
computerisbusted

Posts posted by computerisbusted

  1. If you're up for it, take it out of quarantine, then rename the file to edS.xxx; that way, it won't be able to execute. You can upload it then.

    Hi Screen,

    I was wondering, if I decided to reinstall XP, can you recommend a good, easy guide online that will explain what I should do in order to partition my hard drive, and reinstall XP?

    Thanks again for everything.

  2. Let me know if/when you hear something. It'll be good to know for the future.

    Hi Screen,

    I forgot to mention, but MBAB did end up picking up some infected files (not just registry values). In particular,

    C:\Documents and Settings\user\Local Settings\Temp\D.tmp\edS.exe (Trojan.Agent)

    seemed like it could be something. It's sitting in my quarantine at the moment. My internet still has a tendency to drop out and the problems with the network are still intermittent.

    Is there any additional action I should take, in light of the edS.exe file?

    I've posted the relevant MBAM logfile below.

    Thanks for everything.

    Malwarebytes' Anti-Malware 1.45

    www.malwarebytes.org

    Database version: 4009

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 7.0.5730.11

    20/04/2010 11:23:56 AM

    mbam-log-2010-04-20 (11-23-56).txt

    Scan type: Quick scan

    Objects scanned: 132787

    Time elapsed: 12 minute(s), 36 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 1

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 3

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\Documents and Settings\user\Desktop\Defogger.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    C:\Documents and Settings\user\Local Settings\Temp\D.tmp\edS.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    C:\WINDOWS\sed.exe (Trojan.Agent) -> Quarantined and deleted successfully.

  3. Thanks Kpgumbo,

    It was a false positive on our behalf so the file is not malware related.

    However if it's not malware then it will belong to something on your computer so no need to remove it :)

    I quarantined my sed.exe when it scanned positive; should I restore it?

  4. Uninstall these from Add or Remove Programs:

    Restart your computer. Get the latest version of Java.

    Update MBAM, run a Quick Scan, and post its log.

    After that, run DDS again, except this time post both DDS.txt and attach.txt

    Hi Screen,

    1. I uninstalled the programs you recommended, but when I went to uninstall

    * Lotus Notes

    The uninstaller said something like "gathering required information" and the progress bar came to a standstill. After about an hour, I ended the uninstall process, to try it again, but now there is no longer an option in Add/Remove Programs to remove Lotus Notes.

    There are still lots of files and sub-directories in c:\IBM\Lotus\Notes

    ** Should I delete those files?

    Also, while I was trying to install, Comodo Firewall kept telling me that notes2w.exe was trying to connect to something. This is what it said:

    "C:\Program files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.6.0.20080709-200808010926\jre\bin\notes2w.exe

    was trying to access:

    RPC Control\DNSResolver"

    2. After installing the latest Java, I updated and ran MBAM. I've posted the log below.

    3. I've run DDS again, and posted DDS.txt beneath the MBAM log, and I've attached the attach.txt

    Thanks again so much for all of your help!

    Attach_15_April_2010.txt

    ***********

    MBAM Log

    ***********

    Malwarebytes' Anti-Malware 1.45

    www.malwarebytes.org

    Database version: 3989

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 7.0.5730.11

    15/04/2010 3:55:12 PM

    mbam-log-2010-04-15 (15-55-12).txt

    Scan type: Quick scan

    Objects scanned: 131612

    Time elapsed: 8 minute(s), 35 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 3

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

    Registry Data Items Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    ***********

    DDS Log

    ***********

    DDS (Ver_10-03-17.01) - NTFSx86

    Run by user at 16:04:09.34 on Thu 15/04/2010

    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.205 [GMT 10:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

    C:\WINDOWS\system32\svchost.exe -k netsvcs

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k eapsvcs

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k dot3svc

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    C:\WINDOWS\system32\spoolsv.exe

    svchost.exe

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

    C:\WINDOWS\system32\vmnat.exe

    C:\WINDOWS\system32\vmnetdhcp.exe

    C:\Program Files\VMware\VMware Player\vmware-authd.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    C:\WINDOWS\system32\NWTRAY.EXE

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\VMware\VMware Player\hqtray.exe

    C:\WINDOWS\system32\dpmw32.exe

    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

    C:\Program Files\RSIGuard\RSIGuard.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\Documents and Settings\user\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Microsoft Internet Explorer provided by Griffith University

    uStart Page = hxxp://www.griffith.edu.au/

    uDefault_Page_URL = hxxp://www.griffith.edu.au/

    uSearch Bar = hxxp://www.griffith.edu.au/find

    mDefault_Page_URL = hxxp://www.griffith.edu.au/

    uInternet Settings,ProxyOverride = <local>

    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

    uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

    mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

    mRun: [NWTRAY] NWTRAY.EXE

    mRun: [DeskTag] c:\windows\tag.vbs

    mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

    mRun: [NetcheckOff] c:\windows\nc-off.exe

    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

    mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

    mRun: [NDPS] c:\windows\system32\dpmw32.exe

    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

    uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

    uPolicies-explorer: MaxRecentDocs = 10 (0xa)

    uPolicies-explorer: NoThumbnailCache = 1 (0x1)

    uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

    uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

    uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

    uPolicies-explorer: DisallowCpl = 1 (0x1)

    uPolicies-explorer: NoAutoUpdate = 1 (0x1)

    uPolicies-explorer: NoPublishingWizard = 1 (0x1)

    uPolicies-explorer: DisallowRun = 1 (0x1)

    uPolicies-disallowrun: 1 = wbsamp.exe

    uPolicies-disallowrun: 2 = webshots.exe

    uPolicies-disallowrun: 3 = webshots.scr

    uPolicies-system: HideLogonScripts = 0 (0x0)

    uPolicies-system: DisableChangePassword = 1 (0x1)

    mPolicies-explorer: NoDisconnect = 1 (0x1)

    mPolicies-explorer: NoNTSecurity = 1 (0x1)

    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

    mPolicies-explorer: NoPublishingWizard = 1 (0x1)

    mPolicies-explorer: NoWebServices = 1 (0x1)

    mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

    mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

    mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

    mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

    mPolicies-system: HideShutdownScripts = 0 (0x0)

    mPolicies-system: LogonType = 0 (0x0)

    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

    LSP: c:\program files\vmware\vmware player\vsocklib.dll

    Trusted Zone: griffith.edu.au

    Trusted Zone: gu.edu.au

    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

    TCP: {04D21817-5A95-4A14-BFB8-4E3CF8EAE221} = 156.154.70.22,156.154.71.22

    TCP: {DB161889-6A3F-40F8-9996-42E96BD5D24A} = 156.154.70.22,156.154.71.22

    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

    Notify: AtiExtEvent - Ati2evxx.dll

    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

    AppInit_DLLs: c:\windows\system32\guard32.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    LSA: Authentication Packages = msv1_0 nwv1_0

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

    FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]

    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-23 224808]

    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 25160]

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]

    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]

    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-3-23 967888]

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1265264]

    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]

    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]

    R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-12 38224]

    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVENG.SYS [2010-3-25 84912]

    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVEX15.SYS [2010-3-25 1324720]

    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

    =============== Created Last 30 ================

    2010-04-15 05:55:15 54016 ----a-w- c:\windows\system32\drivers\emaqwpbm.sys

    2010-04-15 05:34:17 73728 ----a-w- c:\windows\system32\javacpl.cpl

    2010-04-15 05:34:17 411368 ----a-w- c:\windows\system32\deployJava1.dll

    2010-04-13 10:32:48 0 d-----w- c:\program files\DVDFab 7

    2010-04-11 14:52:44 0 d-----w- c:\program files\MediaMonkey

    2010-04-11 14:49:32 0 d-----w- c:\program files\Windows Installer Clean Up

    2010-04-10 07:55:13 54016 ----a-w- c:\windows\system32\drivers\oflpdnps.sys

    2010-04-09 14:39:48 0 d-----w- C:\laserjet 6l pro SureSupply

    2010-04-07 10:04:10 0 d-----w- c:\documents and settings\user\DoctorWeb

    2010-04-06 07:26:28 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

    2010-04-06 07:26:28 107368 ----a-w- c:\windows\system32\GEARAspi.dll

    2010-04-06 07:24:41 0 d-----w- c:\program files\iPod

    2010-04-06 07:23:52 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

    2010-04-03 06:24:17 54016 ----a-w- c:\windows\system32\drivers\nqfdl.sys

    2010-04-03 03:50:02 54016 ----a-w- c:\windows\system32\drivers\ojmatk.sys

    2010-04-03 03:25:17 54016 ----a-w- c:\windows\system32\drivers\ksprl.sys

    2010-04-03 01:40:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader

    2010-04-03 01:36:03 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO

    2010-04-03 01:32:19 0 d-----w- c:\program files\COMODO

    2010-03-25 23:15:17 0 d-----w- c:\program files\ESET

    2010-03-25 10:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure

    2010-03-24 17:34:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

    2010-03-24 17:34:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

    2010-03-24 17:30:39 0 d-----w- c:\program files\Spybot - Search & Destroy

    2010-03-24 17:30:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

    2010-03-24 17:29:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

    2010-03-24 17:29:19 0 d-----w- c:\program files\Lavasoft

    2010-03-24 17:03:30 0 d--h--w- c:\windows\PIF

    2010-03-24 16:38:15 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

    2010-03-24 16:36:56 0 d-----w- c:\windows\ERUNT

    2010-03-24 16:36:14 0 d-----w- C:\SDFix

    2010-03-23 08:40:00 224808 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

    2010-03-23 01:58:24 59952 ----a-r- c:\windows\system32\vnetinst.dll

    2010-03-23 01:58:24 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

    2010-03-23 01:58:17 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

    2010-03-23 01:58:13 395824 ----a-w- c:\windows\system32\vmnat.exe

    2010-03-23 01:58:11 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

    2010-03-23 01:58:02 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

    2010-03-23 01:57:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

    2010-03-23 01:57:32 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

    2010-03-23 01:57:22 1024 ----a-w- C:\.rnd

    2010-03-23 01:57:02 0 d-----w- c:\program files\common files\VMware

    2010-03-23 01:56:34 0 d-----w- c:\program files\VMware

    2010-03-22 12:01:00 0 d-----w- c:\docume~1\user\applic~1\Foxit Software

    2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

    ==================== Find3M ====================

    2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-03-12 08:02:38 261632 ----a-w- c:\windows\PEV.exe

    2010-03-03 07:54:42 276648 ----a-w- c:\windows\system32\guard32.dll

    2010-03-03 07:54:14 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

    2010-03-03 07:54:12 15376 ----a-w- c:\windows\system32\drivers\cmderd.sys

    2010-01-22 11:58:02 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

    2010-01-22 10:34:24 252464 ----a-w- c:\windows\system32\vmnc.dll

    2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

    2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

    ============= FINISH: 16:04:48.71 ===============

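As an added example, not code from this thread, from the helper, or from Malwarebytes: a small parser for the Malwarebytes' Anti-Malware 1.x text-log layout that both MBAM logs in this thread use (header counts such as "Files Infected: 3", then one detail section per category with one detection per line ending in "-> action."). It separates each detection into its item, threat name, any intermediate detail (the "Bad: (1) Good: (0)" part of a Registry Data Item) and final action, then cross-checks the declared counts against what the detail sections actually list and pulls out everything still marked "Delete on reboot", which is what an analyst reading such a log wants to see first. The embedded log is constructed for the example (it deliberately declares three files but lists two, so the count check has something to report), and the function names parse_mbam_log and summarize are my own.

```python
# Added example (not code from the thread or from Malwarebytes): a parser for
# the Malwarebytes' Anti-Malware 1.x text-log layout quoted in the thread.
import re
from collections import Counter

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
LEFT_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\)$")   # "<item> (<threat>)"
META_RE = re.compile(r"^(Database version|Scan type|Objects scanned):\s*(.+)$")
NO_ITEMS = "(No malicious items detected)"

# Constructed sample in the same layout as the logs quoted above; the "Files
# Infected: 3" header deliberately disagrees with its detail section (2 lines).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 3989
Scan type: Quick scan
Objects scanned: 131612

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\D.tmp\edS.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Example\dropper.exe (Trojan.Agent) -> Delete on reboot.
"""


def parse_detection(line, section):
    """Split "<item> (<threat>) -> [<detail> -> ]<action>." into its fields."""
    if " -> " not in line:
        return None
    left, rest = line.split(" -> ", 1)
    m = LEFT_RE.match(left)          # greedy item, so "(x86)" inside a path stays in the item
    if m is None:
        return None
    parts = rest.rstrip(".").split(" -> ")
    return {"section": section, "item": m.group("item"), "threat": m.group("threat"),
            "detail": " -> ".join(parts[:-1]) or None, "action": parts[-1]}


def parse_mbam_log(text):
    """Return header metadata, the declared per-category counts and every detection."""
    meta, counts, detections, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := META_RE.match(line)):
            meta[m.group(1)] = m.group(2)
        elif (m := SECTION_RE.match(line)):
            if m.group("count") is not None:      # summary line, e.g. "Files Infected: 3"
                counts[m.group("section")] = int(m.group("count"))
                section = None
            else:                                 # start of a detail section
                section = m.group("section")
        elif section is not None and line != NO_ITEMS:
            det = parse_detection(line, section)
            if det is not None:
                detections.append(det)
    return {"meta": meta, "counts": counts, "detections": detections}


def summarize(parsed):
    """Per-threat totals, items still pending a reboot, header/detail count disagreements."""
    dets = parsed["detections"]
    found = Counter(d["section"] for d in dets)
    return {
        "total": len(dets),
        "by_threat": dict(Counter(d["threat"] for d in dets)),
        "pending_reboot": [d["item"] for d in dets if d["action"] == "Delete on reboot"],
        "count_mismatches": {sec: (declared, found[sec])
                             for sec, declared in parsed["counts"].items()
                             if declared != found[sec]},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run as-is it prints the summary for the constructed log; point parse_mbam_log at the text of a real mbam-log-*.txt instead. A "Delete on reboot" entry means the item was still present when the log was written, so a follow-up scan after restarting is what confirms it went, and a count mismatch means the log was truncated or edited and should not be trusted as complete.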

  5. Griffith Lotus Setup

    Can you open this program and see what functions it has? I want to understand what it's doing before we remove it.

    Can you tell me the contents of this folder:

    c:\program files\griffith

    These programs may also be contributing; do you use them?

    ZENworks Asset Management - Client Apps

    ZENworks Desktop Management Agent

    Hi Screen,

    My adorable girlfriend is grumpy, because according to her, I'm more excited about getting a message from you than from her! Thank you for all of your help. I sure do appreciate it.

    1. Screen, I couldn't find the program Griffith Lotus Setup. I've:

    a. Gone to Start>Programs, but there is nothing listed that looks like Griffith Lotus Setup. The closest is Lotus Applications>Lotus Notes.

    b. Used Windows Explorer to look at c:\program files. There was no Lotus, and the closest was the Griffith directory that you asked about, but I didn't see a Griffith Lotus Setup inside those subdirectories. I've pasted a listing of the c:\program files subdirectories below, after the contents of the folder you asked about.

    c. Used the Windows Explorer search function to find Griffith Lotus, but it found nothing.

    d. Went in to Control Panel>Add Remove Programs, and was given the option of repairing or removing Griffith Lotus Setup. It has a size of 0.54MB, and is apparently used rarely. If I click repair, it moves me to a screen that says "Welcome to the Griffith Lotus Setup Setup Wizard" (it repeats the word Setup, just as I've typed), and there is no information other than that I can choose to repair or remove.

    2. I do not use Lotus Notes on this computer, and I am happy to completely uninstall Lotus and anything related to Lotus.

    3. The contents of c:\Program Files\Griffith are listed below. This computer is no longer a work computer, so I can uninstall anything to do with my university.

    4. I've never used:

    ZENworks Asset Management - Client Apps

    ZENworks Desktop Management Agent

    and am happy to disable or remove them.

    Thanks again for everything.

    *********************************

    Contents of C:\Program Files\Griffith

    *********************************

    Volume in drive C has no label.

    Volume Serial Number is A870-94C2

    Directory of C:\Program Files\Griffith

    14/04/2010 06:44 PM <DIR> .

    14/04/2010 06:44 PM <DIR> ..

    15/10/2009 08:06 PM <DIR> First Profile

    02/07/2009 02:28 PM <DIR> Griffith Entitled Software

    14/04/2010 06:40 PM <DIR> LotusSync

    08/12/2008 05:30 PM <DIR> MessageWriter

    02/07/2009 02:40 PM <DIR> My IP Address

    02/07/2009 02:28 PM <DIR> SOEFixer

    08/12/2008 05:30 PM <DIR> SOETools

    14/04/2010 06:44 PM 0 dirscreen.txt

    1 File(s) 0 bytes

    Directory of C:\Program Files\Griffith\First Profile

    15/10/2009 08:06 PM <DIR> .

    15/10/2009 08:06 PM <DIR> ..

    02/07/2009 02:24 PM <DIR> FinishedDeploy_630

    04/08/2008 02:29 PM 98,304 FinishedDeployment.exe

    04/08/2008 02:29 PM 42,496 FinishedDeployment.pdb

    04/08/2008 02:29 PM 704 FinishedDeployment.xml

    30/07/2007 08:46 AM 28,672 Runner.exe

    30/07/2007 08:46 AM 34,304 Runner.pdb

    30/07/2007 08:46 AM 114 Runner.xml

    14/07/2008 09:00 AM 94,208 SOESetup.exe

    14/07/2008 09:00 AM 42,496 SOESetup.pdb

    14/07/2008 09:00 AM 664 SOESetup.xml

    9 File(s) 341,962 bytes

    Directory of C:\Program Files\Griffith\First Profile\FinishedDeploy_630

    02/07/2009 02:24 PM <DIR> .

    02/07/2009 02:24 PM <DIR> ..

    04/08/2008 02:29 PM 98,304 FinishedDeployment.exe

    04/08/2008 02:29 PM 42,496 FinishedDeployment.pdb

    04/08/2008 02:29 PM 704 FinishedDeployment.xml

    3 File(s) 141,504 bytes

    Directory of C:\Program Files\Griffith\Griffith Entitled Software

    02/07/2009 02:28 PM <DIR> .

    02/07/2009 02:28 PM <DIR> ..

    24/07/2007 03:52 PM 28,672 Griffith Entitled Software.exe

    24/07/2007 03:52 PM 36,352 Griffith Entitled Software.pdb

    24/07/2007 03:52 PM 138 Griffith Entitled Software.xml

    23/07/2007 12:37 PM 4,122 icon.ico

    4 File(s) 69,284 bytes

    Directory of C:\Program Files\Griffith\LotusSync

    14/04/2010 06:40 PM <DIR> .

    14/04/2010 06:40 PM <DIR> ..

    22/05/2008 11:07 AM 188,416 ICSharpCode.SharpZipLib.dll

    07/01/2009 04:08 PM 348,160 LotusStarter.exe

    14/05/2008 12:15 PM 2,084 LotusStarter.exe.config

    19/05/2008 03:55 PM 42,166 notes.ico

    4 File(s) 580,826 bytes

    Directory of C:\Program Files\Griffith\MessageWriter

    08/12/2008 05:30 PM <DIR> .

    08/12/2008 05:30 PM <DIR> ..

    26/07/2007 07:40 AM 28,672 MessageWriter.exe

    26/07/2007 07:40 AM 36,352 MessageWriter.pdb

    26/07/2007 07:40 AM 121 MessageWriter.xml

    3 File(s) 65,145 bytes

    Directory of C:\Program Files\Griffith\My IP Address

    02/07/2009 02:40 PM <DIR> .

    02/07/2009 02:40 PM <DIR> ..

    31/07/2007 07:58 AM 237,568 myIP.exe

    20/07/2007 11:02 AM 1,078 myIP.ico

    31/07/2007 07:58 AM 40,448 myIP.pdb

    31/07/2007 07:58 AM 648 myIP.xml

    4 File(s) 279,742 bytes

    Directory of C:\Program Files\Griffith\SOEFixer

    02/07/2009 02:28 PM <DIR> .

    02/07/2009 02:28 PM <DIR> ..

    16/07/2008 08:47 AM 32,768 SOEFixer.exe

    16/07/2008 08:47 AM 40,448 SOEFixer.pdb

    16/07/2008 08:47 AM 116 SOEFixer.xml

    3 File(s) 73,332 bytes

    Directory of C:\Program Files\Griffith\SOETools

    08/12/2008 05:30 PM <DIR> .

    08/12/2008 05:30 PM <DIR> ..

    08/12/2008 11:08 AM 140,800 AuditTool.exe

    18/11/2008 12:16 PM 2,646 AuditTool.exe.config

    25/11/2008 03:20 PM 24,629 AuditTool.log

    08/12/2008 11:08 AM 175,616 AuditTool.pdb

    25/11/2008 03:20 PM 14,328 AuditTool.vshost.exe

    18/11/2008 12:16 PM 2,646 AuditTool.vshost.exe.config

    14/07/2008 12:46 PM 1,235 AuditTool.vshost.exe.manifest

    08/12/2008 11:08 AM 31,164 AuditTool.xml

    27/08/2008 03:36 PM 110,592 AuditTool.XmlSerializers.dll

    23/04/2007 02:34 PM 457 Divisions.xml

    27/02/2008 04:22 PM 8,928 Elements.xml

    25/11/2008 08:19 AM 82,432 GUS_Gobal.dll

    25/11/2008 08:19 AM 151,040 GUS_Gobal.pdb

    25/11/2008 08:19 AM 25,493 GUS_Gobal.xml

    22/07/2008 09:53 AM 110,592 GUS_Gobal.XmlSerializers.dll

    01/11/2005 05:28 PM 884,736 Microsoft.Web.Services3.dll

    16/07/2008 03:28 PM 12,800 ResetPassword.exe

    16/07/2008 03:28 PM 30,208 ResetPassword.pdb

    18 File(s) 1,810,342 bytes

    Total Files Listed:

    49 File(s) 3,362,137 bytes

    26 Dir(s) 23,727,116,288 bytes free

    *****************************************

    Subdirectories of c:\Program Files\

    *****************************************

    Directory of C:\Program Files

    14/04/2010 07:04 PM <DIR> .

    14/04/2010 07:04 PM <DIR> ..

    02/07/2009 02:24 PM <DIR> Adobe

    05/09/2009 05:04 PM <DIR> Alwil Software

    06/04/2010 05:20 PM <DIR> Apple Software Update

    02/07/2009 02:26 PM <DIR> aShampoo

    02/07/2009 03:43 PM <DIR> ATI Technologies

    02/07/2009 03:58 PM <DIR> Broadcom

    02/07/2009 02:26 PM <DIR> Business Objects

    20/10/2009 11:57 PM <DIR> Carmen Sandiego

    02/07/2009 02:49 PM <DIR> Cassetica

    05/02/2010 12:16 AM <DIR> CCleaner

    02/07/2009 02:47 PM <DIR> Cisco Systems

    04/02/2010 02:09 PM <DIR> Comical

    06/04/2010 05:19 PM <DIR> Common Files

    03/04/2010 11:32 AM <DIR> COMODO

    05/07/2007 01:05 PM <DIR> ComPlus Applications

    02/07/2009 03:50 PM <DIR> CONEXANT

    02/07/2009 02:21 PM <DIR> CUAgent

    02/07/2009 02:40 PM <DIR> CyberLink

    22/07/2009 06:09 PM <DIR> DVD Decrypter

    22/07/2009 11:05 AM <DIR> DVD Shrink

    10/10/2009 02:54 PM <DIR> DVDFab 6

    13/04/2010 08:33 PM <DIR> DVDFab 7

    06/04/2010 10:31 AM <DIR> ERUNT

    26/03/2010 09:15 AM <DIR> ESET

    21/10/2009 06:14 PM <DIR> FLV Player

    15/01/2010 10:30 PM <DIR> Foxit Software

    14/04/2010 06:44 PM <DIR> Griffith

    02/07/2009 02:28 PM <DIR> GU Tools

    02/07/2009 02:28 PM <DIR> IBM

    22/07/2009 12:29 PM <DIR> ImgBurn

    02/07/2009 03:55 PM <DIR> Intel

    22/05/2009 10:31 AM <DIR> Internet Explorer

    06/04/2010 05:24 PM <DIR> iPod

    22/03/2010 02:40 AM <DIR> Java

    25/03/2010 03:30 AM <DIR> Lavasoft

    03/02/2010 01:53 AM <DIR> MAKEMSI Package Documentation

    31/03/2010 09:43 AM <DIR> Malwarebytes' Anti-Malware

    12/04/2010 12:52 AM <DIR> MediaMonkey

    01/11/2008 01:08 PM <DIR> Messenger

    02/07/2009 02:35 PM <DIR> Microsoft ActiveSync

    05/07/2007 01:12 PM <DIR> microsoft frontpage

    02/07/2009 02:39 PM <DIR> Microsoft Office

    22/05/2009 10:34 AM <DIR> Microsoft Silverlight

    02/07/2009 02:34 PM <DIR> Microsoft Visual Studio

    02/07/2009 02:34 PM <DIR> Microsoft Works

    02/07/2009 02:34 PM <DIR> Microsoft.NET

    13/05/2008 03:53 PM <DIR> Movie Maker

    14/04/2010 11:43 AM <DIR> Mozilla Firefox

    05/07/2007 06:58 PM <DIR> MSBuild

    12/04/2010 12:49 AM <DIR> MSECache

    05/07/2007 01:03 PM <DIR> MSN

    05/07/2007 01:04 PM <DIR> MSN Gaming Zone

    05/07/2007 07:51 PM <DIR> MSXML 6.0

    13/05/2008 03:50 PM <DIR> NetMeeting

    02/07/2009 02:22 PM <DIR> Novell

    05/07/2007 05:29 PM <DIR> Online Services

    14/04/2010 03:07 AM <DIR> Orbitdownloader

    13/05/2008 03:50 PM <DIR> Outlook Express

    25/03/2010 10:48 PM <DIR> Oxford Dictonary With Sound Portable

    15/01/2010 10:27 PM <DIR> PeaZip

    05/07/2007 06:48 PM <DIR> Reference Assemblies

    03/02/2010 01:53 AM <DIR> RSIGuard

    02/07/2009 03:20 PM <DIR> SecureW2

    23/07/2009 12:13 AM <DIR> Siber Systems

    02/07/2009 03:49 PM <DIR> SigmaTel

    25/03/2010 03:54 AM <DIR> Spybot - Search & Destroy

    07/04/2010 01:27 PM <DIR> SUPERAntiSpyware

    02/07/2009 02:45 PM <DIR> Symantec

    14/03/2010 07:38 PM <DIR> Trend Micro

    19/03/2010 02:39 PM <DIR> uTorrent

    17/03/2010 12:48 AM <DIR> VideoLAN

    23/03/2010 11:56 AM <DIR> VMware

    12/04/2010 12:49 AM <DIR> Windows Installer Clean Up

    05/07/2007 06:44 PM <DIR> Windows Media Connect 2

    13/05/2008 03:50 PM <DIR> Windows Media Player

    13/05/2008 03:50 PM <DIR> Windows NT

    05/11/2009 09:51 PM <DIR> WinZip

    05/07/2007 01:12 PM <DIR> xerox

    14/04/2010 07:04 PM 0 programs.txt

    1 File(s) 0 bytes

    80 Dir(s) 23,725,703,168 bytes free

  6. Please run DDS again, except this time, post attach.txt instead of DDS.txt . We'll take it from there.

    Hi Screen,

    Thanks for everything! Here's my attach.txt, below and as an attachment:

    Attach_14_April_2010.txt

    ***************************************************

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional

    Boot Device: \Device\HarddiskVolume1

    Install Date: 2/07/2009 2:16:47 PM

    System Uptime: 14/04/2010 9:52:46 AM (1 hours ago)

    Motherboard: Dell Inc. | |

    Processor: Intel® Pentium® M processor 1.86GHz | Microprocessor | 1861/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 56 GiB total, 22.209 GiB free.

    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

    Description: Cisco Systems VPN Adapter

    Device ID: ROOT\NET\0000

    Manufacturer: Cisco Systems

    Name: Cisco Systems VPN Adapter

    PNP Device ID: ROOT\NET\0000

    Service: CVirtA

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

  7. Please go to VirusTotal, and upload the following files for analysis (if present):

    c:\windows\tag.vbs

    c:\windows\nc-off.exe

    Post the results in your reply.

    Hi Screen,

    You're underage in the US? You must hear this all the time, but you've got a bright future ahead of you! I figure if you're old enough to rescue thousands of people from tearing their hair out, and yelling incoherently at their monitors, a beer won't do you any harm... :P

    I went to Virus Total and ran one of the scans you asked for (the other file I couldn't find):

    * c:\windows\tag.vbs -- Seemed to be clean (I've pasted the scan results below).

    * c:\windows\nc-off.exe -- I couldn't find this one.

    Once more, thank you so much for all of your help, Screen!

    File tag.vbs received on 2010.04.12 21:27:56 (UTC)

    Result: 0/40 (0%)

    Antivirus Version Last Update Result

    a-squared 4.5.0.50 2010.04.12 -

    AhnLab-V3 5.0.0.2 2010.04.12 -

    AntiVir 7.10.6.64 2010.04.12 -

    Antiy-AVL 2.0.3.7 2010.04.12 -

    Authentium 5.2.0.5 2010.04.12 -

    Avast 4.8.1351.0 2010.04.12 -

    Avast5 5.0.332.0 2010.04.12 -

    AVG 9.0.0.787 2010.04.12 -

    BitDefender 7.2 2010.04.12 -

    CAT-QuickHeal 10.00 2010.04.12 -

    ClamAV 0.96.0.3-git 2010.04.12 -

    Comodo 4580 2010.04.12 -

    DrWeb 5.0.2.03300 2010.04.12 -

    eSafe 7.0.17.0 2010.04.12 -

    eTrust-Vet 35.2.7421 2010.04.12 -

    F-Prot 4.5.1.85 2010.04.12 -

    F-Secure 9.0.15370.0 2010.04.12 -

    Fortinet 4.0.14.0 2010.04.12 -

    GData 19 2010.04.12 -

    Ikarus T3.1.1.80.0 2010.04.12 -

    Jiangmin 13.0.900 2010.04.12 -

    Kaspersky 7.0.0.125 2010.04.12 -

    McAfee 5.400.0.1158 2010.04.12 -

    McAfee-GW-Edition 6.8.5 2010.04.12 -

    Microsoft 1.5605 2010.04.12 -

    NOD32 5023 2010.04.12 -

    Norman 6.04.11 2010.04.12 -

    nProtect 2009.1.8.0 2010.04.06 -

    Panda 10.0.2.2 2010.04.12 -

    PCTools 7.0.3.5 2010.04.12 -

    Prevx 3.0 2010.04.12 -

    Rising 22.43.00.04 2010.04.12 -

    Sophos 4.52.0 2010.04.12 -

    Sunbelt 6167 2010.04.12 -

    Symantec 20091.2.0.41 2010.04.12 -

    TheHacker 6.5.2.0.259 2010.04.12 -

    TrendMicro 9.120.0.1004 2010.04.12 -

    VBA32 3.12.12.4 2010.04.09 -

    ViRobot 2010.4.12.2272 2010.04.12 -

    VirusBuster 5.0.27.0 2010.04.12 -

    Additional information

    File size: 232 bytes

    MD5...: 572da92cc36c8936d13e18ddf4624ae6

    SHA1..: 09a039597d534982e2392b7a4040f21914b93c20

    SHA256: b6e94fd41a0a34413a979ef1b0598e78148a04176edc9412bcfac2a697ef7ca5

    ssdeep: 3:jaPcYonhwvGKQq5IGMLDzCwzjH1jz+CvFtQq5IGMLDzCWAIz9BH1jz+Cvn:jk+hDuM3z1zjVjz+wM3zBhVjz+s

    PEiD..: -

    PEInfo: -

    RDS...: NSRL Reference Data Set

    -

    pdfid.: -

    trid..: Unknown!

    sigcheck:

    publisher....: n/a

    copyright....: n/a

    product......: n/a

    description..: n/a

    original name: n/a

    internal name: n/a

    file version.: n/a

    comments.....: n/a

    signers......: -

    signing date.: -

    verified.....: Unsigned

  8. Just trying to upload the GMER log again...gmer_log_10_April_2010.txt

    Hi Screen,

    In the replies above, I posted the GMER logs as you asked, and also mentioned some error messages I've been getting, and a file that Virus Total picked up on.

    Just in case you were looking for a shorter GMER log, I ran GMER after unchecking:

    * Sections

    * IAT/EAT

    * Drives/Partition other than Systemdrive (typically only C:\ should be checked)

    * Show All (don't miss this one)

    and I've posted the resulting log below.

    Thanks again for everything. You really have to come to Australia and let me buy you a beer one day.

    **********************

    GMER 1.0.15.15281 - http://www.gmer.net

    Rootkit scan 2010-04-10 19:15:38

    Windows 5.1.2600 Service Pack 3

    Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\fwloapog.sys

    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xF2631212]

    SSDT 86D94F68 ZwAlertResumeThread

    SSDT 86D7EF00 ZwAlertThread

    SSDT 86E040C0 ZwAllocateVirtualMemory

    SSDT 86D4B340 ZwConnectPort

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xF2630E78]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xF2631A66]

    SSDT 86D7EB08 ZwCreateMutant

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xF26306A6]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xF26337A6]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xF2633A44]

    SSDT 86D1DB68 ZwCreateThread

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xF26313FE]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xF26315F2]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xF263001C]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xF2632118]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xF2632356]

    SSDT 86BABB78 ZwFreeVirtualMemory

    SSDT 86C02B58 ZwImpersonateAnonymousToken

    SSDT 86B5BB58 ZwImpersonateThread

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xF26333E2]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xF2630A66]

    SSDT 86D1EBB8 ZwMapViewOfSection

    SSDT 86B6AB58 ZwOpenEvent

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xF2631054]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenKey [0xF2631A56]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xF262FD00]

    SSDT 86D4EBF8 ZwOpenProcessToken

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xF2630D02]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xF262FE98]

    SSDT 86F3A908 ZwOpenThreadToken

    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF75F06A0]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryKey [0xF263253E]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryMultipleValueKey [0xF2632902]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryValueKey [0xF263271A]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xF2631F30]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xF2632E76]

    SSDT 869FAA78 ZwResumeThread

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xF263312A]

    SSDT 86D40F30 ZwSetContextThread

    SSDT 86D05340 ZwSetInformationProcess

    SSDT 86E7D798 ZwSetInformationThread

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xF263182E]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xF26335AE]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xF2631CB8]

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xF2630A00]

    SSDT 86E060D8 ZwSuspendProcess

    SSDT 86DA2710 ZwSuspendThread

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xF2630BEE]

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF2290320]

    SSDT 86DA2A78 ZwTerminateThread

    SSDT 86D410B8 ZwUnmapViewOfSection

    SSDT 86E0A0C0 ZwWriteVirtualMemory

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

    Device \Driver\usbhub \Device\000000dc hcmon.sys (VMware USB monitor/VMware, Inc.)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

    Device \Driver\usbhub \Device\000000de hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbehci \Device\USBPDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    Device \Driver\usbhub \Device\000000e0 hcmon.sys (VMware USB monitor/VMware, Inc.)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    Device \Driver\usbhub \Device\000000e2 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbhub \Device\000000e4 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)

    Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

    ---- EOF - GMER 1.0.15 ----

  9. Please run a GMER Rootkit scan:

    Once done, click the Copy button.

    This will copy the results to your clipboard.

    Paste the results in your next reply.

    Warning ! Please, do not select the "Show all" checkbox during the scan.

    Hi Screen,

    Thank you for giving me hope. I'll be so glad when this gets fixed.

    I followed your instructions and ran the GMER scan as you recommended. I tried to paste the results as you suggested, but I think there was too much text. I've attached the GMER log. Should I have unchecked some of the check boxes? I made sure that "show all" wasn't checked.

    While I was running the scan, this error kept popping up in Windows:

    *************************

    wuauclt.exe - Application error

    The instruction at "0x00009900" referenced memory at "0x00009900". The memory could not be "written".

    Click on OK to terminate the program

    Click on CANCEL to debug the program

    *************************

    It won't stop popping up, even now, regardless of whether I click OK or CANCEL. It's every five minutes or so.

    I also got this error message:

    **************************

    Dr Watson Postmortem Debugger has

    encountered a problem and needs to close.

    **************************

    There was just another thing that I wanted to mention that may or may not be relevant:

    A friend took a quick look at my HJT log and mentioned that I might want to disable ctfmon.exe. I have scanned ctfmon.exe at Virus Total and eSafe thinks that it is the Win32.Banker virus. I haven't taken any action, because I wanted to ask you about it first. Should I do anything about it? What would you recommend? I've included the Virus Total log at the end, after the GMER scan.

    As I said, I don't know if that's relevant.

    Thanks again for all of your help, Screen!

    **********************

    Virus Total Log

    **********************

    File ctfmon.exe received on 2010.04.08 18:49:59 (UTC)

    Result: 1/39 (2.57%)

    Antivirus Version Last Update Result

    a-squared 4.5.0.50 2010.04.08 -

    AhnLab-V3 5.0.0.2 2010.04.08 -

    AntiVir 7.10.6.49 2010.04.08 -

    Antiy-AVL 2.0.3.7 2010.04.08 -

    Authentium 5.2.0.5 2010.04.08 -

    Avast 4.8.1351.0 2010.04.08 -

    Avast5 5.0.332.0 2010.04.08 -

    AVG 9.0.0.787 2010.04.08 -

    BitDefender 7.2 2010.04.08 -

    CAT-QuickHeal 10.00 2010.04.08 -

    ClamAV 0.96.0.3-git 2010.04.08 -

    Comodo 4540 2010.04.08 -

    DrWeb 5.0.2.03300 2010.04.08 -

    eSafe 7.0.17.0 2010.04.08 Win32.Banker

    eTrust-Vet 35.2.7414 2010.04.08 -

    F-Prot 4.5.1.85 2010.04.07 -

    F-Secure 9.0.15370.0 2010.04.08 -

    Fortinet 4.0.14.0 2010.04.08 -

    GData 19 2010.04.08 -

    Ikarus T3.1.1.80.0 2010.04.08 -

    Jiangmin 13.0.900 2010.04.08 -

    Kaspersky 7.0.0.125 2010.04.08 -

    McAfee-GW-Edition 6.8.5 2010.04.08 -

    Microsoft 1.5605 2010.04.08 -

    NOD32 5011 2010.04.08 -

    Norman 6.04.11 2010.04.08 -

    nProtect 2009.1.8.0 2010.04.06 -

    Panda 10.0.2.2 2010.04.08 -

    PCTools 7.0.3.5 2010.04.08 -

    Prevx 3.0 2010.04.08 -

    Rising 22.42.03.03 2010.04.08 -

    Sophos 4.52.0 2010.04.08 -

    Sunbelt 6152 2010.04.08 -

    Symantec 20091.2.0.41 2010.04.08 -

    TheHacker 6.5.2.0.258 2010.04.08 -

    TrendMicro 9.120.0.1004 2010.04.08 -

    VBA32 3.12.12.4 2010.04.05 -

    ViRobot 2010.4.8.2267 2010.04.08 -

    VirusBuster 5.0.27.0 2010.04.08 -

  10. Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

    Try deleting the values from Safe Mode, reboot, and see if System Restore will work.

    Hi Screen,

    Thank you so much for all of your help. I hope you know how much people appreciate you rescuing their computers.

    Screen, I wasn't sure exactly how I should delete the registry values (i.e. whether to use regedit or not), so I

    1. Booted to Safe Mode.

    2. Re-ran the Fix.reg that you gave me.

    3. Rebooted in Safe Mode.

    When I rebooted in Safe Mode, the System Restore option was there! :)

    When I booted back into Normal Mode, though, System Restore was gone again...

    Also, I don't know if this is relevant, but when I went to shut down, before Step 1 above (before I'd booted into Safe Mode), as Windows was shutting down, a window popped up briefly, saying something about:

    *ccApp.exe

    not being able to shut down normally, or something like that.

    Thanks again, Screen. That was the first time I'd seen the System Restore option in like a month, so I'm pretty excited that we must be getting somewhere! :)

  11. Now navigate to your Desktop, and double click fix.reg (Click Yes to the prompt)

    Restart your computer and see if System Restore is functional now.

    Hi Screen,

    I ran the fix.reg you provided, but unfortunately when I reboot and right click on My Computer>Properties, there is no System Restore tab.

    I know that if I go into regedit, and delete "SystemRestore\DisableSR" and "SystemRestore\DisableConfig" then I temporarily have access to the System Restore tab, but as soon as I reboot, those two registry keys are back, and System Restore is gone.

    Once again, thank you for your help, Screen!

  12. For some reason those entries don't want to be deleted. Let's try to tackle this manually.

    Now, open Notepad, navigate to your Desktop, and open SystemPolicies.reg, ExplorerPolicies.reg, and ExplorerAdvanced.reg. Post the contents of each.

    Hi Screen,

    Thank you so much for all of your help. If you guys have a long weekend this weekend, I hope you're having a good one!

    I ran the .bat file you told me to; here are the .reg files. I wasn't sure, so I opened them in Notepad, and then copied and pasted the text here. If that's not right, please let me know and I'll do whatever I was meant to do.

    Just another symptom I noticed: I'm not able to enable the built-in firewall in XP; the option is greyed out. The same with Windows automatic updates; that's greyed out, too. System Restore is also missing.

    Thanks again for all of your help to all of these people! You're incredible.

    ----------------------

    SystemPolicies.reg

    ----------------------

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

    "RunLogonScriptSync"=dword:00000001

    "HideLogonScripts"=dword:00000000

    "HideLogoffScripts"=dword:00000000

    "DisableChangePassword"=dword:00000001

    ----------------------

    ExplorerPolicies.reg

    ----------------------

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

    "NoDriveAutoRun"=dword:03ffffff

    "NoDrives"=dword:00000000

    "NoSaveSettings"=dword:00000000

    "NoDriveTypeAutoRun"=dword:000000b5

    "NoWindowsUpdate"=dword:00000001

    "MaxRecentDocs"=dword:0000000a

    "NoSharedDocuments"=dword:00000001

    "NoThumbnailCache"=dword:00000001

    "ForceStartMenuLogOff"=dword:00000001

    "NoSMBalloonTip"=dword:00000001

    "NoStartMenuEjectPC"=dword:00000001

    "NoSMConfigurePrograms"=dword:00000001

    "NoRecentDocsNetHood"=dword:00000001

    "DisablePersonalDirChange"=dword:00000001

    "NoDesktopCleanupWizard"=dword:00000001

    "DisallowCpl"=dword:00000001

    "NoAutoUpdate"=dword:00000001

    "NoPublishingWizard"=dword:00000001

    "DisallowRun"=dword:00000001

    "NoSMHelp"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl]

    "2"="gpedit.msc"

    "3"="lusrmgr.msc"

    "4"="nusrmgr.cpl"

    "5"="nwc.cpl"

    "6"="wscui.cpl"

    "7"="wuaucpl.cpl"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]

    "1"="wbsamp.exe"

    "2"="webshots.exe"

    "3"="webshots.scr"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

    ----------------------

    ExplorerAdvanced.reg

    ----------------------

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

    "ServerAdminUI"=dword:00000000

    "Hidden"=dword:00000001

    "ShowCompColor"=dword:00000001

    "HideFileExt"=dword:00000000

    "DontPrettyPath"=dword:00000000

    "ShowInfoTip"=dword:00000001

    "MapNetDrvBtn"=dword:00000000

    "WebView"=dword:00000000

    "Filter"=dword:00000000

    "SuperHidden"=dword:00000001

    "SeparateProcess"=dword:00000000

    "ListviewAlphaSelect"=dword:00000000

    "ListviewShadow"=dword:00000000

    "ListviewWatermark"=dword:00000000

    "TaskbarAnimations"=dword:00000000

    "StartMenuInit"=dword:00000002

    "StartButtonBalloonTip"=dword:00000002

    "TaskbarSizeMove"=dword:00000000

    "TaskbarGlomming"=dword:00000001

    "StartMenuLogoff"=dword:00000000

    "StartMenuRun"=dword:00000001

    "StartMenuChange"=dword:00000001

    "CascadeControlPanel"="NO"

    "CascadeMyDocuments"="NO"

    "CascadeMyPictures"="NO"

    "CascadeNetworkConnections"="NO"

    "CascadePrinters"="NO"

    "StartMenuScrollPrograms"="NO"

    "IntelliMenus"=dword:00000000

    "NoNetCrawling"=dword:00000000

    "FolderContentsInfoTip"=dword:00000001

    "FriendlyTree"=dword:00000001

    "WebViewBarricade"=dword:00000000

    "DisableThumbnailCache"=dword:00000000

    "ShowSuperHidden"=dword:00000001

    "ClassicViewState"=dword:00000000

    "PersistBrowsers"=dword:00000000

    "LoosenRudeAppCheck"=dword:00000001

    "HideIcons"=dword:00000000

  13. 1. Download FixPolicies.exe by Bill Castner and save it to your Desktop.

    After it completes, restart your computer and post a fresh DDS log.

    Let me know if MBAM still detects anything.

    Hi Screen,

    Whoah, that gave me a fright! I came back after rebooting my computer and the screen was blank--after about a minute of holding my breath, white knuckled, the computer booted as normal. Phew! Heh heh, I guess April Fool's came early on me.

    Thanks again for all of your help.

    I've run FixPolicies as you suggested, rebooted, and run DDS again. I've included the new DDS log below.

    MBAM is still picking up infections; I've scanned about 4 times, selected remove each time, rebooted and scanned again, but I'm still getting MBAM finding infections even after the removes and reboots. I've posted the 2 most recent MBAM logs below:

    I'm running out of ways to say thank you, but I hope you know how much I appreciate your help.

    ***********************

    ***********************

    DDS (Ver_10-03-17.01) - NTFSx86

    Run by user at 12:34:25.15 on Wed 31/03/2010

    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.299 [GMT 10:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    ============== Running Processes ===============

    C:\WINDOWS\System32\Novell\XTAgent.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k eapsvcs

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k dot3svc

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    C:\WINDOWS\system32\spoolsv.exe

    svchost.exe

    c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

    c:\Program Files\Novell\ZENworks\nalntsrv.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

    C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

    C:\WINDOWS\system32\vmnat.exe

    c:\Program Files\Novell\ZENworks\wm.exe

    C:\Program Files\VMware\VMware Player\vmware-authd.exe

    C:\WINDOWS\system32\vmnetdhcp.exe

    c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

    C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

    C:\WINDOWS\system32\NWTRAY.EXE

    c:\Program Files\Novell\ZENworks\NalAgent.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\VMware\VMware Player\hqtray.exe

    C:\WINDOWS\system32\dpmw32.exe

    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

    C:\Program Files\RSIGuard\RSIGuard.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\Documents and Settings\user\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Microsoft Internet Explorer provided by Griffith University

    uStart Page = hxxp://www.griffith.edu.au/

    uDefault_Page_URL = hxxp://www.griffith.edu.au/

    uSearch Bar = hxxp://www.griffith.edu.au/find

    mDefault_Page_URL = hxxp://www.griffith.edu.au/

    uInternet Settings,ProxyOverride = <local>

    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

    uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

    mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

    mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

    mRun: [NWTRAY] NWTRAY.EXE

    mRun: [DeskTag] c:\windows\tag.vbs

    mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

    mRun: [NetcheckOff] c:\windows\nc-off.exe

    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

    mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

    mRun: [NDPS] c:\windows\system32\dpmw32.exe

    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

    uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

    uPolicies-explorer: NoSMHelp = 1 (0x1)

    uPolicies-explorer: MaxRecentDocs = 10 (0xa)

    uPolicies-explorer: NoThumbnailCache = 1 (0x1)

    uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

    uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

    uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

    uPolicies-explorer: DisallowCpl = 1 (0x1)

    uPolicies-explorer: NoAutoUpdate = 1 (0x1)

    uPolicies-explorer: NoPublishingWizard = 1 (0x1)

    uPolicies-explorer: DisallowRun = 1 (0x1)

    uPolicies-disallowrun: 1 = wbsamp.exe

    uPolicies-disallowrun: 2 = webshots.exe

    uPolicies-disallowrun: 3 = webshots.scr

    uPolicies-system: HideLogonScripts = 0 (0x0)

    uPolicies-system: DisableChangePassword = 1 (0x1)

    mPolicies-explorer: NoDisconnect = 1 (0x1)

    mPolicies-explorer: NoNTSecurity = 1 (0x1)

    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

    mPolicies-explorer: NoPublishingWizard = 1 (0x1)

    mPolicies-explorer: NoWebServices = 1 (0x1)

    mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

    mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

    mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

    mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

    mPolicies-system: HideShutdownScripts = 0 (0x0)

    mPolicies-system: LogonType = 0 (0x0)

    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

    IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

    LSP: c:\program files\vmware\vmware player\vsocklib.dll

    Trusted Zone: griffith.edu.au

    Trusted Zone: gu.edu.au

    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

    Notify: AtiExtEvent - Ati2evxx.dll

    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

    Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    LSA: Authentication Packages = msv1_0 nwv1_0

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

    FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]

    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]

    R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1263728]

    R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

    R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]

    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]

    R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

    R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

    R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-12 38224]

    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVENG.SYS [2010-3-25 84912]

    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVEX15.SYS [2010-3-25 1324720]

    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

    =============== Created Last 30 ================

    2010-03-25 23:15:17 0 d-----w- c:\program files\ESET

    2010-03-25 10:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure

    2010-03-24 17:34:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

    2010-03-24 17:34:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

    2010-03-24 17:30:39 0 d-----w- c:\program files\Spybot - Search & Destroy

    2010-03-24 17:30:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

    2010-03-24 17:29:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

    2010-03-24 17:29:19 0 d-----w- c:\program files\Lavasoft

    2010-03-24 17:03:30 0 d--h--w- c:\windows\PIF

    2010-03-24 16:38:15 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

    2010-03-24 16:36:56 0 d-----w- c:\windows\ERUNT

    2010-03-24 16:36:14 0 d-----w- C:\SDFix

    2010-03-23 01:58:24 59952 ----a-r- c:\windows\system32\vnetinst.dll

    2010-03-23 01:58:24 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

    2010-03-23 01:58:17 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

    2010-03-23 01:58:13 395824 ----a-w- c:\windows\system32\vmnat.exe

    2010-03-23 01:58:11 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

    2010-03-23 01:58:02 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

    2010-03-23 01:57:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

    2010-03-23 01:57:32 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

    2010-03-23 01:57:22 1024 ----a-w- C:\.rnd

    2010-03-23 01:57:02 0 d-----w- c:\program files\common files\VMware

    2010-03-23 01:56:34 0 d-----w- c:\program files\VMware

    2010-03-22 12:01:00 0 d-----w- c:\docume~1\user\applic~1\Foxit Software

    2010-03-21 16:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

    2010-03-21 16:40:56 411368 ----a-w- c:\windows\system32\deploytk.dll

    2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

    2010-03-14 09:38:22 0 d-----w- c:\program files\Trend Micro

    2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

    2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

    2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

    2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

    2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

    2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

    ==================== Find3M ====================

    2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-01-22 11:58:02 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

    2010-01-22 10:34:24 252464 ----a-w- c:\windows\system32\vmnc.dll

    2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

    2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

    ============= FINISH: 12:34:51.69 ===============

    ************************************

    ************************************

    MBAM Log 1

    ************************************

    ************************************

    Malwarebytes' Anti-Malware 1.45

    www.malwarebytes.org

    Database version: 3935

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 7.0.5730.11

    31/03/2010 12:41:11 PM

    mbam-log-2010-03-31 (12-41-11).txt

    Scan type: Quick scan

    Objects scanned: 128559

    Time elapsed: 5 minute(s), 42 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 2

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

    Registry Data Items Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    ************************************

    ************************************

    MBAM Log 2

    ************************************

    ************************************

    Malwarebytes' Anti-Malware 1.45

    www.malwarebytes.org

    Database version: 3935

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 7.0.5730.11

    31/03/2010 12:56:39 PM

    mbam-log-2010-03-31 (12-56-39).txt

    Scan type: Quick scan

    Objects scanned: 128414

    Time elapsed: 5 minute(s), 12 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 2

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

  14. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

    Hi Screen Wan Kenobi,

    Thank you again for all of your help. You are awesome; you are a Jedi.

    I've re-run ComboFix with the script that you gave me; the log is below, along with a new DDS, and the attachment from DDS.

    I don't know how relevant this is, but some of the errors reported in the DDS attach.txt may be due to the fact that lately I've been disabling my wifi connection so that the infection doesn't screw up my home network.

    Once again, thank you so much!

    **********************************

    **********************************

    ComboFix 10-03-29.04 - user 31/03/2010 9:53.4.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.492 [GMT 10:00]

    Running from: c:\documents and settings\user\Desktop\ComboFix.exe

    Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt

    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    hxxp://wus-na.griffith.edu.au

    .

    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))

    .

    2010-03-25 23:15 . 2010-03-25 23:15 -------- d-----w- c:\program files\ESET

    2010-03-25 10:59 . 2010-03-25 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

    2010-03-24 17:30 . 2010-03-25 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    2010-03-24 17:30 . 2010-03-24 17:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

    2010-03-24 17:29 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

    2010-03-24 17:29 . 2010-03-24 17:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

    2010-03-24 17:29 . 2010-03-24 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

    2010-03-24 17:29 . 2010-03-24 17:30 -------- d-----w- c:\program files\Lavasoft

    2010-03-24 17:03 . 2010-03-24 17:03 -------- d--h--w- c:\windows\PIF

    2010-03-24 16:38 . 2010-03-24 16:38 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

    2010-03-24 16:36 . 2010-03-24 16:37 -------- d-----w- c:\windows\ERUNT

    2010-03-24 16:36 . 2010-03-24 16:49 -------- d-----w- C:\SDFix

    2010-03-23 14:50 . 2010-03-23 16:29 -------- d-----w- c:\windows\BDOSCAN8

    2010-03-23 02:01 . 2010-03-23 02:01 -------- d-----w- c:\documents and settings\user\Application Data\VMware

    2010-03-23 01:59 . 2010-03-23 01:59 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe

    2010-03-23 01:59 . 2010-03-23 01:55 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll

    2010-03-23 01:59 . 2010-03-23 01:55 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll

    2010-03-23 01:59 . 2010-03-23 01:55 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe

    2010-03-23 01:59 . 2010-03-23 01:55 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe

    2010-03-23 01:59 . 2010-03-23 01:55 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll

    2010-03-23 01:59 . 2010-03-23 01:55 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll

    2010-03-23 01:59 . 2010-03-23 01:55 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll

    2010-03-23 01:58 . 2010-01-22 07:13 59952 ----a-r- c:\windows\system32\vnetinst.dll

    2010-03-23 01:58 . 2010-01-22 07:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

    2010-03-23 01:58 . 2010-01-22 11:56 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

    2010-03-23 01:58 . 2010-01-22 11:57 395824 ----a-w- c:\windows\system32\vmnat.exe

    2010-03-23 01:58 . 2010-01-22 11:57 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

    2010-03-23 01:58 . 2010-01-22 07:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

    2010-03-23 01:57 . 2010-01-22 11:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

    2010-03-23 01:57 . 2010-01-22 11:57 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

    2010-03-23 01:57 . 2010-03-31 00:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

    2010-03-23 01:57 . 2010-03-23 01:57 -------- d-----w- c:\program files\Common Files\VMware

    2010-03-23 01:56 . 2010-03-31 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

    2010-03-23 01:56 . 2010-03-23 01:56 -------- d-----w- c:\program files\VMware

    2010-03-22 12:01 . 2010-03-22 12:01 -------- d-----w- c:\documents and settings\user\Application Data\Foxit Software

    2010-03-21 16:42 . 2010-03-21 16:42 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcr71.dll

    2010-03-21 16:42 . 2010-03-21 16:42 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcp71.dll

    2010-03-21 16:42 . 2010-03-21 16:42 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-sse.dll

    2010-03-21 16:42 . 2010-03-21 16:42 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\jmc.dll

    2010-03-21 16:42 . 2010-03-21 16:42 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-d3d.dll

    2010-03-21 16:40 . 2010-03-21 16:40 411368 ----a-w- c:\windows\system32\deploytk.dll

    2010-03-16 14:52 . 2010-03-30 14:32 -------- d-----w- c:\documents and settings\user\Application Data\vlc

    2010-03-16 14:48 . 2010-03-16 14:48 -------- d-----w- c:\program files\VideoLAN

    2010-03-14 09:38 . 2010-03-14 09:38 -------- d-----w- c:\program files\Trend Micro

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-03-31 00:24 . 2010-02-02 15:14 -------- d-----w- c:\documents and settings\user\Application Data\RSIGuard

    2010-03-30 23:43 . 2009-08-12 07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-03-30 23:41 . 2010-01-28 02:55 -------- d-----w- c:\documents and settings\user\Application Data\Orbit

    2010-03-30 23:40 . 2009-09-11 01:01 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

    2010-03-30 15:36 . 2009-10-10 01:18 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent

    2010-03-29 14:46 . 2009-08-12 07:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-03-29 14:45 . 2009-08-12 07:40 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-03-25 12:48 . 2010-02-21 14:11 -------- d-----w- c:\program files\Oxford Dictonary With Sound Portable

    2010-03-25 01:49 . 2009-08-17 23:24 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

    2010-03-25 01:47 . 2009-08-17 23:23 -------- d-----w- c:\program files\SUPERAntiSpyware

    2010-03-21 16:41 . 2009-07-02 04:42 -------- d-----w- c:\program files\Common Files\Java

    2010-03-21 16:40 . 2009-07-02 04:42 -------- d-----w- c:\program files\Java

    2010-03-19 04:39 . 2009-10-10 01:18 -------- d-----w- c:\program files\uTorrent

    2010-03-01 18:13 . 2010-01-28 02:56 -------- d-----w- c:\documents and settings\user\Application Data\GrabPro

    2010-02-04 15:53 . 2010-03-24 17:34 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

    2010-02-04 14:16 . 2010-02-04 14:15 -------- d-----w- c:\program files\CCleaner

    2010-02-04 04:09 . 2010-02-04 04:09 -------- d-----w- c:\program files\Comical

    2010-02-02 15:53 . 2010-02-02 15:53 -------- d-----w- c:\program files\MAKEMSI Package Documentation

    2010-02-02 15:53 . 2010-02-02 15:08 -------- d-----w- c:\program files\RSIGuard

    2010-02-02 14:58 . 2010-02-02 14:57 -------- d-----w- c:\documents and settings\user\Application Data\Workrave

    2010-01-25 07:42 . 2010-01-24 07:41 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2010-01-22 11:58 . 2010-01-22 11:58 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

    2010-01-22 11:58 . 2010-01-22 11:58 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

    2010-01-22 11:57 . 2010-01-22 11:57 854192 ----a-w- c:\windows\system32\drivers\vmx86.sys

    2010-01-22 11:57 . 2010-01-22 11:57 70704 ----a-w- c:\windows\system32\drivers\vmci.sys

    2010-01-22 11:56 . 2010-01-22 11:56 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys

    2010-01-22 11:00 . 2010-01-22 11:00 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys

    2010-01-22 10:34 . 2010-01-22 10:34 252464 ----a-w- c:\windows\system32\vmnc.dll

    2010-01-12 07:57 . 2008-10-06 23:08 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys

    2010-01-10 07:51 . 2010-01-10 07:51 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-22 160592]

    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-23 2012912]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]

    "ZenWorks Nalview"="c:\program files\Novell\ZENworks\Nalview.exe" [2005-09-27 35840]

    "NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

    "DeskTag"="c:\windows\tag.vbs" [2008-07-07 232]

    "SOEFixer"="c:\program files\Griffith\SOEFixer\SOEFixer.exe" [2008-07-15 32768]

    "NetcheckOff"="c:\windows\nc-off.exe" [2005-11-22 1169138]

    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-06 115560]

    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]

    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    "VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-22 64048]

    "NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    NMPSystray.lnk - c:\program files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe [2009-7-2 81920]

    RSIGuard Stretch Edition.lnk - c:\program files\RSIGuard\RSIGuard.exe [2008-6-5 7008256]

    VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-7-2 6144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "CompatibleRUPSecurity"= 1 (0x1)

    "SynchronousUserGroupPolicy"= 0 (0x0)

    "DisableBkGndGroupPolicy"= 1 (0x1)

    "SynchronousMachineGroupPolicy"= 0 (0x0)

    "HideShutdownScripts"= 0 (0x0)

    "LogonType"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

    "HideLogonScripts"= 0 (0x0)

    "DisableChangePassword"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "NoDisconnect"= 1 (0x1)

    "NoNTSecurity"= 1 (0x1)

    "NoWelcomeScreen"= 1 (0x1)

    "NoPublishingWizard"= 1 (0x1)

    "NoWebServices"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "NoSMHelp"= 1 (0x1)

    "MaxRecentDocs"= 10 (0xa)

    "NoThumbnailCache"= 1 (0x1)

    "ForceStartMenuLogOff"= 1 (0x1)

    "NoSMBalloonTip"= 1 (0x1)

    "NoStartMenuEjectPC"= 1 (0x1)

    "NoSMConfigurePrograms"= 1 (0x1)

    "NoRecentDocsNetHood"= 1 (0x1)

    "DisablePersonalDirChange"= 1 (0x1)

    "DisallowCpl"= 1 (0x1)

    "NoAutoUpdate"= 1 (0x1)

    "NoPublishingWizard"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]

    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

    2009-09-08 03:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

    2004-09-07 06:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]

    2006-05-01 23:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1007\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1008\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-500\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

    "c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/03/2010 3:34 AM 64288]

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/08/2009 4:06 PM 12872]

    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/08/2009 4:06 PM 66632]

    R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [5/02/2010 1:52 AM 1263728]

    R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [17/08/2006 2:52 PM 167936]

    R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [2/07/2009 2:23 PM 49152]

    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22/01/2010 9:57 PM 70704]

    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/01/2010 9:00 PM 563760]

    R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2/07/2009 2:23 PM 9176]

    R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2/05/2006 9:17 AM 61440]

    R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/02/2010 2:00 AM 102448]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/05/2004 4:26 PM 80384]

    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/08/2009 4:06 PM 12872]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/10/2008 9:08 AM 23888]

    .

    Contents of the 'Scheduled Tasks' folder

    2010-03-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job

    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:34]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.griffith.edu.au/

    uInternet Settings,ProxyOverride = <local>

    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

    LSP: c:\program files\VMware\VMware Player\vsocklib.dll

    Trusted Zone: griffith.edu.au

    Trusted Zone: gu.edu.au

    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dp9ia1g0.default\

    FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll

    FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-03-31 10:24

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(212)

    c:\windows\system32\NETWIN32.DLL

    c:\program files\Novell\ZENworks\ZENPOL32.DLL

    c:\windows\system32\xmlparse.dll

    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    c:\windows\system32\Ati2evxx.dll

    c:\program files\Intel\Wireless\Bin\LgNotify.dll

    - - - - - - - > 'Explorer.exe'(3892)

    c:\program files\RSIGuard\RSIWatch.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\Ati2evxx.exe

    c:\program files\Intel\Wireless\Bin\EvtEng.exe

    c:\program files\Intel\Wireless\Bin\S24EvMon.exe

    c:\program files\Intel\Wireless\Bin\WLKeeper.exe

    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

    c:\windows\System32\SCardSvr.exe

    c:\program files\Cisco Systems\VPN Client\cvpnd.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    c:\program files\IBM\Lotus\Notes\ntmulti.exe

    c:\program files\Novell\ZENworks\nalntsrv.exe

    c:\program files\Intel\Wireless\Bin\RegSrvc.exe

    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    c:\program files\Novell\ZENworks\Asset Management\bin\CClient.exe

    c:\windows\system32\vmnat.exe

    c:\program files\Novell\ZENworks\wm.exe

    c:\program files\VMware\VMware Player\vmware-authd.exe

    c:\windows\system32\vmnetdhcp.exe

    c:\windows\system32\wbem\unsecapp.exe

    c:\program files\Novell\ZENworks\WMRUNDLL.EXE

    c:\program files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

    c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

    c:\windows\system32\Ati2evxx.exe

    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    c:\windows\system32\NWTRAY.EXE

    c:\program files\Novell\ZENworks\NalAgent.exe

    .

    **************************************************************************

    .

    Completion time: 2010-03-31 10:29:09 - machine was rebooted

    ComboFix-quarantined-files.txt 2010-03-31 00:29

    ComboFix2.txt 2010-03-28 08:12

    ComboFix3.txt 2010-03-23 01:15

    ComboFix4.txt 2010-03-13 16:33

    Pre-Run: 39,773,519,872 bytes free

    Post-Run: 39,776,391,168 bytes free

    - - End Of File - - 61C7450209CC9F1E329AEA730B1FF583

    *******************************

    *******************************

    DDS Log:

    *******************************

    *******************************

    DDS (Ver_10-03-17.01) - NTFSx86

    Run by user at 10:40:48.22 on Wed 31/03/2010

    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.306 [GMT 10:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    ============== Running Processes ===============

    C:\WINDOWS\System32\Novell\XTAgent.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k eapsvcs

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k dot3svc

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    C:\WINDOWS\system32\spoolsv.exe

    svchost.exe

    c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

    c:\Program Files\Novell\ZENworks\nalntsrv.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

    C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

    C:\WINDOWS\system32\vmnat.exe

    c:\Program Files\Novell\ZENworks\wm.exe

    C:\Program Files\VMware\VMware Player\vmware-authd.exe

    C:\WINDOWS\system32\vmnetdhcp.exe

    c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

    C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    C:\WINDOWS\system32\NWTRAY.EXE

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\VMware\VMware Player\hqtray.exe

    C:\WINDOWS\system32\dpmw32.exe

    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

    C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

    C:\Program Files\RSIGuard\RSIGuard.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\Explorer.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    C:\Documents and Settings\user\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.griffith.edu.au/

    uInternet Settings,ProxyOverride = <local>

    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

    uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

    mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

    mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

    mRun: [NWTRAY] NWTRAY.EXE

    mRun: [DeskTag] c:\windows\tag.vbs

    mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

    mRun: [NetcheckOff] c:\windows\nc-off.exe

    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

    mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

    mRun: [NDPS] c:\windows\system32\dpmw32.exe

    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

    uPolicies-explorer: NoSMHelp = 1 (0x1)

    uPolicies-explorer: MaxRecentDocs = 10 (0xa)

    uPolicies-explorer: NoThumbnailCache = 1 (0x1)

    uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

    uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

    uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

    uPolicies-explorer: DisallowCpl = 1 (0x1)

    uPolicies-explorer: NoAutoUpdate = 1 (0x1)

    uPolicies-explorer: NoPublishingWizard = 1 (0x1)

    uPolicies-system: HideLogonScripts = 0 (0x0)

    uPolicies-system: DisableChangePassword = 1 (0x1)

    mPolicies-explorer: NoDisconnect = 1 (0x1)

    mPolicies-explorer: NoNTSecurity = 1 (0x1)

    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

    mPolicies-explorer: NoPublishingWizard = 1 (0x1)

    mPolicies-explorer: NoWebServices = 1 (0x1)

    mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

    mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

    mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

    mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

    mPolicies-system: HideShutdownScripts = 0 (0x0)

    mPolicies-system: LogonType = 0 (0x0)

    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

    IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

    LSP: c:\program files\vmware\vmware player\vsocklib.dll

    Trusted Zone: griffith.edu.au

    Trusted Zone: gu.edu.au

    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

    Notify: AtiExtEvent - Ati2evxx.dll

    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

    Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    LSA: Authentication Packages = msv1_0 nwv1_0

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

    FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]

    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]

    R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1263728]

    R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

    R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]

    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]

    R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

    R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

    R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVENG.SYS [2010-3-25 84912]

    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVEX15.SYS [2010-3-25 1324720]

    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

    =============== Created Last 30 ================

    2010-03-25 23:15:17 0 d-----w- c:\program files\ESET

    2010-03-25 10:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure

    2010-03-24 17:34:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

    2010-03-24 17:34:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

    2010-03-24 17:30:39 0 d-----w- c:\program files\Spybot - Search & Destroy

    2010-03-24 17:30:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

    2010-03-24 17:29:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

    2010-03-24 17:29:19 0 d-----w- c:\program files\Lavasoft

    2010-03-24 17:03:30 0 d--h--w- c:\windows\PIF

    2010-03-24 16:38:15 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

    2010-03-24 16:36:56 0 d-----w- c:\windows\ERUNT

    2010-03-24 16:36:14 0 d-----w- C:\SDFix

    2010-03-23 01:58:24 59952 ----a-r- c:\windows\system32\vnetinst.dll

    2010-03-23 01:58:24 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

    2010-03-23 01:58:17 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

    2010-03-23 01:58:13 395824 ----a-w- c:\windows\system32\vmnat.exe

    2010-03-23 01:58:11 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

    2010-03-23 01:58:02 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

    2010-03-23 01:57:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

    2010-03-23 01:57:32 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

    2010-03-23 01:57:22 1024 ----a-w- C:\.rnd

    2010-03-23 01:57:02 0 d-----w- c:\program files\common files\VMware

    2010-03-23 01:56:34 0 d-----w- c:\program files\VMware

    2010-03-22 12:01:00 0 d-----w- c:\docume~1\user\applic~1\Foxit Software

    2010-03-21 16:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

    2010-03-21 16:40:56 411368 ----a-w- c:\windows\system32\deploytk.dll

    2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

    2010-03-14 09:38:22 0 d-----w- c:\program files\Trend Micro

    2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

    2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

    2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

    2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

    2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

    2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

    ==================== Find3M ====================

    2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-01-22 11:58:02 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

    2010-01-22 10:34:24 252464 ----a-w- c:\windows\system32\vmnc.dll

    2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

    2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

    ============= FINISH: 10:42:12.36 ===============

    Attach_March31.zip

  15. Prior to the most recent bout of infection, MBAM scans ran completely clean on my computer. Past infections have been cleaned up by MBAM run in Safe Mode.

    Hi Screen,

    Just to clarify: in the past, after an infection, MBAM in Safe Mode would remove everything, scans would then run completely clean without turning up any traces at all, and I would be symptom free.

    At the moment, I still have pretty bad symptoms. As I mentioned upthread:

    MBAM still finds between 1 and 4 infected entries every time I reboot and scan. I

  16. What sort of computer is this? Is this a work computer?

    Hi Screen,

    Thanks again for all of your help; you have no idea how much I appreciate it!

    The computer is my own computer, but I purchased it as old stock from the university where I am a staff member. I would be surprised if it still had any policies from my university, but perhaps they didn't do a thorough cleanup? I can make absolutely any changes you see fit, without having to worry about work, because the computer is mine.

    Prior to the most recent bout of infection, MBAM scans ran completely clean on my computer. Past infections have been cleaned up by MBAM run in Safe Mode.

    Are there some residual university settings preventing MBAM from doing its job? Do you have advice on how I should best remove those settings? My computer is no longer supported by my IT Department.

    Thanks again for everything, Screen! I'll be so glad when I've got a working computer again!

  17. Hi Screen,

    I've run the CFScript and posted the ComboFix and HJT logs above in the last reply. Just to let you know, after running ComboFix, MBAM still finds infections, including that one persistent one which won't delete on rebooting.

    Here are my three most recent MBAM logs, all of which were run after running the CFScript. After the first one, MBAM asked if I wanted to reboot to remove, I answered Yes, and it actually *did* reboot. After the next two scans, MBAM found infections, asked if I wanted to reboot, but did not reboot when I said Yes. The last scan was done from Safe Mode.

    Thanks again, Screen.

    ************************************

    ************************************

    Malwarebytes' Anti-Malware 1.44

    Database version: 3922

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 7.0.5730.11

    28/03/2010 6:37:02 PM

    mbam-log-2010-03-28 (18-37-02).txt

    Scan type: Quick Scan

    Objects scanned: 154370

    Time elapsed: 6 minute(s), 56 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 1

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    ***********************************************

    ***********************************************

    Malwarebytes' Anti-Malware 1.44

    Database version: 3922

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 7.0.5730.11

    28/03/2010 6:50:06 PM

    mbam-log-2010-03-28 (18-50-06).txt

    Scan type: Quick Scan

    Objects scanned: 154417

    Time elapsed: 5 minute(s), 54 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 2

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    ***********************************************

    ************************************************

    Malwarebytes' Anti-Malware 1.44

    Database version: 3922

    Windows 5.1.2600 Service Pack 3 (Safe Mode)

    Internet Explorer 7.0.5730.11

    28/03/2010 7:13:52 PM

    mbam-log-2010-03-28 (19-13-52).txt

    Scan type: Quick Scan

    Objects scanned: 152332

    Time elapsed: 11 minute(s), 18 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 1

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    **************************************

    **************************************

  18. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Hi Screen,

    Thanks again for all of your help. One day when you're visiting Australia, you'll have to let me know; I'd love to buy you a beer or two!

    I've run ComboFix with the CFScript you provided me with; the ComboFix log is below, along with a new HJT log.

    Thanks again for everything. I'm really looking forward to having a computer that works again!

    *******************************************

    ComboFix 10-03-27.02 - user 28/03/2010 17:54:24.3.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.527 [GMT 10:00]

    Running from: c:\documents and settings\user\Desktop\ComboFix.exe

    Command switches used :: c:\documents and settings\user\Desktop\CFscript.txt

    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    c:\windows\system32\drivers\ctymfns.sys

    c:\windows\system32\drivers\geyenxn.sys

    c:\windows\system32\tmp.reg

    ----- BITS: Possible infected sites -----

    hxxp://wus-na.griffith.edu.au

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Service_cvirjhs

    -------\Service_sgoncha

    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))

    .

    2010-03-25 23:15 . 2010-03-25 23:15 -------- d-----w- c:\program files\ESET

    2010-03-25 10:59 . 2010-03-25 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

    2010-03-24 17:30 . 2010-03-25 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    2010-03-24 17:30 . 2010-03-24 17:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

    2010-03-24 17:29 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

    2010-03-24 17:29 . 2010-03-24 17:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

    2010-03-24 17:29 . 2010-03-24 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

    2010-03-24 17:29 . 2010-03-24 17:30 -------- d-----w- c:\program files\Lavasoft

    2010-03-24 17:03 . 2010-03-24 17:03 -------- d--h--w- c:\windows\PIF

    2010-03-24 16:38 . 2010-03-24 16:38 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

    2010-03-24 16:36 . 2010-03-24 16:37 -------- d-----w- c:\windows\ERUNT

    2010-03-24 16:36 . 2010-03-24 16:49 -------- d-----w- C:\SDFix

    2010-03-23 14:50 . 2010-03-23 16:29 -------- d-----w- c:\windows\BDOSCAN8

    2010-03-23 02:01 . 2010-03-23 02:01 -------- d-----w- c:\documents and settings\user\Application Data\VMware

    2010-03-23 01:59 . 2010-03-23 01:59 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe

    2010-03-23 01:59 . 2010-03-23 01:55 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll

    2010-03-23 01:59 . 2010-03-23 01:55 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll

    2010-03-23 01:59 . 2010-03-23 01:55 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe

    2010-03-23 01:59 . 2010-03-23 01:55 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe

    2010-03-23 01:59 . 2010-03-23 01:55 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll

    2010-03-23 01:59 . 2010-03-23 01:55 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll

    2010-03-23 01:59 . 2010-03-23 01:55 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll

    2010-03-23 01:58 . 2010-01-22 07:13 59952 ----a-r- c:\windows\system32\vnetinst.dll

    2010-03-23 01:58 . 2010-01-22 07:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

    2010-03-23 01:58 . 2010-01-22 11:56 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

    2010-03-23 01:58 . 2010-01-22 11:57 395824 ----a-w- c:\windows\system32\vmnat.exe

    2010-03-23 01:58 . 2010-01-22 11:57 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

    2010-03-23 01:58 . 2010-01-22 07:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

    2010-03-23 01:57 . 2010-01-22 11:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

    2010-03-23 01:57 . 2010-01-22 11:57 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

    2010-03-23 01:57 . 2010-03-28 08:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

    2010-03-23 01:57 . 2010-03-23 01:57 -------- d-----w- c:\program files\Common Files\VMware

    2010-03-23 01:56 . 2010-03-28 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

    2010-03-23 01:56 . 2010-03-23 01:56 -------- d-----w- c:\program files\VMware

    2010-03-22 12:01 . 2010-03-22 12:01 -------- d-----w- c:\documents and settings\user\Application Data\Foxit Software

    2010-03-21 16:42 . 2010-03-21 16:42 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcr71.dll

    2010-03-21 16:42 . 2010-03-21 16:42 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcp71.dll

    2010-03-21 16:42 . 2010-03-21 16:42 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-sse.dll

    2010-03-21 16:42 . 2010-03-21 16:42 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\jmc.dll

    2010-03-21 16:42 . 2010-03-21 16:42 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-d3d.dll

    2010-03-21 16:40 . 2010-03-21 16:40 411368 ----a-w- c:\windows\system32\deploytk.dll

    2010-03-16 14:52 . 2010-03-27 16:35 -------- d-----w- c:\documents and settings\user\Application Data\vlc

    2010-03-16 14:48 . 2010-03-16 14:48 -------- d-----w- c:\program files\VideoLAN

    2010-03-14 09:38 . 2010-03-14 09:38 -------- d-----w- c:\program files\Trend Micro

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-03-28 08:06 . 2010-02-02 15:14 -------- d-----w- c:\documents and settings\user\Application Data\RSIGuard

    2010-03-28 08:00 . 2010-01-28 02:55 -------- d-----w- c:\documents and settings\user\Application Data\Orbit

    2010-03-27 16:08 . 2009-10-10 01:18 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent

    2010-03-25 12:48 . 2010-02-21 14:11 -------- d-----w- c:\program files\Oxford Dictonary With Sound Portable

    2010-03-25 01:49 . 2009-08-17 23:24 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

    2010-03-25 01:47 . 2009-08-17 23:23 -------- d-----w- c:\program files\SUPERAntiSpyware

    2010-03-21 16:41 . 2009-07-02 04:42 -------- d-----w- c:\program files\Common Files\Java

    2010-03-21 16:40 . 2009-07-02 04:42 -------- d-----w- c:\program files\Java

    2010-03-19 04:39 . 2009-10-10 01:18 -------- d-----w- c:\program files\uTorrent

    2010-03-01 18:13 . 2010-01-28 02:56 -------- d-----w- c:\documents and settings\user\Application Data\GrabPro

    2010-02-04 15:53 . 2010-03-24 17:34 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

    2010-02-04 14:16 . 2010-02-04 14:15 -------- d-----w- c:\program files\CCleaner

    2010-02-04 04:09 . 2010-02-04 04:09 -------- d-----w- c:\program files\Comical

    2010-02-02 15:53 . 2010-02-02 15:53 -------- d-----w- c:\program files\MAKEMSI Package Documentation

    2010-02-02 15:53 . 2010-02-02 15:08 -------- d-----w- c:\program files\RSIGuard

    2010-02-02 14:58 . 2010-02-02 14:57 -------- d-----w- c:\documents and settings\user\Application Data\Workrave

    2010-01-28 02:56 . 2010-01-28 02:56 -------- d-----w- c:\program files\Orbitdownloader

    2010-01-25 07:42 . 2010-01-24 07:41 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2010-01-22 11:58 . 2010-01-22 11:58 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

    2010-01-22 11:58 . 2010-01-22 11:58 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

    2010-01-22 11:57 . 2010-01-22 11:57 854192 ----a-w- c:\windows\system32\drivers\vmx86.sys

    2010-01-22 11:57 . 2010-01-22 11:57 70704 ----a-w- c:\windows\system32\drivers\vmci.sys

    2010-01-22 11:56 . 2010-01-22 11:56 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys

    2010-01-22 11:00 . 2010-01-22 11:00 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys

    2010-01-22 10:34 . 2010-01-22 10:34 252464 ----a-w- c:\windows\system32\vmnc.dll

    2010-01-12 07:57 . 2008-10-06 23:08 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys

    2010-01-10 07:51 . 2010-01-10 07:51 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

    2010-01-08 04:45 . 2009-09-11 01:01 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

    2010-01-07 06:07 . 2009-08-12 07:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-01-07 06:07 . 2009-08-12 07:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-22 160592]

    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-23 2012912]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]

    "ZenWorks Nalview"="c:\program files\Novell\ZENworks\Nalview.exe" [2005-09-27 35840]

    "NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

    "DeskTag"="c:\windows\tag.vbs" [2008-07-07 232]

    "SOEFixer"="c:\program files\Griffith\SOEFixer\SOEFixer.exe" [2008-07-15 32768]

    "NetcheckOff"="c:\windows\nc-off.exe" [2005-11-22 1169138]

    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-06 115560]

    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]

    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    "VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-22 64048]

    "NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    NMPSystray.lnk - c:\program files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe [2009-7-2 81920]

    RSIGuard Stretch Edition.lnk - c:\program files\RSIGuard\RSIGuard.exe [2008-6-5 7008256]

    VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-7-2 6144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "CompatibleRUPSecurity"= 1 (0x1)

    "SynchronousUserGroupPolicy"= 0 (0x0)

    "DisableBkGndGroupPolicy"= 1 (0x1)

    "SynchronousMachineGroupPolicy"= 0 (0x0)

    "HideShutdownScripts"= 0 (0x0)

    "LogonType"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

    "HideLogonScripts"= 0 (0x0)

    "DisableChangePassword"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "NoDisconnect"= 1 (0x1)

    "NoNTSecurity"= 1 (0x1)

    "NoWelcomeScreen"= 1 (0x1)

    "NoPublishingWizard"= 1 (0x1)

    "NoWebServices"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "NoSMHelp"= 1 (0x1)

    "MaxRecentDocs"= 10 (0xa)

    "NoThumbnailCache"= 1 (0x1)

    "ForceStartMenuLogOff"= 1 (0x1)

    "NoSMBalloonTip"= 1 (0x1)

    "NoStartMenuEjectPC"= 1 (0x1)

    "NoSMConfigurePrograms"= 1 (0x1)

    "NoRecentDocsNetHood"= 1 (0x1)

    "DisablePersonalDirChange"= 1 (0x1)

    "DisallowCpl"= 1 (0x1)

    "NoAutoUpdate"= 1 (0x1)

    "NoPublishingWizard"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]

    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

    2009-09-08 03:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

    2004-09-07 06:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]

    2006-05-01 23:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1007\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1008\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-500\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

    "c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/03/2010 3:34 AM 64288]

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/08/2009 4:06 PM 12872]

    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/08/2009 4:06 PM 66632]

    R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [5/02/2010 1:52 AM 1263728]

    R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [17/08/2006 2:52 PM 167936]

    R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [2/07/2009 2:23 PM 49152]

    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22/01/2010 9:57 PM 70704]

    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/01/2010 9:00 PM 563760]

    R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2/07/2009 2:23 PM 9176]

    R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2/05/2006 9:17 AM 61440]

    R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/02/2010 2:00 AM 102448]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/05/2004 4:26 PM 80384]

    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/08/2009 4:06 PM 12872]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/10/2008 9:08 AM 23888]

    .

    Contents of the 'Scheduled Tasks' folder

    2010-03-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job

    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:34]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.griffith.edu.au/

    uInternet Settings,ProxyOverride = <local>

    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

    LSP: c:\program files\VMware\VMware Player\vsocklib.dll

    Trusted Zone: griffith.edu.au

    Trusted Zone: gu.edu.au

    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dp9ia1g0.default\

    FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll

    FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-03-28 18:07

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(276)

    c:\windows\system32\NETWIN32.DLL

    c:\program files\Novell\ZENworks\ZENPOL32.DLL

    c:\windows\system32\xmlparse.dll

    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    c:\windows\system32\Ati2evxx.dll

    c:\program files\Intel\Wireless\Bin\LgNotify.dll

    - - - - - - - > 'Explorer.exe'(3736)

    c:\program files\RSIGuard\RSIWatch.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    c:\windows\system32\NETWIN32.DLL

    c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

    c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\Ati2evxx.exe

    c:\program files\Intel\Wireless\Bin\EvtEng.exe

    c:\program files\Intel\Wireless\Bin\S24EvMon.exe

    c:\program files\Intel\Wireless\Bin\WLKeeper.exe

    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

    c:\windows\System32\SCardSvr.exe

    c:\program files\Cisco Systems\VPN Client\cvpnd.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    c:\program files\IBM\Lotus\Notes\ntmulti.exe

    c:\program files\Novell\ZENworks\nalntsrv.exe

    c:\program files\Intel\Wireless\Bin\RegSrvc.exe

    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    c:\program files\Novell\ZENworks\Asset Management\bin\CClient.exe

    c:\windows\system32\vmnat.exe

    c:\program files\Novell\ZENworks\wm.exe

    c:\program files\VMware\VMware Player\vmware-authd.exe

    c:\windows\system32\vmnetdhcp.exe

    c:\windows\system32\wbem\unsecapp.exe

    c:\program files\Novell\ZENworks\WMRUNDLL.EXE

    c:\program files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

    c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

    c:\windows\system32\Ati2evxx.exe

    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    c:\windows\system32\NWTRAY.EXE

    c:\program files\Novell\ZENworks\NalAgent.exe

    .

    **************************************************************************

    .

    Completion time: 2010-03-28 18:12:51 - machine was rebooted

    ComboFix-quarantined-files.txt 2010-03-28 08:12

    ComboFix2.txt 2010-03-23 01:15

    ComboFix3.txt 2010-03-13 16:33

    Pre-Run: 40,135,237,632 bytes free

    Post-Run: 40,332,173,312 bytes free

    - - End Of File - - 8D73798E686BD3CA55E9DA9E66F53B07

    ***************************************

    ***************************************

    HJT log:

    ***************************************

    ***************************************

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 6:22:47 PM, on 28/03/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16827)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Novell\XTAgent.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    C:\WINDOWS\system32\spoolsv.exe

    c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

    c:\Program Files\Novell\ZENworks\nalntsrv.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

    C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

    C:\WINDOWS\system32\vmnat.exe

    c:\Program Files\Novell\ZENworks\wm.exe

    C:\Program Files\VMware\VMware Player\vmware-authd.exe

    C:\WINDOWS\system32\vmnetdhcp.exe

    c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

    C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    C:\WINDOWS\system32\NWTRAY.EXE

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\VMware\VMware Player\hqtray.exe

    C:\WINDOWS\system32\dpmw32.exe

    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

    C:\Program Files\RSIGuard\RSIGuard.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\Explorer.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.griffith.edu.au/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

    O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

    O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\system32\zentray.exe

    O4 - HKLM\..\Run: [ZenWorks Nalview] C:\Program Files\Novell\ZENworks\Nalview.exe /NS

    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

    O4 - HKLM\..\Run: [DeskTag] C:\WINDOWS\tag.vbs

    O4 - HKLM\..\Run: [sOEFixer] C:\Program Files\Griffith\SOEFixer\SOEFixer.exe

    O4 - HKLM\..\Run: [NetcheckOff] C:\WINDOWS\nc-off.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

    O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"

    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe

    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

    O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

    O4 - Global Startup: RSIGuard Stretch Edition.lnk = ?

    O4 - Global Startup: VPN Client.lnk = ?

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

    O15 - Trusted Zone: http://*.griffith.edu.au

    O15 - Trusted Zone: http://*.gu.edu.au

    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191965776190

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191965762450

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = itc.griffith.edu.au,domino.griffith.edu.au,griffith.edu.au,itc.gu.edu.au,gu.edu.au

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = itc.griffith.edu.au,domino.griffith.edu.au,griffith.edu.au,itc.gu.edu.au,gu.edu.au

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = itc.griffith.edu.au,domino.griffith.edu.au,griffith.edu.au,itc.gu.edu.au,gu.edu.au

    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - c:\Program Files\Novell\ZENworks\nalntsrv.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

    O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe

    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe

    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

    O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    O23 - Service: WLANKEEPER - Intel
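    The HijackThis log above is raw scanner output, and the sections a helper reads first are the ones that change what code gets loaded or where DNS lookups go (O4 autoruns, O10 Winsock LSPs, O15 Trusted Zone, O17 search list, O20 Winlogon Notify, O23 services). As an added example, not code from this thread nor from HijackThis or Malwarebytes, here is a small Python triage script that parses such "Onn - ..." lines and grades them. The severity rules, the "suspect" path patterns and the sample log are my own assumptions; the sample is modelled on the entries above, with the two temp-directory entries constructed to exercise the suspect rules.

```python
"""Triage of HijackThis-style 'Onn - ...' lines (added example, own heuristics)."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# Directories malware commonly drops into (assumption: an autorun, LSP or
# service binary living here is suspect until proven otherwise).
SUSPECT_PATH_RE = re.compile(
    r"\\(temp|documents and settings\\[^\\]+\\local settings)\\", re.I)


@dataclass
class Finding:
    section: str
    severity: str  # "info", "review" or "suspect"
    reason: str
    entry: str


def parse_entries(log_text):
    """Yield (section, body) for every 'Onn - body' line; other lines are ignored."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def _known(name, expected_domains):
    """True when name is one of, or a subdomain of, the owner's expected domains."""
    return any(name == d or name.endswith("." + d) for d in expected_domains)


def triage(log_text, expected_domains=()):
    """Return Findings for the sections that change what runs or where DNS points.

    expected_domains: suffixes the machine's owner recognises (here a managed
    university domain), so managed settings come back as info, not review.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O4" and SUSPECT_PATH_RE.search(body):
            findings.append(Finding(section, "suspect", "autorun from a temp/profile directory", body))
        elif section == "O10":
            # A Winsock LSP is loaded into every process that opens a socket.
            findings.append(Finding(section, "review", "Winsock LSP the scanner could not identify", body))
        elif section == "O15":
            m = re.search(r"Trusted Zone:\s*(?:https?://)?(?:\*\.)?(\S+)", body)
            domain = m.group(1) if m else body
            sev = "info" if _known(domain, expected_domains) else "review"
            findings.append(Finding(section, sev, "IE Trusted Zone (relaxed security) for " + domain, body))
        elif section == "O17":
            # Search-list / name-server changes redirect every lookup on the box.
            m = re.search(r"(SearchList|NameServer|Domain)\s*=\s*(.*)", body)
            key, value = (m.group(1), m.group(2)) if m else ("?", body)
            values = [v.strip() for v in value.split(",") if v.strip()]
            unknown = [v for v in values if not _known(v, expected_domains)]
            sev = "review" if key == "NameServer" or unknown else "info"
            findings.append(Finding(section, sev, f"{key}: {len(unknown)} of {len(values)} values unrecognised", body))
        elif section == "O20":
            # Winlogon Notify DLLs run as SYSTEM inside winlogon.exe.
            findings.append(Finding(section, "review", "Winlogon Notify DLL", body))
        elif section == "O23":
            # Format: Service: display name (short name) - vendor - path
            parts = [p.strip() for p in body.split(" - ")]
            vendor = parts[1] if len(parts) > 1 else ""
            path = parts[2] if len(parts) > 2 else ""
            if SUSPECT_PATH_RE.search(path):
                findings.append(Finding(section, "suspect", "service binary in a temp/profile directory", body))
            elif not vendor or vendor.lower() == "unknown owner":
                findings.append(Finding(section, "review", "service with no identifiable vendor", body))
    return findings


def summarise(findings):
    """Count findings per severity."""
    counts = {"suspect": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample modelled on the log above; the svcupd/updsvc entries are
# invented purely to exercise the "suspect" rules.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [svcupd] C:\Documents and Settings\user\Local Settings\Temp\svcupd.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O15 - Trusted Zone: http://*.griffith.edu.au
O15 - Trusted Zone: http://*.example.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = itc.griffith.edu.au,griffith.edu.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Updater (updsvc) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\updsvc.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG, expected_domains=("griffith.edu.au",))
    order = ("suspect", "review", "info")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:7}] {f.section}: {f.reason}\n          {f.entry}")
    print(summarise(results))
```

    The point of the expected_domains parameter is that on a managed machine like this one (Novell ZENworks, university search list, university Trusted Zone entries) the same O15/O17 entries that would be alarming on a home PC are policy, so the script reports them as info and leaves the reviewer's attention for the LSP, the Winlogon Notify DLL and anything executing out of a temp directory.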

    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

    Hi Screen,

    Thank you once again for all of your help! You have no idea how lost I was before; I'm really looking forward to having a functional computer again in the future.

    I have just finished running ComboFix, and the ComboFix.txt is below, along with a new DDS log.

    Just a quick question: every time that I create a new DDS log, I'm downloading a fresh version of DDS. Do I need to do that, or can I just keep using the same version?

    As soon as you let me know what I should do next, I'm on it. Thanks again, so much, Screen.

    Here's the ComboFix.txt:

    *******************************************************

    ComboFix 10-03-22.02 - user 23/03/2010 11:08:41.2.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.579 [GMT 10:00]

    Running from: c:\documents and settings\user\Desktop\ComboFix.exe

    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    hxxp://wus-na.griffith.edu.au

    .

    ((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))

    .

    2010-03-22 12:01 . 2010-03-22 12:01 -------- d-----w- c:\documents and settings\user\Application Data\Foxit Software

    2010-03-21 16:42 . 2010-03-21 16:42 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcr71.dll

    2010-03-21 16:42 . 2010-03-21 16:42 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcp71.dll

    2010-03-21 16:42 . 2010-03-21 16:42 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-sse.dll

    2010-03-21 16:42 . 2010-03-21 16:42 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\jmc.dll

    2010-03-21 16:42 . 2010-03-21 16:42 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-d3d.dll

    2010-03-21 16:40 . 2010-03-21 16:40 411368 ----a-w- c:\windows\system32\deploytk.dll

    2010-03-16 14:52 . 2010-03-22 17:39 -------- d-----w- c:\documents and settings\user\Application Data\vlc

    2010-03-16 14:48 . 2010-03-16 14:48 -------- d-----w- c:\program files\VideoLAN

    2010-03-14 09:38 . 2010-03-14 09:38 -------- d-----w- c:\program files\Trend Micro

    2010-02-21 14:11 . 2009-05-04 21:45 -------- d-----w- c:\program files\Oxford Dictonary With Sound Portable

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-03-23 01:05 . 2010-02-02 15:14 -------- d-----w- c:\documents and settings\user\Application Data\RSIGuard

    2010-03-22 09:59 . 2009-08-17 23:23 -------- d-----w- c:\program files\SUPERAntiSpyware

    2010-03-21 16:41 . 2009-07-02 04:42 -------- d-----w- c:\program files\Common Files\Java

    2010-03-21 16:40 . 2009-07-02 04:42 -------- d-----w- c:\program files\Java

    2010-03-19 04:39 . 2009-10-10 01:18 -------- d-----w- c:\program files\uTorrent

    2010-03-18 13:54 . 2009-10-10 01:18 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent

    2010-03-17 09:30 . 2009-08-17 23:24 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

    2010-03-14 17:04 . 2010-01-28 02:55 -------- d-----w- c:\documents and settings\user\Application Data\Orbit

    2010-03-01 18:13 . 2010-01-28 02:56 -------- d-----w- c:\documents and settings\user\Application Data\GrabPro

    2010-02-04 14:16 . 2010-02-04 14:15 -------- d-----w- c:\program files\CCleaner

    2010-02-04 04:09 . 2010-02-04 04:09 -------- d-----w- c:\program files\Comical

    2010-02-02 15:53 . 2010-02-02 15:53 -------- d-----w- c:\program files\MAKEMSI Package Documentation

    2010-02-02 15:53 . 2010-02-02 15:08 -------- d-----w- c:\program files\RSIGuard

    2010-02-02 14:58 . 2010-02-02 14:57 -------- d-----w- c:\documents and settings\user\Application Data\Workrave

    2010-01-28 02:56 . 2010-01-28 02:56 -------- d-----w- c:\program files\Orbitdownloader

    2010-01-25 07:42 . 2010-01-24 07:41 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2010-01-12 07:57 . 2008-10-06 23:08 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys

    2010-01-10 07:51 . 2010-01-10 07:51 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

    2010-01-08 04:45 . 2009-09-11 01:01 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

    2010-01-07 06:07 . 2009-08-12 07:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-01-07 06:07 . 2009-08-12 07:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-22 160592]

    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-24 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]

    "ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]

    "ZenWorks Nalview"="c:\program files\Novell\ZENworks\Nalview.exe" [2005-09-27 35840]

    "NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

    "DeskTag"="c:\windows\tag.vbs" [2008-07-07 232]

    "SOEFixer"="c:\program files\Griffith\SOEFixer\SOEFixer.exe" [2008-07-15 32768]

    "NetcheckOff"="c:\windows\nc-off.exe" [2005-11-22 1169138]

    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-06 115560]

    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]

    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    NMPSystray.lnk - c:\program files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe [2009-7-2 81920]

    RSIGuard Stretch Edition.lnk - c:\program files\RSIGuard\RSIGuard.exe [2008-6-5 7008256]

    VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-7-2 6144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "CompatibleRUPSecurity"= 1 (0x1)

    "SynchronousUserGroupPolicy"= 0 (0x0)

    "DisableBkGndGroupPolicy"= 1 (0x1)

    "SynchronousMachineGroupPolicy"= 0 (0x0)

    "HideShutdownScripts"= 0 (0x0)

    "LogonType"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

    "HideLogonScripts"= 0 (0x0)

    "DisableChangePassword"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "NoDisconnect"= 1 (0x1)

    "NoNTSecurity"= 1 (0x1)

    "NoWelcomeScreen"= 1 (0x1)

    "NoPublishingWizard"= 1 (0x1)

    "NoWebServices"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "MaxRecentDocs"= 10 (0xa)

    "NoThumbnailCache"= 1 (0x1)

    "ForceStartMenuLogOff"= 1 (0x1)

    "NoSMBalloonTip"= 1 (0x1)

    "NoStartMenuEjectPC"= 1 (0x1)

    "NoSMConfigurePrograms"= 1 (0x1)

    "NoRecentDocsNetHood"= 1 (0x1)

    "DisablePersonalDirChange"= 1 (0x1)

    "DisallowCpl"= 1 (0x1)

    "NoAutoUpdate"= 1 (0x1)

    "NoPublishingWizard"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]

    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

    2009-09-08 03:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

    2004-09-07 06:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]

    2006-05-01 23:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1007\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1008\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-500\Scripts\Logoff\0\0]

    "Script"=c:\windows\nc-off.exe

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/08/2009 4:06 PM 9968]

    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/08/2009 4:06 PM 74480]

    R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]

    R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [17/08/2006 2:52 PM 167936]

    R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [2/07/2009 2:23 PM 49152]

    R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2/07/2009 2:23 PM 9176]

    R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2/05/2006 9:17 AM 61440]

    R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/02/2010 2:00 AM 102448]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/05/2004 4:26 PM 80384]

    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/08/2009 4:06 PM 7408]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/10/2008 9:08 AM 23888]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.griffith.edu.au/

    uInternet Settings,ProxyOverride = <local>

    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

    Trusted Zone: griffith.edu.au

    Trusted Zone: gu.edu.au

    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dp9ia1g0.default\

    FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll

    FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-03-23 11:13

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1996)

    c:\windows\system32\NETWIN32.DLL

    c:\program files\Novell\ZENworks\ZENPOL32.DLL

    c:\windows\system32\xmlparse.dll

    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    c:\windows\system32\Ati2evxx.dll

    c:\program files\Intel\Wireless\Bin\LgNotify.dll

    .

    Completion time: 2010-03-23 11:15:28

    ComboFix-quarantined-files.txt 2010-03-23 01:15

    ComboFix2.txt 2010-03-13 16:33

    Pre-Run: 42,754,691,072 bytes free

    Post-Run: 42,769,768,448 bytes free

    - - End Of File - - 467E2D385A55E116444908666C32558F

    **********************************************************

    **********************************************************

    This is a new DDS log:

    **********************************************************

    **********************************************************

    DDS (Ver_10-03-17.01) - NTFSx86

    Run by user at 11:26:07.16 on Tue 23/03/2010

    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.341 [GMT 10:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    ============== Running Processes ===============

    C:\WINDOWS\System32\Novell\XTAgent.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k eapsvcs

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k dot3svc

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\WINDOWS\system32\spoolsv.exe

    svchost.exe

    c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

    C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

    c:\Program Files\Novell\ZENworks\wm.exe

    c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

    C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

    C:\WINDOWS\system32\dpmw32.exe

    C:\WINDOWS\system32\NWTRAY.EXE

    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\system32\notepad.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe

    C:\Documents and Settings\user\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.griffith.edu.au/

    uInternet Settings,ProxyOverride = <local>

    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

    uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

    mRun: [NDPS] c:\windows\system32\dpmw32.exe

    mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

    mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

    mRun: [NWTRAY] NWTRAY.EXE

    mRun: [DeskTag] c:\windows\tag.vbs

    mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

    mRun: [NetcheckOff] c:\windows\nc-off.exe

    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

    mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

    uPolicies-explorer: MaxRecentDocs = 10 (0xa)

    uPolicies-explorer: NoThumbnailCache = 1 (0x1)

    uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

    uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

    uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

    uPolicies-explorer: DisallowCpl = 1 (0x1)

    uPolicies-explorer: NoAutoUpdate = 1 (0x1)

    uPolicies-explorer: NoPublishingWizard = 1 (0x1)

    uPolicies-system: HideLogonScripts = 0 (0x0)

    uPolicies-system: DisableChangePassword = 1 (0x1)

    mPolicies-explorer: NoDisconnect = 1 (0x1)

    mPolicies-explorer: NoNTSecurity = 1 (0x1)

    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

    mPolicies-explorer: NoPublishingWizard = 1 (0x1)

    mPolicies-explorer: NoWebServices = 1 (0x1)

    mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

    mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

    mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

    mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

    mPolicies-system: HideShutdownScripts = 0 (0x0)

    mPolicies-system: LogonType = 0 (0x0)

    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

    IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

    Trusted Zone: griffith.edu.au

    Trusted Zone: gu.edu.au

    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

    Notify: AtiExtEvent - Ati2evxx.dll

    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

    Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    LSA: Authentication Packages = msv1_0 nwv1_0

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

    FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]

    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]

    R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

    R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

    R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

    R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

    R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

    R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100321.020\NAVENG.SYS [2010-3-22 84912]

    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100321.020\NAVEX15.SYS [2010-3-22 1324720]

    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

    =============== Created Last 30 ================

    2010-03-23 01:07:43 0 d-----w- C:\ComboFix

    2010-03-22 12:01:00 0 d-----w- c:\docume~1\user\applic~1\Foxit Software

    2010-03-21 16:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

    2010-03-21 16:40:56 411368 ----a-w- c:\windows\system32\deploytk.dll

    2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

    2010-03-14 09:38:22 0 d-----w- c:\program files\Trend Micro

    2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

    2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

    2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

    2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

    2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

    2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

    2010-02-21 14:11:04 0 d-----w- c:\program files\Oxford Dictonary With Sound Portable

    ==================== Find3M ====================

    2010-01-25 07:42:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

    2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

    ============= FINISH: 11:26:32.49 ===============
