Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: Trojan.sirefef removal?

  1. #1
    Junior Member
    Join Date
    Mar 2012
    Posts
    11

    Default Trojan.sirefef removal?

    Hi,

    I have a trojan.sirefef.bv virus on my computer. As the FAQ suggested I have now run the ERUNT program and afterwards did the DDS which made my computer freeze completely.

    The virus has been detected mostly in c:/windows/system32 and and it has now disabled my internet connection and sound system from working.

    I tried earlier system restoring without succeeding and downloaded another anti-virus program that did not clear the virus either.

    I would be grateful for any help in this matter. Please let me know what information you need in order for you to understand more of the problem.


  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Please download and run this. Check "attach.txt" and uncheck mbr setting let the other settings be as default and run. Post back the logs it creates.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Mar 2012
    Posts
    11

    Default

    Hi,

    Here are the logs. Hope this helps!!

    DDS (Ver_2011-09-30.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Sacha J at 19:43:33 on 2012-03-13
    #Option MBR scan is disabled.
    Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1033.18.2046.1486 [GMT 2:00]
    .
    AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: F-Secure Internet Security 2011 10.51 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
    FW: F-Secure Internet Security 2011 10.51 *Enabled*
    FW: *Disabled*
    .
    ============== Running Processes ================
    .
    C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\Fujitsu HandyDrive\Password\F3EJTHDD.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSHDLL32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.hs.fi/
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mDefault_Page_URL = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = iexplore
    uProxyServer = wtcproxy:8080
    uProxyOverride = wtc.msk.ru;<local>;*.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
    BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Browsing Protection Class: {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - c:\program files\f-secure internet security\nrs\iescript\baselitmus.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Browsing Protection Toolbar: {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - c:\program files\f-secure internet security\nrs\iescript\baselitmus.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
    mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [sclauncher] c:\program files\simplecenter\bin\win\sclauncher.exe
    mRun: [tsnp2std] c:\windows\tsnp2std.exe
    mRun: [snp2std] c:\windows\vsnp2std.exe
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [IETI] c:\program files\skype\phone\ieplugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
    StartupFolder: c:\docume~1\sachaj~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\movesl~1.lnk - c:\windows\installer\{0ed016b2-c009-4253-9ddd-bdb8da9ce181}\_E02D80CCF13FCD5A87F526.exe
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: Vie Microsoft E&xceliin - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 62.241.198.245 62.241.198.246
    TCP: Interfaces\{D341B0D7-9D2D-4FD8-AF2F-215D247C5F86} : DHCPNameServer = 192.168.100.1
    TCP: Interfaces\{E9468BC1-4EBC-4A21-9C40-EFD4779510AF} : DHCPNameServer = 62.241.198.245 62.241.198.246
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-3-17 42672]
    R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2006-8-4 82824]
    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure internet security\hips\drivers\fshs.sys [2009-3-17 72520]
    R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-2-24 185472]
    R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-3-6 497496]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-3-12 21992]
    R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure internet security\anti-virus\fsgk32st.exe [2006-8-4 221864]
    R2 F3EJTHDD;HandyDrive Password Lock Tool Service;c:\program files\fujitsu handydrive\password\F3EJTHDD.EXE [2008-3-8 45056]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [2006-8-4 148632]
    R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure internet security\orsp client\fsorsp.exe [2009-3-17 61088]
    S2 gupdate1c9b61d11a26d5d;Google Update Service (gupdate1c9b61d11a26d5d);c:\program files\google\update\GoogleUpdate.exe [2009-4-5 133104]
    S3 avera800;AVerMedia DVB-T BDA Video Capture(A800);c:\windows\system32\drivers\avera800.sys [2006-8-4 41600]
    S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2010-5-14 20704]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-5 133104]
    .
    =============== Created Last 30 ================
    .
    2012-03-12 10:14:26 -------- d-----w- C:\SWTOOLS
    2012-03-12 10:01:45 -------- d-----w- c:\documents and settings\all users\application data\SUPERSetup
    2012-03-12 08:42:57 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2012-03-12 08:42:56 -------- d-----w- c:\program files\CPUID
    2012-03-06 14:22:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-03-06 11:36:28 -------- d-sh--w- C:\found.002
    2012-03-06 10:14:51 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2012-03-06 09:40:10 -------- d-----w- c:\documents and settings\all users\application data\IObit
    2012-03-06 09:39:55 -------- d-----w- c:\documents and settings\sacha jurva\application data\IObit
    2012-03-06 09:39:37 -------- d-----w- c:\program files\IObit
    2012-03-05 10:46:30 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-02-15 11:33:14 3072 ------w- c:\windows\system32\iacenc.dll
    2012-02-15 11:33:14 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
    .
    ==================== Find3M ====================
    .
    2012-01-17 19:00:22 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2012-01-17 19:00:20 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
    2006-11-19 20:20:10 909312 ----a-w- c:\program files\GSpot.exe
    2004-08-04 04:00:00 94784 -csh--w- c:\windows\twain.dll
    2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll
    2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
    2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
    2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
    2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .
    ============= FINISH: 19:45:26.90 ===============

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Mar 2012
    Posts
    11

    Default

    Hi again,

    Installed combofix.exe, it installed the recovery console that i downloaded, whereafter it started scanning. Then two popups came where it said that the computer is infected with Rootkit.ZeroAccess and it is inserted into the tcp/ip stack. The second popup informed that the rootkit is detected and be patient this may take some moments.

    After that the computer freezes (i did it three times) and I waited almost two hours but nothing happened and i couldnīt do anything.

    Is there something else that I could try or did I do something wrong?

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Make sure you have ComboFix on your desktop and then do the following:
    click start->run->type cmd.exe and press enter.
    In command prompt window type the following (quotes included) command: "%userprofile%\desktop\ComboFix.exe" /nombr
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Junior Member
    Join Date
    Mar 2012
    Posts
    11

    Default

    It worked!! Im posting first the combofix log and then the dds log.


    ComboFix 12-03-13.01 - Sacha J 03/14/2012 16:41:50.1.2 - x86
    Running from: c:\documents and settings\Sacha Jurva\desktop\ComboFix.exe
    Command switches used :: /nombr
    AV: F-Secure Internet Security 2011 10.51 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
    AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    FW: F-Secure Internet Security 2011 10.51 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Sacha Jurva\Local Settings\Application Data\assembly\tmp
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\SET20D.tmp
    c:\windows\system32\Settings
    c:\windows\system32\Settings\Settings.ini
    c:\windows\system32\setup.ini
    c:\windows\system32\Thumbs.db
    c:\windows\WindowsXP-KB822603-x86.exe
    .
    c:\windows\system32\drivers\ipsec.sys was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\ipsec.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_FAD
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-14 14:55 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2012-03-14 14:55 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
    2012-03-12 17:13 . 2012-03-12 17:14 -------- d-----w- c:\program files\ERUNT
    2012-03-12 10:14 . 2012-03-12 10:14 -------- d-----w- C:\SWTOOLS
    2012-03-12 10:01 . 2012-03-12 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
    2012-03-12 08:42 . 2011-09-21 08:25 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2012-03-12 08:42 . 2012-03-12 08:42 -------- d-----w- c:\program files\CPUID
    2012-03-06 14:22 . 2012-03-06 14:22 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-03-06 11:39 . 2012-03-06 11:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
    2012-03-06 11:36 . 2012-03-06 11:36 -------- d-----w- C:\found.002
    2012-03-06 10:14 . 2011-12-30 15:03 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2012-03-06 09:40 . 2012-03-06 09:40 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
    2012-03-06 09:39 . 2012-03-06 09:40 -------- d-----w- c:\documents and settings\Sacha Jurva\Application Data\IObit
    2012-03-06 09:39 . 2012-03-06 09:39 -------- d-----w- c:\program files\IObit
    2012-02-15 11:33 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    2012-02-15 11:33 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-17 19:00 . 2012-01-17 19:00 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2012-01-17 19:00 . 2012-01-17 19:00 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2012-01-12 16:53 . 2004-08-10 11:51 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-17 19:46 . 2004-08-10 11:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46 . 2004-08-10 11:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46 . 2004-08-10 11:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22 . 2004-08-10 11:51 385024 ----a-w- c:\windows\system32\html.iec
    2006-11-19 20:20 . 2006-11-28 19:03 909312 ----a-w- c:\program files\GSpot.exe
    2004-08-04 04:00 94784 -csh--w- c:\windows\twain.dll
    2008-04-14 00:12 50688 -csh--w- c:\windows\twain_32.dll
    2011-02-08 13:33 978944 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
    2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll
    2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 00:12 84992 --sha-w- c:\windows\system32\olepro32.dll
    2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-30 39408]
    "Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-29 620376]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
    "nwiz"="nwiz.exe" [2008-02-22 1626112]
    "NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
    "F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2010-10-29 201384]
    "F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2010-10-29 1655464]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
    "sclauncher"="c:\program files\SimpleCenter\bin\win\sclauncher.exe" [2007-01-30 94208]
    "tsnp2std"="c:\windows\tsnp2std.exe" [2006-06-19 262144]
    "snp2std"="c:\windows\vsnp2std.exe" [2006-05-15 675840]
    "NvMediaCenter"="NvMCTray.dll" [2008-02-22 86016]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-04 202256]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Sacha Jurva\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-29 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Moveslink.lnk - c:\windows\Installer\{0ED016B2-C009-4253-9DDD-BDB8DA9CE181}\_E02D80CCF13FCD5A87F526.exe [2011-7-19 15086]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^F-Secure 2006.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\F-Secure 2006.lnk
    backup=c:\windows\pss\F-Secure 2006.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "21157:TCP"= 21157:TCP:BitComet 21157 TCP
    "21157:UDP"= 21157:UDP:BitComet 21157 UDP
    .
    R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [3/17/2009 8:14 PM 42672]
    R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [8/4/2006 10:09 AM 82824]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/22/2007 8:17 PM 646392]
    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [3/17/2009 8:05 PM 72520]
    R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2/24/2010 12:22 PM 185472]
    R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [3/6/2012 11:39 AM 497496]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [3/12/2012 10:42 AM 21992]
    R2 F3EJTHDD;HandyDrive Password Lock Tool Service;c:\program files\Fujitsu HandyDrive\Password\F3EJTHDD.EXE [3/8/2008 9:18 AM 45056]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [8/4/2006 10:09 AM 148632]
    S2 gupdate1c9b61d11a26d5d;Google Update Service (gupdate1c9b61d11a26d5d);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 8:33 PM 133104]
    S3 avera800;AVerMedia DVB-T BDA Video Capture(A800);c:\windows\system32\drivers\avera800.sys [8/4/2006 7:11 PM 41600]
    S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [5/14/2010 11:58 PM 20704]
    S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [3/17/2009 8:05 PM 61088]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 8:33 PM 133104]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ose
    isamsmt
    carboncopy32
    Ld51ocnucsnp
    oracleorahome811cmadmin
    websensewfreportserver
    com4qlb
    swmsflt
    se58mdm
    CoachAud
    backupexecnamingservice
    snac
    sqlagent$pinnaclesys
    s3psddr
    pcdrndisuio
    DivisCTP
    hidbatt
    k750bus
    efs
    alcaudsl
    vmm
    spupdsvc
    KMW_KBD
    RTL8169
    TMBUS
    wintab32
    ireike
    sysdown
    slapd-data52
    pnmsrv
    was
    mssqlserveradhelper
    uhcd
    vpctcom
    uiusys
    mwspollserver
    caboagp
    z525mdfl
    szkg
    UsbserFilt
    transactional
    msftpsvc
    zenos1
    msftesql
    backuplauncher
    ikhlayer
    atikmdag
    rnadiagreceiver
    DELTA
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 12:57]
    .
    2012-03-13 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 13:22]
    .
    2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 18:33]
    .
    2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 18:33]
    .
    2012-03-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3338972828-3241488432-1645712057-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 18:09]
    .
    2012-02-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3338972828-3241488432-1645712057-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 18:09]
    .
    2012-03-14 c:\windows\Tasks\Scheduled scanning task.job
    - c:\progra~1\F-SECU~1\ANTI-V~1\fsav.exe [2006-08-04 19:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hs.fi/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = wtcproxy:8080
    uInternet Settings,ProxyOverride = wtc.msk.ru;<local>;*.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Vie Microsoft E&xceliin - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 62.241.198.245 62.241.198.246
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKU-Default-RunOnce-IETI - c:\program files\Skype\Phone\IEPlugin\unins000.exe
    AddRemove-Elecard MPEG-2 Decoder&Streaming Plug-in for WMP 3.3.60526 - c:\program files\Elecard\Elecard MPEG-2 Decoder&Streaming Plug-in for WMP\Uninstall.exe
    AddRemove-SUUVCOMM&10C4&80F6 - c:\program files\Suunto\SuuntoUSB\DriverUninstaller.exe VCP CP210x Cardinal\SUUVCOMM&10C4&80F6
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-14 16:58
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3338972828-3241488432-1645712057-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_USERS\S-1-5-21-3338972828-3241488432-1645712057-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_USERS\S-1-5-21-3338972828-3241488432-1645712057-1006\Software\SecuROM\License information*]
    "datasecu"=hex:6d,c4,7e,b1,b0,34,ce,8a,f8,02,2f,17,07,d7,a2,89,46,16,6f,2f,7e,
    41,bb,35,34,d9,f1,56,33,ce,05,18,8f,ee,15,0f,b8,79,50,8f,0d,e9,a5,98,5c,63,\
    "rkeysecu"=hex:77,df,be,8a,dc,f5,e8,06,b5,be,d3,b7,93,95,3e,ec
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(888)
    c:\program files\f-secure internet security\hips\fshook32.dll
    c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll
    .
    - - - - - - - > 'lsass.exe'(944)
    c:\program files\f-secure internet security\hips\fshook32.dll
    c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll
    .
    - - - - - - - > 'explorer.exe'(3736)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    - - - - - - - > 'csrss.exe'(856)
    c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    c:\program files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\System32\snmp.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\rundll32.exe
    c:\windows\stsystra.exe
    c:\windows\system32\RunDLL32.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    c:\program files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\F-Secure Internet Security\Common\FSLAUNCHER1.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-03-14 17:05:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-14 15:05
    .
    Pre-Run: 26,877,853,696 bytes free
    Post-Run: 27,339,816,960 bytes free
    .
    - - End Of File - - 1A069FD0BC2DF4E43D698381B41AC386


    DDS LOG:


    DDS (Ver_2011-09-30.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Sacha J at 17:08:51 on 2012-03-14
    #Option MBR scan is disabled.
    Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1033.18.2046.1465 [GMT 2:00]
    .
    AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: F-Secure Internet Security 2011 10.51 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
    FW: F-Secure Internet Security 2011 10.51 *Disabled*
    FW: *Disabled*
    .
    ============== Running Processes ================
    .
    C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\Fujitsu HandyDrive\Password\F3EJTHDD.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\F-Secure Internet Security\Common\FSLAUNCHER1.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.hs.fi/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uProxyServer = wtcproxy:8080
    uProxyOverride = wtc.msk.ru;<local>;*.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
    BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Browsing Protection Class: {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - c:\program files\f-secure internet security\nrs\iescript\baselitmus.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Browsing Protection Toolbar: {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - c:\program files\f-secure internet security\nrs\iescript\baselitmus.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
    mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [sclauncher] c:\program files\simplecenter\bin\win\sclauncher.exe
    mRun: [tsnp2std] c:\windows\tsnp2std.exe
    mRun: [snp2std] c:\windows\vsnp2std.exe
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\sachaj~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\movesl~1.lnk - c:\windows\installer\{0ed016b2-c009-4253-9ddd-bdb8da9ce181}\_E02D80CCF13FCD5A87F526.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: Vie Microsoft E&xceliin - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 62.241.198.245 62.241.198.246
    TCP: Interfaces\{D341B0D7-9D2D-4FD8-AF2F-215D247C5F86} : DHCPNameServer = 192.168.100.1
    TCP: Interfaces\{E9468BC1-4EBC-4A21-9C40-EFD4779510AF} : DHCPNameServer = 62.241.198.245 62.241.198.246
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-3-17 42672]
    R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2006-8-4 82824]
    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure internet security\hips\drivers\fshs.sys [2009-3-17 72520]
    R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-2-24 185472]
    R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-3-6 497496]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-3-12 21992]
    R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure internet security\anti-virus\fsgk32st.exe [2006-8-4 221864]
    R2 F3EJTHDD;HandyDrive Password Lock Tool Service;c:\program files\fujitsu handydrive\password\F3EJTHDD.EXE [2008-3-8 45056]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [2006-8-4 148632]
    S2 gupdate1c9b61d11a26d5d;Google Update Service (gupdate1c9b61d11a26d5d);c:\program files\google\update\GoogleUpdate.exe [2009-4-5 133104]
    S3 avera800;AVerMedia DVB-T BDA Video Capture(A800);c:\windows\system32\drivers\avera800.sys [2006-8-4 41600]
    S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2010-5-14 20704]
    S3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure internet security\orsp client\fsorsp.exe [2009-3-17 61088]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-5 133104]
    .
    =============== Created Last 30 ================
    .
    2012-03-14 14:55:21 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
    2012-03-14 14:55:21 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
    2012-03-14 12:03:36 -------- d-sha-r- C:\cmdcons
    2012-03-14 08:56:21 98816 ----a-w- c:\windows\sed.exe
    2012-03-14 08:56:21 256000 ----a-w- c:\windows\PEV.exe
    2012-03-14 08:56:21 208896 ----a-w- c:\windows\MBR.exe
    2012-03-12 10:14:26 -------- d-----w- C:\SWTOOLS
    2012-03-12 10:01:45 -------- d-----w- c:\documents and settings\all users\application data\SUPERSetup
    2012-03-12 08:42:57 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
    2012-03-12 08:42:56 -------- d-----w- c:\program files\CPUID
    2012-03-06 14:22:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-03-06 11:36:28 -------- d-----w- C:\found.002
    2012-03-06 10:14:51 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2012-03-06 09:40:10 -------- d-----w- c:\documents and settings\all users\application data\IObit
    2012-03-06 09:39:55 -------- d-----w- c:\documents and settings\sacha jurva\application data\IObit
    2012-03-06 09:39:37 -------- d-----w- c:\program files\IObit
    2012-02-15 11:33:14 3072 ------w- c:\windows\system32\iacenc.dll
    2012-02-15 11:33:14 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
    .
    ==================== Find3M ====================
    .
    2012-01-17 19:00:22 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2012-01-17 19:00:20 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
    2006-11-19 20:20:10 909312 ----a-w- c:\program files\GSpot.exe
    2004-08-04 04:00:00 94784 -csh--w- c:\windows\twain.dll
    2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll
    2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
    2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .
    ============= FINISH: 17:08:58.96 ===============

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
    @ECHO OFF
    SWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\oracleorahome811cmadmin" /s >Logit.txt
    SWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\backupexecnamingservice" /s >>Logit.txt
    SWREG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\alcaudsl" /s >>Logit.txt
    START Logit.txt
    DEL %0


    Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #9
    Junior Member
    Join Date
    Mar 2012
    Posts
    11

    Default

    Here are the results:


    SteelWerX Registry Console Tool 2.0
    Written by Bobbi Flekman 2006 (C)

    Error: Key: system\currentcontrolset\services\oracleorahome811cmadmin does not exist!


    SteelWerX Registry Console Tool 2.0
    Written by Bobbi Flekman 2006 (C)

    Error: Key: system\currentcontrolset\services\backupexecnamingservice does not exist!


    SteelWerX Registry Console Tool 2.0
    Written by Bobbi Flekman 2006 (C)

    Error: Key: system\currentcontrolset\services\alcaudsl does not exist!

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
    @ECHO OFF
    REGEDIT /E "%USERPROFILE%\Desktop\regExp.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
    DEL %0


    Double-click on fixes.bat file to execute it. regExp.txt file should appear to your desktop. Attach it to your post.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •