afd.sys file missing after removal of Trojan Dropper Windows 7 Laptop Virus Removal Woes
#16
Posted 27 January 2012 - 11:25 PM
malware log file after virus removal
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.28.01
Windows 7 Service Pack 1 x86
Internet Explorer 8.0.7601.17514
Kelly :: KELLY-PC [administrator]
1/27/2012 10:14:10 PM
mbam-log-2012-01-27 (22-14-10).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 165092
Time elapsed: 6 minute(s), 24 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 12
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{09971cee-01b8-42bc-9d91-456b1faad6be} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{09971cee-01b8-42bc-9d91-456b1faad6be} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3462C343-BE19-4143-AF70-CEFB56F46FC6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3462C343-BE19-4143-AF70-CEFB56F46FC6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3A421C8F-E238-4AEB-8874-B8B5F2CC4772} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3A421C8F-E238-4AEB-8874-B8B5F2CC4772} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{60E91567-EF8A-4520-BCE2-83ABA5256799} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{60E91567-EF8A-4520-BCE2-83ABA5256799} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{23B38049-323F-443D-9732-F454E5B15B72} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 1
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Detected: 7
C:\Program Files\2pres.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Kelly\AppData\Local\Temp\iix.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Kelly\AppData\Local\Temp\fka0.3281151857858424.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Kelly\AppData\Local\Temp\sgrodzzjcb (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Kelly\AppData\Local\Temp\mos0.8638792475705129.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Kelly\AppData\Local\Temp\ICReinstall\DownloadManagerSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Users\Kelly\Downloads\DownloadManagerSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
(end)
#17
Posted 27 January 2012 - 11:41 PM
...and aswMBR....
#18
Posted 27 January 2012 - 11:43 PM
aswmbr log file - has fixmbr button available:
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-27 22:33:14
-----------------------------
22:33:14.942 OS Version: Windows 6.1.7601 Service Pack 1
22:33:14.942 Number of processors: 1 586 0xF0D
22:33:14.942 ComputerName: KELLY-PC UserName: Kelly
22:33:16.002 Initialize success
22:33:57.784 AVAST engine defs: 12012701
22:36:10.649 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
22:36:10.649 Disk 0 Vendor: FUJITSU_MHZ2160BH_G1 0040020C Size: 152627MB BusType: 11
22:36:10.665 Disk 0 MBR read successfully
22:36:10.681 Disk 0 MBR scan
22:36:10.681 Disk 0 Windows 7 default MBR code
22:36:10.696 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
22:36:10.727 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 143737 MB offset 3074048
22:36:10.790 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 7389 MB offset 297447424
22:36:10.805 Disk 0 scanning sectors +312580096
22:36:10.915 Disk 0 scanning C:\Windows\system32\drivers
22:36:28.480 Service scanning
22:36:31.366 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
22:36:32.021 Modules scanning
22:36:44.283 Disk 0 trace - called modules:
22:36:44.657 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
22:36:44.673 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x849c30a0]
22:36:44.673 3 CLASSPNP.SYS[88c6259e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x852ca908]
22:36:45.531 AVAST engine scan C:\Windows
22:36:49.447 AVAST engine scan C:\Windows\system32
22:41:30.167 AVAST engine scan C:\Windows\system32\drivers
22:41:52.897 AVAST engine scan C:\Users\Kelly
22:42:11.929 Disk 0 MBR has been saved successfully to "F:\Denise\MBR.dat"
22:42:11.944 The log file has been saved successfully to "F:\Denise\aswMBR.txt"
#19
Posted 27 January 2012 - 11:45 PM
Is your Windows firewall turned on?
#20
Posted 27 January 2012 - 11:48 PM
Windows Security Essentials is functioning - where do I find the Windows firewall? Sorry to be stupid, but Windows 7 is new to me.
#21
Posted 27 January 2012 - 11:51 PM
Google is my friend, I found the MS Firewall - it is on but is not using the recommended settings. When I click "use recommended settings" it errors out and says Windows Firewall can't change some of your settings, error code 0x8007042c
#22
Posted 27 January 2012 - 11:54 PM
Download the following firewall fix: http://download.bleepingcomputer.com/sUBs/MiniFixes/RestoreBFE.exe
Double click on the downloaded file to run the fix.
See if the above fixes firewall issue.
#24
Posted 28 January 2012 - 12:03 AM
Good 
Any current issues?
Last checks....
Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.
=============================================================================
Please run a free online scan with the ESET Online Scanner
- Disable your antivirus program
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- Accept any security warnings from your browser.
- Check Scan archives
- Click Start
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, click on List of found threats
- Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
NOTE. If Eset doesn't find any threats it'll NOT produce any log.
#25
Posted 28 January 2012 - 12:08 AM
Excellent!! Will report in as soon as TFC finishes.
#26
Posted 28 January 2012 - 12:30 AM
Looks to be all cleaned up. I'll run the Windows Security Scan just because I'm paranoid. I noticed that Java and IE 8 have security updates too, so I'll update them also.
Hat tip to you sir! I am in awe of your skill and expertise.
#27
Posted 28 January 2012 - 12:44 AM
What about Eset scan?
