August 16th, 2010, 10:35 PM
#46
Very good
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
Please, never rename Combofix unless instructed. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore your connection. Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt".
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
August 16th, 2010, 10:38 PM
#47
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4437
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18372
8/16/2010 4:55:04 PM
mbam-log-2010-08-16 (16-55-04).txt
Scan type: Quick scan
Objects scanned: 152612
Time elapsed: 6 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 30
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{19090308-636d-4e9b-a1ce-a647b6f794bf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{19090308-636d-4e9b-a1ce-a647b6f794bf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Documents and Settings\Pam\Application Data\PCenter\sp.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\scdata (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pam\Start Menu\Programs\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\scdata\wispex.html (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\wskinn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\pix.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\t1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\t2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\Thumbs.db (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\up1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\up2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w11.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w3.jpg (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\word.doc (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\Wireshark Antivirus\Wireshark Antivirus.lnk (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pam\Start Menu\Programs\Wireshark Antivirus\Wireshark Antivirus.lnk (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
Windows 7 Ultimate, Service Pack 1
AMD FX-4170 Quad-Core Processor 4.2 Ghz
8.0 GB RAM
64-bit Operating System
August 16th, 2010, 10:45 PM
#48
Do I need to disable before I download Combofix?
August 16th, 2010, 10:45 PM
#49
Did you read my previous reply?
August 16th, 2010, 10:46 PM
#50
Do I need to disable before I download Combofix?
No, just before running it.
August 17th, 2010, 06:14 PM
#51
Attempting to run ComboFix. Received the following message:
"This machine does not have the Microsoft Windows recovery console installed. Alternately, an existing installation of the recovery console may be present but requires updating.
Without it, ComboFix shall not attempt the fixing of some serious infections.
Click yes to have ComboFix download/install it.
Note: this requires an active internet connection."
I'm guessing it would be OK to proceed with a YES, but I will wait for your instructions.
Never mind....
Last edited by timmyb74; August 17th, 2010 at 06:17 PM .
Reason: I'm a moron.
August 17th, 2010, 06:17 PM
#52
Yes, as my instructions say.
August 17th, 2010, 06:41 PM
#53
ComboFix log:
ComboFix 10-08-17.02 - Pam 08/17/2010 20:18:12.1.2 - x86
Running from: c:\documents and settings\Pam\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Toolbar4
C:\NetworkControl
c:\program files\Search Toolbar
c:\program files\Search Toolbar\basis.xml
c:\program files\Search Toolbar\bg.bmp
c:\program files\Search Toolbar\bing_logo.png
c:\program files\Search Toolbar\celebrity.png
c:\program files\Search Toolbar\drop_images.png
c:\program files\Search Toolbar\drop_maps.png
c:\program files\Search Toolbar\drop_news.png
c:\program files\Search Toolbar\drop_videos.png
c:\program files\Search Toolbar\drop_web.png
c:\program files\Search Toolbar\facebook.png
c:\program files\Search Toolbar\favicon.png
c:\program files\Search Toolbar\games.png
c:\program files\Search Toolbar\hotmail.png
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\images.png
c:\program files\Search Toolbar\include.xml
c:\program files\Search Toolbar\info.txt
c:\program files\Search Toolbar\lifestyle.png
c:\program files\Search Toolbar\maps.png
c:\program files\Search Toolbar\messenger.png
c:\program files\Search Toolbar\msn.png
c:\program files\Search Toolbar\news.png
c:\program files\Search Toolbar\tbcore3.dll
c:\program files\Search Toolbar\twitter.png
c:\program files\Search Toolbar\uninstall.exe
c:\program files\Search Toolbar\update.exe
c:\program files\Search Toolbar\version.txt
c:\program files\Search Toolbar\video.png
c:\program files\Search Toolbar\videos.png
c:\program files\Search Toolbar\weather.png
c:\program files\Search Toolbar\web.png
c:\program files\SGPSA
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\system32\BSTIEPrintCtl1.dll
.
((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.
August 17th, 2010, 06:55 PM
#54
August 17th, 2010, 06:56 PM
#55
August 17th, 2010, 07:08 PM
#56
It's not a full Combofix log.
Open this file: C:\ComboFix.txt
If it's as short as the one you just posted, re-run Combofix.
August 17th, 2010, 07:21 PM
#57
Try this. I don't know what I did wrong (again!)
Attached Files
August 17th, 2010, 07:32 PM
#58
ComboFix 10-08-17.02 - Pam 08/17/2010 20:18:12.1.2 - x86
Running from: c:\documents and settings\Pam\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Toolbar4
C:\NetworkControl
c:\program files\Search Toolbar
c:\program files\Search Toolbar\basis.xml
c:\program files\Search Toolbar\bg.bmp
c:\program files\Search Toolbar\bing_logo.png
c:\program files\Search Toolbar\celebrity.png
c:\program files\Search Toolbar\drop_images.png
c:\program files\Search Toolbar\drop_maps.png
c:\program files\Search Toolbar\drop_news.png
c:\program files\Search Toolbar\drop_videos.png
c:\program files\Search Toolbar\drop_web.png
c:\program files\Search Toolbar\facebook.png
c:\program files\Search Toolbar\favicon.png
c:\program files\Search Toolbar\games.png
c:\program files\Search Toolbar\hotmail.png
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\images.png
c:\program files\Search Toolbar\include.xml
c:\program files\Search Toolbar\info.txt
c:\program files\Search Toolbar\lifestyle.png
c:\program files\Search Toolbar\maps.png
c:\program files\Search Toolbar\messenger.png
c:\program files\Search Toolbar\msn.png
c:\program files\Search Toolbar\news.png
c:\program files\Search Toolbar\tbcore3.dll
c:\program files\Search Toolbar\twitter.png
c:\program files\Search Toolbar\uninstall.exe
c:\program files\Search Toolbar\update.exe
c:\program files\Search Toolbar\version.txt
c:\program files\Search Toolbar\video.png
c:\program files\Search Toolbar\videos.png
c:\program files\Search Toolbar\weather.png
c:\program files\Search Toolbar\web.png
c:\program files\SGPSA
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\system32\BSTIEPrintCtl1.dll
.
((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.
2010-08-16 04:19 . 2010-08-16 04:19 -------- d-----w- C:\_OTL
2010-08-14 19:07 . 2010-08-14 19:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-08-14 19:05 . 2010-08-14 19:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2010-08-12 03:04 . 2010-08-12 09:05 -------- d-----w- c:\windows\BDOSCAN8
2010-08-06 14:10 . 2010-08-02 23:44 225416 ----a-w- c:\documents and settings\Pam\Application Data\Mozilla\Firefox\Profiles\yxmwz5bx.default\extensions\[email protected] \lib\WINNT\ff3\AbineComponent.dll
2010-08-04 20:18 . 2010-08-04 20:18 967 ----a-w- c:\windows\ScUnin.pif
2010-08-04 20:18 . 2010-08-04 20:18 94208 ----a-w- c:\windows\ScUnin.exe
2010-08-04 20:18 . 2010-08-04 20:18 13044 ----a-w- c:\windows\scunin.dat
2010-07-23 00:57 . 2010-07-23 00:57 -------- d-----w- c:\documents and settings\Pam\Application Data\KodakCredentialStore
2010-07-22 04:00 . 2010-07-22 04:00 -------- d-----w- c:\documents and settings\Pam\Application Data\Red Kawa
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 00:16 . 2008-10-13 00:11 -------- d-----w- c:\documents and settings\Pam\Application Data\DNA
2010-08-17 19:36 . 2008-10-13 00:11 -------- d-----w- c:\program files\DNA
2010-08-17 18:15 . 2009-12-30 20:36 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-08-17 04:51 . 2010-03-16 01:34 -------- d-----w- c:\documents and settings\Pam\Application Data\NBC Direct
2010-08-16 20:46 . 2010-07-08 13:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 04:27 . 2010-07-08 13:26 -------- d-----w- c:\documents and settings\Pam\Application Data\Abine
2010-08-13 01:10 . 2008-10-24 01:54 -------- d-----w- c:\program files\Cheat Engine
2010-08-12 22:26 . 2009-02-08 17:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-12 22:25 . 2010-07-01 00:35 63488 ----a-w- c:\documents and settings\Pam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-12 22:25 . 2010-03-04 21:03 117760 ----a-w- c:\documents and settings\Pam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-11 12:47 . 2008-10-13 00:11 -------- d-----w- c:\documents and settings\Pam\Application Data\BitTorrent
2010-08-09 02:44 . 2008-09-23 23:08 -------- d-----w- c:\program files\Starcraft
2010-08-08 16:26 . 2009-03-07 01:11 -------- d-----w- c:\documents and settings\Tim\Application Data\U3
2010-08-07 01:25 . 2008-09-29 03:29 -------- d-----w- c:\documents and settings\Pam\Application Data\U3
2010-08-02 16:36 . 2008-11-16 03:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-22 12:16 . 2010-07-01 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-22 02:06 . 2008-09-11 19:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-15 13:59 . 2008-09-05 00:14 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:59 . 2010-07-15 13:59 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 13:59 . 2008-09-05 00:14 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-13 00:12 . 2008-10-23 02:38 -------- d-----w- c:\program files\Roxio
2010-07-13 00:10 . 2009-09-23 01:01 -------- d-----w- c:\program files\NCH Software
2010-07-13 00:10 . 2008-10-05 19:05 -------- d-----w- c:\documents and settings\Pam\Application Data\Move Networks
2010-07-13 00:09 . 2008-09-03 14:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-13 00:07 . 2009-05-20 20:40 -------- d-----w- c:\program files\BitComet
2010-07-10 12:04 . 2010-05-07 21:59 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-10 12:04 . 2010-05-07 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-10 12:04 . 2010-07-10 12:04 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-10 12:04 . 2008-11-16 03:50 -------- d-----w- c:\program files\DivX
2010-07-10 12:04 . 2010-07-10 12:04 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-07-10 12:03 . 2010-07-10 12:03 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-07-10 11:15 . 2010-07-10 11:15 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-07-10 11:15 . 2010-05-07 21:58 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-07-10 11:15 . 2010-05-07 21:58 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-07-08 13:24 . 2010-07-08 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-08 02:21 . 2009-01-10 17:23 -------- d-----w- c:\documents and settings\Pam\Application Data\Azureus
2010-07-08 02:21 . 2008-10-13 01:29 -------- d-----w- c:\documents and settings\Pam\Application Data\Media Player Classic
2010-07-08 02:15 . 2008-10-12 18:27 -------- d-----w- c:\program files\Yahoo!
2010-07-08 02:15 . 2009-02-13 00:13 -------- d-----w- c:\program files\CCleaner
2010-07-07 19:26 . 2010-06-30 12:06 63488 ----a-w- c:\documents and settings\Tim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-07 19:26 . 2009-03-17 19:20 117760 ----a-w- c:\documents and settings\Tim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-06 11:20 . 2009-01-02 04:36 -------- d-----w- c:\program files\Red Kawa
2010-07-06 11:18 . 2009-08-18 23:29 -------- d-----w- c:\program files\Free FLV Converter
2010-07-01 23:56 . 2010-07-01 23:56 2605008 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-07-01 16:24 . 2010-07-01 16:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-01 16:23 . 2010-07-01 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-01 16:23 . 2010-07-01 16:23 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-30 17:38 . 2008-09-06 12:41 -------- d-----w- c:\program files\Google
2010-06-30 17:30 . 2008-09-06 02:30 -------- d-----w- c:\program files\Windows Live
2010-06-30 01:52 . 2010-06-30 01:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-06-28 14:22 . 2010-06-28 14:22 -------- d-----w- c:\program files\SanDisk
2010-06-28 09:17 . 2010-06-28 09:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-06-22 21:35 . 2010-06-22 21:35 -------- d-----w- c:\program files\iTunes
2010-06-22 21:35 . 2010-06-22 21:35 -------- d-----w- c:\program files\iPod
2010-06-22 21:35 . 2008-09-17 20:31 -------- d-----w- c:\program files\Common Files\Apple
2010-06-22 21:31 . 2010-06-22 21:31 -------- d-----w- c:\program files\Bonjour
2010-06-22 21:27 . 2010-06-22 21:27 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 11:58 . 2009-06-26 02:06 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-21 11:58 . 2010-06-21 11:58 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-21 11:58 . 2010-06-21 11:58 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-21 11:58 . 2010-06-21 11:58 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-21 11:57 . 2010-06-21 11:57 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-21 11:57 . 2010-06-21 11:57 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-20 10:36 . 2009-02-13 22:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-20 01:13 . 2009-08-09 21:42 -------- d-----w- c:\documents and settings\Tim\Application Data\Media Player Classic
2010-06-02 13:31 . 2008-09-05 00:14 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-31 21:03 . 2008-09-09 20:38 103511 ----a-w- c:\windows\hpoins04.dat
2009-03-12 09:38 . 2009-03-12 09:38 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2009-03-12 09:36 . 2009-03-12 09:34 21011904 ----a-w- c:\program files\FLV PlayerRCSetup.exe
.
------- Sigcheck -------
[-] 2009-02-12 22:09 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2009-02-12 22:09 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[-] 2003-03-31 . 414DE7CF9D3F19C3EA902F1BB38EC116 . 13312 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
August 17th, 2010, 07:33 PM
#59
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2009-11-11 1150016]
"Google Update"="c:\documents and settings\Pam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-01 133104]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-06-23 1699128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-12-14 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"EnGraph QuickTimeKiller"="c:\program files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe" [2005-03-20 45056]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-28 09:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:59 12536 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Red Kawa\\Video Converter App\\VideoConverterApp.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Diagnostic Assistant\\bin\\hprbevwr.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\SanDisk\\Sansa Media Converter 2\\Sansa Media Converter.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20247:TCP"= 20247:TCP:BitCometLite 20247 TCP
"20247:UDP"= 20247:UDP:BitCometLite 20247 UDP
"57790:TCP"= 57790:TCP:Pando Media Booster
"57790:UDP"= 57790:UDP:Pando Media Booster
"20347:TCP"= 20347:TCP:BitComet 20347 TCP
"20347:UDP"= 20347:UDP:BitComet 20347 UDP
"50000:TCP"= 50000:TCP:BitComet 50000 TCP
"50000:UDP"= 50000:UDP:BitComet 50000 UDP
"57594:TCP"= 57594:TCP:Pando Media Booster
"57594:UDP"= 57594:UDP:Pando Media Booster
"58248:TCP"= 58248:TCP:Pando Media Booster
"58248:UDP"= 58248:UDP:Pando Media Booster
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-06 15:59]
2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-06 15:59]
2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-926492609-725345543-1003Core.job
- c:\documents and settings\Pam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-01 19:27]
2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-926492609-725345543-1003UA.job
- c:\documents and settings\Pam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-01 19:27]
2010-06-01 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-05-19 02:31]
2010-08-09 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-05-15 04:08]
2010-08-09 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-05-15 04:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.11\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.11\MediaManager\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Pam\Application Data\Mozilla\Firefox\Profiles\yxmwz5bx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - component: c:\documents and settings\Pam\Application Data\Mozilla\Firefox\Profiles\yxmwz5bx.default\extensions\{896642E4-C556-4ED3-85D1-9AC431603E7D}\components\Engine.dll
FF - component: c:\documents and settings\Pam\Application Data\Mozilla\Firefox\Profiles\yxmwz5bx.default\extensions\[email protected] \lib\WINNT\ff3\AbineComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Pam\Application Data\IDM\bin\flash\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\Pam\Application Data\Mozilla\Firefox\Profiles\yxmwz5bx.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\documents and settings\Pam\Application Data\Mozilla\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\Pam\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\NBC Direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-Wdf01000.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 20:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1644491937-926492609-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{24C89A95-60BF-84DC-D242-DFFFC6B72E2E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaafnhhakgnkonakhbah"=hex:62,61,65,6f,00,00
"jaafnhhakgnkonakhbeh"=hex:62,61,6e,6c,00,00
"iaakjgbojpcennekgk"=hex:6b,61,66,6f,64,61,65,6c,63,69,69,6e,66,6f,6f,66,61,6a,
6f,62,63,69,00,00
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs]
@DACL=(02 0000)
@="{571715D7-3395-4DF0-B43C-784836209E60}"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(504)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-17 20:23:59
ComboFix-quarantined-files.txt 2010-08-18 00:23
Pre-Run: 40,385,626,112 bytes free
Post-Run: 40,339,906,560 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - A96B7F00BB381430657A5765E281DB53
August 17th, 2010, 07:38 PM
#60
1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
RegNull::
[HKEY_USERS\S-1-5-21-1644491937-926492609-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{24C89A95-60BF-84DC-D242-DFFFC6B72E2E}*]
Registry::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs]
3. Save the above as CFScript.txt
4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
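The CFScript above targets the key that ComboFix listed under LOCKED REGISTRY KEYS. As an added example (not part of this thread and not ComboFix's own code), the following Python parser pulls the key paths and values out of that section of a ComboFix.txt, re-joins the hex values ComboFix wraps onto a second line, and decodes the hex: payloads so the opaque value names can be looked at before anything is written into a script; the sample input is a constructed excerpt of the log posted above.

```python
import re

# Constructed sample: excerpt of the "LOCKED REGISTRY KEYS" section of the ComboFix
# log above, including the hex value that wraps onto a second line.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1644491937-926492609-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{24C89A95-60BF-84DC-D242-DFFFC6B72E2E}*]
@Allowed: (Read) (RestrictedCode)
"jaafnhhakgnkonakhbah"=hex:62,61,65,6f,00,00
"iaakjgbojpcennekgk"=hex:6b,61,66,6f,64,61,65,6c,63,69,69,6e,66,6f,6f,66,61,6a,
6f,62,63,69,00,00
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs]
@DACL=(02 0000)
@="{571715D7-3395-4DF0-B43C-784836209E60}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""
HEX_VALUE = re.compile(r'^"([^"]*)"=hex(?:\([0-9a-fA-F]+\))?:(.*)$')  # "name"=hex:.. / hex(7):..
STR_VALUE = re.compile(r'^(?:"([^"]*)"|(@))="(.*)"$')                # "name"="..." or @="..."

def decode_hex(hex_text):
    """Decode a 'hex:' payload such as '62,61,65,6f,00,00' (single-byte data) to text, dropping NUL padding."""
    data = bytes(int(h, 16) for h in hex_text.strip(",").split(",") if h)
    return data.rstrip(b"\x00").decode("latin-1")

def parse_locked_keys(log_text):
    """Map each locked key path to its [(value_name, decoded_value), ...]; ACL lines (@Allowed, @Denied, @DACL) are skipped."""
    lines = []
    for line in (l.strip() for l in log_text.splitlines()):
        if lines and lines[-1].endswith(","):  # ComboFix wraps long hex values; re-join them
            lines[-1] += line
        else:
            lines.append(line)
    keys, current, in_section = {}, None, False
    for line in lines:
        if line.startswith("-----"):  # section banner: enter or leave LOCKED REGISTRY KEYS
            in_section = "LOCKED REGISTRY KEYS" in line
            continue
        if not in_section or not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = []
        elif current is not None and (m := HEX_VALUE.match(line)):
            keys[current].append((m.group(1), decode_hex(m.group(2))))
        elif current is not None and (m := STR_VALUE.match(line)):
            keys[current].append((m.group(1) or "@", m.group(3)))
    return keys
```

Run it on a saved log with parse_locked_keys(open("C:\\ComboFix.txt").read()) to get the same structure for the full section.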