Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Urgent! Please Help. [Solved]

Hidden Program Unstoppable

  • This topic is locked This topic is locked

#1
Joshua Mikhail C. Tumanda

Joshua Mikhail C. Tumanda

    New Member

  • Member
  • Pip
  • 8 posts

Hey there! I would gladly appreciate if any of you could help me out. I am currently being troubled by

 

a virus/malware? Not sure. I looked it up in the Task Manager its image name is 

"winmgr.exe" /  "microsoft.com"(ms-dos file) and its description is "SCSI Pass though Direct Setup"

 

the image name somehow changes from time to time but the description doesn't. I googled the

"winmgr" and the results say it's a malware or something. They recommended that I destroy it through some 

programs. I tried most but failed.

 

(JRT = won't open | Rogue Killer = doesn't seem to see it | Spybot = didn't seem to see it | Unhackme = didn't seem to see it.). 

 

What troubles me most is that it doesn't let me use Microsoft Security Essentials and Malwarebytes

When I download other anti-virus programs and install it, it will say is not a valid Win 32 application.

Also, it fills up my memory drastically. From 184 GB free now I only have 9.99 GB. There's more! My

Administrator capabilities are being disregarded. Hope you guys could help.

 

Ran the "Silent Runners.vbs"

 

"Silent Runners.vbs", revision 69.2, http://www.silentrunners.org/
Operating System: Microsoft® Windows Vista™ Home Premium Service Pack 2 (32-bit)
Output limited to non-default values, except where indicated by "{++}"
 
 
Startup items buried in registry:
---------------------------------
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [TOSHIBA]
uTorrent = "C:\Users\Guest\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED [BitTorrent Inc.]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
 
{326E768D-4182-46FD-9C16-1449A49795F4}\(Default) = Increase performance and video formats for your HTML5 <video>
  -> {HKLM...CLSID} = DivX Plus Web Player HTML5 <video>
                   \InProcServer32\(Default) = C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll [DivX, LLC]
 
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = Java™ Plug-In SSV Helper
                   \InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\ssv.dll [Oracle Corporation]
 
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = Java™ Plug-In 2 SSV Helper
                   \InProcServer32\(Default) = C:\Program Files\Java\jre7\bin\jp2ssv.dll [Oracle Corporation]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
 
{00020d75-0000-0000-c000-000000000046} = Microsoft Office Outlook Desktop Icon Handler
  -> {HKLM...CLSID} = Microsoft Office Outlook
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL [MS]
 
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} = Microsoft Office Metadata Handler
  -> {HKLM...CLSID} = Microsoft Office Metadata Handler
                   \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll [MS]
 
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} = Microsoft Office Thumbnail Handler
  -> {HKLM...CLSID} = Microsoft Office Thumbnail Handler
                   \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll [MS]
 
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} = Microsoft Office OneNote Namespace Extension for Windows Desktop Search
  -> {HKLM...CLSID} = Microsoft Office OneNote Namespace Extension for Windows Desktop Search
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL [MS]
 
{42042206-2D85-11D3-8CFF-005004838597} = Microsoft Office HTML Icon Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office\Office12\msohevi.dll [MS]
 
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR shell extension
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
{0006F045-0000-0000-C000-000000000046} = Microsoft Office Outlook Custom Icon Handler
  -> {HKLM...CLSID} = Outlook File Icon Extension
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL [MS]
 
{AE424E85-F6DF-4910-A6A9-438797986431} = OpenOffice.org Property Handler
  -> {HKLM...CLSID} = OpenOffice.org Property Handler
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\propertyhdl.dll [Apache Software Foundation]
 
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} = OpenOffice.org Column Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} = OpenOffice.org Infotip Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{63542C48-9552-494A-84F7-73AA6A7C99C1} = OpenOffice.org Property Sheet Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{3B092F0C-7696-40E3-A80F-68D74DA84210} = OpenOffice.org Thumbnail Viewer
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{09A47860-11B0-4DA5-AFA5-26D86198A780} = EPP
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
 
{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} = Revo Uninstaller Pro Extension
  -> {HKLM...CLSID} = RUShellExt Class
                   \InProcServer32\(Default) = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [VS Revo Group]
 
{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = UnlockerShellExtension
  -> {HKLM...CLSID} = UnlockerShellExtension
                   \InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
 
{B65F237C-AAFF-4df7-8872-91B65663E41F}\(Default) = SmartFaceVCP
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = SmartFaceVCP.dll [null data]
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<<!>> AvastSvc.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> AvastUI.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avcenter.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avconfig.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgcsrvx.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgidsagent.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgnt.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgrsx.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avguard.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avgwdsvc.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avp.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> avscan.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> bdagent.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> ccuac.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> ComboFix.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> egui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> hijackthis.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> instup.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> keyscrambler.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbam.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamgui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbampt.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamscheduler.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> mbamservice.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> NisSrv.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> rstrui.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> spybotsd.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> wireshark.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
<<!>> zlclient.exe\Debugger = C:\Windows\system32\Microsoft.com [Duplex Secure Ltd.]
 
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
 
<<!>> text/xml\CLSID = {807563E5-5146-11D5-A672-00B0D022E945}
  -> {HKLM...CLSID} = Microsoft Office InfoPath XML Mime Filter
                   \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL [MS]
 
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
 
<<!>> ms-help\CLSID = {314111c7-a502-11d2-bbca-00c04f8ec294}
  -> {HKLM...CLSID} = HxProtocol Class
                   \InProcServer32\(Default) = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll [MS]
 
<<!>> ms-itss\CLSID = {0A9007C0-4076-11D3-8789-0000F8105754}
  -> {HKLM...CLSID} = Microsoft Infotech Storage Protocol for IE 4.0
                   \InProcServer32\(Default) = c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [MS]
 
<<!>> skype-ie-addon-data\CLSID = {91774881-D725-4E58-B298-07617B9B86A8}
  -> {HKLM...CLSID} = Skype IE add-on Pluggable Protocol
                   \InProcServer32\(Default) = C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [Skype Technologies S.A.]
 
<<!>> skype4com\CLSID = {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}
  -> {HKLM...CLSID} = IEProtocolHandler Class
                   \InProcServer32\(Default) = C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL [Skype Technologies]
 
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
 
EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
 
UnlockerShellExtension\(Default) = {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
  -> {HKLM...CLSID} = UnlockerShellExtension
                   \InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
 
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
 
EPP\(Default) = {09A47860-11B0-4DA5-AFA5-26D86198A780}
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = c:\PROGRA~1\MI239C~1\shellext.dll [MS]
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
 
igfxcui\(Default) = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}
  -> {HKLM...CLSID} = GraphicsShellExt Class
                   \InProcServer32\(Default) = C:\Windows\system32\igfxpph.dll [Intel Corporation]
 
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
 
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = OpenOffice.org Column Handler
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Basis\program\shlxthdl\shlxthdl.dll [Apache Software Foundation]
 
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = PDF Column Info
  -> {HKLM...CLSID} = PDF Shell Extension
                   \InProcServer32\(Default) = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll [Adobe Systems, Inc.]
 
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
 
RUShellExt\(Default) = {2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}
  -> {HKLM...CLSID} = RUShellExt Class
                   \InProcServer32\(Default) = C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll [VS Revo Group]
 
UnlockerShellExtension\(Default) = {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
  -> {HKLM...CLSID} = UnlockerShellExtension
                   \InProcServer32\(Default) = C:\Program Files\Unlocker\UnlockerCOM.dll [null data]
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
 
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
  -> {HKLM...CLSID} = WinRAR
                   \InProcServer32\(Default) = C:\Program Files\WinRAR\rarext.dll [Alexander Roshal]
 
 
Default executables:
--------------------
 
.hta
HKLM\SOFTWARE\Classes\htafile\(Default) = HTML Application
HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "%1" %* [file not found]
 
 
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
 
Note: detected settings may not have any effect.
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
NoViewContextMenu = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
NoRun = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Run menu from Start Menu}
 
NoFind = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
NoDesktop = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
HideClock = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
NoFolderOptions = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Removes the Folder Options menu item from the Tools menu}
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
 
DisableTaskMgr = (REG_DWORD) dword:0x00000000
{unrecognized setting}
 
DisableRegistryTools = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}
 
LogonHoursAction = (REG_DWORD) dword:0x00000002
{unrecognized setting}
 
DontDisplayLogonHoursWarnings = (REG_DWORD) dword:0x00000001
{unrecognized setting}
 
 
Active Desktop and Wallpaper:
-----------------------------
 
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
 
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
Wallpaper = C:\Windows\system32\config\systemprofile\Documents\toytoys\bohol\pics\DSCF2250.JPG
 
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Users\roxio\Documents\toytoys\bohol\pics\DSCF2250.JPG
 
 
Enabled Screen Saver:
---------------------
 
HKCU\Control Panel\Desktop\
SCRNSAVE.EXE = C:\Windows\system32\logon.scr [MS]
 
 
Windows Portable Device AutoPlay Handlers
-----------------------------------------
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
 
BridgeCS6ImportMediaOnArrival\
Provider = Adobe Bridge CS6
InvokeProgID = Adobe.adobebridgeCS6
InvokeVerb = launch
HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS6\shell\launch\command\(Default) = C:\Program Files\Adobe\Adobe Bridge CS6\bridgeproxy.exe -v %1 [Adobe Systems, Inc.]
 
BridgeCS6NonVolumeHandler\
Provider = Adobe Bridge CS6
ProgID = Adobe.adobebridgeMTP_1
HKLM\SOFTWARE\Classes\Adobe.adobebridgeMTP_1\CLSID\(Default) = {1E6C711B-6D70-4a65-8AB6-745DC19BE2A6}
  -> {HKLM...CLSID} = Adobe Bridge CS6
                   \LocalServer32\(Default) = C:\Program Files\Adobe\Adobe Bridge CS6\bridgeproxy.exe -m [Adobe Systems, Inc.]
 
DMFMADFolder\
Provider = Ulead DVD MovieFactory 5
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\Program Files\Ulead Systems\DVD MovieFactory for TOSHIBA\Ulead DVD MovieFactory 5\MovieHunter.exe
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
  -> {HKLM...CLSID} = Shell Execute Hardware Event Handler
                   \LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
 
MPCPlayCDAudioOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayCDAudio
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd [Gabest]
 
MPCPlayDVDMovieOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayDVDMovie
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd [Gabest]
 
MPCPlayMusicFilesOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayMusicFiles
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 [Gabest]
 
MPCPlayVideoFilesOnArrival\
Provider = Media Player Classic
InvokeProgID = MediaPlayerClassic.Autorun
InvokeVerb = PlayVideoFiles
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = "C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 [Gabest]
 
MSWMEncVCArrival\
Provider = Windows Media Encoder 9 Series
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\Program Files\Windows Media Components\Encoder\WMEnc.exe
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
  -> {HKLM...CLSID} = Shell Execute Hardware Event Handler
                   \LocalServer32\(Default) = C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
 
Picasa2ImportPicturesOnArrival\
Provider = Picasa3
InvokeProgID = picasa2.autoplay
InvokeVerb = import
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa3.exe" "%1" [Google Inc.]
 
TosDVDPlayHandler\
Provider = TOSHIBA DVD PLAYER
InvokeProgID = TosDvdPlayer
InvokeVerb = play
HKLM\SOFTWARE\Classes\TosDvdPlayer\shell\play\command\(Default) = "C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TosHDDVD.exe" [TOSHIBA Corporation]
 
VLCPlayCDAudioOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.CDAudio
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda:///%1 [VideoLAN]
 
VLCPlayDVDAudioOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
 
VLCPlayDVDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.DVDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd:///%1 [VideoLAN]
 
VLCPlayMusicFilesOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
 
VLCPlaySVCDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.SVCDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.SVCDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file vcd:///%1 [VideoLAN]
 
VLCPlayVCDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.VCDMovie
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.VCDMovie\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file vcd:///%1 [VideoLAN]
 
VLCPlayVideoFilesOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.OPENFolder
InvokeVerb = Open
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe" %1 [VideoLAN]
 
WIA_{C151276C-5528-48BE-9B23-3A667236B992}\
Provider = Picasa3
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Picasa2\Picasa3.exe /StiDevice:%1 /StiEvent:%2;
  -> {HKLM...CLSID} = WPDShextAutoplay
                   \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]
 
WIA_{EE918E8B-FA2D-476E-A091-6B543758EF7E}\
Provider = Picasa2
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files\Picasa2\PicasaMediaDetector.exe /StiDevice:%1 /StiEvent:%2;
  -> {HKLM...CLSID} = WPDShextAutoplay
                   \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]
 
 
Windows Sidebar Gadgets: {++}
------------------------
 
C:\Users\roxio\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
%PROGRAMFILES%\windows sidebar\gadgets\Clock.gadget
%PROGRAMFILES%\windows sidebar\gadgets\SlideShow.Gadget
%PROGRAMFILES%\windows sidebar\gadgets\RSSFeeds.Gadget
 
 
Winsock2 Service Provider DLLs:
-------------------------------
 
Namespace Service Providers
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
 
Transport Service Providers
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 34
 
 
Toolbars, Explorer Bars, Extensions:
------------------------------------
 
Explorer Bars
 
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = &Research
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL [MS]
 
Extensions (Tools menu items, main toolbar menu buttons)
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
ButtonText = Send to OneNote
MenuText = S&end to OneNote
CLSIDExtension = {48E73304-E1D6-4330-914C-F5F514E3486C}
  -> {HKLM...CLSID} = Send to OneNote from Internet Explorer button
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll [MS]
 
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
ButtonText = Research
BandCLSID = {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
  -> {HKLM...CLSID} = &Research
                   \InProcServer32\(Default) = C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL [MS]
 
 
Miscellaneous IE Hijack Points
------------------------------
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> Tabs = http://www.google.com [file not found]
 
 
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
 
Adobe Acrobat Update Service, AdobeARMservice, "C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe" [Adobe Systems Incorporated]
Microsoft Antimalware Service, MsMpSvc, "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [MS]
 
 
Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------
 
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\
 
<<!>> !SASCORE, 
<<!>> MsMpSvc, Service
 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\
 
<<!>> !SASCORE, 
<<!>> MsMpSvc, Service
 
 
Print Monitors:
---------------
 
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = msonpmon.dll [MS]
 
 
---------- (launch time: 2014-04-30 22:28:33)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
 
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 573 seconds.
---------- (total run time: 1026 seconds)
 

 


  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

I think I can see your problem but, I will need to confirm it

 

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.



  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select both shortcut  and additions at the bottom
  • Press Scan button.
    frst.JPG
  • It will produce a log called FRST.txt in the same directory the tool is run from. 
  • Please attach all 3 logs generated.

 


  • 1

#3
Joshua Mikhail C. Tumanda

Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Thank you so much for replying. Really gave me hope! I followed your instructions. Here are the logs 

Attached Files


Edited by Joshua Mikhail C. Tumanda, 30 April 2014 - 10:53 AM.

  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
This may take several runs to resolve, so please be patient :)
 
Download the attached Fixlist.txt to the same location as FRST

Run FRST and press Fix
On completion a log will be generated please post that
 
THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    NSIS_disclaimer_ENG.png

    NSIS_extraction.png
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 1

#5
Joshua Mikhail C. Tumanda

Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Yup! Did exactly what you said, sorry for taking too long. :)

Attached Files


  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

OK how is the computer behaving now ?

 

Just some final things to check

 

  • Run OTL.

    OTL_Main_Tutorial.gif

  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    c:\program files (x86)\Google\Desktop
    c:\program files\Google\Desktop
    dir "%systemdrive%\*" /S /A:L /C
    /md5start
    rpcss.dll
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open one notepad window.
  • Attach  that  log


  • 0

#7
Joshua Mikhail C. Tumanda

Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Yup! The process isn't showing up in the Task Manager anymore! will post the log after the scan complete :) 


Edited by Joshua Mikhail C. Tumanda, 30 April 2014 - 12:17 PM.

  • 0

#8
Joshua Mikhail C. Tumanda

Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Actually rather than one, there 2 log texts that popped out. I just attached both of them just to be sure.

Attached Files


  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks good, combofix took out the IFEO's for me. I will tidy up Java in firefox

Anything unusual happening or is it now back to normal ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

#10
Joshua Mikhail C. Tumanda

Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Sorry took so lone to post the log. It took more than 3 hours for the OTL to finish. 

Attached Files

  • Attached File  OTL.Txt   74.83KB   81 downloads

  • 0

Advertisements


#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

All looks good, are you experiencing any further problems before I tidy up ?


  • 0

#12
Joshua Mikhail C. Tumanda

Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Nope, none so far! Thanks for the help! I really though the only option was to reboot the pc >_<. God Bless and More power!


  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
In that case methinks I will send you on your merry way :)

Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:
  • 0

#14
Joshua Mikhail C. Tumanda

Joshua Mikhail C. Tumanda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

After finishing cleaning up with Delfix, I restarted my PC and I got this pop-up message. Will I be expexting that everytime I login?

Attached Thumbnails

  • 1.jpg

  • 0

#15
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
You should not get that .. Reboot again and see if it re-appears
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP