
Urgent! Please Help. [Solved]

Hidden Program Unstoppable


#1
Joshua Mikhail C. Tumanda

    New Member

  • Member
  • 8 posts

Hey there! I would gladly appreciate it if any of you could help me out. I am currently being troubled by a virus/malware? Not sure. I looked it up in the Task Manager; its image name is "winmgr.exe" / "microsoft.com" (MS-DOS file) and its description is "SCSI Pass though Direct Setup". The image name somehow changes from time to time but the description doesn't. I googled "winmgr" and the results say it's malware or something. They recommended that I destroy it through some programs. I tried most but failed.

(JRT = won't open | Rogue Killer = doesn't seem to see it | Spybot = didn't seem to see it | Unhackme = didn't seem to see it.)

What troubles me most is that it doesn't let me use Microsoft Security Essentials and Malwarebytes. When I download other anti-virus programs and install them, it says it is not a valid Win32 application. Also, it fills up my memory drastically. From 184 GB free, now I only have 9.99 GB. There's more! My Administrator capabilities are being disregarded. Hope you guys could help.

Ran the "Silent Runners.vbs"


"Silent Runners.vbs", revision 69.2, http://www.silentrunners.org/
Operating System: Microsoft® Windows Vista™ Home Premium Service Pack 2 (32-bit)
Output limited to non-default values, except where indicated by "{++}"
 
 
Startup items buried in registry:
---------------------------------
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [TOSHIBA]
uTorrent = "C:\Users\Guest\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED [BitTorrent Inc.]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
 
{326E768D-4182-46FD-9C16-1449A49795F4}\(Default) = Increase performance and video formats for your HTML5 <video>
  -> {HKLM...CLSID} = DivX Plus Web Player HTML5 <video>
                   \InProcServer32\(Default) = C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll [DivX, LLC]
 
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = Java™ Plug-In SSV Helper
                   \InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\ssv.dll [Oracle Corporation]
 
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = Java™ Plug-In 2 SSV Helper
                   \InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\jp2ssv.dll [Oracle Corporation]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
 
{00020d75-0000-0000-c000-000000000046} = Microsoft Office Outlook Desktop Icon Handler
  -> {HKLM...CLSID} = Microsoft Office Outlook
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL [MS]
 
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} = Microsoft Office Metadata Handler
  -> {HKLM...CLSID} = Microsoft Office Metadata Handler
                   \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll [MS]
 
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} = Microsoft Office Thumbnail Handler
  -> {HKLM...CLSID} = Microsoft Office Thumbnail Handler
                   \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll [MS]
 
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} = Microsoft Office OneNote Namespace Extension for Windows Desktop Search
  -> {HKLM...CLSID} = Microsoft Office OneNote Namespace Extension for Windows Desktop Search
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL [MS]
 
{42042206-2D85-11D3-8CFF-005004838597} = Microsoft Office HTML Icon Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office12\msohevi.dll [MS]
 
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR shell extension
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
{0006F045-0000-0000-C000-000000000046} = Microsoft Office Outlook Custom Icon Handler
  -> {HKLM...CLSID} = Outlook File Icon Extension
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL [MS]
 
{AE424E85-F6DF-4910-A6A9-438797986431} = OpenOffice.org Property Handler
  -> {HKLM...CLSID} = OpenOffice.org Property Handler
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\propertyhdl.dll [Apache Software Foundation]
 
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} = OpenOffice.org Column Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} = OpenOffice.org Infotip Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{63542C48-9552-494A-84F7-73AA6A7C99C1} = OpenOffice.org Property Sheet Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{3B092F0C-7696-40E3-A80F-68D74DA84210} = OpenOffice.org Thumbnail Viewer
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{09A47860-11B0-4DA5-AFA5-26D86198A780} = EPP
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
 
{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} = Revo Uninstaller Pro Extension
  -> {HKLM...CLSID} = RUShellExt Class
                   \InProcServer32\(Default) = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [VS Revo Group]
 
{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = UnlockerShellExtension
  -> {HKLM...CLSID} = UnlockerShellExtension
                   \InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
 
{B65F237C-AAFF-4df7-8872-91B65663E41F}\(Default) = SmartFaceVCP
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = SmartFaceVCP.dll [null data]
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<<!>> AvastSvc.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> AvastUI.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avcenter.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avconfig.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgcsrvx.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgidsagent.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgnt.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgrsx.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avguard.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgwdsvc.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avp.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avscan.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> bdagent.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> ccuac.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> ComboFix.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> egui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> hijackthis.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> instup.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> keyscrambler.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbam.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamgui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbampt.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamscheduler.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamservice.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> NisSrv.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> rstrui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> spybotsd.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> wireshark.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> zlclient.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
 
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
 
<<!>> text/xml\CLSID = {807563E5-5146-11D5-A672-00B0D022E945}
  -> {HKLM...CLSID} = Microsoft Office InfoPath XML Mime Filter
                   \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL [MS]
 
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
 
<<!>> ms-help\CLSID = {314111c7-a502-11d2-bbca-00c04f8ec294}
  -> {HKLM...CLSID} = HxProtocol Class
                   \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll [MS]
 
<<!>> ms-itss\CLSID = {0A9007C0-4076-11D3-8789-0000F8105754}
  -> {HKLM...CLSID} = Microsoft Infotech Storage Protocol for IE 4.0
                   \InProcServer32\(Default) = c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [MS]
 
<<!>> skype-ie-addon-data\CLSID = {91774881-D725-4E58-B298-07617B9B86A8}
  -> {HKLM...CLSID} = Skype IE add-on Pluggable Protocol
                   \InProcServer32\(Default) = C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [Skype Technologies S.A.]
 
<<!>> skype4com\CLSID = {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}
  -> {HKLM...CLSID} = IEProtocolHandler Class
                   \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL [Skype Technologies]
 
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
 
EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
 
UnlockerShellExtension\(Default) = {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
  -> {HKLM...CLSID} = UnlockerShellExtension
                   \InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
 
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
 
EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
 
igfxcui\(Default) = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}
  -> {HKLM...CLSID} = GraphicsShellExt Class
                   \InProcServer32\(Default) = C:\Windows\system32\igfxpph.dll [Intel Corporation]
 
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
 
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = OpenOffice.org Column Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = PDF Column Info
  -> {HKLM...CLSID} = PDF Shell Extension
                   \InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll [Adobe Systems, Inc.]
 
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
 
RUShellExt\(Default) = {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}
  -> {HKLM...CLSID} = RUShellExt Class
                   \InProcServer32\(Default) = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [VS Revo Group]
 
UnlockerShellExtension\(Default) = {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
  -> {HKLM...CLSID} = UnlockerShellExtension
                   \InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
 
Default executables:
--------------------
 
.hta
HKLM\SOFTWARE\Classes\htafile\(Default) = HTML Application
HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "%1" %* [file not found]
 
 
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
 
Note: detected settings may not have any effect.
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
NoViewContextMenu = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
NoRun = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Run menu from Start Menu}
 
NoFind = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
NoDesktop = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
HideClock = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
NoFolderOptions = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Removes the Folder Options menu item from the Tools menu}
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
DisableTaskMgr = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
DisableRegistryTools = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}
 
LogonHoursAction = (REG_DWORD) dword:0x00000002
{unrecognized setting}
 
DontDisplayLogonHoursWarnings = (REG_DWORD) dword:0x00000001
{unrecognized setting}
 
 
Active Desktop and Wallpaper:
-----------------------------
 
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
 
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
Wallpaper = C:\Windows\system32\config\systemprofile\Documents\toytoys\bohol\pics\DSCF2250.JPG
 
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Users\roxio\Documents\toytoys\bohol\pics\DSCF2250.JPG
 
 
Enabled Screen Saver:
---------------------
 
HKCU\Control Panel\Desktop\
SCRNSAVE.EXE = C:\Windows\system32\logon.scr [MS]
 
 
Windows Portable Device AutoPlay Handlers
-----------------------------------------
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
 
BridgeCS6ImportMediaOnArrival\
Provider = Adobe Bridge CS6
InvokeProgID = Adobe.adobebridgeCS6
InvokeVerb = launch
HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS6\shell\launch\command\(Default) = C:\Program Files\Adobe\Adobe Bridge CS6\bridgeproxy.exe -v %1 [Adobe Systems, Inc.]
 
BridgeCS6NonVolumeHandler\
Provider = Adobe Bridge CS6
ProgID = Adobe.adobebridgeMTP_1
HKLM\SOFTWARE\Classes\Adobe.adobebridgeMTP_1\CLSID\(Default) = {1E6C711B-6D70-4a65-8AB6-745DC19BE2A6}
  -> {HKLM...CLSID} = Adobe Bridge CS6
                   \LocalServer32\(Default) = C:\Program Files\Adobe\Adobe Bridge CS6\bridgeproxy.exe -m [Adobe Systems, Inc.]
 
DMFMADFolder\
Provider = Ulead DVD MovieFactory 5
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\Program Files\Ulead Systems\DVD MovieFactory for TOSHIBA\Ulead DVD MovieFactory 5\MovieHunter.exe
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
  -> {HKLM...CLSID} = Shell Execute Hardware Event Handler
                   \LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
 
MPCPlayCDAudioOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayCDAudio
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd [Gabest]
 
MPCPlayDVDMovieOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayDVDMovie
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd [Gabest]
 
MPCPlayMusicFilesOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayMusicFiles
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 [Gabest]
 
MPCPlayVideoFilesOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayVideoFiles
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 [Gabest]
 
MSWMEncVCArrival\
Provider = Windows Media Encoder 9 Series
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\Program Files\Windows Media Components\Encoder\WMEnc.exe
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
  -> {HKLM...CLSID} = Shell Execute Hardware Event Handler
                   \LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
 
Picasa2ImportPicturesOnArrival\
Provider = Picasa3
InvokeProgID = picasa2.autoplay
InvokeVerb = import
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa3.exe" "%1" [Google Inc.]
 
TosDVDPlayHandler\
Provider = TOSHIBA DVD PLAYER
InvokeProgID = TosDvdPlayer
InvokeVerb = play
HKLM\SOFTWARE\Classes\TosDvdPlayer\shell\play\command\(Default) = "C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TosHDDVD.exe" [TOSHIBA Corporation]
 
VLCPlayCDAudioOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.CDAudio
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda:///%1 [VideoLAN]
 
VLCPlayDVDAudioOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
 
VLCPlayDVDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.DVDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd:///%1 [VideoLAN]
 
VLCPlayMusicFilesOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
 
VLCPlaySVCDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.SVCDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.SVCDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file vcd:///%1 [VideoLAN]
 
VLCPlayVCDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.VCDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.VCDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file vcd:///%1 [VideoLAN]
 
VLCPlayVideoFilesOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
 
WIA_{C151276C-5528-48BE-9B23-3A667236B992}\
Provider = Picasa3
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Picasa2\Picasa3.exe /StiDevice:%1 /StiEvent:%2;
  -> {HKLM...CLSID} = WPDShextAutoplay
                   \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]
 
WIA_{EE918E8B-FA2D-476E-A091-6B543758EF7E}\
Provider = Picasa2
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Picasa2\PicasaMediaDetector.exe /StiDevice:%1 /StiEvent:%2;
  -> {HKLM...CLSID} = WPDShextAutoplay
                   \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]
 
 
Windows Sidebar Gadgets: {++}
------------------------
 
C:\Users\roxio\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
%PROGRAMFILES%\windows sidebar\gadgets\Clock.gadget
%PROGRAMFILES%\windows sidebar\gadgets\SlideShow.Gadget
%PROGRAMFILES%\windows sidebar\gadgets\RSSFeeds.Gadget
 
 
Winsock2 Service Provider DLLs:
-------------------------------
 
Namespace Service Providers
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
 
Transport Service Providers
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 34
 
 
Toolbars, Explorer Bars, Extensions:
------------------------------------
 
Explorer Bars
 
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = &Research
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL [MS]
 
Extensions (Tools menu items, main toolbar menu buttons)
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
ButtonText = Send to OneNote
MenuText = S&end to OneNote
CLSIDExtension = {48E73304-E1D6-4330-914C-F5F514E3486C}
  -> {HKLM...CLSID} = Send to OneNote from Internet Explorer button
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll [MS]
 
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
ButtonText = Research
BandCLSID = {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
  -> {HKLM...CLSID} = &Research
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL [MS]
 
 
Miscellaneous IE Hijack Points
------------------------------
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> Tabs = http://www.google.com [file not found]
 
 
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
 
Adobe Acrobat Update Service, AdobeARMservice, "C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe" [Adobe Systems Incorporated]
Microsoft Antimalware Service, MsMpSvc, "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [MS]
 
 
Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------
 
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\
 
<<!>> !SASCORE, 
<<!>> MsMpSvc, Service
 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\
 
<<!>> !SASCORE, 
<<!>> MsMpSvc, Service
 
 
Print Monitors:
---------------
 
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = msonpmon.dll [MS]
 
 
---------- (launch time: 2014-04-30 22:28:33)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
 
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 573 seconds.
---------- (total run time: 1026 seconds)
 

 


  • 0
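The Silent Runners log above is the diagnostic heart of this thread: its "Image File Execution Options" section shows the usual anti-malware and recovery executables (mbam.exe, rstrui.exe, ComboFix.exe and so on) each given a Debugger value of C:\Windows\system32\Microsoft.com, so Windows launches that file instead of the tool the user double-clicked, which is exactly the "won't open" symptom described in the post and what the later reply means by ComboFix taking out the IFEOs. The Python script below is an added example and is not part of the original post or of Silent Runners. It parses that log section and flags Debugger entries that either do not name a recognised debugger or are shared across many targets. The sample log text is constructed for the example (its layout copied from the post), and the KNOWN_DEBUGGERS allowlist and the fan-out threshold are assumptions of the example, not published rules.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption of this example: a Debugger value pointing at a real debugger is
# the only common legitimate use of IFEO\<exe>\Debugger. Extend as needed.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

IFEO_HEADER = "\\Image File Execution Options\\"

# One Silent Runners IFEO line:  <<!>> target.exe\Debugger = path [Company]
ENTRY_RE = re.compile(
    r"^<<!>>\s+(?P<target>[^\\]+?)\\Debugger\s*=\s*(?P<debugger>.+?)"
    r"(?:\s+\[(?P<company>[^\]]*)\])?\s*$"
)

# Constructed sample in Silent Runners' layout (shape copied from the post's log).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<<!>> mbam.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> rstrui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> hijackthis.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> notepad.exe\Debugger = C:\Program Files\Debugging Tools\windbg.exe [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = {807563E5-5146-11D5-A672-00B0D022E945}
"""


@dataclass(frozen=True)
class IfeoEntry:
    target: str    # executable the IFEO subkey is named after
    debugger: str  # Debugger value: what Windows actually launches instead
    company: str   # signer/company annotation Silent Runners adds, if any


def parse_ifeo_debuggers(log_text: str) -> list[IfeoEntry]:
    """Collect Debugger entries from the IFEO section of a Silent Runners log."""
    entries: list[IfeoEntry] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith(IFEO_HEADER):
            in_section = True
            continue
        if in_section and (not line or line.startswith(("HKLM\\", "HKCU\\"))):
            in_section = False  # a blank line or the next hive path closes the section
            continue
        if in_section:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(IfeoEntry(m["target"], m["debugger"].strip(), m["company"] or ""))
    return entries


def group_by_debugger(entries: list[IfeoEntry]) -> dict[str, list[str]]:
    """Map each (lower-cased) Debugger path to the targets redirected to it."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        grouped[e.debugger.lower()].append(e.target)
    return dict(grouped)


def suspicious_entries(entries, known_debuggers=KNOWN_DEBUGGERS, fanout_threshold=3):
    """Flag entries whose Debugger is not a recognised debugger, or whose Debugger
    is shared by many targets (one binary blanket-redirecting security tools)."""
    fanout = {d: len(t) for d, t in group_by_debugger(entries).items()}
    flagged: list[tuple[IfeoEntry, list[str]]] = []
    for e in entries:
        basename = e.debugger.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if basename not in known_debuggers:
            reasons.append(f"'{basename}' is not a known debugger")
        if fanout[e.debugger.lower()] >= fanout_threshold:
            reasons.append(f"same debugger set for {fanout[e.debugger.lower()]} targets")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(parse_ifeo_debuggers(SAMPLE_LOG)):
        print(f"{entry.target:<18} -> {entry.debugger} [{entry.company}]")
        for r in reasons:
            print(f"    {r}")
```

Run it against a saved Silent Runners report by reading the file into parse_ifeo_debuggers instead of SAMPLE_LOG. The two heuristics are deliberately independent: a single redirect to an unknown binary is worth a look on its own, and a known debugger applied to dozens of security-tool names is still a hijack even if the path looks respectable.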



#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

I think I can see your problem, but I will need to confirm it

 

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select both shortcut and additions at the bottom
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach all 3 logs generated.

 


  • 1

#3
Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • 8 posts

Thank you so much for replying. Really gave me hope! I followed your instructions. Here are the logs 

Attached Files


Edited by Joshua Mikhail C. Tumanda, 30 April 2014 - 10:53 AM.

  • 0

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
This may take several runs to resolve, so please be patient :)

Download the attached Fixlist.txt to the same location as FRST

Run FRST and press Fix
On completion a log will be generated; please post that

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now
  • 1

#5
Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • 8 posts

Yup! Did exactly what you said, sorry for taking too long. :)

Attached Files


  • 0

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

OK, how is the computer behaving now?

 

Just some final things to check

 

  • Run OTL.
  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    c:\program files (x86)\Google\Desktop
    c:\program files\Google\Desktop
    dir "%systemdrive%\*" /S /A:L /C
    /md5start
    rpcss.dll
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window.
  • Attach that log


  • 0

#7
Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • 8 posts

Yup! The process isn't showing up in the Task Manager anymore! Will post the log after the scan completes :)


Edited by Joshua Mikhail C. Tumanda, 30 April 2014 - 12:17 PM.

  • 0

#8
Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • 8 posts

Actually, rather than one, there are 2 log texts that popped out. I just attached both of them to be sure.

Attached Files

  • Attached File  Extras.Txt   98.73KB   195 downloads
  • Attached File  OTL.Txt   128.47KB   255 downloads

  • 0

#9
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks good, ComboFix took out the IFEOs for me. I will tidy up Java in Firefox

Anything unusual happening or is it now back to normal?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

#10
Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • 8 posts

Sorry it took so long to post the log. It took more than 3 hours for the OTL to finish.

Attached Files

  • Attached File  OTL.Txt   74.83KB   200 downloads

  • 0


#11
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

All looks good, are you experiencing any further problems before I tidy up?


  • 0

#12
Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • 8 posts

Nope, none so far! Thanks for the help! I really thought the only option was to reboot the PC >_<. God Bless and More power!


  • 0

#13
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
In that case methinks I will send you on your merry way :)

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

Malwarebytes: update and run weekly to keep your system clean

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices. Keep safe :wave:
  • 0

#14
Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • 8 posts

After finishing cleaning up with Delfix, I restarted my PC and I got this pop-up message. Will I be expecting that every time I log in?

Attached Thumbnails

  • 1.jpg

  • 0

#15
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
You should not get that. Reboot again and see if it reappears
  • 0





