Hi,

I realized that something is wrong with my office computer. I cannot access the Microsoft Update webpage; then I tried to access the Spybot webpage, no access. I did some research and found that Malwarebytes is one of the best; this website is also blocked...

When I google something and click the links, I am redirected to something different, ads; Google, Firefox, Chrome all have the same problem...

I have run a full scan with Symantec Endpoint several times; it says it removed 2-3 trojans, but the problem still exists.

The symptoms started with an "ntload.dll Windows image is not valid" message. I thought it was a Windows error, but then after I saw that my Symantec was not working, I uninstalled and reinstalled it and scanned the computer, and I found viruses...

Also, I tried to run Windows in safe mode, but it did not work... One of the important symptoms regarding this problem is a network problem. When I right-click on the local network connection, it gives an error. I cannot access the network properties. I cannot update my Windows, I cannot access the download.microsoft.com website, etc...

I also tried to use System Restore; it did not work either... I am still trying to reach the network properties, but I am still getting errors...

Here is my HijackThis report. I will also do ComboFix, as I've spent time on the forum and seen that it's been asked to do ComboFix or TDSS; I will do both of them...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:37:37 PM, on 2/13/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe

C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe

C:\Program Files\Sunbelt Software\CounterSpy\sbamui.exe

C:\Documents and Settings\gdemirka\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usf.edu

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usf.edu

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Information Technology

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Java

This is the Malwarebytes result:

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/14/2010 7:15:11 AM

mbam-log-2010-02-14 (07-15-11).txt

Scan type: Full Scan (C:\|)

Objects scanned: 576374

Time elapsed: 5 hour(s), 5 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Veusz\POWRPROF.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\00003b07.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.

I am waiting for your directions; I really appreciate your help, guys...

I copied the ComboFix result here. I also did TDSS and found no problem... However, I still cannot access the Windows Update page...

ComboFix 10-02-12.01 - gdemirka 02/14/2010 12:28:48.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2689 [GMT -5:00]

Running from: c:\documents and settings\gdemirka\My Documents\Downloads\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\recycler\S-1-5-21-1644491937-746137067-1606980848-18130

c:\windows\system32\ssprs.dll

----- BITS: Possible infected sites -----

hxxp://sccm4.forest.usf.edu:2712

.

((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))

.

2010-02-14 04:11 . 2010-02-14 04:11 -------- d-----w- c:\documents and settings\gdemirka\Application Data\Malwarebytes

2010-02-14 04:11 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-14 04:11 . 2010-02-14 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-14 04:11 . 2010-02-14 04:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-14 04:11 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-13 23:48 . 2010-02-13 23:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-02-13 21:27 . 2010-02-13 21:27 -------- d-sh--w- c:\documents and settings\gdemirka\IECompatCache

2010-02-13 21:13 . 2010-02-13 21:13 -------- d-----w- c:\documents and settings\gdemirka\Local Settings\Application Data\Western Digital

2010-02-13 00:15 . 2010-02-13 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-01-28 14:15 . 2010-01-28 14:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-01-22 18:35 . 2010-01-22 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-14 12:21 . 2009-07-07 03:08 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-12 18:07 . 2009-06-02 19:05 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-12 18:05 . 2009-06-02 19:05 -------- d-----w- c:\program files\Symantec

2010-02-12 18:05 . 2009-06-02 19:06 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-02-12 18:05 . 2009-06-02 19:06 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-02-12 18:05 . 2009-06-02 19:06 60808 -c--a-w- c:\windows\system32\S32EVNT1.DLL

2010-02-12 18:05 . 2009-06-02 19:06 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-02-12 00:46 . 2009-06-30 16:17 88296 ----a-w- c:\documents and settings\gdemirka\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-11 21:16 . 2009-06-30 23:31 -------- d-----w- c:\documents and settings\gdemirka\Application Data\FileZilla

2010-02-10 06:19 . 2009-09-25 22:11 242064 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-10 06:01 . 2009-04-07 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-05 00:27 . 2009-08-04 21:40 61966 ----a-w- c:\documents and settings\All Users\Application Data\Aspell\Uninstall-AspellData.exe

2010-02-05 00:27 . 2009-11-04 14:45 -------- d-----w- c:\program files\LyX16

2010-02-03 18:39 . 2009-07-07 03:16 -------- d-----w- c:\documents and settings\gdemirka\Application Data\SolidWorks

2010-01-29 18:40 . 2009-11-06 19:52 -------- d-----w- c:\program files\Veetle

2010-01-21 01:06 . 2009-04-07 18:33 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-12 14:13 . 2010-01-11 15:36 -------- d-----r- c:\program files\Skype

2010-01-11 23:06 . 2010-01-11 15:36 -------- d-----w- c:\documents and settings\gdemirka\Application Data\Skype

2010-01-11 21:08 . 2010-01-11 15:38 -------- d-----w- c:\documents and settings\gdemirka\Application Data\skypePM

2010-01-11 15:38 . 2010-01-11 15:38 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-01-11 15:36 . 2010-01-11 15:36 -------- d-----w- c:\program files\Common Files\Skype

2010-01-11 15:36 . 2010-01-11 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-01-11 15:30 . 2010-01-11 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications

2010-01-11 02:21 . 2010-01-11 02:21 -------- d-----w- c:\documents and settings\gdemirka\Application Data\SAMEXE

2010-01-06 21:24 . 2009-09-07 13:40 -------- d-----w- c:\documents and settings\gdemirka\Application Data\vlc

2010-01-04 19:51 . 2009-09-16 22:38 -------- d-----w- c:\program files\Paint.NET

2010-01-04 18:17 . 2009-06-30 23:31 -------- d-----w- c:\program files\FileZilla FTP Client

2009-12-31 16:50 . 2009-04-07 20:39 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2009-04-07 20:39 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-04-07 16:43 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2009-04-07 20:39 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-11 22:50 . 2009-04-07 20:39 328728 ----a-w- c:\windows\system32\drivers\iaStor.sys

2009-12-08 19:26 . 2008-04-14 00:54 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2009-04-07 20:39 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2009-04-07 20:39 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2009-04-07 20:39 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2009-04-07 20:39 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2009-04-07 20:39 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-21 15:51 . 2009-04-07 20:39 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-30 115560]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-03-05 1044480]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-08 13529088]

c:\documents and settings\gdemirka\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-150927795-2069884688-1238954376-16344\Scripts\Logon\0\0]

"Script"=Coll and Dept User Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-150927795-2069884688-1238954376-16344\Scripts\Logon\1\0]

"Script"=ENG Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-746137067-1606980848-12813\Scripts\Logon\0\0]

"Script"=che logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-746137067-1606980848-12813\Scripts\Logon\1\0]

"Script"=Main ENG.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^gdemirka^Start Menu^Programs^Startup^..]

path=c:\documents and settings\gdemirka\Start Menu\Programs\Startup\..

backup=c:\windows\pss\..Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-09-01 00:27 1658592 ----a-w- c:\program files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\windows\\pchealth\\helpctr\\binaries\\HelpSvc.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"135:TCP"= 135:TCP:WINS

"2568:TCP"= 2568:TCP:SMS-HEALTH

"8081:TCP"= 8081:TCP:EPO-Agent

"6129:TCP"= 6129:TCP:DWRC

"2701:TCP"= 2701:TCP:SMS-RC

"2701:UDP"= 2701:UDP:SMS-RC

"2702:TCP"= 2702:TCP:SMS-RC

"2702:UDP"= 2702:UDP:SMS-RC

"2703:TCP"= 2703:TCP:SMS-CHAT

"2703:UDP"= 2703:UDP:SMS-CHAT

"2704:TCP"= 2704:TCP:SMS-XFER

"2704:UDP"= 2704:UDP:SMS-XFER

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]

"Enabled"= 1 (0x1)

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [4/7/2009 3:37 PM 24064]

R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 12:00 AM 316992]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [4/7/2009 3:37 PM 144480]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 11:56 AM 102448]

S2 gupdate1ca4dcda1776a65;Google Update Service (gupdate1ca4dcda1776a65);c:\program files\Google\Update\GoogleUpdate.exe [10/15/2009 2:28 PM 133104]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/2/2009 6:44 AM 23888]

S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks 2009\swScheduler\DTSCoordinatorService.exe [1/31/2009 5:01 AM 83240]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 19:28]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-15 19:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.usf.edu

uInternet Settings,ProxyOverride = <local>

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Trusted Zone: usf.edu

TCP: {1F8CFB5D-E2F6-473C-B0DF-8502262DEFCB} = 93.188.165.187,93.188.161.76

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}

FF - ProfilePath - c:\documents and settings\gdemirka\Application Data\Mozilla\Firefox\Profiles\3ogvtral.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.usf.edu/

FF - plugin: c:\documents and settings\gdemirka\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\gdemirka\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13122.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-Lavasoft Ad-Aware Service

SafeBoot-Symantec Antvirus

MSConfigStartUp-F5JMWNZTHI - c:\docume~1\gdemirka\LOCALS~1\Temp\Rhk.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-14 12:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x8A8C58C8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba17cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9e1f852

\Driver\iaStor -> iaStor.sys @ 0xb9e7ac0c

IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® 82567LM-3 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9cd3bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9ce0a21

SendHandler -> NDIS.sys @ 0xb9cbe87b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'winlogon.exe'(764)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1256)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-02-14 12:39:42

ComboFix-quarantined-files.txt 2010-02-14 17:39

Pre-Run: 129,622,921,216 bytes free

Post-Run: 130,165,514,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 71508DDAD2B64CFEB18AFCC44BC27B7F

No help? Guys, please, I need to clean up my office computer, as I am also working on my dissertation. I would really appreciate it if you can help me out on this...

After I did a full scan and a quick scan with Malwarebytes, I still have no access to Windows Update.

I also updated my network driver; I still cannot see the properties.

I was unable to reach the Malwarebytes website; after I tried for one hour, now I can access it. I do not know how I got access, but I still cannot reach Windows Update.

I also ran TDSS and ComboFix... I did ComboFix twice; the second log says nothing is wrong, but the problems still exist...

Thanks...


2010-01-21 01:06 . 2009-04-07 18:33 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-12 14:13 . 2010-01-11 15:36 -------- d-----r- c:\program files\Skype

2010-01-11 23:06 . 2010-01-11 15:36 -------- d-----w- c:\documents and settings\gdemirka\Application Data\Skype

2010-01-11 21:08 . 2010-01-11 15:38 -------- d-----w- c:\documents and settings\gdemirka\Application Data\skypePM

2010-01-11 15:38 . 2010-01-11 15:38 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-01-11 15:36 . 2010-01-11 15:36 -------- d-----w- c:\program files\Common Files\Skype

2010-01-11 15:36 . 2010-01-11 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-01-11 15:30 . 2010-01-11 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications

2010-01-11 02:21 . 2010-01-11 02:21 -------- d-----w- c:\documents and settings\gdemirka\Application Data\SAMEXE

2010-01-06 21:24 . 2009-09-07 13:40 -------- d-----w- c:\documents and settings\gdemirka\Application Data\vlc

2010-01-04 19:51 . 2009-09-16 22:38 -------- d-----w- c:\program files\Paint.NET

2010-01-04 18:17 . 2009-06-30 23:31 -------- d-----w- c:\program files\FileZilla FTP Client

2009-12-31 16:50 . 2009-04-07 20:39 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2009-04-07 20:39 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-04-07 16:43 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2009-04-07 20:39 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-11 22:50 . 2009-04-07 20:39 328728 ----a-w- c:\windows\system32\drivers\iaStor.sys

2009-12-08 19:26 . 2008-04-14 00:54 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2009-04-07 20:39 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2009-04-07 20:39 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2009-04-07 20:39 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2009-04-07 20:39 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2009-04-07 20:39 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-21 15:51 . 2009-04-07 20:39 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-30 115560]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-03-05 1044480]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-08 13529088]

c:\documents and settings\gdemirka\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-150927795-2069884688-1238954376-16344\Scripts\Logon\0\0]

"Script"=Coll and Dept User Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-150927795-2069884688-1238954376-16344\Scripts\Logon\1\0]

"Script"=ENG Logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-746137067-1606980848-12813\Scripts\Logon\0\0]

"Script"=che logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-746137067-1606980848-12813\Scripts\Logon\1\0]

"Script"=Main ENG.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^gdemirka^Start Menu^Programs^Startup^..]

path=c:\documents and settings\gdemirka\Start Menu\Programs\Startup\..

backup=c:\windows\pss\..Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2005-09-01 00:27 1658592 ----a-w- c:\program files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\windows\\pchealth\\helpctr\\binaries\\HelpSvc.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"135:TCP"= 135:TCP:WINS

"2568:TCP"= 2568:TCP:SMS-HEALTH

"8081:TCP"= 8081:TCP:EPO-Agent

"6129:TCP"= 6129:TCP:DWRC

"2701:TCP"= 2701:TCP:SMS-RC

"2701:UDP"= 2701:UDP:SMS-RC

"2702:TCP"= 2702:TCP:SMS-RC

"2702:UDP"= 2702:UDP:SMS-RC

"2703:TCP"= 2703:TCP:SMS-CHAT

"2703:UDP"= 2703:UDP:SMS-CHAT

"2704:TCP"= 2704:TCP:SMS-XFER

"2704:UDP"= 2704:UDP:SMS-XFER

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]

"Enabled"= 1 (0x1)

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [4/7/2009 3:37 PM 24064]

R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 12:00 AM 316992]

R3 e1kexpress;Intel


I read another topic here at this link, http://forums.malwarebytes.org/index.php?showtopic=39831, and I did the OTL run as kahdah suggested in that topic...

I still have no access to Windows Update and some websites like http://www.safer-networking.org/en/home/index.html

OTL report:

OTL logfile created on: 2/14/2010 4:54:05 PM - Run 1

OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\gdemirka\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 72.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.83 Gb Total Space | 121.08 Gb Free Space | 52.00% Space Free | Partition Type: NTFS

Unable to calculate disk information.

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive P: | 1740.80 Gb Total Space | 548.78 Gb Free Space | 31.52% Space Free | Partition Type: NTFS

Drive U: | 1740.80 Gb Total Space | 1174.38 Gb Free Space | 67.46% Space Free | Partition Type: NTFS

Drive Z: | 136.48 Gb Total Space | 74.95 Gb Free Space | 54.92% Space Free | Partition Type: NTFS

Computer Name: C004155

Current User Name: gdemirka

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\gdemirka\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc.)

PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation)

PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)

PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)

PRC - C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)

PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpmup091.bin (Hewlett-Packard)

PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\WINDOWS\system32\ASTSRV.EXE (Nalpeiron Ltd.)

PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

PRC - C:\Program Files\SolidWorks Corp\SolidWorks 2009\sldShellExtServer.exe (Dassault Syst


OTL Extras logfile created on: 2/14/2010 4:54:05 PM - Run 1

OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\gdemirka\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 72.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.83 Gb Total Space | 121.08 Gb Free Space | 52.00% Space Free | Partition Type: NTFS

Unable to calculate disk information.

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive P: | 1740.80 Gb Total Space | 548.78 Gb Free Space | 31.52% Space Free | Partition Type: NTFS

Drive U: | 1740.80 Gb Total Space | 1174.38 Gb Free Space | 67.46% Space Free | Partition Type: NTFS

Drive Z: | 136.48 Gb Total Space | 74.95 Gb Free Space | 54.92% Space Free | Partition Type: NTFS

Computer Name: C004155

Current User Name: gdemirka

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"135:TCP" = 135:TCP:*:Enabled:WINS

"2568:TCP" = 2568:TCP:*:Enabled:SMS-HEALTH

"8081:TCP" = 8081:TCP:*:Enabled:EPO-Agent

"6129:TCP" = 6129:TCP:*:Enabled:DWRC

"2701:TCP" = 2701:TCP:*:Enabled:SMS-RC

"2701:UDP" = 2701:UDP:*:Enabled:SMS-RC

"2702:TCP" = 2702:TCP:*:Enabled:SMS-RC

"2702:UDP" = 2702:UDP:*:Enabled:SMS-RC

"2703:TCP" = 2703:TCP:*:Enabled:SMS-CHAT

"2703:UDP" = 2703:UDP:*:Enabled:SMS-CHAT

"2704:TCP" = 2704:TCP:*:Enabled:SMS-XFER

"2704:UDP" = 2704:UDP:*:Enabled:SMS-XFER

"4500:UDP" = 4500:UDP:LocalSubNet:Enabled:IPsec (IKE NAT-T)

"500:UDP" = 500:UDP:LocalSubNet:Enabled:IPsec (IKE)

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

"135:TCP" = 135:TCP:*:Enabled:WINS

"2568:TCP" = 2568:TCP:*:Enabled:SMS-HEALTH

"8081:TCP" = 8081:TCP:*:Enabled:EPO-Agent

"6129:TCP" = 6129:TCP:*:Enabled:DWRC

"2701:TCP" = 2701:TCP:*:Enabled:SMS-RC

"2701:UDP" = 2701:UDP:*:Enabled:SMS-RC

"2702:TCP" = 2702:TCP:*:Enabled:SMS-RC

"2702:UDP" = 2702:UDP:*:Enabled:SMS-RC

"2703:TCP" = 2703:TCP:*:Enabled:SMS-CHAT

"2703:UDP" = 2703:UDP:*:Enabled:SMS-CHAT

"2704:TCP" = 2704:TCP:*:Enabled:SMS-XFER

"2704:UDP" = 2704:UDP:*:Enabled:SMS-XFER

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)

"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" = C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe:LocalSubNet:Enabled:Visual Studio Remote Debugging Monitor -- (Microsoft Corporation)

"C:\Program Files\ANSYS Inc\v120\CFX\bin\winnt\PreEngine.exe" = C:\Program Files\ANSYS Inc\v120\CFX\bin\winnt\PreEngine.exe:*:Enabled:PreEngine -- ()

"C:\Program Files\ANSYS Inc\v120\CFX\bin\winnt\PreGui_ogl.exe" = C:\Program Files\ANSYS Inc\v120\CFX\bin\winnt\PreGui_ogl.exe:*:Enabled:PreGui_ogl -- ()

"C:\Program Files\ANSYS Inc\v110\AISOL\CommonFiles\intel\AnsysWBU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CommonFiles\intel\AnsysWBU.exe:*:Enabled:AnsysWBU.exe -- File not found

"C:\Program Files\ANSYS Inc\v110\ANSYS\bin\intel\ANSYS.exe" = C:\Program Files\ANSYS Inc\v110\ANSYS\bin\intel\ANSYS.exe:*:Enabled:ANSYS.exe -- File not found

"C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ActivePIMgrU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ActivePIMgrU.exe:*:Enabled:ActivePIMgrU.exe -- File not found

"C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ReaderHostU.exe" = C:\Program Files\ANSYS Inc\v110\AISOL\CAD Integration\intel\ReaderHostU.exe:*:Enabled:ReaderHostU.exe -- File not found

"C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\tclsh.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\tclsh.exe:*:Enabled:AWP tclsh.exe -- File not found

"C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\wish.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\TCL\bin\intel\wish.exe:*:Enabled:AWP wish.exe -- File not found

"C:\Program Files\ANSYS Inc\v110\CommonFiles\CATIAV5\intel\code\bin\ReaderHostCAT5U.exe" = C:\Program Files\ANSYS Inc\v110\CommonFiles\CATIAV5\intel\code\bin\ReaderHostCAT5U.exe:*:Enabled:ReaderHostCAT5U.exe -- File not found

"C:\Program Files\Messenger\Msmsgs.exe" = C:\Program Files\Messenger\Msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)

"C:\Program Files\ANSYS Inc\Shared Files\Licensing\win32\ansysli_client.exe" = C:\Program Files\ANSYS Inc\Shared Files\Licensing\win32\ansysli_client.exe:*:Enabled:ANSYS Licensing Interconnect Application -- (ANSYS, Inc.)

"C:\Program Files\ANSYS Inc\v120\Framework\bin\Win32\AnsysFWW.exe" = C:\Program Files\ANSYS Inc\v120\Framework\bin\Win32\AnsysFWW.exe:*:Enabled: -- (ANSYS, Inc.)

"C:\Program Files\ANSYS Inc\v120\AISOL\Bin\intel\Ansys.SolverManager.exe" = C:\Program Files\ANSYS Inc\v120\AISOL\Bin\intel\Ansys.SolverManager.exe:*:Enabled:Ansys.SolverManager -- (ANSYS, Inc.)

"C:\Program Files\ANSYS Inc\v120\AISOL\Bin\intel\AnsysWBU.exe" = C:\Program Files\ANSYS Inc\v120\AISOL\Bin\intel\AnsysWBU.exe:*:Enabled:AnsysWB Module -- (Ansys, Inc.)

"C:\Program Files\ANSYS Inc\v120\CFX\bin\winnt\PostGui_ogl.exe" = C:\Program Files\ANSYS Inc\v120\CFX\bin\winnt\PostGui_ogl.exe:*:Enabled:PostGui_ogl -- ()

"C:\Program Files\ANSYS Inc\v120\CFX\bin\winnt\PostEngine.exe" = C:\Program Files\ANSYS Inc\v120\CFX\bin\winnt\PostEngine.exe:*:Enabled:PostEngine -- ()

"C:\Documents and Settings\gdemirka\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\gdemirka\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player -- (Octoshape ApS)

"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)

"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)

"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)

"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)

"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)

"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)

"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)

"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)

"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)

"c:\windows\pchealth\helpctr\binaries\HelpSvc.exe" = c:\windows\pchealth\helpctr\binaries\HelpSvc.exe:*:Enabled:HelpSrvc.exe -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR

"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools

"{03CAB33F-D1C2-48C6-8766-DAE84DFC25FE}" = Microsoft Sync Framework Services v1.0 (x86)

"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module

"{0868BB9D-5EA0-40AF-A1CC-A38ED4E5BC67}" = 32 Bit HP CIO Components Installer

"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data

"{0E552834-2E82-4D73-88E6-2482D98FE0C9}_is1" = SAM 2009.10.13

"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP

"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime

"{23170F69-40C1-2701-0465-000001000000}" = 7-Zip 4.65

"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java 6 Update 15

"{2EFCC193-D915-4CCB-9201-31773A27BC06}" = Symantec Endpoint Protection

"{2FBF04DC-404C-4FA4-BA28-99903080D2B9}" = Magnifier Powertoy for Windows XP

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3EB83282-A67B-426A-B496-DA3317BA815B}" = DWGeditor

"{43A44D58-022D-466B-B379-FA548155A619}" = XtenderSolutions Adobe Component

"{4E475FD4-4513-4B1D-8DDA-43912B068C99}" = HTML Slideshow Powertoy for Windows XP

"{4F77F6EE-2C99-49F7-940A-2E9C208C3BE1}" = Paint.NET v3.5.2

"{5D346AB1-7910-4115-B61B-468237D86C6B}" = Adobe Setup

"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy

"{62074DBE-E855-481F-8E43-144BE4702BF4}" = CHEMCAD Suite

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{6B55DE85-2861-4332-9A10-875FF1E69993}" = VBA for CHEMCAD

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus

"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio

"{8882ED04-FE2B-478C-AF10-E7BE2A3C7AD4}" = Intel® Network Connections 15.0.4.0

"{89D04C29-88C9-4C82-951D-36DB23409073}" = SolidWorks 2009 SP02.1

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007

"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)

"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007

"{90120000-0054-0409-0000-0000000FF1CE}_VISPRO_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-0054-0409-0000-0000000FF1CE}_VISPRO_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}_VISPRO_{17600687-EE98-4BAD-A8AD-AF4D1DED7D4A}" =

"{90120000-006E-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A4-0409-0000-0000000FF1CE}" = Microsoft Office 2003 Web Components

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3

"{90F50409-6000-11D3-8CFE-0150048383C9}" = Visual Basic for Applications ® Core

"{90F60409-6000-11D3-8CFE-0150048383C9}" = Visual Basic for Applications ® Core - English

"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies

"{9D1C26BD-E792-4159-9D16-07EA222D8EF0}" = Windows Messenger 5.1

"{A159EAD0-07CC-4ABB-BD89-0028E5B0AF29}" = XtenderSolutions KeyView Component

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A7050037-F0EA-4BAB-BCD5-FC05507D6147}" = Alt-Tab Task Switcher Powertoy for Windows XP

"{A898D8E8-9DF3-4536-9A0F-37C6ED2479EA}" = XtenderSolutions Scanning Component

"{A8BD5A60-E843-46DC-8271-ABF20756BE0F}" = Microsoft Sync Framework Runtime v1.0 (x86)

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-1033-0000-7760-000000000004}" = Adobe Acrobat 9 Pro

"{AC76BA86-1033-0000-7760-000000000004}_930" = Adobe Acrobat 9.3.0 - CPSID_52073

"{AC76BA86-1033-0000-7760-000000000004}{AC76BA86-1033-0000-7760-000000000004}" = Adobe Acrobat 9 Pro

"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2

"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player

"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser

"{AFDFC350-C142-4790-BE12-8357AECD028F}" = SyncToy 2.0 (x86)

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP

"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX

"{BE66348A-E83F-4982-941F-DFF2F742B851}" = Microsoft Office Live Meeting 2007

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C614ED97-4594-4BE7-B6A4-471CDB77E8E0}" = Adobe Flash CS3

"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE

"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet

"{CAFECAFE-0013-0001-0122-ABCDEFABCDEF}" = Oracle JInitiator 1.3.1.22

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CE6A85D8-D6B9-479A-9FE9-A06E56881E61}" = Configuration Manager Client

"{CE9EAC77-2D52-447D-A87A-52CB20A46E13}" = SolidWorks Simulation 2009 SP02.1

"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 17:23 on 14/02/2010 by gdemirka (Administrator - Elevation successful)

========== filefind ==========

Searching for "termsrv.dll"

C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [17:35 14/02/2010] [10:42 14/04/2008] FF3477C03BE7201C294C35F684B3479F

C:\WINDOWS\system32\dllcache\termsrv.dll --a--c 295424 bytes [16:43 07/04/2009] [10:42 14/04/2008] FF3477C03BE7201C294C35F684B3479F

C:\WINDOWS\system32\termsrv.dll ------ 295424 bytes [16:43 07/04/2009] [10:42 14/04/2008] FF3477C03BE7201C294C35F684B3479F

-=End Of File=-

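The SystemLook output above lists three copies of termsrv.dll (the ERDNT backup, the Windows File Protection copy in system32\dllcache, and the live copy in system32) with identical size and MD5, which is what a clean, unpatched system file looks like. The script below is an added example, not part of the post and not SystemLook's own code: it parses "filefind" lines in the format shown above and reports any copy whose size or hash differs from the dllcache copy. The first sample log reproduces the three lines from the post; the second is constructed, with a made-up size and hash on the system32 copy, purely to show what a mismatch report looks like.

```python
"""Cross-check copies of a Windows system file from SystemLook 'filefind' output.

The live copy in system32 should match the Windows File Protection copy in
system32\\dllcache (and any ERDNT backup). A size or MD5 mismatch on the live
copy is the classic sign of a patched system DLL.
"""
import hashlib
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One SystemLook filefind line: path, six attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<attrs>[-a-zA-Z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per matching line; headers and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            d["name"] = PureWindowsPath(d["path"]).name.lower()
            entries.append(d)
    return entries


def check_copies(entries):
    """Compare every copy of each file name against its dllcache copy.

    Returns {name: [reasons...]}; an empty list means all copies agree.
    Falls back to the first listed copy as reference if no dllcache copy exists.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    report = {}
    for name, copies in by_name.items():
        reference = next(
            (c for c in copies if "\\dllcache\\" in c["path"].lower()), copies[0]
        )
        reasons = []
        for c in copies:
            if c is reference:
                continue
            if c["size"] != reference["size"]:
                reasons.append(f"{c['path']}: size {c['size']} != {reference['size']}")
            if c["md5"] != reference["md5"]:
                reasons.append(f"{c['path']}: MD5 {c['md5']} != {reference['md5']}")
        report[name] = reasons
    return report


def md5_of(path):
    """MD5 of a file on disk, for comparing a live copy against a logged hash."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


# Sample 1: the three termsrv.dll lines exactly as they appear in the post above.
CLEAN_LOG = r"""
C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [17:35 14/02/2010] [10:42 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\dllcache\termsrv.dll --a--c 295424 bytes [16:43 07/04/2009] [10:42 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll ------ 295424 bytes [16:43 07/04/2009] [10:42 14/04/2008] FF3477C03BE7201C294C35F684B3479F
"""

# Sample 2: constructed. Same layout, but the live system32 copy carries a
# made-up size and hash so the mismatch path of check_copies() is exercised.
PATCHED_LOG = r"""
C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [17:35 14/02/2010] [10:42 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\dllcache\termsrv.dll --a--c 295424 bytes [16:43 07/04/2009] [10:42 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll ------ 296448 bytes [16:43 07/04/2009] [10:42 14/04/2008] 0123456789ABCDEF0123456789ABCDEF
"""

if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("patched", PATCHED_LOG)):
        for name, reasons in check_copies(parse_filefind(log)).items():
            print(label, name, "OK" if not reasons else reasons)
```

A matching dllcache copy only proves the live file was not swapped; a rootkit that filters file reads can still make a patched file hash clean when read through the running kernel, which is why hashes taken from an offline boot or a known-good copy are worth more than ones taken from the infected system itself.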

This is the log from the last Malwarebytes scan. I was able to access this website, but something happened and I cannot reach it now... I am writing from other computers in the lab...

Here is the report:

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/15/2010 12:23:29 AM

mbam-log-2010-02-15 (00-23-29).txt

Scan type: Full Scan (C:\|U:\|)

Objects scanned: 424226

Time elapsed: 2 hour(s), 28 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{1752EAB1-9F9F-424A-A7B6-828FCDEDA708}\RP450\A0080672.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1752EAB1-9F9F-424A-A7B6-828FCDEDA708}\RP452\A0081893.sys (Malware.Trace) -> Quarantined and deleted successfully.

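Both hits in the Malwarebytes log above sit under System Volume Information\_restore{...}\RPnnn, which is where System Restore keeps snapshots of files it has backed up. Such copies are inert unless a restore point is applied, so they say nothing about whether the active infection is gone. The script below is an added example, not part of the post and not Malwarebytes code: it pulls the detection lines out of an MBAM log in the format shown above and separates restore-point copies from detections at live paths. The sample log reuses the two lines from the post plus one constructed line at a Temp path (the file name and family on that line are made up) so that both categories are populated.

```python
"""Triage Malwarebytes' Anti-Malware (1.x) log detections by location.

Detections inside System Restore snapshots are backed-up copies; only hits at
live paths indicate something the running system could still execute.
"""
import re

# "<path> (<family>) -> <action>" as printed in MBAM 1.x 'Files Infected:' lines.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$"
)
# Restore-point layout: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I
)


def parse_detections(text):
    """Return a list of {path, family, action, restore_point} dicts."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["restore_point"] = bool(RESTORE_RE.search(d["path"]))
        found.append(d)
    return found


def triage(detections):
    """Split detections into restore-point copies and live-path hits."""
    return {
        "restore_point": [d for d in detections if d["restore_point"]],
        "live": [d for d in detections if not d["restore_point"]],
    }


# Constructed sample: the two lines from the post, plus one made-up live-path
# detection so the 'live' bucket is not empty.
SAMPLE_LOG = r"""
Files Infected:

C:\System Volume Information\_restore{1752EAB1-9F9F-424A-A7B6-828FCDEDA708}\RP450\A0080672.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1752EAB1-9F9F-424A-A7B6-828FCDEDA708}\RP452\A0081893.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\user\Local Settings\Temp\sample.tmp (Trojan.Example) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    result = triage(parse_detections(SAMPLE_LOG))
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for d in items:
            print("  ", d["family"], d["path"])
```

A scan whose only hits are restore-point copies, while the original symptoms (redirects, blocked security sites, broken network properties) persist, points to something the scanner is not seeing rather than to a finished cleanup.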

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
