Another One of These Redirecting Issues
sjkimber
2012-04-01, 07:24
Spybot S&D found a trojan and got rid of it, however the redirecting is still here :sad:
It's been a long time since I've come to this forum board for help! Last time was great and fast :]
Thank you in advance to whoever helps me out!
-=-=-=-
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_14
Run by user at 15:52:06 on 2012-03-31
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1355 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\o2flash.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k netsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Fujitsu\fjdvrupd\updnvsrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\VM331_STI.EXE
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHndHkb.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.computers.us.fujitsu.com/
mDefault_Page_URL = hxxp://www.computers.us.fujitsu.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [TvOutSwitch] c:\program files\fujitsu\dispswitch\DispSwitchLauncher.exe
mRun: [SSUtility] c:\program files\fujitsu\ssutility\FJSSDMN.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [331BigDog] c:\windows\VM331_STI.EXE
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\fjdvrupd\updatenv.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ALYac] "c:\program files\estsoft\alyac\AYLaunch.exe" /run
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gamers~1.lnk - c:\program files\gamersfirst\live!\Live.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 66.174.92.14 69.78.96.14
TCP: Interfaces\{3E08BE9E-8A02-4B6F-8E33-3FE83DF4B1B7} : DhcpNameServer = 192.168.1.1 68.238.64.12
TCP: Interfaces\{9214A25E-1694-4A5F-9B1E-8288C4CDBCC3} : DhcpNameServer = 66.174.92.14 69.78.96.14
TCP: Interfaces\{C54CBBED-933E-4699-8920-484E3020F4D7} : DhcpNameServer = 192.168.42.129
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\common files\gretech\npgomtvx_nie.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\user\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\80fa4vep.default\extensions\{f8cc37c3-cbeb-4a00-8cbf-26a88693f0c5}\plugins\npagent.dll
.
============= SERVICES / DRIVERS ===============
.
R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2008-5-13 8960]
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2008-5-13 12712]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2008-1-20 21504]
R2 UpdateNaviInstallService;UpdateNaviInstallService;c:\program files\fujitsu\fjdvrupd\updnvsrv.exe [2007-1-27 11776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-5 24652]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2008-5-13 5632]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-2-4 47448]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-1-21 41560]
R3 vm331avs;VC0334 USB2.0 Digital Camera;c:\windows\system32\drivers\vm331avs.sys [2011-7-28 972032]
S1 EstRtwIFDrv;EstRtwIFDrv;c:\windows\system32\drivers\EstRtw.sys [2011-12-16 256312]
S2 ALYac_RTSrv;ALYac RealTime Service;c:\program files\estsoft\alyac\AYRTSrv.aye [2011-10-24 380728]
S2 ALYac_UpdSrv;ALYac Update Service;c:\program files\estsoft\alyac\AYUpdSrv.aye [2011-10-24 658744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-3-5 1153368]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 253600]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [2009-3-5 3872]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-12-1 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-7-24 9472]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\system32\drivers\USBAVCap.sys [2008-5-13 829696]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-31 18:08:54 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-31 17:57:45 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-30 22:25:44 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0dbed7f7-f371-4697-97c7-ff6d44ab1561}\mpengine.dll
2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12:25 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-19 16:12:25 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-13 19:37:36 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37:29 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37:29 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37:29 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37:28 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37:25 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-13 17:52:45 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52:45 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
==================== Find3M ====================
.
2012-03-31 18:08:54 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18:36 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-01-04 00:48:42 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-01-03 03:09:01 256312 ----a-w- c:\windows\system32\drivers\EstRtw.sys
.
============= FINISH: 15:53:03.87 ===============
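An added triage example for the DDS log above (my code, not part of DDS, Spybot or this thread): it splits a DDS log into its sections and pulls out the lines an analyst reads first. The indicator names and the heuristics behind them are my own labels; the sample excerpt is constructed from lines copied out of the log above.

```python
"""Triage a DDS log: pull out the lines an analyst reads first.

Added example for this thread; it is not a DDS or Spybot feature. The
heuristics are mine and are labelled as such in the comments.
"""
from __future__ import annotations

import re

# DDS section headers look like "============== Running Processes ==============="
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Device-namespace prefix DDS prints for a process that was not started through
# a normal drive-letter path.  Heuristic: seen with ZeroAccess/TDSS-class
# rootkits, so it is worth a look even though it is not proof of infection.
GLOBALROOT = "\\\\.\\globalroot\\"


def split_sections(log: str) -> dict[str, list[str]]:
    """Group the non-empty lines of a DDS log under their section header."""
    sections: dict[str, list[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line and line != ".":          # DDS pads sections with lone dots
            sections[current].append(line)
    return sections


def triage_dds(log: str) -> list[tuple[str, str]]:
    """Return (indicator, line) pairs, in log order, for lines worth a second look."""
    findings: list[tuple[str, str]] = []
    sections = split_sections(log)

    for line in sections.get("Running Processes", []):
        if line.lower().startswith(GLOBALROOT):
            findings.append(("process-globalroot", line))

    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            # Orphaned browser add-on entry: the CLSID is registered but the
            # DLL is gone.  Clutter rather than malware, but it gets cleaned.
            findings.append(("orphaned-addon", line))
        elif line.startswith("Hosts:"):
            # Hosts-file override; here a security forum is pointed at localhost.
            findings.append(("hosts-override", line))
        elif line.startswith("AppInit_DLLs:"):
            # Loaded into every process that links user32.dll; verify the DLL.
            findings.append(("appinit-dll", line))
    return findings


# Constructed sample: a handful of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
DDS (Ver_2011-08-26.01) - NTFSx86
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
LSP: mswsock.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"""

if __name__ == "__main__":
    for indicator, line in triage_dds(SAMPLE_DDS):
        print(f"{indicator:20} {line}")
```

Run against the full log, the one line that matters is the `\\.\globalroot\...\svchost.exe -k netsvcs` process: a second netsvcs host started through the device namespace rather than `C:\Windows\system32`, which is the kind of entry that makes an analyst reach for a rootkit scanner before anything else. The "No File" and Hosts hits are cleanup items, not evidence on their own.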
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix; see this link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
When running programs on Vista or Windows 7, you need to right-click the program and select RUN AS ADMINISTRATOR
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click Save log, save it to your desktop and post it in your next reply
http://public.avast.com/~gmerek/aswMBR2.png
sjkimber
2012-04-01, 22:01
Well this is a first... Which volunteer's instructions do I follow? :D
Yep, we both cross-posted, not a problem. Go ahead and run aswMBR and let's go from there.
sjkimber
2012-04-01, 22:51
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-01 12:49:30
-----------------------------
12:49:30.875 OS Version: Windows 6.0.6002 Service Pack 2
12:49:30.876 Number of processors: 2 586 0xF0D
12:49:30.876 ComputerName: KOTARO UserName: user
12:49:34.485 Initialize success
12:49:47.832 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
12:49:47.834 Disk 0 Vendor: FUJITSU_ 0000 Size: 238475MB BusType: 3
12:49:47.850 Disk 0 MBR read successfully
12:49:47.853 Disk 0 MBR scan
12:49:47.855 Disk 0 Windows VISTA default MBR code
12:49:47.868 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1536 MB offset 2048
12:49:47.883 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 235901 MB offset 3147776
12:49:47.916 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 1036 MB offset 486273024
12:49:47.921 Disk 0 scanning sectors +488394752
12:49:47.966 Disk 0 scanning C:\Windows\system32\drivers
12:49:56.787 Service scanning
12:50:17.803 Modules scanning
12:50:22.111 Module: C:\Windows\system32\drivers\afd.sys **SUSPICIOUS**
12:50:25.418 Disk 0 trace - called modules:
12:50:25.788 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87f11fd0]<<
12:50:25.794 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86cbaac8]
12:50:25.799 3 CLASSPNP.SYS[8ad9f8b3] -> nt!IofCallDriver -> [0x87e959a0]
12:50:25.804 \Driver\00001158[0x87d44880] -> IRP_MJ_CREATE -> 0x87f11fd0
12:50:25.810 Scan finished successfully
12:50:54.022 Disk 0 MBR has been saved successfully to "C:\Users\user\Documents\MBR.dat"
12:50:54.027 The log file has been saved successfully to "C:\Users\user\Documents\aswMBR.txt"
You can use Blade's instructions and go ahead and run ComboFix
sjkimber
2012-04-02, 00:51
I ran ComboFix and I had a rootkit in my system. After ComboFix finished I couldn't connect to the internet. I rebooted the computer and it still would not connect. Ran ComboFix again and the rootkit was still detected. After ComboFix finished I still could not connect to the internet.
I cannot copy and paste or attach the log
-from droid phone
You're going to have to download this program on another, clean computer and transfer it by disk to the infected one.
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
sjkimber
2012-04-02, 01:11
Virus.Win32.ZAccess.k
Was found. Selected cure and pressed continue
Came to screen there are unprocessed malware objects.
Found 1 threat
Neutralized 0
Quarantined 1
Did not ask for a reboot
sjkimber
2012-04-02, 01:17
Manually rebooted and found log. Still cannot connect to internet.. ):
Go ahead and post the log if you can. You were infected with the ZeroAccess rootkit, and sometimes this infection plays around with your internet connection.
Try this:
Please copy the entire contents of the codebox below into Notepad:
Open Notepad
Copy the contents of the codebox below using CTRL C
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]
Now return to Notepad and use CTRL V to paste the script
Verify that you have pasted the complete script
Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
Locate FixReg.reg on your desktop
Double click to run, and when prompted Allow the file to merge with your registry
OK your way out.
After that, Reboot your computer.
After the reboot, we will reinstall TCP/IP
Go to Start, then Settings, and choose Network Connections
Right click on your normal connection icon, and choose Properties
Click the Install button
Choose Protocol then click Add
Click Have disk
In the drop down box, type in: C:\WINDOWS\INF and click OK
In the next dialog, click Internet Protocol (TCP/IP) then click OK
Click Close to leave the properties box
After that, Reboot your computer and see if you have regained your connection.
sjkimber
2012-04-02, 01:58
Still unable to connect and I can not attach the logs.
sjkimber
2012-04-02, 02:00
To be more precise I can not connect to the network at all.
Also network diagnostics can not run
Diagnostics policy service is not running and when I try to manually start it the service stops automatically
sjkimber
2012-04-02, 02:39
I finally uploaded the logs onto a website
http://www.4shared.com/zip/yFdpAEXs/3logs.html?
Total of 3 .txt documents in a zip file.
The link you posted was blocked by my AV.
It looks like there is a required service missing; I need you to do this. You may need to reply from another computer with internet access.
Please download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) and run it on the computer with the issue.
Make sure "Include All Files" option remains checked.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
sjkimber
2012-04-02, 03:16
The issue is I do not have access to another computer.
I will run the program
sjkimber
2012-04-02, 03:40
ComboFix 12-04-01.01 - user 04/01/2012 14:25:56.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2222 [GMT -7:00]
Running from: c:\users\user\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-01 to 2012-04-01 )))))))))))))))))))))))))))))))
.
.
2012-04-01 21:35 . 2012-04-01 21:36 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-01 21:35 . 2012-04-01 21:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-01-03 03:09 . 2011-12-16 23:44 256312 ----a-w- c:\windows\system32\drivers\EstRtw.sys
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - c:\program files\GamersFirst\LIVE!\Live.exe [2011-8-15 2589808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-01 14:36
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-01 14:38:08
ComboFix-quarantined-files.txt 2012-04-01 21:38
ComboFix2.txt 2012-04-01 21:01
.
Pre-Run: 114,819,280,896 bytes free
Post-Run: 114,787,569,664 bytes free
.
- - End Of File - - 54CAECE206807821094299C5D3592BB6
sjkimber
2012-04-02, 04:23
Farbar Service Scanner Version: 01-03-2012
Ran by user (administrator) on 01-04-2012 at 17:18:51
Running from "C:\Users\user\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
sjkimber
2012-04-02, 04:33
I can't post the tdsskiller log...
That's fine.
This may be the culprit
C:\Windows\system32\Drivers\afd.sys
I have a fix for it but I need to check and see if it will work on Vista.
4Share <--File sharing of any kind is dangerous, you're downloading that file from an unknown source and not all but a good percentage of them are infected, this may be how you infected your computer.
Be back as soon as I can
Hi,
We need to find a replacement for this file as this one has been patched by malware
afd.sys <--put this in the search box
press the "Search Files" button, once done a log will open, post the content in the next reply
sjkimber
2012-04-02, 22:53
I do not comprehend which search box I am to put afd.sys
sjkimber
2012-04-02, 22:54
I figured you meant FSS. Currently searching
sjkimber
2012-04-02, 22:58
Farbar Service Scanner Version: 01-03-2012
Ran by user (administrator) on 02-04-2012 at 12:53:35
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
************************************************
======== Search: "afd.sys" =========
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:28] - 0273920 ____N (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2009-05-27 02:02] - [2009-04-10 21:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2008-01-20 19:24] - [2008-01-20 19:24] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03
C:\Windows\System32\drivers\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27
====== End Of Search ======
Lets try this
Open Notepad. Go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above FCopy::
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys | C:\Windows\System32\drivers\afd.sys
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
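The FSS search output above and the FCopy replacement step can be checked mechanically. The script below is an added example for this thread (it is not FSS, ComboFix or the helper's own code): it parses the posted search block, flags the live afd.sys as suspect because it carries no company name in its version info, finds every other copy sharing the same MD5 (the 6.0.6002.18457 WinSxS copy, which is why it was not used as the source), and ranks the Microsoft-attributed copies by WinSxS version to produce the same FCopy line the helper wrote. The "empty company name means suspect" heuristic and the "highest clean version wins" rule are assumptions of this example, not FSS logic.

```python
"""Parse a Farbar Service Scanner (FSS) "Search" block and choose a clean
replacement for a suspected patched driver.  Added example for this thread;
not part of FSS, ComboFix or the posted logs."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# FSS search output copied from the post above (hashes are as posted).
FSS_SEARCH_LOG = r"""
======== Search: "afd.sys" =========
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:28] - 0273920 ____N (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2009-05-27 02:02] - [2009-04-10 21:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2008-01-20 19:24] - [2008-01-20 19:24] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03
C:\Windows\System32\drivers\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27
====== End Of Search ======
"""

# Detail line: [created] - [modified] - size attrs (Company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Version embedded in a WinSxS component directory name, e.g. _6.0.6002.22629_
VERSION_RE = re.compile(r"_(\d+)\.(\d+)\.(\d+)\.(\d+)_")


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str   # empty when the PE reports no CompanyName (as the patched copy here)
    md5: str


def parse_fss_search(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line FSS prints directly under it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for path_line, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if m and not path_line.startswith("="):
            entries.append(FileEntry(path_line, m["created"], m["modified"],
                                     int(m["size"]), m["attrs"], m["company"],
                                     m["md5"].upper()))
    return entries


def winsxs_version(path: str) -> Tuple[int, ...]:
    """Version tuple from the WinSxS directory name; (0,0,0,0) for the live copy."""
    m = VERSION_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0, 0)


def is_suspect(entry: FileEntry) -> bool:
    """Assumption of this example: a Microsoft driver with no CompanyName has been tampered with."""
    return entry.company == ""


def assess(entries: List[FileEntry], live_path: str):
    """Return (live copy, other copies sharing its hash, clean candidates best-first)."""
    live = next(e for e in entries if e.path.lower() == live_path.lower())
    # Any WinSxS copy with the same MD5 is equally tainted and must not be the source.
    tainted = [e for e in entries if e is not live and e.md5 == live.md5]
    candidates = [e for e in entries
                  if e is not live and e.md5 != live.md5
                  and e.company == "Microsoft Corporation"]
    candidates.sort(key=lambda e: winsxs_version(e.path), reverse=True)
    return live, tainted, candidates


def build_fcopy(src: str, dst: str) -> str:
    """Render the ComboFix CFScript FCopy directive used in this thread."""
    return f"FCopy::\n{src} | {dst}"


if __name__ == "__main__":
    found = parse_fss_search(FSS_SEARCH_LOG)
    live, tainted, cands = assess(found, r"C:\Windows\System32\drivers\afd.sys")
    print(f"live copy md5={live.md5} company={live.company!r} suspect={is_suspect(live)}")
    for e in tainted:
        print("same hash, do not use as source:", e.path)
    print("best replacement:", cands[0].path)
    print(build_fcopy(cands[0].path, live.path))
```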
sjkimber
2012-04-03, 01:24
ComboFix 12-04-01.01 - user 04/02/2012 15:09:16.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2185 [GMT -7:00]
Running from: c:\users\user\Downloads\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\wltrysvc.dll_old
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 22:16 . 2012-04-02 22:16 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-02 22:16 . 2012-04-02 22:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-01 23:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe
AddRemove-Teamspeak 2 RC2_is1 - c:\program files\Teamspeak2_RC2\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 15:16
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-02 15:18:34
ComboFix-quarantined-files.txt 2012-04-02 22:18
ComboFix2.txt 2012-04-01 21:01
.
Pre-Run: 114,140,114,944 bytes free
Post-Run: 114,108,682,240 bytes free
.
- - End Of File - - BE0132CC6133FDE730030F70E8591CE0
I don't see where the file was copied, any internet access?
sjkimber
2012-04-03, 01:53
Still unable to connect to any network.
sjkimber
2012-04-03, 01:55
Is there more code than
FCopy:: C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22
?
I can't see any code after 6.002.22
Can you plug your computer directly into your cable or DSL modem and get internet access?
Run that scan again for FSS and plug the file in the search box
afd.sys
Yes, you missed all that was in the code box. Run Combofix again and copy and paste this in the script
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys | C:\Windows\System32\drivers\afd.sys
sjkimber
2012-04-03, 02:06
I'm running combofix again.
Also I am unable to directly connect to the source. I can only wirelessly connect to a network
sjkimber
2012-04-03, 02:38
ComboFix 12-04-01.01 - user 04/02/2012 16:14:34.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2220 [GMT -7:00]
Running from: c:\users\user\Downloads\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 23:22 . 2012-04-02 23:22 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-02 23:22 . 2012-04-02 23:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-02 22:21 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 16:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-02 16:24:22
ComboFix-quarantined-files.txt 2012-04-02 23:24
ComboFix2.txt 2012-04-02 22:18
ComboFix3.txt 2012-04-01 21:01
.
Pre-Run: 113,704,484,864 bytes free
Post-Run: 113,672,527,872 bytes free
.
- - End Of File - - D283021930EE9BB4CB2BA73CC6C2BB46
Still don't see the file copied.
I am a bit confused here
Also I am unable to directly connect to the source. I can only wirelessly connect to a network
Explain in detail your internet access
sjkimber
2012-04-03, 04:30
Tethered (rooted) android phone
sjkimber
2012-04-03, 05:07
I'm going to attempt to run the script again.
sjkimber
2012-04-03, 06:27
ComboFix 12-04-01.01 - user 04/02/2012 19:14:50.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2262 [GMT -7:00]
Running from: c:\users\user\Downloads\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
.
.
2012-04-03 02:22 . 2012-04-03 02:22 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-03 02:22 . 2012-04-03 02:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-02 22:21 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 19:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-02 19:24:33
ComboFix-quarantined-files.txt 2012-04-03 02:24
ComboFix2.txt 2012-04-02 23:24
ComboFix3.txt 2012-04-02 22:18
ComboFix4.txt 2012-04-01 21:01
.
Pre-Run: 112,126,992,384 bytes free
Post-Run: 112,096,043,008 bytes free
.
- - End Of File - - 8CA036B0C39E990ABF1BEA90CB90008F
Good Morning,
So you're using your Droid as basically your modem, I have not tried that so am a bit unfamiliar with it. But this lets your laptop access the internet? I am thinking that your laptop could still not access the internet if it was damaged. Have you tried to pick up any other open connections that your laptop may find, like connections from a neighbor or free wifi from a local coffee shop?
We know that Zero Access is one nasty piece of garbage and removing it sometimes borks your internet.
Let's try something, do this in order: untether your Droid (you can redo this if needed), shut down your laptop, pull the power cord out of your router, then pull the power cord out of your cable/dsl modem, wait 5 minutes, then plug your modem back in and wait for all the lights to come back on (is the light for internet access flashing?), then plug your router back in and wait for the lights to come back on, then power up your laptop and try your internet again.
Run FSS once more, not to scan for files but like you did the first time, and let's see if that driver is still borked.
Please download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) and run it on the computer with the issue.
Make sure "Include All Files" option remains checked.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
sjkimber
2012-04-03, 19:04
Good morning! I do not see an include all files option for FSS.
I am basically using my droid as an internet network hotspot. All I do is turn on the wifi tethering and anyone with the password can connect to the network.
My laptop will not connect to any network after I ran combofix the first time.
Zeroaccess is in the AFD service. As reported by tdsskiller.
For some reason my PS/2 Pointing Device Driver is not functioning so my scroll buttons left click. This is after running combofix.
Diagnostics policy service is not running and refuses to run after starting by automatically stopping right away
I ran FSS with the option internet services selected. There are 5 other options unselected that do not say 'include all files'
Just run it with Internet Services checked, you can uncheck all the rest
sjkimber
2012-04-03, 19:21
Farbar Service Scanner Version: 01-03-2012
Ran by user (administrator) on 03-04-2012 at 08:53:17
Running from "C:\Users\user\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
That file has still not been copied over to replace the infected one.
Let's try a different program
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
afd.sys
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
sjkimber
2012-04-03, 23:05
========== filefind ==========

Searching for "afd.sys"
C:\Windows\System32\drivers\afd.sys --a---- 273408 bytes [18:30 21/06/2011] [13:58 21/04/2011] 4043803174E2F007E60C28EA6BA1BA27
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys --a---- 273920 bytes [02:24 21/01/2008] [02:24 21/01/2008] 763E172A55177E478CB419F88FD0BA03
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys --a---- 273408 bytes [18:30 21/06/2011] [13:16 21/04/2011] 48EB99503533C27AC6135648E5474457
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys --a---- 273920 bytes [18:30 21/06/2011] [13:12 21/04/2011] C8AF25017CECB75906A571AC70D2D306
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys --a---- 273920 bytes [09:02 27/05/2009] [04:47 11/04/2009] A201207363AA900ABF1A388468688570
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys --a---- 273408 bytes [18:30 21/06/2011] [13:58 21/04/2011] 4043803174E2F007E60C28EA6BA1BA27
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys ------- 273920 bytes [18:30 21/06/2011] [13:28 21/04/2011] 70EE0FC7A0F384DBD929A01384AEEB4B

-= EOF =-
Same results.
Drag your copy of Combofix to the trash and redownload a fresh copy to your DESKTOP <--Important
Make sure all your AV and Spyware programs are closed and let's run the script one more time.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Make sure you move the slider in the code box and copy and paste the whole thing.
Open Notepad: Go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above FCopy::
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys | C:\Windows\System32\drivers\afd.sys
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
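Added example, not code from the thread or from FSS, SystemLook or ComboFix: a Python script that does the check the helper is doing by hand here (FSS flags the live afd.sys MD5, SystemLook lists the WinSxS copies with their MD5s, FCopy:: restores one), hashing the live driver against every WinSxS copy so you can see whether a restore actually took. It runs offline on a tree constructed in a temp directory; on a real machine pass `Path("C:/Windows")` instead.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# A WinSxS component folder is named arch_name_publickeytoken_version_culture_hash, e.g.
#   x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967
SXS_DIR_RE = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>.+)_(?P<token>[0-9a-f]{16})"
    r"_(?P<version>\d+(?:\.\d+){3})_(?P<culture>[^_]+)_(?P<hash>[0-9a-f]{16})$"
)


def md5_of(path: Path) -> str:
    """Upper-case hex MD5 (the form FSS and SystemLook print), read in chunks."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def sxs_version(dirname: str) -> Optional[Tuple[int, ...]]:
    """Version tuple parsed from a WinSxS component folder name, or None if it is not one."""
    m = SXS_DIR_RE.match(dirname)
    if m is None:
        return None
    return tuple(int(part) for part in m.group("version").split("."))


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in version.split("."))


def compare_driver(windows_root: Path, driver: str) -> Dict[str, object]:
    """Hash the live driver and each WinSxS copy; report which copies equal the live file.

    Keys: live_md5, sxs_copies ({version: MD5}), matching_versions (SxS copies that are
    byte-identical to the live file), newest_sxs_version, and live_matches_newest
    (False means the newest copy has not been restored over the live file, or the
    live file was altered after it was).
    """
    live_md5 = md5_of(windows_root / "System32" / "drivers" / driver)
    copies: Dict[str, str] = {}
    for p in (windows_root / "winsxs").rglob(driver):
        ver = sxs_version(p.parent.name)
        if p.is_file() and ver is not None:
            copies[".".join(map(str, ver))] = md5_of(p)
    newest = max(copies, key=_vtuple) if copies else None
    return {
        "live_md5": live_md5,
        "sxs_copies": copies,
        "matching_versions": sorted((v for v, h in copies.items() if h == live_md5), key=_vtuple),
        "newest_sxs_version": newest,
        "live_matches_newest": newest is not None and copies[newest] == live_md5,
    }


def build_constructed_tree() -> Path:
    """Constructed stand-in for the Windows folder, shaped like the thread's SystemLook listing.

    File bodies are made up (not driver bytes). Folder names reuse the public key token
    and three of the version numbers from the thread; the trailing hashes are placeholders.
    The live file is left equal to the 18457 copy, i.e. the newer 22629 copy has NOT been
    restored over it, which is the situation the thread's logs showed.
    """
    root = Path(tempfile.mkdtemp()) / "Windows"
    drivers = root / "System32" / "drivers"
    drivers.mkdir(parents=True)
    bodies = {
        "6.0.6001.18000": b"constructed afd.sys body, build 18000\n",
        "6.0.6002.18457": b"constructed afd.sys body, build 18457\n",
        "6.0.6002.22629": b"constructed afd.sys body, build 22629\n",
    }
    for i, (ver, body) in enumerate(bodies.items()):
        comp = root / "winsxs" / f"x86_microsoft-windows-winsock-core_31bf3856ad364e35_{ver}_none_{i:016x}"
        comp.mkdir(parents=True)
        (comp / "afd.sys").write_bytes(body)
    (drivers / "afd.sys").write_bytes(bodies["6.0.6002.18457"])
    return root


if __name__ == "__main__":
    for key, value in compare_driver(build_constructed_tree(), "afd.sys").items():
        print(f"{key}: {value}")
```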
sjkimber
2012-04-03, 23:48
I can not copy everything in the code box since I am on the droid.
If this does not work then you may have to beg or borrow a friend's computer, you have some serious issues and we're trying to solve them via phone, it may not work
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys | C:\Windows\System32\drivers\afd.sys
sjkimber
2012-04-04, 00:35
ComboFix 12-04-03.02 - user 04/03/2012 14:12:30.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2228 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
.
.
2012-04-03 21:19 . 2012-04-03 21:20 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-03 21:19 . 2012-04-03 21:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-03 16:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 14:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-03 14:22:05
ComboFix-quarantined-files.txt 2012-04-03 21:22
ComboFix2.txt 2012-04-03 02:24
ComboFix3.txt 2012-04-02 23:24
ComboFix4.txt 2012-04-02 22:18
ComboFix5.txt 2012-04-03 21:02
.
Pre-Run: 112,030,806,016 bytes free
Post-Run: 111,998,873,600 bytes free
.
- - End Of File - - C5F7579A86FC05F3CEB8F7645AEFD0FB
I still don't see the file transferred to replace the infected one.
Can you get access to another computer
sjkimber
2012-04-04, 21:14
Hi Ken, I'll try to get access to another computer today.
sjkimber
2012-04-04, 21:32
Do you want me to follow the same instructions on the previous post?
sjkimber
2012-04-04, 23:03
ComboFix 12-04-03.02 - user 04/04/2012 12:45:36.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2211 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys --> c:\windows\System32\drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
.
.
2012-04-04 19:54 . 2012-04-04 19:54 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-04 19:54 . 2012-04-04 19:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-03 21:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-04 12:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-04 12:56:24
ComboFix-quarantined-files.txt 2012-04-04 19:56
ComboFix2.txt 2012-04-03 21:22
ComboFix3.txt 2012-04-03 02:24
ComboFix4.txt 2012-04-02 23:24
ComboFix5.txt 2012-04-04 19:33
.
Pre-Run: 109,960,060,928 bytes free
Post-Run: 109,927,485,440 bytes free
.
- - End Of File - - 808204D3FB0BF3F1138595AD22854310
sjkimber
2012-04-04, 23:33
I can now connect to networks however I can not connect to the internet.
Network Diagnostics cannot run because the Diagnostics Policy Service is not running. When I manually start the Diagnostics Policy Service it automatically stops
Go to Start > Run and type in services.msc > Enter
Look for Diagnostics Policy Service, right click on it and go to Properties and on the Start Up tab, change it to Automatic. Close it all out
If you don't have a run box you can add it
Right-click the Start button, Properties, Customise - set the checkbox next to Run [it's near the end of the list].
sjkimber
2012-04-05, 00:04
It is already set as automatic. Also when I run Combofix it says I still have rootkit zeroaccess infecting my tcp/ip
TDSSKiller says there is no malware.
OK, let's go back to square one, drag Combofix to the trash and download a fresh copy, run it and post the log please
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
sjkimber
2012-04-05, 03:15
ComboFix 12-04-04.02 - user 04/04/2012 15:18:04.9.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1886 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
.
.
2012-04-04 22:24 . 2012-04-04 22:24 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-04 22:24 . 2012-04-04 22:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-03 21:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-04 15:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3140)
c:\progra~1\COMMON~1\ArcSoft\MPEGEN~1\mpgaudio.ax
c:\progra~1\COMMON~1\ArcSoft\MPEGEN~1\AdavAudioDec.dll
c:\program files\CyberLink\PowerDVD\NavFilter\clm4splt.ax
.
Completion time: 2012-04-04 15:26:34
ComboFix-quarantined-files.txt 2012-04-04 22:26
ComboFix2.txt 2012-04-04 22:02
ComboFix3.txt 2012-04-04 19:56
ComboFix4.txt 2012-04-03 21:22
ComboFix5.txt 2012-04-04 22:16
.
Pre-Run: 111,221,497,856 bytes free
Post-Run: 111,181,742,080 bytes free
.
- - End Of File - - 5A03B8E8AC0238CDCAA66F418CCEB287
Good Morning,
Go ahead and run the FSS scan one more time to check your internet connection. When you ran CF with the script, it finally copied over the file that we needed. When you ran it last time without a script, did it give you a rootkit warning? I see you have Firefox installed; are you using Internet Explorer as well to access the internet?
sjkimber
2012-04-05, 19:44
Good morning.
When I ran combofix again I did not receive a rootkit warning.
I am currently unable to connect to any network.
Diagnostics policy service still refuses to run.
It's not the browser; I just can't connect to the internet at all :/
Go ahead and run FSS scan one more time to check your internet connection
sjkimber
2012-04-05, 20:13
Local host is blocked.
No connection to network.
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.