Jump to content


Photo

Windows - Display Driver Stopped Responding


  • This topic is locked This topic is locked
42 replies to this topic

#1 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 27 July 2010 - 12:27 PM

[UPDATE/EDITED BELOW]

Hi guys, and thanks in advance for your help. I'm running Windows XP.

Whenever I'm watching youtube videos my display driver goes out of whack. It only lets me watch 2 or 3 videos, then blam! The computer freezes for a couple of seconds, and the screen gets all weird looking. Big icons, weird colors, dumb shadows. And the window that pops up says this:

Windows - Display Driver Stopped Responding
The ati2dvag display driver has stopped working normally. Save your work and reboot the system to restore full display functionality. The next time you rebook the machine a dialog will be displayed giving you a chance to upload data about this failure to Microsoft.

And on the youtube screen, I can still make out letters, and on the video it says Flash has crashed.

And yes in fact, i reboot and I'm back to normal. But as soon as i watch youtube videos again, within 2 or 3 videos, the same problem. And this always happens, not just sometimes.

I have tried updating to the latest ATI display driver avalable for my computer, but I already have the latest (it does look like the last update to the driver was in 2003 however). I reinstalled it, and the same thing happens.

Thanks a lot guys, your help is really appreciated!


I did a MBAM and Spybot scan and found nothing.


00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4359

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/27/2010 1:48:32 PM
mbam-log-2010-07-27 (13-48-32).txt

Scan type: Quick scan
Objects scanned: 135578
Time elapsed: 12 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)







00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:51 PM, on 7/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_S14F.tmp" /EF "HKCU"
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7172 bytes




[[[Major EDIT]]]


Hi guys, this morning, I did a routine scan with spybot. And it found something labeled as a Tracking Cookie, but with a weird name: Win32.PornPopUp.
I removed it. Then restated my computer, and scanned again, and it was no longer there.

To be safe, i did a full scan with MBAM, and it found nothing.

Then I did an online scan with FSecure. ANd this is what it found...

suspicious:w32/malware!Gemini
found in: system
http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml

PEV.EXI
found in: C:\WINDOWS\PEV.EXE
http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml

TRANSCRIBER.EXE
found in: C:\PROGRAM FILES\TALKITTYPEIT DELUXE\TRASNCRIBER.EXE
http://www.f-secure....2_generic.shtml

Now, i did not remove them, because I'm not entirely sure if they are bad. Namely because they are from heuristics (so i'm not sure if they are essential to the inner workings of my computer)and because the last one "Transcriber.exe" is from a software i use sometimes to transcribe my voice. But, if you guys think i should remove them, then i will scan, find them again, and remove them. Please do let me know.

Thanks guys, I did not even think this would be a malware problem, but these scans bring up weird things. That's why i placed this on a PCTroubleshooting and not malware section. Thanks again I really apprecaite your help!!

Also, here is a fresh hijackthis. thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:14 PM, on 7/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_S14F.tmp" /EF "HKCU"
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7220 bytes

Edited by TimmU, 30 July 2010 - 04:13 PM.


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,533 posts

Posted 30 July 2010 - 01:12 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 31 July 2010 - 06:42 AM

Hi,
I'm nasdaq and will be helping you.

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Your log is clean.

I think that both files are good and you are getting a false positive from F-secure.

found in: C:\WINDOWS\PEV.EXE

found in: C:\PROGRAM FILES\TALKITTYPEIT DELUXE\TRASNCRIBER.EXE

You know about the TRASNCRIBER.EXE. You can rename pev.exe to pev.exe.old and it will no longer execute.
This file is know to come with ComboFix. If you used that tool then there is nothing to worry about.

You can submit the files to F-Secure for inspection.
http://www.f-secure...._EMEA/security/
Under the Submit Samples tab.
===

How much free space do you have in your Hard Disk?
If you have less then 15 % I suggest you delete all unwanted programs/files. Backup the Files you want to keep.
===

Please run this security check for my review.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information.

Posted Image
Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Please just post the contents of the DDS.txt log in your next post.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 31 July 2010 - 12:56 PM

Hey nasdaq. thanks a lot.

I have about 65% free on my local disk c.

//
//

Great, so I renamed to pev.exe.old. Yes i was kindly helped with Combofix before. And transcriber.exe i left it.

What about this, should i leave it/ or have fsecure clean it/? Thanks:

suspicious:w32/malware!Gemini
found in: system
http://www.f-secure....re!gemini.shtml


//
//


SECURITYCHECK


Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee SecurityCenter
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Java™ 6 Update 20
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.3
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


//
//

DDS



DDS (Ver_10-03-17.01) - NTFSx86
Run by Victor at 13:40:52.20 on Sat 07/31/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.222 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Victor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus CX5800F Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiala.exe /fu "c:\windows\temp\E_S14F.tmp" /EF "HKCU"
mRun: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
mRun: [CeEPOWER] c:\program files\toshiba\power management\CePMTray.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [CPATR10] c:\progra~1\ezbutton\CPATR10.EXE
mRun: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\wireless\client manager\CMAGS.EXE
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\victor\applic~1\mozilla\firefox\profiles\q8kw0fd7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\victor\application data\mozilla\firefox\profiles\q8kw0fd7.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-27 214664]
R2 DPortIO;Dritek Port I/O Driver;c:\windows\system32\drivers\DPORTIO.SYS [2001-4-12 3674]
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [2007-11-18 137344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-27 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-27 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-27 144704]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2002-8-7 34712]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [2007-11-18 12032]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-27 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-27 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-27 40552]
R3 wlags48d;Agere Wireless PCCard Service;c:\windows\system32\drivers\wlags48d.sys [2004-3-19 154112]
S3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [2008-8-17 16896]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-27 34248]

=============== Created Last 30 ================

2010-07-30 18:55:16 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-07-14 20:25:55 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-07-15 20:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2008-08-27 14:24:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat
2009-04-03 17:00:40 929824 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 13:43:17.71 ===============



//
Thanks a lot nasdaq. I appreciate it.

#5 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 01 August 2010 - 06:47 AM

Lets see what this tool will find.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingc...opic114351.html

Do not mouse click combofix's window while it's running. That may cause it to stall
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#6 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 01 August 2010 - 11:03 AM

Thanks nasdaq. here they are:

ComboFix 10-07-31.04 - Victor 08/01/2010 9:09.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.318 [GMT -5:00]
Running from: c:\documents and settings\Victor\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Hook.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-07-30 18:55 . 2010-07-30 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-07-14 20:25 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 17:34 . 2007-04-23 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-24 17:08 . 2009-02-27 22:26 -------- d-----w- c:\program files\McAfee
2010-07-15 20:18 . 2009-02-27 22:28 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-14 14:31 . 2004-03-19 21:02 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-05-25 13:14 . 2010-05-25 13:14 503808 ----a-w- c:\documents and settings\Victor\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32354126-n\msvcp71.dll
2010-05-25 13:14 . 2010-05-25 13:14 61440 ----a-w- c:\documents and settings\Victor\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-30e1d92f-n\decora-sse.dll
2010-05-25 13:14 . 2010-05-25 13:14 499712 ----a-w- c:\documents and settings\Victor\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32354126-n\jmc.dll
2010-05-25 13:14 . 2010-05-25 13:14 348160 ----a-w- c:\documents and settings\Victor\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32354126-n\msvcr71.dll
2010-05-25 13:14 . 2010-05-25 13:14 12800 ----a-w- c:\documents and settings\Victor\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-30e1d92f-n\decora-d3d.dll
2010-05-06 10:41 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-04-03 17:00 . 2009-04-03 13:13 929824 --sha-w- c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundFusion"="cwaprops.cpl" [2001-12-20 614912]
"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2002-07-19 90112]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2002-07-19 339968]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2002-07-25 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-04 40960]
"CPATR10"="c:\progra~1\EzButton\CPATR10.EXE" [2002-08-17 151552]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2002-04-05 49152]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-07-15 159744]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-03-29 122880]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"ATIModeChange"="Ati2mdxx.exe" [2002-04-23 28672]
"AtiPTA"="atiptaxx.exe" [2002-04-23 282624]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2002-05-30 163840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Client Manager.lnk - c:\program files\Wireless\Client Manager\CMAGS.EXE [2004-3-19 323584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Victor^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Victor\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Toshiba\\Ivp\\NetInt\\Netint.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 DPortIO;Dritek Port I/O Driver;c:\windows\system32\drivers\DPORTIO.SYS [4/12/2001 6:04 PM 3674]
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [11/18/2007 10:55 PM 137344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/27/2009 5:34 PM 93320]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [8/7/2002 6:57 PM 34712]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [11/18/2007 10:55 PM 12032]
R3 wlags48d;Agere Wireless PCCard Service;c:\windows\system32\drivers\wlags48d.sys [3/19/2004 4:27 PM 154112]
S3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [8/17/2008 4:12 PM 16896]
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-27 17:22]

2002-08-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-30 19:23]

2010-07-31 c:\windows\Tasks\User_Feed_Synchronization-{C7DFE059-D9D2-452D-A1FB-27E22D6E30D4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\q8kw0fd7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\q8kw0fd7.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 09:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\Hw*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6118"
"DeviceInstanceIds"=multi:"\00"
.
Completion time: 2010-08-01 09:27:32
ComboFix-quarantined-files.txt 2010-08-01 14:27
ComboFix2.txt 2009-09-03 19:36
ComboFix3.txt 2009-06-25 02:43

Pre-Run: 25,323,249,664 bytes free
Post-Run: 25,659,858,944 bytes free

- - End Of File - - 822842C1E54A4C1C303F2C73E2068F55


//
//


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:26 PM, on 8/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7205 bytes

#7 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 01 August 2010 - 11:42 AM

One suspicious file was deleted.

Are you still getting the same results about suspicious:w32/malware!Gemini from F-secure?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#8 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 01 August 2010 - 01:21 PM

One suspicious file was deleted.

Are you still getting the same results about suspicious:w32/malware!Gemini from F-secure?


Hm haven't run it again. Let me do a full f-secure scan again get back to you...thanks

#9 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 01 August 2010 - 04:46 PM

Hey nasdaq,

scanned again. here are the results. Again, I didnt clean anything. just got the report. here it is:

Suspicious:W32/Malware!Gemini (spyware)

* System (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\WINDOWS\PEV.EXE.OLD.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7FB4978-6866-4123-BB76-8116BAB3495B}\RP242\A0015902.EXE (Not cleaned & Submitted)

Gen:Trojan.Heur.JqW@yfbWVcpig (virus)

* C:\PROGRAM FILES\TALKITTYPEIT DELUXE\TRANSCRIBER.EXE (Not cleaned)




Do you think i should go ahead and get the stuff cleaned?


also, did a spybot scan again. had a cookie i dont remember ever seeing: hitbox. got that erased.

Edited by TimmU, 01 August 2010 - 05:52 PM.


#10 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 02 August 2010 - 07:24 AM

You know about the other two.

This one is being identified in your Restore point.


* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E7FB4978-6866-4123-BB76-8116BAB3495B}\RP242\A0015902.EXE (Not cleaned & Submitted)

Nothing to worry about.

Removing ComboFix will reset your restore point.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#11 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 02 August 2010 - 08:33 AM

Thanks nasdaq.

It says windows cannot find combofix. I think I sent it to recycling bin and then erased it. Should i do something else here?

//
//

And about the results: I know about TRANSCRIBER.EXE, and you informed me on PEV.EXE and the restore point. The only one I dont know about is this one in System:

Suspicious:W32/Malware!Gemini (spyware)
* System (Not cleaned)

..I''m guessing thats nothing to worry about either right? thanks

//
//

So do you think we are done malware searching?


... I know, lots of questions. I really appreciate it though. Thanks a lot nasdaq.

#12 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 02 August 2010 - 09:06 AM

The program is located in Victor's profile/destop

Copy and paste
this in the Start > run box and press the OK button.

"%userprofile%/Desktop/ComboFix.exe" /Uninstall

If that does not work you
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#13 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 02 August 2010 - 10:17 AM

hey nasdaq.

i tried it, it still didnt work. Combofix is not located at the desktop. Only a file that i named "combofix log". The actual program is not there though.

Thank you.

#14 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 02 August 2010 - 12:11 PM

To completely remove it you will have do download it again.

When installed run this this removal procedure.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#15 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 02 August 2010 - 12:32 PM

haha. ok sorry. Now it's been removed. Please let me know of any next moves. Thanks a lot nasdaq. :)

Edited by TimmU, 03 August 2010 - 08:27 AM.


#16 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 06 August 2010 - 02:45 PM

Hey nasdaq. Wanted to give you an update. Still having the display driver stopped responding problem, but this update is about a spybot scan.

I did a full MBAM scan and d it showed clean.

Then i did a Sypbot scan. It found a couple of cookies. One of which is the same Win32.PornPopUp. It came back. here are some details:

Win32.PornPopUp
Tracking cookie ((Firefox:Victor(default))) adbrite.com/(Apache)
Tracking cookie ((Firefox:Victor(default))) adbrite.com/(vsd)
Tracking cookie ((Firefox:Victor(default))) adbrite.com/(rb)
Tracking cookie ((Firefox:Victor(default))) adbrite.com/(srh)

Not sure why these cookies come up. I don't feel i go to questionable websites. In fact, I think I'm pretty selective, and am careful not to open attachments and stuff. Most definitely no porn websites.

I'm not getting any porn pop ups or anything like that. Just the tracking cookie. And I'm not noticing anything suspicious. Also did a full McAfee scan and found nothing.

Thanks for your time and help nasdaq. I do appreciate it.

Also, did a BitDefender 60 second scan. and it was clean.

Edited by TimmU, 06 August 2010 - 07:22 PM.


#17 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 07 August 2010 - 06:03 AM

Tracking cookies are not malicious. Some site like to know where you have been and what you have looked at for Marketing purposes.

I use this HOSTS file to blocked a log of these cookies.

Download HostsXpert

Tutorial, go here:
http://i28.photobuck...HostsXpert4.jpg
  • Unzip HostsXpert to it's own folder.
  • Run HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Download
  • Click: MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.
Note: If a custom Hosts file was in place, also edit those entries back in.
*/*
I suggest that you update the new version of the Hosts file, every 6 weeks. I Do.

All you need to know about the hosts file.
http://www.mvps.org/...p2002/hosts.htm
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#18 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 07 August 2010 - 12:34 PM

Thanks a lot nasdaq. I appreciate it.

I'll be completely honest with you. I read the information you gave me, and I'm not sure why but i don't want to install the HOSTS file. I know its probably for the best but something (and i cant tell what it is) just tells me not to do it. Either way, I went against my gut and tried installing it. I got to step 3 (# Click: Make Writable? in the upper left corner.) but couldn't find the Make Writable button. This just made me change my mind and decide definitely to not install it.

I realize this is a completely emotional decision, and not backed by reason, but I've made it. None-the-less, you are very much appreciated.

So a couple of questions:

* Since I just got to step 2, and didn't go through to step 3, I didnt change anything did I? Do I have to uninstall, or can i just delete the HostXpert folders on my desktop?

* I'm thinking we are done searching for malware and my computer is clean. Is this correct in your opinion?

* Do you think you can help me with my original problem (Windows: Display driver stopped responding) or should i start a fresh topic?

Thank you very much nasdaq. You're awesome. I appreciate it.

#19 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 08 August 2010 - 06:38 AM

The decision to install the hosts file was always yours. I have not problem with it.

Lets find out if it was modified.

Make sure you can see all Hidden files.


Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Navigate to the HOSTS file no extension

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

Open the file with NotePad copy and paste the contents for me to review.
===

I went back to your first post. Since you covered the driver issues this may be out best lead.

And on the youtube screen, I can still make out letters, and on the video it says Flash has crashed.

What I suggest is that you check this out. If you have the latest version I suggest you uninstall it and install it again.

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger.
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

Latest Security update available for Adobe Flash Player
http://www.adobe.com.../apsb10-14.html

Keep me posted.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#20 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 08 August 2010 - 04:23 PM

nasdaq. Thanks a lot.

Here is the contents of hosts:

127.0.0.1 localhost

Also, I uninstalled flash player with the tool you provided. Then i proceeded to install a fresh one. Still I'm getting the same problem however.

Something i forgot to mention: Flash does not always crash immediately when display driver stops working. Sometimes I can still see the video play (distorted because of driver stopped working ), however when i try to play it again, or a different video, I can see flash has crashed.

Thanks a lot nasdaq.

#21 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 09 August 2010 - 07:49 AM

Ru the DSS tool again. T

The scan will create 2 logs, I would like to see the content of Attach.txt only.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#22 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 09 August 2010 - 09:30 AM

hey nasdaq. The tool says to zip and attach, so thats what i did. If you just want me to post it, please let me know.

thanks a lot

Attached Files



#23 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 10 August 2010 - 07:54 AM

Please post the Attach.txt contents.

I personally do not like to open zip files.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#24 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 10 August 2010 - 09:09 AM

Yep. I completely understand. I don't either. Thats why i thought it was a little weird for the tool to insist on attaching. Anyway, here it is. Thanks a lot.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/14/2004 4:38:53 PM
System Uptime: 8/9/2010 9:48:34 AM (1 hours ago)

Motherboard: Null | | BTR20
Processor: Intel® Pentium® 4 CPU 2.40GHz | WMT478/NWD | 2392/mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 25.808 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.3.3
Adobe Stock Photos 1.0
ALPS Touch Pad Driver
ATI Display Driver
CCleaner
Critical Update for Windows Media Player 11 (KB959772)
Drag'n Drop CD
E-KEY Utility
Easy Button
EPSON Printer Software
EPSON Scan
FileZilla (remove only)
Garmin USB Drivers
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® PRO Ethernet Adapter and Software
InterVideo WinDVD 4
J2SE Runtime Environment 5.0 Update 9
Java Auto Updater
Java™ 6 Update 21
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office XP Media Content
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network Device Switch
SAPI
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Spybot - Search & Destroy
TextPad
Toshiba Access
TOSHIBA Console
TOSHIBA Power Management Utility
Toshiba Registration
TOSHIBA Software Modem
Toshiba Software Upgrades
Toshiba System Stability Program
Toshiba Tbiosdrv Driver
TouchPad On/Off Utility
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Wireless Client Manager V3.04
Wireless Drivers

==== Event Viewer Messages From Past Week ========

8/9/2010 9:53:27 AM, error: System Error [1003] - Error code 000000ea, parameter1 82546da8, parameter2 82d47598, parameter3 82d5e0b8, parameter4 00000001.
8/7/2010 11:27:57 AM, error: System Error [1003] - Error code 000000ea, parameter1 8259a138, parameter2 82d4fae8, parameter3 82d60990, parameter4 00000001.
8/4/2010 8:57:29 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/4/2010 8:57:28 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
8/3/2010 8:25:32 AM, error: System Error [1003] - Error code 000000ea, parameter1 82ef6b30, parameter2 82d6d498, parameter3 82d39f38, parameter4 00000001.
8/3/2010 8:25:22 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/3/2010 8:25:22 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/2/2010 9:18:20 AM, error: System Error [1003] - Error code 000000ea, parameter1 82df84f8, parameter2 82c88130, parameter3 82cc3b40, parameter4 00000001.
8/2/2010 2:35:29 PM, error: ati2mtag [108] - The driver ati2dvag for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.
8/2/2010 10:56:49 AM, error: System Error [1003] - Error code 000000ea, parameter1 82a25960, parameter2 82cb1130, parameter3 82cd0108, parameter4 00000001.

==== End Of File ===========================

#25 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 11 August 2010 - 08:08 AM

I used Google and search for this string.
ati2mtag [108] - The driver ati2dvag for the display device

8/2/2010 2:35:29 PM, error: ati2mtag [108] - The driver ati2dvag for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.


Have a look at this link.

http://www.eventid.n...ti2mtag&phase=1

See if you can get the latest driver from ATI http://www.ati.com/ for your product.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#26 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 11 August 2010 - 01:58 PM

hey nasdaq, thanks a lot. I went to the ati website you listed but for my specific product, it directs me back to the computer manufacturer website (toshiba in this case). This is the same place where i got the driver last time. I navigate the site again and it gives me the same driver I already have.

Also, I took a look at the link you provided (thanks by the way). I am not sure which of the suggested steps to take or how to execute it to be honest. Could you give me any hints? Thanks a lot nasdaq. I really appreciate it.

#27 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 12 August 2010 - 07:37 AM

Run the DDS tool again.

Open the Attach.txt file with NotePad and post all that is listed in this section.

==== Event Viewer Messages From Past Week ========

....


I want to check if new information has been generated.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#28 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 12 August 2010 - 11:12 AM

Thanks a lot nasdaq. Here it is:

==== Event Viewer Messages From Past Week ========

8/9/2010 9:53:27 AM, error: System Error [1003] - Error code 000000ea, parameter1 82546da8, parameter2 82d47598, parameter3 82d5e0b8, parameter4 00000001.
8/7/2010 11:27:57 AM, error: System Error [1003] - Error code 000000ea, parameter1 8259a138, parameter2 82d4fae8, parameter3 82d60990, parameter4 00000001.
8/6/2010 9:25:06 PM, error: ati2mtag [108] - The driver ati2dvag for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.
8/5/2010 8:43:36 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/5/2010 8:43:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
8/11/2010 12:19:43 PM, error: System Error [1003] - Error code 000000ea, parameter1 825db5a0, parameter2 82c69718, parameter3 82cf0408, parameter4 00000001.
8/10/2010 9:03:22 PM, error: System Error [1003] - Error code 000000ea, parameter1 82ef5da8, parameter2 82fcdbb8, parameter3 82dfcb78, parameter4 00000001.
8/10/2010 8:11:14 AM, error: System Error [1003] - Error code 000000ea, parameter1 825fa360, parameter2 82da61b0, parameter3 82dfe670, parameter4 00000001.

==== End Of File ===========================

Edited by TimmU, 12 August 2010 - 11:17 AM.


#29 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 13 August 2010 - 09:20 AM

It looks like some hardware or some RAM issues.

Test your ram.

Read this article, print it and follow the directives.

http://oca.microsoft.../en/windiag.asp

Keep me posted.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#30 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 15 August 2010 - 03:06 PM

nasdaq, thanks a lot.

I'm hoping you can help me clarify something I read.

"If Windows Memory Diagnostic detects errors in your hardware, you should correct the errors and run Windows Memory Diagnostic again until you get a report of no errors before you attempt to run Windows again. If you do not, Windows may not work correctly. You can attempt to identify the specific failing memory component. However, if errors are detected and your computer is under warranty, we recommend that you contact the manufacturer for troubleshooting."

If in fact the diagnostic finds that there is an error with RAM, can i then exit the tool and keep using the computer like i am now (and keep you posted for example)? Or do i have to exit and replace whatever needs replacing before i can use the computer again ..because "if you do not, Windows may not work correctly"?

I guess my confusion is if the line "Windows may not work correctly" refers to further problems that may be caused after/because of running the diagnostic. So concretely my question is: if the diagnostic finds an error, can I exit and keep using the computer like I've been using it if i choose to not replace hardware at that immediate time, or is it possible that further windows problems may be triggered?

Thanks for your help nasdaq!!

#31 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 16 August 2010 - 06:53 AM

Windows will use all the available RAM. Then when more working area is required it will use space on your hard disk (swap file). If your RAM are damaged it will freeze before going to the swap file.

This trouble will not damage your computer except that you will have to live with the blue screen...

Have a look at this page.
http://www.ehow.com/...ram-memory.html

Check also the item listed on the right pane. Some may help.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#32 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 16 August 2010 - 03:43 PM

Thanks nasdaq. I think I wasn't clear enough with my question. Let me try again:


For the purpose of this question only, lets assume that there is an error with RAM.

Is it possible that the Windows Memory Diagnostic itself will trigger further errors because of the fact that I ran it, exited, and then ran windows again without first correcting the error?

...(hypothetical of course since i haven't ran it.)

The reason I ask is because that's the feeling I'm getting from the bold/italicized line below:

"If Windows Memory Diagnostic detects errors in your hardware, you should correct the errors and run Windows Memory Diagnostic again until you get a report of no errors before you attempt to run Windows again. If you do not, Windows may not work correctly. You can attempt to identify the specific failing memory component. However, if errors are detected and your computer is under warranty, we recommend that you contact the manufacturer for troubleshooting."

#33 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 17 August 2010 - 08:24 AM

From what I read there is not problem is running the diagnostic tool again.

It may give you some other errors to look after.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#34 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 17 August 2010 - 01:24 PM

Hey nasdaq. Here is an update: I tried to run the diagnostic, but am having a challenge.

I have the windiag.iso file to the disk. But the computer is having trouble reading the disk. I insert the disk into the computer but all it does is make noises as if its trying to read it then stops and tries to read it again and it does this over and over until I push the button to eject the disk.

I know the windiag.iso was succesfully written to the disk since i went on another computer to check to see if it was there.

I then tried to burn music to a cd, and it did it successfully. I played that music cd back on the computer and it did so successfully. I also tested by putting a software installation disk in and I could install successfully.

So I know it has no trouble reading music or software from cd. The problem lies with reading data. For example, I also tried to read a text file i have on another cd and got the same results as if trying to read windiag.iso

I also tried writing the windiag to cd on another computer, then reading on this computer. That didn't work either.

I couldn't find any driver updates for this cd drive from toshiba or from the device manager update attempts.

... So im thinking this Windows Memory Diagnostic is not going to be possible.. not sure what to do.

Thanks for your help nasdaq

Edited by TimmU, 17 August 2010 - 07:05 PM.


#35 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 18 August 2010 - 07:43 AM

You have to make sure that you CD drive is the boot drive.

Important

* In the boot sequence, the drive with the Windows Memory Diagnostic disk must precede any other devices on which there is a bootable program, such as a hard disk on which Windows is installed. You can configure the boot sequence in the BIOS settings. On most computers, the default boot sequence includes the floppy drive. For more information about configuring the boot sequence, see the documentation for your motherboard.

You can change to boot sequence in your BIOS.


Check your system here.
http://michaelsteven...anufacturer.htm

Change to boot sequence.
http://www.hiren.inf...bios-boot-cdrom

Make sure you do not change any other settings by error. You may not be able to restart your computer if inadvertently you change some other settings.

Make sure you change the boot sequence back to your previous settings.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#36 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 18 August 2010 - 09:40 AM

thanks nasdaq. but i think the problem is that the drive can play and write music CDs, and even write CD-ROMs, but can't read CD-ROMs. Something is defective there.

The computer will try to boot from the cd, but it will be stuck in an endless loop of trying and trying again, but not being able to because it can't read it. This loop goes on untill i press the button to eject the cd.

Even if i try to "explore" the cd by right-clicking on the drive to see if windiag.iso is on there i cant because its stuck in the same loop trying to read it. If i place the cd in another computer however, and "explore" it also, i can easily see that windiag.iso is in there. So the problem this computer can't read it.

Thanks nasdaq.

Edited by TimmU, 18 August 2010 - 09:45 AM.


#37 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 19 August 2010 - 07:24 AM

Have you tried to reinstall the CD-Rom it could be a driver issue.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#38 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 19 August 2010 - 09:50 AM

Right, that's what i was thinking too.

So I went to toshiba support website and they didnt have relevant driver so i can reinstall like you said. I called toshiba tech support and they gave me a registry change to raise and lower filters or something like that. That didn't work. They gave me a last resort option to reinstall windows to reset to factory settings. I don't have my windows install disk but I wouldn't be willing to go with that option anyway.

So that's what I've tried. Is there anything else I might try besides the Windows Memory Diagnostic? Thanks nasdaq. I appreciate your help.

#39 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 20 August 2010 - 08:09 AM

I do not know why the Toshiba rep. did not suggest you get a recovery disk.

https://www.csd.tosh...p?orderType=SFF
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#40 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 20 August 2010 - 03:00 PM

Thanks nasdaq. But like I said before, I'm not willing to go with that option at this time.

Is there anything else I might try besides the Windows Memory Diagnostic? Thanks nasdaq. I appreciate your help.

#41 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 21 August 2010 - 05:40 AM

Not that I can think of.

May be start a new topic in Toshiba's Forum.

http://forums.comput...rums/index.jspa
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#42 TimmU

TimmU

    Advanced Member

  • Full Member
  • PipPipPip
  • 193 posts

Posted 22 August 2010 - 11:43 AM

Alright. Thanks a lot nasdaq. Your help is really appreciated! you may close this threat if you'd like.

#43 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 02 September 2010 - 08:07 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760




Member of UNITE
Support SpywareInfo Forum - click the button