Continuous virus warnings, error messages....


Re: Continuous virus warnings, error messages....

Post by GeniusMagic » May 22nd, 2009, 1:44 pm

Is this rootkit something very serious? Will we be able to recover from it completely? I am scared because there are very strange things happening on my laptop these days.

I was not able to start combofix.txt until I renamed it. It worked after renaming and it detected "Presence of rootkit activity" and then restarted my machine. On rebooting it deleted a bunch of files all starting with UAC* and then continued with its scan. Please see below its log report. Please let me know what is the next step and thank you for your help.


ComboFix 09-05-21.08 - Narwal 05/22/2009 13:26.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.166 [GMT -4:00]
Running from: c:\users\Narwal\Pictures\Desktop\IBNT.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACwgeuoinwmqcitfg.sys
c:\windows\system32\UACfwdsisvoxxhnmga.dll
c:\windows\system32\UAChieqrljcpposafo.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkgudkysnhxbovym.dat
c:\windows\system32\UACphijboophyvpmyp.log
c:\windows\system32\UACqbvrvnxvuegjuog.log
c:\windows\system32\UACrhtvurpepilfvhv.dll
c:\windows\system32\UACtidvlqjvoqtryqh.dll
c:\windows\system32\UACtjinjvwspdehwsm.log
c:\windows\system32\UACtsbicajbbnwdbhd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 17:33 . 2009-05-22 17:36 -------- d-----w c:\users\Narwal\AppData\Local\temp
2009-05-22 00:29 . 2009-05-06 18:06 4784464 ----a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{5FD376B0-56D7-488F-99BC-B731F7603876}\mpengine.dll
2009-05-21 12:01 . 2009-05-21 12:44 -------- d-----w C:\rsit
2009-05-19 23:11 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 23:11 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 23:11 . 2009-05-19 23:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 23:11 . 2009-05-19 23:11 -------- d-----w c:\programdata\Malwarebytes
2009-05-19 04:33 . 2009-05-19 04:33 -------- d-----w c:\windows\McAfee.com
2009-05-18 23:17 . 2009-05-18 23:19 -------- d-----w c:\windows\BDOSCAN8
2009-05-16 19:42 . 2009-05-16 19:42 -------- d-----w c:\program files\Trend Micro
2009-05-15 23:37 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-15 23:37 . 2009-05-15 23:37 -------- d-----w c:\program files\Panda Security
2009-05-09 15:44 . 2009-05-09 15:44 -------- d-----w c:\windows\Sun
2009-05-05 12:15 . 2009-05-05 12:21 3584 ----a-w C:\Hello.exe
2009-05-05 03:06 . 2009-05-05 03:06 -------- d-----w c:\program files\Microsoft SDKs
2009-05-05 02:58 . 2009-05-05 02:58 -------- d-----w c:\program files\Debugging Tools for Windows
2009-05-05 02:46 . 2009-05-05 02:46 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-05-04 01:31 . 2009-05-06 00:20 -------- d-----w C:\Test
2009-05-02 19:06 . 2009-03-08 11:33 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-05-02 17:24 . 2009-05-02 17:24 -------- d-----w C:\perflogs
2009-05-02 17:01 . 2009-05-02 17:01 -------- d-----w C:\Downloads
2009-05-02 14:15 . 2009-05-02 14:15 -------- d-----w c:\users\Narwal\AppData\Roaming\MusicNet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 13:49 . 2007-09-23 21:15 -------- d-----w c:\users\Narwal\AppData\Roaming\SiteAdvisor
2009-05-21 22:40 . 2008-11-15 22:03 1 ----a-w c:\users\Narwal\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-21 12:42 . 2008-08-01 22:36 -------- d-----w c:\program files\LimeWire
2009-05-19 12:31 . 2007-09-30 06:48 680 ----a-w c:\users\Narwal\AppData\Local\d3d9caps.dat
2009-05-17 00:24 . 2008-08-01 22:38 -------- d-----w c:\users\Narwal\AppData\Roaming\LimeWire
2009-05-14 07:02 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-05 03:28 . 2007-06-07 22:23 -------- d-----w c:\programdata\Microsoft Help
2009-05-02 18:57 . 2007-05-22 22:39 -------- d-----w c:\program files\Google
2009-05-02 18:36 . 2007-05-22 22:36 -------- d-----w c:\program files\TOSHIBA Games
2009-05-02 18:33 . 2007-05-22 22:14 -------- d-----w c:\program files\InterVideo
2009-05-02 18:33 . 2007-05-22 22:11 -------- d-----w c:\programdata\Ulead Systems
2009-05-02 18:33 . 2007-05-22 22:11 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-05-02 18:30 . 2007-05-22 21:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-02 18:22 . 2007-05-22 22:33 -------- d-----w c:\programdata\Napster
2009-05-02 18:15 . 2009-02-05 02:10 -------- d-----w c:\program files\TotalImageConverter
2009-05-02 18:15 . 2007-08-30 03:38 -------- d-----w c:\users\Narwal\AppData\Roaming\yahoo!
2009-05-02 18:15 . 2007-08-29 20:13 -------- d-----w c:\programdata\Yahoo!
2009-03-20 01:03 . 2009-03-20 01:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-17 03:16 . 2009-04-14 20:39 14848 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-14 20:39 25600 ----a-w c:\windows\system32\amxread.dll
2009-03-08 11:34 . 2009-05-02 19:06 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-02 19:07 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-02 19:07 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-02 19:06 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-02 19:06 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-02 19:06 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-02 19:06 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-02 19:07 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-02 19:07 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-02 19:07 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-02 19:07 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-02 19:06 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-02 19:07 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-02 19:07 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-02 19:06 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-02 19:07 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:24 . 2009-04-14 20:39 3503584 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:24 . 2009-04-14 20:39 3469280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:19 . 2009-04-14 20:39 158720 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:19 . 2009-04-14 20:40 549888 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:19 . 2009-04-14 20:39 24576 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-14 20:39 97280 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:16 . 2009-04-14 20:39 53248 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:16 . 2009-04-14 20:39 37888 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 02:40 . 2009-04-14 20:39 654336 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-07 14:20 . 2007-08-30 03:42 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-07 14:20 . 2007-08-30 03:42 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-07 14:20 . 2007-08-30 03:42 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-07 14:20 . 2007-08-30 03:42 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-07 14:20 . 2007-08-30 03:42 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-27 4670704]
"Google Update"="c:\users\Narwal\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-10-19 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-29 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-29 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-29 81920]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-20 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-09 3784704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EC6D873D-C5A2-408C-B890-BA0759BD77A5}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{F77D8236-E1E7-44A4-8538-8A51B97A209A}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{A128CD60-A295-4083-AE9E-A518E58012BD}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{01069126-3EC4-4B6A-83FA-65AF7223E68A}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{0FB45AC3-AA99-477A-A388-D1E2BB47BCC7}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{70F80FBA-B2E6-44FD-B1F2-A0CE3FA5D84C}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C21DFE4B-B7C4-4383-83A7-18BF1AACE400}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{149DFD65-B62B-4D53-8614-6F17971CEAED}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{46AEFF78-1986-40CB-A22E-9E49D98FE82C}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{7904F69F-94AC-4BDE-91D3-D66CBFE2D84D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3B62BEB7-2683-48AA-8DC2-4B184A1C6480}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8EA75245-EC49-4C99-94D6-38A5EB59D300}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{444D6893-1902-4708-85CC-E2E9A5BA76F3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{0C762571-4458-4CBA-BF48-2BD78747981D}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{127D8293-7E47-45D6-BEA8-CEA7AE9794F7}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{75E52C50-FEDB-44DA-90DF-FBF895DF4D0F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{92ECA8B8-C8DA-4F1A-B641-6DD560235E25}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{C87C6BB0-BCED-4F1B-B5CA-A40D28B393E1}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{F06CD406-BF0B-449A-B2B5-11ECEA41CD61}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{91EB9F6E-1FE4-4FC8-8D04-399C7710C061}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [5/15/2009 7:37 PM 28544]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\System32\drivers\V0250Dev.sys [11/10/2007 12:58 PM 169696]
S3 V0250Vfx;V0250Vfx;c:\windows\System32\drivers\V0250Vfx.sys [11/10/2007 12:58 PM 6272]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2307070536-2186033536-3377706424-1000.job
- c:\users\Narwal\AppData\Local\Google\Update\GoogleUpdate.exe [2008-10-19 03:00]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-01 17:32]

2008-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-01 17:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: tdameritrade.com
DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} - hxxp://aolsvc.aol.com/onlinegames/ghadv ... /abxgh.cab
FF - ProfilePath - c:\users\Narwal\AppData\Roaming\Mozilla\Firefox\Profiles\613cgtrm.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 13:36
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????Z#6_??????U?8?U?p?U???U???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-05-22 13:38
ComboFix-quarantined-files.txt 2009-05-22 17:38

Pre-Run: 13,673,578,496 bytes free
Post-Run: 14,218,256,384 bytes free

276 --- E O F --- 2009-05-22 00:30
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Re: Continuous virus warnings, error messages....

Post by Shaba » May 22nd, 2009, 1:47 pm

Not very serious but very annoying.

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[screenshot]

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Continuous virus warnings, error messages....

Post by GeniusMagic » May 22nd, 2009, 6:46 pm

Here you go:

Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
Citrix Presentation Server Client
Creative Live! Cam Notebook Pro Driver (1.04.02.0000)
Debugging Tools for Windows
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 12
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Software Development Kit for Windows Vista Update (6000.16384.10)
Microsoft Works
Mozilla Firefox (2.0.0.20)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
oggcodecs 0.71.0946
OpenOffice.org 3.0
Panda ActiveScan 2.0
PDF-XChange 3
Picasa 3
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Super DX-Ball v1.1
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
TOSHIBA Game Console
TOSHIBA Hardware Setup
TOSHIBA Media Center Game Console
TOSHIBA Music
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
VideoLAN VLC media player 0.8.6c
Windows Live Messenger
WinDVD for TOSHIBA
WinRAR archiver
Yahoo! Messenger
Yahoo! Music Jukebox
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Re: Continuous virus warnings, error messages....

Post by Shaba » May 23rd, 2009, 3:15 am

Do you recognize this file?

C:\Hello.exe
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Continuous virus warnings, error messages....

Post by GeniusMagic » May 23rd, 2009, 7:44 am

Yes, please leave that one alone.
But I don't recognize oggcodecs 0.71.0946. Also I don't know why my IE home page has changed to http://partnerpage.google.com/toshibadirect.com. It used to be simply www.google.com.

Are there any other scans I need to run. I still think I might have some viruses.
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Re: Continuous virus warnings, error messages....

Post by Shaba » May 23rd, 2009, 8:52 am

"Also I don't know why my IE home page has changed to http://partnerpage.google.com/toshibadirect.com. It used to be simply www.google.com."

Well, does it stay as google.com if you change it back?

Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\program files\LimeWire
c:\users\Narwal\AppData\Roaming\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0C762571-4458-4CBA-BF48-2BD78747981D}"=-
"{127D8293-7E47-45D6-BEA8-CEA7AE9794F7}"=-
"{F06CD406-BF0B-449A-B2B5-11ECEA41CD61}"=-
"{91EB9F6E-1FE4-4FC8-8D04-399C7710C061}"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
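Shaba's script above deletes the two LimeWire folders and the four Windows Firewall allow rules for LimeWire.exe that appear under FirewallRules in the first log; the same log's banner and Reg Loading Points section also show why this machine was so exposed (McAfee on-access scanning and firewall reported disabled, EnableLUA=0, EnableFirewall=0 on all three profiles, Security Center monitoring of McAfee switched off). As an added example that is not part of this thread, of ComboFix, or of HijackThis, the Python below parses an excerpt of that log into those indicators and then generates a CFScript of the same shape as Shaba's by selecting the FirewallRules entries whose program path contains a given name. The excerpt in SAMPLE_LOG is copied from the log posted above; the function names, the dictionary keys and the rule that a UAC-prefixed basename is the indicator of interest are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt copied from the first ComboFix log posted in this thread.
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\drivers\UACwgeuoinwmqcitfg.sys
c:\windows\system32\UACfwdsisvoxxhnmga.dll
c:\windows\system32\uacinit.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_UACd.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EC6D873D-C5A2-408C-B890-BA0759BD77A5}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{0C762571-4458-4CBA-BF48-2BD78747981D}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{127D8293-7E47-45D6-BEA8-CEA7AE9794F7}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{F06CD406-BF0B-449A-B2B5-11ECEA41CD61}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{91EB9F6E-1FE4-4FC8-8D04-399C7710C061}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")            # ((( Section Name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')            # "name"= value
PRODUCT_RE = re.compile(r"^(AV|FW|SP): (.+?) \*(.+?)\*")    # FW: McAfee ... *disabled*

def split_sections(log_text):
    """Group log lines by ComboFix section; text before the first header goes under 'header'."""
    sections, current = defaultdict(list), "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections

def parse_registry(lines):
    """Turn the 'Reg Loading Points' dump into {key: {value_name: value}}."""
    reg, key = defaultdict(dict), None
    for line in lines:
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            key = km.group(1)
        elif vm and key:
            reg[key][vm.group(1)] = vm.group(2).strip()
    return reg

def leaf(path):
    """Last component of a backslash-separated path or registry key."""
    return path.rsplit("\\", 1)[-1]

def triage(log_text):
    """Extract the posture indicators a helper reads off a ComboFix log (keys are this example's own)."""
    s = split_sections(log_text)
    reg = parse_registry(s.get("Reg Loading Points", []))
    return {
        # Security products that ComboFix's banner reports as switched off.
        "disabled_products": [f"{m.group(1)}: {m.group(2)}" for m in map(PRODUCT_RE.match, s["header"])
                              if m and "disabled" in m.group(3)],
        # Deleted files sharing the UAC prefix seen in this thread's log (assumed to be the indicator).
        "uac_files": [p for p in s.get("Other Deletions", []) if leaf(p).lower().startswith("uac")],
        "removed_services": [l.split("\\Service_", 1)[1] for l in s.get("Drivers/Services", []) if "\\Service_" in l],
        # EnableLUA=0 turns User Account Control prompts off system-wide.
        "uac_prompt_disabled": any(k.lower().endswith(r"policies\system") and v.get("EnableLUA", "").startswith("0")
                                   for k, v in reg.items()),
        "firewall_profiles_off": sorted(leaf(k) for k, v in reg.items() if v.get("EnableFirewall", "").startswith("0")),
        "security_center_monitoring_off": sorted(leaf(k) for k, v in reg.items()
                                                 if v.get("DisableMonitoring") == "dword:00000001"),
        "firewall_rules": {n: val for k, v in reg.items() if leaf(k) == "FirewallRules" for n, val in v.items()},
    }

def cfscript_for_program(findings, program, folders):
    """Emit the Folder::/Registry:: CFScript that drops a program's leftover directories and its
    Windows Firewall allow rules; "{GUID}"=- is .reg syntax for deleting a value."""
    rules_key = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules"
    guids = [n for n, val in findings["firewall_rules"].items() if program.lower() in val.lower()]
    lines = ["Folder::", *folders, "", "Registry::", f"[{rules_key}]", *[f'"{g}"=-' for g in guids]]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(found, cfscript_for_program(found, "LimeWire", [r"c:\program files\LimeWire"]), sep="\n")
```

The Registry:: block is .reg syntax, so "{GUID}"=- deletes that value; selecting rules by program path keeps unrelated entries such as the McAfee Network Agent rule, exactly as Shaba's hand-written script did. The log alone cannot say whether EnableLUA=0 and the disabled firewall profiles were the user's own choice or were set by the malware, so they are items to confirm with the user before re-enabling rather than findings to act on blindly.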

Re: Continuous virus warnings, error messages....

Post by GeniusMagic » May 23rd, 2009, 9:30 am

Hi - I followed your instructions and re-ran ComboFix. Before starting, it popped up a message like "A newer version is available. Do you want to update?" and I said NO to that.
Also I do not know if it matters but I must let you know that
1. I use Wireless router to connect to the internet
2. I also use Firefox and Google Chrome sometimes. Do I need additional clean up for that?

ComboFix log is below:

ComboFix 09-05-21.08 - Narwal 05/23/2009 9:17.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.552 [GMT -4:00]
Running from: c:\users\Narwal\Pictures\Desktop\COMBOFIX.exe
Command switches used :: c:\users\Narwal\Pictures\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
PEV Error: LocalSettingsFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid4072.log
c:\users\Narwal\AppData\Local\Temp\ppcrlui_2004_2
c:\users\Narwal\AppData\Roaming\LimeWire
c:\users\Narwal\AppData\Roaming\LimeWire\active.mojito
c:\users\Narwal\AppData\Roaming\LimeWire\certificate\limewire.keystore
c:\users\Narwal\AppData\Roaming\LimeWire\createtimes.cache
c:\users\Narwal\AppData\Roaming\LimeWire\downloads.dat
c:\users\Narwal\AppData\Roaming\LimeWire\fileurns.bak
c:\users\Narwal\AppData\Roaming\LimeWire\fileurns.cache
c:\users\Narwal\AppData\Roaming\LimeWire\filters.props
c:\users\Narwal\AppData\Roaming\LimeWire\installation.props
c:\users\Narwal\AppData\Roaming\LimeWire\library.dat
c:\users\Narwal\AppData\Roaming\LimeWire\limewire.props
c:\users\Narwal\AppData\Roaming\LimeWire\mojito.props
c:\users\Narwal\AppData\Roaming\LimeWire\passive.mojito
c:\users\Narwal\AppData\Roaming\LimeWire\promotion\promodb.backup
c:\users\Narwal\AppData\Roaming\LimeWire\promotion\promodb.data
c:\users\Narwal\AppData\Roaming\LimeWire\promotion\promodb.lck
c:\users\Narwal\AppData\Roaming\LimeWire\promotion\promodb.log
c:\users\Narwal\AppData\Roaming\LimeWire\promotion\promodb.properties
c:\users\Narwal\AppData\Roaming\LimeWire\promotion\promodb.script
c:\users\Narwal\AppData\Roaming\LimeWire\questions.props
c:\users\Narwal\AppData\Roaming\LimeWire\simpp.xml
c:\users\Narwal\AppData\Roaming\LimeWire\spam.dat
c:\users\Narwal\AppData\Roaming\LimeWire\tables.props
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme.lwtp
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\01_star.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\02_star.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\03_star.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\04_star.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\05_star.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\chat.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\forward_dn.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\forward_up.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\kill.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\kill_on.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\pause_dn.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\pause_up.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\play_dn.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\play_up.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\question.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\rewind_dn.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\rewind_up.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\stop_dn.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\stop_up.gif
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\theme.txt
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\version.txt
c:\users\Narwal\AppData\Roaming\LimeWire\themes\windows_theme\warning.gif
c:\users\Narwal\AppData\Roaming\LimeWire\version.xml
c:\users\Narwal\AppData\Roaming\LimeWire\versions.props
c:\users\Narwal\AppData\Roaming\LimeWire\xml\data\audio.sxml2
c:\users\Narwal\AppData\Roaming\LimeWire\xml\data\video.sxml2

.
((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-23 12:21 . 2009-05-23 12:21 -------- d-----w c:\users\Narwal\AppData\Roaming\Malwarebytes
2009-05-22 17:38 . 2009-05-23 13:21 -------- d-----w c:\users\Narwal\AppData\Local\temp
2009-05-22 17:20 . 2009-05-22 17:38 -------- d-s---w C:\IBNT
2009-05-22 00:29 . 2009-05-06 18:06 4784464 ----a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{5FD376B0-56D7-488F-99BC-B731F7603876}\mpengine.dll
2009-05-21 12:01 . 2009-05-21 12:44 -------- d-----w C:\rsit
2009-05-19 23:11 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 23:11 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 23:11 . 2009-05-19 23:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 23:11 . 2009-05-19 23:11 -------- d-----w c:\programdata\Malwarebytes
2009-05-19 04:33 . 2009-05-19 04:33 -------- d-----w c:\windows\McAfee.com
2009-05-18 23:17 . 2009-05-18 23:19 -------- d-----w c:\windows\BDOSCAN8
2009-05-16 19:42 . 2009-05-16 19:42 -------- d-----w c:\program files\Trend Micro
2009-05-15 23:37 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-15 23:37 . 2009-05-15 23:37 -------- d-----w c:\program files\Panda Security
2009-05-09 15:44 . 2009-05-09 15:44 -------- d-----w c:\windows\Sun
2009-05-05 12:15 . 2009-05-05 12:21 3584 ----a-w C:\Hello.exe
2009-05-05 03:06 . 2009-05-05 03:06 -------- d-----w c:\program files\Microsoft SDKs
2009-05-05 02:58 . 2009-05-05 02:58 -------- d-----w c:\program files\Debugging Tools for Windows
2009-05-05 02:46 . 2009-05-05 02:46 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-05-04 01:31 . 2009-05-06 00:20 -------- d-----w C:\Test
2009-05-02 19:06 . 2009-03-08 11:33 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-05-02 17:24 . 2009-05-02 17:24 -------- d-----w C:\perflogs
2009-05-02 17:01 . 2009-05-02 17:01 -------- d-----w C:\Downloads
2009-05-02 14:15 . 2009-05-02 14:15 -------- d-----w c:\users\Narwal\AppData\Roaming\MusicNet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 17:43 . 2008-11-15 22:03 1 ----a-w c:\users\Narwal\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-22 13:49 . 2007-09-23 21:15 -------- d-----w c:\users\Narwal\AppData\Roaming\SiteAdvisor
2009-05-19 12:31 . 2007-09-30 06:48 680 ----a-w c:\users\Narwal\AppData\Local\d3d9caps.dat
2009-05-14 07:02 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-05 03:28 . 2007-06-07 22:23 -------- d-----w c:\programdata\Microsoft Help
2009-05-02 18:57 . 2007-05-22 22:39 -------- d-----w c:\program files\Google
2009-05-02 18:36 . 2007-05-22 22:36 -------- d-----w c:\program files\TOSHIBA Games
2009-05-02 18:33 . 2007-05-22 22:14 -------- d-----w c:\program files\InterVideo
2009-05-02 18:33 . 2007-05-22 22:11 -------- d-----w c:\programdata\Ulead Systems
2009-05-02 18:33 . 2007-05-22 22:11 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-05-02 18:30 . 2007-05-22 21:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-02 18:22 . 2007-05-22 22:33 -------- d-----w c:\programdata\Napster
2009-05-02 18:15 . 2009-02-05 02:10 -------- d-----w c:\program files\TotalImageConverter
2009-05-02 18:15 . 2007-08-30 03:38 -------- d-----w c:\users\Narwal\AppData\Roaming\yahoo!
2009-05-02 18:15 . 2007-08-29 20:13 -------- d-----w c:\programdata\Yahoo!
2009-03-20 01:03 . 2009-03-20 01:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-17 03:16 . 2009-04-14 20:39 14848 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-14 20:39 25600 ----a-w c:\windows\system32\amxread.dll
2009-03-08 11:34 . 2009-05-02 19:06 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-02 19:07 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-02 19:07 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-02 19:06 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-02 19:06 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-02 19:06 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-02 19:06 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-02 19:07 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-02 19:07 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-02 19:07 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-02 19:07 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-02 19:06 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-02 19:07 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-02 19:07 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-02 19:06 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-02 19:07 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:24 . 2009-04-14 20:39 3503584 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:24 . 2009-04-14 20:39 3469280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:19 . 2009-04-14 20:39 158720 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:19 . 2009-04-14 20:40 549888 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:19 . 2009-04-14 20:39 24576 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-14 20:39 97280 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:16 . 2009-04-14 20:39 53248 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:16 . 2009-04-14 20:39 37888 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 02:40 . 2009-04-14 20:39 654336 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-07 14:20 . 2007-08-30 03:42 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-07 14:20 . 2007-08-30 03:42 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-07 14:20 . 2007-08-30 03:42 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-07 14:20 . 2007-08-30 03:42 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-07 14:20 . 2007-08-30 03:42 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-22_17.36.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-22 17:55 . 2009-04-11 06:28 51712 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wrpint.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 83968 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wmiutils.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 30208 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wbemprox.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 35328 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\mspatcha.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 22016 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\CbsMsg.dll
+ 2007-05-22 21:27 . 2009-05-23 11:40 59776 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-23 11:40 58566 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-06-07 22:14 . 2009-05-23 11:39 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-07 22:14 . 2009-05-22 17:17 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-07 22:14 . 2009-05-23 11:39 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-07 22:14 . 2009-05-22 17:17 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-07 22:14 . 2009-05-22 17:17 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-06-07 22:14 . 2009-05-23 11:39 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-08-29 15:58 . 2009-05-23 11:40 8442 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2307070536-2186033536-3377706424-1000_UserData.bin
- 2009-05-22 17:25 . 2009-05-22 17:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-23 11:38 . 2009-05-23 11:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-22 17:25 . 2009-05-22 17:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-23 11:38 . 2009-05-23 11:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-22 17:55 . 2009-04-11 06:28 182784 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\xmllite.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 218624 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wdscore.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 744448 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wbemcore.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 357888 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wbemcomn.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 116736 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\smipi.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 139264 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\SmiInstaller.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 705536 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\smiengine.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 126464 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\rescinst.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 265728 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\repdrvfs.dll
+ 2009-05-22 17:55 . 2009-04-11 06:27 119296 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe
+ 2009-05-22 17:55 . 2009-04-11 06:27 130560 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\PkgMgr.exe
+ 2009-05-22 17:55 . 2009-04-11 06:28 146432 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\OEMHelpIns.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 305152 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\msdelta.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 102400 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\mofinstall.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 189440 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\mofd.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 222720 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\locdrv.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 100352 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\helpcins.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 614912 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\fastprox.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 265728 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\esscli.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 247808 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\drvstore.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 100352 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\DrUpdate.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 258048 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\dpx.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 243712 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\CntrtextInstaller.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 271360 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\cmitrust.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 119808 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\cmiadapter.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 535040 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\CbsCore.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 199168 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\apss.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 222208 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\apircl.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 1835520 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\wcp.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 2032640 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\cmiv2.dll
+ 2009-05-22 17:55 . 2009-04-11 06:28 1744384 c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\apds.dll
+ 2006-11-02 10:22 . 2009-05-23 11:44 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2009-05-15 16:02 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-05-23 13:16 . 2009-05-23 13:16 6295552 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2008-02-16 08:04 . 2009-05-22 17:55 206791774 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-27 4670704]
"Google Update"="c:\users\Narwal\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-10-19 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-29 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-29 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-29 81920]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-20 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-09 3784704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EC6D873D-C5A2-408C-B890-BA0759BD77A5}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{F77D8236-E1E7-44A4-8538-8A51B97A209A}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{A128CD60-A295-4083-AE9E-A518E58012BD}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{01069126-3EC4-4B6A-83FA-65AF7223E68A}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{0FB45AC3-AA99-477A-A388-D1E2BB47BCC7}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{70F80FBA-B2E6-44FD-B1F2-A0CE3FA5D84C}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C21DFE4B-B7C4-4383-83A7-18BF1AACE400}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{149DFD65-B62B-4D53-8614-6F17971CEAED}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{46AEFF78-1986-40CB-A22E-9E49D98FE82C}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{7904F69F-94AC-4BDE-91D3-D66CBFE2D84D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3B62BEB7-2683-48AA-8DC2-4B184A1C6480}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{8EA75245-EC49-4C99-94D6-38A5EB59D300}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{444D6893-1902-4708-85CC-E2E9A5BA76F3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{75E52C50-FEDB-44DA-90DF-FBF895DF4D0F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{92ECA8B8-C8DA-4F1A-B641-6DD560235E25}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{C87C6BB0-BCED-4F1B-B5CA-A40D28B393E1}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [5/15/2009 7:37 PM 28544]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\System32\drivers\V0250Dev.sys [11/10/2007 12:58 PM 169696]
S3 V0250Vfx;V0250Vfx;c:\windows\System32\drivers\V0250Vfx.sys [11/10/2007 12:58 PM 6272]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2307070536-2186033536-3377706424-1000.job
- c:\users\Narwal\AppData\Local\Google\Update\GoogleUpdate.exe [2008-10-19 03:00]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-01 17:32]

2008-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-01 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: tdameritrade.com
DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} - hxxp://aolsvc.aol.com/onlinegames/ghadv ... /abxgh.cab
FF - ProfilePath - c:\users\Narwal\AppData\Roaming\Mozilla\Firefox\Profiles\613cgtrm.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 09:21
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????Z#6_??????U?8?U?p?U???U???

scanning hidden files ...


c:\users\Narwal\AppData\Local\Temp\catchme.dll

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-05-23 9:23
ComboFix-quarantined-files.txt 2009-05-23 13:23
ComboFix2.txt 2009-05-22 17:38

Pre-Run: 15,190,306,816 bytes free
Post-Run: 15,249,375,232 bytes free

371 --- E O F --- 2009-05-23 11:44
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Re: Continuous virus warnings, error messages....

Post by GeniusMagic » May 23rd, 2009, 9:31 am

Please see below the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:04 AM, on 5/23/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Users\Narwal\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Windows\system32\wbem\unsecapp.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Users\Narwal\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/29.55/uploader2.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} (Abx(gh) Control) - http://aolsvc.aol.com/onlinegames/ghadv ... /abxgh.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 7271 bytes
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm
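The O23 lines in a HijackThis log each describe one Windows service as "display name (service name) - publisher - binary path". Helpers scan them for entries worth a closer look: a publisher of "Unknown owner" (no company name in the binary's version resource) or a binary that lives outside the Windows or Program Files trees. The following parser is an added example, not part of the thread or of HijackThis; the sample lines are constructed from the log posted above, and it assumes that `PROGRA~1` is the 8.3 alias of "Program Files". A flag is a prompt to check, not a verdict: the two services it flags here, `pinger` and `Swupdtmr`, are TOSHIBA OEM utilities.

```python
"""Parse the O23 (Windows service) lines of a HijackThis log and flag the
entries a helper would look at first. Added example, not a HijackThis tool;
the sample lines below are constructed from the log posted in this thread."""
from __future__ import annotations

import re
from typing import Optional

# Constructed sample: a subset of the O23 section posted above, plus the log footer.
SAMPLE_LOG = r"""
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

--
End of file - 7271 bytes
"""

O23_PREFIX = "O23 - Service: "
# "<display name> (<service name>)"; the parenthesised short name is optional.
NAME_RE = re.compile(r"^(?P<display>.*?)(?:\s\((?P<short>[^()]+)\))?$")
# Assumption: PROGRA~1 is the 8.3 alias of "Program Files" (default English install).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_o23(line: str) -> Optional[dict]:
    """Split one O23 line into display name, short name, publisher and binary path."""
    if not line.startswith(O23_PREFIX):
        return None
    # Split from the right so a display name that itself contains " - " stays intact.
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, company, path = parts
    m = NAME_RE.match(name)
    return {"display": m["display"], "short": m["short"], "company": company, "path": path}


def parse_hijackthis_o23(log: str) -> list[dict]:
    """All O23 entries in a log; every other line (headers, footer, blanks) is skipped."""
    return [svc for svc in (parse_o23(l.strip()) for l in log.splitlines()) if svc]


def review_flags(svc: dict) -> list[str]:
    """Reasons to look at a service by hand. A flag means 'check this', not 'malicious':
    the two services flagged in the sample are TOSHIBA OEM utilities."""
    flags = []
    if svc["company"] == "Unknown owner":
        flags.append("no publisher in the binary's version info")
    if not svc["path"].lower().startswith(TRUSTED_ROOTS):
        flags.append("binary outside Windows or Program Files")
    return flags


def flagged_services(log: str) -> list[str]:
    """Display names of the services that carry at least one review flag."""
    return [svc["display"] for svc in parse_hijackthis_o23(log) if review_flags(svc)]


if __name__ == "__main__":
    for svc in parse_hijackthis_o23(SAMPLE_LOG):
        flags = review_flags(svc)
        marker = "REVIEW" if flags else "ok    "
        print(f"{marker} {svc['display']:<40} {svc['company']:<22} {svc['path']}")
        for f in flags:
            print(f"       - {f}")
```

The right-to-left split matters because publisher names such as "Apple, Inc." contain commas and binary paths contain spaces, so the only reliable separators are the two " - " delimiters closest to the end of the line.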

Re: Continuous virus warnigs, error messages....

Unread postby Shaba » May 23rd, 2009, 9:50 am

You can just clear cache of those browsers :)

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select "Run as administrator" to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Continuous virus warnigs, error messages....

Unread postby GeniusMagic » May 23rd, 2009, 9:56 am

When I go to the Kaspersky website, the tool is giving me a java security warning - "The application requires an earlier version of java. Do you want to continue ?"
What should I do ?
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Re: Continuous virus warnigs, error messages....

Unread postby Shaba » May 23rd, 2009, 10:20 am

You can accept it.

If it doesn't work, let me know.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Continuous virus warnigs, error messages....

Unread postby GeniusMagic » May 23rd, 2009, 2:25 pm

Please see the Kaspersky log below :

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 23, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 23, 2009 14:58:51
Records in database: 2226468
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 140800
Threat name: 6
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 02:55:40


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\drivers\UACwgeuoinwmqcitfg.sys.vir Infected: Trojan.Win32.Agent.chly 1
C:\Qoobox\Quarantine\C\Windows\System32\UACfwdsisvoxxhnmga.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\Windows\System32\UAChieqrljcpposafo.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\Windows\System32\UACrhtvurpepilfvhv.dll.vir Infected: Trojan.Win32.TDSS.acbv 1
C:\Qoobox\Quarantine\C\Windows\System32\UACtidvlqjvoqtryqh.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\Windows\System32\UACtsbicajbbnwdbhd.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Users\Narwal\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\1806e5cd-5743c26d Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Users\Narwal\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\342f02e7-6cbe462f Infected: Exploit.Java.ByteVerify 1
C:\Users\Narwal\Documents\DownloadsLS\Saved\zindagi de rang [extended concert version].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1

The selected area was scanned.
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Re: Continuous virus warnigs, error messages....

Unread postby Shaba » May 23rd, 2009, 2:28 pm

Empty these folders:

C:\Qoobox\Quarantine
C:\Users\Narwal\AppData\LocalLow\Sun\Java\Deployment\cache

Delete this:

C:\Users\Narwal\Documents\DownloadsLS\Saved\zindagi de rang [extended concert version].mp3

Empty Recycle Bin.

Still problems?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
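The Kaspersky report above lists nine detections, but Shaba's reply only asks for two folders to be emptied and one file to be deleted. The reason is where the detections sit: six are `.vir` copies that ComboFix had already moved into its `C:\Qoobox\Quarantine` folder, two are entries in the Java deployment cache, and only the mp3 is a live file. The script below is an added example (not part of the thread, not a Kaspersky or ComboFix tool) that applies that same triage to the report text: it parses the "File name / Threat name / Threats count" section, sorts each hit by its path, and produces the same cleanup list Shaba gave. The sample report text is constructed from the log posted above; the `Suspicious:` verdict in the regex is an assumption, since the posted log only shows `Infected:`.

```python
"""Triage a Kaspersky Online Scanner 7.0 report the way the thread does:
detections already in ComboFix's quarantine only need that folder emptied,
detections in the Java deployment cache only need the cache emptied, and
anything else is a live file to delete. Added example; the sample report
text is constructed from the log posted in this thread."""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: the detection section of the report posted above.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\drivers\UACwgeuoinwmqcitfg.sys.vir Infected: Trojan.Win32.Agent.chly 1
C:\Qoobox\Quarantine\C\Windows\System32\UACfwdsisvoxxhnmga.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\Windows\System32\UAChieqrljcpposafo.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\Windows\System32\UACrhtvurpepilfvhv.dll.vir Infected: Trojan.Win32.TDSS.acbv 1
C:\Qoobox\Quarantine\C\Windows\System32\UACtidvlqjvoqtryqh.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Qoobox\Quarantine\C\Windows\System32\UACtsbicajbbnwdbhd.dll.vir Infected: Packed.Win32.Tdss.f 1
C:\Users\Narwal\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\1806e5cd-5743c26d Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Users\Narwal\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\342f02e7-6cbe462f Infected: Exploit.Java.ByteVerify 1
C:\Users\Narwal\Documents\DownloadsLS\Saved\zindagi de rang [extended concert version].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1

The selected area was scanned.
"""

# One detection line: <path> Infected: <threat name> <count>.
# "Suspicious:" is accepted as well (assumption; the posted log only shows "Infected:").
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"            # ComboFix's quarantine, as in the thread
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"  # compared against a lower-cased path


def parse_detections(report: str) -> list[dict]:
    """One dict per detection line; the header, blank and trailer lines are skipped."""
    found = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append({"path": m["path"], "verdict": m["verdict"],
                          "threat": m["threat"], "count": int(m["count"])})
    return found


def classify(path: str) -> str:
    """'quarantined', 'cache' or 'live', decided purely from where the file sits."""
    lower = path.lower()
    if lower.startswith(QUARANTINE_ROOT.lower() + "\\"):
        return "quarantined"
    if JAVA_CACHE_MARKER in lower:
        return "cache"
    return "live"


def cache_root(path: str) -> str:
    """Cut a Java cache entry back to the cache folder itself, keeping the original casing."""
    idx = path.lower().find(JAVA_CACHE_MARKER)
    return path[: idx + len(JAVA_CACHE_MARKER) - 1]


def cleanup_plan(detections: list[dict]) -> dict:
    """Folders to empty and individual files to delete, mirroring the advice in the thread."""
    plan = {"empty_folders": set(), "delete_files": []}
    for d in detections:
        bucket = classify(d["path"])
        if bucket == "quarantined":
            plan["empty_folders"].add(QUARANTINE_ROOT)
        elif bucket == "cache":
            plan["empty_folders"].add(cache_root(d["path"]))
        else:
            plan["delete_files"].append(d["path"])
    return plan


def threat_families(detections: list[dict]) -> Counter:
    """Collapse variant suffixes so Packed.Win32.Tdss.f counts under Packed.Win32.Tdss."""
    return Counter(".".join(d["threat"].split(".")[:3]) for d in detections)


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_REPORT)
    plan = cleanup_plan(dets)
    print("Empty these folders:")
    for folder in sorted(plan["empty_folders"]):
        print("  " + folder)
    print("Delete these files:")
    for f in plan["delete_files"]:
        print("  " + f)
    print("Threat families:", dict(threat_families(dets)))
```

The family summary is the quick sanity check on a report like this one: four `Packed.Win32.Tdss` hits plus a `Trojan.Win32.TDSS` driver, all of them `UAC*`-named files already in quarantine, is consistent with the rootkit ComboFix had just removed, while the two Java cache entries and the mp3 are separate, lower-risk leftovers.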

Re: Continuous virus warnigs, error messages....

Unread postby GeniusMagic » May 23rd, 2009, 3:46 pm

Problems have decreased. Haven't got any pop ups now but the computer is still running slow. Are there other temp files / clean up that I need to do ?

I emptied the folders you mentioned but it does not let me delete this file :
C:\Qoobox\Quarantine\C\Users\Narwal\AppData\Local\temp\ppcrlui_2004_2.vir

Also deleted this file :
C:\Users\Narwal\Documents\DownloadsLS\Saved\zindagi de rang [extended concert version].mp3
(This was an mp3 file I had downloaded, but it seemed to be infected by a Trojan?)

Thanks for your help.
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Re: Continuous virus warnigs, error messages....

Unread postby Shaba » May 23rd, 2009, 3:50 pm

"Haven't got any pop ups now but the computer is still running slow. Are there other temp files / clean up that I need to do ?"

Please then see this and post back if it helped.

"I emptied the folders you mentioned but it does not let me delete this file :
C:\Qoobox\Quarantine\C\Users\Narwal\AppData\Local\temp\ppcrlui_2004_2.vir"

That is fine, it will get deleted later.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland