Tech Support Forum banner
Not open for further replies.
1 - 8 of 8 Posts

· Registered
23 Posts
Hello everyone! I'm Sam, and my parents computer is acting up, I figured out the problem, but I don't know how to fix it. There is a virus that won't allow their computer to connect to the internet, well it connects just won't go to any websites. The virus protection program on their computer is going crazy cause it's trying to delete the virus but the computer won't let it delete it. You get the problem. There is a 'virus' of sorts in C:\Windows\System32\Drivers - 11th file down 'afd.sys' Any fixes or files you guys need let me know! Any help is welcome!
Also Adaware's 'name' for it is Lookslike.win32.sirefef.ud (v)

Attached at the DDS files, and Attach file, and ARK file. Help ASAP I will be on later tonight to check for any help.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19393 BrowserJavaVersion: 1.6.0_39
Run by BMN at 9:41:28 on 2013-02-16
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1918.980 [GMT -5:00]
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
============== Running Processes ================
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Ad-Aware Antivirus\Engine\SBAMSvc.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
============== Pseudo HJT Report ===============
uStart Page = hxxp://
uSearch Bar = Preserve
mStart Page = hxxp://{F0A33C4C-131B-40AE-9A8F-F00422BFBE86}
uSearchURL,(Default) = hxxp://
mSearchAssistant = hxxp://
mCustomizeSearch = hxxp://
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngin0.dll
TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} -
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngin0.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [SystemMonit] <no file>
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [SetRefresh] c:\program files\hp\setrefresh\SetRefresh.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SystemMonit] <no file>
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
StartupFolder: c:\users\bmn\appdata\roaming\microsoft\windows\start menu\programs\startup\winmpa.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Peggle/Images/armhelper.ocx
TCP: NameServer =
TCP: Interfaces\{506CF40D-7F51-4C3D-8A59-F080A517EC8A} : DHCPNameServer =
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
STS: ObjectDockShlExt Class - {1984D045-52CF-49cd-DB77-08F378FEA4DB} -
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {233807B5-2H70-13D0-A31Q-00BB00B32C03} - c:\windows\fonts\winlgoon.exe
================= FIREFOX ===================
FF - ProfilePath - c:\users\bmn\appdata\roaming\mozilla\firefox\profiles\d4tamaem.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGPPlugin.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\bmn\appdata\locallow\sony online entertainment\npsoe.dll
FF - plugin: c:\users\bmn\appdata\locallow\sony online entertainment\npsoeact.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - ExtSQL: 2013-02-15 16:33; {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2010-03-02 12:43; [email protected]; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
============= SERVICES / DRIVERS ===============
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-4-30 221784]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2012-3-18 101720]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-3-29 1161072]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-5-11 74968]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 fioo32;fioo32;c:\windows\system32\SvchOst.eXE -k fioo32 [2008-1-20 21504]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
S3 AirDisplay;Air Display Support;c:\windows\system32\drivers\AVVideoCard.sys [2010-9-7 6656]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [2010-6-3 13112]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-11-19 9472]
=============== File Associations ===============
FileExt: .chm: Mega Zipper.CHM="c:\program files\mega zipper\MegaZipper.exe" "%1" [UserChoice]
=============== Created Last 30 ================
2013-02-16 03:24:59 -------- d-sh--w- C:\found.000
2013-02-15 23:02:21 -------- d-----w- c:\windows\system32\SPReview
2013-02-15 23:01:25 215475 ----a-w- c:\windows\oem_uninst.exe
2013-02-15 21:32:59 477616 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-15 21:14:41 -------- d-----w- c:\program files\Mozilla Maintenance Service
==================== Find3M ====================
2013-02-15 21:32:20 473520 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-11-23 01:35:53 2048000 ----a-w- c:\windows\system32\win32k.sys
2012-11-20 04:22:50 204288 ----a-w- c:\windows\system32\ncrypt.dll
2010-01-29 02:45:51 306840 --sh--w- c:\windows\fonts\hid.exe
2010-01-29 02:38:55 863448 --sh--w- c:\windows\fonts\winlgoon.exe
============= FINISH: 9:50:09.31 ===============


· Registered
754 Posts
Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

· Registered
754 Posts
Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Malwarebytes Anti-rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.
Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.

· Registered
754 Posts
Run MBAR again. If anything suspicious is found, select Cure and reboot your machine. Repeat this procedure until no more detections are reported by the tool.

When finished, navigate to the dirctory where you unzipped mbar to and run fixdamage.exe by right click-->Run as administrator. Reboot your machine.

Create a new dds log (like the one you reported when starting the topic) and post its contents in here.

Also do the following:

Please go to here to run the online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

· Registered
23 Posts
Discussion Starter · #7 ·
Yeah, I have been under the weather, Sick, and very busy. I'll do all that tonight. I was hoping you were still here I was getting worried cause I hadn't responded. Thanks :)

· TSF Security Manager, Emeritus
42,952 Posts
Due to lack of response, this thread has been closed.

If you still require assistance, please send me a PM (Personal Message)

1 - 8 of 8 Posts
Not open for further replies.