
Malwarebytes cannot clean !!!


kyozai

Hello Guys !

I'm really new here, so sorry if I did something unusual....

In the last few days I just always get these 7 malware and hijack detections when I scan with Malwarebytes... After deleting and rebooting, everything seems OK on the next scan, but a few hours later the 7 malware and hijack detections just come back. So I do the scan and the deleting again, but the same thing happens every time...

Any idea how to remove these "7" forever???

Thanks a lot for any help!!!!

here is the picture:

xmveid.jpg

...I cannot install or run anything new...

Logfiles:

Malwarebytes:

Malwarebytes' Anti-Malware 1.40

Adatb


I ran ComboFix 2 days ago....

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\kungsfelawpjyy.dat

c:\windows\system32\kungsfipvoamsk.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_kungsfyfktacxn

-------\Service_kungsfyfktacxn

...everything seems to go back to normal, but a few hours later Malwarebytes still finds 4 hijack/malware items out of those 7.... After a few cleanings and restarts all 7 just come back... any idea???

Here's the ComboFix LOG from 2 days ago, and above it today's LOG:

ComboFix 09-08-22.06 - Administrator 08/23/2009 13:58.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.484 [GMT 2:00]

Running from: c:\combo-fix\ComboFix.exe

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\kungsfelawpjyy.dat

c:\windows\system32\kungsfipvoamsk.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_kungsfyfktacxn

-------\Service_kungsfyfktacxn

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))

.

2009-08-23 12:06 . 2009-08-10 11:45 368 ----a-w- c:\windows\system32\GroupPolicy\User\Scripts\Logoff\logoutscript.bat

2009-08-23 11:54 . 2009-08-23 11:55 -------- d-----w- C:\Combo-Fix

2009-08-21 21:52 . 2009-08-21 21:57 -------- d-----w- c:\windows\BDOSCAN8

2009-08-21 21:36 . 2009-08-21 21:36 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-08-21 21:36 . 2009-08-21 23:38 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6

2009-08-21 21:24 . 2009-08-21 21:24 -------- d-----w- C:\Autoruns

2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\program files\Common Files\DailyToast

2009-08-19 00:59 . 2009-08-19 00:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2009-08-16 21:11 . 2009-08-16 21:11 13312 --sha-w- c:\windows\system32\acctresg.dll

2009-08-15 15:47 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll

2009-08-15 15:46 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2009-08-15 15:46 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll

2009-08-15 15:46 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll

2009-08-15 15:46 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-08-15 15:46 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll

2009-08-15 15:46 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll

2009-08-15 15:46 . 2009-01-07 18:14 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

2009-08-15 15:46 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2009-08-14 07:36 . 2009-08-14 07:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead

2009-08-14 01:10 . 2009-08-14 01:10 13312 --sha-w- c:\windows\system32\3076n.dll

2009-08-13 23:58 . 2009-08-13 23:58 13312 --sha-w- c:\windows\system32\acluil.dll

2009-08-13 12:22 . 2009-08-13 12:22 13312 --sha-w- c:\windows\system32\amdpcom32s.dll

2009-08-08 10:43 . 2009-08-08 10:45 -------- d-----w- c:\documents and settings\Administrator\.dvdcss

2009-08-06 11:36 . 2009-08-06 11:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-06 11:36 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-06 11:36 . 2009-08-06 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-06 11:36 . 2009-08-06 11:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-06 11:36 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-05 15:09 . 2009-08-23 11:58 -------- d-----w- C:\quarantine

2009-08-04 21:24 . 2009-08-04 21:24 -------- d-----w- c:\windows\Sun

2009-08-04 20:04 . 2009-08-04 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco

2009-08-04 18:59 . 2009-08-04 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\ASAP Utilities

2009-08-04 18:38 . 2009-08-04 18:38 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-08-04 18:19 . 2009-08-04 18:19 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-08-04 18:14 . 2009-08-04 18:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org

2009-08-04 17:22 . 2009-08-04 17:22 -------- d-----w- c:\program files\Office Assistance

2009-08-04 17:07 . 2009-08-04 17:07 249856 ------w- c:\windows\Setup1.exe

2009-08-04 17:07 . 2009-08-04 17:07 73216 ----a-w- c:\windows\ST6UNST.EXE

2009-08-04 15:08 . 2009-08-04 15:09 -------- d-----w- c:\program files\Easy Duplicate Finder

2009-08-02 14:44 . 2009-08-02 14:45 -------- d-----w- c:\windows\system32\win32deps

2009-08-02 14:44 . 2009-08-02 14:44 -------- d-----w- c:\windows\system32\osxdeps

2009-08-02 14:44 . 2009-08-02 14:45 -------- d-----w- c:\program files\TaoFramework

2009-08-02 14:41 . 2009-08-02 14:41 -------- d-----w- c:\program files\OpenAL

2009-08-02 14:41 . 2009-08-02 14:41 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2009-08-02 14:41 . 2009-08-02 14:41 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2009-07-30 22:14 . 2009-07-30 22:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\COWON

2009-07-30 22:13 . 2009-07-30 22:14 -------- d-----w- c:\program files\Common Files\COWON

2009-07-30 22:13 . 2009-07-30 22:14 -------- d-----w- c:\program files\JetAudio

2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ashampoo

2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ashampoo

2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo

2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\program files\Ashampoo

2009-07-28 15:31 . 2009-07-28 15:31 -------- d-----w- c:\program files\MKVtoolnix

2009-07-28 13:31 . 2009-07-28 13:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2009-07-28 13:30 . 2009-07-28 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-07-28 13:30 . 2009-07-28 13:30 -------- d-----w- c:\program files\QT Lite

2009-07-27 07:33 . 2009-07-27 07:33 -------- d-----w- c:\program files\URUSoft

2009-07-26 09:38 . 2009-07-26 09:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\EmailNotifier

2009-07-26 09:38 . 2009-07-26 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Megaupload

2009-07-26 09:38 . 2009-07-26 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier

2009-07-26 08:45 . 2009-07-26 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Estsoft

2009-07-26 08:44 . 2009-07-26 10:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\ESTsoft

2009-07-25 14:57 . 2009-08-16 21:11 3032 --s-a-w- c:\windows\system32\825871622.dat

2009-07-24 21:39 . 2009-07-24 21:39 -------- d-----w- c:\program files\JotSmart

2009-07-24 21:14 . 2009-07-24 21:14 -------- d-----w- c:\program files\DiskInternals

2009-07-24 21:08 . 2009-07-24 21:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WinZip

2009-07-24 21:06 . 2009-07-24 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-07-24 20:39 . 2009-07-24 20:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-24 19:12 . 2009-07-24 19:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\GHISLER

2009-07-24 18:57 . 2009-07-24 19:28 -------- d-----w- c:\program files\Unlocker

2009-07-24 18:54 . 2009-07-24 18:54 -------- d-----w- C:\totalcmd

2009-07-24 18:54 . 2008-08-08 05:04 545 ----a-w- c:\windows\UC.PIF

2009-07-24 18:54 . 2008-08-08 05:04 545 ----a-w- c:\windows\RAR.PIF

2009-07-24 18:54 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKZIP.PIF

2009-07-24 18:54 . 2008-08-08 05:04 545 ----a-w- c:\windows\PKUNZIP.PIF

2009-07-24 18:54 . 2008-08-08 05:04 545 ----a-w- c:\windows\NOCLOSE.PIF

2009-07-24 18:54 . 2008-08-08 05:04 545 ----a-w- c:\windows\LHA.PIF

2009-07-24 18:54 . 2008-08-08 05:04 545 ----a-w- c:\windows\ARJ.PIF

2009-07-24 14:07 . 2009-07-24 14:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Dan2010

2009-07-24 13:40 . 2009-07-24 13:40 198064 ----a-w- c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

2009-07-24 13:40 . 2009-08-23 12:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache

2009-07-24 13:40 . 2009-07-28 10:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\IDM

2009-07-24 13:40 . 2009-07-24 13:40 -------- d-----w- c:\program files\Internet Download Manager

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-15 15:46 . 2008-08-04 12:19 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-08-04 20:07 . 2008-07-29 08:48 46304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-04 18:19 . 2008-07-31 07:51 -------- d-----w- c:\program files\Java

2009-07-30 22:13 . 2008-07-29 08:33 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-28 16:50 . 2008-07-30 11:15 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-24 11:37 . 2008-07-30 11:08 -------- d-----w- c:\program files\7-Zip

2009-07-24 11:34 . 2009-07-24 11:34 -------- d-----w- c:\program files\CCleaner

2009-07-24 11:31 . 2009-07-24 11:31 0 ----a-w- c:\windows\nsreg.dat

2009-07-24 10:57 . 2009-07-24 10:57 -------- d-----w- c:\program files\Common Files\Ahead

2009-07-24 10:57 . 2009-07-24 10:57 -------- d-----w- c:\program files\Nero

2009-06-18 14:31 . 2009-06-18 14:31 71696 ----a-w- c:\windows\system32\drivers\DefragFs.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-27 2815408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1036288]

"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]

"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 98304]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-04 148888]

"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-05-28 40960]

"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-05-28 45056]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Internet Explorer.lnk - c:\program files\Internet Explorer\iexplore.exe [2008-7-24 636088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Notify.lnk - c:\novell\GroupWise\notify.exe [2008-3-9 192570]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 1 (0x1)

"NoNetworkConnections"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoStartMenuNetworkPlaces"= 1 (0x1)

"NoSetTaskbar"= 1 (0x1)

"NoTaskGrouping"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoRecentDocsNetHood"= 1 (0x1)

"DisablePersonalDirChange"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoDeletePrinter"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"DisallowCpl"= 1 (0x1)

"RestrictCpl"= 1 (0x1)

"NoSMBalloonTip"= 1 (0x1)

"NoManageMyComputerVerb"= 1 (0x1)

"NoChangeStartMenu"= 1 (0x1)

"NoPropertiesMyComputer"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2007-08-08 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]

2007-01-10 10:52 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1214440339-839522115-500\Scripts\Logoff\0\0]

"Script"=\\JUPITER\APPS\!W2K\Policy\staff\User\Scripts\Logoff\logoutscript.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1214440339-839522115-500\Scripts\Logon\0\0]

"Script"=\\JUPITER\APPS\!W2K\Policy\staff\User\Scripts\Logon\loginscript.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpmw32.exe"=

"c:\\Novell\\GroupWise\\grpwise.exe"=

"c:\\Novell\\GroupWise\\notify.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [7/30/2008 1:28 PM 59904]

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [10/22/2008 3:30 PM 34671]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 2:47 PM 6899]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/6/2009 1:36 PM 232720]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 10:59 AM 167936]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [7/30/2008 12:27 PM 49152]

R2 USBDLM;USBDLM;c:\program files\USBDLM\USBDLM.exe [7/30/2008 1:09 PM 134144]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [7/30/2008 12:27 PM 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [1/10/2007 12:52 PM 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 2:11 PM 2773]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/29/2008 10:54 AM 36608]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/6/2009 1:36 PM 19096]

S4 Rx2Agent;Rx2Agent;"c:\program files\Raxco\PerfectSpeed20\Rx2Agent.exe" --> c:\program files\Raxco\PerfectSpeed20\Rx2Agent.exe [?]

S4 Rx2Engine;Rx2Engine;"c:\program files\Raxco\PerfectSpeed20\Rx2Engine.exe" --> c:\program files\Raxco\PerfectSpeed20\Rx2Engine.exe [?]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = https://infosys.ceu.hu/ora_io/cis_report.html

uInternet Settings,ProxyServer = proxy.ceu.hu:8080

uInternet Settings,ProxyOverride = <local>

IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: ceu.hu\infosys

Trusted Zone: ceu.hu\www

Trusted Zone: ceu.hu\www.personal

Trusted Zone: tdnet.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8sk5581s.default\

FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-23 14:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\windows\system32\NETWIN32.DLL

c:\program files\Novell\ZENworks\ZENPOL32.DLL

c:\windows\system32\xmlparse.dll

c:\windows\system32\ZenMup.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\Novell\ZENworks\WMNTAPI.DLL

- - - - - - - > 'lsass.exe'(732)

c:\windows\system32\EntApi.dll

- - - - - - - > 'Explorer.exe'(7612)

c:\windows\system32\EntApi.dll

c:\program files\Common Files\Ahead\lib\NeroDigitalExt.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\Network Associates\VirusScan\mcshield.exe

c:\program files\Network Associates\VirusScan\vstskmgr.exe

c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Novell\ZENworks\NALNTSRV.EXE

c:\program files\Novell\ZENworks\Asset Management\Bin\cclient.exe

c:\program files\Novell\ZENworks\WM.EXE

c:\program files\Novell\ZENworks\WMRUNDLL.EXE

c:\program files\Novell\ZENworks\NALWIN32.EXE

c:\program files\Novell\ZENworks\NalWin.exe

c:\program files\Novell\ZENworks\NalAgent.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

JUPITER\SYS\PROGRAMS\PESTAFF\annrtf.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2009-08-23 14:09 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-23 12:09

Pre-Run: 8,223,150,080 bytes free

Post-Run: 8,161,173,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

281 --- E O F --- 2009-08-21 20:26

TODAY

ComboFix 09-08-24.06 - Administrator 08/25/2009 12:15.8.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.131 [GMT 2:00]

Running from: c:\combo-fix\ComboFix.exe

* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))

.

2009-08-25 10:06 . 2009-08-10 11:45 368 ----a-w- c:\windows\system32\GroupPolicy\User\Scripts\Logoff\logoutscript.bat

2009-08-25 09:59 . 2009-08-25 09:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-25 09:54 . 2009-08-25 09:12 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-08-25 09:17 . 2009-08-25 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-25 09:16 . 2009-08-25 09:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-08-25 09:16 . 2009-08-25 09:45 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-25 09:12 . 2009-08-25 09:11 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-08-25 09:12 . 2009-08-25 09:12 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-08-25 09:12 . 2009-08-25 09:12 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2009-08-25 09:12 . 2009-08-25 09:12 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2009-08-25 09:12 . 2009-08-25 09:12 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-08-25 09:10 . 2009-08-25 09:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-08-25 09:10 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

2009-08-25 09:10 . 2009-08-25 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-25 09:10 . 2009-08-25 09:10 -------- d-----w- c:\program files\Lavasoft

2009-08-24 04:34 . 2009-08-24 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-08-23 17:33 . 2009-08-23 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2009-08-23 15:45 . 2009-08-23 18:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso

2009-08-23 15:45 . 2009-08-23 15:45 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2009-08-23 15:45 . 2009-08-23 15:45 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys

2009-08-23 15:45 . 2007-03-18 19:37 65602 ----a-w- c:\windows\system32\cook3260.dll

2009-08-23 15:45 . 2006-09-29 11:26 176165 ----a-w- c:\windows\system32\drv23260.dll

2009-08-23 15:45 . 2006-09-29 11:25 208935 ----a-w- c:\windows\system32\drv33260.dll

2009-08-23 15:45 . 2006-09-29 11:24 217127 ----a-w- c:\windows\system32\drv43260.dll

2009-08-23 15:45 . 2002-12-10 01:20 102439 ----a-w- c:\windows\system32\sipr3260.dll

2009-08-23 15:45 . 2006-05-20 15:16 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll

2009-08-23 15:45 . 2006-05-11 18:21 626688 ----a-w- c:\windows\system32\vp7vfw.dll

2009-08-23 15:45 . 2009-08-23 15:45 -------- d-----w- c:\program files\VSO

2009-08-23 11:54 . 2009-08-25 10:13 -------- d-----w- C:\Combo-Fix

2009-08-21 21:52 . 2009-08-21 21:57 -------- d-----w- c:\windows\BDOSCAN8

2009-08-21 21:36 . 2009-08-23 21:44 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6

2009-08-21 21:24 . 2009-08-21 21:24 -------- d-----w- C:\Autoruns

2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\program files\Common Files\DailyToast

2009-08-19 00:59 . 2009-08-19 00:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2009-08-16 21:11 . 2009-08-16 21:11 13312 --sha-w- c:\windows\system32\acctresg.dll

2009-08-15 15:47 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll

2009-08-15 15:46 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2009-08-15 15:46 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll

2009-08-15 15:46 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll

2009-08-15 15:46 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-08-15 15:46 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll

2009-08-15 15:46 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll

2009-08-15 15:46 . 2009-01-07 18:14 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

2009-08-15 15:46 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2009-08-14 07:36 . 2009-08-14 07:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead

2009-08-14 01:10 . 2009-08-14 01:10 13312 --sha-w- c:\windows\system32\3076n.dll

2009-08-13 23:58 . 2009-08-13 23:58 13312 --sha-w- c:\windows\system32\acluil.dll

2009-08-13 12:22 . 2009-08-13 12:22 13312 --sha-w- c:\windows\system32\amdpcom32s.dll

2009-08-08 10:43 . 2009-08-08 10:45 -------- d-----w- c:\documents and settings\Administrator\.dvdcss

2009-08-06 11:36 . 2009-08-06 11:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-06 11:36 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-06 11:36 . 2009-08-06 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-06 11:36 . 2009-08-06 11:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-06 11:36 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-05 15:09 . 2009-08-25 10:15 -------- d-----w- C:\quarantine

2009-08-04 21:24 . 2009-08-04 21:24 -------- d-----w- c:\windows\Sun

2009-08-04 20:04 . 2009-08-04 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco

2009-08-04 18:59 . 2009-08-04 18:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\ASAP Utilities

2009-08-04 18:38 . 2009-08-04 18:38 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-08-04 18:19 . 2009-08-04 18:19 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-08-04 18:14 . 2009-08-04 18:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org

2009-08-04 17:22 . 2009-08-04 17:22 -------- d-----w- c:\program files\Office Assistance

2009-08-04 17:07 . 2009-08-04 17:07 249856 ------w- c:\windows\Setup1.exe

2009-08-04 17:07 . 2009-08-04 17:07 73216 ----a-w- c:\windows\ST6UNST.EXE

2009-08-04 15:08 . 2009-08-04 15:09 -------- d-----w- c:\program files\Easy Duplicate Finder

2009-08-02 14:44 . 2009-08-02 14:45 -------- d-----w- c:\windows\system32\win32deps

2009-08-02 14:44 . 2009-08-02 14:44 -------- d-----w- c:\windows\system32\osxdeps

2009-08-02 14:44 . 2009-08-02 14:45 -------- d-----w- c:\program files\TaoFramework

2009-08-02 14:41 . 2009-08-02 14:41 -------- d-----w- c:\program files\OpenAL

2009-08-02 14:41 . 2009-08-02 14:41 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2009-08-02 14:41 . 2009-08-02 14:41 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2009-07-30 22:14 . 2009-07-30 22:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\COWON

2009-07-30 22:13 . 2009-07-30 22:14 -------- d-----w- c:\program files\Common Files\COWON

2009-07-30 22:13 . 2009-07-30 22:14 -------- d-----w- c:\program files\JetAudio

2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ashampoo

2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ashampoo

2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo

2009-07-28 21:14 . 2009-07-28 21:14 -------- d-----w- c:\program files\Ashampoo

2009-07-28 15:31 . 2009-07-28 15:31 -------- d-----w- c:\program files\MKVtoolnix

2009-07-28 13:31 . 2009-07-28 13:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2009-07-28 13:30 . 2009-07-28 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-07-28 13:30 . 2009-07-28 13:30 -------- d-----w- c:\program files\QT Lite

2009-07-27 07:33 . 2009-07-27 07:33 -------- d-----w- c:\program files\URUSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-25 10:21 . 2009-07-24 13:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache

2009-08-16 21:11 . 2009-07-25 14:57 3032 --s-a-w- c:\windows\system32\825871622.dat

2009-08-15 15:46 . 2008-08-04 12:19 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-08-04 20:07 . 2008-07-29 08:48 46304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-04 18:19 . 2008-07-31 07:51 -------- d-----w- c:\program files\Java

2009-07-30 22:13 . 2008-07-29 08:33 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-28 16:50 . 2008-07-30 11:15 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-28 10:17 . 2009-07-24 13:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\IDM

2009-07-26 10:13 . 2009-07-26 08:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\ESTsoft

2009-07-26 09:38 . 2009-07-26 09:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\EmailNotifier

2009-07-26 09:38 . 2009-07-26 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Megaupload

2009-07-26 09:38 . 2009-07-26 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier

2009-07-26 08:45 . 2009-07-26 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Estsoft

2009-07-24 21:39 . 2009-07-24 21:39 -------- d-----w- c:\program files\JotSmart

2009-07-24 21:14 . 2009-07-24 21:14 -------- d-----w- c:\program files\DiskInternals

2009-07-24 21:10 . 2009-07-24 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-07-24 20:41 . 2009-07-24 20:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-24 19:28 . 2009-07-24 18:57 -------- d-----w- c:\program files\Unlocker

2009-07-24 13:40 . 2009-07-24 13:40 198064 ----a-w- c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

2009-07-24 13:40 . 2009-07-24 13:40 -------- d-----w- c:\program files\Internet Download Manager

2009-07-24 11:37 . 2008-07-30 11:08 -------- d-----w- c:\program files\7-Zip

2009-07-24 11:34 . 2009-07-24 11:34 -------- d-----w- c:\program files\CCleaner

2009-07-24 11:31 . 2009-07-24 11:31 0 ----a-w- c:\windows\nsreg.dat

2009-07-24 10:57 . 2009-07-24 10:57 -------- d-----w- c:\program files\Common Files\Ahead

2009-07-24 10:57 . 2009-07-24 10:57 -------- d-----w- c:\program files\Nero

2009-06-18 14:31 . 2009-06-18 14:31 71696 ----a-w- c:\windows\system32\drivers\DefragFs.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-27 2815408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1036288]

"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]

"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 98304]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]

"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-05-28 40960]

"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-05-28 45056]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_13\bin\jusched.exe" [2007-09-25 75256]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-08-25 520024]

"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 1 (0x1)

"NoNetworkConnections"= 1 (0x1)

"NoStartMenuNetworkPlaces"= 1 (0x1)

"NoSetTaskbar"= 1 (0x1)

"NoTaskGrouping"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoRecentDocsNetHood"= 1 (0x1)

"DisablePersonalDirChange"= 1 (0x1)

"NoDeletePrinter"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"DisallowCpl"= 1 (0x1)

"RestrictCpl"= 1 (0x1)

"NoSMBalloonTip"= 1 (0x1)

"NoManageMyComputerVerb"= 1 (0x1)

"NoChangeStartMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2007-08-08 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]

2007-01-10 10:52 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1214440339-839522115-500\Scripts\Logoff\0\0]

"Script"=\\JUPITER\APPS\!W2K\Policy\staff\User\Scripts\Logoff\logoutscript.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1214440339-839522115-500\Scripts\Logon\0\0]

"Script"=\\JUPITER\APPS\!W2K\Policy\staff\User\Scripts\Logon\loginscript.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpmw32.exe"=

"c:\\Novell\\GroupWise\\grpwise.exe"=

"c:\\Novell\\GroupWise\\notify.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/25/2009 11:12 AM 64160]

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [7/30/2008 1:28 PM 59904]

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [10/22/2008 3:30 PM 34671]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 2:47 PM 6899]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 9:06 PM 1029456]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/6/2009 1:36 PM 232720]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 10:59 AM 167936]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [7/30/2008 12:27 PM 49152]

R2 USBDLM;USBDLM;c:\program files\USBDLM\USBDLM.exe [7/30/2008 1:09 PM 134144]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [7/30/2008 12:27 PM 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [1/10/2007 12:52 PM 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 2:11 PM 2773]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/29/2008 10:54 AM 36608]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/6/2009 1:36 PM 19096]

S4 Rx2Agent;Rx2Agent;"c:\program files\Raxco\PerfectSpeed20\Rx2Agent.exe" --> c:\program files\Raxco\PerfectSpeed20\Rx2Agent.exe [?]

S4 Rx2Engine;Rx2Engine;"c:\program files\Raxco\PerfectSpeed20\Rx2Engine.exe" --> c:\program files\Raxco\PerfectSpeed20\Rx2Engine.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

.

.

------- Supplementary Scan -------

.

uStart Page = https://infosys.ceu.hu/ora_io/cis_report.html

uInternet Settings,ProxyServer = proxy.ceu.hu:8080

uInternet Settings,ProxyOverride = <local>

IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: ceu.hu\infosys

Trusted Zone: ceu.hu\www

Trusted Zone: ceu.hu\www.personal

Trusted Zone: tdnet.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8sk5581s.default\

FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJPI150_13.dll

FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPOJI610.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-25 12:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)

c:\windows\system32\NETWIN32.DLL

c:\program files\Novell\ZENworks\ZENPOL32.DLL

c:\windows\system32\xmlparse.dll

c:\windows\system32\ZenMup.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\Novell\ZENworks\WMNTAPI.DLL

- - - - - - - > 'lsass.exe'(740)

c:\windows\system32\EntApi.dll

- - - - - - - > 'Explorer.exe'(15012)

c:\windows\system32\EntApi.dll

.

Completion time: 2009-08-25 12:23

ComboFix-quarantined-files.txt 2009-08-25 10:22

ComboFix2.txt 2009-08-25 07:46

Pre-Run: 7,684,116,480 bytes free

Post-Run: 8,100,782,080 bytes free

261 --- E O F --- 2009-08-24 13:00


  • Staff

Hi,

What malwarebytes found here are policies being set. These policies may be set by malware, but in your case, I'm pretty sure they were set by you or the sysadmin here. (Because this computer setup looks like a setup from a work computer)

I see there are a lot of other policies set as well here:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 1 (0x1)

"NoNetworkConnections"= 1 (0x1)

"NoStartMenuNetworkPlaces"= 1 (0x1)

"NoSetTaskbar"= 1 (0x1)

"NoTaskGrouping"= 1 (0x1)

"NoSimpleStartMenu"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoRecentDocsNetHood"= 1 (0x1)

"DisablePersonalDirChange"= 1 (0x1)

"NoDeletePrinter"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"DisallowCpl"= 1 (0x1)

"RestrictCpl"= 1 (0x1)

"NoSMBalloonTip"= 1 (0x1)

"NoManageMyComputerVerb"= 1 (0x1)

"NoChangeStartMenu"= 1 (0x1)

Anyway, please ignore the detections from malwarebytes, because it looks like the system administrator has set these policies here.


  • Staff

Hi,

Yes, but I'm pretty sure that these policies were already set there before and a script restores them again after reboot :lol:

Please let the IT people deal with this one since it's a borderline case here, so we cannot help you to delete certain policies that your System admin may have set. That's why it's better to ignore these detections in mbam. :)

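The two staff replies above make one point: the values Malwarebytes flags live under the registry policies keys, and the Group Policy logon script recorded in the same log would re-apply them at the next logon. The following is an added triage helper, not code from ComboFix, Malwarebytes or anyone in this thread; it parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log and reports both facts side by side, using an excerpt condensed from the log above as its constructed input.

```python
# Added triage helper (not ComboFix's or Malwarebytes' own code): parse the REGEDIT4-style
# "Reg Loading Points" section of a ComboFix log, separating policy values from GP scripts.
import re

# Constructed excerpt in the same layout as the log above (condensed from it).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoChangeStartMenu"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1214440339-839522115-500\Scripts\Logon\0\0]
"Script"=\\JUPITER\APPS\!W2K\Policy\staff\User\Scripts\Logon\loginscript.bat
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")                    # [HKEY_...\subkey]
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')             # "Name"= value
DWORD_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-f]+\)$", re.I)  # 1 (0x1)

def parse_loading_points(text):
    """Return {key_path (lowercased): {value_name: raw_value}} for each [KEY] block."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
            entries.setdefault(current, {})
        elif (m := VAL_RE.match(line)) and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries

def policy_restrictions(entries):
    """(hive, subkey, name) for every non-zero DWORD stored under a policies key."""
    found = []
    for key, values in entries.items():
        if "\\policies\\" in key:
            hive = "HKCU" if key.startswith("hkey_current_user") else "HKLM"
            for name, raw in values.items():
                m = DWORD_RE.match(raw)
                if m and int(m.group(1)) != 0:
                    found.append((hive, key.rsplit("\\", 1)[-1], name))
    return found

def logon_scripts(entries):
    # Scripts recorded under the Group Policy state key run again at every logon/logoff.
    return sorted(v["Script"] for k, v in entries.items()
                  if "\\group policy\\state\\" in k and "Script" in v)

def triage(text):
    entries = parse_loading_points(text)
    scripts = logon_scripts(entries)
    return {"policies": policy_restrictions(entries), "scripts": scripts,
            "restored_by_script": bool(scripts)}
```

Run `triage()` over the full Reg Loading Points section of a log; a non-empty `scripts` list alongside HKCU explorer restrictions is the pattern the staff describe, and a practitioner would confirm it with the IT department before treating the values as a hijack.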

  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

