Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Lost internet after running combofix


  • Please log in to reply
46 replies to this topic

#1 ntorres45

ntorres45

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 17 December 2011 - 08:21 PM

Someone please help. I am using a borrowed computer to write this, and have already been moved to the wrong forum once. "This post has been edited by hamluis: Today, 04:18 PM Reason for edit: Moved from Malware Removal Logs to Am I Infected, no logs." **Moderators, please dont move my post again because all I am being told is that I am in the wrong forum.

I ran combofix, and after restart I lost all internet connectivity. Attached are my logs. I CANNOT restore, or repair LAN. Please help, I do not have another computer to use. Than you!

Attached Files



BC AdBot (Login to Remove)

 


#2 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:51 AM

Posted 17 December 2011 - 10:31 PM

Hello ntorres45,

I'll need to see the log produced by Combofix. You'll find it located at C:\ComboFix.txt. Copy/paste the log into your next reply.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 ntorres45

ntorres45
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 17 December 2011 - 11:01 PM

Hello,

Thank you so much for your reply, and hopefully your help! I understand that I should not have run combofix, and I apologize for the added work, but I found a post talking about it fixing a redirect virus and downloaded it from cnet.com, and I didn't understand the process/risks. Please try to help me, I cannot connect to internet, I just had to run to my friends house to send you this log.

Please let me know what I should do next. Thanks!

ComboFix 11-12-15.02 - Suzie 12/15/2011 23:47:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2070 [GMT -5:00]
Running from: c:\documents and settings\Suzie\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB2205$\3160035253
c:\windows\$NtUninstallKB2205$\3234646097\@
c:\windows\$NtUninstallKB2205$\3234646097\bckfg.tmp
c:\windows\$NtUninstallKB2205$\3234646097\cfg.ini
c:\windows\$NtUninstallKB2205$\3234646097\Desktop.ini
c:\windows\$NtUninstallKB2205$\3234646097\keywords
c:\windows\$NtUninstallKB2205$\3234646097\kwrd.dll
c:\windows\$NtUninstallKB2205$\3234646097\L\ixmmzpbu
c:\windows\$NtUninstallKB2205$\3234646097\lsflt7.ver
c:\windows\$NtUninstallKB2205$\3234646097\U\00000001.@
c:\windows\$NtUninstallKB2205$\3234646097\U\00000002.@
c:\windows\$NtUninstallKB2205$\3234646097\U\00000004.@
c:\windows\$NtUninstallKB2205$\3234646097\U\80000000.@
c:\windows\$NtUninstallKB2205$\3234646097\U\80000004.@
c:\windows\$NtUninstallKB2205$\3234646097\U\80000032.@
c:\windows\CSC\d6
c:\windows\system32\_004506_.tmp.dll
c:\windows\system32\_004507_.tmp.dll
c:\windows\system32\_004508_.tmp.dll
c:\windows\system32\_004509_.tmp.dll
c:\windows\system32\_004516_.tmp.dll
c:\windows\system32\_004517_.tmp.dll
c:\windows\system32\_004518_.tmp.dll
c:\windows\system32\_004519_.tmp.dll
c:\windows\system32\_004521_.tmp.dll
c:\windows\system32\_004522_.tmp.dll
c:\windows\system32\_004525_.tmp.dll
c:\windows\system32\_004526_.tmp.dll
c:\windows\system32\_004528_.tmp.dll
c:\windows\system32\_004529_.tmp.dll
c:\windows\system32\_004530_.tmp.dll
c:\windows\system32\_004532_.tmp.dll
c:\windows\system32\_004533_.tmp.dll
c:\windows\system32\_004535_.tmp.dll
c:\windows\system32\_004536_.tmp.dll
c:\windows\system32\_004540_.tmp.dll
c:\windows\system32\_004541_.tmp.dll
c:\windows\system32\_004543_.tmp.dll
c:\windows\system32\_004546_.tmp.dll
c:\windows\system32\_004548_.tmp.dll
c:\windows\system32\_004549_.tmp.dll
c:\windows\system32\_004550_.tmp.dll
c:\windows\system32\_004551_.tmp.dll
c:\windows\system32\_004552_.tmp.dll
c:\windows\system32\_004555_.tmp.dll
c:\windows\system32\_004556_.tmp.dll
c:\windows\system32\_004557_.tmp.dll
c:\windows\system32\_004558_.tmp.dll
c:\windows\system32\_004559_.tmp.dll
c:\windows\system32\_004564_.tmp.dll
c:\windows\system32\_004566_.tmp.dll
c:\windows\system32\_004567_.tmp.dll
c:\windows\system32\_004729_.tmp.dll
c:\windows\system32\_004730_.tmp.dll
c:\windows\system32\_004731_.tmp.dll
c:\windows\system32\_004732_.tmp.dll
c:\windows\system32\_004739_.tmp.dll
c:\windows\system32\_004740_.tmp.dll
c:\windows\system32\_004741_.tmp.dll
c:\windows\system32\_004743_.tmp.dll
c:\windows\system32\_004744_.tmp.dll
c:\windows\system32\_004747_.tmp.dll
c:\windows\system32\_004748_.tmp.dll
c:\windows\system32\_004750_.tmp.dll
c:\windows\system32\_004751_.tmp.dll
c:\windows\system32\_004752_.tmp.dll
c:\windows\system32\_004754_.tmp.dll
c:\windows\system32\_004755_.tmp.dll
c:\windows\system32\_004757_.tmp.dll
c:\windows\system32\_004758_.tmp.dll
c:\windows\system32\_004762_.tmp.dll
c:\windows\system32\_004763_.tmp.dll
c:\windows\system32\_004765_.tmp.dll
c:\windows\system32\_004768_.tmp.dll
c:\windows\system32\_004770_.tmp.dll
c:\windows\system32\_004771_.tmp.dll
c:\windows\system32\_004772_.tmp.dll
c:\windows\system32\_004773_.tmp.dll
c:\windows\system32\_004776_.tmp.dll
c:\windows\system32\_004777_.tmp.dll
c:\windows\system32\_004778_.tmp.dll
c:\windows\system32\_004779_.tmp.dll
c:\windows\system32\_004780_.tmp.dll
c:\windows\system32\_004785_.tmp.dll
c:\windows\system32\_004787_.tmp.dll
c:\windows\system32\_004788_.tmp.dll
c:\windows\system32\certstore.dat
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\srcr.dat
c:\windows\$NtUninstallKB2205$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-15 19:03 . 2011-12-15 19:03 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-04 10:59 . 2011-06-06 23:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
2011-08-03 11:31 89008 ----a-w- c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\imeshdtxmltbpi.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{28387537-e3f9-4ed7-860c-11e69af4a8a0}"= "c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\imeshdtxmltbpi.dll" [2011-08-03 89008]
.
[HKEY_CLASSES_ROOT\clsid\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\iMesh Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 3:32 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 248656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [8/18/2011 12:33 AM 7390560]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 4:33 AM 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [3/30/2011 4:17 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 27216]
S0 fbxdd;fbxdd;c:\windows\system32\drivers\mkpvjug.sys --> c:\windows\system32\drivers\mkpvjug.sys [?]
S0 rvpr;rvpr;c:\windows\system32\drivers\hsnng.sys --> c:\windows\system32\drivers\hsnng.sys [?]
S0 sqke;sqke;c:\windows\system32\drivers\tdhaxan.sys --> c:\windows\system32\drivers\tdhaxan.sys [?]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 6:54 AM 297168]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 iPodDrv;iPodDrv;\??\c:\windows\system32\drivers\iPodDrv.sys --> c:\windows\system32\drivers\iPodDrv.sys [?]
S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [12/4/2009 5:27 PM 14336]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [12/13/2010 7:49 AM 25088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2011-12-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
2011-12-16 c:\windows\Tasks\User_Feed_Synchronization-{6D7D0ABC-FD6C-474F-BF8D-58D5968A293F}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
2011-12-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-04 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
FF - ProfilePath - c:\documents and settings\Suzie\Application Data\Mozilla\Firefox\Profiles\wv6e6r69.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2828561&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2828561&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
Notify-dimsntfy - (no file)
MSConfigStartUp-Malware Defense - c:\program files\Malware Defense\mdefense.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\super.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-16 09:55
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3056)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
.
**************************************************************************
.
Completion time: 2011-12-16 10:02:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 15:02
.
Pre-Run: 1,371,099,136 bytes free
Post-Run: 5,835,288,576 bytes free
.
- - End Of File - - 8A129552D360B29979928647C239D2D9

#4 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:51 AM

Posted 17 December 2011 - 11:28 PM

You're welcome. :)

Please, don't download anything from cnet. They bundle all kinds of stuff with any of the free software or tools you're wanting to get. It's always best to go to the author's site for a tool, or to the actual website of the software that you want, and download it from there. :)

Your machine is infected with a particularly nasty rootkit named ZAccess. I think the best course of action at this time, is to have you backtrack to before running ComboFix to see if that gets internet back. Don't worry about the infection being put back -- it's still there anyway.

If we can get internet back, we'll proceed with additional diagnostic scans so I can gather as much info as possible before we begin removal. If internet is not restored, then we will proceed with further diagnostics.

Click Start>My Computer and double click the C:\ drive to open Windows Explorer.

Navigate to the following folder:

C:\WINDOWS\ERDNT\Hiv-backup

Within that folder, you'll see a file named erdnt.exe

Double click that file, and click OK at the next prompt.
Another dialog box will open. Leave the settings as they are and click OK.
You'll see the Registry being restored. When it has completed, make sure you have any open programs closed, and click 'Yes' to reboot now.

Has the internet been restored?

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#5 ntorres45

ntorres45
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 18 December 2011 - 07:40 AM

Thank you so much for your reply! I got so excited when I saw this and tried what you said, but unfortunately nothing much has changed except it seems to be running very slow. I still cannot get to internet, cannt repair LAN settings, cannot turn on windows firewall, etc.

Please send me the next steps I should try. Thanks again!

#6 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:51 AM

Posted 18 December 2011 - 09:17 AM

You're welcome. :)

Since you have no internet and are using a friend's machine, I'm going to give you several sets of instructions to make things easier for you.

All these instructions may appear overwhelming, but just take them a step at a time, and you'll do just fine. :)


Please download the following tools to a usb stick in preparation for transferring them to your machine:


1. Download Farbar Service Scanner

2. Download SystemLook from one of the links below and save it to your desktop.

Download Mirror #1
Download Mirror #2


3. Your version of ComboFix is outdated. Delete your existing ComboFix.exe and download the latest version from here.

4. With malware infections being as they are today, iwe need for you to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us me to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Please carry out the instructions in the order given below:



Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.


  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


===========================================


If still no internet....


Double click FSS.exe (Farbar's Service Scanner) run it on the computer with the issue.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your reply.


Next, Double-click SystemLook.exe to run it.Copy the content of the following codebox into the main textfield:

:filefind
tcpip.sys
ipsec.sys
netbt.sys
afd.sys

Click the Look button to start the scan.[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.[/list]Note: The log can also be found at on your Desktop entitled SystemLook.txt

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#7 ntorres45

ntorres45
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 18 December 2011 - 06:35 PM

Thank you so much! I downloaded everything to a thumb drive - I'm just a little concerned about the XP bootable download. Am I at risk of losing data on my computer running any of this? I have tons of pictures of my kids and unfortunately I don't have an external drive to put in on now.

#8 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:51 AM

Posted 18 December 2011 - 06:39 PM

I understand the confusion and concern. The Recovery Console is not the same as a Recovery Partition. All the Recovery Console does is give us the option to boot into a command console environment without Windows loading.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#9 ntorres45

ntorres45
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 18 December 2011 - 08:32 PM

Ok thanks for the clarification. I cannot download the recovery console because there is no internet connection. What should I do?

#10 ntorres45

ntorres45
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 18 December 2011 - 08:35 PM

Was that the file from the microsoft website ? It mentioned boot disks

#11 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:51 AM

Posted 18 December 2011 - 08:37 PM

Yes, that's the one. You do not need to create any bootdisk. My fault for leaving out part of the instructions, I'm sorry. All you need to do is this to install it.

Posted Image

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#12 ntorres45

ntorres45
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 18 December 2011 - 09:09 PM

Great, thanks for the quick reply! I will try that now - I have to keep driving over to my friends house :-)

I'm so impressed with the help you are giving me - I am truly grateful. I'm so scared of losing my pictures, I hope this all turns out well.

#13 ntorres45

ntorres45
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 18 December 2011 - 10:26 PM

Thanks for all the steps but unfortunately they didn't work. Sending this email from my phone, I won't be able to send you the log files until tomorrow when I can get back over to my friends house. I hope you will be available.

#14 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:51 AM

Posted 18 December 2011 - 10:43 PM

Yes, I'll be around tomorrow. :)

Remember, I'll need to see the following logs:

  • C:\ComboFix.txt
  • Results of Farbar's Service Scanner
  • Results of SystemLook

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#15 ntorres45

ntorres45
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 19 December 2011 - 12:34 PM

Hello,

Here are the logs.

combofix:
ComboFix 11-12-18.01 - Suzie 12/18/2011 22:01:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2024 [GMT -5:00]
Running from: c:\documents and settings\Suzie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Suzie\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-11-19 to 2011-12-19 )))))))))))))))))))))))))))))))
.
.
2011-12-17 00:19 . 2011-12-17 00:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-16 15:06 . 2011-12-17 00:18 -------- d-----w- C:\RECYCLER(2)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-04 10:59 . 2011-06-06 23:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
2011-08-03 11:31 89008 ----a-w- c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\imeshdtxmltbpi.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{28387537-e3f9-4ed7-860c-11e69af4a8a0}"= "c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\imeshdtxmltbpi.dll" [2011-08-03 89008]
.
[HKEY_CLASSES_ROOT\clsid\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [BU]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malware Defense]
c:\program files\Malware Defense\mdefense.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
c:\program files\SUPERAntiSpyware\super.exe [BU]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\iMesh Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 3:32 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 248656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [8/18/2011 12:33 AM 7390560]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 4:33 AM 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [3/30/2011 4:17 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 27216]
S0 fbxdd;fbxdd;c:\windows\system32\drivers\mkpvjug.sys --> c:\windows\system32\drivers\mkpvjug.sys [?]
S0 rvpr;rvpr;c:\windows\system32\drivers\hsnng.sys --> c:\windows\system32\drivers\hsnng.sys [?]
S0 sqke;sqke;c:\windows\system32\drivers\tdhaxan.sys --> c:\windows\system32\drivers\tdhaxan.sys [?]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 6:54 AM 297168]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 iPodDrv;iPodDrv;\??\c:\windows\system32\drivers\iPodDrv.sys --> c:\windows\system32\drivers\iPodDrv.sys [?]
S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [12/4/2009 5:27 PM 14336]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [12/13/2010 7:49 AM 25088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2011-12-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
2011-12-19 c:\windows\Tasks\User_Feed_Synchronization-{6D7D0ABC-FD6C-474F-BF8D-58D5968A293F}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
2011-12-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-04 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
FF - ProfilePath - c:\documents and settings\Suzie\Application Data\Mozilla\Firefox\Profiles\wv6e6r69.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2828561&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2828561&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-18 22:14
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2011-12-18 22:20:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-19 03:19
ComboFix2.txt 2011-12-16 15:02
.
Pre-Run: 5,710,147,584 bytes free
Post-Run: 5,699,497,984 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6ED5B53C9088F44627556961396937BB

fss:
Farbar Service Scanner
Ran by Suzie (administrator) on 18-12-2011 at 22:21:36
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2009-12-04 17:27] - [2004-08-04 07:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2009-12-04 17:27] - [2009-02-09 05:20] - 0399360 ____A (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28

C:\WINDOWS\system32\services.exe
[2011-04-11 20:13] - [2009-02-06 12:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2011-04-11 20:13] - [2008-08-14 04:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys
[2011-04-11 20:13] - [2004-08-04 07:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2011-04-11 20:13] - [2008-06-20 05:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2011-04-11 20:13] - [2004-08-04 07:00] - 0074752 ____A () EF3EDDFFD3A79C98D666E601929A1985

C:\WINDOWS\system32\dnsrslvr.dll
[2009-12-04 17:27] - [2004-08-04 07:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

**** End of log ****

systemlook:
SystemLook 30.07.11 by jpshortstuff
Log created at 22:22 on 18/12/2011 by Suzie
Administrator - Elevation successful

========== filefind ==========

Searching for "tcpip.sys"
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys --a--c- 360960 bytes [10:44 20/06/2008] [10:44 20/06/2008] 744E57C99232201AE98C49168B918F48
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys --a--c- 361600 bytes [11:51 20/06/2008] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys --a--c- 361600 bytes [11:59 20/06/2008] [11:59 20/06/2008] AD978A1B783B5719720CFF204B666C8E
C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys -----c- 359040 bytes [18:47 27/12/2009] [12:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys --a--c- 361344 bytes [19:20 13/04/2008] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733
C:\WINDOWS\system32\dllcache\tcpip.sys --a---- 360320 bytes [01:13 12/04/2011] [10:45 20/06/2008] 2A5554FC5B1E04E131230E3CE035C3F9
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 360320 bytes [01:13 12/04/2011] [10:45 20/06/2008] 2A5554FC5B1E04E131230E3CE035C3F9

Searching for "ipsec.sys"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ipsec.sys --a--c- 75264 bytes [19:19 13/04/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec.sys --a--c- 74752 bytes [01:13 12/04/2011] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 74752 bytes [01:13 12/04/2011] [12:00 04/08/2004] EF3EDDFFD3A79C98D666E601929A1985

Searching for "netbt.sys"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbt.sys --a--c- 162816 bytes [19:21 13/04/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\dllcache\netbt.sys --a--c- 162816 bytes [01:13 12/04/2011] [12:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [01:13 12/04/2011] [12:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B

Searching for "afd.sys"
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a--c- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a--c- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a--c- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys --a--c- 138368 bytes [15:47 27/12/2009] [09:48 14/08/2008] 6A0397376853E604DE8E1E7A87FC08AC
C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys --a--c- 138496 bytes [15:47 27/12/2009] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a--c- 138496 bytes [15:47 27/12/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138496 bytes [18:47 27/12/2009] [12:00 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$NtUninstallKB956803$\afd.sys -----c- 138368 bytes [18:54 27/12/2009] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\afd.sys --a--c- 138112 bytes [19:19 13/04/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138368 bytes [01:13 12/04/2011] [09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702
C:\WINDOWS\system32\drivers\afd.sys --a---- 138368 bytes [01:13 12/04/2011] [09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702

-= EOF =-




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users