Solve : Trojan.Packed.NsAnti virus - please help?

1.	Solve : Trojan.Packed.NsAnti virus - please help?
Answer» Hi My laptop is a business laptop. I have enterprise version of Symantec antivirus installed. I cannot update the antivirus definitions or disable the auto detection even though I have admin rights. The antivirus definitions update when I log onto my company network through vpn. Here is the trick. I have the virus Trojan.Packed.NsAnti. I beleive this is causing my VPN program not to respond. Thus I cannot connect to the network and cannot update the definitions. Even though I have admin rights, there are some things I cannot do because I am not IT admin. I cannot for instance get into add/remove programs in the control panel. Here's the other problem: I work from South Africa and my company is in the UK, I doubt if the IT department will be able to help (any time soon anyway) so I really need your help. Log attached [Saving space, attachment deleted by admin]Welcome to CH. Open HijackThis and select Do a system scan only Place a check mark next to the following entries: (if there) O4 - HKCU\..\Run: [cdoosoft] C:\Temp\herss.exe O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) . Important: Close all open windows EXCEPT for HijackThis and then click Fix checked. Once completed, exit HijackThis. ---------- If you already have ComboFix be sure to delete it and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop. Link #1 Link #2 Note: It is important that it is saved directly to your Desktop Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double click combofix.exe & follow the prompts. Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it) When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply. Important:** Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFixHi I have done all this now, but because my Symantec AV is an enterprise one I couldn't disable the realtime scanner before doing the combofix scan. Here's the log: ComboFix 09-10-28.08 - pwesthuiz 29/10/2009 15:54.1.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2038.1140 [GMT 0:00] Running from: c:\documents and settings\pwesthuiz\Desktop\ComboFix.exe AV: Symantec AntiVirus Corporate Edition On-access scanning enabled (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Client Firewall disabled {5CB76A43-5FAD-476B-B9FF-26FA61F13187} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\3n8awsyg.exe C:\autorun.inf C:\b00ijwpu.exe c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\hjvjte.exe c:\temp\cvasds0.dll c:\temp\cvasds1.dll c:\windows\AegisP.inf ----- BITS: Possible infected sites ----- hxxp://as-ifh01 . ((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 ))))))))))))))))))))))))))))))) . 2009-10-29 16:01 . 2009-10-29 16:0153248----a-w-c:\temp\catchme.dll 2009-10-29 15:54 . 2009-10-29 15:54--------d-----w-c:\temp\WPDNSE 2009-10-28 21:22 . 2009-10-28 21:22--------d-----w-c:\program files\Trend Micro 2009-10-28 21:17 . 2009-10-29 12:14--------d-----w-c:\temp\hsperfdata_pwesthuiz 2009-10-28 21:17 . 2009-10-28 21:16411368----a-w-c:\windows\system32\deploytk.dll 2009-10-28 20:47 . 2009-10-28 20:47--------d-----w-c:\documents and settings\pwesthuiz\Application Data\Malwarebytes 2009-10-28 20:47 . 2009-09-10 14:5438224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-28 20:47 . 2009-10-28 20:47--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes 2009-10-28 20:47 . 2009-10-28 20:47--------d-----w-c:\program files\Malwarebytes' Anti-Malware 2009-10-28 20:47 . 2009-09-10 14:5319160----a-w-c:\windows\system32\drivers\mbam.sys 2009-10-28 19:14 . 2009-10-28 19:14--------d-----w-c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-10-28 19:14 . 2009-10-28 19:14--------d-----w-c:\program files\SUPERAntiSpyware 2009-10-28 19:14 . 2009-10-28 19:14--------d-----w-c:\documents and settings\pwesthuiz\Application Data\SUPERAntiSpyware.com 2009-10-28 19:14 . 2009-10-28 19:14--------d-----w-c:\program files\Common Files\Wise Installation Wizard 2009-10-28 19:00 . 2009-10-28 19:00--------d-----w-c:\temp\Google Toolbar 2009-10-28 18:53 . 2009-10-28 18:53--------d-----w-c:\program files\CCleaner 2009-10-27 04:14 . 2009-10-27 04:14--------d-----w-c:\documents and settings\pwesthuiz.Q16296.000\Local Settings\Application Data\Apple Computer 2009-10-27 04:14 . 2009-10-27 04:14--------d-----w-c:\documents and settings\pwesthuiz.Q16296.000\Application Data\FaxCtr 2009-10-27 04:14 . 2009-10-27 04:14--------d-----w-c:\documents and settings\pwesthuiz.Q16296.000\Application Data\Vodafone 2009-10-27 04:13 . 2008-01-30 14:2767480----a-w-c:\documents and settings\pwesthuiz.Q16296.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-10-13 20:14 . 2009-10-13 20:15--------d-----w-c:\program files\QuickTime 2009-10-13 20:12 . 2009-10-13 20:1232441648----a-w-C:\QuickTimeInstaller.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-29 04:38 . 2009-04-10 11:16--------d-----w-c:\documents and settings\pwesthuiz\Application Data\Chief Architect X1 2009-10-29 04:36 . 2008-01-29 14:33--------d-----w-c:\program files\Common Files\Symantec Shared 2009-10-28 22:10 . 2008-05-08 14:3340----a-w-c:\windows\system32\profile.dat 2009-10-28 21:16 . 2008-05-16 21:39--------d-----w-c:\program files\Java 2009-10-28 15:58 . 2008-05-10 21:14--------d-----w-c:\documents and settings\All Users\Application Data\Google Updater 2009-10-20 12:36 . 2008-06-08 06:42--------d-----w-c:\program files\TomTom HOME 2 2009-10-13 20:14 . 2008-09-28 15:43--------d-----w-c:\program files\Common Files\Apple 2009-09-25 14:42 . 2009-03-02 14:58103720----a-w-c:\documents and settings\pwesthuiz\GoToAssistDownloadHelper.exe 2009-09-14 18:11 . 2009-09-14 18:11--------d-----w-c:\program files\PrintKey2000 2009-09-01 03:57 . 2009-09-01 03:57--------d-----w-c:\documents and settings\pwesthuiz\Application Data\FaxCtr 2009-08-31 16:36 . 2009-08-31 14:50--------d-----w-c:\program files\Lexmark Toolbar 2009-08-31 16:02 . 2009-08-31 14:53--------d-----w-c:\program files\Abbyy FineReader 6.0 Sprint 2009-08-31 15:05 . 2009-08-31 14:49--------d-----w-c:\program files\Lexmark 3600-4600 Series 2009-08-31 14:59 . 2009-08-31 14:59--------d-----w-c:\documents and settings\pwesthuiz\Application Data\Lexmark Productivity Studio 2009-08-31 14:55 . 2009-08-31 14:53--------d-----w-c:\program files\Lexmark Fax Solutions 2009-08-31 14:54 . 2009-08-31 14:54--------d-----w-c:\documents and settings\All Users\Application Data\FaxCtr 2009-08-24 20:21 . 2009-08-24 20:218278155----a-w-C:\MameUI32_0.133.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-10 68856] "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-06-03 251240] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632] "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-07-31 65536] "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008] "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896] "vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 125168] "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352] "MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-07-04 2072576] "lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328] "lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040] "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2008-03-24 78848] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-7-30 2158592] NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2008-5-8 73780] Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-9-14 869376] Shortcut to Bginfo.lnk - c:\program files\BGinfo\Bginfo.exe [2008-1-29 290816] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoNetworkConnections"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 15:21548352----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-261903793-839522115-16738\Scripts\Logon\0\0] "Script"=creations_drive.bat [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\WINDOWS\\system32\\lxdxcoms.exe"= "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"= "c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"= "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"= "c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"= "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"= "c:\\WINDOWS\\system32\\lxdxcfg.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"= "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxlscn.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"= "c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"= "c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog "c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp "c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1947:TCP"= 1947:TCP:HASP SRM "1947:UDP"= 1947:UDP:HASP SRM R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15/02/2007 17:00 26624] R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [08/05/2008 14:35 136760] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480] R2 BT Common Client;BT Common Client;c:\program files\BT Common Client\btomosrv.exe [01/07/2005 13:36 57344] R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [08/05/2008 14:35 536634] R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?] R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?] R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [31/08/2009 14:56 98984] R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [27/09/2006 19:33 116464] R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [08/05/2008 14:34 36188] R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [07/02/2007 17:00 3712] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [31/08/2009 16:54 102448] S3 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\drivers\btwsp50.sys [07/09/2004 14:42 17664] S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [02/11/2004 17:33 17536] S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [10/03/2006 14:55 39424] S3 Lotus Domino Server (LotusDominoData);Lotus Domino Server (LotusDominoData);c:\lotus\Domino\nservice.exe =c:\lotus\Domino\NOTES.ini --> c:\lotus\Domino\nservice.exe =c:\lotus\Domino\notes.ini [?] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408] S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 00:28 47128] S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 06:01 2799808] S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 01:49 242712] --- Other Services/Drivers In Memory --- NewlyCreated - CLASSPNP_2 NewlyCreated - MBR NewlyCreated - PCIIDEX_2 Deregistered - CLASSPNP_2 Deregistered - mbr Deregistered - PCIIDEX_2 . Contents of the 'Scheduled Tasks' folder 2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2009-10-29 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-10 14:11] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.gmail.com/ mStart Page = hxxp://unicom uInternet Settings,ProxyServer = ukisa01:8080 uInternet Settings,ProxyOverride = 88.96.69.213;hxxp://88.96.69.213;http://147.2.;147.2;http://147.2;unicom.uniquk.local; IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab . - - - - ORPHANS REMOVED - - - - HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-29 16:01 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS kernel: MBR read successfully user & kernel MBR OK Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net disk.sys @ 0xBA158000 0x8E00 bytes \Driver\disk [ IRP_MJ_POWER ] 0xCD3F7EF3 != 0xA7EDBE21 aksfridge.sys \Driver\disk IRP hooks detected ! ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1276) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\netprovcredman.dll c:\windows\system32\igfxdev.dll . Completion time: 2009-10-29 16:03 ComboFix-quarantined-files.txt 2009-10-29 16:03 Pre-Run: 17,157,853,184 bytes free Post-Run: 17,206,132,736 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - 7A5A6D09526018F22951FCF620ED672D Oh, and the problem that triggered me to write to you seems to be gone. Is this the end of the process? RegardsQuote from: Peedo on October 29, 2009, 10:16:31 AM Is this the end of the process? No. You had some pretty bad malware and we should make sure it is completely gone especially since this is a work computer. Is this yours? Quote [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-261903793-839522115-16738\Scripts\Logon\0\0] "Script"=creations_drive.bat Download Rooter.exe to your desktop * Double click Rooter.exe to start the TOOL. * A DOS window will appear and show the scan progress. * Once complete a notepad file containing the report will open. * Copy & paste the results in your next reply. * Close notepad and Rooter will close. A log will also save at %systemdrive%\Rooter.txt (Where %systemdrive% is usually C: or the drive that you have Windows installed). Hi Not sure what you mean by Quote Is this yours? . I do have a lotus notes application installed called Creations. I'll do what is best for the computer. Here is the Latest log: Rooter.exe (v1.0.2) by Eric_71 . SeDebugPrivilege granted successfully ... . Windows XP . (5.1.2600) Service Pack 2 [32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel . [wscsvc] STOPPED (state:1) : Security Center -> Disabled ! [SharedAccess] RUNNING (state:4) Windows Firewall -> Disabled ! . Internet Explorer 7.0.5730.13 . C:\ [Fixed-NTFS] .. ( Total:74 Go - Free:16 Go ) D:\ [CD_Rom] H:\ [Network] .. ( Total:74 Go - Free:16 Go ) N:\ [Network] .. ( Total:0 Go - Free:0 Go ) P:\ [Network] .. ( Total:0 Go - Free:0 Go ) V:\ [Network] .. ( Total:0 Go - Free:0 Go ) W:\ [Network] .. ( Total:0 Go - Free:0 Go ) Y:\ [Network] .. ( Total:0 Go - Free:0 Go ) . Scan : 17:39.40 Path : C:\Documents and Settings\pwesthuiz\Desktop\Rooter.exe User : pwesthuiz ( Administrator -> YES ) . ----------------------\\ Processes . Locked [System Process] (0) ______ System (4) ______ \SystemRoot\System32\smss.exe (1196) ______ \??\C:\WINDOWS\system32\csrss.exe (1248) ______ \??\C:\WINDOWS\system32\winlogon.exe (1276) ______ C:\WINDOWS\system32\services.exe (1320) ______ C:\WINDOWS\system32\lsass.exe (1332) ______ C:\WINDOWS\system32\svchost.exe (1492) ______ C:\WINDOWS\system32\svchost.exe (1592) ______ C:\WINDOWS\System32\svchost.exe (1640) ______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (1820) ______ C:\WINDOWS\system32\svchost.exe (1908) ______ C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe (1924) ______ C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe (1996) ______ C:\WINDOWS\system32\svchost.exe (2024) ______ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (420) ______ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (452) ______ C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (864) ______ C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (908) ______ C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (1048) ______ C:\WINDOWS\system32\spoolsv.exe (1488) ______ C:\WINDOWS\System32\SCardSvr.exe (1536) ______ C:\WINDOWS\system32\svchost.exe (1744) ______ C:\Program Files\Citrix\ICA Client\ssonsvr.exe (1896) ______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (568) ______ C:\Program Files\Bonjour\mDNSResponder.exe (596) ______ C:\WINDOWS\Explorer.EXE (584) ______ C:\Program Files\BT Common Client\btomosrv.exe (640) ______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (652) ______ C:\WINDOWS\system32\DWRCS.EXE (792) ______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (984) ______ C:\WINDOWS\system32\hasplms.exe (2148) ______ C:\Program Files\Java\jre6\bin\jqs.exe (2236) ______ C:\WINDOWS\system32\taskswitch.exe (2260) ______ C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe (2284) ______ C:\Program Files\DellTPad\Apoint.exe (2300) ______ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe (2332) ______ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (2356) ______ C:\WINDOWS\system32\lxdxcoms.exe (2368) ______ C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (2388) ______ C:\Program Files\DellTPad\ApMsgFwd.exe (2440) ______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (2484) ______ C:\Program Files\DellTPad\Apntex.exe (2508) ______ C:\Program Files\DellTPad\HidFind.exe (2516) ______ C:\WINDOWS\system32\hkcmd.exe (2544) ______ c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (2580) ______ C:\WINDOWS\system32\igfxpers.exe (2584) ______ C:\WINDOWS\system32\igfxsrvc.exe (2588) ______ C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (2668) ______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (2712) ______ C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe (2720) ______ C:\Program Files\Java\jre6\bin\jusched.exe (2820) ______ C:\Program Files\iTunes\iTunesHelper.exe (2888) ______ C:\Program Files\Winamp\winampa.exe (2904) ______ C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (2952) ______ C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe (2980) ______ C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe (3004) ______ C:\WINDOWS\system32\DWRCST.exe (3088) ______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3128) ______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (3144) ______ C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (3200) ______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (3216) ______ c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (3384) ______ C:\WINDOWS\system32\StacSV.exe (3412) ______ C:\WINDOWS\system32\svchost.exe (3436) ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (3480) ______ C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe (3540) ______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (3608) ______ C:\Program Files\PrintKey2000\Printkey2000.exe (3628) ______ C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (3844) ______ C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (3896) ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (3932) ______ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (3960) ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (4020) ______ C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (4080) ______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (1984) ______ C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (2732) ______ C:\Program Files\iPod\bin\iPodService.exe (3044) ______ C:\WINDOWS\System32\alg.exe (4528) ______ C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (5572) ______ C:\WINDOWS\system32\ctfmon.exe (4900) ______ C:\Documents and Settings\pwesthuiz\Desktop\Rooter.exe (5680) . ----------------------\\ Device\Harddisk0\ . \Device\Harddisk0 [Sectors : 63 x 512 Bytes] . \Device\Harddisk0\Partition1 (Start_Offset:32256 \| Length:98671104) \Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:99614720 \| Length:79925608448) . ----------------------\\ Scheduled Tasks . C:\WINDOWS\Tasks\AppleSoftwareUpdate.job C:\WINDOWS\Tasks\desktop.ini C:\WINDOWS\Tasks\Google Software Updater.job C:\WINDOWS\Tasks\SA.DAT . ----------------------\\ Registry . . ----------------------\\ Files & Folders . ----------------------\\ Scan completed at 17:39.44 . H:\Rooter$\Rooter_1.txt - (29/10/2009 \| 17:39.44) Everything looks OK now but I would suggest running the Kaspersky Lab Online Scanner just to be 100% sure. Click START then RUN Now type Combofix /U in the runbox Make sure there's a space between Combofix and /u Then hit Enter. . . The above procedure will: Delete: ComboFix and its associated files and folders. Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Set a new, clean Restore Point. . ---------- Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable thorough system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . ---------- Go to Microsoft Windows Update and get all critical updates. ---------- I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest IMMUNIZATIONS always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Thanks a lot. I have reccommended your service to both my IT departments. Cheers PietYour welcome. Safe surfing...

Answer»

Hi

My laptop is a business laptop. I have enterprise version of Symantec antivirus installed. I
cannot update the antivirus definitions or disable the auto detection even though I have admin
rights. The antivirus definitions update when I log onto my company network through vpn.

Here is the trick. I have the virus Trojan.Packed.NsAnti. I beleive this is causing my VPN program
not to respond. Thus I cannot connect to the network and cannot update the definitions.

Even though I have admin rights, there are some things I cannot do because I am not IT admin. I
cannot for instance get into add/remove programs in the control panel.

Here's the other problem: I work from South Africa and my company is in the UK, I doubt if the IT
department will be able to help (any time soon anyway) so I really need your help.

Log attached

[Saving space, attachment deleted by admin]Welcome to CH.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O4 - HKCU\..\Run: [cdoosoft] C:\Temp\herss.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

.
Important: Close all open windows EXCEPT for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFixHi

I have done all this now, but because my Symantec AV is an enterprise one I couldn't disable the realtime scanner before doing the combofix scan.

Here's the log:

ComboFix 09-10-28.08 - pwesthuiz 29/10/2009 15:54.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2038.1140 [GMT 0:00]
Running from: c:\documents and settings\pwesthuiz\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3n8awsyg.exe
C:\autorun.inf
C:\b00ijwpu.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\hjvjte.exe
c:\temp\cvasds0.dll
c:\temp\cvasds1.dll
c:\windows\AegisP.inf

----- BITS: Possible infected sites -----

hxxp://as-ifh01
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 16:01 . 2009-10-29 16:0153248----a-w-c:\temp\catchme.dll
2009-10-29 15:54 . 2009-10-29 15:54--------d-----w-c:\temp\WPDNSE
2009-10-28 21:22 . 2009-10-28 21:22--------d-----w-c:\program files\Trend Micro
2009-10-28 21:17 . 2009-10-29 12:14--------d-----w-c:\temp\hsperfdata_pwesthuiz
2009-10-28 21:17 . 2009-10-28 21:16411368----a-w-c:\windows\system32\deploytk.dll
2009-10-28 20:47 . 2009-10-28 20:47--------d-----w-c:\documents and settings\pwesthuiz\Application Data\Malwarebytes
2009-10-28 20:47 . 2009-09-10 14:5438224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 20:47 . 2009-10-28 20:47--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 20:47 . 2009-10-28 20:47--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2009-10-28 20:47 . 2009-09-10 14:5319160----a-w-c:\windows\system32\drivers\mbam.sys
2009-10-28 19:14 . 2009-10-28 19:14--------d-----w-c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-28 19:14 . 2009-10-28 19:14--------d-----w-c:\program files\SUPERAntiSpyware
2009-10-28 19:14 . 2009-10-28 19:14--------d-----w-c:\documents and settings\pwesthuiz\Application Data\SUPERAntiSpyware.com
2009-10-28 19:14 . 2009-10-28 19:14--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2009-10-28 19:00 . 2009-10-28 19:00--------d-----w-c:\temp\Google Toolbar
2009-10-28 18:53 . 2009-10-28 18:53--------d-----w-c:\program files\CCleaner
2009-10-27 04:14 . 2009-10-27 04:14--------d-----w-c:\documents and settings\pwesthuiz.Q16296.000\Local Settings\Application Data\Apple Computer
2009-10-27 04:14 . 2009-10-27 04:14--------d-----w-c:\documents and settings\pwesthuiz.Q16296.000\Application Data\FaxCtr
2009-10-27 04:14 . 2009-10-27 04:14--------d-----w-c:\documents and settings\pwesthuiz.Q16296.000\Application Data\Vodafone
2009-10-27 04:13 . 2008-01-30 14:2767480----a-w-c:\documents and settings\pwesthuiz.Q16296.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 20:14 . 2009-10-13 20:15--------d-----w-c:\program files\QuickTime
2009-10-13 20:12 . 2009-10-13 20:1232441648----a-w-C:\QuickTimeInstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 04:38 . 2009-04-10 11:16--------d-----w-c:\documents and settings\pwesthuiz\Application Data\Chief Architect X1
2009-10-29 04:36 . 2008-01-29 14:33--------d-----w-c:\program files\Common Files\Symantec Shared
2009-10-28 22:10 . 2008-05-08 14:3340----a-w-c:\windows\system32\profile.dat
2009-10-28 21:16 . 2008-05-16 21:39--------d-----w-c:\program files\Java
2009-10-28 15:58 . 2008-05-10 21:14--------d-----w-c:\documents and settings\All Users\Application Data\Google Updater
2009-10-20 12:36 . 2008-06-08 06:42--------d-----w-c:\program files\TomTom HOME 2
2009-10-13 20:14 . 2008-09-28 15:43--------d-----w-c:\program files\Common Files\Apple
2009-09-25 14:42 . 2009-03-02 14:58103720----a-w-c:\documents and settings\pwesthuiz\GoToAssistDownloadHelper.exe
2009-09-14 18:11 . 2009-09-14 18:11--------d-----w-c:\program files\PrintKey2000
2009-09-01 03:57 . 2009-09-01 03:57--------d-----w-c:\documents and settings\pwesthuiz\Application Data\FaxCtr
2009-08-31 16:36 . 2009-08-31 14:50--------d-----w-c:\program files\Lexmark Toolbar
2009-08-31 16:02 . 2009-08-31 14:53--------d-----w-c:\program files\Abbyy FineReader 6.0 Sprint
2009-08-31 15:05 . 2009-08-31 14:49--------d-----w-c:\program files\Lexmark 3600-4600 Series
2009-08-31 14:59 . 2009-08-31 14:59--------d-----w-c:\documents and settings\pwesthuiz\Application Data\Lexmark Productivity Studio
2009-08-31 14:55 . 2009-08-31 14:53--------d-----w-c:\program files\Lexmark Fax Solutions
2009-08-31 14:54 . 2009-08-31 14:54--------d-----w-c:\documents and settings\All Users\Application Data\FaxCtr
2009-08-24 20:21 . 2009-08-24 20:218278155----a-w-C:\MameUI32_0.133.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-10 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-06-03 251240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-07-31 65536]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 125168]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-07-04 2072576]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2008-03-24 78848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-7-30 2158592]
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2008-5-8 73780]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-9-14 869376]
Shortcut to Bginfo.lnk - c:\program files\BGinfo\Bginfo.exe [2008-1-29 290816]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetworkConnections"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21548352----a-w-c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-261903793-839522115-16738\Scripts\Logon\0\0]
"Script"=creations_drive.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\lxdxcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxlscn.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15/02/2007 17:00 26624]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [08/05/2008 14:35 136760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 BT Common Client;BT Common Client;c:\program files\BT Common Client\btomosrv.exe [01/07/2005 13:36 57344]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [08/05/2008 14:35 536634]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [31/08/2009 14:56 98984]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [27/09/2006 19:33 116464]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [08/05/2008 14:34 36188]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [07/02/2007 17:00 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [31/08/2009 16:54 102448]
S3 BTWSp50;BTWSp50 NDIS Protocol Driver;c:\windows\system32\drivers\btwsp50.sys [07/09/2004 14:42 17664]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [02/11/2004 17:33 17536]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [10/03/2006 14:55 39424]
S3 Lotus Domino Server (LotusDominoData);Lotus Domino Server (LotusDominoData);c:\lotus\Domino\nservice.exe =c:\lotus\Domino\NOTES.ini --> c:\lotus\Domino\nservice.exe =c:\lotus\Domino\notes.ini [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 00:28 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 06:01 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 01:49 242712]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-10-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-10 14:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
mStart Page = hxxp://unicom
uInternet Settings,ProxyServer = ukisa01:8080
uInternet Settings,ProxyOverride = 88.96.69.213;hxxp://88.96.69.213;http://147.2.*;147.2*;http://147.2*;unicom.uniquk.local;
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 16:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

disk.sys @ 0xBA158000 0x8E00 bytes

\Driver\disk [ IRP_MJ_POWER ] 0xCD3F7EF3 != 0xA7EDBE21 aksfridge.sys
\Driver\disk IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1276)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-10-29 16:03
ComboFix-quarantined-files.txt 2009-10-29 16:03

Pre-Run: 17,157,853,184 bytes free
Post-Run: 17,206,132,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7A5A6D09526018F22951FCF620ED672D

Oh, and the problem that triggered me to write to you seems to be gone.

Is this the end of the process?

RegardsQuote from: Peedo on October 29, 2009, 10:16:31 AM

Is this the end of the process?

No. You had some pretty bad malware and we should make sure it is completely gone especially since this is a work computer.

Is this yours?

Quote

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-261903793-839522115-16738\Scripts\Logon\0\0]
"Script"=creations_drive.bat

Download Rooter.exe to your desktop

* Double click Rooter.exe to start the TOOL.
* A DOS window will appear and show the scan progress.
* Once complete a notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close.

A log will also save at %systemdrive%\Rooter.txt (Where %systemdrive% is usually C: or the drive that you have Windows installed).

Hi

Not sure what you mean by Quote

Is this yours?

.

I do have a lotus notes application installed called Creations.

I'll do what is best for the computer.

Here is the Latest log:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 2
[32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 7.0.5730.13
.
C:\ [Fixed-NTFS] .. ( Total:74 Go - Free:16 Go )
D:\ [CD_Rom]
H:\ [Network] .. ( Total:74 Go - Free:16 Go )
N:\ [Network] .. ( Total:0 Go - Free:0 Go )
P:\ [Network] .. ( Total:0 Go - Free:0 Go )
V:\ [Network] .. ( Total:0 Go - Free:0 Go )
W:\ [Network] .. ( Total:0 Go - Free:0 Go )
Y:\ [Network] .. ( Total:0 Go - Free:0 Go )
.
Scan : 17:39.40
Path : C:\Documents and Settings\pwesthuiz\Desktop\Rooter.exe
User : pwesthuiz ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (1196)
______ \??\C:\WINDOWS\system32\csrss.exe (1248)
______ \??\C:\WINDOWS\system32\winlogon.exe (1276)
______ C:\WINDOWS\system32\services.exe (1320)
______ C:\WINDOWS\system32\lsass.exe (1332)
______ C:\WINDOWS\system32\svchost.exe (1492)
______ C:\WINDOWS\system32\svchost.exe (1592)
______ C:\WINDOWS\System32\svchost.exe (1640)
______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (1820)
______ C:\WINDOWS\system32\svchost.exe (1908)
______ C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe (1924)
______ C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe (1996)
______ C:\WINDOWS\system32\svchost.exe (2024)
______ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (420)
______ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (452)
______ C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (864)
______ C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (908)
______ C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (1048)
______ C:\WINDOWS\system32\spoolsv.exe (1488)
______ C:\WINDOWS\System32\SCardSvr.exe (1536)
______ C:\WINDOWS\system32\svchost.exe (1744)
______ C:\Program Files\Citrix\ICA Client\ssonsvr.exe (1896)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (568)
______ C:\Program Files\Bonjour\mDNSResponder.exe (596)
______ C:\WINDOWS\Explorer.EXE (584)
______ C:\Program Files\BT Common Client\btomosrv.exe (640)
______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (652)
______ C:\WINDOWS\system32\DWRCS.EXE (792)
______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (984)
______ C:\WINDOWS\system32\hasplms.exe (2148)
______ C:\Program Files\Java\jre6\bin\jqs.exe (2236)
______ C:\WINDOWS\system32\taskswitch.exe (2260)
______ C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe (2284)
______ C:\Program Files\DellTPad\Apoint.exe (2300)
______ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe (2332)
______ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (2356)
______ C:\WINDOWS\system32\lxdxcoms.exe (2368)
______ C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (2388)
______ C:\Program Files\DellTPad\ApMsgFwd.exe (2440)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (2484)
______ C:\Program Files\DellTPad\Apntex.exe (2508)
______ C:\Program Files\DellTPad\HidFind.exe (2516)
______ C:\WINDOWS\system32\hkcmd.exe (2544)
______ c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (2580)
______ C:\WINDOWS\system32\igfxpers.exe (2584)
______ C:\WINDOWS\system32\igfxsrvc.exe (2588)
______ C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (2668)
______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (2712)
______ C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe (2720)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2820)
______ C:\Program Files\iTunes\iTunesHelper.exe (2888)
______ C:\Program Files\Winamp\winampa.exe (2904)
______ C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (2952)
______ C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe (2980)
______ C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe (3004)
______ C:\WINDOWS\system32\DWRCST.exe (3088)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3128)
______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (3144)
______ C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (3200)
______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (3216)
______ c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (3384)
______ C:\WINDOWS\system32\StacSV.exe (3412)
______ C:\WINDOWS\system32\svchost.exe (3436)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (3480)
______ C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe (3540)
______ C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (3608)
______ C:\Program Files\PrintKey2000\Printkey2000.exe (3628)
______ C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (3844)
______ C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (3896)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (3932)
______ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (3960)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (4020)
______ C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (4080)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (1984)
______ C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (2732)
______ C:\Program Files\iPod\bin\iPodService.exe (3044)
______ C:\WINDOWS\System32\alg.exe (4528)
______ C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (5572)
______ C:\WINDOWS\system32\ctfmon.exe (4900)
______ C:\Documents and Settings\pwesthuiz\Desktop\Rooter.exe (5680)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:98671104)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:99614720 | Length:79925608448)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Google Software Updater.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 17:39.44
.
H:\Rooter$\Rooter_1.txt - (29/10/2009 | 17:39.44)
Everything looks OK now but I would suggest running the Kaspersky Lab Online Scanner just to be 100% sure.

Click START then RUN
Now type Combofix /U in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

.
.
The above procedure will:

Delete: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest IMMUNIZATIONS always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.Thanks a lot.

I have reccommended your service to both my IT departments.

Cheers
PietYour welcome.

Safe surfing...

Solve : Trojan.Packed.NsAnti virus - please help?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment