Rootkit - Cannot connect to internet

#16 RKinner (Malware Expert, MVP, 24,625 posts)

I may have a fix for the Device Manager not showing Non-Plug and Play.

Download the attached file: nopandp.txt

Right click on it and rename to nopandp.reg

Now right click on nopandp.reg and select MERGE

Reboot and try it now.

The exit code says: A device attached to the system is not functioning.


When you downloaded the first two attachments did you copy the fileafd.txt which you renamed to afd.sys to c:\windows\system32\drivers\ ?

I think I told you if there was already a file there that we didn't need to overwrite it. If that was the case then I think replacing the file with the downloaded version would be the next thing to try.
#17 MaxMurder (Topic Starter, Member, 164 posts)

Yes, that worked! Here's what I got:
no listing under afd;
TCP/IP is listed and appears functioning;
same with NetBios over TCPIP

I have 'yellow !' symbols in front of mrtRATE, nVIDIA WDM A/V Crossbar and nVIDIA WDM Video Capture
Don't know if this is related...

Oh, and the afd.sys file was in my drivers folder but I replaced it earlier.

Edited by MaxMurder, 11 December 2011 - 12:03 AM.

#18 RKinner (Malware Expert, MVP, 24,625 posts)

I think HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD is not correct. Probably a permissions issue if you merged the afd.reg file as you said you did.

Start, Run, regedit, OK

Find
HKEY_LOCAL_MACHINE and click on the + in front of it.

Find SYSTEM and click on the +

Find CurrentControlSet

and click on the +


Find Services and click on the +

Click on AFD.

Right click on AFD and select Delete.

Does it let you delete the key? If so close regedit. Right click on afd.reg and MERGE.

If it doesn't let you delete the AFD key then right click on AFD and select Permissions.

Administrators should have Full Control. If not, click on Advanced, then Owner.

Normally the owner should be Administrators. If not, click on Administrators in the Change Owner to: box, check the Replace Owner on subcontainers and objects box, then OK. Close the permissions window.

Right click on AFD and select Permissions, then Advanced. On the Permissions tab, select Administrators, check the Replace Permissions... box and uncheck the Inherit from... box. Click Copy, then Edit, check Full Control, then OK. Now close the permissions boxes.

Right click on AFD and Delete it, then close regedit.

Right click on afd.reg and MERGE.

Reboot and see if afd is now in the device manager list.
#19 MaxMurder (Topic Starter, Member, 164 posts)

Done.
It did let me delete the afd. Merged, however after reboot, still not in the Device Manager.

I checked the permission in regedit after reboot and found under owner of afd it was back to 'owner' again instead of administrators.

Edited by MaxMurder, 11 December 2011 - 01:57 AM.

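After the reboot reported in the post above, the owner of the AFD key had reverted, which is why the next step treats the infection as still active. As an added example that is not part of this thread and not code from any tool mentioned in it, the PowerShell script below performs the same checks RKinner asked for by hand (key owner, Administrators' Full Control, explicit Deny entries, and the Start/Type/ImagePath values of the key) and reports the size and MD5 of afd.sys so it can be compared with what TDSSKiller prints for AFD. It only reads and changes nothing. The key path and driver location are the ones named in the thread; the expected values Start=1 and Type=1 are what a stock Windows XP install uses and are an assumption here; the function names are mine.

```powershell
# Added example, not from the thread: read-only audit of the AFD service key
# and driver file. Run from an elevated PowerShell (2.0 or later) prompt.
# Assumptions: key path as named in the thread; driver in the default
# System32\drivers location; expected Start=1 / Type=1 as on stock Windows XP.

$ServiceName = 'AFD'
$KeyPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$DriverPath  = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'

function Test-ServiceKeyAcl {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path $Path)) {
        return ,"MISSING: $Path does not exist (afd.reg not merged, or key removed again)"
    }
    $acl = Get-Acl -Path $Path
    # Owner should be the Administrators group; the thread shows it reverting to 'Owner'.
    if ($acl.Owner -notmatch 'Administrators$') {
        $findings += "OWNER: key is owned by '$($acl.Owner)', expected BUILTIN\Administrators"
    }
    # Administrators need an Allow entry that includes Full Control.
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference -match 'Administrators$' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    if (-not $adminFull) {
        $findings += "ACL: Administrators do not have Full Control on $Path"
    }
    # An explicit (non-inherited) Deny on a service key is unusual and worth a look.
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited }
    foreach ($d in $denies) {
        $findings += "ACL: explicit Deny for $($d.IdentityReference): $($d.RegistryRights)"
    }
    return $findings
}

function Test-ServiceValues {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path $Path)) { return $findings }
    $p = Get-ItemProperty -Path $Path
    # Assumed stock XP values: kernel driver (Type 1) started at System start (Start 1).
    if ($p.Start -ne 1) { $findings += "START: Start=$($p.Start), expected 1 (System start)" }
    if ($p.Type  -ne 1) { $findings += "TYPE: Type=$($p.Type), expected 1 (kernel driver)" }
    if ($p.ImagePath -notmatch 'drivers\\afd\.sys$') {
        $findings += "IMAGEPATH: '$($p.ImagePath)' does not point at System32\drivers\afd.sys"
    }
    return $findings
}

function Test-DriverFile {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return ,"FILE: $Path is missing" }
    # MD5 is reported only so it can be compared with the value TDSSKiller prints.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    $len = (Get-Item $Path).Length
    return ,"INFO: $Path size=$len md5=$hash"
}

$issues = @(Test-ServiceKeyAcl -Path $KeyPath) +
          @(Test-ServiceValues -Path $KeyPath) +
          @(Test-DriverFile    -Path $DriverPath)

if ($issues.Count -eq 0) { "No findings for $ServiceName" } else { $issues }
```

Run it once after merging afd.reg and again after the reboot; if the OWNER line comes back after a reboot on a machine where nobody changed the key, something on the box is rewriting it, which matches the "infection is still active" conclusion in the next post.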
#20 RKinner (Malware Expert, MVP, 24,625 posts)

The infection is still active. I suppose you could take ownership again and then change it so no one can write but all can read but your best bet is to kill the infection with combofix.

ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop, do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (note whether the Fix button is enabled (not the FixMBR button) and tell me), click Save log, save it to your desktop and post it in your next reply.

#21 MaxMurder (Topic Starter, Member, 164 posts)

ComboFix 11-12-10.01 - Owner 12/11/2011 13:05:28.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.138 [GMT -5:00]
Running from: L:\ComboFix.exe
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-11 to 2011-12-11 )))))))))))))))))))))))))))))))
.
.
2011-12-07 04:35 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-07 04:35 . 2011-12-07 04:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-07 04:06 . 2011-12-07 04:06 -------- d-----w- C:\Combo-Fix
2011-12-04 09:15 . 2011-12-04 11:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-11 08:02 . 2003-12-08 21:17 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-30 19:37 . 2003-02-21 18:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-10-30 19:37 . 2003-03-19 10:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-10-10 14:22 . 2003-03-04 05:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-09-24 05:10 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2003-12-08 21:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2003-12-08 21:20 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2006-08-15 09:03 . 2006-08-15 09:03 7033856 ----a-w- c:\program files\ptlibrarian.msi
2006-04-12 12:09 . 2006-04-12 12:09 11817800 ----a-w- c:\program files\GoogleEarth.exe
2006-03-18 00:39 . 2006-03-18 00:39 147456 ----a-w- c:\program files\BURNCDCC.EXE
2001-09-25 19:05 . 2001-09-25 19:05 1707856 ----a-w- c:\program files\InstMsiA.Exe
2001-09-11 22:04 . 2001-09-11 22:04 1821008 ----a-w- c:\program files\InstMsiW.Exe
2011-11-26 05:20 . 2011-03-28 01:35 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-08-19 852038]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-04 45056]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-15 139264]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-11-04 6615752]
"TkBellExe"="c:\program files\real\realone player\update\realsched.exe" [2011-10-30 273528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-11-04 923336]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@OnlineArmor GUI]
2009-11-04 10:39 6615752 ----a-w- c:\program files\Tall Emu\Online Armor\oaui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 17:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-08-13 01:10 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 14:23 90112 ----a-w- c:\program files\HP\Digital Imaging\Unload\HpqCmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileHippo.com]
2009-09-28 09:49 155648 ----a-w- c:\program files\FileHippo.com\UpdateChecker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 14:07 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 05:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-19 21:27 5248312 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMBVolumeWatcher]
2010-03-24 19:42 599328 ----a-w- c:\program files\Sony\PMB\PMBVolumeWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 20:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [11/12/2009 11:03 PM 219728]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [11/12/2009 11:03 PM 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [11/12/2009 11:03 PM 29776]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [11/12/2009 11:03 PM 1282248]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 2:18 AM 360224]
R3 PaeFireStudio;PreSonus FireStudio;c:\windows\system32\drivers\PaeFireStudio.sys [11/8/2009 8:27 PM 121984]
R3 PaeFireStudioAudio;PreSonus FireStudio Audio;c:\windows\system32\drivers\PaeFireStudioAudio.sys [11/8/2009 8:27 PM 21632]
R3 PaeFireStudioMidi;PreSonus FireStudio MIDI;c:\windows\system32\drivers\PaeFireStudioMidi.sys [11/8/2009 8:27 PM 26240]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/27/2010 6:49 AM 47360]
S2 AviraUpgradeService;Avira Upgrade Service;"c:\windows\TEMP\AVSETUP_4eaa1076\avupgsvc.exe" /TEMPSTART:""c:\windows\TEMP\AVSETUP_4eaa1076\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> c:\windows\TEMP\AVSETUP_4eaa1076\avupgsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/7/2010 6:52 AM 136176]
S2 mrtRate;mrtRate; [x]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [11/12/2009 11:03 PM 3282120]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [8/8/2010 7:40 PM 16512]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/7/2010 6:52 AM 136176]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-23 02:59]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 11:52]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 11:52]
.
2011-12-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2945407104-2445688501-1626213492-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
2011-12-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2945407104-2445688501-1626213492-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 17:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
mStart Page = hxxp://us10.hpwis.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 204.186.110.76 216.144.187.37 216.144.187.199
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gfy51tgg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Universal Control - c:\documents and settings\Owner\Desktop\UniversalControl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-11 13:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-11 13:26:19
ComboFix-quarantined-files.txt 2011-12-11 18:26
ComboFix2.txt 2011-12-06 05:59
.
Pre-Run: 16,069,791,744 bytes free
Post-Run: 16,055,607,296 bytes free
.
- - End Of File - - 3B8AC2BEE32B9BF28509F5A8AB19BE1E


13:44:01.0937 3296 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
13:44:02.0078 3296 ============================================================
13:44:02.0078 3296 Current date / time: 2011/12/11 13:44:02.0078
13:44:02.0078 3296 SystemInfo:
13:44:02.0078 3296
13:44:02.0078 3296 OS Version: 5.1.2600 ServicePack: 3.0
13:44:02.0078 3296 Product type: Workstation
13:44:02.0078 3296 ComputerName: HPSTUDIO
13:44:02.0078 3296 UserName: Owner
13:44:02.0078 3296 Windows directory: C:\WINDOWS
13:44:02.0078 3296 System windows directory: C:\WINDOWS
13:44:02.0078 3296 Processor architecture: Intel x86
13:44:02.0078 3296 Number of processors: 2
13:44:02.0078 3296 Page size: 0x1000
13:44:02.0078 3296 Boot type: Normal boot
13:44:02.0078 3296 ============================================================
13:44:03.0140 3296 Initialize success
13:44:25.0484 3320 ============================================================
13:44:25.0484 3320 Scan started
13:44:25.0484 3320 Mode: Manual;
13:44:25.0484 3320 ============================================================
13:44:26.0203 3320 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
13:44:26.0203 3320 61883 - ok
13:44:26.0312 3320 Abiosdsk - ok
13:44:26.0453 3320 abp480n5 - ok
13:44:26.0625 3320 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:44:26.0625 3320 ACPI - ok
13:44:26.0781 3320 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:44:26.0781 3320 ACPIEC - ok
13:44:26.0890 3320 adpu160m - ok
13:44:27.0062 3320 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:44:27.0062 3320 aec - ok
13:44:27.0203 3320 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
13:44:27.0203 3320 AFD - ok
13:44:27.0359 3320 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
13:44:27.0359 3320 AFS2K - ok
13:44:27.0500 3320 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
13:44:27.0500 3320 agp440 - ok
13:44:27.0625 3320 Aha154x - ok
13:44:27.0750 3320 aic78u2 - ok
13:44:27.0875 3320 aic78xx - ok
13:44:28.0156 3320 ALCXWDM (dd8520280304b6145a6be31008748c7c) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
13:44:28.0265 3320 ALCXWDM - ok
13:44:28.0406 3320 AliIde - ok
13:44:28.0578 3320 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
13:44:28.0578 3320 AmdK7 - ok
13:44:28.0687 3320 amsint - ok
13:44:28.0859 3320 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
13:44:28.0859 3320 Arp1394 - ok
13:44:28.0984 3320 asc - ok
13:44:29.0109 3320 asc3350p - ok
13:44:29.0265 3320 asc3550 - ok
13:44:29.0421 3320 ASPI (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\System32\DRIVERS\ASPI32.sys
13:44:29.0421 3320 ASPI - ok
13:44:29.0593 3320 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:44:29.0593 3320 AsyncMac - ok
13:44:29.0734 3320 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:44:29.0734 3320 atapi - ok
13:44:29.0843 3320 Atdisk - ok
13:44:30.0031 3320 ati2mtag (7182bf0f2a392d48e4aa732b970aac9c) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
13:44:30.0046 3320 ati2mtag - ok
13:44:30.0203 3320 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:44:30.0203 3320 Atmarpc - ok
13:44:30.0343 3320 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:44:30.0343 3320 audstub - ok
13:44:30.0484 3320 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
13:44:30.0484 3320 Avc - ok
13:44:30.0687 3320 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:44:30.0687 3320 Beep - ok
13:44:30.0781 3320 catchme - ok
13:44:30.0937 3320 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:44:30.0937 3320 cbidf2k - ok
13:44:31.0078 3320 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
13:44:31.0078 3320 CCDECODE - ok
13:44:31.0187 3320 cd20xrnt - ok
13:44:31.0343 3320 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:44:31.0343 3320 Cdaudio - ok
13:44:31.0484 3320 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:44:31.0500 3320 Cdfs - ok
13:44:31.0640 3320 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:44:31.0640 3320 Cdrom - ok
13:44:31.0750 3320 Changer - ok
13:44:31.0890 3320 CmdIde - ok
13:44:32.0031 3320 Cpqarray - ok
13:44:32.0171 3320 cpuz132 (097a0a4899b759a4f032bd464963b4be) C:\WINDOWS\system32\drivers\cpuz132_x32.sys
13:44:32.0171 3320 cpuz132 - ok
13:44:32.0312 3320 dac2w2k - ok
13:44:32.0437 3320 dac960nt - ok
13:44:32.0609 3320 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:44:32.0609 3320 Disk - ok
13:44:32.0796 3320 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:44:32.0843 3320 dmboot - ok
13:44:33.0000 3320 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:44:33.0000 3320 dmio - ok
13:44:33.0171 3320 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:44:33.0171 3320 dmload - ok
13:44:33.0343 3320 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:44:33.0359 3320 DMusic - ok
13:44:33.0484 3320 dpti2o - ok
13:44:33.0640 3320 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:44:33.0640 3320 drmkaud - ok
13:44:33.0812 3320 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:44:33.0812 3320 Fastfat - ok
13:44:33.0968 3320 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:44:33.0968 3320 Fdc - ok
13:44:34.0125 3320 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:44:34.0125 3320 Fips - ok
13:44:34.0281 3320 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:44:34.0281 3320 Flpydisk - ok
13:44:34.0421 3320 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:44:34.0421 3320 FltMgr - ok
13:44:34.0593 3320 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:44:34.0593 3320 Fs_Rec - ok
13:44:34.0734 3320 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:44:34.0750 3320 Ftdisk - ok
13:44:34.0875 3320 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
13:44:34.0875 3320 GEARAspiWDM - ok
13:44:35.0031 3320 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:44:35.0031 3320 Gpc - ok
13:44:35.0203 3320 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:44:35.0203 3320 HidUsb - ok
13:44:35.0312 3320 hpn - ok
13:44:35.0468 3320 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
13:44:35.0468 3320 HPZid412 - ok
13:44:35.0609 3320 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
13:44:35.0609 3320 HPZipr12 - ok
13:44:35.0750 3320 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
13:44:35.0750 3320 HPZius12 - ok
13:44:35.0890 3320 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:44:35.0906 3320 HTTP - ok
13:44:36.0015 3320 i2omgmt - ok
13:44:36.0140 3320 i2omp - ok
13:44:36.0296 3320 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:44:36.0296 3320 i8042prt - ok
13:44:36.0437 3320 ialm (1406d6ef4436aee970efe13193123965) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
13:44:36.0437 3320 ialm - ok
13:44:36.0593 3320 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:44:36.0593 3320 Imapi - ok
13:44:36.0718 3320 ini910u - ok
13:44:36.0875 3320 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
13:44:36.0875 3320 IntelIde - ok
13:44:37.0015 3320 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:44:37.0015 3320 intelppm - ok
13:44:37.0156 3320 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:44:37.0156 3320 ip6fw - ok
13:44:37.0296 3320 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:44:37.0296 3320 IpFilterDriver - ok
13:44:37.0437 3320 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:44:37.0453 3320 IpInIp - ok
13:44:37.0593 3320 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:44:37.0609 3320 IpNat - ok
13:44:37.0750 3320 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:44:37.0765 3320 IPSec - ok
13:44:37.0906 3320 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:44:37.0906 3320 IRENUM - ok
13:44:38.0046 3320 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:44:38.0046 3320 isapnp - ok
13:44:38.0203 3320 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:44:38.0203 3320 Kbdclass - ok
13:44:38.0328 3320 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
13:44:38.0343 3320 kbdhid - ok
13:44:38.0484 3320 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:44:38.0484 3320 kmixer - ok
13:44:59.0046 3320 ============================================================
13:44:59.0046 3320 Scan finished
13:44:59.0046 3320 ============================================================
13:44:59.0078 3212 Detected object count: 0
13:44:59.0078 3212 Actual detected object count: 0


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-11 13:45:53
-----------------------------
13:45:53.062 OS Version: Windows 5.1.2600 Service Pack 3
13:45:53.062 Number of processors: 2 586 0x303
13:45:53.062 ComputerName: HPSTUDIO UserName: Owner
13:45:53.500 Initialize success
13:46:11.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:46:11.421 Disk 0 Vendor: ST380011A 3.08 Size: 76319MB BusType: 3
13:46:11.421 Disk 5 \Device\Harddisk5\DR13 -> \Device\00000083
13:46:11.421 Disk 5 Vendor: Size: 76319MB BusType: 0
13:46:13.437 Disk 0 MBR read successfully
13:46:13.437 Disk 0 MBR scan
13:46:13.437 Disk 0 unknown MBR code
13:46:13.437 Disk 0 scanning sectors +156280320
13:46:13.484 Disk 0 scanning C:\WINDOWS\system32\drivers
13:46:22.140 Service scanning
13:46:23.250 Modules scanning
13:46:36.468 Scan finished successfully
13:47:21.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
13:47:21.453 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

The 'Fix' button was not enabled after the aswMBR scan.

#22 RKinner, Malware Expert (Expert, 24,625 posts, MVP)
Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen shot of the Disk Management Window and attach the screen shot to your reply.

http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.


Copy the next line:

reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD L:\afd.txt

(I am assuming your usb drive is in the same place as it was when you ran Combofix. If not change the L: to the correct drive letter everywhere it appears.)
Start, Run, cmd, OK
Right click and select Paste or Edit then Paste and the copied line should appear. Hit Enter. Now type:
sc query afd >> L:\afd.txt
sc start afd >> L:\afd.txt
This should create a file afd.txt on your usb drive. Copy and paste the text or attach it to your next post.

Ron
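Added example, not code from this thread or from any tool it mentions: when `reg export` and `sc ... >>` write into the same afd.txt, the file starts as UTF-16LE with a byte-order mark and then gets plain 8-bit text appended, so an editor that honours the BOM shows the `sc` lines as CJK characters. The script below constructs such a file, shows that effect, splits the two encodings apart and reads the service state and exit code out of the `sc query` part; the sample contents are constructed for the example.

```python
import re

# Constructed sample of afd.txt as the two commands above build it: 'reg export'
# writes a UTF-16LE file with a BOM, then 'sc ... >>' appends plain 8-bit text.
REG_PART = ('Windows Registry Editor Version 5.00\r\n\r\n'
            '[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\AFD]\r\n'
            '"Start"=dword:00000001\r\n')
SC_PART = ('\r\nSERVICE_NAME: afd\r\n'
           '        TYPE               : 1  KERNEL_DRIVER\r\n'
           '        STATE              : 1  STOPPED\r\n'
           '        WIN32_EXIT_CODE    : 31  (0x1f)\r\n'
           '[SC] StartService FAILED 1058:\r\n')
MIXED_FILE = b'\xff\xfe' + REG_PART.encode('utf-16-le') + SC_PART.encode('ascii')

# Win32 error codes that appear in this thread (values from winerror.h).
WIN32_ERRORS = {
    31: 'ERROR_GEN_FAILURE: A device attached to the system is not functioning.',
    1058: 'ERROR_SERVICE_DISABLED: The service cannot be started, either because it '
          'is disabled or because it has no enabled devices associated with it.',
}


def as_notepad_shows(data):
    """Trust the BOM and decode the whole file as UTF-16LE: the appended ASCII
    bytes pair up into CJK code points, which is the 'Chinese' effect."""
    return data[2:].decode('utf-16-le', errors='replace')


def split_mixed(data):
    """Return (utf16_text, appended_text). Assumes the UTF-16 part is Latin text,
    so its odd bytes are 0x00; the first non-zero odd byte marks the appended run."""
    start = 2 if data[:2] == b'\xff\xfe' else 0
    for i in range(start, len(data) - 1, 2):
        if data[i + 1] != 0:
            return data[start:i].decode('utf-16-le'), data[i:].decode('latin-1')
    return data[start:].decode('utf-16-le'), ''


def parse_sc_query(text):
    """Map 'sc query' field names to their values, e.g. STATE -> '1  STOPPED'."""
    return dict(re.findall(r'^\s*([A-Z0-9_]+)\s*:\s*(.+?)\s*$', text, re.M))


def exit_code(fields):
    """Numeric WIN32_EXIT_CODE from the parsed fields (0 if absent)."""
    m = re.match(r'\d+', fields.get('WIN32_EXIT_CODE', '0'))
    return int(m.group()) if m else 0


def explain(data):
    """Decode a mixed afd.txt and summarise what sc reported."""
    reg_text, sc_text = split_mixed(data)
    fields = parse_sc_query(sc_text)
    code = exit_code(fields)
    return {'reg_lines': reg_text.count('\n'), 'state': fields.get('STATE'),
            'exit_code': code, 'meaning': WIN32_ERRORS.get(code, 'unknown')}


if __name__ == '__main__':
    print(as_notepad_shows(MIXED_FILE)[-60:])   # the CJK rendering of the sc lines
    print(explain(MIXED_FILE))
```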

#23 MaxMurder, Member (Topic Starter, 164 posts)
[SC] StartService FAILED 1058:

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

And no TDSS hits with the second scan.

Attached Thumbnails

  • diskmgmt.jpg

Edited by MaxMurder, 11 December 2011 - 02:00 PM.


#24 RKinner, Malware Expert (Expert, 24,625 posts, MVP)
Did you not get an afd.txt file?

#25 MaxMurder, Member (Topic Starter, 164 posts)
Yes, the "StartService FAILED 1058..." message was the file it produced.

I just retried it and got this:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,66,00,64,00,2e,00,73,00,79,00,\
73,00,00,00
"DisplayName"="AFD Networking Support Environment"
"Group"="TDI"
"Description"="AFD Networking Support Environment"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

SERVICE_NAME: afd
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
[SC] StartService FAILED 1058:

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Edited by MaxMurder, 11 December 2011 - 03:00 PM.
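Added here as an example (not code from the thread or from any tool it mentions): a Python decoder for the two binary values in the export above, the hex(2) ImagePath and the self-relative security descriptor stored under ...\AFD\Security, so the "permissions issue" suspected earlier in the thread can be checked from the export itself. It assumes nothing beyond the values quoted in the post; the registry text embedded below is copied from it.

```python
import re
import struct

# Registry export copied from the post above (only the two values inspected here).
AFD_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,66,00,64,00,2e,00,73,00,79,00,\
73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
'''

WELL_KNOWN = {'S-1-1-0': 'Everyone', 'S-1-5-11': 'Authenticated Users',
              'S-1-5-18': 'SYSTEM', 'S-1-5-32-544': 'Administrators',
              'S-1-5-32-547': 'Power Users'}
ACE_TYPES = {0: 'ALLOW', 1: 'DENY', 2: 'AUDIT'}
# Rights that let a holder change what the service runs or who controls it.
SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER = 0x0002, 0x00040000, 0x00080000
TRUSTED_SIDS = ('S-1-5-18', 'S-1-5-32-544')


def reg_hex_value(reg_text, name):
    """Bytes of a "name"=hex:... or hex(N):... value, joining backslash continuations."""
    m = re.search(r'^"%s"=hex(?:\(\d+\))?:(.*?)(?:\n\n|\Z)' % re.escape(name),
                  reg_text, re.M | re.S)
    if not m:
        raise KeyError(name)
    joined = m.group(1).replace('\\\n', '').replace('\n', '')
    return bytes(int(h, 16) for h in joined.split(',') if h.strip())


def sid_at(buf, off):
    """Decode a binary SID at offset into its S-1-... string."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], 'big')
    subs = struct.unpack_from('<%dI' % count, buf, off + 8)
    return 'S-%d-%d' % (rev, authority) + ''.join('-%d' % s for s in subs)


def parse_acl(buf, off):
    """ACL header (8 bytes) then AceCount ACEs; returns (type, flags, mask, sid) tuples."""
    _rev, _sbz, _size, count = struct.unpack_from('<BBHH', buf, off)
    off, aces = off + 8, []
    for _ in range(count):
        ace_type, flags, size, mask = struct.unpack_from('<BBHI', buf, off)
        aces.append((ACE_TYPES.get(ace_type, str(ace_type)), flags, mask, sid_at(buf, off + 8)))
        off += size
    return aces


def parse_security_descriptor(buf):
    """Self-relative SECURITY_DESCRIPTOR: revision, sbz, control, then four offsets."""
    _rev, _sbz, control, owner, _group, sacl, dacl = struct.unpack_from('<BBHIIII', buf, 0)
    return {'owner': sid_at(buf, owner) if owner else None,
            'dacl': parse_acl(buf, dacl) if control & 0x0004 and dacl else [],
            'sacl': parse_acl(buf, sacl) if control & 0x0010 and sacl else []}


def risky_aces(dacl):
    """ALLOW entries giving an untrusted principal reconfigure or ACL-edit rights."""
    bad = SERVICE_CHANGE_CONFIG | WRITE_DAC | WRITE_OWNER
    return [a for a in dacl if a[0] == 'ALLOW' and a[3] not in TRUSTED_SIDS and a[2] & bad]


def image_path(reg_text):  # hex(2) is REG_EXPAND_SZ: NUL-terminated UTF-16LE
    return reg_hex_value(reg_text, 'ImagePath').decode('utf-16-le').rstrip('\x00')


if __name__ == '__main__':
    sd = parse_security_descriptor(reg_hex_value(AFD_REG, 'Security'))
    for kind, flags, mask, sid in sd['dacl'] + sd['sacl']:
        print('%-5s flags=0x%02x mask=0x%08x %s' % (kind, flags, mask, WELL_KNOWN.get(sid, sid)))
    print(image_path(AFD_REG), '| risky ACEs:', risky_aces(sd['dacl']) or 'none')
```

The DACL decoded here grants reconfigure rights only to SYSTEM and Administrators, which is the default service ACL on Windows XP, so this export on its own does not show a permissions problem.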


#26 RKinner, Malware Expert (Expert, 24,625 posts, MVP)
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,66,00,64,00,2e,00,73,00,79,00,\
73,00,00,00
"DisplayName"="AFD Networking Support Environment"
"Group"="TDI"
"Description"="AFD Networking Support Environment"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log. See if AFD will run now.

Ron

#27 MaxMurder, Member (Topic Starter, 164 posts)
No luck.
This is all the report says:

ComboFix 11-12-10.01 - Owner 12/11/2011 20:11:42.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.135 [GMT -5:00]
Running from: N:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

btw Ron, thanks for taking your time to help me out. I really appreciate it!

#28 RKinner, Malware Expert (Expert, 24,625 posts, MVP)
Did you remember to pause your antivirus before running Combofix?

Start, Run, cmd, OK. Type with an Enter after the line.

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum

(Do you see Chinese or do you see:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

or what?)

sc query afd

(does it still not say running?)

#29 MaxMurder, Member (Topic Starter, 164 posts)
My Antivirus was disabled.
I did not get any Chinese. It said pretty much what you posted with the exception of the last line saying:
INITSTARTFAILED REG_DWORD 0x1

sc query afd:
STATE :1 STOPPED

#30 RKinner, Malware Expert (Expert, 24,625 posts, MVP)
(Start) Right click on My Computer, select Manage then Device Manager. Find the Network Adapters and click on the + in front to open up the sub entries. Right click on each sub-entry under Network Adapters and Uninstall. (Doesn't hurt to write down the names in case you need to download the drivers from the PC Maker's website. Normally you don't but with malware you never know.) Reboot and test.