

Ping.exe and now no internet


This topic is locked
24 replies to this topic

#1 jmfs21
  • Members
  • 12 posts

Posted 28 December 2011 - 03:19 PM

I have been reading through some of the problems here today and realize I probably shouldn't have run ComboFix (my friend said he could fix this) and should have come directly to you guys first. I have Windows XP Pro, Service Pack 3. If you need more info, let me know. I have the Antivirus 2012 bug and got rid of that using Malwarebytes. It found a few things, and I still had the ping.exe using up most of my memory. So I used ComboFix and bam, no internet connection. I am a little frustrated and would really appreciate some help. Thanks, John



#2 boopme
  • Global Moderator
  • 73,199 posts

Posted 28 December 2011 - 04:02 PM

Hello John,
Please go here: Preparation Guide, and do steps 6 - 9.

Create a DDS and Gmer log and post it in this topic

#3 jmfs21
  • Topic Starter
  • Members
  • 12 posts

Posted 29 December 2011 - 01:13 PM

So I ran the tests (steps 6-9) and am listing them here. Thanks again for the help.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by TJ at 16:21:00 on 2011-12-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1466 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3106777
uInternet Settings,ProxyOverride = 192.168.*.*
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: WinZipBar Toolbar: {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - c:\program files\winzipbar\prxtbWinZ.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: WinZipBar Toolbar: {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - c:\program files\winzipbar\prxtbWinZ.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAAxADkAMAA3ADIAOQA1ADEALQBGAFAAOQArADYALQBTAFQAMQArADIALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgAtAEYAOQBNADEAKwAxAC0AWABPADkAKwAxAC0ARABEAFQAKwA0ADIAOQA0ADkAMQAwADEAMAA2AC0ARABEADkAMABGACsAMQAtAFMAVAA5ADAARgBBAFAAUAArADEALQBGADkAMABNADEAMgBBAFQAKwAxAC0ARgA5ADAATQAxADIAQQArADEALQBGADkAMABNADEAMgBBAEIAKwAxAC0AVQA5ADUAKwAxAC0ARgA5ADAATQAxADIAQQBUAEIAKwAxAC0ARgA5ADAAVABCACsAMgA"&"prod=90"&"ver=9.0.894
StartupFolder: c:\docume~1\tj\startm~1\programs\startup\_unins~1.lnk - c:\documents and settings\tj\local settings\temp\_uninst_65274993.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3553FF81-A19A-4486-873E-3105287E6975} - file:///E:/WebPlayer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tj\application data\mozilla\firefox\profiles\invmdwei.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\tj\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\tj\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/12/15 14:18:17];c:\program files\cyberlink\powerdvd9\000.fcl [2009-9-1 87536]
R2 LANPkt;Linksys LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-10-27 8568]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-7-6 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-26 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-26 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-21 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2001-8-23 14336]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-24 2253120]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys --> c:\windows\system32\drivers\motfilt.sys [?]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-10-27 11351]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-21 136176]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\motousbnet.sys --> c:\windows\system32\drivers\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys --> c:\windows\system32\drivers\motusbdevice.sys [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-5-12 722432]
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLANXP.SYS [2009-10-27 15360]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-12-28 02:00:01 -------- d-sha-r- C:\cmdcons
2011-12-28 01:56:48 98816 ----a-w- c:\windows\sed.exe
2011-12-28 01:56:48 518144 ----a-w- c:\windows\SWREG.exe
2011-12-28 01:56:48 256000 ----a-w- c:\windows\PEV.exe
2011-12-28 01:56:48 208896 ----a-w- c:\windows\MBR.exe
2011-12-27 19:33:27 -------- d-----w- c:\documents and settings\tj\application data\SUPERAntiSpyware.com
2011-12-27 19:33:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-27 19:33:02 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-26 20:18:16 -------- d-----w- c:\documents and settings\tj\application data\Malwarebytes
2011-12-26 20:16:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-26 20:16:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-26 20:16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-20 00:48:58 -------- d-----w- c:\documents and settings\tj\local settings\application data\WinZip
2011-12-20 00:48:38 -------- d-----w- c:\documents and settings\tj\local settings\application data\WinZipBar
2011-12-20 00:48:35 -------- d-----w- c:\program files\WinZipBar
2011-12-14 18:32:44 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-12-14 18:32:44 877376 ----a-w- c:\windows\system32\nvgenco32.dll
.
==================== Find3M ====================
.
2011-12-14 20:42:26 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-12-14 20:42:26 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-12-14 20:42:23 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 16:21:56.14 ===============




#4 myrti
  • Malware Study Hall Admin
  • 33,771 posts

Posted 03 January 2012 - 09:31 AM

Hi,

Could you please provide the log from when ComboFix ran and removed your internet connection? It should be under C:\combofix.txt.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Regards, myrti



#5 jmfs21
  • Topic Starter
  • Members
  • 12 posts

Posted 03 January 2012 - 11:24 AM

ComboFix file

ComboFix 11-12-28.03 - TJ 12/28/2011 16:03:09.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1690 [GMT -5:00]
Running from: F:\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-27 19:33 . 2011-12-27 19:33 -------- d-----w- c:\documents and settings\TJ\Application Data\SUPERAntiSpyware.com
2011-12-27 19:33 . 2011-12-27 19:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-27 19:33 . 2011-12-27 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-26 20:18 . 2011-12-26 20:18 -------- d-----w- c:\documents and settings\TJ\Application Data\Malwarebytes
2011-12-26 20:16 . 2011-12-26 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-26 20:16 . 2011-12-26 20:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-26 20:16 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-26 20:08 . 2011-12-26 20:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-21 01:55 . 2011-12-21 01:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\WinZipBar
2011-12-20 00:48 . 2011-12-20 00:48 -------- d-----w- c:\documents and settings\TJ\Local Settings\Application Data\WinZip
2011-12-20 00:47 . 2011-12-20 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-12-14 18:32 . 2011-10-08 04:50 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-12-14 18:32 . 2011-10-08 04:50 877376 ----a-w- c:\windows\system32\nvgenco32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2002-08-29 06:14 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2002-08-29 07:41 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2002-08-29 07:41 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2002-08-29 07:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2002-08-29 07:41 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2002-08-29 07:40 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2002-08-29 05:04 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2002-08-29 07:40 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2009-10-27 06:35 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 04:50 . 2011-04-08 02:15 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-10-08 04:50 . 2011-04-08 02:15 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-10-08 04:50 . 2011-04-08 02:15 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-08 04:50 . 2011-04-08 02:15 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-08 04:50 . 2011-04-08 02:15 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2011-10-08 04:50 . 2011-04-08 02:15 220992 ----a-w- c:\windows\system32\nvcolor.exe
2011-10-08 04:50 . 2011-02-23 06:57 65536 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-08 04:50 . 2011-02-23 06:57 17240064 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-08 04:50 . 2009-09-28 00:12 5595136 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-08 04:50 . 2009-09-28 00:12 4226688 ----a-w- c:\windows\system32\nv4_disp.dll
2011-10-08 04:50 . 2009-09-28 00:12 2449408 ----a-w- c:\windows\system32\nvapi.dll
2011-10-08 04:50 . 2009-09-28 00:12 2398016 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-08 04:50 . 2009-09-28 00:12 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-08 04:50 . 2009-09-28 00:12 17956864 ----a-w- c:\windows\system32\nvoglnt.dll
2011-10-08 04:50 . 2009-09-28 00:12 12791488 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-11-10 19:12 . 2011-05-09 13:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-28_02.17.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-28 21:02 . 2011-12-28 21:02 16384 c:\windows\Temp\Perflib_Perfdata_b8.dat
+ 2001-08-23 12:00 . 2011-12-28 20:31 78542 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2011-11-09 22:08 78542 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-12-28 20:31 462596 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2011-11-09 22:08 462596 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
2011-05-09 08:49 176936 ----a-w- c:\program files\WinZipBar\prxtbWinZ.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}"= "c:\program files\WinZipBar\prxtbWinZ.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{50FAFAF0-70A9-419D-A109-FA4B4FFD4E37}"= "c:\program files\WinZipBar\prxtbWinZ.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-09-01 75048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA&inst=NwA3AC0ANAAxADkAMAA3ADIAOQA1ADEALQBGAFAAOQArADYALQBTAFQAMQArADIALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgAtAEYAOQBNADEAKwAxAC0AWABPADkAKwAxAC0ARABEAFQAKwA0ADIAOQA0ADkAMQAwADEAMAA2AC0ARABEADkAMABGACsAMQAtAFMAVAA5ADAARgBBAFAAUAArADEALQBGADkAMABNADEAMgBBAFQAKwAxAC0ARgA5ADAATQAxADIAQQArADEALQBGADkAMABNADEAMgBBAEIAKwAxAC0AVQA5ADUAKwAxAC0ARgA5ADAATQAxADIAQQBUAEIAKwAxAC0ARgA5ADAAVABCACsAMgA&prod=90&ver=9.0.894" [?]
.
c:\documents and settings\TJ\Start Menu\Programs\Startup\
_uninst_65274993.lnk - c:\documents and settings\TJ\Local Settings\Temp\_uninst_65274993.bat [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-6-22 984936]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-11-17 611144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-02 20:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/12/15 14:18];c:\program files\CyberLink\PowerDVD9\000.fcl [9/1/2009 4:59 PM 87536]
R2 LANPkt;Linksys LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [10/27/2009 7:17 PM 8568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/26/2011 3:16 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/26/2011 3:16 PM 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2011 7:59 PM 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [8/23/2001 7:00 AM 14336]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [5/24/2011 4:11 PM 2253120]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [10/27/2009 7:17 PM 11351]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2011 7:59 PM 136176]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLANXP.SYS [10/27/2009 7:17 PM 15360]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/23/2001 7:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-22 00:59]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-22 00:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3106777
uInternet Settings,ProxyOverride = 192.168.*.*
FF - ProfilePath - c:\documents and settings\TJ\Application Data\Mozilla\Firefox\Profiles\invmdwei.default\
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 16:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-12-28 16:13:34
ComboFix-quarantined-files.txt 2011-12-28 21:13
ComboFix2.txt 2011-12-28 20:49
ComboFix3.txt 2011-12-28 20:23
ComboFix4.txt 2011-12-28 19:59
ComboFix5.txt 2011-12-28 20:57
.
Pre-Run: 93,128,998,912 bytes free
Post-Run: 93,129,703,424 bytes free
.
- - End Of File - - 90AE103551233CFE700818FFEC2AA0B9




Farbar file

Farbar Service Scanner
Ran by TJ (administrator) on 03-01-2012 at 11:22:03
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2002-08-29 01:01] - [2011-08-17 08:49] - 0138496 ____A () 8E1525B090D8CB5427042AB21202196C

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(11) Gpc(3) IPSec(5) LANPkt(9) MDC8021X(8) NetBT(6) PSched(7) RTLVLANXP(10) Tcpip(4) Tcpip6(12)
0x0C0000000500000001000000020000000300000004000000060000000700000008000000090000000A0000000B0000000C000000
IpSec Tag value is correct.

**** End of log ****


This is the quarantine file for ComboFix in case you need it.

2011-12-28 19:49:24 . 2011-12-28 19:49:24 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-12-28 02:21:42 . 2011-12-28 02:21:42 153 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-LogMeIn GUI.reg.dat
2011-12-28 02:21:42 . 2011-12-28 02:21:42 145 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-PRISMSVR.EXE.reg.dat
2011-12-28 02:21:41 . 2011-12-28 02:21:41 179 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-HLBackupScheduler.reg.dat
2011-12-28 02:21:40 . 2011-12-28 02:21:40 249 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}.reg.dat
2011-12-28 02:21:40 . 2011-12-28 02:21:40 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-12-28 02:21:40 . 2011-12-28 02:21:40 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-12-28 02:21:39 . 2011-12-28 02:21:39 213 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-12-28 02:21:39 . 2011-12-28 19:58:41 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2011-12-28 02:12:59 . 2011-12-28 02:12:59 222 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\_1968158018_.zip
2011-12-28 02:11:30 . 2011-12-28 02:11:30 3,292 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_6to4.reg.dat
2011-12-28 02:11:30 . 2011-12-28 02:11:30 990 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
2011-12-28 02:11:22 . 2011-12-28 21:10:12 7,362 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-12-28 01:56:35 . 2011-12-28 21:02:14 1,224 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-12-27 13:42:14 . 2011-12-27 13:49:30 77,312 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\U\80000032.@.vir
2011-12-26 19:33:57 . 2011-12-27 15:43:51 5,176 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\lsflt7.ver.vir
2011-12-26 19:19:02 . 2011-12-28 01:50:43 216 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\keywords.vir
2011-12-26 19:18:59 . 2011-12-28 01:40:07 223,744 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\kwrd.dll.vir
2011-12-26 19:18:59 . 2011-12-28 01:50:08 845 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\bckfg.tmp.vir
2011-12-26 19:17:21 . 2011-12-26 19:17:21 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\@.vir
2011-12-26 19:17:21 . 2011-12-28 01:40:06 207 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\cfg.ini.vir
2011-12-26 19:17:21 . 2011-12-26 19:17:21 138,496 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\L\ttnynoqb.vir
2011-12-26 19:17:21 . 2011-12-28 01:39:56 4,608 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\Desktop.ini.vir
2011-12-26 07:52:15 . 2011-12-26 19:18:56 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\U\00000001.@.vir
2011-12-20 12:33:56 . 2011-12-26 19:18:57 11,264 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\U\80000000.@.vir
2011-12-02 12:07:49 . 2011-12-26 19:18:59 224,768 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\U\00000002.@.vir
2011-11-29 13:10:08 . 2011-12-26 19:18:57 12,800 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\U\80000004.@.vir
2011-11-02 17:48:14 . 2011-12-26 19:18:57 1,024 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB22215$\3119050543\U\00000004.@.vir
2011-08-10 21:28:56 . 2011-06-23 18:36:30 602,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET75C.tmp.vir
2011-08-10 21:28:55 . 2011-06-23 18:36:30 55,296 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET75B.tmp.vir
2011-08-10 21:28:54 . 2011-06-23 18:36:30 105,984 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET756.tmp.vir
2011-08-10 21:28:54 . 2011-06-23 18:36:30 916,480 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET754.tmp.vir
2011-08-10 21:28:53 . 2011-06-23 18:36:30 1,991,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET760.tmp.vir
2011-08-10 21:28:52 . 2011-06-23 18:36:30 1,212,416 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET755.tmp.vir
2011-08-10 21:28:51 . 2011-07-25 15:17:44 5,969,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET75A.tmp.vir
2011-08-10 21:28:50 . 2011-06-23 18:36:29 11,081,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET762.tmp.vir
2011-08-04 20:59:46 . 2011-06-28 22:40:02 524,288 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\TJ\Local Settings\Temporary Internet Files\cookies.sqlite.vir
2011-06-20 17:44:52 . 2011-06-20 17:44:52 293,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SET79D.tmp.vir
2011-06-10 21:02:24 . 2011-06-10 21:02:24 22,528 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\TJ\My Documents\~WRL1800.tmp.vir
2011-06-10 21:02:24 . 2011-06-10 21:14:56 23,040 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\TJ\My Documents\~WRL2275.tmp.vir
2010-11-18 19:40:34 . 2010-11-18 19:40:34 299 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\TJ\Recent\1 MI EFT Tax Payments(5).url.vir
2010-11-18 19:40:24 . 2010-11-18 19:40:24 299 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\TJ\Recent\1 MI EFT Tax Payments(4).url.vir
2010-11-18 19:40:08 . 2010-11-18 19:40:08 299 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\TJ\Recent\1 MI EFT Tax Payments(3).url.vir
2010-11-18 19:18:44 . 2010-11-18 19:18:44 299 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\TJ\Recent\1 MI EFT Tax Payments(2).url.vir
2010-11-18 19:17:27 . 2010-11-18 19:17:27 299 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\TJ\Recent\1 MI EFT Tax Payments.url.vir
2010-05-13 16:08:58 . 2010-05-13 16:08:58 0 ----a-w- C:\Qoobox\Quarantine\C\Bro432.tmp.vir
2010-05-13 16:08:49 . 2010-05-13 16:08:49 0 ----a-w- C:\Qoobox\Quarantine\C\Bro42F.tmp.vir
2010-05-13 16:08:31 . 2010-05-13 16:08:31 0 ----a-w- C:\Qoobox\Quarantine\C\Bro42C.tmp.vir
2010-05-12 20:10:19 . 2010-05-12 20:10:19 0 ----a-w- C:\Qoobox\Quarantine\C\Bro3A0.tmp.vir
2009-12-15 19:16:58 . 2009-12-15 19:16:52 53,319 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Temp\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe.vir
2009-10-27 20:11:55 . 2009-10-28 00:13:14 5 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\1028_DELL_XPS_Dell DXP051 .MRK.vir
2009-10-27 20:11:55 . 2009-10-28 00:13:14 5 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\DELL_XPS_Dell DXP051 .MRK.vir
2007-11-07 12:03:18 . 2007-11-07 12:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\Install.exe.vir





Thanks again for the help. John

Edited by jmfs21, 03 January 2012 - 11:30 AM.


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:39 PM

Posted 03 January 2012 - 11:28 AM

Hi,

could you please upload the following site to virustotal:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.


C:\WINDOWS\system32\Drivers\afd.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 jmfs21

jmfs21
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 03 January 2012 - 11:34 AM

Hi,

could you please upload the following site to virustotal:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.


C:\WINDOWS\system32\Drivers\afd.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti





??
I cannot get online to this site on the infected computer. Is there another way to do this? Thanks, John

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:39 PM

Posted 03 January 2012 - 11:58 AM

Hi,

yes could you copy the file onto a flash drive and upload it from your other PC?

regards myrti



#9 jmfs21

jmfs21
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 03 January 2012 - 12:05 PM

2012-01-03 Found nothing

2012-01-03 Found nothing

2012-01-03 Win32:Aluroot-B

2012-01-03 Trojan.Generic.KDV.498995

2012-01-03 Agent_r.AWW

2012-01-03 Trojan.Generic.KDV.498995

2012-01-03 TR/Aluroot.B.27

2012-01-03 Trojan.Crypt

2012-01-03 Trojan.Generic.KDV.498995

2012-01-03 Found nothing

2012-01-03 Found nothing

2012-01-03 Generic

2012-01-03 Found nothing

2012-01-02 Found nothing

2012-01-03 Found nothing

2012-01-03 Found nothing

2012-01-03 Trojan.Crypt!IK

2012-01-03 Found nothing

2012-01-03 Win32/Rootkit.Kryptik.HB

2012-01-03 Rootkit.Kryptik!9QFviRnpR5M



Thanks John

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:39 PM

Posted 03 January 2012 - 01:21 PM

Hi,

well that doesn't look the way it should.

Please download SystemLook from jpshortstuff and transfer it to your disconnected PC onto the Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    afd.sys
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

regards myrti



#11 jmfs21

jmfs21
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 03 January 2012 - 01:31 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 13:29 on 03/01/2012 by TJ
Administrator - Elevation successful

No Context: :filefind

No Context: afd.sys

-= EOF =-

Thanks John

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:39 PM

Posted 03 January 2012 - 02:13 PM

Hi,

could you try that without the blank before :filefind. I don't know how that got there. :whistle:

regards myrti



#13 jmfs21

jmfs21
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 03 January 2012 - 02:17 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 14:15 on 03/01/2012 by TJ
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys "
C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys --a---- 138496 bytes [07:54 15/06/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys --a---- 138496 bytes [11:02 12/10/2011] [13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a---- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a---- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a---- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys --a---- 138368 bytes [17:10 03/11/2009] [09:48 14/08/2008] 6A0397376853E604DE8E1E7A87FC08AC
C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys --a---- 138496 bytes [17:10 03/11/2009] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a---- 138496 bytes [17:10 03/11/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtServicePackUninstall$\afd.sys -----c- 138368 bytes [01:27 14/12/2009] [09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702
C:\WINDOWS\$NtUninstallKB2503665$\afd.sys -----c- 138496 bytes [07:01 16/06/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\$NtUninstallKB2509553$\afd.sys -----c- 138496 bytes [07:00 14/04/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$NtUninstallKB2592799$\afd.sys -----c- 138496 bytes [07:03 13/10/2011] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138112 bytes [01:38 14/12/2009] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys -----c- 138496 bytes [11:03 04/11/2009] [06:14 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$NtUninstallKB956803$\afd.sys -----c- 138496 bytes [01:38 14/12/2009] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$NtUninstallKB956803_0$\afd.sys -----c- 138368 bytes [11:05 04/11/2009] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------- 138112 bytes [06:14 04/08/2004] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138496 bytes [06:01 29/08/2002] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [06:01 29/08/2002] [13:49 17/08/2011] 8E1525B090D8CB5427042AB21202196C

-= EOF =-



here ya go :)

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:39 PM

Posted 03 January 2012 - 02:44 PM

Ah, yes that looks more like it.

How savvy are you with the PC? Do you think you can rename the file C:\windows\system32\drivers\afd.sys to afd.sys.bak and copy the file from C:\WINDOWS\system32\dllcache\afd.sys to C:\windows\system32\drivers or would you prefer to have a batch that does this?

regards myrti

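As an added example (not part of this thread and not code from SystemLook, ComboFix or any other tool named here), a small Python parser for the SystemLook filefind output posted above. It isolates the point myrti is reacting to: the live C:\WINDOWS\system32\drivers\afd.sys reports a different MD5 from the Windows File Protection copy in dllcache although both show the same size and timestamps. The line format is assumed from the output shown in this thread; the three sample lines and their hashes are copied from that log.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in SystemLook ":filefind" format; the three lines and
# their hashes are copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
Searching for "afd.sys "
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------- 138112 bytes [06:14 04/08/2004] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138496 bytes [06:01 29/08/2002] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [06:01 29/08/2002] [13:49 17/08/2011] 8E1525B090D8CB5427042AB21202196C
"""

# One result line (format assumed from the log above):
# path, 7 attribute flags, size, [created] [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


class Entry(NamedTuple):
    path: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(text: str) -> List[Entry]:
    """Parse the result lines of a SystemLook :filefind block; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"]), m["created"],
                                 m["modified"], m["md5"].upper()))
    return entries


def _find(entries: List[Entry], suffix: str) -> Optional[Entry]:
    return next((e for e in entries if e.path.lower().endswith(suffix.lower())), None)


def compare_driver(entries: List[Entry], name: str) -> Dict[str, object]:
    """Compare the live driver with the Windows File Protection copy in dllcache.

    A differing hash with identical size and modification time is what a driver
    overwritten in place looks like; a legitimate update also changes the time.
    """
    live = _find(entries, r"\system32\drivers\%s" % name)
    cache = _find(entries, r"\system32\dllcache\%s" % name)
    if live is None or cache is None:
        return {"live": live, "cache": cache, "mismatch": None,
                "same_metadata": None, "verdict": "missing live or dllcache copy"}
    mismatch = live.md5 != cache.md5
    same_meta = live.size == cache.size and live.modified == cache.modified
    if not mismatch:
        verdict = "live driver matches dllcache copy"
    elif same_meta:
        verdict = "hash differs, size and timestamp match: likely patched in place"
    else:
        verdict = "hash and metadata differ: compare versions before replacing"
    return {"live": live, "cache": cache, "mismatch": mismatch,
            "same_metadata": same_meta, "verdict": verdict}
```

The dllcache copy is only a reference, not proof of cleanliness on its own; a hash lookup against a vendor list or an online scanner, as done with Jotti above, is still the confirming step.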


#15 jmfs21

jmfs21
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 03 January 2012 - 02:50 PM

Not quite that savvy lol. If there is another way, that would work much better. Thanks John



