:30]
Running from: c:\program files\Mozilla Firefox\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1229 [VPS 080923-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\db2admin\LOCALS~1\Temp\E_N4
c:\docume~1\db2admin\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\db2admin\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\db2admin\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\db2admin\LOCALS~1\Temp\E_N4\krnln.fnr
c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
c:\documents and settings\Shalini\Desktop\Smart Virus Remover.exe.lnk
c:\program files\WinPCap
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
F:\WinRAR.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_AVPsys
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-17 06:20 . 2009-09-17 06:20 -------- d-----w- c:\documents and settings\db2admin\Application Data\vlc
2009-09-15 09:08 . 2009-09-15 09:26 -------- d-----w- c:\documents and settings\Shalini\Application Data\WinHKIAV
2009-09-11 12:17 . 2009-07-28 11:03 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-11 12:17 . 2009-03-30 05:03 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-11 12:17 . 2009-02-13 06:59 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-11 12:17 . 2009-02-13 06:47 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-11 12:17 . 2009-09-11 12:17 -------- d-----w- c:\program files\Avira
2009-09-09 13:39 . 2009-09-09 13:39 -------- d-----w- c:\program files\M Autorun Killer 1.5
2009-09-09 13:35 . 2009-09-15 08:56 -------- d-----w- c:\program files\Smart Virus Remover
2009-09-08 16:18 . 2009-09-11 04:20 -------- d-----w- c:\program files\Trend Micro
2009-09-07 08:19 . 2009-09-07 08:19 65816 ----a-w- c:\documents and settings\db2admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 05:16 . 2009-09-06 05:18 -------- d-----w- c:\documents and settings\db2admin\Local Settings\Application Data\Adobe
2009-09-05 14:57 . 2009-09-05 14:57 -------- d-----w- c:\documents and settings\db2admin\Local Settings\Application Data\AVG Security Toolbar
2009-09-05 14:55 . 2009-09-05 14:55 -------- d-----w- c:\documents and settings\db2admin\Local Settings\Application Data\Mozilla
2009-09-05 14:54 . 2009-09-05 14:54 -------- d-----w- c:\documents and settings\db2admin\Application Data\Yahoo!
2009-09-05 14:54 . 2009-09-05 14:54 -------- d-----w- c:\documents and settings\db2admin\Local Settings\Application Data\Conduit
2009-09-05 14:54 . 2009-09-05 14:55 -------- d-----w- c:\documents and settings\db2admin\Local Settings\Application Data\ToggleEN
2009-09-01 12:22 . 2009-09-05 14:22 -------- d-----w- c:\windows\K.Backup
2009-09-01 12:20 . 2009-09-03 05:19 -------- d--h--w- c:\windows\system32\D6B6B3
2009-09-01 12:20 . 2009-09-01 13:36 -------- d--h--w- c:\windows\system32\F69FCF
2009-09-01 12:20 . 2009-09-11 14:38 -------- d--h--w- c:\windows\system32\BEC71F
2009-09-01 12:20 . 2009-09-03 15:34 -------- d--h--w- c:\windows\system32\DD3BC6
2009-08-30 08:16 . 2009-08-30 08:49 -------- d-----w- c:\program files\Lame for Audacity
2009-08-30 08:11 . 2009-08-30 08:11 -------- d-----w- c:\program files\Audacity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 12:17 . 2003-12-31 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-09 14:10 . 2009-08-11 06:27 -------- d-----w- c:\program files\AutorunRemover
2009-09-08 14:20 . 2009-08-11 04:05 -------- d-----w- c:\documents and settings\Shalini\Application Data\IDM
2009-09-08 14:20 . 2009-08-11 04:04 -------- d-----w- c:\program files\Internet Download Manager
2009-09-08 13:24 . 2009-08-11 04:05 -------- d-----w- c:\documents and settings\Shalini\Application Data\DMCache
2009-08-22 15:40 . 2009-08-11 04:49 -------- d-----w- c:\program files\Smallvideosoft
2009-08-21 12:12 . 2009-08-21 12:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-08-21 12:12 . 2009-08-21 12:12 -------- d-----w- c:\program files\DVDVideoSoft
2009-08-21 12:05 . 2009-08-21 12:05 -------- d-----w- c:\program files\Cucusoft
2009-08-14 11:09 . 2009-08-10 12:39 -------- d-----w- c:\documents and settings\Shalini\Application Data\GetRightToGo
2009-08-14 09:55 . 2009-08-14 09:55 -------- d-----w- c:\documents and settings\Shalini\Application Data\Xilisoft Corporation
2009-08-11 05:10 . 2009-08-11 05:10 -------- d-----w- c:\documents and settings\db2admin\Application Data\Datalayer
2009-08-11 05:05 . 2009-08-11 05:05 -------- d-----w- c:\documents and settings\db2admin\Application Data\PC Suite
2009-08-10 13:38 . 2009-07-03 08:29 -------- d-----w- c:\documents and settings\Shalini\Application Data\uTorrent
2009-07-26 12:31 . 2009-07-26 12:31 -------- d-----w- c:\documents and settings\Shalini\Application Data\MSNInstaller
2009-07-26 12:30 . 2009-07-25 11:53 -------- d-----w- c:\program files\Mp3DoctorPRO
2006-07-10 18:41 . 2006-07-10 18:41 317 ----a-w- c:\program files\db2cli.ini
2008-02-02 10:07 . 2009-03-06 13:12 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2009-03-06 13:12 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2009-03-06 13:12 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2009-03-06 13:12 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2009-03-06 13:12 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2009-07-22 15:28 2215960 ----a-w- c:\program files\ToggleEN\tbTog1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTog1.dll" [2009-07-22 2215960]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}"= "c:\program files\ToggleEN\tbTog1.dll" [2009-07-22 2215960]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-08-06 155648]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2004-03-03 19968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9263:TCP"= 9263:TCP:ctucu

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/1/2009 3:35 PM 78416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/11/2009 5:47 PM 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/1/2009 3:35 PM 20560]
S2 eahhd;Support Security;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
S2 ihcqfxd;Boot Time;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
S2 JavaWebServer;JavaWebServer;c:\javawebserver2.0\bin\jservsvc.exe --> c:\javawebserver2.0\bin\jservsvc.exe [?]
S2 obzdzp;Universal Update;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
S2 SnortSvc;Snort;c:\snort\bin\snort /SERVICE --> c:\snort\bin\snort [?]
S3 uti4mty3;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti4mty3.sys --> c:\windows\system32\Drivers\uti4mty3.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ihcqfxd
obzdzp
eahhd
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\db2admin\Application Data\Mozilla\Firefox\Profiles\wu750agw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2004933&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Peer2Peer-EN Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2004933&SearchSource=2&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-Run-InCD - c:\windows\Xplorer.exe
HKLM-Run-Xplorer - c:\windows\Xplorer.exe
HKLM-Run-7292A4 - c:\windows\system32\DD3BC6\7292A4.EXE
HKLM-Run-AutorunRemover.exe - c:\program files\AutorunRemover\AutorunRemover.exe
HKLM-Explorer_Run-G_Host - c:\windows\System\gHost.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 23:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SnortSvc]
"ImagePath"="c:\snort\bin\snort /SERVICE"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eahhd]
"ServiceDll"="c:\windows\system32\cqctk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ihcqfxd]
"ServiceDll"="c:\windows\system32\cqctk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\obzdzp]
"ServiceDll"="c:\windows\system32\cqctk.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ce,b7,47,bf,69,00,83,fe,4f,bb,0a,b8,55,74,cf,8f,62,b4,db,25,33,
53,81,5d,b7,7b,ff,0e,a4,38,8e,28,b6,ee,c7,cc,b3,9a,dd,9d,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f3417cf0-4a76-49ce-94c0-084ab3269c86}]
@Denied: (Full) (Everyone)
"Model"=dword:000000fa
"Therad"=dword:0000001d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4044)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\sessmgr.exe
c:\windows\system32\tlntsvr.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2009-09-22 23:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-22 18:17

Pre-Run: 6,790,139,904 bytes free
Post-Run: 8,237,707,264 bytes free

224



My problem is almost solved.
Thank you very much. :)
shal

Edited by shal, 22 September 2009 - 12:39 PM.

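The ComboFix log above shows three netsvcs members (eahhd, ihcqfxd, obzdzp) hosted by svchost.exe, each with ServiceDll c:\windows\system32\cqctk.dll, next to Security Center overrides, a disabled firewall and a globally open TCP port. Since ComboFix states that it omits legit default entries, anything it prints under "Svchost - NetSvcs" was added on that machine. The Python script below, an added example that is neither part of this thread nor ComboFix's own code, correlates those sections of the log and prints one line per item worth a second look. The sample input is an excerpt of the posted log; the "one DLL backs several services" rule, the dictionary layout and the function names are this example's own assumptions, and that rule has legitimate exceptions on Windows (RpcSs and DcomLaunch share rpcss.dll), so it is a prompt for inspection rather than a verdict.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Sample input: excerpt of the ComboFix log posted in this thread (security
# center and firewall keys, service list, netsvcs group, ServiceDll dump).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9263:TCP"= 9263:TCP:ctucu
S2 eahhd;Support Security;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
S2 ihcqfxd;Boot Time;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
S2 obzdzp;Universal Update;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 AM 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ihcqfxd
obzdzp
eahhd
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eahhd]
"ServiceDll"="c:\windows\system32\cqctk.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ihcqfxd]
"ServiceDll"="c:\windows\system32\cqctk.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\obzdzp]
"ServiceDll"="c:\windows\system32\cqctk.dll"
"""

SERVICE_RE = re.compile(r'^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)(?: \[.*\])?$')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')


def parse(log_text: str) -> Dict:
    """Pull the svchost/netsvcs and firewall facts out of a ComboFix log."""
    rep = {"netsvcs": [], "services": {}, "service_dll": {},
           "security_center": {}, "firewall_enabled": None, "open_ports": {}}
    current_key, in_netsvcs = "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_netsvcs:  # bare service names listed under the NetSvcs header
            if line and line != "." and not line.startswith("["):
                rep["netsvcs"].append(line)
                continue
            in_netsvcs = False
        if line.endswith("\\Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            rep["services"][m["name"]] = (m["display"], m["image"])
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m["name"], m["data"].strip().strip('"')
        if name == "ServiceDll" and "\\services\\" in current_key:
            rep["service_dll"][current_key.rsplit("\\", 1)[1]] = data.lower()
        elif current_key.endswith("\\security center"):
            rep["security_center"][name] = data
        elif current_key.endswith("\\globallyopenports\\list"):
            rep["open_ports"][name] = data
        elif current_key.endswith("\\standardprofile") and name == "EnableFirewall":
            rep["firewall_enabled"] = data.split()[0] != "0"
    return rep


def findings(rep: Dict) -> List[str]:
    """One line per item worth a second look."""
    out, dll_users = [], defaultdict(list)
    # ComboFix omits legitimate defaults, so every netsvcs member it lists was
    # added on this machine; resolve each to its display name and ServiceDll.
    for svc in rep["netsvcs"]:
        display, image = rep["services"].get(svc, ("?", "?"))
        dll = rep["service_dll"].get(svc, "?")
        dll_users[dll].append(svc)
        out.append(f"netsvcs member {svc} ({display!r}) in {image}, ServiceDll={dll}")
    for dll, users in dll_users.items():  # heuristic of this example, see lead-in
        if len(users) > 1:
            out.append(f"one DLL backs {len(users)} services ({', '.join(users)}): {dll}")
    for name, data in rep["security_center"].items():
        if name.endswith("Override") and data.endswith("1"):
            out.append(f"Security Center {name}=1: the {name[:-8]} warning is suppressed")
    if rep["firewall_enabled"] is False:
        out.append("Windows Firewall is disabled for the standard profile")
    for port, data in rep["open_ports"].items():
        out.append(f"globally open port {port} ({data})")
    return out


if __name__ == "__main__":
    print("\n".join(findings(parse(SAMPLE_LOG))))
```

On the sample it reports the three services with their display names ('Support Security', 'Boot Time', 'Universal Update'), the shared cqctk.dll, the AntiVirusOverride and FirewallOverride flags, the disabled standard-profile firewall and port 9263/TCP opened under the name ctucu. On a live machine the same facts normally sit in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll and in the Svchost key's netsvcs value, which is where a cleanup has to remove the three names as well as the DLL.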

#11 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,047 posts)
Hello shal,

Unless I am mistaken I see two anti-virus programs running in that ComboFix log. Also I see AVG8 in your earlier HijackThis log.

Running two or more real-time anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

Please uninstall either Avira or Avast. If you still have AVG8... this should also be uninstalled unless you decide to retain it rather than one of the other two.

After you have removed all but one of those please do this:

There are a couple of items in that ComboFix log that look unusual. I would like to have a look at a new CF log, so:

Please delete your version of ComboFix, including the folders C:\Qoobox and C:\Combofix, and download a new version of Combofix.

Download ComboFix from one of these locations:

NOTE: If you are a guest watching this topic: ComboFix is a very powerful tool. The disclaimer clearly states that you should not use it without supervision. There is good reason for this, as ComboFix can, and sometimes does, run into conflict on a computer and render it unusable.

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#12 shal (Topic Starter)
I have uninstalled AVG, but I couldn't uninstall Avira. That is another problem.

#13 emeraldnzl (GeekU Instructor, GeekU Moderator)

But I couldn't uninstall avira


Okay, let's leave removing it for now.

Just make sure your anti-virus programs are disabled and then run ComboFix.





