Another One of These Redirecting Issues

Good morning! I do not see an include all files option for FSS.

I am basically using my droid as an internet network hotspot. All I do is turn on the wifi teathering and anyone with the password can connect to the network.

My laptop will not connect to any network after I ran combofix the first time.
Zeroaccess is in the AFD service. As reported by tdsskiller.
For some reason my PS/2 Pointing Device Driver is not functioning so my scroll buttons left click. This is after running combofix.
Diagnostics policy service is not running and refuses to run after starting by automatically stopping right away

I ran FSS with the option internet services selected. There are 5 other options unselected that do not say 'include all files'
 
Farbar Service Scanner Version: 01-03-2012
Ran by user (administrator) on 03-04-2012 at 08:53:17
Running from "C:\Users\user\Desktop"
Microsoft� Windows Vista� Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
 
That file has still not been copied over to replace the infected one.

Lets try a different program



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: 
    :filefind
afd.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
========== filefind ========== Searching for "afd.sys" C:\Windows\System32\drivers\afd.sys --a----273408 bytes [18:30 21/06/2011] [13:58 21/ 04/2011] 4043803174E2F007E60C28EA6BA1BA27 C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys --a----273920 bytes [02:24 21/01/2008] [02:24 21/01/2008] 763E172A55177E478CB419F88FD0BA03 C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys --a----273408 bytes [18:30 21/06/2011] [13:16 21/04/2011] 48EB99503533C27AC6135648E5474457 C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys --a----273920 bytes [18:30 21/06/2011] [13:12 21/04/2011] C8AF25017CECB75906A571AC70D2D306 C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys --a----273920 bytes [09:02 27/05/2009] [04:47 11/04/2009] A201207363AA900ABF1A388468688570 C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys --a----273408 bytes [18:30 21/06/2011] [13:58 21/04/2011] 4043803174E2F007E60C28EA6BA1BA27 C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys -------273920 bytes [18:30 21/06/2011] [13:28 21/04/2011] 70EE0FC7A0F384DBD929A01384AEEB4B -= EOF =-
 
Same results.

Drag your copy of Combofix to the trash and redownload a fresh copy to your DESKTOP <--Important


Make sure all your AV and Spyware programs are closed and lets run the script one more time.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop






Make sure you move the slider in the code box and copy and paste the whole thing.

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above FCopy::


Code: 
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys | C:\Windows\System32\drivers\afd.sys

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
 
If this does not work than you may have to beg borrow a friends computer, you have some serious issues and where trying to solve them via phone, it may not work


FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys | C:\Windows\System32\drivers\afd.sys
 
ComboFix 12-04-03.02 - user 04/03/2012 14:12:30.6.2 - x86
Microsoft� Windows Vista� Home Premium 6.0.6002.2.1252.1.1033.18.3062.2228 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
.
.
2012-04-03 21:19 . 2012-04-03 21:20 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-03 21:19 . 2012-04-03 21:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-03 16:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 14:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-03 14:22:05
ComboFix-quarantined-files.txt 2012-04-03 21:22
ComboFix2.txt 2012-04-03 02:24
ComboFix3.txt 2012-04-02 23:24
ComboFix4.txt 2012-04-02 22:18
ComboFix5.txt 2012-04-03 21:02
.
Pre-Run: 112,030,806,016 bytes free
Post-Run: 111,998,873,600 bytes free
.
- - End Of File - - C5F7579A86FC05F3CEB8F7645AEFD0FB
 
I still dont see the file transfered to replace the infected one.

Can you get access to another computer
 
ComboFix 12-04-03.02 - user 04/04/2012 12:45:36.7.2 - x86
Microsoft?Windows Vista?Home Premium 6.0.6002.2.1252.1.1033.18.3062.2211 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys --> c:\windows\System32\drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
.
.
2012-04-04 19:54 . 2012-04-04 19:54 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-04 19:54 . 2012-04-04 19:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-03 21:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-04 12:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-04 12:56:24
ComboFix-quarantined-files.txt 2012-04-04 19:56
ComboFix2.txt 2012-04-03 21:22
ComboFix3.txt 2012-04-03 02:24
ComboFix4.txt 2012-04-02 23:24
ComboFix5.txt 2012-04-04 19:33
.
Pre-Run: 109,960,060,928 bytes free
Post-Run: 109,927,485,440 bytes free
.
- - End Of File - - 808204D3FB0BF3F1138595AD22854310
 
I can now connect to networks however I can not connect to the internet.

Network Diagnostics cannot run because the Diagnostics Policy Service is not running.When I manually start the Diagnostis Policy Service it automatically stops
 
Go to Start > Run and type in services.msc > Enter

Look for Diagnostics Policy Service, right click on it and go to Properties and on the Start Up tab, change it to Automatic. Close it all out

If you dont have a run box you can add it
Right-click the Start button, Properties, Customise - set the checkbox next to Run [it's near the end of the list].
 
It is already set as automatic. Also when i run Combofix it says I still have rootkit zeroaccess infecting my tcp/ip

TDSSKilelr says there is no malware.
 
Ok, lets go back to square one, drag Combofix to the trash and download a fresh copy, run it and post the log please


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop
 
ComboFix 12-04-04.02 - user 04/04/2012 15:18:04.9.2 - x86
Microsoft� Windows Vista� Home Premium 6.0.6002.2.1252.1.1033.18.3062.1886 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
.
.
2012-04-04 22:24 . 2012-04-04 22:24 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-04 22:24 . 2012-04-04 22:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-03 21:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-04 15:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3140)
c:\progra~1\COMMON~1\ArcSoft\MPEGEN~1\mpgaudio.ax
c:\progra~1\COMMON~1\ArcSoft\MPEGEN~1\AdavAudioDec.dll
c:\program files\CyberLink\PowerDVD\NavFilter\clm4splt.ax
.
Completion time: 2012-04-04 15:26:34
ComboFix-quarantined-files.txt 2012-04-04 22:26
ComboFix2.txt 2012-04-04 22:02
ComboFix3.txt 2012-04-04 19:56
ComboFix4.txt 2012-04-03 21:22
ComboFix5.txt 2012-04-04 22:16
.
Pre-Run: 111,221,497,856 bytes free
Post-Run: 111,181,742,080 bytes free
.
- - End Of File - - 5A03B8E8AC0238CDCAA66F418CCEB287
 
Good Morning,

Go ahead and run FSS scan one more time to check your internet connection. When you ran CF with the script it finally copied the file over that we needed, when you ran it last time without a script, did it give you a rootkit warning ? I see you have Firefox installed, are you using Internet Explorer as well to access the internet ?
 
Last edited:
Good morning.
When I ran combofix again I did not receive a rootkit warning.

I am currently unable to connect to any network.
Diagnostics policy service still refuses to run.

It's not the browser, I just can't connect to the internet at all :/
 
You must log in or register to reply here.
Back
Top