
Infected registry keys keep coming back



> I ran the quick scan of MBAM and found 90+3 infections. After removing them and rebooting, they come back. I saw several topics in this forum referring to the same problem. I would really appreciate your help. I pasted both the MBAM log and the Combo-Fix log right under it.

> Malwarebytes' Anti-Malware 1.37

> Database version: 2288

> Windows 5.1.2600 Service Pack 3

> 6/17/2009 9:16:39 PM

> mbam-log-2009-06-17 (21-16-39).txt

> Scan type: Quick Scan

> Objects scanned: 143920

> Time elapsed: 6 minute(s), 14 second(s)

> Memory Processes Infected: 0

> Memory Modules Infected: 0

> Registry Keys Infected: 90

> Registry Values Infected: 0

> Registry Data Items Infected: 3

> Folders Infected: 0

> Files Infected: 0

> Memory Processes Infected:

> (No malicious items detected)

> Memory Modules Infected:

> (No malicious items detected)

> Registry Keys Infected:

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASecurityCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.

> Registry Values Infected:

> (No malicious items detected)

> Registry Data Items Infected:

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

> Folders Infected:

> (No malicious items detected)

> Files Infected:

> (No malicious items detected)


Here is my Combofix Log

> COMBOFIX LOG

> ComboFix 09-06-17.02 - fcansiz 06/17/2009 21:44.1 - NTFSx86

> Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3054.2419 [GMT -4:00]

> Running from: c:\documents and settings\fcansiz\Desktop\ComboFix.exe

> AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

> .

> ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

> .

> c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

> c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

> c:\windows\system32\aaclienti.exe

> c:\windows\system32\drivers\e41c4948.sys

> c:\windows\system32\Drivers\gbnuzx.sys

> c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk

> c:\windows\IE4 Error Log.txt

> c:\windows\system32\drivers\gbnuzx.sys

> ----- BITS: Possible infected sites -----

> hxxp://sussrv.burnsmcd.com

> .

> ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

> .

> -------\Legacy_RSERVER3NETTCPPORTSHARING

> -------\Service_e41c4948

> -------\Service_RServer3NetTcpPortSharing

>

> ((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))

> .

> 2009-06-18 01:50 . 2009-06-18 01:50 -------- d-----w- c:\temp\WPDNSE

> 2009-06-18 01:49 . 2009-06-18 01:49 53248 ----a-w- c:\temp\catchme.dll

> 2009-06-18 01:49 . 2009-06-18 01:49 -------- d-----w- c:\temp\tnTempSpool

> 2009-06-18 01:49 . 2009-06-18 01:49 50 ----a-w- c:\temp\tnSvcX.dat

> 2009-06-18 01:49 . 2009-06-18 01:49 16384 ----atw- c:\temp\Perflib_Perfdata_66c.dat

> 2009-06-18 01:49 . 2009-06-18 01:49 16384 ----atw- c:\temp\Perflib_Perfdata_1e8.dat

> 2009-06-18 01:47 . 2009-06-18 01:47 60416 ----a-w- c:\temp\Perflib_Perfdata__755.dat

> 2009-06-15 20:32 . 2009-06-15 20:32 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

> 2009-06-15 20:31 . 2009-06-15 20:31 -------- d-----w- c:\documents and settings\fcansiz\Application Data\Malwarebytes

> 2009-06-15 20:31 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

> 2009-06-15 20:31 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

> 2009-06-15 20:31 . 2009-06-15 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

> 2009-06-15 20:31 . 2009-06-15 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

> 2009-06-15 19:17 . 2009-06-18 01:46 -------- d-----w- c:\temp\TN_SysDiags

> 2009-06-11 19:58 . 2006-12-08 16:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll

> 2009-06-11 19:58 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

> 2009-06-11 19:58 . 2006-11-15 15:38 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll

> 2009-06-11 19:58 . 2006-09-28 20:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll

> 2009-06-11 19:58 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

> 2009-06-11 19:58 . 2006-09-28 20:04 68888 ----a-w- c:\windows\system32\xinput1_3.dll

> 2009-06-11 19:58 . 2006-07-28 13:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll

> 2009-06-11 19:58 . 2006-07-28 13:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll

> 2009-06-11 19:57 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

> 2009-06-10 16:52 . 2009-06-10 16:53 -------- d-----w- C:\Delete

> 2009-06-03 12:03 . 2009-06-03 12:03 32 --s-a-w- c:\windows\system32\1414767022.dat

> 2009-06-02 20:39 . 2009-06-02 20:39 -------- d-----w- c:\temp\OIS

> 2009-06-01 17:20 . 2009-02-03 19:59 56832 -c----w- c:\windows\system32\dllcache\secur32.dll

> 2009-06-01 17:20 . 2009-03-21 14:06 989696 -c----w- c:\windows\system32\dllcache\kernel32.dll

> 2009-06-01 17:17 . 2008-12-16 12:30 354304 -c----w- c:\windows\system32\dllcache\winhttp.dll

> 2009-06-01 17:16 . 2009-02-20 08:10 81920 -c----w- c:\windows\system32\dllcache\ieencode.dll

> 2009-06-01 17:15 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

> 2009-06-01 17:15 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

> 2009-05-21 12:24 . 2009-05-21 12:24 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

> .

> (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

> .

> 2009-06-15 21:39 . 2007-11-12 21:27 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys

> 2009-06-02 17:37 . 2008-10-27 21:32 215957 ----a-w- c:\windows\system32\nvModes.dat

> 2009-05-14 12:09 . 2009-05-14 12:10 410984 ----a-w- c:\windows\system32\deploytk.dll

> 2009-05-14 12:09 . 2008-11-01 14:45 -------- d-----w- c:\program files\Java

> 2009-05-14 12:09 . 2009-05-14 12:09 152576 ----a-w- c:\documents and settings\fcansiz\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

> 2009-04-21 16:18 . 2009-04-21 16:18 1915520 ----a-w- c:\documents and settings\fcansiz\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

> 2009-04-20 17:40 . 2008-10-27 20:38 -------- d-----w- c:\program files\Oracle

> 2009-04-09 17:30 . 2009-04-09 17:30 528384 ----a-w- c:\documents and settings\CM_11\demo32.exe

> 2009-04-09 17:30 . 2009-04-09 17:30 1645320 ----a-w- c:\documents and settings\CM_11\gdiplus.dll

> 2009-04-01 23:28 . 2007-11-09 22:04 110584 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

> 2009-03-31 14:38 . 2009-03-31 14:38 10134 ----a-r- c:\documents and settings\fcansiz\Application Data\Microsoft\Installer\{771B2965-FAB1-473B-9A26-4BDC28E873A3}\ARPPRODUCTICON.exe

> 2005-11-15 20:32 . 2005-11-15 20:32 3638 ----a-r- c:\program files\Common Files\Altiris_Icon.ico

> .

> ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

> .

> .

> *Note* empty entries & legit default entries are not shown

> REGEDIT4

> [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

> "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

> "AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2009-06-18 184320]

> "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]

> "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-21 13524992]

> "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-21 86016]

> "Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-13 483328]

> "AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-03-28 143360]

> "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]

> "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]

> "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]

> "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]

> "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 200704]

> "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 208896]

> "PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-15 49168]

> "BMCDCopy2008"="c:\documents and settings\All Users\Application Data\Autodesk\BMCD 2008\BMCDCopy2008.exe" [2007-08-03 13312]

> "dotNetFix"="c:\documents and settings\All Users\Application Data\Autodesk\BMCD 2008\ACADapps\_FixDotNetError.bat" [2007-08-22 126]

> "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-14 148888]

> "TnPopUp"="c:\program files\Common Files\Technesis\PopUp\billbrz.exe" [2007-11-08 638976]

> "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2008-07-09 1036848]

> "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

> "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-03-21 1630208]

> "TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-03-29 181808]

> "NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

> c:\documents and settings\All Users\Start Menu\Programs\Startup\

> Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-10-27 25214]

> VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-11-1 6144]

> Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

> [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

> "CompatibleRUPSecurity"= 1 (0x1)

> [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

> "NoWelcomeScreen"= 1 (0x1)

> [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

> "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

> [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

> 2007-03-15 03:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

> [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

> Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

> Notification Packages REG_MULTI_SZ scecli psqlpwd

> [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-433564024-1784799946-3432143216-23693\Scripts\Logon\0\0]

> "Script"=KIX32.exe

> [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-433564024-1784799946-3432143216-23742\Scripts\logon\0\0]

> "Script"=CONlogon.vbs

> [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-433564024-1784799946-3432143216-32232\Scripts\Logon\0\0]

> "Script"=KIX32.EXE

> [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-433564024-1784799946-3432143216-6407\Scripts\Logon\0\0]

> "Script"=KIX32.exe

> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]

> @="Service"

> [HKEY_LOCAL_MACHINE\software\microsoft\security center]

> "AntiVirusOverride"=dword:00000001

> "FirewallOverride"=dword:00000001

> [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

> "EnableFirewall"= 0 (0x0)

> [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

> "%windir%\\system32\\sessmgr.exe"=

> "c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=

> "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

> "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

> "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

> "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

> [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

> "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

> R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 6:49 PM 100656]

> R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 6:47 PM 19760]

> R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [5/29/2007 7:55 PM 9216]

> R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [7/21/2008 11:31 AM 192256]

> R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [10/31/2007 4:30 PM 45976]

> R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [10/27/2008 5:44 PM 4442]

> R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [7/9/2008 5:05 PM 18704]

> R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]

> R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]

> R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [11/9/2007 2:01 AM 1246536]

> R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 11:10 PM 11152]

> R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [6/7/2007 5:36 PM 81280]

> R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [11/1/2006 6:01 AM 3328]

> R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [4/10/2007 10:03 AM 72576]

> R3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [1/12/2007 3:26 PM 102144]

> S0 mekjpcqx;mekjpcqx;c:\windows\system32\drivers\nkiyqper.sys --> c:\windows\system32\drivers\nkiyqper.sys [?]

> S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\iyuksel\Desktop\VPN509\INSTAL~1.EXE --> c:\docume~1\iyuksel\Desktop\VPN509\INSTAL~1.EXE [?]

> S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/12/2007 1:01 PM 36608]

> .

> Contents of the 'Scheduled Tasks' folder

> 2009-06-18 c:\windows\Tasks\MP Scheduled Quick Scan.job

> - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2008-07-09 21:05]

> 2009-06-18 c:\windows\Tasks\MP Scheduled Scan.job

> - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2008-07-09 21:05]

> 2009-06-18 c:\windows\Tasks\MP Scheduled Signature Update.job

> - c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2008-07-09 21:05]

> 2009-06-18 c:\windows\Tasks\PMTask.job

> - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-10-27 16:16]

> .

> - - - - ORPHANS REMOVED - - - -

> Notify-AtiExtEvent - (no file)

>

> .

> ------- Supplementary Scan -------

> .

> uStart Page = hxxp://intranet/

> IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

> IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

> IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

> IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

> IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

> IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

> IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

> IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

> IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

> .

> **************************************************************************

> catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

> Rootkit scan 2009-06-17 21:49

> Windows 5.1.2600 Service Pack 3 NTFS

> scanning hidden processes ...

> scanning hidden autostart entries ...

> scanning hidden files ...

>

> c:\temp\TMP0000002D681EBE4742562F3A 524288 bytes executable

> c:\temp\TMP00000036D7EAF51BD7C69D59 524288 bytes executable

> scan completed successfully

> hidden files: 2

> **************************************************************************

> .

> --------------------- DLLs Loaded Under Running Processes ---------------------

> - - - - - - - > 'winlogon.exe'(1760)

> c:\windows\system32\vrlogon.dll

> c:\windows\system32\psqlpwd.dll

> c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

> c:\program files\ThinkVantage Fingerprint Software\infra.dll

> c:\program files\ThinkVantage Fingerprint Software\homepass.dll

> c:\program files\ThinkVantage Fingerprint Software\bio.dll

> c:\program files\ThinkVantage Fingerprint Software\ps2css.dll

> c:\program files\ThinkVantage Fingerprint Software\remote.dll

> c:\program files\ThinkVantage Fingerprint Software\pscssint.dll

> c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL

> c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

> c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

> - - - - - - - > 'lsass.exe'(1816)

> c:\windows\system32\psqlpwd.dll

> c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

> c:\program files\ThinkVantage Fingerprint Software\infra.dll

> - - - - - - - > 'Explorer.exe'(3128)

> c:\windows\system32\nview.dll

> c:\windows\system32\nvwddi.dll

> c:\windows\system32\WPDShServiceObj.dll

> c:\windows\system32\PortableDeviceTypes.dll

> c:\windows\system32\PortableDeviceApi.dll

> .

> ------------------------ Other Running Processes ------------------------

> .

> c:\windows\system32\ibmpmsvc.exe

> c:\program files\Intel\Wireless\Bin\S24EvMon.exe

> c:\windows\system32\scardsvr.exe

> c:\program files\Altiris\AClient\ACLIENT.EXE

> c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe

> c:\windows\system32\CCSRVC.exe

> c:\program files\Altiris\Carbon Copy\ShellKer.exe

> c:\program files\Cisco Systems\VPN Client\cvpnd.exe

> c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

> c:\program files\Intel\Wireless\Bin\EvtEng.exe

> c:\program files\Java\jre6\bin\jqs.exe

> c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

> c:\windows\system32\nvsvc32.exe

> c:\program files\Intel\Wireless\Bin\RegSrvc.exe

> c:\progra~1\Altiris\CARBON~1\Client.exe

> c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

> c:\windows\Technesis\Enterprise\Service\tnSvcNT.exe

> c:\windows\system32\TPHDEXLG.exe

> c:\windows\system32\searchindexer.exe

> c:\windows\system32\rundll32.exe

> c:\windows\system32\rundll32.exe

> c:\program files\Adobe\Distillr\acrodist.exe

> c:\windows\system32\rundll32.exe

> c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

> c:\program files\Adobe\Acrobat\acrobat_sl.exe

> c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe

> .

> **************************************************************************

> .

> Completion time: 2009-06-18 21:53 - machine was rebooted

> ComboFix-quarantined-files.txt 2009-06-18 01:53

> Pre-Run: 68,204,417,024 bytes free

> Post-Run: 68,301,832,192 bytes free

> WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

> [boot loader]

> timeout=2

> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

> [operating systems]

> c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

> multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect

> 268 --- E O F --- 2009-06-04 12:00


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
