Another One of These Redirecting Issues

That's fine.

This may be the culprit
C:\Windows\system32\Drivers\afd.sys

I have a fix for it but I need to check and see if it will work on Vista.

4Share <-- File sharing of any kind is dangerous: you're downloading that file from an unknown source, and not all, but a good percentage of them, are infected. This may be how you infected your computer.

Be back as soon as I can
 
Hi,

We need to find a replacement for this file, as this one has been patched by malware.

afd.sys <--put this in the search box

Press the "Search Files" button. Once done, a log will open; post the content in the next reply.
 
Farbar Service Scanner Version: 01-03-2012
Ran by user (administrator) on 02-04-2012 at 12:53:35
Microsoft® Windows Vista® Home Premium Service Pack 2 (X86)

************************************************
======== Search: "afd.sys" =========

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:28] - 0273920 ____N (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2009-05-27 02:02] - [2009-04-10 21:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2008-01-20 19:24] - [2008-01-20 19:24] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

C:\Windows\System32\drivers\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27

====== End Of Search ======
 
Let's try this

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::


Code:
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys | C:\Windows\System32\drivers\afd.sys

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
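The FSS search output above and the CFScript in this post, worked through as an added example (not the helper's tool, and not code from Farbar Service Scanner or ComboFix): a Python script that parses the "Search" section of an FSS log, flags the copies whose detail line shows no company name, and builds the FCopy:: line in the same `source | destination` form the helper used. The sample log lines are the ones posted earlier in the thread. The rule for choosing the replacement (highest version number among the winsxs copies that still show Microsoft Corporation and do not share the live driver's hash) is an assumption of this example; on this log it lands on the same 6.0.6002.22629 copy the helper picked.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "Search: afd.sys" section of the FSS log posted in this thread.
SAMPLE_FSS_LOG = r"""
======== Search: "afd.sys" =========

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:28] - 0273920 ____N (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2009-05-27 02:02] - [2009-04-10 21:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2008-01-20 19:24] - [2008-01-20 19:24] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

C:\Windows\System32\drivers\afd.sys
[2011-06-21 11:30] - [2011-04-21 06:58] - 0273408 ____A () 4043803174E2F007E60C28EA6BA1BA27

====== End Of Search ======
"""

# FSS prints each hit as a path line followed by a detail line:
#   [created] - [modified] - size attrs (company) md5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# winsxs component folder names embed the file version: ..._6.0.6002.22629_none_...
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


@dataclass
class DriverCopy:
    path: str
    size: int
    company: str
    md5: str

    @property
    def version(self) -> tuple:
        m = VERSION_RE.search(self.path)
        return tuple(int(p) for p in m.group(1).split(".")) if m else (0,)

    @property
    def is_live(self) -> bool:
        # the copy the kernel actually loads, as opposed to the winsxs store
        return "\\system32\\drivers\\" in self.path.lower()


def parse_fss_search(log: str) -> list:
    """Pair each path line with the detail line that follows it."""
    copies, path = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = DETAIL_RE.match(line)
        if m and path is not None:
            copies.append(DriverCopy(path, int(m["size"]), m["company"].strip(), m["md5"].upper()))
            path = None
        elif re.match(r"^[A-Za-z]:\\", line):
            path = line
    return copies


def flag_suspect(copies: list) -> list:
    """A Microsoft driver whose detail line shows '()' instead of a company name
    has had its version information overwritten; treat every such copy as patched."""
    return [c for c in copies if not c.company]


def pick_replacement(copies: list) -> DriverCopy:
    """Assumed rule: highest-versioned winsxs copy that still shows a company name
    and does not share the live driver's hash (a same-hash winsxs copy is patched too)."""
    live = next(c for c in copies if c.is_live)
    candidates = [c for c in copies if not c.is_live and c.company and c.md5 != live.md5]
    return max(candidates, key=lambda c: c.version)


def build_cfscript(copies: list) -> str:
    """Emit the FCopy:: directive in the form used in this thread: source | destination."""
    live = next(c for c in copies if c.is_live)
    src = pick_replacement(copies)
    return f"FCopy::\n{src.path} | {live.path}\n"


if __name__ == "__main__":
    found = parse_fss_search(SAMPLE_FSS_LOG)
    for c in flag_suspect(found):
        print("suspect:", c.path, c.md5)
    print(build_cfscript(found))
```

On this log the 6.0.6002.18457 winsxs copy carries the same hash and the same blank company as the live driver, so it is patched as well and is excluded as a source; comparing each winsxs hash against the live file before copying anything is the check that prevents restoring the infected copy over itself.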
 
ComboFix 12-04-01.01 - user 04/02/2012 15:09:16.3.2 - x86
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3062.2185 [GMT -7:00]
Running from: c:\users\user\Downloads\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\wltrysvc.dll_old
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 22:16 . 2012-04-02 22:16 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-02 22:16 . 2012-04-02 22:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-01 23:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe
AddRemove-Teamspeak 2 RC2_is1 - c:\program files\Teamspeak2_RC2\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 15:16
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-02 15:18:34
ComboFix-quarantined-files.txt 2012-04-02 22:18
ComboFix2.txt 2012-04-01 21:01
.
Pre-Run: 114,140,114,944 bytes free
Post-Run: 114,108,682,240 bytes free
.
- - End Of File - - BE0132CC6133FDE730030F70E8591CE0
 
Is there more code than

FCopy:: C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22

?
I can't see any code after 6.002.22
 
Can you plug your computer directly into your cable or DSL modem and get internet access?


Run that scan again for FSS and plug the file in the search box
afd.sys
 
Yes, you missed all that was in the code box. Run Combofix again and copy and paste this in the script

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys | C:\Windows\System32\drivers\afd.sys
 
I'm running ComboFix again.
Also, I am unable to directly connect to the source. I can only wirelessly connect to a network.
 
ComboFix 12-04-01.01 - user 04/02/2012 16:14:34.4.2 - x86
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3062.2220 [GMT -7:00]
Running from: c:\users\user\Downloads\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 23:22 . 2012-04-02 23:22 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-02 23:22 . 2012-04-02 23:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-02 22:21 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 16:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-02 16:24:22
ComboFix-quarantined-files.txt 2012-04-02 23:24
ComboFix2.txt 2012-04-02 22:18
ComboFix3.txt 2012-04-01 21:01
.
Pre-Run: 113,704,484,864 bytes free
Post-Run: 113,672,527,872 bytes free
.
- - End Of File - - D283021930EE9BB4CB2BA73CC6C2BB46
 
Still don't see the file copied.

I am a bit confused here
Also I am unable to directly connect to the source. I can only wirelessly connect to a network

Explain in detail your internet access
 
ComboFix 12-04-01.01 - user 04/02/2012 19:14:50.5.2 - x86
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3062.2262 [GMT -7:00]
Running from: c:\users\user\Downloads\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
.
.
2012-04-03 02:22 . 2012-04-03 02:22 -------- d-----w- c:\users\user\AppData\Local\temp
2012-04-03 02:22 . 2012-04-03 02:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 22:07 . 2012-04-02 22:21 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-31 22:49 . 2012-03-31 22:49 -------- d-----w- c:\program files\ERUNT
2012-03-31 18:08 . 2012-03-31 18:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-30 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0DBED7F7-F371-4697-97C7-FF6D44AB1561}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-19 16:12 . 2012-03-19 16:12 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 16:12 . 2012-03-19 16:12 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 19:37 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:37 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-13 19:37 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-13 19:37 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:37 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-13 19:37 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-13 19:37 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-13 17:52 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-13 17:52 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 18:08 . 2011-06-21 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 16:18 . 2009-10-03 02:03 237072 ----a-w- c:\windows\system32\MpSigStub.exe
2012-03-19 16:12 . 2011-11-21 04:33 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-17 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-17 133656]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-20 102400]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2007-02-09 97072]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2008-02-01 88616]
"TvOutSwitch"="c:\program files\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2008-04-02 102400]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2007-12-14 193832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2008-04-24 268840]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2007-02-06 68400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-03 29744]
"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\updatenv.exe" [2007-02-05 167936]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-04 5218304]
"ALYac"="c:\program files\ESTsoft\ALYac\AYLaunch.exe" [2011-12-08 245048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootalyac.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ALYac_UpdSrv]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-11973858-2132917823-1409016719-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]
R3 ADVNTDRV;ADVNTDRV;c:\windows\System32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WaveFDE
w29n51
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 04:33]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-11973858-2132917823-1409016719-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-01 01:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\80fa4vep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-02 19:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_RTSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYRTSrv.aye\""
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALYac_UpdSrv]
"ImagePath"="\"c:\program files\ESTsoft\ALYac\AYUpdSrv.aye\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-04-02 19:24:33
ComboFix-quarantined-files.txt 2012-04-03 02:24
ComboFix2.txt 2012-04-02 23:24
ComboFix3.txt 2012-04-02 22:18
ComboFix4.txt 2012-04-01 21:01
.
Pre-Run: 112,126,992,384 bytes free
Post-Run: 112,096,043,008 bytes free
.
- - End Of File - - 8CA036B0C39E990ABF1BEA90CB90008F
 
Good Morning,

So you're using your Droid as basically your modem. I have not tried that, so I am a bit unfamiliar with it. But this lets your laptop access the internet? I am thinking that your laptop could still not access the internet if it was damaged. Have you tried to pick up any other open connections that your laptop may find, like connections from a neighbor or free wifi from a local coffee shop?

We know that Zero Access is one nasty piece of garbage and removing it sometimes borks your internet.

Let's try something; do this in order: untether your Droid (you can redo this if needed), shut down your laptop, pull the power cord out of your router, then pull the power cord out of your cable/DSL modem, wait 5 minutes, then plug your modem back in and wait for all the lights to come back on (is the light for internet access flashing?), then plug your router back in and wait for the lights to come back on, then power up your laptop and try your internet again.


Run FSS once more, not to scan for files but like you did the first time, and let's see if that driver is still borked.
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 