
I recently got the svchost virus, which had my CPU at 100%. The virus, I think, has been removed or quarantined, and now every time I run Malwarebytes there are 2 registry errors called "broken open command" and it never removes them. Is there a way to fix this?


  • Staff

Hi and welcome to Malwarebytes.

Let's see if the infection has been cleared before repairing residual effects.

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 2:37:55.48 on Wed 06/23/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.831 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Webroot\Washer\WasherSvc.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\dds.com

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb127\SearchSettings.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe

uRunOnce: [index Washer] c:\program files\webroot\washer\WashIdx.exe "Owner"

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Awevem] rundll32.exe "c:\windows\aquwuhuropifatu.dll",Startup

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRunOnce: [sMRequiresRestart]

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1271556074359

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227713167968

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227713210984

DPF: {819F8533-D935-4183-B692-587F8D56AC3C} - hxxp://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - hxxp://download.sopcast.cn/download/SOPCORE.CAB

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\5swmy8tr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll

FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\5swmy8tr.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {F822BCF4-E8CB-41DA-83D0-75C441822A62} - c:\documents and settings\owner\local settings\application data\{F822BCF4-E8CB-41DA-83D0-75C441822A62}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-3-7 128016]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-14 218592]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-3-7 317072]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-7 486280]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-14 112592]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-1-10 704432]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-1-10 704432]

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]

R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-6-14 366840]

R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-6-14 1142224]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-1-8 598856]

R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]

S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-06-15 01:47:30 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

2010-06-15 01:45:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-15 01:45:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-15 01:45:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-15 01:45:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-14 21:28:33 763832 ----a-w- c:\windows\BDTSupport.dll

2010-06-14 21:28:32 882 ----a-w- c:\windows\RegSDImport.xml

2010-06-14 21:28:32 879 ----a-w- c:\windows\RegISSImport.xml

2010-06-14 21:28:31 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-06-14 21:28:31 1652664 ----a-w- c:\windows\PCTBDCore.dll

2010-06-14 21:28:31 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-06-14 21:28:31 131 ----a-w- c:\windows\IDB.zip

2010-06-14 21:28:31 1152444 ----a-w- c:\windows\UDB.zip

2010-06-14 21:25:08 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2010-06-14 21:25:08 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-06-14 21:24:43 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-06-14 21:24:43 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2010-06-14 21:24:43 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2010-06-14 21:24:43 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-06-14 21:24:28 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2010-06-14 21:24:28 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-06-14 21:24:02 0 d-----w- c:\program files\common files\PC Tools

2010-06-14 21:24:01 0 d-----w- c:\program files\Spyware Doctor

2010-06-14 21:24:01 0 d-----w- c:\docume~1\owner\applic~1\PC Tools

2010-06-14 21:24:01 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-06-14 05:41:16 120 ----a-w- c:\windows\Rzoracupodovuj.dat

2010-06-14 05:41:16 0 ----a-w- c:\windows\Oyobazukohomal.bin

2010-06-10 02:29:18 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 19:07:25 719872 ----a-w- c:\windows\system32\devil.dll

2010-06-02 19:07:25 369152 ----a-w- c:\windows\system32\avisynth.dll

2010-06-02 19:07:23 70656 ----a-w- c:\windows\system32\yv12vfw.dll

2010-06-02 19:07:23 70656 ----a-w- c:\windows\system32\i420vfw.dll

2010-06-02 19:07:23 27648 ----a-w- c:\windows\system32\AVSredirect.dll

2010-06-02 19:07:23 0 d-----w- c:\program files\AviSynth 2.5

2010-06-02 19:06:45 0 d-----w- c:\program files\eRightSoft

2010-06-02 06:25:44 0 d--h--w- c:\windows\PIF

2010-06-02 05:41:17 98560 ----a-w- c:\windows\system32\drivers\sscdbus.sys

2010-06-02 05:41:17 14848 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys

2010-06-02 05:41:17 12416 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys

2010-06-02 05:41:17 12416 ----a-w- c:\windows\system32\drivers\sscdcm.sys

2010-06-02 05:41:17 123648 ----a-w- c:\windows\system32\drivers\sscdmdm.sys

2010-06-02 05:41:17 12288 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys

2010-06-02 05:41:17 12288 ----a-w- c:\windows\system32\drivers\sscdwh.sys

2010-06-02 05:41:17 100352 ----a-w- c:\windows\system32\drivers\sscdserd.sys

2010-06-02 05:39:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Samsung

2010-06-02 01:51:29 0 d-----w- c:\docume~1\owner\applic~1\Samsung

2010-06-02 01:45:09 174592 ----a-w- c:\windows\system32\framedyn.dll

2010-06-02 01:45:00 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-06-02 01:44:33 0 d-----w- c:\windows\system32\Samsung_USB_Drivers

2010-06-02 01:44:11 766 ----a-w- c:\windows\system32\Uninstall.ico

2010-06-02 01:43:54 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2010-06-02 01:43:23 0 d-----w- c:\program files\Samsung

==================== Find3M ====================

2010-06-22 21:47:42 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-21 19:46:38 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-04-21 19:46:28 2316712 ----a-w- c:\windows\system32\Incinerator.dll

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-31 05:16:34 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-03-31 05:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 2:41:07.43 ===============

Attach.txt


  • Staff

Hi,

There is malware still present here.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


ComboFix 10-06-23.03 - Owner 06/24/2010 2:09.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1077 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Application Data\{F822BCF4-E8CB-41DA-83D0-75C441822A62}

c:\documents and settings\Owner\Local Settings\Application Data\{F822BCF4-E8CB-41DA-83D0-75C441822A62}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{F822BCF4-E8CB-41DA-83D0-75C441822A62}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{F822BCF4-E8CB-41DA-83D0-75C441822A62}\chrome\content\overlay.xul

c:\documents and settings\Owner\Local Settings\Application Data\{F822BCF4-E8CB-41DA-83D0-75C441822A62}\install.rdf

c:\program files\Search Settings

c:\program files\Search Settings\kb127\SearchSettings.dll

c:\program files\Search Settings\kb127\SearchSettingsRes409.dll

c:\program files\Search Settings\SearchSettings.exe

c:\windows\aquwuhuropifatu.dll

c:\windows\system32\AVSredirect.dll

c:\windows\system32\drivers\etc\lmhosts

.

((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))

.

2010-06-15 01:47 . 2010-06-15 01:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-06-15 01:45 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-15 01:45 . 2010-06-15 01:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-15 01:45 . 2010-06-15 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-15 01:45 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-14 21:41 . 2010-06-14 21:41 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert

2010-06-14 21:28 . 2010-06-08 02:16 763832 ----a-w- c:\windows\BDTSupport.dll

2010-06-14 21:28 . 2010-06-08 00:21 1652664 ----a-w- c:\windows\PCTBDCore.dll

2010-06-14 21:28 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-06-14 21:28 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-06-14 21:28 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip

2010-06-14 21:28 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip

2010-06-14 21:25 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-06-14 21:24 . 2010-06-14 22:11 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-06-14 21:24 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-06-14 21:24 . 2010-06-14 22:11 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-06-14 21:24 . 2010-06-14 21:29 -------- d-----w- c:\program files\Common Files\PC Tools

2010-06-14 21:24 . 2010-06-24 06:44 -------- d-----w- c:\program files\Spyware Doctor

2010-06-14 21:24 . 2010-06-14 21:24 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools

2010-06-14 21:24 . 2010-06-14 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-06-14 05:41 . 2010-06-24 05:49 120 ----a-w- c:\windows\Rzoracupodovuj.dat

2010-06-14 05:41 . 2010-06-24 05:49 0 ----a-w- c:\windows\Oyobazukohomal.bin

2010-06-10 02:29 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 19:33 . 2010-06-02 19:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Audacity

2010-06-02 19:07 . 2009-09-27 14:39 369152 ----a-w- c:\windows\system32\avisynth.dll

2010-06-02 19:07 . 2004-02-22 15:11 719872 ----a-w- c:\windows\system32\devil.dll

2010-06-02 19:07 . 2010-06-02 19:07 -------- d-----w- c:\program files\AviSynth 2.5

2010-06-02 19:07 . 2004-01-25 05:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll

2010-06-02 19:07 . 2004-01-25 05:00 70656 ----a-w- c:\windows\system32\i420vfw.dll

2010-06-02 19:06 . 2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll

2010-06-02 19:06 . 2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll

2010-06-02 19:06 . 2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2010-06-02 19:06 . 2010-06-02 19:06 -------- d-----w- c:\program files\eRightSoft

2010-06-02 06:25 . 2010-06-02 06:25 -------- d--h--w- c:\windows\PIF

2010-06-02 01:43 . 2010-06-02 01:49 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2010-06-02 01:43 . 2010-06-02 05:46 -------- d-----w- c:\program files\Samsung

2010-05-27 19:02 . 2010-05-27 20:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\uuqlglqch

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-24 07:05 . 2009-01-09 01:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-24 06:57 . 2010-03-08 03:25 144 ----a-w- c:\windows\system32\pdfl.dat

2010-06-23 16:12 . 2009-01-09 01:35 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-06-22 22:19 . 2009-01-11 02:19 1531 ----a-w- c:\documents and settings\Owner\Application Data\iolo\restore.bat

2010-06-22 21:29 . 2010-06-22 21:29 2592549 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-06-21 21:14 . 2010-04-08 20:57 -------- d-----w- c:\program files\World of Warcraft

2010-06-19 18:45 . 2009-01-10 21:06 -------- d-----w- c:\documents and settings\Owner\Application Data\iolo

2010-06-15 18:49 . 2010-06-15 18:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-14 05:39 . 2010-06-14 05:39 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\qcopjv.dat

2010-06-10 06:50 . 2009-01-08 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-05 18:56 . 2008-11-26 15:18 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-05 07:51 . 2009-03-29 03:49 -------- d-----w- c:\program files\Lexmark X1100 Series

2010-06-02 20:28 . 2009-02-05 02:59 -------- d-----w- c:\program files\OpenOffice.org 3

2010-06-02 19:01 . 2009-06-30 04:50 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU

2010-06-02 19:01 . 2009-06-30 04:47 -------- d-----w- c:\program files\AVS4YOU

2010-06-02 06:36 . 2008-11-26 16:19 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-02 05:47 . 2010-06-02 01:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Samsung

2010-06-02 05:39 . 2010-06-02 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung

2010-05-28 19:22 . 2009-01-08 03:18 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire

2010-05-21 03:44 . 2010-05-21 03:42 -------- d-----w- c:\program files\iTunes

2010-05-21 03:43 . 2010-05-21 03:43 -------- d-----w- c:\program files\iPod

2010-05-21 03:43 . 2009-01-09 23:53 -------- d-----w- c:\program files\Common Files\Apple

2010-05-21 03:37 . 2010-05-21 03:37 -------- d-----w- c:\program files\Bonjour

2010-05-21 03:34 . 2010-05-21 03:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-06 02:29 . 2009-02-05 03:04 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 21:11 . 2009-01-10 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo

2010-04-26 22:15 . 2010-04-26 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters Inc

2010-04-26 22:12 . 2010-04-26 22:12 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo

2010-04-26 21:31 . 2009-03-11 00:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-22 21:05 . 2010-04-22 21:05 98304 ----a-w- c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll

2010-04-21 19:46 . 2009-08-06 18:15 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-04-21 19:46 . 2009-01-09 03:02 2316712 ----a-w- c:\windows\system32\Incinerator.dll

2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-18 02:01 . 2010-04-18 02:01 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe

2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-31 05:16 . 2010-03-31 05:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-03-31 05:10 . 2010-03-31 05:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2006-05-03 09:06 . 2010-06-02 19:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2010-06-02 19:06 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2010-06-02 19:06 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-03-11 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-03-11 114688]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2008-05-16 1630208]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Owner\Application Data\iolo"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/14/2010 4:24 PM 218592]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [6/14/2010 4:28 PM 112592]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [1/10/2009 4:09 PM 704432]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [1/10/2009 4:09 PM 704432]

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 8:30 AM 25208]

R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 8:30 AM 476528]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/14/2010 4:24 PM 366840]

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [1/8/2009 9:57 PM 598856]

S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [10/14/2009 8:29 AM 35448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1271556074359

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\5swmy8tr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/

FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll

FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\5swmy8tr.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

HKLM-Run-Awevem - c:\windows\aquwuhuropifatu.dll

AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe

AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe

AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe

AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe

AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe

AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe

AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe

AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe

AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe

AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe

AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe

AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe

AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe

AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe

AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe

AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe

AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@DACL=(02 0011)

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

@DACL=(02 0011)

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@DACL=(02 0011)

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@DACL=(02 0011)

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@DACL=(02 0011)

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@DACL=(02 0011)

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@DACL=(02 0011)

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-06-24 02:22:00

ComboFix-quarantined-files.txt 2010-06-24 07:21

Pre-Run: 1,439,473,664 bytes free

Post-Run: 1,444,827,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6FBED6D31F522B47F17BC454B4270035

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 2:26:21.29 on Thu 06/24/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.896 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Webroot\Washer\WasherSvc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File

uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1271556074359

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227713167968

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227713210984

DPF: {819F8533-D935-4183-B692-587F8D56AC3C} - hxxp://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - hxxp://download.sopcast.cn/download/SOPCORE.CAB

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\5swmy8tr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-3-7 128016]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-14 218592]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-3-7 317072]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-7 486280]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-14 112592]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-1-10 704432]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-1-10 704432]

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]

R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-6-14 366840]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-1-8 598856]

R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]

S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-6-14 1142224]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-06-24 07:02:01 0 d-sha-r- C:\cmdcons

2010-06-24 06:59:22 98816 ----a-w- c:\windows\sed.exe

2010-06-24 06:59:22 77312 ----a-w- c:\windows\MBR.exe

2010-06-24 06:59:22 256512 ----a-w- c:\windows\PEV.exe

2010-06-24 06:59:22 161792 ----a-w- c:\windows\SWREG.exe

2010-06-15 01:47:30 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

2010-06-15 01:45:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-15 01:45:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-15 01:45:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-15 01:45:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-14 21:28:33 763832 ----a-w- c:\windows\BDTSupport.dll

2010-06-14 21:28:32 882 ----a-w- c:\windows\RegSDImport.xml

2010-06-14 21:28:32 879 ----a-w- c:\windows\RegISSImport.xml

2010-06-14 21:28:31 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-06-14 21:28:31 1652664 ----a-w- c:\windows\PCTBDCore.dll

2010-06-14 21:28:31 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-06-14 21:28:31 131 ----a-w- c:\windows\IDB.zip

2010-06-14 21:28:31 1152444 ----a-w- c:\windows\UDB.zip

2010-06-14 21:25:08 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2010-06-14 21:25:08 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-06-14 21:24:43 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-06-14 21:24:43 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2010-06-14 21:24:43 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2010-06-14 21:24:43 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-06-14 21:24:28 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2010-06-14 21:24:28 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-06-14 21:24:02 0 d-----w- c:\program files\common files\PC Tools

2010-06-14 21:24:01 0 d-----w- c:\program files\Spyware Doctor

2010-06-14 21:24:01 0 d-----w- c:\docume~1\owner\applic~1\PC Tools

2010-06-14 21:24:01 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-06-14 05:41:16 120 ----a-w- c:\windows\Rzoracupodovuj.dat

2010-06-14 05:41:16 0 ----a-w- c:\windows\Oyobazukohomal.bin

2010-06-10 02:29:18 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 19:07:25 719872 ----a-w- c:\windows\system32\devil.dll

2010-06-02 19:07:25 369152 ----a-w- c:\windows\system32\avisynth.dll

2010-06-02 19:07:23 70656 ----a-w- c:\windows\system32\yv12vfw.dll

2010-06-02 19:07:23 70656 ----a-w- c:\windows\system32\i420vfw.dll

2010-06-02 19:07:23 0 d-----w- c:\program files\AviSynth 2.5

2010-06-02 19:06:45 0 d-----w- c:\program files\eRightSoft

2010-06-02 06:25:44 0 d--h--w- c:\windows\PIF

2010-06-02 05:41:17 98560 ----a-w- c:\windows\system32\drivers\sscdbus.sys

2010-06-02 05:41:17 14848 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys

2010-06-02 05:41:17 12416 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys

2010-06-02 05:41:17 12416 ----a-w- c:\windows\system32\drivers\sscdcm.sys

2010-06-02 05:41:17 123648 ----a-w- c:\windows\system32\drivers\sscdmdm.sys

2010-06-02 05:41:17 12288 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys

2010-06-02 05:41:17 12288 ----a-w- c:\windows\system32\drivers\sscdwh.sys

2010-06-02 05:41:17 100352 ----a-w- c:\windows\system32\drivers\sscdserd.sys

2010-06-02 05:39:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Samsung

2010-06-02 01:51:29 0 d-----w- c:\docume~1\owner\applic~1\Samsung

2010-06-02 01:45:09 174592 ----a-w- c:\windows\system32\framedyn.dll

2010-06-02 01:45:00 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-06-02 01:44:33 0 d-----w- c:\windows\system32\Samsung_USB_Drivers

2010-06-02 01:44:11 766 ----a-w- c:\windows\system32\Uninstall.ico

2010-06-02 01:43:54 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2010-06-02 01:43:23 0 d-----w- c:\program files\Samsung

==================== Find3M ====================

2010-06-23 16:12:23 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-21 19:46:38 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-04-21 19:46:28 2316712 ----a-w- c:\windows\system32\Incinerator.dll

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-31 05:16:34 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-03-31 05:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 2:29:04.26 ===============

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=54984
Collect::
c:\windows\Rzoracupodovuj.dat
c:\windows\Oyobazukohomal.bin
Dirlook::
c:\windows\system32\config\systemprofile\Application Data\qcopjv.dat

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

After that, update MBAM, run a Quick Scan, and post its log.

ComboFix 10-06-25.02 - Owner 06/25/2010 23:09:03.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1096 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Oyobazukohomal.bin

c:\windows\Rzoracupodovuj.dat

.

((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))

.

2010-06-15 01:47 . 2010-06-15 01:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-06-15 01:45 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-15 01:45 . 2010-06-15 01:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-15 01:45 . 2010-06-15 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-15 01:45 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-14 21:41 . 2010-06-14 21:41 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert

2010-06-14 21:28 . 2010-06-08 02:16 763832 ----a-w- c:\windows\BDTSupport.dll

2010-06-14 21:28 . 2010-06-08 00:21 1652664 ----a-w- c:\windows\PCTBDCore.dll

2010-06-14 21:28 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-06-14 21:28 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-06-14 21:28 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip

2010-06-14 21:28 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip

2010-06-14 21:25 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-06-14 21:24 . 2010-06-14 22:11 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-06-14 21:24 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-06-14 21:24 . 2010-06-14 22:11 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-06-14 21:24 . 2010-06-14 21:29 -------- d-----w- c:\program files\Common Files\PC Tools

2010-06-14 21:24 . 2010-06-24 06:44 -------- d-----w- c:\program files\Spyware Doctor

2010-06-14 21:24 . 2010-06-14 21:24 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools

2010-06-14 21:24 . 2010-06-14 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-06-10 02:29 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 19:33 . 2010-06-02 19:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Audacity

2010-06-02 19:07 . 2009-09-27 14:39 369152 ----a-w- c:\windows\system32\avisynth.dll

2010-06-02 19:07 . 2004-02-22 15:11 719872 ----a-w- c:\windows\system32\devil.dll

2010-06-02 19:07 . 2010-06-02 19:07 -------- d-----w- c:\program files\AviSynth 2.5

2010-06-02 19:07 . 2004-01-25 05:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll

2010-06-02 19:07 . 2004-01-25 05:00 70656 ----a-w- c:\windows\system32\i420vfw.dll

2010-06-02 19:06 . 2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll

2010-06-02 19:06 . 2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll

2010-06-02 19:06 . 2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2010-06-02 19:06 . 2010-06-02 19:06 -------- d-----w- c:\program files\eRightSoft

2010-06-02 06:25 . 2010-06-02 06:25 -------- d--h--w- c:\windows\PIF

2010-06-02 01:43 . 2010-06-02 01:49 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2010-06-02 01:43 . 2010-06-02 05:46 -------- d-----w- c:\program files\Samsung

2010-05-27 19:02 . 2010-05-27 20:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\uuqlglqch

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-26 04:04 . 2009-01-09 01:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-26 03:54 . 2010-03-08 03:25 144 ----a-w- c:\windows\system32\pdfl.dat

2010-06-24 13:27 . 2009-01-09 01:35 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-06-22 22:19 . 2009-01-11 02:19 1531 ----a-w- c:\documents and settings\Owner\Application Data\iolo\restore.bat

2010-06-22 21:29 . 2010-06-22 21:29 2592549 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-06-21 21:14 . 2010-04-08 20:57 -------- d-----w- c:\program files\World of Warcraft

2010-06-19 18:45 . 2009-01-10 21:06 -------- d-----w- c:\documents and settings\Owner\Application Data\iolo

2010-06-15 18:49 . 2010-06-15 18:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-14 05:39 . 2010-06-14 05:39 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\qcopjv.dat

2010-06-10 06:50 . 2009-01-08 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-05 18:56 . 2008-11-26 15:18 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-05 07:51 . 2009-03-29 03:49 -------- d-----w- c:\program files\Lexmark X1100 Series

2010-06-02 20:28 . 2009-02-05 02:59 -------- d-----w- c:\program files\OpenOffice.org 3

2010-06-02 19:01 . 2009-06-30 04:50 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU

2010-06-02 19:01 . 2009-06-30 04:47 -------- d-----w- c:\program files\AVS4YOU

2010-06-02 06:36 . 2008-11-26 16:19 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-02 05:47 . 2010-06-02 01:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Samsung

2010-06-02 05:39 . 2010-06-02 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung

2010-05-28 19:22 . 2009-01-08 03:18 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire

2010-05-21 03:44 . 2010-05-21 03:42 -------- d-----w- c:\program files\iTunes

2010-05-21 03:43 . 2010-05-21 03:43 -------- d-----w- c:\program files\iPod

2010-05-21 03:43 . 2009-01-09 23:53 -------- d-----w- c:\program files\Common Files\Apple

2010-05-21 03:37 . 2010-05-21 03:37 -------- d-----w- c:\program files\Bonjour

2010-05-21 03:34 . 2010-05-21 03:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-06 02:29 . 2009-02-05 03:04 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 21:11 . 2009-01-10 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo

2010-04-26 21:31 . 2009-03-11 00:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-22 21:05 . 2010-04-22 21:05 98304 ----a-w- c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll

2010-04-21 19:46 . 2009-08-06 18:15 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-04-21 19:46 . 2009-01-09 03:02 2316712 ----a-w- c:\windows\system32\Incinerator.dll

2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-18 02:01 . 2010-04-18 02:01 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe

2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-31 05:16 . 2010-03-31 05:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-03-31 05:10 . 2010-03-31 05:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2006-05-03 09:06 . 2010-06-02 19:06 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2010-06-02 19:06 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2010-06-02 19:06 216064 --sh--r- c:\windows\system32\nbDX.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\windows\system32\config\systemprofile\Application Data\qcopjv.dat ----

((((((((((((((((((((((((((((( SnapShot@2010-06-24_07.18.51 )))))))))))))))))))))))))))))))))))))))))

.

- 2010-04-28 21:25 . 2010-06-24 07:09 17920 c:\windows\system32\ZoneLabs\zlqrtdb.dat

+ 2010-04-28 21:25 . 2010-06-26 04:09 17920 c:\windows\system32\ZoneLabs\zlqrtdb.dat

+ 2010-06-25 01:21 . 2010-06-25 01:21 35973 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0004.dat

+ 2010-06-25 01:21 . 2010-06-25 01:21 89930 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0003.dat

+ 2010-06-25 01:21 . 2010-06-25 01:21 84490 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0002.dat

+ 2010-06-25 01:21 . 2010-06-25 01:21 65275 c:\windows\system32\ZoneLabs\avsys\temp\update\rollback\bases\apu\apu0001.dat

+ 2010-05-27 17:58 . 2010-06-24 22:24 42078 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0011.dat

+ 2010-03-08 03:45 . 2010-06-24 07:24 90114 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0009.dat

+ 2010-03-08 03:45 . 2010-06-24 22:24 90055 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0005.dat

- 2010-03-08 03:45 . 2010-06-24 04:00 90055 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0005.dat

+ 2010-03-08 03:45 . 2010-06-24 22:24 57297 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0003.dat

+ 2010-03-08 03:44 . 2010-06-24 22:24 54724 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0002.dat

+ 2010-03-08 03:44 . 2010-06-24 22:24 54857 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\wmuf\wmuf0001.dat

+ 2010-03-23 21:37 . 2010-06-24 13:17 48432 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\blst\bl0018.dat

+ 2010-05-06 20:25 . 2010-06-25 01:21 36001 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0004.dat

+ 2010-03-08 03:44 . 2010-06-25 01:21 89926 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0003.dat

+ 2010-03-08 03:44 . 2010-06-25 01:21 84488 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0002.dat

+ 2010-03-08 03:44 . 2010-06-25 01:21 65281 c:\windows\system32\ZoneLabs\avsys\temp\temporaryFolder\bases\apu\apu0001.dat

+ 2010-05-27 17:58 . 2010-06-24 22:24 42078 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0011.dat

+ 2010-03-08 03:46 . 2010-06-24 07:24 90114 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0009.dat

+ 2010-03-08 03:25 . 2010-06-24 22:24 90055 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0005.dat

- 2010-03-08 03:25 . 2010-06-24 04:00 90055 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0005.dat

+ 2010-03-08 03:25 . 2010-06-24 22:24 57297 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0003.dat

+ 2010-03-08 03:25 . 2010-06-24 22:24 54724 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0002.dat

+ 2010-03-08 03:25 . 2010-06-24 22:24 54857 c:\windows\system32\ZoneLabs\avsys\bases\wmuf0001.dat

+ 2010-03-23 21:37 . 2010-06-24 13:17 48432 c:\windows\system32\ZoneLabs\avsys\bases\bl0018.dat

+ 2010-05-06 20:25 . 2010-06-25 01:21 36001 c:\windows\system32\ZoneLabs\avsys\bases\apu0004.dat

+ 2010-03-08 03:24 . 2010-06-25 01:21 89926 c:\windows\system32\ZoneLabs\avsys\bases\apu0003.dat

+ 2010-03-08 03:24 . 2010-06-25 01:21 84488 c:\windows\system32\ZoneLabs\avsys\bases\apu0002.dat

+ 2010-03-08 03:24 . 2010-06-25 01:21 65281 c:\windows\system32\ZoneLabs\avsys\bases\apu0001.dat

- 2010-06-24 07:06 . 2010-06-24 07:06 196608 c:\windows\Temp\sfdb.dat

+ 2010-06-26 03:55 . 2010-06-26 03:55 196608 c:\windows\Temp\sfdb.dat

+ 2010-06-26 03:55 . 2010-06-26 03:55 262144 c:\windows\Temp\iswift.dat

- 2010-06-24 07:06 . 2010-06-24 07:06 262144 c:\windows\Temp\iswift.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-03-11 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-03-11 114688]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2008-05-16 1630208]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Owner\Application Data\iolo

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/14/2010 4:24 PM 218592]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [6/14/2010 4:28 PM 112592]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [1/10/2009 4:09 PM 704432]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [1/10/2009 4:09 PM 704432]

R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 8:30 AM 25208]

R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 8:30 AM 476528]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/14/2010 4:24 PM 366840]

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [1/8/2009 9:57 PM 598856]

S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [10/14/2009 8:29 AM 35448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1271556074359

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\5swmy8tr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/

FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll

FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@DACL=(02 0011)

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

@DACL=(02 0011)

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@DACL=(02 0011)

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@DACL=(02 0011)

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@DACL=(02 0011)

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@DACL=(02 0011)

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@DACL=(02 0011)

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-06-25 23:21:24

ComboFix-quarantined-files.txt 2010-06-26 04:21

ComboFix2.txt 2010-06-24 07:22

Pre-Run: 1,384,632,320 bytes free

Post-Run: 1,379,033,088 bytes free

- - End Of File - - 2049D54B5393782A32F0A13F1A29C804

MBAM didn't find anything... I never got that message. I did drag the file onto the exe, so I don't know.


  • Staff

Hi,

Delete this folder:

c:\windows\system32\config\systemprofile\Application Data\qcopjv.dat

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It is possible that your firewall gives an alert; allow it, because that is a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Scanning Report

Saturday, June 26, 2010 23:47:12 - 01:08:37

Computer name: OWNER-3920829

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

No malware found

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 53089

System: 3367

Not scanned: 11

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\HSPERFDATA_OWNER\2676

C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\HSPERFDATA_OWNER\2932

C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\CHECKPOINT\ZONEALARM FORCEFIELD\SITES

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright


  • Staff

Great! ;)

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Restart your computer and let me know what issues remain.


I don't think there's a real noticeable difference. When I first got it, it ate up my CPU. Then I got rid of the big problem, but it still says that there's a registry error. System Mechanic says there are 2 DLL errors, but it never repairs them. I don't think I'm in any danger, but it would be nice to get rid of the remnants of the virus.


  • Staff

Hi,

First, please back up your Registry with ERUNT.

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe.

Please open Notepad. Copy and paste the following text (starting with REGEDIT4) into the Notepad document.

Navigate to File --> Save As..., and save the file as Fix.reg (make sure the Save As Type is set to All Files).

Save it to your Desktop.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.scr]

@="scrfile"

[HKEY_CLASSES_ROOT\.scr\OpenWithList]

[HKEY_CLASSES_ROOT\.scr\OpenWithList\devenv.exe]

@=""

[HKEY_CLASSES_ROOT\scrfile]

@="Screen Saver"

[HKEY_CLASSES_ROOT\scrfile\shell]

[HKEY_CLASSES_ROOT\scrfile\shell\config]

@="C&onfigure"

[HKEY_CLASSES_ROOT\scrfile\shell\config\command]

@="\"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\install]

@="&Install"

[HKEY_CLASSES_ROOT\scrfile\shell\install\command]

@="rundll32.exe desk.cpl,InstallScreenSaver %l"

[HKEY_CLASSES_ROOT\scrfile\shell\open]

@="T&est"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]

@="\"%1\" /S"

[HKEY_CLASSES_ROOT\scrfile\shellex]

[HKEY_CLASSES_ROOT\scrfile\shellex\DropHandler]

@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\.txt]

@="txtfile"

"PerceivedType"="text"

"Content Type"="text/plain"

[HKEY_CLASSES_ROOT\.txt\PersistentHandler]

@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.txt\ShellNew]

"NullFile"=""

[HKEY_CLASSES_ROOT\txtfile]

@="Text Document"

"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,6e,00,6f,00,74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,\
00,2c,00,2d,00,34,00,36,00,39,00,00,00

"EditFlags"=dword:00010000

"BrowserFlags"=dword:00000008

[HKEY_CLASSES_ROOT\txtfile\DefaultIcon]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,35,\
00,32,00,00,00

[HKEY_CLASSES_ROOT\txtfile\shell]

@="open"

[HKEY_CLASSES_ROOT\txtfile\shell\open]

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
00

[HKEY_CLASSES_ROOT\txtfile\shell\print]

[HKEY_CLASSES_ROOT\txtfile\shell\print\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,2f,00,70,00,20,\
00,25,00,31,00,00,00

[HKEY_CLASSES_ROOT\txtfile\shell\printto]

[HKEY_CLASSES_ROOT\txtfile\shell\printto\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,6f,00,\
74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,70,00,74,\
00,20,00,22,00,25,00,31,00,22,00,20,00,22,00,25,00,32,00,22,00,20,00,22,00,\
25,00,33,00,22,00,20,00,22,00,25,00,34,00,22,00,00,00

Now navigate to your Desktop, and double click fix.reg (Click Yes to the prompt).

Restart your computer, run a Quick Scan with MBAM, and see if the detections still occur.

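Several values in the Fix.reg above are written as hex(2) (REG_EXPAND_SZ stored as UTF-16LE bytes), so what they actually set is not readable on the page. The following is an added example, not the staff member's fix or any Malwarebytes tool: a small pure-Python .reg parser that decodes those values and compares the .scr and .txt open commands with the stock defaults from the fix, which is the same comparison behind a "broken open command" finding. The sample .reg text and the C:\PLACEHOLDER path in it are constructed for the demo.

```python
# Stock handlers, taken from the Fix.reg posted in the thread.
EXPECTED_OPEN_COMMANDS = {
    "scrfile": '"%1" /S',
    "txtfile": "%SystemRoot%\\system32\\NOTEPAD.EXE %1",
}

def decode_hex2(payload: str) -> str:
    """hex(2): comma-separated bytes of a NUL-terminated UTF-16LE string."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def decode_value(value: str):
    """Decode the right-hand side of a .reg value line."""
    if value.startswith("hex(2):"):
        return decode_hex2(value[7:])
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value

def parse_reg(text: str) -> dict:
    """Return {key: {name: value}}; joins '\\' continuation lines, skipping blank lines a forum paste inserts."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pending = pending[:-1] + line if pending else line
        if pending.endswith("\\"):
            continue  # value continues on a later line
        entry, pending = pending, ""
        if entry.startswith("[") and entry.endswith("]"):
            current = entry[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in entry:
            name, _, value = entry.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys

def audit_open_commands(keys: dict, root: str = "HKEY_CLASSES_ROOT") -> dict:
    """{progid: (actual handler, matches default)}; a missing or altered handler is a broken open command."""
    report = {}
    for progid, expected in EXPECTED_OPEN_COMMANDS.items():
        actual = keys.get(f"{root}\\{progid}\\shell\\open\\command", {}).get("@")
        report[progid] = (actual, actual == expected)
    return report

# Constructed sample in the thread's pasted layout: txtfile intact (hex(2) with a blank line inside the continuation), scrfile pointing at a placeholder path.
SAMPLE_REG = r"""[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"C:\\PLACEHOLDER\\unknown.exe\" \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
00
"""
```

Running `audit_open_commands(parse_reg(SAMPLE_REG))` reports txtfile as matching and scrfile as broken; feeding it the text of a `reg export HKCR\txtfile` or `HKCR\scrfile` from a Windows machine works the same way.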

Still not getting it. This is the text I have in:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.scr]

@="scrfile"

[HKEY_CLASSES_ROOT\.scr\OpenWithList]

[HKEY_CLASSES_ROOT\.scr\OpenWithList\devenv.exe]

@=""

[HKEY_CLASSES_ROOT\scrfile]

@="Screen Saver"

[HKEY_CLASSES_ROOT\scrfile\shell]

[HKEY_CLASSES_ROOT\scrfile\shell\config]

@="C&onfigure"

[HKEY_CLASSES_ROOT\scrfile\shell\config\command]

@="\"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\install]

@="&Install"

[HKEY_CLASSES_ROOT\scrfile\shell\install\command]

@="rundll32.exe desk.cpl,InstallScreenSaver %l"

[HKEY_CLASSES_ROOT\scrfile\shell\open]

@="T&est"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]

@="\"%1\" /S"

[HKEY_CLASSES_ROOT\scrfile\shellex]

[HKEY_CLASSES_ROOT\scrfile\shellex\DropHandler]

@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\.txt]

@="txtfile"

"PerceivedType"="text"

"Content Type"="text/plain"

[HKEY_CLASSES_ROOT\.txt\PersistentHandler]

@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.txt\ShellNew]

"NullFile"=""

[HKEY_CLASSES_ROOT\txtfile]

@="Text Document"

"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,6e,00,6f,00,74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,\
00,2c,00,2d,00,34,00,36,00,39,00,00,00

"EditFlags"=dword:00010000

"BrowserFlags"=dword:00000008

[HKEY_CLASSES_ROOT\txtfile\DefaultIcon]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,35,\
00,32,00,00,00

[HKEY_CLASSES_ROOT\txtfile\shell]

@="open"

[HKEY_CLASSES_ROOT\txtfile\shell\open]

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,\
00

[HKEY_CLASSES_ROOT\txtfile\shell\print]

[HKEY_CLASSES_ROOT\txtfile\shell\print\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,\
54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,2f,00,70,00,20,\
00,25,00,31,00,00,00

[HKEY_CLASSES_ROOT\txtfile\shell\printto]

[HKEY_CLASSES_ROOT\txtfile\shell\printto\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,6f,00,\
74,00,65,00,70,00,61,00,64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,70,00,74,\
00,20,00,22,00,25,00,31,00,22,00,20,00,22,00,25,00,32,00,22,00,20,00,22,00,\
25,00,33,00,22,00,20,00,22,00,25,00,34,00,22,00,00,00

Where does REGEDIT4 come in?


This topic is now closed to further replies.