[bhzendner]

I does not seem to want to upload after I select the file it just sits there?

[Advertisements]

Please wait, do not close the window until the upload ends.

The time required for this operation depends on the file size, the net load and your connection speed.

Computing hash...

 

[bhzendner]

Please wait, do not close the window until the upload ends.

The time required for this operation depends on the file size, the net load and your connection speed.

Computing hash...

 

[bhzendner]

Still not done....

[Machiavelli]

• OK, then open Explorer and go to C:\WINDOWS\system32\Drivers\afd.sys 
• Do a Right click on afd.sys - then click on Send To - and then select Compressed (zipped) folder
• Please send me that zip folder via PM (attach it to the PM or upload it somewhere) (How to send a PM: Go to my profile (http://www.geekstogo...19-machiavelli/) and click on "Send me a message")

[bhzendner]

AFD

Attached Files

•  afd.zip   78.48KB   104 downloads

[bhzendner]

Got it. Do your magic. LOL

[Machiavelli]

 Hey,
I have no idea what's going on here. The logs says "INFECTED" , I say "CLEAN" (AFD.sys) ... I have the feeling there's something very , very deep in the system. I will use for now a powerful tool ....

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

Please download Combofix from one of the following locations:
 

Download Mirror #1
Download Mirror #2
Download Mirror #3

Note: You must save this directly to your Desktop.

• Save any open documents, then close any open programs.
• Disable all anti-virus and anti-malware software to prevent them inhibiting Combofix in any way. If you are unsure how to do this, see THIS
• Double-click on combofix.exe then follow the on screen prompts
• When Combofix finishes, it will open the log. Please Copy (Ctrl + C) and Paste (Ctrl + V) all of this text into your next post.

If, for whatever reason, the log does not open, it can be found in this location: [b]C:\combofix.txt[/b

[bhzendner]

ComboFix 14-04-08.01 - Subash 04/08/2014   8:28.1.2 - x86 NETWORK

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3071.2426 [GMT -7:00]

Running from: c:\documents and settings\Subash\Desktop\ComboFix.exe

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\administrator.AEROPRODUCTS\g2mdlhlpx.exe

c:\documents and settings\administrator.AEROPRODUCTS\GoToAssistDownloadHelper.exe

c:\documents and settings\administrator.AEROPRODUCTS\WINDOWS

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Subash.AEROPRODUCTS\g2mdlhlpx.exe

c:\documents and settings\Subash.AEROPRODUCTS\GoToAssistDownloadHelper.exe

c:\documents and settings\Subash\WINDOWS

c:\windows\system32\drivers\48e909b1a349b297.sys

.

c:\windows\system32\drivers\i8042prt.sys . . . is missing!!

.

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_48e909b1a349b297

-------\Service_48e909b1a349b297

.

.

(((((((((((((((((((((((((   Files Created from 2014-03-08 to 2014-04-08  )))))))))))))))))))))))))))))))

.

.

2014-04-07 19:42 . 2014-04-07 19:42 -------- d-----w- c:\windows\ULQ634KLMCS89LMR

2014-04-07 15:21 . 2014-04-07 15:21 -------- d-----w- c:\windows\ERUNT

2014-04-07 15:18 . 2014-04-07 16:02 -------- d-----w- C:\AdwCleaner

2014-04-07 15:10 . 2014-04-07 15:10 -------- d-----w- C:\_OTL

2014-04-04 21:27 . 2014-04-08 14:07 30976 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys

2014-04-04 21:26 . 2014-04-04 21:26 -------- d-----w- c:\program files\HitmanPro

2014-04-04 21:26 . 2014-04-04 21:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2014-04-04 20:37 . 2014-04-04 20:37 -------- d-----w- C:\SUPERDelete

2014-04-04 20:37 . 2014-04-04 20:37 -------- d-----w- c:\documents and settings\Subash\Application Data\SUPERAntiSpyware.com

2014-04-04 20:37 . 2014-04-04 20:37 -------- d-----w- c:\program files\SUPERAntiSpyware

2014-04-04 20:37 . 2014-04-04 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2014-04-04 20:37 . 2014-04-08 20:54 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-04-04 20:36 . 2014-04-05 00:54 -------- d-----w- c:\program files\Malwarebytes Anti-Malware

2014-04-04 20:36 . 2014-04-04 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2014-04-04 20:36 . 2014-04-03 16:51 50648 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-04-04 20:36 . 2014-04-03 16:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-04-04 20:35 . 2014-04-04 20:35 -------- d-----w- c:\program files\CCleaner

2014-04-04 20:27 . 2014-04-04 20:27 -------- d-----w- c:\program files\CleanUp!

2014-03-26 22:55 . 2014-02-26 01:59 13312 -c----w- c:\windows\system32\dllcache\xp_eos.exe

2014-03-17 20:34 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2014-03-17 20:34 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-03-12 15:54 . 2012-04-03 21:30 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2014-03-12 15:54 . 2011-07-19 15:23 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2014-02-24 11:46 . 2008-04-25 16:16 920064 ----a-w- c:\windows\system32\wininet.dll

2014-02-24 11:45 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll

2014-02-24 11:45 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl

2014-02-24 11:45 . 2008-04-25 16:16 18944 ----a-w- c:\windows\system32\corpol.dll

2014-02-24 10:54 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec

2014-02-07 02:01 . 2008-04-25 16:16 1879040 ----a-w- c:\windows\system32\win32k.sys

2014-02-05 08:55 . 2008-04-25 16:16 562688 ----a-w- c:\windows\system32\qedit.dll

2014-01-22 14:19 . 2012-01-18 21:18 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2014-01-22 14:19 . 2012-01-18 21:18 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

2014-01-22 14:19 . 2012-01-18 21:18 31560 ----a-w- c:\windows\system32\LMIport.dll

2014-01-22 14:19 . 2012-01-18 21:18 85832 ----a-w- c:\windows\system32\LMIinit.dll

2012-10-24 17:50 . 2012-11-20 00:09 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-09-17 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]

"tvncontrol"="c:\program files\ShowMyPCService\tvnserver.exe" [2010-07-08 815704]

"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2013-03-07 30744]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

"FAXPrint"="c:\windows\system32\awadpr32.exe" [1996-08-24 9728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n [2005-5-3 81920]

UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2012-12-5 415328]

UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2013-3-7 40472]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2014-01-29 21:20 14232 ----a-w- c:\program files\Citrix\GoToAssist\896\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2014-01-22 14:19 85832 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-08-18 22:19 57344 ----a-w- c:\windows\ALCMTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 18:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 16:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

2011-09-16 22:10 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2009-02-05 01:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-08-18 22:20 16806912 ----a-w- c:\windows\RTHDCPL.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"stllssvr"=3 (0x3)

"SQLWriter"=2 (0x2)

"WSearch"=2 (0x2)

"YahooAUService"=2 (0x2)

"wlidsvc"=2 (0x2)

"sprtsvc_dellsupportcenter"=2 (0x2)

"MSSQLServerADHelper"=3 (0x3)

"LogMeIn"=2 (0x2)

"BBSvc"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [10/10/2013 3:54 PM 120088]

R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [4/4/2014 2:26 PM 106248]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/31/2012 10:30 PM 375120]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/16/2011 3:10 PM 13624]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [4/4/2014 1:36 PM 1809720]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [4/4/2014 1:36 PM 857912]

R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]

R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [1/3/2014 12:29 PM 5341536]

R2 tvnserver;TightVNC Server;c:\program files\ShowMyPCService\tvnserver.exe [7/8/2010 6:28 AM 815704]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/4/2014 1:36 PM 23256]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [4/4/2014 1:37 PM 107736]

S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]

S3 Diag69xp;Diag69xp;c:\windows\system32\Drivers\Diag69xp.sys --> c:\windows\system32\Drivers\Diag69xp.sys [?]

S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [4/4/2014 2:27 PM 30976]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/13/2013 3:06 PM 27064]

S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - IPFILTERDRIVER

*NewlyCreated* - MBAMSWISSARMY

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-03-17 14:06 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-04-08 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 15:54]

.

2014-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-17 13:13]

.

2014-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-17 13:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com...rch/search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: Interfaces\{14C44912-03C0-4394-8874-C95241E87D13}: NameServer = 8.8.8.8

FF - ProfilePath - c:\documents and settings\Subash\Application Data\Mozilla\Firefox\Profiles\xsxu6q43.default\

FF - prefs.js: network.proxy.type - 0

FF - ExtSQL: !HIDDEN! 2009-07-20 18:48; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-8169Diag - c:\program files\Realtek\Diagnostics Utility\8169Diag.exe

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2014-04-08 13:55

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...  

.

scanning hidden autostart entries ... 

.

scanning hidden files ...  

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(796)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\896\G2AWinLogon.dll

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(596)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Java\jre7\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\Malwarebytes Anti-Malware\mbam.exe

c:\program files\HitmanPro\HitmanPro.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

.

**************************************************************************

.

Completion time: 2014-04-08  13:58:24 - machine was rebooted

ComboFix-quarantined-files.txt  2014-04-08 20:58

.

Pre-Run: 127,888,941,056 bytes free

Post-Run: 124,873,285,632 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=30

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 0962B1823171CD39DAD600BC40DB95CA

5C616939100B85E558DA92B899A0FC36

[bhzendner]

What do you think am I clean? It boots in normal mode now.

[Machiavelli]

Hello,

What do you think am I clean? It boots in normal mode now.

No, there are still some things to do.

Step 1: ComboFix Fix

• Close all open Windows and disable all anti-virus and anti-malware software to prevent them inhibiting Combofix in any way. If you are unsure how to do this, see THIS
• Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad
  
  

  KillAll::
  
  Folder::
  c:\windows\ULQ634KLMCS89LMR
  
  DDS::
  mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com...rch/search.html
  

• Go to File > Save As... and save it to your Desktop named CFScript.txt.
  
  
• Referring to the picture above, drag CFScript.txt into ComboFix.exe
• When finished, it will produce a log that can be found at C:\ComboFix.txt. Copy and paste the contents of this into your next post please.

Step 2: Fixing Service

• Download SharedAccess.Reg and save it on your Desktop
• Locate SharedAccess.reg on your Desktop and double-click on it to merge it with your registry
• Answer Yes when prompted about merging with the registry

Step 3: Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FSS icon and select Run as Administrator)
Make sure the following options are checked:

• Internet Services
• Windows Firewall
• System Restore
• Security Center
• Windows Update

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

[bhzendner]

ComboFix 14-04-09.02 - Subash 04/09/2014  12:20:41.2.2 - x86

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3071.2111 [GMT -7:00]

Running from: c:\documents and settings\Subash\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Subash\Desktop\CFScript.txt

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\ULQ634KLMCS89LMR

.

c:\windows\system32\drivers\i8042prt.sys . . . is missing!!

.

.

(((((((((((((((((((((((((   Files Created from 2014-03-09 to 2014-04-09  )))))))))))))))))))))))))))))))

.

.

2014-04-09 01:47 . 2014-04-09 01:47 -------- d-----w- c:\documents and settings\Subash\Application Data\Roxio

2014-04-09 01:04 . 2014-04-09 01:04 -------- d-----w- c:\program files\Microsoft Download Manager

2014-04-09 01:02 . 2014-04-09 01:02 57344 ----a-r- c:\documents and settings\Subash\Application Data\Microsoft\Installer\{3E9F3D5C-8B49-5854-ACF6-75EE3C96A6CC}\NewShortcut1_F3FECDDB618046699EBFBFAD3F0D5BC9.exe

2014-04-09 01:01 . 2014-04-09 01:01 -------- d-----w- c:\program files\Paragon Software

2014-04-09 01:01 . 2014-04-09 01:01 -------- d-----w- C:\ImageStorage

2014-04-09 00:59 . 2014-04-09 00:59 -------- d-----w- c:\documents and settings\Subash\Local Settings\Application Data\Downloaded Installations

2014-04-08 15:37 . 2014-02-26 01:59 13312 ------w- c:\windows\system32\xp_eos.exe

2014-04-07 15:21 . 2014-04-07 15:21 -------- d-----w- c:\windows\ERUNT

2014-04-07 15:18 . 2014-04-07 16:02 -------- d-----w- C:\AdwCleaner

2014-04-07 15:10 . 2014-04-07 15:10 -------- d-----w- C:\_OTL

2014-04-04 21:26 . 2014-04-04 21:26 -------- d-----w- c:\program files\HitmanPro

2014-04-04 21:26 . 2014-04-04 21:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2014-04-04 20:37 . 2014-04-04 20:37 -------- d-----w- C:\SUPERDelete

2014-04-04 20:37 . 2014-04-04 20:37 -------- d-----w- c:\documents and settings\Subash\Application Data\SUPERAntiSpyware.com

2014-04-04 20:37 . 2014-04-04 20:37 -------- d-----w- c:\program files\SUPERAntiSpyware

2014-04-04 20:37 . 2014-04-04 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2014-04-04 20:37 . 2014-04-09 19:09 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-04-04 20:36 . 2014-04-05 00:54 -------- d-----w- c:\program files\Malwarebytes Anti-Malware

2014-04-04 20:36 . 2014-04-04 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2014-04-04 20:36 . 2014-04-03 16:51 50648 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-04-04 20:36 . 2014-04-03 16:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-04-04 20:35 . 2014-04-04 20:35 -------- d-----w- c:\program files\CCleaner

2014-04-04 20:27 . 2014-04-04 20:27 -------- d-----w- c:\program files\CleanUp!

2014-03-26 22:55 . 2014-02-26 01:59 13312 -c----w- c:\windows\system32\dllcache\xp_eos.exe

2014-03-17 20:34 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2014-03-17 20:34 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-03-12 15:54 . 2012-04-03 21:30 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2014-03-12 15:54 . 2011-07-19 15:23 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2014-02-24 11:46 . 2008-04-25 16:16 920064 ----a-w- c:\windows\system32\wininet.dll

2014-02-24 11:45 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll

2014-02-24 11:45 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl

2014-02-24 11:45 . 2008-04-25 16:16 18944 ----a-w- c:\windows\system32\corpol.dll

2014-02-24 10:54 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec

2014-02-07 02:01 . 2008-04-25 16:16 1879040 ----a-w- c:\windows\system32\win32k.sys

2014-02-05 08:55 . 2008-04-25 16:16 562688 ----a-w- c:\windows\system32\qedit.dll

2014-01-22 14:19 . 2012-01-18 21:18 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2014-01-22 14:19 . 2012-01-18 21:18 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

2014-01-22 14:19 . 2012-01-18 21:18 31560 ----a-w- c:\windows\system32\LMIport.dll

2014-01-22 14:19 . 2012-01-18 21:18 85832 ----a-w- c:\windows\system32\LMIinit.dll

2012-10-24 17:50 . 2012-11-20 00:09 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-09-17 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]

"tvncontrol"="c:\program files\ShowMyPCService\tvnserver.exe" [2010-07-08 815704]

"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2013-03-07 30744]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

"FAXPrint"="c:\windows\system32\awadpr32.exe" [1996-08-24 9728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n [2005-5-3 81920]

UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2012-12-5 415328]

UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2013-3-7 40472]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2014-01-29 21:20 14232 ----a-w- c:\program files\Citrix\GoToAssist\896\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2014-01-22 14:19 85832 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-08-18 22:19 57344 ----a-w- c:\windows\ALCMTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 18:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 16:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

2011-09-16 22:10 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2009-02-05 01:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-08-18 22:20 16806912 ----a-w- c:\windows\RTHDCPL.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"stllssvr"=3 (0x3)

"SQLWriter"=2 (0x2)

"WSearch"=2 (0x2)

"YahooAUService"=2 (0x2)

"wlidsvc"=2 (0x2)

"sprtsvc_dellsupportcenter"=2 (0x2)

"MSSQLServerADHelper"=3 (0x3)

"LogMeIn"=2 (0x2)

"BBSvc"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [10/10/2013 3:54 PM 120088]

R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [4/4/2014 2:26 PM 106248]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/31/2012 10:30 PM 375120]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/16/2011 3:10 PM 13624]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [4/4/2014 1:36 PM 1809720]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [4/4/2014 1:36 PM 857912]

R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]

R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [1/3/2014 12:29 PM 5341536]

R2 tvnserver;TightVNC Server;c:\program files\ShowMyPCService\tvnserver.exe [7/8/2010 6:28 AM 815704]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/4/2014 1:36 PM 23256]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [4/4/2014 1:37 PM 107736]

S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]

S3 Diag69xp;Diag69xp;c:\windows\system32\Drivers\Diag69xp.sys --> c:\windows\system32\Drivers\Diag69xp.sys [?]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/13/2013 3:06 PM 27064]

S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-03-17 14:06 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-04-09 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 15:54]

.

2014-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-17 13:13]

.

2014-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-17 13:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 66.75.164.89 66.75.164.90 10.10.1.1 10.10.1.2

TCP: Interfaces\{14C44912-03C0-4394-8874-C95241E87D13}: NameServer = 10.10.1.1

FF - ProfilePath - c:\documents and settings\Subash\Application Data\Mozilla\Firefox\Profiles\xsxu6q43.default\

FF - prefs.js: network.proxy.type - 0

FF - ExtSQL: !HIDDEN! 2009-07-20 18:48; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2014-04-09 12:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...  

.

scanning hidden autostart entries ... 

.

scanning hidden files ...  

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(772)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\896\G2AWinLogon.dll

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(3588)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Java\jre7\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\Malwarebytes Anti-Malware\mbam.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

.

**************************************************************************

.

Completion time: 2014-04-09  12:31:58 - machine was rebooted

ComboFix-quarantined-files.txt  2014-04-09 19:31

ComboFix2.txt  2014-04-08 20:58

.

Pre-Run: 123,081,940,992 bytes free

Post-Run: 123,060,572,160 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 85A80EF1345C1B03E4FF3B45080CC211

5C616939100B85E558DA92B899A0FC36

 

Farbar Service Scanner Version: 25-02-2014

Ran by Subash (administrator) on 09-04-2014 at 12:33:05

Running from "C:\Documents and Settings\Subash\Desktop"

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

 

Internet Services:

============

 

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

 

 

Windows Firewall:

=============

 

Firewall Disabled Policy: 

==================

"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.

 

 

System Restore:

============

 

System Restore Disabled Policy: 

========================

 

 

Security Center:

============

 

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

 

 

Windows Update:

============

 

Windows Autoupdate Disabled Policy: 

============================

 

 

Other Services:

==============

 

 

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

 

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 

0x09000000040000000100000002000000030000000500000006000000070000000800000009000000

IpSec Tag value is correct.

 

**** End of log ****

[Machiavelli]

Hey,
looks better.

Step 1: Fixing a Service

• Download LEGACY_wscsvc.reg and save it on your Desktop
• Locate LEGACY_wscsvc.reg on your Desktop and double-click on it to merge it with your registry
• Answer Yes when prompted about merging with the registry

Step 2: Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FSS icon and select Run as Administrator)

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

Step 3: TDSS Killer

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
• Put a checkmark beside loaded modules.
  
• A reboot will be needed to apply the changes. Do it.
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
• Then click on Change parameters in TDSSKiller.
• Check all boxes then click OK.
• Click the Start Scan button.
  
• The scan should take no longer than 2 minutes.
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
• 
  Please download the latest version of TDSSKiller from here and save it to your Desktop.

Step 4: Question

How is your PC running?

[Machiavelli]

Sorry , I forgot to say (additional to Step 3):

Please download the latest version of TDSSKiller from here and save it to your Desktop.

[bhzendner]

Was unable to merge with the registry. Error accesssing the registry.

 

=========

 

Farbar Service Scanner Version: 25-02-2014

Ran by Subash (administrator) on 09-04-2014 at 14:35:11

Running from "C:\Documents and Settings\Subash\Desktop"

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

 

Internet Services:

============

 

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

 

 

Windows Firewall:

=============

 

Firewall Disabled Policy: 

==================

"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.

 

 

System Restore:

============

 

System Restore Disabled Policy: 

========================

 

 

Security Center:

============

 

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

 

 

Windows Update:

============

 

Windows Autoupdate Disabled Policy: 

============================

 

 

Other Services:

==============

 

 

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

 

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 

0x09000000040000000100000002000000030000000500000006000000070000000800000009000000

IpSec Tag value is correct.

 

**** End of log ****

[Machiavelli]

OK forget this step for now and proceed with step 3.