I am 99% certain that all bugs have been purged. I've run everything (Malwarebytes, SUPERAntiSpyware, MS File Scanner, ComboFix, ...) multiple times until they came clean.
Well, I've been able to copy AFD.sys from a windows\winsxs subfolder, and it remains in System32\drivers now. I've been through takeown and setting administrator rights on the entire Drivers folder. All in SAFE MODE.
BUT if I run SFC, it fails at 87% and reports that it cannot fix AFD.sys as the last line. There appear to be 4 copies of AFD.sys in winsxs "x86..." folders.
I've tried about every one of them, but SFC still fails. I know it's failing on AFD, but I have no idea why any more. It is also giving errors on two INF files that I edited to be able to remove and then add TCP to the winsock stack, but it continues past them. I'm about to try a repair install, but I haven't had a lot of luck doing this with Vista and Win7.
ComboFix 11-12-30.02 - Joe 01/01/2012 20:49:06.10.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2936.2143 [GMT -5:00]
Running from: c:\users\Joe\Desktop\Tool Box\AdvancedTools\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 01:58 . 2012-01-02 01:58 -------- d-----w- c:\users\Joe\AppData\Local\temp
2012-01-02 01:58 . 2012-01-02 01:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-01-02 01:58 . 2012-01-02 01:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 01:58 . 2012-01-02 01:58 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-01-01 02:40 . 2008-01-21 02:23 118784 ----a-w- c:\windows\system32\drivers\E1G60I32.sys
2012-01-01 02:40 . 2006-11-02 08:51 79360 ----a-w- c:\windows\system32\drivers\parport.sys
2012-01-01 00:05 . 2009-04-11 04:47 273920 --s-a-r- c:\windows\system32\drivers\afd.sys
2011-12-31 21:25 . 2008-11-06 07:03 -------- d-----w- C:\SDFix
2011-12-31 17:33 . 2011-12-31 17:33 956854 ----a-w- C:\protected.reg
2011-12-30 17:13 . 2011-12-30 17:13 90992 ----a-w- C:\safenetwork.reg
2011-12-30 16:35 . 2011-12-30 16:36 397188256 ----a-w- C:\safe4.reg
2011-12-29 22:42 . 2011-12-30 15:53 -------- d-----w- c:\users\JPS
2011-12-29 16:54 . 2011-12-29 16:54 397649062 ----a-w- C:\safe3.reg
2011-12-28 14:11 . 2011-12-28 14:11 -------- d-----w- c:\windows\OPTIONS
2011-12-28 14:11 . 2008-01-16 07:09 280576 ----a-w- c:\windows\system32\drivers\rtl8187Se.sys
2011-12-28 14:11 . 2011-12-28 14:11 -------- d-----w- c:\program files\REALTEK Wireless LAN Driver
2011-12-27 23:03 . 2011-12-27 23:03 -------- d-----w- c:\program files\Marvell
2011-12-27 22:56 . 2011-12-27 22:56 -------- d-----w- c:\windows\system32\safe
2011-12-27 22:38 . 2011-12-27 22:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-12-27 13:02 . 2011-12-27 19:08 -------- d-----w- c:\program files\CCleaner
2011-12-27 00:24 . 2011-12-31 22:19 -------- d-----w- c:\windows\system32\drivers\bad
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-30 14:40 . 2011-05-20 11:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-12 145944]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-12 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-12 170520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
2011-01-13 15:21 1111040 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-06-07 21:48 362488 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-12-23 22:05 143360 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmAudio]
2008-08-05 15:22 2701880 ------w- c:\program files\CONEXANT\SmartAudio\SmAudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-11-11 17:35 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-06-07 21:47 2605424 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4176825988-320283645-1450970971-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R1 MpKsl2671112a;MpKsl2671112a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKsl2671112a.sys [x]
R1 MpKsl50cb6b42;MpKsl50cb6b42;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKsl50cb6b42.sys [x]
R1 MpKsl5ffb76fd;MpKsl5ffb76fd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{91C52F2C-DAE7-498A-B610-A3AD7A88B906}\MpKsl5ffb76fd.sys [x]
R1 MpKsla061a7a7;MpKsla061a7a7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKsla061a7a7.sys [x]
R1 MpKslb158f7db;MpKslb158f7db;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslb158f7db.sys [x]
R1 MpKslb1622944;MpKslb1622944;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslb1622944.sys [x]
R1 MpKslbb6f469f;MpKslbb6f469f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslbb6f469f.sys [x]
R1 MpKslc381c061;MpKslc381c061;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslc381c061.sys [x]
R1 MpKsle70f5378;MpKsle70f5378;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKsle70f5378.sys [x]
R1 MpKslec8045aa;MpKslec8045aa;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE1AEE63-98EB-4D05-989B-82297C2D5ADF}\MpKslec8045aa.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MHIKEY10;MHIKEY10;c:\windows\system32\Drivers\MHIKEY10.sys [2008-05-27 50560]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 gupdate1ca58cafd5c48f1;Google Update Service (gupdate1ca58cafd5c48f1);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 133104]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 133104]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-10-27 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-30 112128]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-07-15 51288]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-06-12 43608]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 19:06]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 19:06]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4176825988-320283645-1450970971-1000Core.job
- c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-18 17:15]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4176825988-320283645-1450970971-1000UA.job
- c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-18 17:15]
.
2011-12-31 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-10-26 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: dishnetwork.com\retailer
.
.
------- File Associations -------
.
.txt=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-01-01 20:58
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Everyone)
@Denied: (A) (Users)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2324)
c:\program files\Palm\PqiIcon.dll
.
Completion time: 2012-01-01 21:00:57
ComboFix-quarantined-files.txt 2012-01-02 02:00
ComboFix2.txt 2012-01-01 23:45
ComboFix3.txt 2012-01-01 23:21
ComboFix4.txt 2012-01-01 22:32
ComboFix5.txt 2012-01-02 01:47
.
Pre-Run: 218,676,559,872 bytes free
Post-Run: 218,609,639,424 bytes free
.
- - End Of File - - CA0F583B051E8895185ADA42F4796CDD
--------------------------SFC /SCANNOW log --------------------------------------------
EDITED OUT EVERYTHING BUT ERRORS
2012-01-02 10:43:24, Info CSI 00000006 [SR] Verifying 100 (0x00000064) components
2012-01-02 10:43:24, Info CSI 00000007 [SR] Beginning Verify and Repair transaction
2012-01-02 10:43:31, Info CSI 00000009 [SR] Verify complete
2012-01-02 10:45:23, Info CSI 00000088 [SR] Beginning Verify and Repair transaction
2012-01-02 10:45:27, Info CSI 00000089 [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:28{14}]"cdosys.dll.mui" from store
2012-01-02 10:45:29, Info CSI 0000008c [SR] Verify complete
2012-01-02 10:45:35, Info CSI 00000093 [SR] Beginning Verify and Repair transaction
2012-01-02 10:45:42, Info CSI 0000009b [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:32{16}]"comdlg32.dll.mui" from store
2012-01-02 10:45:43, Info CSI 0000009e [SR] Verify complete
2012-01-02 10:47:04, Info CSI 000000ca [SR] Beginning Verify and Repair transaction
2012-01-02 10:47:12, Info CSI 000000d3 [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:28{14}]"msimsg.dll.mui" from store
2012-01-02 10:47:13, Info CSI 000000e0 [SR] Verify complete
2012-01-02 10:47:47, Info CSI 00000104 [SR] Beginning Verify and Repair transaction
2012-01-02 10:47:50, Info CSI 00000105 [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:30{15}]"msprivs.dll.mui" from store
2012-01-02 10:48:13, Info CSI 00000115 [SR] Beginning Verify and Repair transaction
2012-01-02 10:48:23, Info CSI 0000012f [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:26{13}]"mlang.dll.mui" from store
2012-01-02 10:50:38, Info CSI 00000178 [SR] Beginning Verify and Repair transaction
2012-01-02 10:50:43, Info CSI 0000017a [SR] Repairing corrupted file [ml:520{260},l:36{18}]"\??\C:\Windows\Inf"\[l:24{12}]"nettcpip.inf" from store
2012-01-02 10:50:43, Info CSI 0000017b [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\System32\cs-CZ"\[l:48{24}]"UIAutomationCore.dll.mui" from store
2012-01-02 10:50:43, Info CSI 0000017d [SR] Repairing corrupted file [ml:520{260},l:36{18}]"\??\C:\Windows\Inf"\[l:20{10}]"netip6.inf" from store
2012-01-02 10:50:43, Info CSI 0000017f [SR] Verify complete
2012-01-02 10:50:43, Info CSI 00000180 [SR] Verifying 100 (0x00000064) components
2012-01-02 10:50:43, Info CSI 00000181 [SR] Beginning Verify and Repair transaction
2012-01-02 10:50:50, Info CSI 00000183 [SR] Verify complete
2012-01-02 10:50:50, Info CSI 00000184 [SR] Verifying 100 (0x00000064) components
2012-01-02 10:50:50, Info CSI 00000185 [SR] Beginning Verify and Repair transaction
2012-01-02 10:50:56, Info CSI 00000187 [SR] Verify complete
2012-01-02 10:50:57, Info CSI 00000188 [SR] Verifying 100 (0x00000064) components
2012-01-02 10:50:57, Info CSI 00000189 [SR] Beginning Verify and Repair transaction
2012-01-02 10:51:04, Info CSI 0000018d [SR] Verify complete
2012-01-02 10:51:04, Info CSI 0000018e [SR] Verifying 100 (0x00000064) components
2012-01-02 10:51:04, Info CSI 0000018f [SR] Beginning Verify and Repair transaction
2012-01-02 10:51:06, Info CSI 00000190 [SR] Cannot repair member file [l:14{7}]"afd.sys" of Microsoft-Windows-Winsock-Core, Version = 6.0.6002.18457, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
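The CBS.log line above names exactly which afd.sys SFC is looking for (component Microsoft-Windows-Winsock-Core, version 6.0.6002.18457), while the ComboFix listing shows the live c:\windows\system32\drivers\afd.sys with a 2009-04-11 timestamp, 273920 bytes and system/read-only attributes (--s-a-r-). The post says four copies were tried from winsxs by hand; the script below is an added example (editor's, not the poster's and not a Microsoft tool) that makes that comparison explicit instead of guessing: it pulls every "Cannot repair member file" entry out of CBS.log, inventories every afd.sys under System32\drivers and winsxs with its exact PE version, size, attributes and SHA-256, and reports whether the live driver is byte-identical to any store copy and whether any store copy carries the version SFC wants. It assumes an elevated PowerShell 2.0 or later on the same Vista x86 machine with the default %windir%; the file name and paths are parameters at the top.

```powershell
# Added example, not part of the original post. Inventories every afd.sys the
# servicing stack could draw on and compares it with what CBS.log says SFC
# needs. Assumes: elevated PowerShell 2.0+ on the same Vista x86 box, default
# %windir%. Get-FileHash does not exist on that PowerShell, so SHA-256 is
# computed with .NET directly.

$driverName  = 'afd.sys'
$cbsLog      = Join-Path $env:windir 'Logs\CBS\CBS.log'
$liveDir     = Join-Path $env:windir 'System32\drivers'
$searchRoots = @($liveDir, (Join-Path $env:windir 'winsxs'))

function Get-Sha256Hex($path) {
    $sha    = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# Exact four-part version from the PE resource (e.g. 6.0.6002.18457), without
# the "(vistasp2_gdr...)" suffix that the FileVersion string carries.
function Get-ExactVersion($fileInfo) {
    $v = $fileInfo.VersionInfo
    return '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
}

# 1. What SFC wants: every "[SR] Cannot repair member file" entry in CBS.log,
#    keyed by file name, with the component and version it was looking for.
$pattern = 'Cannot repair member file \[l:\d+\{\d+\}\]"(?<file>[^"]+)" of (?<component>[^,]+), Version = (?<version>[\d\.]+)'
$wanted = @{}
if (Test-Path $cbsLog) {
    foreach ($line in (Get-Content $cbsLog)) {
        if ($line -match $pattern) {
            $wanted[$matches['file'].ToLower()] = @{
                Component = $matches['component']
                Version   = $matches['version']
            }
        }
    }
}

# 2. Every copy on disk: the live driver plus all side-by-side store payloads.
$copies = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Filter $driverName -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Live       = ($_.DirectoryName -eq $liveDir)
                Version    = Get-ExactVersion $_
                Size       = $_.Length
                Modified   = $_.LastWriteTime
                Attributes = $_.Attributes.ToString()
                Sha256     = Get-Sha256Hex $_.FullName
                # OS drivers are catalog-signed and carry no embedded signature,
                # so this reads NotSigned on pre-5.1 PowerShell. It is kept only
                # to surface an unexpected *embedded* signature on a copy.
                Signature  = (Get-AuthenticodeSignature $_.FullName).Status.ToString()
            }
        }
}

$copies | Sort-Object Version, Path |
    Format-Table Live, Version, Size, Attributes, Modified, Sha256, Path -AutoSize

# 3. Verdict: does the live file match anything in the store, and does the
#    store hold the version SFC is asking for?
$live  = $copies | Where-Object { $_.Live } | Select-Object -First 1
$store = $copies | Where-Object { -not $_.Live }
$want  = $wanted[$driverName.ToLower()]

if ($live) {
    $twin = $store | Where-Object { $_.Sha256 -eq $live.Sha256 }
    if ($twin) { "Live $driverName is byte-identical to: $($twin | ForEach-Object { $_.Path })" }
    else       { "Live $driverName matches NO store copy by hash: a version the store lacks, or a modified file." }
    if ($live.Attributes -match 'ReadOnly|System') {
        "Live copy attributes are [$($live.Attributes)]; the store copies above show what an untouched driver carries."
    }
}
if ($want) {
    "SFC wants $driverName from $($want.Component) version $($want.Version)"
    $cand = $store | Where-Object { $_.Version -eq $want.Version }
    if ($cand) { $cand | ForEach-Object { "  store copy with that exact version: $($_.Path)" } }
    else       { "  no store copy carries that version; SFC has nothing local to restore it from." }
}
```

Two things to read off the output. First, the hash column settles whether the file now sitting in System32\drivers is one of the winsxs copies or something else; a live driver that matches no store copy by hash is either a version the store never had or a file that has been altered, and in both cases SFC is right to refuse it. Second, the version column shows whether any of the "x86..." folders actually holds 6.0.6002.18457; if none does, copying the other versions in by hand can never satisfy SFC, because it compares against the component version in the CBS log, not against "an afd.sys". The Signature column is deliberately weak on this platform: Get-AuthenticodeSignature on Vista-era PowerShell does not consult the driver catalogs, so for a catalog-signed verification use sigverif.exe, or rely on the version-plus-hash comparison the script already does.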