Jump to content


Photo
- - - - -

cannot remove malware


  • This topic is locked This topic is locked
51 replies to this topic

#21 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 14 March 2012 - 07:57 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *afd.sys*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#22 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 14 March 2012 - 10:13 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 19:54 on 14/03/2012 by Rebekah
Administrator - Elevation successful

========== filefind ==========

Searching for "*afd.sys*"
C:\Windows\System32\drivers\afd.sys --a---- 338944 bytes [00:41 16/06/2011] [04:18 04/03/2012] 8FC69A5AA8A9FECC7F18A3ADDAA3AB7E
C:\Windows\System32\drivers\en-US\afd.sys.mui --a---- 14848 bytes [04:55 14/07/2009] [02:08 14/07/2009] 2F1E1E5CE5927E156F0B30163119960D
C:\Windows\winsxs\Backup\x86_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4bbf167edfba3058_afd.sys.mui_ff192075 --a---- 14848 bytes [04:56 14/07/2009] [04:56 14/07/2009] 2F1E1E5CE5927E156F0B30163119960D
C:\Windows\winsxs\Backup\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a_afd.sys_084af4a8 --a---- 338944 bytes [00:48 16/06/2011] [00:41 16/06/2011] 9EBBBA55060F786F0FCAA3893BFA2806
C:\Windows\winsxs\x86_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4bbf167edfba3058\afd.sys.mui --a---- 14848 bytes [04:55 14/07/2009] [02:08 14/07/2009] 2F1E1E5CE5927E156F0B30163119960D
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [22:51 26/03/2011] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --a---- 338944 bytes [00:41 16/06/2011] [04:18 04/03/2012] 8FC69A5AA8A9FECC7F18A3ADDAA3AB7E
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys --a---- 338944 bytes [00:41 16/06/2011] [03:24 25/04/2011] C427F91A748CD342A2B3F9278D9FD6A5

-= EOF =-

#23 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 15 March 2012 - 06:53 AM

Please visit www.virustotal.com and upload the following file:
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys

Wait until scan is completed and copy/paste the link here.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#24 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 16 March 2012 - 07:04 AM

It has been scanning for hours now. I have a highspeed connection. file size- 331kb


After letting it sit for 5 hours. next I tried deleting the file and then reloading it again which is where I am at now started scanning at 5am my time.

Is the problem because I am having to upload it from a flash drive. Reason being I dont have internet connection on other computer and this computer will not allow me to copy it anywhere.

And, Really want to thank you for your help. Will definitely be donating when this is all finished.

#25 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 16 March 2012 - 07:43 AM

It is okay.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys | C:\Windows\System32\drivers\afd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#26 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 17 March 2012 - 12:13 AM

Ok, so I followed your directions but when I dragged CFScript.txt into ComboFix.exe, ComboFix said that it was outdated and asked if it should run a reduced scan.

I may have messed up here but I figured the only way to update ComboFix since there is no internet connection on that computer was to delete then re-install it.

When I did this it automatically ran a full scan and created a log. The next step I was going to do was drag CFScript.txt into ComboFix like you asked but I can't find it.. Thinking ComboFix deleted it during the system scan.

So I tried following your instructions again thinking that now ComboFix is surely up to date, but when I try to drag CFScript.txt into ComboFix it says that this is a illegal operation on the registry.

Here is the log from the accidental full scan I hope it is helpful-


ComboFix 12-03-16.05 - Rebekah 03/16/2012 20:31:03.3.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3502.2535 [GMT -7:00]
Running from: C:\ComboFix.exe
Command switches used :: c:\users\Rebekah\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --> c:\windows\System32\drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2012-02-17 to 2012-03-17 )))))))))))))))))))))))))))))))
.
.
2012-03-11 04:55 . 2012-03-11 04:55 -------- d-----w- c:\program files\ESET
2012-03-11 04:00 . 2012-03-11 04:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-11 04:00 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 13:32 . 2012-03-17 03:38 -------- d-----w- c:\users\Rebekah\AppData\Local\temp
2012-03-07 15:55 . 2010-11-20 08:42 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-03-03 01:39 . 2012-03-03 01:39 -------- d-----w- c:\users\Benny\AppData\Local\Mozilla
2012-03-01 08:20 . 2012-03-01 08:20 -------- d-----w- c:\users\Benny\AppData\Roaming\Malwarebytes
2012-03-01 06:22 . 2012-03-01 06:22 -------- d-----w- c:\users\Rebekah\AppData\Roaming\Malwarebytes
2012-03-01 06:22 . 2012-03-01 06:22 -------- d-----w- c:\programdata\Malwarebytes
2012-02-29 09:17 . 2012-03-04 04:17 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-04 04:18 . 2011-06-16 00:41 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-03 03:09 . 2011-09-04 07:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 09:23 . 2011-03-26 22:51 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-03 05:20 . 2011-01-28 10:35 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-02-03 05:19 . 2011-02-15 05:58 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-02-03 05:19 . 2011-01-28 10:35 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-02-16 14:40 . 2012-03-03 01:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-02 7596576]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-08-05 2072576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-05-24 26448]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe" [2011-11-21 247968]
.
c:\users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Rebekah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PHOTOfunSTUDIO 6.0.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2011-11-25 174064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp wsauth
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 136176]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [2009-12-05 82128]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 136176]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-19 494192]
S2 wsnm_usbctrl;VMware View USB Control;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-19 793200]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 17408]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 209920]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-19 39984]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai
NecUsbSevice REG_MULTI_SZ NecUsb
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NICM
EUSBMSD
spcflt
yukonwxp
GameConsoleService
z525mdfl
PTproct
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 19:32]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msi.msn.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\wsauth.DLL
.
Completion time: 2012-03-16 20:39:47
ComboFix-quarantined-files.txt 2012-03-17 03:39
ComboFix2.txt 2012-03-10 13:32
ComboFix3.txt 2012-03-07 16:17
.
Pre-Run: 68,640,759,808 bytes free
Post-Run: 68,580,175,872 bytes free
.
- - End Of File - - B05579510DFDAEEF218E6042AE80F79B

#27 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 17 March 2012 - 04:49 AM

How are things now?
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#28 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 17 March 2012 - 01:17 PM

still no internet. other than that things look good

#29 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 17 March 2012 - 02:44 PM

Please post a new fresh log from Farbar Service Scanner.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#30 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 17 March 2012 - 08:30 PM

New FSS Log-



Farbar Service Scanner Version: 01-03-2012
Ran by Rebekah (administrator) on 17-03-2012 at 18:20:58
Running from "C:\Users\Rebekah\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys
[2011-06-15 17:41] - [2012-03-03 21:18] - 0338944 ____A () 8FC69A5AA8A9FECC7F18A3ADDAA3AB7E

C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#31 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 18 March 2012 - 04:12 AM

Delete your copy of ComboFix, download a new fresh one and then:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys | C:\windows\system32\Drivers\afd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#32 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 18 March 2012 - 04:43 AM

Internet is Working! Awesome. I haven't tried to open a browser or do anything.


LOG-


ComboFix 12-03-16.05 - Rebekah 03/18/2012 2:25.4.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3502.2643 [GMT -7:00]
Running from: C:\ComboFix.exe
Command switches used :: c:\users\Rebekah\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --> c:\windows\system32\Drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2012-02-18 to 2012-03-18 )))))))))))))))))))))))))))))))
.
.
2012-03-18 09:33 . 2012-03-18 09:33 -------- d-----w- c:\users\Mcx1-REBEKAHS-LAPTOP\AppData\Local\temp
2012-03-18 09:33 . 2012-03-18 09:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-18 09:33 . 2012-03-18 09:33 -------- d-----w- c:\users\Benny\AppData\Local\temp
2012-03-11 04:55 . 2012-03-11 04:55 -------- d-----w- c:\program files\ESET
2012-03-11 04:00 . 2012-03-11 04:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-11 04:00 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 13:32 . 2012-03-18 09:35 -------- d-----w- c:\users\Rebekah\AppData\Local\temp
2012-03-07 15:55 . 2010-11-20 08:42 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-03-03 01:39 . 2012-03-03 01:39 -------- d-----w- c:\users\Benny\AppData\Local\Mozilla
2012-03-01 08:20 . 2012-03-01 08:20 -------- d-----w- c:\users\Benny\AppData\Roaming\Malwarebytes
2012-03-01 06:22 . 2012-03-01 06:22 -------- d-----w- c:\users\Rebekah\AppData\Roaming\Malwarebytes
2012-03-01 06:22 . 2012-03-01 06:22 -------- d-----w- c:\programdata\Malwarebytes
2012-02-29 09:17 . 2012-03-04 04:17 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-03 03:09 . 2011-09-04 07:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 09:23 . 2011-03-26 22:51 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-03 05:20 . 2011-01-28 10:35 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-02-03 05:19 . 2011-02-15 05:58 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-02-03 05:19 . 2011-01-28 10:35 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-01-14 03:35 . 2012-02-16 04:10 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-01-04 08:58 . 2012-02-16 04:10 442880 ----a-w- c:\windows\system32\ntshrui.dll
2011-12-30 05:27 . 2012-02-16 04:10 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 14:40 . 2012-03-03 01:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-02 7596576]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-08-05 2072576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-05-24 26448]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe" [2011-11-21 247968]
.
c:\users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Rebekah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PHOTOfunSTUDIO 6.0.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2011-11-25 174064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp wsauth
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 136176]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [2009-12-05 82128]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 136176]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-19 494192]
S2 wsnm_usbctrl;VMware View USB Control;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-19 793200]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 17408]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 209920]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-19 39984]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai
NecUsbSevice REG_MULTI_SZ NecUsb
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NICM
EUSBMSD
spcflt
yukonwxp
GameConsoleService
z525mdfl
PTproct
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 19:32]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msi.msn.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath -
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\wsauth.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-03-18 02:38:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-18 09:38
ComboFix2.txt 2012-03-17 03:39
ComboFix3.txt 2012-03-10 13:32
ComboFix4.txt 2012-03-07 16:17
.
Pre-Run: 68,500,701,184 bytes free
Post-Run: 68,222,197,760 bytes free
.
- - End Of File - - F498AA6143E1A303C1EA657E93C464B2

#33 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 18 March 2012 - 06:19 AM

That is really awesome! huh... :)

How are things running now? Open Google, see how are things there.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#34 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 18 March 2012 - 02:35 PM

I assume trurn firewalls, malwarebytes on. Any suggestions on anti-virus programs or anything else

#35 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 18 March 2012 - 02:41 PM

so far no commercials. everything running smoothly. your lucky your on the other side of the world cause you would be getting a big hug.

Can you provide me any links to torturials that can show me what I need to do to avoid these problems in the future?

#36 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 18 March 2012 - 02:45 PM

Absolutely. :)

Please uninstall ComboFix:
www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Next, uninstall ESET Online Scanner and then manually delete DDS, TDSSKiller, Farbar Service Scanner and SystemLook.

Everything you need to know is here:
http://forums.malwar...=0


Safe surfing! :)
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#37 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 18 March 2012 - 02:51 PM

Again, thanks for your time. donation incoming.

#38 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 18 March 2012 - 03:11 PM

Sorry last question, Do you need the Uninstall Log? Is AVG anti-virus good or should I go with something else?

#39 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 21,410 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 18 March 2012 - 03:18 PM

No, I don't need it. It is a good free choice too.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#40 cunfused

cunfused

    New Member

  • Members
  • Pip
  • 28 posts

Posted 18 March 2012 - 04:54 PM

Computer just said that it is not running genuine windows ?? Windows directs me to their website to download Windows Activation Update, I download the program and ran it but it can't finish.

Says "Update installation failed. Error information -0x80096001"

Advice?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users