ramjet696

  1. Maniac, Here's my FSS file. Farbar Service Scanner Version: 01-03-2012 Ran by RAF (administrator) on 18-04-2012 at 18:18:16 Running from "C:\Documents and Settings\RAF\Desktop" Microsoft Windows XP Home Edition Service Pack 3 (X86) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Attempt to access Google IP returned error: Google IP is offline Attempt to access Yahoo IP returend error: Yahoo IP is offline Windows Firewall: ============= Firewall Disabled Policy: ================== System Restore: ============ System Restore Disabled Policy: ======================== Security Center: ============ Windows Update: ============ File Check: ======== C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit C:\WINDOWS\system32\netman.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\srsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit C:\WINDOWS\system32\wscsvc.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\wuauserv.dll => MD5 is legit C:\WINDOWS\system32\qmgr.dll => MD5 is legit C:\WINDOWS\system32\es.dll => MD5 is legit C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit C:\WINDOWS\system32\svchost.exe => MD5 is legit C:\WINDOWS\system32\rpcss.dll => MD5 is legit C:\WINDOWS\system32\services.exe => MD5 is legit Extra List: ======= fssfltr(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x09000000080000000500000001000000020000000300000004000000060000000700000009000000 **** End of log **** After not being able to connect to 
internet and getting some help from computer guru neighbor, I did a system restore (thinking that would help) and I think that brought everything back to square 1.
  2. Maniac, Winsock got my firewall and Windows Update back, but still no internet. Got a new modem box today, set it up through the phone company, and they said all was well with the internet connection into my house, but my computer still can't connect to Internet Explorer. There's a bug in there that shut the door to the internet. Any suggestions? Thank you for all your help.
  3. Maniac, Still don't have internet service, still have no firewall, and still get the same message about the firewall and internet as before: "windows cannot start the windows firewall/ internet connection sharing (ICS) service". Other than that, OK. Thank you.
  4. Maniac Here's my Combofix log and FSS log ComboFix 12-04-14.03 - RAF 04/15/2012 0:11.8.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1137 [GMT -4:00] Running from: c:\documents and settings\RAF\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\RAF\Desktop\CFScript.txt AV: Webroot SecureAnywhere *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D904} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\$NtUninstallKB27292$\2720975026\@ c:\windows\$NtUninstallKB27292$\2720975026\cfg.ini c:\windows\$NtUninstallKB27292$\2720975026\Desktop.ini c:\windows\$NtUninstallKB27292$\2720975026\L\cmafmbxw c:\windows\$NtUninstallKB27292$\2720975026\U\00000001.@ c:\windows\$NtUninstallKB27292$\2720975026\U\00000002.@ c:\windows\$NtUninstallKB27292$\2720975026\U\00000004.@ c:\windows\$NtUninstallKB27292$\2720975026\U\80000000.@ c:\windows\$NtUninstallKB27292$\2720975026\U\80000004.@ c:\windows\$NtUninstallKB27292$\2720975026\U\80000032.@ c:\windows\$NtUninstallKB27292$\2720975026\version c:\windows\$NtUninstallKB27292$\3513858959 c:\windows\system32\dds_trash_log.cmd c:\windows\system32\e1express.dll . . --------------- FCopy --------------- . c:\windows\ServicePackFiles\i386\afd.sys --> c:\windows\system32\drivers\afd.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_digisptiservice -------\Service_digisptiservice . . ((((((((((((((((((((((((( Files Created from 2012-03-15 to 2012-04-15 ))))))))))))))))))))))))))))))) . . 2012-04-15 04:07 . 2008-04-13 19:19 138112 ----a-w- c:\windows\system32\drivers\afd.sys 2012-04-07 07:16 . 2008-04-13 16:44 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll 2012-04-02 04:09 . 2012-04-02 04:09 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-03-21 03:19 . 
2012-03-24 19:11 -------- d-----w- c:\documents and settings\RAF\Local Settings\Application Data\uTorrentControl 2012-03-19 04:15 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-04-15 03:56 . 2011-11-13 03:48 146040 ----a-w- c:\windows\system32\WRusr.dll 2012-04-05 15:37 . 2011-11-13 03:48 109520 ----a-w- c:\windows\system32\drivers\WRkrn.sys 2012-04-04 19:56 . 2012-03-15 00:23 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-04-02 04:09 . 2011-10-05 03:54 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-02-28 06:44 . 2011-09-27 05:13 260 ----a-w- c:\windows\system32\cmdVBS.vbs 2012-02-28 06:44 . 2011-09-27 05:13 256 ----a-w- c:\windows\system32\MSIevent.bat 2012-02-25 21:43 . 2012-02-25 21:43 54016 ----a-w- c:\windows\system32\drivers\kbdwx.sys 2012-02-23 04:46 . 2012-02-23 04:46 109520 ----a-w- c:\windows\system32\drivers\aBLwsKmJ.sys 2012-02-03 09:22 . 2003-07-16 20:51 1860096 ----a-w- c:\windows\system32\win32k.sys . . ((((((((((((((((((((((((((((( SnapShot@2012-03-19_04.31.15 ))))))))))))))))))))))))))))))))))))))))) . + 2012-04-15 04:21 . 2012-04-15 04:21 16384 c:\windows\temp\Perflib_Perfdata_5ac.dat + 2003-07-16 20:44 . 2008-04-13 19:15 64512 c:\windows\system32\dllcache\serial.sys + 2012-03-22 22:51 . 2012-03-22 22:51 22016 c:\windows\Installer\333f69.msi + 2012-03-20 02:30 . 2012-03-20 02:30 41472 c:\windows\Installer\13a490.msi + 2012-03-06 02:42 . 2012-03-06 02:42 18432 c:\windows\Installer\13a3f5.msp + 2012-04-02 04:08 . 2012-04-02 04:08 353440 c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.exe + 2012-04-02 04:09 . 2012-04-02 04:09 424608 c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.dll + 2012-04-02 04:09 . 2012-04-02 04:09 253600 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe + 2012-03-27 06:18 . 
2012-03-27 06:18 1291264 c:\windows\Installer\274a571.msi + 2012-03-20 02:34 . 2012-03-20 02:34 4506112 c:\windows\Installer\173ba5.msp + 2012-03-20 02:37 . 2012-03-20 02:37 3444224 c:\windows\Installer\173b10.msp + 2012-03-12 23:20 . 2012-03-12 23:20 4729344 c:\windows\Installer\13a489.msp + 2012-03-06 02:35 . 2012-03-06 02:35 3961344 c:\windows\Installer\13a3ec.msp + 2012-04-02 04:30 . 2012-04-02 04:30 1923920 c:\windows\Installer\{E463E171-4082-4744-A466-F7CBE8502789}\TurboTax.exe + 2012-01-03 17:58 . 2012-01-03 17:58 15929344 c:\windows\Installer\1341d3.msp . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-06 68856] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344] "P17Helper"="P17.dll" [2005-05-03 64512] "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064] "WRSVC"="c:\program files\Webroot\WRSA.exe" [2012-04-05 660504] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968] "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoDevMgrUpdate"= 0 (0x0) "NoDFSTab"= 0 (0x0) "NoEncryptOnMove"= 0 (0x0) "NoResolveTrack"= 0 (0x0) "NoStartMenuSubFolders"= 0 (0x0) . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoDevMgrUpdate"= 0 (0x0) "NoDFSTab"= 0 (0x0) "NoEncryptOnMove"= 0 (0x0) "NoResolveTrack"= 0 (0x0) "NoStartMenuSubFolders"= 0 (0x0) . [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "DisableLocalMachineRun"= 0 (0x0) "DisableLocalMachineRunOnce"= 0 (0x0) "DisableCurrentUserRun"= 0 (0x0) "DisableCurrentUserRunOnce"= 0 (0x0) "NoFile"= 0 (0x0) "HideClock"= 0 (0x0) "NoDevMgrUpdate"= 0 (0x0) "NoDFSTab"= 0 (0x0) "NoEncryptOnMove"= 0 (0x0) "NoResolveTrack"= 0 (0x0) "NoStartMenuSubFolders"= 0 (0x0) . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe . 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] 2007-11-06 08:02 68856 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2009-05-12 15:11 198160 ------w- c:\program files\Common Files\Real\Update_OB\realsched.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= . R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [11/12/2011 11:48 PM 109520] R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672] R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [11/12/2011 11:48 PM 660504] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 5:52 PM 135664] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 12:09 AM 253600] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [8/3/2011 9:18 PM 13192] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [8/3/2011 9:18 PM 8456] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 5:52 PM 135664] S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 11:11 AM 10664] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security 
Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232] S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/16/2003 4:47 PM 14336] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs NETw4v32 SNPSTD3 vpcbus mfeapfk Hardlock digisptiservice mwstick SrvcSSIOMngr backupexecalertserver cpntsrv DritekPortIO . Contents of the 'Scheduled Tasks' folder . 2012-04-15 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 04:09] . 2012-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50] . 2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 21:52] . 2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 21:52] . 2012-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-152049171-839522115-1004Core.job - c:\documents and settings\RAF\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:40] . 2012-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-152049171-839522115-1004UA.job - c:\documents and settings\RAF\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:40] . . ------- Supplementary Scan ------- . uStart Page = hxxp://msn.com/ uInternet Settings,ProxyOverride = <local> Trusted Zone: intuit.com\ttlc TCP: DhcpNameServer = 10.0.0.1 . . ************************************************************************** . 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-04-15 00:22 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\windows\$NtUninstallKB27292$:SummaryInformation 0 bytes hidden from API . scan completed successfully hidden files: 1 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(3900) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\windows\System32\CTsvcCDA.EXE c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\CDBurnerXP\NMSAccessU.exe c:\windows\System32\MsPMSPSv.exe c:\windows\system32\rundll32.exe . ************************************************************************** . Completion time: 2012-04-15 00:27:20 - machine was rebooted ComboFix-quarantined-files.txt 2012-04-15 04:27 ComboFix2.txt 2012-04-08 05:01 ComboFix3.txt 2012-03-20 01:56 ComboFix4.txt 2012-03-19 04:35 ComboFix5.txt 2012-04-15 04:05 . Pre-Run: 71,818,129,408 bytes free Post-Run: 71,932,067,840 bytes free . 
- - End Of File - - 3C662C7363446F0566F260B542CE5FB4 Farbar Service Scanner Version: 01-03-2012 Ran by RAF (administrator) on 15-04-2012 at 00:31:49 Running from "C:\Documents and Settings\RAF\Desktop" Microsoft Windows XP Home Edition Service Pack 3 (X86) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Attempt to access Google IP returned error: Google IP is offline Attempt to access Yahoo IP returend error: Yahoo IP is offline Windows Firewall: ============= Firewall Disabled Policy: ================== System Restore: ============ System Restore Disabled Policy: ======================== Security Center: ============ Windows Update: ============ File Check: ======== C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit C:\WINDOWS\system32\netman.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\srsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit C:\WINDOWS\system32\wscsvc.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\wuauserv.dll => MD5 is legit C:\WINDOWS\system32\qmgr.dll => MD5 is legit C:\WINDOWS\system32\es.dll => MD5 is legit C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit C:\WINDOWS\system32\svchost.exe => MD5 is legit C:\WINDOWS\system32\rpcss.dll => MD5 is legit C:\WINDOWS\system32\services.exe => MD5 is legit Extra List: ======= fssfltr(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x09000000080000000500000001000000020000000300000004000000060000000700000009000000 **** End of log ****
  5. Maniac Here's the FSS log txt file Didn't tell me to click other than internet. Below the 1st log is the result of FSS log with those checked as requested in the last log Thanks Farbar Service Scanner Version: 01-03-2012 Ran by RAF (administrator) on 12-04-2012 at 20:31:09 Microsoft Windows XP Home Edition Service Pack 3 (X86) ************************************************ ======== Search: "afd.sys" ========= C:\WINDOWS\system32\drivers\afd.sys [2003-07-16 16:23] - [2011-08-17 09:49] - 0138496 ____A () 2D74D48BBB1868F745166C5DC8BCFBB4 C:\WINDOWS\system32\dllcache\afd.sys [2008-06-20 07:40] - [2011-08-17 09:49] - 0138496 ____C (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9 C:\WINDOWS\ServicePackFiles\i386\afd.sys [2004-08-04 02:14] - [2008-04-13 15:19] - 0138112 ____N (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD C:\WINDOWS\$NtUninstallKB956803$\afd.sys [2008-10-15 04:23] - [2008-06-20 07:40] - 0138496 ____C (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C C:\WINDOWS\$NtUninstallKB951748$\afd.sys [2008-07-08 23:00] - [2008-04-13 15:19] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD C:\WINDOWS\$NtUninstallKB2592799$\afd.sys [2011-10-12 04:15] - [2011-02-16 09:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89 C:\WINDOWS\$NtUninstallKB2509553$\afd.sys [2011-04-14 19:53] - [2008-08-14 06:04] - 0138496 ____C (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7 C:\WINDOWS\$NtUninstallKB2503665$\afd.sys [2011-06-17 23:04] - [2008-10-16 10:43] - 0138496 ____C (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37 C:\WINDOWS\$NtServicePackUninstall$\afd.sys [2008-06-25 02:19] - [2004-08-04 02:14] - 0138496 ____C (Microsoft Corporation) 5AC495F4CB807B2B98AD2AD591E6D92E C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys [2008-10-15 01:15] - [2008-08-14 06:34] - 0138496 ____A (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys [2008-06-20 
07:48] - [2008-06-20 07:48] - 0138496 ____A (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys [2011-10-12 01:34] - [2011-08-17 09:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79 C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys [2008-10-16 11:07] - [2008-10-16 11:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099 C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys [2011-06-17 00:42] - [2011-02-16 09:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4 ====== End Of Search ====== Farbar Service Scanner Version: 01-03-2012 Ran by RAF (administrator) on 12-04-2012 at 20:35:51 Microsoft Windows XP Home Edition Service Pack 3 (X86) ************************************************ ======== Search: "afd.sys" ========= C:\WINDOWS\system32\drivers\afd.sys [2003-07-16 16:23] - [2011-08-17 09:49] - 0138496 ____A () 2D74D48BBB1868F745166C5DC8BCFBB4 C:\WINDOWS\system32\dllcache\afd.sys [2008-06-20 07:40] - [2011-08-17 09:49] - 0138496 ____C (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9 C:\WINDOWS\ServicePackFiles\i386\afd.sys [2004-08-04 02:14] - [2008-04-13 15:19] - 0138112 ____N (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD C:\WINDOWS\$NtUninstallKB956803$\afd.sys [2008-10-15 04:23] - [2008-06-20 07:40] - 0138496 ____C (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C C:\WINDOWS\$NtUninstallKB951748$\afd.sys [2008-07-08 23:00] - [2008-04-13 15:19] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD C:\WINDOWS\$NtUninstallKB2592799$\afd.sys [2011-10-12 04:15] - [2011-02-16 09:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89 C:\WINDOWS\$NtUninstallKB2509553$\afd.sys [2011-04-14 19:53] - [2008-08-14 06:04] - 0138496 ____C (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7 C:\WINDOWS\$NtUninstallKB2503665$\afd.sys [2011-06-17 23:04] - [2008-10-16 10:43] - 0138496 ____C (Microsoft 
Corporation) 7618D5218F2A614672EC61A80D854A37 C:\WINDOWS\$NtServicePackUninstall$\afd.sys [2008-06-25 02:19] - [2004-08-04 02:14] - 0138496 ____C (Microsoft Corporation) 5AC495F4CB807B2B98AD2AD591E6D92E C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys [2008-10-15 01:15] - [2008-08-14 06:34] - 0138496 ____A (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys [2008-06-20 07:48] - [2008-06-20 07:48] - 0138496 ____A (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys [2011-10-12 01:34] - [2011-08-17 09:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79 C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys [2008-10-16 11:07] - [2008-10-16 11:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099 C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys [2011-06-17 00:42] - [2011-02-16 09:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4 ====== End Of Search ======
  6. Maniac, Here's the FSS log you requested. Below them are 2 MBAM logs I ran showing that I was still infected then cleaned it up Thanks Farbar Service Scanner Version: 01-03-2012 Ran by RAF (administrator) on 12-04-2012 at 00:09:46 Running from "C:\Documents and Settings\RAF\Desktop" Microsoft Windows XP Home Edition Service Pack 3 (X86) Boot Mode: Normal **************************************************************** Internet Services: ============ Dhcp Service is not running. Checking service configuration: The start type of Dhcp service is OK. The ImagePath of Dhcp service is OK. The ServiceDll of Dhcp service is OK. afd Service is not running. Checking service configuration: The start type of afd service is OK. The ImagePath of afd: "System32\drivers\DYxkHDDG.sys". Connection Status: ============== Localhost is accessible. There is no connection to network. Attempt to access Google IP returned error: Google IP is unreachable Attempt to access Yahoo IP returend error: Yahoo IP is unreachable Windows Firewall: ============= sharedaccess Service is not running. Checking service configuration: The start type of sharedaccess service is OK. The ImagePath of sharedaccess service is OK. The ServiceDll of sharedaccess service is OK. Firewall Disabled Policy: ================== System Restore: ============ System Restore Disabled Policy: ======================== Security Center: ============ wscsvc Service is not running. Checking service configuration: Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist. Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist. Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist. Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist. Windows Update: ============ wuauserv Service is not running. 
Checking service configuration: The start type of wuauserv service is OK. The ImagePath of wuauserv service is OK. The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll". BITS Service is not running. Checking service configuration: The start type of BITS service is set to Demand. The default start type is Auto. The ImagePath of BITS service is OK. The ServiceDll of BITS service is OK. File Check: ======== C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\afd.sys [2003-07-16 16:23] - [2011-08-17 09:49] - 0138496 ____A () 2D74D48BBB1868F745166C5DC8BCFBB4 C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit C:\WINDOWS\system32\netman.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\srsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit C:\WINDOWS\system32\wscsvc.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\wuauserv.dll => MD5 is legit C:\WINDOWS\system32\qmgr.dll => MD5 is legit C:\WINDOWS\system32\es.dll => MD5 is legit C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit C:\WINDOWS\system32\svchost.exe => MD5 is legit C:\WINDOWS\system32\rpcss.dll => MD5 is legit C:\WINDOWS\system32\services.exe => MD5 is legit Extra List: ======= fssfltr(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 0x09000000080000000500000001000000020000000300000004000000060000000700000009000000 **** End of log **** Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.04.10.01 Windows XP Service Pack 3 x86 NTFS Internet Explorer 7.0.5730.11 RAF :: ROGER [administrator] 4/10/2012 3:16:48 AM mbam-log-2012-04-10 (03-16-48).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | 
Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 274779 Time elapsed: 53 minute(s), 34 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 1 C:\Documents and Settings\NetworkService\Application Data\Adobe\sp.DLL (TrojanProxy.Agent) -> Delete on reboot. Registry Keys Detected: 4 HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully. HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully. HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully. Registry Values Detected: 3 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: sp -> Quarantined and deleted successfully. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> Quarantined and deleted successfully. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^w^ -> Quarantined and deleted successfully. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Documents and Settings\NetworkService\Application Data\Adobe\sp.DLL (TrojanProxy.Agent) -> Delete on reboot. 
(end) Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.04.10.01 Windows XP Service Pack 3 x86 NTFS Internet Explorer 7.0.5730.11 RAF :: ROGER [administrator] 4/10/2012 7:25:26 PM mbam-log-2012-04-10 (19-25-26).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 206125 Time elapsed: 4 minute(s), 51 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
  7. OK, will do. Also, somehow lost internet and firewall. Tried to open the internet and an error came up saying "windows cannot start the windows firewall/internet connection sharing (ICS) service". Thanks, will run a quick MBAM and post the log.
  8. Maniac, Seems like that rootkit is still there. Ran Malwarebytes last night and a few things came up.
  9. Maniac, Seems to be running a lot better. Did we remove the rootkit or the other issues causing the problems? Thanks
10. Maniac, Sorry for the long time. Here's my ComboFix log. Thank you for your help.

ComboFix 12-04-05.06 - RAF 04/08/2012 0:48.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1124 [GMT -4:00]
Running from: c:\documents and settings\RAF\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RAF\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\serial.sys --> c:\windows\system32\drivers\serial.sys
.
((((((((((((((((((((((((( Files Created from 2012-03-08 to 2012-04-08 )))))))))))))))))))))))))))))))
.
.
2012-04-07 07:16 . 2008-04-13 16:44 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2012-04-02 04:09 . 2012-04-02 04:09 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-21 03:19 . 2012-03-24 19:11 -------- d-----w- c:\documents and settings\RAF\Local Settings\Application Data\uTorrentControl
2012-03-19 04:15 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-15 18:21 . 2012-03-15 18:21 -------- d-----w- c:\program files\uTorrentControl
2012-03-15 00:23 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-05 15:37 . 2011-11-13 03:48 109520 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2012-04-05 15:37 . 2011-11-13 03:48 146040 ----a-w- c:\windows\system32\WRusr.dll
2012-04-02 04:09 . 2011-10-05 03:54 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-28 06:44 . 2011-09-27 05:13 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2012-02-28 06:44 . 2011-09-27 05:13 256 ----a-w- c:\windows\system32\MSIevent.bat
2012-02-25 21:43 . 2012-02-25 21:43 54016 ----a-w- c:\windows\system32\drivers\kbdwx.sys
2012-02-23 04:46 . 2012-02-23 04:46 109520 ----a-w- c:\windows\system32\drivers\aBLwsKmJ.sys
2012-02-03 09:22 . 2003-07-16 20:51 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-16 00:56 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2007-06-15 06:20 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-19_04.31.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-08 04:56 . 2012-04-08 04:56 16384 c:\windows\temp\Perflib_Perfdata_c0.dat
+ 2003-07-16 20:44 . 2008-04-13 19:15 64512 c:\windows\system32\dllcache\serial.sys
+ 2012-03-22 22:51 . 2012-03-22 22:51 22016 c:\windows\Installer\333f69.msi
+ 2012-03-20 02:30 . 2012-03-20 02:30 41472 c:\windows\Installer\13a490.msi
+ 2012-03-06 02:42 . 2012-03-06 02:42 18432 c:\windows\Installer\13a3f5.msp
+ 2012-04-02 04:08 . 2012-04-02 04:08 353440 c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.exe
+ 2012-04-02 04:09 . 2012-04-02 04:09 424608 c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.dll
+ 2012-04-02 04:09 . 2012-04-02 04:09 253600 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-03-27 06:18 . 2012-03-27 06:18 1291264 c:\windows\Installer\274a571.msi
+ 2012-03-20 02:34 . 2012-03-20 02:34 4506112 c:\windows\Installer\173ba5.msp
+ 2012-03-20 02:37 . 2012-03-20 02:37 3444224 c:\windows\Installer\173b10.msp
+ 2012-03-12 23:20 . 2012-03-12 23:20 4729344 c:\windows\Installer\13a489.msp
+ 2012-03-06 02:35 . 2012-03-06 02:35 3961344 c:\windows\Installer\13a3ec.msp
+ 2012-04-02 04:30 . 2012-04-02 04:30 1923920 c:\windows\Installer\{E463E171-4082-4744-A466-F7CBE8502789}\TurboTax.exe
+ 2012-01-03 17:58 . 2012-01-03 17:58 15929344 c:\windows\Installer\1341d3.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5C66DD8-308B-4a4f-AF0A-3D04F25B5343}]
2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-06 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2005-05-03 64512]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2012-04-05 660504]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-06 08:02 68856 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-05-12 15:11 198160 ------w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
.
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [11/12/2011 11:48 PM 109520]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [11/12/2011 11:48 PM 660504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 5:52 PM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 12:09 AM 253600]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [8/3/2011 9:18 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [8/3/2011 9:18 PM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 5:52 PM 135664]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 11:11 AM 10664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/16/2003 4:47 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NETw4v32
SNPSTD3
vpcbus
mfeapfk
SrvcSSIOMngr
backupexecalertserver
cpntsrv
DritekPortIO
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 04:09]
.
2012-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 21:52]
.
2012-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 21:52]
.
2012-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-152049171-839522115-1004Core.job
- c:\documents and settings\RAF\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:40]
.
2012-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-152049171-839522115-1004UA.job
- c:\documents and settings\RAF\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 10.0.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-08 00:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3096)
c:\windows\system32\WRusr.dll
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\System32\CTsvcCDA.EXE
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2012-04-08 01:01:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-08 05:01
ComboFix2.txt 2012-03-20 01:56
ComboFix3.txt 2012-03-19 04:35
ComboFix4.txt 2011-02-01 04:03
.
Pre-Run: 71,773,224,960 bytes free
Post-Run: 71,826,587,648 bytes free
.
- - End Of File - - A52363BC9FBF3BAF253B6CD0DB62ADE8
11. Maniac, Just got back in town. Added your text to ComboFix (on my desktop) and ComboFix did something, then disappeared from the desktop with no log. Also shut off internet. Will download exe file and try again. Will get back to you soon. Thanks
12. Here's my SystemLook.txt file. Thanks for your help.

SystemLook 30.07.11 by jpshortstuff
Log created at 00:53 on 31/03/2012 by RAF
Administrator - Elevation successful

========== filefind ==========

Searching for "*serial.sys*"
C:\WINDOWS\$NtServicePackUninstall$\grserial.sys -----c- 28288 bytes [06:22 25/06/2008] [05:59 04/08/2004] 9B6DC04FB5391F670D3E7755382F54A3
C:\WINDOWS\$NtServicePackUninstall$\serial.sys -----c- 64896 bytes [06:19 25/06/2008] [06:15 04/08/2004] CD9404D115A00D249F70A371B46D5A26
C:\WINDOWS\ServicePackFiles\i386\grserial.sys ------- 28288 bytes [05:59 04/08/2004] [18:40 13/04/2008] 826BDEEF30E4392F5F868ECDF606C29F
C:\WINDOWS\ServicePackFiles\i386\serial.sys ------- 64512 bytes [06:15 04/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\drivers\serial.sys --a---- 64512 bytes [20:44 16/07/2003] [19:15 13/04/2008] 2E2FC3A9D9F5F9A938CF3E1AF52CE8F2

-= EOF =-
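The SystemLook listing above is the whole case against the live serial.sys: it is exactly the same size (64512 bytes) as the pristine copy in ServicePackFiles\i386, yet its MD5 differs, which is what an in-place patched driver looks like. The following is an added example (my own code, not SystemLook's, ComboFix's, or the helper's) that automates that comparison: it parses SystemLook filefind lines, pairs each file under system32\drivers with a same-named copy in a reference directory, and reports a verdict. The line regex, the choice of ServicePackFiles\i386 and system32\dllcache as trusted reference directories, and the verdict names are my assumptions; the sample input is the five filefind lines from the post, reproduced as constructed test data.

```python
"""Parse SystemLook 'filefind' output and flag a live driver whose MD5 differs
from the same-named, same-size copy in a Windows reference directory.

Added example for this thread, not SystemLook's or ComboFix's own code.
Assumptions: the regex mirrors the filefind line layout shown in the post; the
two bracketed timestamps are kept as ts1/ts2 without deciding which is
created vs. modified; the trailing 32-hex field is treated as the MD5.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample input: the filefind lines from the SystemLook post.
SAMPLE_LOG = r"""
Searching for "*serial.sys*"
C:\WINDOWS\$NtServicePackUninstall$\grserial.sys -----c- 28288 bytes [06:22 25/06/2008] [05:59 04/08/2004] 9B6DC04FB5391F670D3E7755382F54A3
C:\WINDOWS\$NtServicePackUninstall$\serial.sys -----c- 64896 bytes [06:19 25/06/2008] [06:15 04/08/2004] CD9404D115A00D249F70A371B46D5A26
C:\WINDOWS\ServicePackFiles\i386\grserial.sys ------- 28288 bytes [05:59 04/08/2004] [18:40 13/04/2008] 826BDEEF30E4392F5F868ECDF606C29F
C:\WINDOWS\ServicePackFiles\i386\serial.sys ------- 64512 bytes [06:15 04/08/2004] [19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\drivers\serial.sys --a---- 64512 bytes [20:44 16/07/2003] [19:15 13/04/2008] 2E2FC3A9D9F5F9A938CF3E1AF52CE8F2
-= EOF =-
"""

FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"      # drive-rooted path (may contain spaces)
    r"(?P<attrs>[-a-z]{7})\s+"           # attribute flags such as --a---- / -----c-
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumption: treat these Windows caches as trusted references, as the helper's
# FCopy from ServicePackFiles\i386 in the ComboFix post did.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")
LIVE_DIR = "\\system32\\drivers\\"


def parse_filefind(text):
    """Return one dict per filefind result line; non-matching lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = FILEFIND_RE.match(raw.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        row["md5"] = row["md5"].upper()
        row["name"] = row["path"].rsplit("\\", 1)[-1].lower()
        rows.append(row)
    return rows


def _in_dir(row, marker):
    return marker in row["path"].lower()


def check_live_drivers(rows):
    """Compare each file under system32\\drivers with same-named reference copies.

    Verdicts: 'match' (a reference has the same MD5), 'mismatch' (same size as a
    reference but different MD5, i.e. altered in place), 'size-differs' (only
    references of another size exist, so the hash check is inconclusive), and
    'no-reference'.
    """
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)

    findings = []
    for live in (r for r in rows if _in_dir(r, LIVE_DIR)):
        refs = [r for r in by_name[live["name"]]
                if any(_in_dir(r, d) for d in REFERENCE_DIRS)]
        if not refs:
            verdict, ref_md5 = "no-reference", None
        elif any(r["md5"] == live["md5"] for r in refs):
            verdict, ref_md5 = "match", live["md5"]
        else:
            same_size = [r for r in refs if r["size"] == live["size"]]
            ref_md5 = (same_size or refs)[0]["md5"]
            verdict = "mismatch" if same_size else "size-differs"
        findings.append({"path": live["path"], "verdict": verdict,
                         "live_md5": live["md5"], "ref_md5": ref_md5})
    return findings


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file on disk, for re-checking a driver after it has been replaced."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for f in check_live_drivers(parse_filefind(SAMPLE_LOG)):
        print(f"{f['verdict']:12} {f['path']}  live={f['live_md5']} ref={f['ref_md5']}")
```

On the sample the only live driver, system32\drivers\serial.sys, comes back as a mismatch against the ServicePackFiles copy. After a replacement like the FCopy in the ComboFix post, md5_of_file on the two paths should return the same digest; a lingering difference means the file was changed again after the copy and the machine is still not clean.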
13. Maniac, Here's my ESET log file. Thank you.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17108 (vista_gdr.111215-0007)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=64bc6de56a627e41b041bb1ffd3139ed
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-29 03:14:59
# local_time=2012-03-28 11:14:59 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 35352434 35352434 0 0
# scanned=91002
# found=21
# cleaned=20
# scan_time=3135
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\a1fd50\676.mof.vir Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ati2mpaa.dll.vir probably a variant of Win32/Sirefef.ER trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\NxNetMon.dll.vir probably a variant of Win32/Sirefef.ER trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP341\A0059752.dll a variant of Win32/Toolbar.Babylon application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP341\A0059753.dll Win32/Toolbar.Babylon application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP341\A0059754.exe probably a variant of Win32/Toolbar.Babylon application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP341\A0059755.dll Win32/Toolbar.Babylon application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP341\A0059756.dll Win32/Toolbar.Babylon application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073758.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073770.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073786.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073800.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073813.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073824.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073856.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073890.mof Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073895.dll probably a variant of Win32/Sirefef.ER trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AE8E4C01-CC97-47F2-BB70-F87A8DC6E024}\RP373\A0073898.dll probably a variant of Win32/Sirefef.ER trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\serial.sys a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
H:\Downloads\cnet_cdbxp_setup_4_3_8_2631_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C