
Author Topic: Trojan.Packed.NsAnti virus - please help  (Read 13289 times)


Peedo (Topic Starter)

    Trojan.Packed.NsAnti virus - please help
    « on: October 28, 2009, 03:33:39 PM »
    Hi

    My laptop is a business laptop. I have enterprise version of Symantec antivirus installed. I
    cannot update the antivirus definitions or disable the auto detection even though I have admin
    rights. The antivirus definitions update when I log onto my company network through vpn.

    Here is the trick. I have the virus Trojan.Packed.NsAnti. I believe this is causing my VPN program
    not to respond. Thus I cannot connect to the network and cannot update the definitions.

    Even though I have admin rights, there are some things I cannot do because I am not IT admin. I
    cannot for instance get into add/remove programs in the control panel.

    Here's the other problem: I work from South Africa and my company is in the UK, I doubt if the IT
    department will be able to help (any time soon anyway) so I really need your help.

    Log attached

    [Saving space, attachment deleted by admin]

    evilfantasy (Malware Removal Specialist, Moderator)
    Re: Trojan.Packed.NsAnti virus - please help
    « Reply #1 on: October 28, 2009, 04:34:42 PM »
    Welcome to CH.

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    • O4 - HKCU\..\Run: [cdoosoft] C:\Temp\herss.exe
    • O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ----------

    If you already have ComboFix be sure to delete it and download a new copy.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    Vista users: Right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix

    Peedo (Topic Starter)

      Re: Trojan.Packed.NsAnti virus - please help
      « Reply #2 on: October 29, 2009, 10:14:29 AM »
      Hi

      I have done all this now, but because my Symantec AV is an enterprise one I couldn't disable the realtime scanner before doing the combofix scan.

      Here's the log:

      ComboFix 09-10-28.08 - pwesthuiz 29/10/2009 15:54.1.2 - NTFSx86
      Microsoft Windows XP Professional  5.1.2600.2.1252.44.1033.18.2038.1140 [GMT 0:00]
      Running from: c:\documents and settings\pwesthuiz\Desktop\ComboFix.exe
      AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
      FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\3n8awsyg.exe
      C:\autorun.inf
      C:\b00ijwpu.exe
      c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
      c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
      C:\hjvjte.exe
      c:\temp\cvasds0.dll
      c:\temp\cvasds1.dll
      c:\windows\AegisP.inf

      ----- BITS: Possible infected sites -----

      hxxp://as-ifh01
      .
      (((((((((((((((((((((((((   Files Created from 2009-09-28 to 2009-10-29  )))))))))))))))))))))))))))))))
      .

      2009-10-29 16:01 . 2009-10-29 16:01   53248   ----a-w-   c:\temp\catchme.dll
      2009-10-29 15:54 . 2009-10-29 15:54   --------   d-----w-   c:\temp\WPDNSE
      2009-10-28 21:22 . 2009-10-28 21:22   --------   d-----w-   c:\program files\Trend Micro
      2009-10-28 21:17 . 2009-10-29 12:14   --------   d-----w-   c:\temp\hsperfdata_pwesthuiz
      2009-10-28 21:17 . 2009-10-28 21:16   411368   ----a-w-   c:\windows\system32\deploytk.dll
      2009-10-28 20:47 . 2009-10-28 20:47   --------   d-----w-   c:\documents and settings\pwesthuiz\Application Data\Malwarebytes
      2009-10-28 20:47 . 2009-09-10 14:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2009-10-28 20:47 . 2009-10-28 20:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2009-10-28 20:47 . 2009-10-28 20:47   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2009-10-28 20:47 . 2009-09-10 14:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2009-10-28 19:14 . 2009-10-28 19:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2009-10-28 19:14 . 2009-10-28 19:14   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2009-10-28 19:14 . 2009-10-28 19:14   --------   d-----w-   c:\documents and settings\pwesthuiz\Application Data\SUPERAntiSpyware.com
      2009-10-28 19:14 . 2009-10-28 19:14   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
      2009-10-28 19:00 . 2009-10-28 19:00   --------   d-----w-   c:\temp\Google Toolbar
      2009-10-28 18:53 . 2009-10-28 18:53   --------   d-----w-   c:\program files\CCleaner
      2009-10-27 04:14 . 2009-10-27 04:14   --------   d-----w-   c:\documents and settings\pwesthuiz.Q16296.000\Local Settings\Application Data\Apple Computer
      2009-10-27 04:14 . 2009-10-27 04:14   --------   d-----w-   c:\documents and settings\pwesthuiz.Q16296.000\Application Data\FaxCtr
      2009-10-27 04:14 . 2009-10-27 04:14   --------   d-----w-   c:\documents and settings\pwesthuiz.Q16296.000\Application Data\Vodafone
      2009-10-27 04:13 . 2008-01-30 14:27   67480   ----a-w-   c:\documents and settings\pwesthuiz.Q16296.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2009-10-13 20:14 . 2009-10-13 20:15   --------   d-----w-   c:\program files\QuickTime
      2009-10-13 20:12 . 2009-10-13 20:12   32441648   ----a-w-   C:\QuickTimeInstaller.exe

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-10-29 04:38 . 2009-04-10 11:16   --------   d-----w-   c:\documents and settings\pwesthuiz\Application Data\Chief Architect X1
      2009-10-29 04:36 . 2008-01-29 14:33   --------   d-----w-   c:\program files\Common Files\Symantec Shared
      2009-10-28 22:10 . 2008-05-08 14:33   40   ----a-w-   c:\windows\system32\profile.dat
      2009-10-28 21:16 . 2008-05-16 21:39   --------   d-----w-   c:\program files\Java
      2009-10-28 15:58 . 2008-05-10 21:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
      2009-10-20 12:36 . 2008-06-08 06:42   --------   d-----w-   c:\program files\TomTom HOME 2
      2009-10-13 20:14 . 2008-09-28 15:43   --------   d-----w-   c:\program files\Common Files\Apple
      2009-09-25 14:42 . 2009-03-02 14:58   103720   ----a-w-   c:\documents and settings\pwesthuiz\GoToAssistDownloadHelper.exe
      2009-09-14 18:11 . 2009-09-14 18:11   --------   d-----w-   c:\program files\PrintKey2000
      2009-09-01 03:57 . 2009-09-01 03:57   --------   d-----w-   c:\documents and settings\pwesthuiz\Application Data\FaxCtr
      2009-08-31 16:36 . 2009-08-31 14:50   --------   d-----w-   c:\program files\Lexmark Toolbar
      2009-08-31 16:02 . 2009-08-31 14:53   --------   d-----w-   c:\program files\Abbyy FineReader 6.0 Sprint
      2009-08-31 15:05 . 2009-08-31 14:49   --------   d-----w-   c:\program files\Lexmark 3600-4600 Series
      2009-08-31 14:59 . 2009-08-31 14:59   --------   d-----w-   c:\documents and settings\pwesthuiz\Application Data\Lexmark Productivity Studio
      2009-08-31 14:55 . 2009-08-31 14:53   --------   d-----w-   c:\program files\Lexmark Fax Solutions
      2009-08-31 14:54 . 2009-08-31 14:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\FaxCtr
      2009-08-24 20:21 . 2009-08-24 20:21   8278155   ----a-w-   C:\MameUI32_0.133.exe
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-10 68856]
      "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-06-03 251240]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
      "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-07-31 65536]
      "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
      "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
      "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
      "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
      "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
      "vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 125168]
      "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
      "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
      "MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-07-04 2072576]
      "lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
      "lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]
      "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]
      "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
      "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
      "DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2008-03-24 78848]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
      Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-7-30 2158592]
      NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2008-5-8 73780]
      Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-9-14 869376]
      Shortcut to Bginfo.lnk - c:\program files\BGinfo\Bginfo.exe [2008-1-29 290816]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
      "NoNetworkConnections"= 1 (0x1)

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 15:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-261903793-839522115-16738\Scripts\Logon\0\0]
      "Script"=creations_drive.bat

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\WINDOWS\\system32\\lxdxcoms.exe"=
      "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"=
      "c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
      "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
      "c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
      "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
      "c:\\WINDOWS\\system32\\lxdxcfg.exe"=
      "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
      "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
      "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxlscn.exe"=
      "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
      "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
      "c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
      "c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
      "c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
      "c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "1947:TCP"= 1947:TCP:HASP SRM
      "1947:UDP"= 1947:UDP:HASP SRM

      R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15/02/2007 17:00 26624]
      R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [08/05/2008 14:35 136760]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
      R2 BT Common Client;BT Common Client;c:\program files\BT Common Client\btomosrv.exe [01/07/2005 13:36 57344]
      R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [08/05/2008 14:35 536634]
      R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
      R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
      R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [31/08/2009 14:56 98984]
      R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [27/09/2006 19:33 116464]
      R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [08/05/2008 14:34 36188]
      R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [07/02/2007 17:00 3712]
      R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [31/08/2009 16:54 102448]
      S3 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\drivers\btwsp50.sys [07/09/2004 14:42 17664]
      S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [02/11/2004 17:33 17536]
      S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [10/03/2006 14:55 39424]
      S3 Lotus Domino Server (LotusDominoData);Lotus Domino Server (LotusDominoData);c:\lotus\Domino\nservice.exe =c:\lotus\Domino\notes.ini --> c:\lotus\Domino\nservice.exe =c:\lotus\Domino\notes.ini [?]
      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
      S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 00:28 47128]
      S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 06:01 2799808]
      S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 01:49 242712]

      --- Other Services/Drivers In Memory ---

      *NewlyCreated* - CLASSPNP_2
      *NewlyCreated* - MBR
      *NewlyCreated* - PCIIDEX_2
      *Deregistered* - CLASSPNP_2
      *Deregistered* - mbr
      *Deregistered* - PCIIDEX_2
      .
      Contents of the 'Scheduled Tasks' folder

      2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

      2009-10-29 c:\windows\Tasks\Google Software Updater.job
      - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-10 14:11]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.gmail.com/
      mStart Page = hxxp://unicom
      uInternet Settings,ProxyServer = ukisa01:8080
      uInternet Settings,ProxyOverride = 88.96.69.213;hxxp://88.96.69.213;http://147.2.*;147.2*;http://147.2*;unicom.uniquk.local;<local>
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
      .
      - - - - ORPHANS REMOVED - - - -

      HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
      AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-10-29 16:01
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
      kernel: MBR read successfully
      user & kernel MBR OK
      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      disk.sys @ 0xBA158000 0x8E00 bytes

      \Driver\disk [ IRP_MJ_POWER ] 0xCD3F7EF3 != 0xA7EDBE21 aksfridge.sys
      \Driver\disk IRP hooks detected !

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
      "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
         00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(1276)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\WININET.dll
      c:\windows\system32\netprovcredman.dll
      c:\windows\system32\igfxdev.dll
      .
      Completion time: 2009-10-29 16:03
      ComboFix-quarantined-files.txt  2009-10-29 16:03

      Pre-Run: 17,157,853,184 bytes free
      Post-Run: 17,206,132,736 bytes free

      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

      - - End Of File - - 7A5A6D09526018F22951FCF620ED672D
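A triage pass over the kinds of lines quoted in this thread (the HijackThis O4 entries in Reply #1 and the ComboFix "Other Deletions" and "Reg Loading Points" sections above), as an added example; this is not code from the thread, HijackThis, ComboFix or Rooter. The heuristics (temp directories, files in the drive root, random-looking names, registry values that switch a protection off) are my own and only surface entries for a person to check, as the helper did with the logon script; the sample lines are constructed from the entries in the posts.

```python
import re
from typing import List, Optional, Tuple

# Sample input, constructed from entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [cdoosoft] C:\Temp\herss.exe
C:\3n8awsyg.exe
C:\autorun.inf
C:\b00ijwpu.exe
c:\temp\cvasds0.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-10 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetworkConnections"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
"""

# Registry values, in the spelling ComboFix and Rooter print them, that mean a
# protection was switched off or a control panel was hidden. Whether that was
# done by IT policy or by malware is a question for the user, not the script.
WEAKENED_DEFENCE = [
    (re.compile(r'"EnableFirewall"=\s*0\b'), "Windows Firewall turned off"),
    (re.compile(r'"DisableMonitoring"=dword:00000001'), "Security Center no longer monitors this product"),
    (re.compile(r'"NoNetworkConnections"=\s*1\b'), "Network Connections folder hidden by Explorer policy"),
    (re.compile(r'\[wscsvc\] STOPPED'), "Security Center service stopped"),
]

# First Windows path on a line that ends in an executable-style extension.
PATH_RE = re.compile(r'([a-z]:\\.*?\.(?:exe|dll|inf|bat|scr|com))\b', re.IGNORECASE)
ROOT_FILE_RE = re.compile(r'^[a-z]:\\[^\\]+$')
INSTALL_DIR_RE = re.compile(r'^[a-z]:\\(?:program files|windows)\\')


def extract_path(line: str) -> Optional[str]:
    """Pull the file path out of a HijackThis O4 line, a ComboFix registry
    value line ("name"="path" [date size]) or a bare path line."""
    m = PATH_RE.search(line)
    if not m:
        return None
    # ComboFix writes firewall-list paths with doubled backslashes; collapse them.
    return m.group(1).replace("\\\\", "\\").lower()


def looks_random(stem: str) -> bool:
    """Heuristic for dropper-style names such as 3n8awsyg or b00ijwpu:
    7+ lowercase alphanumerics with at least one digit followed by a letter."""
    return (len(stem) >= 7
            and re.fullmatch(r'[a-z0-9]+', stem) is not None
            and sum(c.isalpha() for c in stem) >= 4
            and re.search(r'\d[a-z]', stem) is not None)


def location_reasons(path: str) -> List[str]:
    """Why a file at this path deserves a second look (empty list if none)."""
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    if name == "autorun.inf":
        reasons.append("autorun.inf on a fixed drive")
    elif ROOT_FILE_RE.match(path):
        reasons.append("file sitting in the drive root")
    if "\\temp\\" in path:
        reasons.append("runs from a temp directory")
    # Vendor directories get a pass on the name check; the root and temp checks still apply.
    if not INSTALL_DIR_RE.match(path) and looks_random(stem):
        reasons.append("random-looking file name")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reasons) pairs for every line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = [why for pattern, why in WEAKENED_DEFENCE if pattern.search(line)]
        path = extract_path(line)
        if path:
            reasons.extend(location_reasons(path))
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why:60} <- {line}")
```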



      Peedo (Topic Starter)

        Re: Trojan.Packed.NsAnti virus - please help
        « Reply #3 on: October 29, 2009, 10:16:31 AM »
        Oh, and the problem that triggered me to write to you seems to be gone.

        Is this the end of the process?

        Regards

        evilfantasy (Malware Removal Specialist, Moderator)
        Re: Trojan.Packed.NsAnti virus - please help
        « Reply #4 on: October 29, 2009, 10:48:10 AM »
        Quote
        Is this the end of the process?

        No. You had some pretty bad malware and we should make sure it is completely gone especially since this is a work computer.

        Is this yours?

        Quote
        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-261903793-839522115-16738\Scripts\Logon\0\0]
        "Script"=creations_drive.bat

        Download Rooter.exe to your desktop

        * Double click Rooter.exe to start the tool.
        * A DOS window will appear and show the scan progress.
        * Once complete a notepad file containing the report will open.
        * Copy & paste the results in your next reply.
        * Close notepad and Rooter will close.

        A log will also save at %systemdrive%\Rooter.txt (Where %systemdrive% is usually C: or the drive that you have Windows installed).


        Peedo (Topic Starter)

          Re: Trojan.Packed.NsAnti virus - please help
          « Reply #5 on: October 29, 2009, 11:45:32 AM »
          Hi

          Not sure what you mean by
          Quote
          Is this yours?

          I do have a lotus notes application installed called Creations.

          I'll do what is best for the computer.

          Here is the Latest log:
          Rooter.exe (v1.0.2) by Eric_71
          .
          SeDebugPrivilege granted successfully ...
          .
          Windows XP . (5.1.2600) Service Pack 2
          [32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
          .
          [wscsvc] STOPPED (state:1) : Security Center -> Disabled !
          [SharedAccess] RUNNING (state:4)
          Windows Firewall -> Disabled !
          .
          Internet Explorer 7.0.5730.13
          .
          C:\  [Fixed-NTFS] .. ( Total:74 Go - Free:16 Go )
          D:\  [CD_Rom]
          H:\  [Network] .. ( Total:74 Go - Free:16 Go )
          N:\  [Network] .. ( Total:0 Go - Free:0 Go )
          P:\  [Network] .. ( Total:0 Go - Free:0 Go )
          V:\  [Network] .. ( Total:0 Go - Free:0 Go )
          W:\  [Network] .. ( Total:0 Go - Free:0 Go )
          Y:\  [Network] .. ( Total:0 Go - Free:0 Go )
          .
          Scan : 17:39.40
          Path : C:\Documents and Settings\pwesthuiz\Desktop\Rooter.exe
          User : pwesthuiz ( Administrator -> YES )
          .
          ----------------------\\ Processes
          .
          Locked [System Process] (0)
          ______ System (4)
          ______ \SystemRoot\System32\smss.exe (1196)
          ______ \??\C:\WINDOWS\system32\csrss.exe (1248)
          ______ \??\C:\WINDOWS\system32\winlogon.exe (1276)
          ______ C:\WINDOWS\system32\services.exe (1320)
          ______ C:\WINDOWS\system32\lsass.exe (1332)
          ______ C:\WINDOWS\system32\svchost.exe (1492)
          ______ C:\WINDOWS\system32\svchost.exe (1592)
          ______ C:\WINDOWS\System32\svchost.exe (1640)
          ______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (1820)
          ______ C:\WINDOWS\system32\svchost.exe (1908)
          ______ C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe (1924)
          ______ C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe (1996)
          ______ C:\WINDOWS\system32\svchost.exe (2024)
          ______ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (420)
          ______ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (452)
          ______ C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (864)
          ______ C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (908)
          ______ C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (1048)
          ______ C:\WINDOWS\system32\spoolsv.exe (1488)
          ______ C:\WINDOWS\System32\SCardSvr.exe (1536)
          ______ C:\WINDOWS\system32\svchost.exe (1744)
          ______ C:\Program Files\Citrix\ICA Client\ssonsvr.exe (1896)
          ______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (568)
          ______ C:\Program Files\Bonjour\mDNSResponder.exe (596)
          ______ C:\WINDOWS\Explorer.EXE (584)
          ______ C:\Program Files\BT Common Client\btomosrv.exe (640)
          ______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (652)
          ______ C:\WINDOWS\system32\DWRCS.EXE (792)
          ______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (984)
          ______ C:\WINDOWS\system32\hasplms.exe (2148)
          ______ C:\Program Files\Java\jre6\bin\jqs.exe (2236)
          ______ C:\WINDOWS\system32\taskswitch.exe (2260)
          ______ C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe (2284)
          ______ C:\Program Files\DellTPad\Apoint.exe (2300)
          ______ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe (2332)
          ______ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (2356)
          ______ C:\WINDOWS\system32\lxdxcoms.exe (2368)
          ______ C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (2388)
          ______ C:\Program Files\DellTPad\ApMsgFwd.exe (2440)
          ______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (2484)
          ______ C:\Program Files\DellTPad\Apntex.exe (2508)
          ______ C:\Program Files\DellTPad\HidFind.exe (2516)
          ______ C:\WINDOWS\system32\hkcmd.exe (2544)
          ______ c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (2580)
          ______ C:\WINDOWS\system32\igfxpers.exe (2584)
          ______ C:\WINDOWS\system32\igfxsrvc.exe (2588)
          ______ C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (2668)
          ______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (2712)
          ______ C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe (2720)
          ______ C:\Program Files\Java\jre6\bin\jusched.exe (2820)
          ______ C:\Program Files\iTunes\iTunesHelper.exe (2888)
          ______ C:\Program Files\Winamp\winampa.exe (2904)
          ______ C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (2952)
          ______ C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe (2980)
          ______ C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe (3004)
          ______ C:\WINDOWS\system32\DWRCST.exe (3088)
          ______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3128)
          ______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (3144)
          ______ C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (3200)
          ______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (3216)
          ______ c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (3384)
          ______ C:\WINDOWS\system32\StacSV.exe (3412)
          ______ C:\WINDOWS\system32\svchost.exe (3436)
          ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (3480)
          ______ C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe (3540)
          ______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (3608)
          ______ C:\Program Files\PrintKey2000\Printkey2000.exe (3628)
          ______ C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (3844)
          ______ C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (3896)
          ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (3932)
          ______ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (3960)
          ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (4020)
          ______ C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (4080)
          ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (1984)
          ______ C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (2732)
          ______ C:\Program Files\iPod\bin\iPodService.exe (3044)
          ______ C:\WINDOWS\System32\alg.exe (4528)
          ______ C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (5572)
          ______ C:\WINDOWS\system32\ctfmon.exe (4900)
          ______ C:\Documents and Settings\pwesthuiz\Desktop\Rooter.exe (5680)
          .
          ----------------------\\ Device\Harddisk0\
          .
          \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
          .
          \Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:98671104)
          \Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:99614720 | Length:79925608448)
          .
          ----------------------\\ Scheduled Tasks
          .
          C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
          C:\WINDOWS\Tasks\desktop.ini
          C:\WINDOWS\Tasks\Google Software Updater.job
          C:\WINDOWS\Tasks\SA.DAT
          .
          ----------------------\\ Registry
          .
          .
          ----------------------\\ Files & Folders
          .
          ----------------------\\ Scan completed at 17:39.44
          .
          H:\Rooter$\Rooter_1.txt - (29/10/2009 | 17:39.44)

          evilfantasy (Malware Removal Specialist, Moderator)
          Re: Trojan.Packed.NsAnti virus - please help
          « Reply #6 on: October 29, 2009, 11:53:29 AM »
          Everything looks OK now but I would suggest running the Kaspersky Lab Online Scanner just to be 100% sure.

          • Click START then RUN
          • Now type Combofix /u in the runbox
          • Make sure there's a space between Combofix and /u
          • Then hit Enter.

          The above procedure will:
          • Delete: ComboFix and its associated files and folders.
          • Reset the clock settings.
          • Hide file extensions, if required.
          • Hide System/Hidden files, if required.
          • Set a new, clean Restore Point.
          ----------

          Use the Secunia Software Inspector to check for out of date software.
          • Click Start Now
          • Check the box next to Enable thorough system inspection.
          • Click Start
          • Allow the scan to finish and scroll down to see if any updates are needed.
          • Update anything listed.
          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

          Peedo (Topic Starter)

            Re: Trojan.Packed.NsAnti virus - please help
            « Reply #7 on: October 29, 2009, 12:15:36 PM »
            Thanks a lot.

            I have recommended your service to both my IT departments.

            Cheers
            Piet

            evilfantasy (Malware Removal Specialist, Moderator)
            Re: Trojan.Packed.NsAnti virus - please help
            « Reply #8 on: October 29, 2009, 12:18:30 PM »
            You're welcome.

            Safe surfing...