
MalwareBytes doesn't delete it on reboot!



Hi,

Thank you in advance for your help. I've tried to follow the instructions on posting here, my DDS.txt and a brief description of my problem are below.

I've been having problems, and MalwareBytes keeps detecting problems, but even when I scan in safe mode multiple times, there is one registry value that keeps showing up as infected:

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

MalwareBytes then asks if I want to reboot, in order to remove that registry value, and when I click "Yes", instead of rebooting, nothing happens.

Below is my DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86

Run by user at 19:13:26.55 on Sun 14/03/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.403 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: avast! antivirus 4.8.1351 [VPS 091103-1] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

c:\Program Files\Novell\ZENworks\nalntsrv.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

c:\Program Files\Novell\ZENworks\wm.exe

c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\dpmw32.exe

c:\Program Files\Novell\ZENworks\NalAgent.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

C:\Program Files\RSIGuard\RSIGuard.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Griffith University

uStart Page = hxxp://www.griffith.edu.au/

uDefault_Page_URL = hxxp://www.griffith.edu.au/

uSearch Bar = hxxp://www.griffith.edu.au/find

mDefault_Page_URL = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_15\bin\ssv.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NDPS] c:\windows\system32\dpmw32.exe

mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

mRun: [NWTRAY] NWTRAY.EXE

mRun: [DeskTag] c:\windows\tag.vbs

mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

mRun: [NetcheckOff] c:\windows\nc-off.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

uPolicies-explorer: MaxRecentDocs = 10 (0xa)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 1 (0x1)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = wbsamp.exe

uPolicies-disallowrun: 2 = webshots.exe

uPolicies-disallowrun: 3 = webshots.scr

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: DisableChangePassword = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-explorer: NoNTSecurity = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: HideShutdownScripts = 0 (0x0)

mPolicies-system: LogonType = 0 (0x0)

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJPI150_15.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPOJI610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-5 114768]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-24 11608]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-24 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-24 185089]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-5 20560]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-24 56816]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100201.048\NAVENG.SYS [2010-2-3 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100201.048\NAVEX15.SYS [2010-2-3 1323568]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-5 138680]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-5 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-5 352920]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

=============== Created Last 30 ================

2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

2010-02-21 14:11:04 0 d-----w- c:\program files\Oxford Dictonary With Sound Portable

==================== Find3M ====================

2010-01-25 07:42:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 19:14:39.36 ===============

attach.zip


Please update MBAM, run a Quick Scan, and post its entire log. Also post a new DDS log and we'll take it from there.

Also, please have this topic closed:

http://forums.techguy.org/malware-removal-...ete-reboot.html

Hi Chris,

Thank you so much for your help! I've just enabled notifications of replies to this thread, so I'll always respond more quickly in the future.

As you suggested, I've messaged the Tech Guy forums and asked them to close the thread.

I'm still getting this registry value showing up as infected:

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

and when I click on the option to remove and restart, MBAM only returns to the Scanner screen, without restarting.

I've included:

MBAM log

DDS

Ark and attach.txt in a zip file.

Thank you again. If there's any info I forgot to include, please let me know.

Below is the MBAM log:

********************

Malwarebytes' Anti-Malware 1.44

Database version: 3891

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

22/03/2010 1:38:51 AM

mbam-log-2010-03-22 (01-38-51).txt

Scan type: Quick Scan

Objects scanned: 152715

Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Below is my DDS:

***************

DDS (Ver_10-03-17.01) - NTFSx86

Run by user at 2:26:18.39 on Mon 22/03/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.209 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: avast! antivirus 4.8.1351 [VPS 091103-1] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

c:\Program Files\Novell\ZENworks\nalntsrv.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

c:\Program Files\Novell\ZENworks\wm.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\dpmw32.exe

c:\Program Files\Novell\ZENworks\NalAgent.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

C:\Program Files\RSIGuard\RSIGuard.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\user\Desktop\2hkpz2vk.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Griffith University

uStart Page = hxxp://www.griffith.edu.au/

uDefault_Page_URL = hxxp://www.griffith.edu.au/

uSearch Bar = hxxp://www.griffith.edu.au/find

mDefault_Page_URL = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_15\bin\ssv.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NDPS] c:\windows\system32\dpmw32.exe

mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

mRun: [NWTRAY] NWTRAY.EXE

mRun: [DeskTag] c:\windows\tag.vbs

mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

mRun: [NetcheckOff] c:\windows\nc-off.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

uPolicies-explorer: MaxRecentDocs = 10 (0xa)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 1 (0x1)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = wbsamp.exe

uPolicies-disallowrun: 2 = webshots.exe

uPolicies-disallowrun: 3 = webshots.scr

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: DisableChangePassword = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-explorer: NoNTSecurity = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: HideShutdownScripts = 0 (0x0)

mPolicies-system: LogonType = 0 (0x0)

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPJPI150_15.dll

FF - plugin: c:\program files\java\jre1.5.0_15\bin\NPOJI610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-5 114768]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-24 11608]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-24 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-24 185089]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-5 20560]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-24 56816]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-12 38224]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100201.048\NAVENG.SYS [2010-2-3 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100201.048\NAVEX15.SYS [2010-2-3 1323568]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-5 138680]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-5 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-5 352920]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

=============== Created Last 30 ================

2010-03-21 15:38:55 54016 ----a-w- c:\windows\system32\drivers\umvfe.sys

2010-03-21 15:25:04 54016 ----a-w- c:\windows\system32\drivers\ldflh.sys

2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

2010-03-14 09:38:22 0 d-----w- c:\program files\Trend Micro

2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

2010-02-21 14:11:04 0 d-----w- c:\program files\Oxford Dictonary With Sound Portable

==================== Find3M ====================

2010-01-25 07:42:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 2:27:34.75 ===============



Hi,

It's possible that your protection software is reverting the change.

I notice that you are using more than one antivirus program (Avira, Symantec, and avast). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

After you do that, restart your computer, then update MBAM, run a Quick Scan, and see if the entry still remains.

-screen317


I notice that you are using more than one antivirus program (Avira, Symantec, and avast). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

After you do that, restart your computer, then update MBAM, run a Quick Scan, and see if the entry still remains.

Hi Screen,

Thank you so much for your help; this has been giving me trouble for so long!

I've removed Avira and Avast, and, unfortunately, the entry still remains. In fact, after the first reboot after deleting Avira and Avast, MBAM found 4 entries:

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

After selecting remove and reboot, I only get one entry:

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

but, once again, when I select remove and reboot for this entry, MBAM does not reboot, but just goes back to the scan screen.

I wonder if two things are relevant at all?

1. Normally if I have malware problems, I disable System Restore when running scans. At the moment, I can't disable System Restore, because the System Restore tab/option does not show up when I right click My Computer, presumably because the infected registry value disables my ability to change System Restore.

2. I have Windows Recovery Console installed. Could that be causing problems?

Thank you again for everything.

Below is my most recent MBAM log:

Malwarebytes' Anti-Malware 1.44

Database version: 3898

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

22/03/2010 8:15:48 PM

mbam-log-2010-03-22 (20-15-48).txt

Scan type: Quick Scan

Objects scanned: 153259

Time elapsed: 8 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

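The post above reasons that the flagged SystemRestore\DisableConfig value is what hides the System Restore tab, and the DDS log further down shows how MBAM schedules the deferred deletion (an HKLM Run entry, "Malwarebytes Anti-Malware (reboot)", that launches mbam.exe /runcleanupscript at next logon). The script below is an added example, not part of the thread and not a Malwarebytes tool. It reads the policy values named in the MBAM logs in this thread directly, optionally removes them, and re-reads them a few seconds later so you can tell whether something on the box is putting them back. The value list is an assumption about which entries matter here, not a complete policy inventory; run it from an elevated PowerShell on the affected machine (PowerShell 2.0 is the newest release available on Windows XP SP3, so nothing newer than 2.0 syntax is used).

```powershell
# Added example for this thread: audit (and with -Remove, delete) the policy
# values MBAM reported, then re-read them to see whether they are re-applied.
# Value list and effects are assumptions drawn from the logs posted above.
param([switch]$Remove)

# Each entry: registry path, value name, and what a non-zero value does.
$targets = @(
    @{ Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Name   = 'DisableConfig'
       Effect = 'Hides the System Restore tab in System Properties' },
    @{ Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Name   = 'DisableSR'
       Effect = 'Turns System Restore off entirely' },
    @{ Path   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'DisallowCpl'
       Effect = 'Enables the Control Panel applet blocklist in the DisallowCpl subkey' },
    @{ Path   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'ForceClassicControlPanel'
       Effect = 'Forces the classic Control Panel view' },
    @{ Path   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoSMHelp'
       Effect = 'Removes Help from the Start menu' }
)

function Get-PolicyState {
    # Returns one object per target: whether the value exists and what it holds.
    param([hashtable]$Target)
    $present = $false
    $value   = $null
    if (Test-Path -LiteralPath $Target.Path) {
        $item = Get-ItemProperty -LiteralPath $Target.Path -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$Target.Name]) {
            $present = $true
            $value   = $item.$($Target.Name)
        }
    }
    New-Object PSObject -Property @{
        Path = $Target.Path; Name = $Target.Name
        Present = $present; Value = $value; Effect = $Target.Effect
    }
}

# Baseline: what is set right now.
$before = foreach ($t in $targets) { Get-PolicyState $t }
$before | Format-Table Path, Name, Present, Value, Effect -AutoSize

if ($Remove) {
    foreach ($t in $targets) {
        $s = Get-PolicyState $t
        if ($s.Present) {
            Remove-ItemProperty -LiteralPath $t.Path -Name $t.Name -ErrorAction Stop
            Write-Host "Removed $($t.Path)\$($t.Name)"
        }
    }
    # Re-read shortly afterwards. A value that is back within seconds is being
    # enforced by something still running (a policy engine, a logon script, an
    # implant), which no scanner's delete-on-reboot handling will fix.
    Start-Sleep -Seconds 5
    foreach ($t in $targets) {
        $s = Get-PolicyState $t
        if ($s.Present) {
            Write-Warning "$($s.Path)\$($s.Name) was re-created within 5 seconds (value $($s.Value))"
        }
    }
}
```

Two caveats worth keeping in mind when reading the result. First, a value that is absent right after removal but back after the next logon points at something that runs at logon, and the DDS log above lists candidates beyond MBAM itself: the HKLM Run entries, the logoff scripts under Group Policy\State (nc-off.exe), and Novell ZENworks policy components (ZENPOL32.DLL is loaded inside winlogon.exe in the ComboFix log). Second, keys under HKLM\SOFTWARE\Policies and HKCU\...\Policies are exactly where Group Policy and enterprise management agents write, so on a managed machine a "re-appearing" value may be organisational policy rather than malware; compare against what the machine's administrators actually push before treating it as an infection.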

Hi Screen,

In the above reply, I removed Avast and Avira, as you suggested, and MBAM still found the registry entry infected. The MBAM log is posted in that reply, but I thought I should include a DDS, ark.txt and attach.txt as well, just in case.

Below is a current DDS, and I've rescanned and attached a new ark.txt and a new attach.txt:

Thank you again for all of your help!

DDS (Ver_10-03-17.01) - NTFSx86

Run by user at 20:32:29.68 on Mon 22/03/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.347 [GMT 10:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

c:\Program Files\Novell\ZENworks\nalntsrv.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

c:\Program Files\Novell\ZENworks\wm.exe

c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dpmw32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\Program Files\Novell\ZENworks\NalAgent.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\RSIGuard\RSIGuard.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Griffith University

uStart Page = hxxp://www.griffith.edu.au/

uDefault_Page_URL = hxxp://www.griffith.edu.au/

uSearch Bar = hxxp://www.griffith.edu.au/find

mDefault_Page_URL = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NDPS] c:\windows\system32\dpmw32.exe

mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

mRun: [NWTRAY] NWTRAY.EXE

mRun: [DeskTag] c:\windows\tag.vbs

mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

mRun: [NetcheckOff] c:\windows\nc-off.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

uPolicies-explorer: MaxRecentDocs = 10 (0xa)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 1 (0x1)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = wbsamp.exe

uPolicies-disallowrun: 2 = webshots.exe

uPolicies-disallowrun: 3 = webshots.scr

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: DisableChangePassword = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-explorer: NoNTSecurity = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: HideShutdownScripts = 0 (0x0)

mPolicies-system: LogonType = 0 (0x0)

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-12 38224]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100321.020\NAVENG.SYS [2010-3-22 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100321.020\NAVEX15.SYS [2010-3-22 1324720]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

=============== Created Last 30 ================

2010-03-22 10:15:53 54016 ----a-w- c:\windows\system32\drivers\rtdxp.sys

2010-03-21 16:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-03-21 16:40:56 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

2010-03-14 09:38:22 0 d-----w- c:\program files\Trend Micro

2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

2010-02-21 14:11:04 0 d-----w- c:\program files\Oxford Dictonary With Sound Portable

==================== Find3M ====================

2010-01-25 07:42:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 20:33:07.25 ===============


  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Hi Screen,

Thank you once again for all of your help! You have no idea how lost I was before; I'm really looking forward to having a functional computer again in the future.

I have just finished running ComboFix, and the ComboFix.txt is below, along with a new DDS log.

Just a quick question: every time that I create a new DDS log, I'm downloading a fresh version of DDS. Do I need to do that, or can I just keep using the same version?

As soon as you let me know what I should do next, I'm on it. Thanks again, so much, Screen.

Here's the ComboFix.txt:

*******************************************************

ComboFix 10-03-22.02 - user 23/03/2010 11:08:41.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.579 [GMT 10:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://wus-na.griffith.edu.au

.

((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))

.

2010-03-22 12:01 . 2010-03-22 12:01 -------- d-----w- c:\documents and settings\user\Application Data\Foxit Software

2010-03-21 16:42 . 2010-03-21 16:42 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcr71.dll

2010-03-21 16:42 . 2010-03-21 16:42 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcp71.dll

2010-03-21 16:42 . 2010-03-21 16:42 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-sse.dll

2010-03-21 16:42 . 2010-03-21 16:42 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\jmc.dll

2010-03-21 16:42 . 2010-03-21 16:42 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-d3d.dll

2010-03-21 16:40 . 2010-03-21 16:40 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-16 14:52 . 2010-03-22 17:39 -------- d-----w- c:\documents and settings\user\Application Data\vlc

2010-03-16 14:48 . 2010-03-16 14:48 -------- d-----w- c:\program files\VideoLAN

2010-03-14 09:38 . 2010-03-14 09:38 -------- d-----w- c:\program files\Trend Micro

2010-02-21 14:11 . 2009-05-04 21:45 -------- d-----w- c:\program files\Oxford Dictonary With Sound Portable

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-23 01:05 . 2010-02-02 15:14 -------- d-----w- c:\documents and settings\user\Application Data\RSIGuard

2010-03-22 09:59 . 2009-08-17 23:23 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-21 16:41 . 2009-07-02 04:42 -------- d-----w- c:\program files\Common Files\Java

2010-03-21 16:40 . 2009-07-02 04:42 -------- d-----w- c:\program files\Java

2010-03-19 04:39 . 2009-10-10 01:18 -------- d-----w- c:\program files\uTorrent

2010-03-18 13:54 . 2009-10-10 01:18 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent

2010-03-17 09:30 . 2009-08-17 23:24 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-14 17:04 . 2010-01-28 02:55 -------- d-----w- c:\documents and settings\user\Application Data\Orbit

2010-03-01 18:13 . 2010-01-28 02:56 -------- d-----w- c:\documents and settings\user\Application Data\GrabPro

2010-02-04 14:16 . 2010-02-04 14:15 -------- d-----w- c:\program files\CCleaner

2010-02-04 04:09 . 2010-02-04 04:09 -------- d-----w- c:\program files\Comical

2010-02-02 15:53 . 2010-02-02 15:53 -------- d-----w- c:\program files\MAKEMSI Package Documentation

2010-02-02 15:53 . 2010-02-02 15:08 -------- d-----w- c:\program files\RSIGuard

2010-02-02 14:58 . 2010-02-02 14:57 -------- d-----w- c:\documents and settings\user\Application Data\Workrave

2010-01-28 02:56 . 2010-01-28 02:56 -------- d-----w- c:\program files\Orbitdownloader

2010-01-25 07:42 . 2010-01-24 07:41 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-01-12 07:57 . 2008-10-06 23:08 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys

2010-01-10 07:51 . 2010-01-10 07:51 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-08 04:45 . 2009-09-11 01:01 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-07 06:07 . 2009-08-12 07:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 06:07 . 2009-08-12 07:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-22 160592]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-24 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]

"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]

"ZenWorks Nalview"="c:\program files\Novell\ZENworks\Nalview.exe" [2005-09-27 35840]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"DeskTag"="c:\windows\tag.vbs" [2008-07-07 232]

"SOEFixer"="c:\program files\Griffith\SOEFixer\SOEFixer.exe" [2008-07-15 32768]

"NetcheckOff"="c:\windows\nc-off.exe" [2005-11-22 1169138]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-06 115560]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NMPSystray.lnk - c:\program files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe [2009-7-2 81920]

RSIGuard Stretch Edition.lnk - c:\program files\RSIGuard\RSIGuard.exe [2008-6-5 7008256]

VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-7-2 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

"SynchronousUserGroupPolicy"= 0 (0x0)

"DisableBkGndGroupPolicy"= 1 (0x1)

"SynchronousMachineGroupPolicy"= 0 (0x0)

"HideShutdownScripts"= 0 (0x0)

"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLogonScripts"= 0 (0x0)

"DisableChangePassword"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDisconnect"= 1 (0x1)

"NoNTSecurity"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"NoWebServices"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"MaxRecentDocs"= 10 (0xa)

"NoThumbnailCache"= 1 (0x1)

"ForceStartMenuLogOff"= 1 (0x1)

"NoSMBalloonTip"= 1 (0x1)

"NoStartMenuEjectPC"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoRecentDocsNetHood"= 1 (0x1)

"DisablePersonalDirChange"= 1 (0x1)

"DisallowCpl"= 1 (0x1)

"NoAutoUpdate"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-08 03:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 06:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]

2006-05-01 23:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1007\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1008\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-500\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/08/2009 4:06 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/08/2009 4:06 PM 74480]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [17/08/2006 2:52 PM 167936]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [2/07/2009 2:23 PM 49152]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2/07/2009 2:23 PM 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2/05/2006 9:17 AM 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/02/2010 2:00 AM 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/05/2004 4:26 PM 80384]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/08/2009 4:06 PM 7408]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/10/2008 9:08 AM 23888]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dp9ia1g0.default\

FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-23 11:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1996)

c:\windows\system32\NETWIN32.DLL

c:\program files\Novell\ZENworks\ZENPOL32.DLL

c:\windows\system32\xmlparse.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2010-03-23 11:15:28

ComboFix-quarantined-files.txt 2010-03-23 01:15

ComboFix2.txt 2010-03-13 16:33

Pre-Run: 42,754,691,072 bytes free

Post-Run: 42,769,768,448 bytes free

- - End Of File - - 467E2D385A55E116444908666C32558F

**********************************************************

**********************************************************

This is a new DDS log:

**********************************************************

**********************************************************

DDS (Ver_10-03-17.01) - NTFSx86

Run by user at 11:26:07.16 on Tue 23/03/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.341 [GMT 10:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

c:\Program Files\Novell\ZENworks\wm.exe

c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\dpmw32.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe

C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [NDPS] c:\windows\system32\dpmw32.exe

mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

mRun: [NWTRAY] NWTRAY.EXE

mRun: [DeskTag] c:\windows\tag.vbs

mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

mRun: [NetcheckOff] c:\windows\nc-off.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

uPolicies-explorer: MaxRecentDocs = 10 (0xa)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 1 (0x1)

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: DisableChangePassword = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-explorer: NoNTSecurity = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: HideShutdownScripts = 0 (0x0)

mPolicies-system: LogonType = 0 (0x0)

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100321.020\NAVENG.SYS [2010-3-22 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100321.020\NAVEX15.SYS [2010-3-22 1324720]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

=============== Created Last 30 ================

2010-03-23 01:07:43 0 d-----w- C:\ComboFix

2010-03-22 12:01:00 0 d-----w- c:\docume~1\user\applic~1\Foxit Software

2010-03-21 16:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-03-21 16:40:56 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

2010-03-14 09:38:22 0 d-----w- c:\program files\Trend Micro

2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

2010-02-21 14:11:04 0 d-----w- c:\program files\Oxford Dictonary With Sound Portable

==================== Find3M ====================

2010-01-25 07:42:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 11:26:32.49 ===============


Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

DDS::

uPolicies-explorer: MaxRecentDocs = 10 (0xa)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 1 (0x1)

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: DisableChangePassword = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-explorer: NoNTSecurity = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: HideShutdownScripts = 0 (0x0)

mPolicies-system: LogonType = 0 (0x0)

Save this as CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif - dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317

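The CFScript above hands ComboFix the DDS policy lines verbatim. The following is an added example (not code from the thread, DDS or ComboFix) that maps each uPolicies/mPolicies line of a DDS log to the registry value it describes, using the hive convention DDS shares with its uRun/mRun/dRun entries, and rebuilds the DDS:: block from a log; the sample log lines are constructed.

```python
"""Map the uPolicies/mPolicies lines of a DDS log to registry values and
emit the DDS:: block of a ComboFix CFScript for them.

Added example, not part of the forum thread or of the DDS/ComboFix tools.
Hive prefixes (assumed from DDS's uRun/mRun/dRun convention):
'u' = HKEY_CURRENT_USER, 'm' = HKEY_LOCAL_MACHINE, 'd' = HKEY_USERS\\.DEFAULT.
The resulting keys match what ComboFix later lists under "Reg Loading Points",
e.g. HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system.
"""
import re

HIVES = {
    "u": r"HKEY_CURRENT_USER",
    "m": r"HKEY_LOCAL_MACHINE",
    "d": r"HKEY_USERS\.DEFAULT",
}
POLICY_ROOT = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# A DDS policy line looks like: "uPolicies-explorer: MaxRecentDocs = 10 (0xa)"
POLICY_RE = re.compile(
    r"^([umd])Policies-(\w+):\s*(\S+)\s*=\s*(-?\d+)\s*\((0x[0-9a-fA-F]+)\)\s*$"
)

# Policies in the thread's log that limit the user's ability to maintain the
# machine; the descriptions are the documented meaning of each value.
NOTEWORTHY = {
    "NoAutoUpdate": "Automatic Updates disabled",
    "DisableChangePassword": "Change Password removed from Ctrl+Alt+Del",
    "NoNTSecurity": "Windows Security item removed from Ctrl+Alt+Del",
    "DisallowCpl": "Control Panel applets restricted",
}

# Constructed sample in the DDS "Pseudo HJT Report" format.
SAMPLE_DDS = """\
uStart Page = hxxp://www.example.invalid/
uPolicies-explorer: MaxRecentDocs = 10 (0xa)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-explorer: NoNTSecurity = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
"""


def parse_policy_line(line):
    """Return (hive, subkey, value_name, int_value), or None for non-policy lines."""
    m = POLICY_RE.match(line.strip())
    if not m:
        return None
    prefix, subkey, name, dec, hexv = m.groups()
    value = int(dec)
    if value != int(hexv, 16):  # DDS prints both; a mismatch means a mangled line
        raise ValueError(f"decimal/hex mismatch in: {line!r}")
    return HIVES[prefix], subkey, name, value


def registry_path(hive, subkey, name):
    """Full registry path of the value a DDS policy line refers to."""
    return f"{hive}\\{POLICY_ROOT}\\{subkey}\\{name}"


def policy_entries(dds_text):
    """All policy lines of a DDS log as (registry_path, value, note) triples."""
    out = []
    for line in dds_text.splitlines():
        parsed = parse_policy_line(line)
        if parsed:
            hive, subkey, name, value = parsed
            note = NOTEWORTHY.get(name, "") if value != 0 else ""
            out.append((registry_path(hive, subkey, name), value, note))
    return out


def build_cfscript(dds_text):
    """The DDS:: block of a CFScript: the log's policy lines, copied verbatim."""
    lines = [l.strip() for l in dds_text.splitlines() if parse_policy_line(l)]
    return "DDS::\n" + "\n".join(lines) + "\n"


if __name__ == "__main__":
    for path, value, note in policy_entries(SAMPLE_DDS):
        print(f"{path} = {value}" + (f"   <- {note}" if note else ""))
    print(build_cfscript(SAMPLE_DDS))
```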

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Hi Screen,

Thanks again for all of your help. One day when you're visiting Australia, you'll have to let me know; I'd love to buy you a beer or two!

I've run ComboFix with the CFScript you provided me with; the ComboFix log is below, along with a new HJT log.

Thanks again for everything. I'm really looking forward to having a computer that works again!

*******************************************

ComboFix 10-03-27.02 - user 28/03/2010 17:54:24.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.527 [GMT 10:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\user\Desktop\CFscript.txt

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\drivers\ctymfns.sys

c:\windows\system32\drivers\geyenxn.sys

c:\windows\system32\tmp.reg

----- BITS: Possible infected sites -----

hxxp://wus-na.griffith.edu.au

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_cvirjhs

-------\Service_sgoncha

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))

.

2010-03-25 23:15 . 2010-03-25 23:15 -------- d-----w- c:\program files\ESET

2010-03-25 10:59 . 2010-03-25 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2010-03-24 17:30 . 2010-03-25 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-24 17:30 . 2010-03-24 17:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-24 17:29 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-03-24 17:29 . 2010-03-24 17:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-24 17:29 . 2010-03-24 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-03-24 17:29 . 2010-03-24 17:30 -------- d-----w- c:\program files\Lavasoft

2010-03-24 17:03 . 2010-03-24 17:03 -------- d--h--w- c:\windows\PIF

2010-03-24 16:38 . 2010-03-24 16:38 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-03-24 16:36 . 2010-03-24 16:37 -------- d-----w- c:\windows\ERUNT

2010-03-24 16:36 . 2010-03-24 16:49 -------- d-----w- C:\SDFix

2010-03-23 14:50 . 2010-03-23 16:29 -------- d-----w- c:\windows\BDOSCAN8

2010-03-23 02:01 . 2010-03-23 02:01 -------- d-----w- c:\documents and settings\user\Application Data\VMware

2010-03-23 01:59 . 2010-03-23 01:59 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe

2010-03-23 01:59 . 2010-03-23 01:55 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll

2010-03-23 01:59 . 2010-03-23 01:55 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll

2010-03-23 01:59 . 2010-03-23 01:55 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe

2010-03-23 01:59 . 2010-03-23 01:55 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe

2010-03-23 01:59 . 2010-03-23 01:55 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll

2010-03-23 01:59 . 2010-03-23 01:55 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll

2010-03-23 01:59 . 2010-03-23 01:55 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll

2010-03-23 01:58 . 2010-01-22 07:13 59952 ----a-r- c:\windows\system32\vnetinst.dll

2010-03-23 01:58 . 2010-01-22 07:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

2010-03-23 01:58 . 2010-01-22 11:56 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-03-23 01:58 . 2010-01-22 11:57 395824 ----a-w- c:\windows\system32\vmnat.exe

2010-03-23 01:58 . 2010-01-22 11:57 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-03-23 01:58 . 2010-01-22 07:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

2010-03-23 01:57 . 2010-01-22 11:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

2010-03-23 01:57 . 2010-01-22 11:57 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-03-23 01:57 . 2010-03-28 08:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

2010-03-23 01:57 . 2010-03-23 01:57 -------- d-----w- c:\program files\Common Files\VMware

2010-03-23 01:56 . 2010-03-28 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2010-03-23 01:56 . 2010-03-23 01:56 -------- d-----w- c:\program files\VMware

2010-03-22 12:01 . 2010-03-22 12:01 -------- d-----w- c:\documents and settings\user\Application Data\Foxit Software

2010-03-21 16:42 . 2010-03-21 16:42 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcr71.dll

2010-03-21 16:42 . 2010-03-21 16:42 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcp71.dll

2010-03-21 16:42 . 2010-03-21 16:42 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-sse.dll

2010-03-21 16:42 . 2010-03-21 16:42 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\jmc.dll

2010-03-21 16:42 . 2010-03-21 16:42 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-d3d.dll

2010-03-21 16:40 . 2010-03-21 16:40 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-16 14:52 . 2010-03-27 16:35 -------- d-----w- c:\documents and settings\user\Application Data\vlc

2010-03-16 14:48 . 2010-03-16 14:48 -------- d-----w- c:\program files\VideoLAN

2010-03-14 09:38 . 2010-03-14 09:38 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-28 08:06 . 2010-02-02 15:14 -------- d-----w- c:\documents and settings\user\Application Data\RSIGuard

2010-03-28 08:00 . 2010-01-28 02:55 -------- d-----w- c:\documents and settings\user\Application Data\Orbit

2010-03-27 16:08 . 2009-10-10 01:18 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent

2010-03-25 12:48 . 2010-02-21 14:11 -------- d-----w- c:\program files\Oxford Dictonary With Sound Portable

2010-03-25 01:49 . 2009-08-17 23:24 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-25 01:47 . 2009-08-17 23:23 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-21 16:41 . 2009-07-02 04:42 -------- d-----w- c:\program files\Common Files\Java

2010-03-21 16:40 . 2009-07-02 04:42 -------- d-----w- c:\program files\Java

2010-03-19 04:39 . 2009-10-10 01:18 -------- d-----w- c:\program files\uTorrent

2010-03-01 18:13 . 2010-01-28 02:56 -------- d-----w- c:\documents and settings\user\Application Data\GrabPro

2010-02-04 15:53 . 2010-03-24 17:34 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-04 14:16 . 2010-02-04 14:15 -------- d-----w- c:\program files\CCleaner

2010-02-04 04:09 . 2010-02-04 04:09 -------- d-----w- c:\program files\Comical

2010-02-02 15:53 . 2010-02-02 15:53 -------- d-----w- c:\program files\MAKEMSI Package Documentation

2010-02-02 15:53 . 2010-02-02 15:08 -------- d-----w- c:\program files\RSIGuard

2010-02-02 14:58 . 2010-02-02 14:57 -------- d-----w- c:\documents and settings\user\Application Data\Workrave

2010-01-28 02:56 . 2010-01-28 02:56 -------- d-----w- c:\program files\Orbitdownloader

2010-01-25 07:42 . 2010-01-24 07:41 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-01-22 11:58 . 2010-01-22 11:58 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-01-22 11:58 . 2010-01-22 11:58 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2010-01-22 11:57 . 2010-01-22 11:57 854192 ----a-w- c:\windows\system32\drivers\vmx86.sys

2010-01-22 11:57 . 2010-01-22 11:57 70704 ----a-w- c:\windows\system32\drivers\vmci.sys

2010-01-22 11:56 . 2010-01-22 11:56 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys

2010-01-22 11:00 . 2010-01-22 11:00 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys

2010-01-22 10:34 . 2010-01-22 10:34 252464 ----a-w- c:\windows\system32\vmnc.dll

2010-01-12 07:57 . 2008-10-06 23:08 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys

2010-01-10 07:51 . 2010-01-10 07:51 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-08 04:45 . 2009-09-11 01:01 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-07 06:07 . 2009-08-12 07:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 06:07 . 2009-08-12 07:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-22 160592]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-23 2012912]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]

"ZenWorks Nalview"="c:\program files\Novell\ZENworks\Nalview.exe" [2005-09-27 35840]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"DeskTag"="c:\windows\tag.vbs" [2008-07-07 232]

"SOEFixer"="c:\program files\Griffith\SOEFixer\SOEFixer.exe" [2008-07-15 32768]

"NetcheckOff"="c:\windows\nc-off.exe" [2005-11-22 1169138]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-06 115560]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-22 64048]

"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NMPSystray.lnk - c:\program files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe [2009-7-2 81920]

RSIGuard Stretch Edition.lnk - c:\program files\RSIGuard\RSIGuard.exe [2008-6-5 7008256]

VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-7-2 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

"SynchronousUserGroupPolicy"= 0 (0x0)

"DisableBkGndGroupPolicy"= 1 (0x1)

"SynchronousMachineGroupPolicy"= 0 (0x0)

"HideShutdownScripts"= 0 (0x0)

"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLogonScripts"= 0 (0x0)

"DisableChangePassword"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDisconnect"= 1 (0x1)

"NoNTSecurity"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"NoWebServices"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"MaxRecentDocs"= 10 (0xa)

"NoThumbnailCache"= 1 (0x1)

"ForceStartMenuLogOff"= 1 (0x1)

"NoSMBalloonTip"= 1 (0x1)

"NoStartMenuEjectPC"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoRecentDocsNetHood"= 1 (0x1)

"DisablePersonalDirChange"= 1 (0x1)

"DisallowCpl"= 1 (0x1)

"NoAutoUpdate"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-08 03:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 06:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]

2006-05-01 23:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1007\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1008\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-500\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/03/2010 3:34 AM 64288]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/08/2009 4:06 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/08/2009 4:06 PM 66632]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [5/02/2010 1:52 AM 1263728]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [17/08/2006 2:52 PM 167936]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [2/07/2009 2:23 PM 49152]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22/01/2010 9:57 PM 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/01/2010 9:00 PM 563760]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2/07/2009 2:23 PM 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2/05/2006 9:17 AM 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/02/2010 2:00 AM 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/05/2004 4:26 PM 80384]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/08/2009 4:06 PM 12872]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/10/2008 9:08 AM 23888]

.

Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

LSP: c:\program files\VMware\VMware Player\vsocklib.dll

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dp9ia1g0.default\

FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-28 18:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(276)

c:\windows\system32\NETWIN32.DLL

c:\program files\Novell\ZENworks\ZENPOL32.DLL

c:\windows\system32\xmlparse.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'Explorer.exe'(3736)

c:\program files\RSIGuard\RSIWatch.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\NETWIN32.DLL

c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL

c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\IBM\Lotus\Notes\ntmulti.exe

c:\program files\Novell\ZENworks\nalntsrv.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\Novell\ZENworks\Asset Management\bin\CClient.exe

c:\windows\system32\vmnat.exe

c:\program files\Novell\ZENworks\wm.exe

c:\program files\VMware\VMware Player\vmware-authd.exe

c:\windows\system32\vmnetdhcp.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Novell\ZENworks\WMRUNDLL.EXE

c:\program files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

c:\windows\system32\Ati2evxx.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\system32\NWTRAY.EXE

c:\program files\Novell\ZENworks\NalAgent.exe

.

**************************************************************************

.

Completion time: 2010-03-28 18:12:51 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-28 08:12

ComboFix2.txt 2010-03-23 01:15

ComboFix3.txt 2010-03-13 16:33

Pre-Run: 40,135,237,632 bytes free

Post-Run: 40,332,173,312 bytes free

- - End Of File - - 8D73798E686BD3CA55E9DA9E66F53B07

***************************************

***************************************

HJT log:

***************************************

***************************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:22:47 PM, on 28/03/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Novell\XTAgent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

c:\Program Files\Novell\ZENworks\nalntsrv.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\WINDOWS\system32\vmnat.exe

c:\Program Files\Novell\ZENworks\wm.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\WINDOWS\system32\dpmw32.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

C:\Program Files\RSIGuard\RSIGuard.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.griffith.edu.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\system32\zentray.exe

O4 - HKLM\..\Run: [ZenWorks Nalview] C:\Program Files\Novell\ZENworks\Nalview.exe /NS

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [DeskTag] C:\WINDOWS\tag.vbs

O4 - HKLM\..\Run: [sOEFixer] C:\Program Files\Griffith\SOEFixer\SOEFixer.exe

O4 - HKLM\..\Run: [NetcheckOff] C:\WINDOWS\nc-off.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"

O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

O4 - Global Startup: RSIGuard Stretch Edition.lnk = ?

O4 - Global Startup: VPN Client.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

O15 - Trusted Zone: http://*.griffith.edu.au

O15 - Trusted Zone: http://*.gu.edu.au

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191965776190

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191965762450

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = itc.griffith.edu.au,domino.griffith.edu.au,griffith.edu.au,itc.gu.edu.au,gu.edu.au

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = itc.griffith.edu.au,domino.griffith.edu.au,griffith.edu.au,itc.gu.edu.au,gu.edu.au

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = itc.griffith.edu.au,domino.griffith.edu.au,griffith.edu.au,itc.gu.edu.au,gu.edu.au

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - c:\Program Files\Novell\ZENworks\nalntsrv.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: WLANKEEPER - Intel


Hi Screen,

I've run the CFScript and posted the ComboFix and HJT logs above in the last reply. Just to let you know, after running ComboFix, MBAM still finds infections, including that one persistent one which won't delete on rebooting.

Here are my three most recent MBAM logs, all of which were run after running the CFScript. After the first one, MBAM asked if I wanted to reboot to remove, I answered Yes, and it actually *did* reboot. After the next two scans, MBAM found infections, asked if I wanted to reboot, but did not reboot when I said Yes. The last scan was done from Safe Mode.

Thanks again, Screen.

************************************

************************************

Malwarebytes' Anti-Malware 1.44

Database version: 3922

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

28/03/2010 6:37:02 PM

mbam-log-2010-03-28 (18-37-02).txt

Scan type: Quick Scan

Objects scanned: 154370

Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***********************************************

***********************************************

Malwarebytes' Anti-Malware 1.44

Database version: 3922

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

28/03/2010 6:50:06 PM

mbam-log-2010-03-28 (18-50-06).txt

Scan type: Quick Scan

Objects scanned: 154417

Time elapsed: 5 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***********************************************

************************************************

Malwarebytes' Anti-Malware 1.44

Database version: 3922

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.11

28/03/2010 7:13:52 PM

mbam-log-2010-03-28 (19-13-52).txt

Scan type: Quick Scan

Objects scanned: 152332

Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

**************************************

**************************************


What sort of computer is this? Is this a work computer?

Hi Screen,

Thanks again for all of your help; you have no idea how much I appreciate it!

The computer is my own computer, but I purchased it as old stock from the university where I am a staff member. I would be surprised if it still had any policies from my university, but perhaps they didn't do a thorough cleanup? I can make absolutely any changes you see fit, without having to worry about work, because the computer is mine.

Prior to the most recent bout of infection, MBAM scans ran completely clean on my computer. Past infections have been cleaned up by MBAM run in Safe Mode.

Are there some residual university settings preventing MBAM from doing its job? Do you have advice on how I should best remove those settings? My computer is no longer supported by my IT Department.

Thanks again for everything, Screen! I'll be so glad when I've got a working computer again!


Prior to the most recent bout of infection, MBAM scans ran completely clean on my computer. Past infections have been cleaned up by MBAM run in Safe Mode.

Hi Screen,

Just to clarify: in the past, after an infection, MBAM in Safe Mode would remove everything, scans would then run completely clean without turning up any traces at all, and I would be symptom free.

At the moment, I still have pretty bad symptoms. As I mentioned upthread:

MBAM still finds between 1 and 4 infected entries every time I reboot and scan. I


  • Staff

Hi,

Thanks for letting me know.

Let's try tackling this again.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

KILLALL::

DDS::

uPolicies-explorer: MaxRecentDocs = 10 (0xa)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 1 (0x1)

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: DisableChangePassword = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-explorer: NoNTSecurity = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: HideShutdownScripts = 0 (0x0)

mPolicies-system: LogonType = 0 (0x0)

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot CFScriptB-4.gif: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317
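As an added example (not part of this thread, and not ComboFix's or DDS's own code), the Python below turns the `[HKEY_...\policies\explorer]` / `[...\policies\system]` block of a ComboFix log into the `uPolicies-` / `mPolicies-` lines that the CFScript above is built from, and marks the value names that the MBAM logs posted in this thread flagged. The sample log is constructed to match the format of the log posted above; the reading `u` = HKEY_CURRENT_USER and `m` = HKEY_LOCAL_MACHINE is taken from comparing the posted log with the script, and the flagged-name list covers only names that appear in the Policies\Explorer dump (the SystemRestore\disableconfig value lives under a different key and is not part of this block).

```python
"""Translate a ComboFix log's policy block into CFScript 'DDS::' lines.

Added example for this thread; it is not ComboFix, DDS or MBAM code.
Hive prefixes follow the posted log/script pair: HKEY_CURRENT_USER -> 'u',
HKEY_LOCAL_MACHINE -> 'm', so '[HKEY_CURRENT_USER\\...\\policies\\explorer]'
with '"NoSMHelp"= 1 (0x1)' becomes 'uPolicies-explorer: NoSMHelp = 1 (0x1)'.
"""
import re

# Constructed sample in the format of the ComboFix log posted above
# (trimmed; the ShellExecuteHooks key is included to show it is ignored).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"MaxRecentDocs"= 10 (0xa)

"DisallowCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDisconnect"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]
"""

HIVE_PREFIX = {"HKEY_CURRENT_USER": "u", "HKEY_LOCAL_MACHINE": "m"}

# Policies\Explorer value names that the MBAM logs in this thread reported
# (Malware.Trace, Hijack.Help, Hijack.ControlPanelStyle). Compared case-insensitively.
MBAM_FLAGGED = {"DisallowCpl", "NoSMHelp", "forceclassiccontrolpanel"}

# Only the two policy keys ComboFix dumps in this block are of interest;
# any other "[...]" header resets the parser so its values are skipped.
KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\software\\microsoft\\windows\\currentversion"
    r"\\policies\\(explorer|system)\]$",
    re.IGNORECASE,
)
# '"Name"= 1 (0x1)'  ->  name, '1 (0x1)'
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\d+ \(0x[0-9a-f]+\))$', re.IGNORECASE)


def parse_policies(log_text):
    """Return (hive_prefix, subkey, name, value) tuples in log order."""
    entries = []
    current = None  # (hive_prefix, subkey) of the policy key being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (HIVE_PREFIX[m.group(1).upper()], m.group(2).lower()) if m else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current[0], current[1], m.group(1), m.group(2)))
    return entries


def to_cfscript(entries):
    """Render entries in the 'uPolicies-explorer: Name = 1 (0x1)' form used by the script."""
    return [f"{hive}Policies-{subkey}: {name} = {value}" for hive, subkey, name, value in entries]


def flagged_entries(entries):
    """Entries whose value name MBAM flagged in this thread, as 'uPolicies-explorer: Name'."""
    names = {n.lower() for n in MBAM_FLAGGED}
    return [f"{h}Policies-{s}: {n}" for h, s, n, _ in entries if n.lower() in names]


def build_cfscript(log_text):
    """Full script text: the KILLALL:: and DDS:: directives, then one line per value."""
    return "\n".join(["KILLALL::", "DDS::"] + to_cfscript(parse_policies(log_text))) + "\n"


if __name__ == "__main__":
    found = parse_policies(SAMPLE_LOG)
    print(build_cfscript(SAMPLE_LOG))
    for item in flagged_entries(found):
        print("flagged by MBAM in this thread:", item)
```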


After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Hi Screen Wan Kenobi,

Thank you again for all of your help. You are awesome, you are a jedi.

I've re-run ComboFix with the script that you gave me; the log is below, along with a new DDS, and the attachment from DDS.

I don't know how relevant this is, but some of the errors reported in the DDS attach.txt may be due to the fact that lately I've been disabling my wifi connection so that the infection doesn't screw up my home network.

Once again, thank you so much!

**********************************

**********************************

ComboFix 10-03-29.04 - user 31/03/2010 9:53.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.492 [GMT 10:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://wus-na.griffith.edu.au

.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))

.

2010-03-25 23:15 . 2010-03-25 23:15 -------- d-----w- c:\program files\ESET

2010-03-25 10:59 . 2010-03-25 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2010-03-24 17:30 . 2010-03-25 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-24 17:30 . 2010-03-24 17:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-24 17:29 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-03-24 17:29 . 2010-03-24 17:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-24 17:29 . 2010-03-24 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-03-24 17:29 . 2010-03-24 17:30 -------- d-----w- c:\program files\Lavasoft

2010-03-24 17:03 . 2010-03-24 17:03 -------- d--h--w- c:\windows\PIF

2010-03-24 16:38 . 2010-03-24 16:38 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-03-24 16:36 . 2010-03-24 16:37 -------- d-----w- c:\windows\ERUNT

2010-03-24 16:36 . 2010-03-24 16:49 -------- d-----w- C:\SDFix

2010-03-23 14:50 . 2010-03-23 16:29 -------- d-----w- c:\windows\BDOSCAN8

2010-03-23 02:01 . 2010-03-23 02:01 -------- d-----w- c:\documents and settings\user\Application Data\VMware

2010-03-23 01:59 . 2010-03-23 01:59 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe

2010-03-23 01:59 . 2010-03-23 01:55 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll

2010-03-23 01:59 . 2010-03-23 01:55 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll

2010-03-23 01:59 . 2010-03-23 01:55 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe

2010-03-23 01:59 . 2010-03-23 01:55 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe

2010-03-23 01:59 . 2010-03-23 01:55 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll

2010-03-23 01:59 . 2010-03-23 01:55 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll

2010-03-23 01:59 . 2010-03-23 01:55 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll

2010-03-23 01:58 . 2010-01-22 07:13 59952 ----a-r- c:\windows\system32\vnetinst.dll

2010-03-23 01:58 . 2010-01-22 07:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

2010-03-23 01:58 . 2010-01-22 11:56 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-03-23 01:58 . 2010-01-22 11:57 395824 ----a-w- c:\windows\system32\vmnat.exe

2010-03-23 01:58 . 2010-01-22 11:57 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-03-23 01:58 . 2010-01-22 07:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

2010-03-23 01:57 . 2010-01-22 11:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

2010-03-23 01:57 . 2010-01-22 11:57 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-03-23 01:57 . 2010-03-31 00:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

2010-03-23 01:57 . 2010-03-23 01:57 -------- d-----w- c:\program files\Common Files\VMware

2010-03-23 01:56 . 2010-03-31 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2010-03-23 01:56 . 2010-03-23 01:56 -------- d-----w- c:\program files\VMware

2010-03-22 12:01 . 2010-03-22 12:01 -------- d-----w- c:\documents and settings\user\Application Data\Foxit Software

2010-03-21 16:42 . 2010-03-21 16:42 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcr71.dll

2010-03-21 16:42 . 2010-03-21 16:42 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\msvcp71.dll

2010-03-21 16:42 . 2010-03-21 16:42 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-sse.dll

2010-03-21 16:42 . 2010-03-21 16:42 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-77443784-n\jmc.dll

2010-03-21 16:42 . 2010-03-21 16:42 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5e2e5fe3-n\decora-d3d.dll

2010-03-21 16:40 . 2010-03-21 16:40 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-16 14:52 . 2010-03-30 14:32 -------- d-----w- c:\documents and settings\user\Application Data\vlc

2010-03-16 14:48 . 2010-03-16 14:48 -------- d-----w- c:\program files\VideoLAN

2010-03-14 09:38 . 2010-03-14 09:38 -------- d-----w- c:\program files\Trend Micro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-31 00:24 . 2010-02-02 15:14 -------- d-----w- c:\documents and settings\user\Application Data\RSIGuard

2010-03-30 23:43 . 2009-08-12 07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-30 23:41 . 2010-01-28 02:55 -------- d-----w- c:\documents and settings\user\Application Data\Orbit

2010-03-30 23:40 . 2009-09-11 01:01 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 15:36 . 2009-10-10 01:18 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent

2010-03-29 14:46 . 2009-08-12 07:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 14:45 . 2009-08-12 07:40 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-25 12:48 . 2010-02-21 14:11 -------- d-----w- c:\program files\Oxford Dictonary With Sound Portable

2010-03-25 01:49 . 2009-08-17 23:24 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-25 01:47 . 2009-08-17 23:23 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-21 16:41 . 2009-07-02 04:42 -------- d-----w- c:\program files\Common Files\Java

2010-03-21 16:40 . 2009-07-02 04:42 -------- d-----w- c:\program files\Java

2010-03-19 04:39 . 2009-10-10 01:18 -------- d-----w- c:\program files\uTorrent

2010-03-01 18:13 . 2010-01-28 02:56 -------- d-----w- c:\documents and settings\user\Application Data\GrabPro

2010-02-04 15:53 . 2010-03-24 17:34 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-04 14:16 . 2010-02-04 14:15 -------- d-----w- c:\program files\CCleaner

2010-02-04 04:09 . 2010-02-04 04:09 -------- d-----w- c:\program files\Comical

2010-02-02 15:53 . 2010-02-02 15:53 -------- d-----w- c:\program files\MAKEMSI Package Documentation

2010-02-02 15:53 . 2010-02-02 15:08 -------- d-----w- c:\program files\RSIGuard

2010-02-02 14:58 . 2010-02-02 14:57 -------- d-----w- c:\documents and settings\user\Application Data\Workrave

2010-01-25 07:42 . 2010-01-24 07:41 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-01-22 11:58 . 2010-01-22 11:58 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-01-22 11:58 . 2010-01-22 11:58 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2010-01-22 11:57 . 2010-01-22 11:57 854192 ----a-w- c:\windows\system32\drivers\vmx86.sys

2010-01-22 11:57 . 2010-01-22 11:57 70704 ----a-w- c:\windows\system32\drivers\vmci.sys

2010-01-22 11:56 . 2010-01-22 11:56 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys

2010-01-22 11:00 . 2010-01-22 11:00 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys

2010-01-22 10:34 . 2010-01-22 10:34 252464 ----a-w- c:\windows\system32\vmnc.dll

2010-01-12 07:57 . 2008-10-06 23:08 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys

2010-01-10 07:51 . 2010-01-10 07:51 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-22 160592]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-23 2012912]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]

"ZenWorks Nalview"="c:\program files\Novell\ZENworks\Nalview.exe" [2005-09-27 35840]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"DeskTag"="c:\windows\tag.vbs" [2008-07-07 232]

"SOEFixer"="c:\program files\Griffith\SOEFixer\SOEFixer.exe" [2008-07-15 32768]

"NetcheckOff"="c:\windows\nc-off.exe" [2005-11-22 1169138]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-06 115560]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-22 64048]

"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NMPSystray.lnk - c:\program files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe [2009-7-2 81920]

RSIGuard Stretch Edition.lnk - c:\program files\RSIGuard\RSIGuard.exe [2008-6-5 7008256]

VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-7-2 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

"SynchronousUserGroupPolicy"= 0 (0x0)

"DisableBkGndGroupPolicy"= 1 (0x1)

"SynchronousMachineGroupPolicy"= 0 (0x0)

"HideShutdownScripts"= 0 (0x0)

"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLogonScripts"= 0 (0x0)

"DisableChangePassword"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDisconnect"= 1 (0x1)

"NoNTSecurity"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"NoWebServices"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"MaxRecentDocs"= 10 (0xa)

"NoThumbnailCache"= 1 (0x1)

"ForceStartMenuLogOff"= 1 (0x1)

"NoSMBalloonTip"= 1 (0x1)

"NoStartMenuEjectPC"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoRecentDocsNetHood"= 1 (0x1)

"DisablePersonalDirChange"= 1 (0x1)

"DisallowCpl"= 1 (0x1)

"NoAutoUpdate"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-08 03:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 06:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]

2006-05-01 23:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1007\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-1008\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1738760140-488227965-1200548808-500\Scripts\Logoff\0\0]

"Script"=c:\windows\nc-off.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/03/2010 3:34 AM 64288]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/08/2009 4:06 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/08/2009 4:06 PM 66632]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [17/01/2005 12:23 PM 6899]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [5/02/2010 1:52 AM 1263728]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [17/08/2006 2:52 PM 167936]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [2/07/2009 2:23 PM 49152]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22/01/2010 9:57 PM 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/01/2010 9:00 PM 563760]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2/07/2009 2:23 PM 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2/05/2006 9:17 AM 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [10/01/2005 11:37 AM 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/02/2010 2:00 AM 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/05/2004 4:26 PM 80384]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/08/2009 4:06 PM 12872]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/10/2008 9:08 AM 23888]

.

Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

LSP: c:\program files\VMware\VMware Player\vsocklib.dll

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dp9ia1g0.default\

FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-31 10:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(212)

c:\windows\system32\NETWIN32.DLL

c:\program files\Novell\ZENworks\ZENPOL32.DLL

c:\windows\system32\xmlparse.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'Explorer.exe'(3892)

c:\program files\RSIGuard\RSIWatch.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\IBM\Lotus\Notes\ntmulti.exe

c:\program files\Novell\ZENworks\nalntsrv.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\Novell\ZENworks\Asset Management\bin\CClient.exe

c:\windows\system32\vmnat.exe

c:\program files\Novell\ZENworks\wm.exe

c:\program files\VMware\VMware Player\vmware-authd.exe

c:\windows\system32\vmnetdhcp.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Novell\ZENworks\WMRUNDLL.EXE

c:\program files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

c:\windows\system32\Ati2evxx.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\system32\NWTRAY.EXE

c:\program files\Novell\ZENworks\NalAgent.exe

.

**************************************************************************

.

Completion time: 2010-03-31 10:29:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-31 00:29

ComboFix2.txt 2010-03-28 08:12

ComboFix3.txt 2010-03-23 01:15

ComboFix4.txt 2010-03-13 16:33

Pre-Run: 39,773,519,872 bytes free

Post-Run: 39,776,391,168 bytes free

- - End Of File - - 61C7450209CC9F1E329AEA730B1FF583

*******************************

*******************************

DDS Log:

*******************************

*******************************

DDS (Ver_10-03-17.01) - NTFSx86

Run by user at 10:40:48.22 on Wed 31/03/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.306 [GMT 10:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

c:\Program Files\Novell\ZENworks\nalntsrv.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\WINDOWS\system32\vmnat.exe

c:\Program Files\Novell\ZENworks\wm.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\NWTRAY.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\WINDOWS\system32\dpmw32.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

C:\Program Files\RSIGuard\RSIGuard.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

mRun: [NWTRAY] NWTRAY.EXE

mRun: [DeskTag] c:\windows\tag.vbs

mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

mRun: [NetcheckOff] c:\windows\nc-off.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [NDPS] c:\windows\system32\dpmw32.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

uPolicies-explorer: NoSMHelp = 1 (0x1)

uPolicies-explorer: MaxRecentDocs = 10 (0xa)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 1 (0x1)

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: DisableChangePassword = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-explorer: NoNTSecurity = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: HideShutdownScripts = 0 (0x0)

mPolicies-system: LogonType = 0 (0x0)

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\program files\vmware\vmware player\vsocklib.dll

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1263728]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVENG.SYS [2010-3-25 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVEX15.SYS [2010-3-25 1324720]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

=============== Created Last 30 ================

2010-03-25 23:15:17 0 d-----w- c:\program files\ESET

2010-03-25 10:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure

2010-03-24 17:34:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-24 17:34:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-24 17:30:39 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-03-24 17:30:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-03-24 17:29:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-24 17:29:19 0 d-----w- c:\program files\Lavasoft

2010-03-24 17:03:30 0 d--h--w- c:\windows\PIF

2010-03-24 16:38:15 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-03-24 16:36:56 0 d-----w- c:\windows\ERUNT

2010-03-24 16:36:14 0 d-----w- C:\SDFix

2010-03-23 01:58:24 59952 ----a-r- c:\windows\system32\vnetinst.dll

2010-03-23 01:58:24 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

2010-03-23 01:58:17 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-03-23 01:58:13 395824 ----a-w- c:\windows\system32\vmnat.exe

2010-03-23 01:58:11 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-03-23 01:58:02 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

2010-03-23 01:57:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

2010-03-23 01:57:32 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-03-23 01:57:22 1024 ----a-w- C:\.rnd

2010-03-23 01:57:02 0 d-----w- c:\program files\common files\VMware

2010-03-23 01:56:34 0 d-----w- c:\program files\VMware

2010-03-22 12:01:00 0 d-----w- c:\docume~1\user\applic~1\Foxit Software

2010-03-21 16:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-03-21 16:40:56 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

2010-03-14 09:38:22 0 d-----w- c:\program files\Trend Micro

2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-22 11:58:02 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-01-22 10:34:24 252464 ----a-w- c:\windows\system32\vmnc.dll

2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 10:42:12.36 ===============

Attach_March31.zip

  • Staff

Hi,

Try this please:

1. Download FixPolicies.exe by Bill Castner and save it to your Desktop.

2. Double click on FixPolicies.exe to run it.

3. Click on Install. It will create a folder named FixPolicies on your desktop.

4. Open the FixPolicies folder.

5. Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

After it completes, restart your computer and post a fresh DDS log.

Let me know if MBAM still detects anything.

1. Download FixPolicies.exe by Bill Castner and save it to your Desktop.

After it completes, restart your computer and post a fresh DDS log.

Let me know if MBAM still detects anything.

Hi Screen,

Whoah, that gave me a fright! I came back after rebooting my computer and the screen was blank--after about a minute of holding my breath, white knuckled, the computer booted as normal. Phew! Heh heh, I guess April Fool's came early on me.

Thanks again for all of your help.

I've run FixPolicies as you suggested, rebooted, and run DDS again. I've included the new DDS log below.

MBAM is still picking up infections; I've scanned about 4 times, selected remove each time, rebooted and scanned again, but I'm still getting MBAM finding infections even after the removes and reboots. I've posted the 2 most recent MBAM logs below:

I'm running out of ways to say thank you, but I hope you know how much I appreciate your help.

***********************

***********************

DDS (Ver_10-03-17.01) - NTFSx86

Run by user at 12:34:25.15 on Wed 31/03/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.299 [GMT 10:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k eapsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k dot3svc

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\IBM\Lotus\Notes\ntmulti.exe

c:\Program Files\Novell\ZENworks\nalntsrv.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\WINDOWS\system32\vmnat.exe

c:\Program Files\Novell\ZENworks\wm.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\NWTRAY.EXE

c:\Program Files\Novell\ZENworks\NalAgent.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\WINDOWS\system32\dpmw32.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe

C:\Program Files\RSIGuard\RSIGuard.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Griffith University

uStart Page = hxxp://www.griffith.edu.au/

uDefault_Page_URL = hxxp://www.griffith.edu.au/

uSearch Bar = hxxp://www.griffith.edu.au/find

mDefault_Page_URL = hxxp://www.griffith.edu.au/

uInternet Settings,ProxyOverride = <local>

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe

mRun: [ZenWorks Nalview] c:\program files\novell\zenworks\Nalview.exe /NS

mRun: [NWTRAY] NWTRAY.EXE

mRun: [DeskTag] c:\windows\tag.vbs

mRun: [sOEFixer] c:\program files\griffith\soefixer\SOEFixer.exe

mRun: [NetcheckOff] c:\windows\nc-off.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [NDPS] c:\windows\system32\dpmw32.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nmpsys~1.lnk - c:\program files\cassetica\cassetica notesmedic pro\NMPSystray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rsigua~1.lnk - c:\program files\rsiguard\RSIGuard.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

uPolicies-explorer: NoSMHelp = 1 (0x1)

uPolicies-explorer: MaxRecentDocs = 10 (0xa)

uPolicies-explorer: NoThumbnailCache = 1 (0x1)

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

uPolicies-explorer: NoSMBalloonTip = 1 (0x1)

uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoPublishingWizard = 1 (0x1)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = wbsamp.exe

uPolicies-disallowrun: 2 = webshots.exe

uPolicies-disallowrun: 3 = webshots.scr

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: DisableChangePassword = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-explorer: NoNTSecurity = 1 (0x1)

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

mPolicies-explorer: NoPublishingWizard = 1 (0x1)

mPolicies-explorer: NoWebServices = 1 (0x1)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

mPolicies-system: DisableBkGndGroupPolicy = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: HideShutdownScripts = 0 (0x0)

mPolicies-system: LogonType = 0 (0x0)

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\program files\vmware\vmware player\vsocklib.dll

Trusted Zone: griffith.edu.au

Trusted Zone: gu.edu.au

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191965776190

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191965762450

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\dp9ia1g0.default\

FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-25 64288]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-10-7 108392]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1263728]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-10-7 2436536]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2009-7-2 49152]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]

R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2009-7-2 9176]

R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]

R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-12 38224]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVENG.SYS [2010-3-25 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100324.037\NAVEX15.SYS [2010-3-25 1324720]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-10-7 23888]

=============== Created Last 30 ================

2010-03-25 23:15:17 0 d-----w- c:\program files\ESET

2010-03-25 10:59:25 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure

2010-03-24 17:34:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-24 17:34:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-24 17:30:39 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-03-24 17:30:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-03-24 17:29:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-24 17:29:19 0 d-----w- c:\program files\Lavasoft

2010-03-24 17:03:30 0 d--h--w- c:\windows\PIF

2010-03-24 16:38:15 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-03-24 16:36:56 0 d-----w- c:\windows\ERUNT

2010-03-24 16:36:14 0 d-----w- C:\SDFix

2010-03-23 01:58:24 59952 ----a-r- c:\windows\system32\vnetinst.dll

2010-03-23 01:58:24 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys

2010-03-23 01:58:17 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-03-23 01:58:13 395824 ----a-w- c:\windows\system32\vmnat.exe

2010-03-23 01:58:11 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-03-23 01:58:02 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys

2010-03-23 01:57:57 760368 ----a-w- c:\windows\system32\vnetlib.dll

2010-03-23 01:57:32 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-03-23 01:57:22 1024 ----a-w- C:\.rnd

2010-03-23 01:57:02 0 d-----w- c:\program files\common files\VMware

2010-03-23 01:56:34 0 d-----w- c:\program files\VMware

2010-03-22 12:01:00 0 d-----w- c:\docume~1\user\applic~1\Foxit Software

2010-03-21 16:40:56 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-03-21 16:40:56 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-16 14:48:52 0 d-----w- c:\program files\VideoLAN

2010-03-14 09:38:22 0 d-----w- c:\program files\Trend Micro

2010-03-14 09:12:51 0 ----a-w- c:\documents and settings\user\defogger_reenable

2010-03-13 16:01:30 0 d-sha-r- C:\cmdcons

2010-03-13 15:59:56 98816 ----a-w- c:\windows\sed.exe

2010-03-13 15:59:56 77312 ----a-w- c:\windows\MBR.exe

2010-03-13 15:59:56 261632 ----a-w- c:\windows\PEV.exe

2010-03-13 15:59:56 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-22 11:58:02 51248 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-01-22 10:34:24 252464 ----a-w- c:\windows\system32\vmnc.dll

2008-05-14 00:53:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-05-13 06:00:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 12:34:51.69 ===============

************************************

************************************

MBAM Log 1

************************************

************************************

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3935

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

31/03/2010 12:41:11 PM

mbam-log-2010-03-31 (12-41-11).txt

Scan type: Quick scan

Objects scanned: 128559

Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

************************************

************************************

MBAM Log 2

************************************

************************************

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3935

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

31/03/2010 12:56:39 PM

mbam-log-2010-03-31 (12-56-39).txt

Scan type: Quick scan

Objects scanned: 128414

Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

  • Staff

Hi,

For some reason those entries don't want to be deleted. Let's try to tackle this manually.

Please open Notepad. Copy and paste the following text (starting with @echo off) into the Notepad document.

Navigate to File --> Save As..., and save the file as RegExport.bat (make sure the Save As Type is set to All Files).

Save it to your Desktop.

@echo off
REM Export three policy keys to .reg files on the Desktop (REGEDIT /E = export, nothing is changed)
REGEDIT.exe /E "%userprofile%\DESKTOP\ExplorerAdvanced.reg" "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
REGEDIT.exe /E "%userprofile%\DESKTOP\ExplorerPolicies.reg" "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REGEDIT.exe /E "%userprofile%\DESKTOP\SystemPolicies.reg" "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
EXIT

Now navigate to your Desktop, and double click RegExport.bat

A black window will open and close quickly. This is normal.

Now, open Notepad, navigate to your Desktop, and open SystemPolicies.reg, ExplorerPolicies.reg, and ExplorerAdvanced.reg. Post the contents of each.

-screen317

For some reason those entries don't want to be deleted. Let's try to tackle this manually.

Now, open Notepad, navigate to your Desktop, and open SystemPolicies.reg, ExplorerPolicies.reg, and ExplorerAdvanced.reg. Post the contents of each.

Hi Screen,

Thank you so much for all of your help. If you guys have a long weekend this weekend, I hope you're having a good one!

I ran the .bat file you told me to; here are the .reg files. I wasn't sure, so I opened them in Notepad, and then copied and pasted the text here. If that's not right, please let me know and I'll do whatever I was meant to do.

Just another symptom I noticed: I'm not able to enable the built-in firewall in XP; the option is greyed out. The same with Windows automatic updates; that's greyed out, too. System Restore is also missing.

Thanks again for all of your help to all of these people! You're incredible.

----------------------

SystemPolicies.reg

----------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"RunLogonScriptSync"=dword:00000001

"HideLogonScripts"=dword:00000000

"HideLogoffScripts"=dword:00000000

"DisableChangePassword"=dword:00000001

----------------------

ExplorerPolicies.reg

----------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoDriveAutoRun"=dword:03ffffff

"NoDrives"=dword:00000000

"NoSaveSettings"=dword:00000000

"NoDriveTypeAutoRun"=dword:000000b5

"NoWindowsUpdate"=dword:00000001

"MaxRecentDocs"=dword:0000000a

"NoSharedDocuments"=dword:00000001

"NoThumbnailCache"=dword:00000001

"ForceStartMenuLogOff"=dword:00000001

"NoSMBalloonTip"=dword:00000001

"NoStartMenuEjectPC"=dword:00000001

"NoSMConfigurePrograms"=dword:00000001

"NoRecentDocsNetHood"=dword:00000001

"DisablePersonalDirChange"=dword:00000001

"NoDesktopCleanupWizard"=dword:00000001

"DisallowCpl"=dword:00000001

"NoAutoUpdate"=dword:00000001

"NoPublishingWizard"=dword:00000001

"DisallowRun"=dword:00000001

"NoSMHelp"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl]

"2"="gpedit.msc"

"3"="lusrmgr.msc"

"4"="nusrmgr.cpl"

"5"="nwc.cpl"

"6"="wscui.cpl"

"7"="wuaucpl.cpl"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]

"1"="wbsamp.exe"

"2"="webshots.exe"

"3"="webshots.scr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

----------------------

ExplorerAdvanced.reg

----------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

"ServerAdminUI"=dword:00000000

"Hidden"=dword:00000001

"ShowCompColor"=dword:00000001

"HideFileExt"=dword:00000000

"DontPrettyPath"=dword:00000000

"ShowInfoTip"=dword:00000001

"MapNetDrvBtn"=dword:00000000

"WebView"=dword:00000000

"Filter"=dword:00000000

"SuperHidden"=dword:00000001

"SeparateProcess"=dword:00000000

"ListviewAlphaSelect"=dword:00000000

"ListviewShadow"=dword:00000000

"ListviewWatermark"=dword:00000000

"TaskbarAnimations"=dword:00000000

"StartMenuInit"=dword:00000002

"StartButtonBalloonTip"=dword:00000002

"TaskbarSizeMove"=dword:00000000

"TaskbarGlomming"=dword:00000001

"StartMenuLogoff"=dword:00000000

"StartMenuRun"=dword:00000001

"StartMenuChange"=dword:00000001

"CascadeControlPanel"="NO"

"CascadeMyDocuments"="NO"

"CascadeMyPictures"="NO"

"CascadeNetworkConnections"="NO"

"CascadePrinters"="NO"

"StartMenuScrollPrograms"="NO"

"IntelliMenus"=dword:00000000

"NoNetCrawling"=dword:00000000

"FolderContentsInfoTip"=dword:00000001

"FriendlyTree"=dword:00000001

"WebViewBarricade"=dword:00000000

"DisableThumbnailCache"=dword:00000000

"ShowSuperHidden"=dword:00000001

"ClassicViewState"=dword:00000000

"PersistBrowsers"=dword:00000000

"LoosenRudeAppCheck"=dword:00000001

"HideIcons"=dword:00000000

  • Staff

Hi,

My apologies for the delay.

Let's address the System Restore issue.

First, please back up your Registry with ERUNT.

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Please open Notepad. Copy and paste the following text (starting with Windows Registry Editor Version 5.00) into the Notepad document.

Navigate to File --> Save As..., and save the file as Fix.reg (make sure the Save As Type is set to All Files).

Save it to your Desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,73,00,72,00,2e,00,73,00,79,00,73,\
00,00,00
"DisplayName"="System Restore Filter Driver"
"Group"="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000000
"DontBackup"=dword:00000000
"MachineGuid"="{EAAFAEEC-4AFE-42BE-83D9-C12FDD4942A6}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]

Now navigate to your Desktop, and double click Fix.reg (click Yes to the prompt).

Restart your computer and see if System Restore is functional now.

Now navigate to your Desktop, and double click fix.reg (Click Yes to the prompt)

Restart your computer and see if System Restore is functional now.

Hi Screen,

I ran the fix.reg you provided, but unfortunately when I reboot and right click on My Computer>Properties, there is no System Restore tab.

I know that if I go into regedit, and delete "SystemRestore\DisableSR" and "SystemRestore\DisableConfig" then I temporarily have access to the System Restore tab, but as soon as I reboot, those two registry keys are back, and System Restore is gone.

Once again, thank you for your help, Screen!

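The symptom in the last post (policy values that come back after every reboot) is easier to pin down if you record the values before the restart and diff the live registry against that record afterwards. The PowerShell script below is an added example, not code from screen317, the poster or Malwarebytes; it covers the keys and value names that appear in the MBAM logs and the .reg exports earlier in the thread. It assumes PowerShell 2.0 or later, an administrator session, and a constructed snapshot path on the Desktop.

```powershell
# Added example (not from the thread): snapshot the policy values discussed in this
# thread, then diff the live registry against that snapshot after a reboot, so the
# values that return can be listed instead of guessed at.
# Assumptions: PowerShell 2.0+ (Export-Clixml/Import-Clixml), run as an administrator,
# $SnapshotPath is a constructed placeholder.
param(
    [ValidateSet('save', 'compare')]
    [string]$Mode = 'save',
    [string]$SnapshotPath = (Join-Path $env:USERPROFILE 'Desktop\policy-snapshot.xml')
)

# Keys and value names taken from the MBAM logs and the .reg exports in this thread.
$Targets = @(
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Names = @('DisableSR', 'DisableConfig') },
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore'
       Names = @('DisableSR', 'DisableConfig') },
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = @('NoWindowsUpdate', 'NoAutoUpdate', 'DisallowCpl', 'DisallowRun',
                 'NoSMHelp', 'ForceClassicControlPanel', 'NoSaveSettings') },
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = @('DisableChangePassword') }
)

function Get-PolicySnapshot {
    # Returns a hashtable: "<key>\<value name>" -> current data, or a marker when absent.
    $snap = @{}
    foreach ($t in $Targets) {
        $exists = Test-Path -LiteralPath $t.Path
        foreach ($n in $t.Names) {
            $id = '{0}\{1}' -f $t.Path, $n
            if (-not $exists) { $snap[$id] = '<key missing>'; continue }
            # Value names are case-insensitive, so 'ForceClassicControlPanel' also
            # matches the lower-case name MBAM reported.
            $item = Get-ItemProperty -LiteralPath $t.Path -Name $n -ErrorAction SilentlyContinue
            if ($item -eq $null) { $snap[$id] = '<absent>' } else { $snap[$id] = [string]$item.$n }
        }
    }
    return $snap
}

function Show-PolicyFindings([hashtable]$Snap) {
    # Flags the restrictions from the MBAM logs that are currently switched on (data = 1).
    foreach ($id in ($Snap.Keys | Sort-Object)) {
        if ($Snap[$id] -eq '1') { Write-Output ('RESTRICTION SET : {0}' -f $id) }
    }
}

function Compare-PolicySnapshot([string]$Path) {
    # Lists every value whose data differs from the saved snapshot.
    $before  = Import-Clixml -Path $Path
    $after   = Get-PolicySnapshot
    $changed = 0
    foreach ($id in ($after.Keys | Sort-Object)) {
        if ([string]$before[$id] -ne [string]$after[$id]) {
            $changed++
            Write-Output $id
            Write-Output ('    before: {0}' -f $before[$id])
            Write-Output ('    after : {0}' -f $after[$id])
        }
    }
    Write-Output ('{0} value(s) changed since the snapshot' -f $changed)
}

switch ($Mode) {
    'save' {
        # Run once before the reboot (or right after deleting the values by hand).
        $snap = Get-PolicySnapshot
        $snap | Export-Clixml -Path $SnapshotPath
        Show-PolicyFindings $snap
        Write-Output ('Snapshot written to {0}; reboot, then run again with -Mode compare' -f $SnapshotPath)
    }
    'compare' {
        Compare-PolicySnapshot $SnapshotPath
        Show-PolicyFindings (Get-PolicySnapshot)
    }
}
```

A value that reads `<absent>` before the reboot and `1` afterwards is being re-applied by something that runs at startup or logon, which is where the next step of the investigation belongs.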
