
Solved USB Malware Trojan.Packed.NsAnti

Discussion in 'Malware and Virus Removal Archive' started by silverbu11et, 2008/07/23.

  1. 2008/07/23
    silverbu11et (Thread Starter)
    [Resolved] USB Malware Trojan.Packed.NsAnti

    Greetings Windows BBS Forum!

    I was surfing Google, looking for a fix for this nasty bug when I came across this post:

    http://www.windowsbbs.com/malware-v...ved-under-attack-disabled-system-restore.html

    And I was wondering if I could get some help as well. My symptoms are a little bit different from the referenced case though. An infected file called "yuznxr.dll", which resides in C:\Documents and Settings\User\Local Settings\Temp\, is "deleted" by Symantec every time I start up the computer. I ran a virus scan in safe mode, but it just popped up again. So I disabled System Restore, and now when I try to boot in safe mode, the system freezes. I'd really like to get this bug out of the computer and get safe mode working again.

    I have a decent amount of computer experience, but I'll have to confess up-front that I've never used HiJackThis. Any help you could offer would be greatly appreciated.

    P.S. I currently have the infected computer disconnected from the main network. Should I keep it unplugged or is it safe to reconnect it?

    EDIT:

    Hai again,

    So, I guess reading the "READ THIS BEFORE POSTING" thread would've been a good idea. I feel silly now. Here's the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:24:52 PM, on 7/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LANDesk\Shared Files\residentagent.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\ORACLE\ora92\bin\omtsreco.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\LANDesk\LDClient\softmon.exe
    C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
    C:\Program Files\LANDesk\LDClient\collector.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Novell\ZENworks\NALDESK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Intranet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LDS Church
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:\program files\internet explorer\custom\desktop.ins
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.189.128.35:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ldsglobal.net;*.lds.org;*.ldschurch.org;*.providentliving.org;*.mormon.org;*.ldsces.org;*.dmba.com;10.*;192.168.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
    O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [Real Desktop] "C:\Program Files\Real D
    O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
    O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
    O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - Global Startup: Event Reminder.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://Intranet
    O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET
    O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET
    O15 - Trusted Zone: http://www.familysearch.org
    O15 - Trusted Zone: http://library.lds.org
    O15 - Trusted Zone: http://*.netdimensions.com
    O15 - Trusted Zone: http://*.netdimensions.com
    O15 - Trusted Zone: http://customer-connection.peoplesoft.com
    O15 - Trusted Zone: http://*.skillsoft.com
    O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM)
    O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM)
    O15 - Trusted Zone: http://library.lds.org (HKLM)
    O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM)
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ORACLE\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\ORACLE\ora92\BIN\ONRSD.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 10632 bytes
     
    Last edited: 2008/07/23
  2. 2008/07/23
    noahdfear
    Welcome to WindowsBBS silverbu11et :)

    First, please re-enable System Restore and verify that a new restore point has been created. An infected restore point is better than none at all in the event it's needed. ;)

    Then, download ComboFix by sUBs from here, saving the file to your desktop.

    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
     

  4. 2008/07/24
    silverbu11et (Thread Starter)
    Thanks for the welcome noahdfear.

    I downloaded and ran ComboFix. Everything ran smoothly except at the beginning, when it tried creating a system restore point (but I did enable it before, like you said):

    "ERUNT.cfexe -
    Instruction at 0x00b2d8d5 referenced memory at 0x00000060. Memory couldn't be written."

    Nevertheless, here's the log:

    ComboFix 08-07-23.5 - SANTIAGO1 2008-07-24 9:16:29.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239 [GMT -4:00]
    Running from: C:\Documents and Settings\SANTIAGO1\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\nqgcd.com
    C:\WINDOWS\system32\kavo.exe
    C:\WINDOWS\system32\kavo0.dll
    C:\WINDOWS\system32\kavo1.dll
    C:\WINDOWS\system32\tavo.exe
    C:\WINDOWS\system32\tavo0.dll
    D:\Autorun.inf

    ----- BITS: Possible infected sites -----

    https://mail.ldschurch.org
    .
    ((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
    .

    2008-07-23 20:24 . 2008-07-23 20:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-23 20:23 . 2008-07-24 08:52 135,342 -r-hs---- C:\ceqfqp.bat
    2008-07-22 10:19 . 2008-07-22 10:26 <DIR> d-------- C:\Documents and Settings\SANTIAGO1\Application Data\ImgBurn
    2008-07-22 10:14 . 2008-07-22 10:14 <DIR> d-------- C:\Program Files\ImgBurn
    2008-07-22 09:06 . 2008-07-22 08:48 1,935,595,520 --a------ C:\EL_HP.ISO
    2008-07-18 09:16 . 2008-07-18 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
    2008-07-14 15:15 . 2008-07-14 15:29 <DIR> d-------- C:\Program Files\gaming
    2008-07-01 18:23 . 2008-07-21 09:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-07-01 18:22 . 2008-07-01 18:22 <DIR> dr-h----- C:\MSOCache
    2008-07-01 18:22 . 2008-07-01 18:22 41 --a------ C:\WINDOWS\wininit.ini
    2008-07-01 18:19 . 2008-07-01 18:19 <DIR> d-------- C:\Outlook2007Config
    2008-06-27 15:29 . 2008-06-27 15:29 <DIR> d-------- C:\Program Files\Real
    2008-06-25 17:01 . 2008-06-25 17:01 <DIR> d-------- C:\Documents and Settings\SANTIAGO1\Application Data\.BitTornado
    2008-06-25 16:32 . 2007-11-22 10:00 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-24 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
    2008-07-23 20:57 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
    2008-07-22 14:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-22 14:22 --------- d-----w C:\Program Files\NCH Swift Sound
    2008-07-22 13:59 --------- d-----w C:\Documents and Settings\SANTIAGO1\Application Data\DVD Flick
    2008-07-21 13:08 --------- d-----w C:\Documents and Settings\SANTIAGO1\Application Data\foobar2000
    2008-07-17 23:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-12 20:19 --------- d-----w C:\Documents and Settings\SANTIAGO1\Application Data\gtk-2.0
    2008-07-11 21:52 --------- d-----w C:\Documents and Settings\SANTIAGO1\Application Data\U3
    2008-07-01 22:25 --------- d-----w C:\Program Files\Microsoft Works
    2008-06-23 18:37 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-06-23 18:30 --------- d-----w C:\Program Files\Electronic Arts
    2008-06-10 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-06-04 22:40 --------- d-----w C:\Program Files\Veoh Networks
    2008-06-04 22:36 --------- d-----w C:\Documents and Settings\SANTIAGO1\Application Data\Orbit
    2008-05-30 22:53 --------- d-----w C:\Program Files\Moffsoft FreeCalc
    2008-05-26 22:08 --------- d-----w C:\Program Files\AviSynth 2.5
    2008-05-26 22:03 --------- d-----w C:\Program Files\eRightSoft
    2008-05-13 01:53 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-05-13 01:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-05-13 01:51 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-05-13 01:51 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-05-13 01:49 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-03-26 19:30 2,516 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
    2008-03-26 18:35 8 --sh--r C:\Documents and Settings\All Users\Application Data\9F0AC46D8E.sys
    2008-02-28 14:38 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Real Desktop"= "C:\Program Files\Real D" [X]
    "ctfmon.exe"= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "swg"= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-03 16:42 171448]
    "RocketDock"= "C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NDPS"= "C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 16:27 32859]
    "ccApp"= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 22:26 52896]
    "vptray"= "C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-08-03 11:48 124656]
    "IgfxTray"= "C:\WINDOWS\system32\igfxtray.exe" [2005-04-06 00:22 94208]
    "HotKeysCmds"= "C:\WINDOWS\system32\hkcmd.exe" [2005-04-06 00:19 77824]
    "Persistence"= "C:\WINDOWS\system32\igfxpers.exe" [2005-04-06 00:23 114688]
    "SoundMAXPnP"= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42 1404928]
    "IntelAPMClient"= "C:\Program Files\LANDesk\LDClient\amclient.exe" [2006-08-23 07:09 315392]
    "SDClientMonitor"= "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-06-16 03:43 258048]
    "Adobe Reader Speed Launcher"= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "QuickTime Task"= "C:\Program Files\QuickTime\qttask.exe" [2006-07-13 12:28 282624]
    "WatchDog"= "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 16:47 184320]
    "DVDLauncher"= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 08:04 53248]
    "NWTRAY"= "NWTRAY.EXE" [2002-03-12 12:37 28672 C:\WINDOWS\system32\nwtray.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NALDESK.EXE [2004-03-09 15:10:42 1015808]
    DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-03-17 11:11:27 184320]
    Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe [2007-10-23 10:23:54 331776]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 0 (0x0)
    "CompatibleRUPSecurity"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoMSAppLogo5ChannelNotify"= 1 (0x1)
    "NoBandCustomize"= 0 (0x0)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"= 0 (0x0)
    "NoLogoff"= 0 (0x0)
    "Btn_Back"= 0 (0x0)
    "Btn_Forward"= 0 (0x0)
    "Btn_Stop"= 0 (0x0)
    "Btn_Refresh"= 0 (0x0)
    "Btn_Home"= 0 (0x0)
    "Btn_Search"= 0 (0x0)
    "Btn_History"= 0 (0x0)
    "Btn_Favorites"= 0 (0x0)
    "Btn_Media"= 0 (0x0)
    "Btn_Folders"= 0 (0x0)
    "Btn_Fullscreen"= 0 (0x0)
    "Btn_Tools"= 0 (0x0)
    "Btn_MailNews"= 0 (0x0)
    "Btn_Size"= 0 (0x0)
    "Btn_Print"= 0 (0x0)
    "Btn_Edit"= 0 (0x0)
    "Btn_Discussions"= 0 (0x0)
    "Btn_Cut"= 0 (0x0)
    "Btn_Copy"= 0 (0x0)
    "Btn_Paste"= 0 (0x0)
    "Btn_Encoding"= 0 (0x0)
    "Btn_PrintPreview"= 0 (0x0)
    "NoSMConfigurePrograms"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= "C:\Program Files\Novell\ZENworks\NalExpEx.dll" [2003-05-05 22:34 131072]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "vidc.yv12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-07-13 12:28 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AllAlertsDisabled"=dword:00000001
    "TermService"=dword:00000001
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 CBA8;LANDesk(R) Management Agent;C:\Program Files\LANDesk\Shared Files\residentagent.exe [2006-06-08 12:38]
    R2 Softmon;LANDesk(R) Software Monitoring Service;C:\Program Files\LANDesk\LDClient\softmon.exe [2006-09-15 07:07]
    R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
    R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-01 17:48]
    R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-01 17:48]
    R3 nscmnt;Novell Local Security Context Manager;C:\WINDOWS\system32\drivers\novell\nscmnt.sys [2004-03-03 13:51]
    R3 xauthnt;Novell XTier Authentication Service;C:\WINDOWS\system32\drivers\novell\xauthnt.sys [2002-06-17 16:32]
    S3 3xHybrid;Philips SAA713x PCI Card;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2007-06-15 08:59]
    S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;C:\WINDOWS\system32\drivers\cwbmidi.sys [2001-08-17 08:19]
    S3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\system32\drivers\cwbwdm.sys [2001-08-17 08:19]
    S3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-01 17:48]
    S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\ORACLE\ora92\BIN\ONRSD.EXE [2002-04-26 21:34]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683e48ef-e938-11dc-8725-00188b08ff47}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9349f6-58c6-11dd-87ab-00188b08ff47}]
    \Shell\AutoRun\command - F:\nqgcd.com
    \Shell\explore\Command - F:\nqgcd.com
    \Shell\open\Command - F:\nqgcd.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9a2222-6de3-11dc-864b-00188b08ff47}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    *Newly Created Service* - ORACLEMTSRECOVERYSERVICE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0 LDS Church Desktop 5.6 Cleanup_Settings}]
    C:\Windows\Services\Cleanup_Settings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0 LDS Church Desktop 5.6 Cleanup}]
    C:\Windows\Services\Cleanup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "%ProgramFiles%\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{LDS Church Desktop 5.6 PostFix}]
    C:\Windows\Services\PostFix.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{LDS Church NAL Info}]
    C:\WINDOWS\services\NAL_Info.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{LDS Church XPSP2}]
    regedit /s C:\WINDOWS\services\wu.reg
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-TVTray - (no file)


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
    R0 -: HKCU-Main,Search Page = hxxp://www.google.com
    R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
    R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
    R1 -: HKCU-Internet Settings,ProxyOverride = *.ldsglobal.net;*.lds.org;*.ldschurch.org;*.providentliving.org;*.mormon.org;*.ldsces.org;*.dmba.com;10.*;192.168.*;<local>
    R1 -: HKCU-Internet Settings,ProxyServer = 209.189.128.35:80
    R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
    R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
    C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    O16 -: {88D969C0-F192-11D4-A65F-0040963251E5} - file://C:\WINDOWS\msxml4.cab
    C:\WINDOWS\system32\msxml4.inf
    C:\WINDOWS\System32\msxml4a.dll
    C:\WINDOWS\System32\msxml4r.dll
    C:\WINDOWS\System32\msxml4.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-24 09:20:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\xmlparse.dll
    -> C:\Program Files\Novell\ZENworks\ZENNW32.DLL

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\RocketDock\RocketDock.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\WINDOWS\system32\cba\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
    C:\ORACLE\ora92\bin\omtsreco.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\Program Files\LANDesk\LDClient\LDISCN32.EXE
    C:\Program Files\LANDesk\LDClient\collector.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Novell\ZENworks\WM.EXE
    C:\WINDOWS\system32\msgsys.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-24 9:23:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-24 13:22:53

    Pre-Run: 5,552,676,864 bytes free
    Post-Run: 6,299,914,240 bytes free

    259

    And HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:31:31 AM, on 7/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LANDesk\Shared Files\residentagent.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\ORACLE\ora92\bin\omtsreco.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\LANDesk\LDClient\softmon.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
    C:\Program Files\LANDesk\LDClient\collector.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\system32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Novell\ZENworks\NALDESK.EXE
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:\program files\internet explorer\custom\desktop.ins
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.189.128.35:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ldsglobal.net;*.lds.org;*.ldschurch.org;*.providentliving.org;*.mormon.org;*.ldsces.org;*.dmba.com;10.*;192.168.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
    O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe "
    O4 - HKCU\..\Run: [Real Desktop] "C:\Program Files\Real D
    O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - Global Startup: Event Reminder.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://Intranet
    O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET
    O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET
    O15 - Trusted Zone: http://www.familysearch.org
    O15 - Trusted Zone: http://library.lds.org
    O15 - Trusted Zone: http://*.netdimensions.com
    O15 - Trusted Zone: http://*.netdimensions.com
    O15 - Trusted Zone: http://customer-connection.peoplesoft.com
    O15 - Trusted Zone: http://*.skillsoft.com
    O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM)
    O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM)
    O15 - Trusted Zone: http://library.lds.org (HKLM)
    O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM)
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ORACLE\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\ORACLE\ora92\BIN\ONRSD.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 10644 bytes

    I did get another message box while running HijackThis that looked like this:

    http://img76.imageshack.us/my.php?image=error1nf0.jpg

    Anything I should be concerned about?
     
  5. 2008/07/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have a hidden file at C:\ceqfqp.bat we should get a look at.

    Just guessing the F: drive is a usb flash drive? Whatever it is, it is housing an infection.
    Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

    After running the tool, open the flash drive via Windows Explorer, with hidden files and folders showing, and delete the following file if present.

    nqgcd.com

    Now, the following registry key needs to be removed.

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9349f6-58c6-11dd-87ab-00188b08ff47}

    You can either do it manually or I will be happy to create a fix for you. Just let me know which you prefer.

    No worries where the HJT error is concerned.

    Regarding the error in ComboFix, did you disable all of the Symantec products listed on the page I linked to when requesting realtime protections be disabled?
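    A small triage script for the two log formats in this thread (HijackThis O4 autorun lines and DSS "Files created" lines), added here as an example and not a tool from the thread or from HijackThis/DSS: it flags executables that run from a drive root or a Temp folder, bare file names resolved via the search path, and files carrying the hidden attribute, which is how an entry like C:\ceqfqp.bat stands out in a log. The sample lines are constructed for the example; the Temp path and the update.exe name are assumptions, and the hidden-flag column is inferred from the hidden folders in the DSS log.

```python
"""Triage helper for HijackThis O4 lines and DSS "Files created" lines.

Constructed example for this thread, not a tool from the thread or from
Trend Micro/Deckard.  It flags the kind of entries a helper looks for:
executables launched from a drive root or a Temp folder, bare file names,
and files with the hidden attribute set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

EXEC_EXT = {".exe", ".bat", ".com", ".cmd", ".dll", ".scr", ".pif", ".vbs"}

# "O4 - HKLM\..\Run: [Name] command line"   and   "O4 - Global Startup: x.lnk = path"
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK = re.compile(r"^O4 - Global Startup: (?P<name>.+?\.lnk) = (?P<cmd>.+)$")
# "2008-07-23 20:23:28 135342 -----n--- C:\ceqfqp.bat [<Not Verified; ...>]"
DSS_FILE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) (?P<attr>\S{9}) "
    r"(?P<path>.+?)(?: <[^>]*>)?$"
)


@dataclass
class Finding:
    source: str                      # "O4" or "DSS"
    path: str
    reasons: list[str] = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Pull the program path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip() if end > 0 else cmd[1:].strip()
    # Unquoted: the path ends at the first switch-like argument (" /x" or " -x").
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0].strip()


def location_reasons(path: str) -> list[str]:
    """Heuristics about *where* an executable lives; empty list means nothing odd."""
    reasons: list[str] = []
    low = path.lower()
    ext = low[low.rfind("."):] if "." in low else ""
    if ext not in EXEC_EXT:
        return reasons
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        reasons.append("executable directly in a drive root")
    if "\\temp\\" in low:
        reasons.append("executable in a Temp folder")
    if "\\" not in low:
        reasons.append("bare file name, resolved via search path")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Scan mixed HijackThis/DSS text and return the entries worth a second look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            reasons = location_reasons(path)
            if reasons:
                findings.append(Finding("O4", path, reasons))
            continue
        m = DSS_FILE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            is_dir = attr[0] == "d"
            reasons = [] if is_dir else location_reasons(path)
            # Column 4 of the DSS attribute field is the hidden flag (it is set on
            # hidden folders such as MSOCache); hidden *files* deserve a look.
            if attr[3] == "h" and not is_dir:
                reasons.append("hidden attribute set on a file")
            if reasons:
                findings.append(Finding("DSS", path, reasons))
    return findings


# Constructed sample modelled on the log lines in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\User\Local Settings\Temp\update.exe" -boot
O4 - Global Startup: Event Reminder.lnk = ?
2008-07-23 20:23:28 135342 -----n--- C:\ceqfqp.bat
2008-07-01 18:22:40 0 dr-h----- C:\MSOCache
2008-07-24 09:14:38 68096 --a------ C:\WINDOWS\zip.exe
2008-07-24 09:14:38 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.source}] {f.path}: {'; '.join(f.reasons)}")
```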
     
  6. 2008/07/25
    silverbu11et

    silverbu11et Inactive Thread Starter

    Joined:
    2008/07/23
    Messages:
    8
    Likes Received:
    0
    Good Morning,

    I turned on View Hidden Files and Folders, but couldn't find the .bat file in C:. Maybe it was already deleted?

    F: is probably the USB thumb drive that got the computer infected. It wasn't mine and definitely won't be plugged into this computer again. :D

    Deleted the registry key and subfolders.

    As for the ComboFix Error, as you might have guessed from the logs, this computer isn't exactly mine. It's got Symantec Antivirus Corp. Edition installed with the "Disable" feature... disabled. So instead, before the scan I went through the task manager and ended every process that had to do with Symantec (Google's a really good search engine, btw). I'm guessing then that I missed one. :rolleyes:

    Thanks again for your help noahdfear!
     
  7. 2008/07/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open a command window and type or paste the following command then hit enter.

    attrib -r -h -s C:\ceqfqp.bat

    The file should be visible now. Right click and select Edit.
     
  8. 2008/07/26
    silverbu11et

    silverbu11et Inactive Thread Starter

    Joined:
    2008/07/23
    Messages:
    8
    Likes Received:
    0
    Whoa, that was pretty spiffy.

    This .bat doesn't look like any batch file I've made. It's filled with special characters and boxes. Up near the top it says

    and near the end it reads

    The whole thing is 133 KB.
     
  9. 2008/07/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please upload that batch file to my submission channel for analysis. Leave a link back to this topic.

    Thanks!


    Download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.
     
  10. 2008/07/28
    silverbu11et

    silverbu11et Inactive Thread Starter

    Joined:
    2008/07/23
    Messages:
    8
    Likes Received:
    0
    Here's the main log:

    Deckard's System Scanner v20071014.68
    Run by SANTIAGO1 on 2008-07-28 18:45:59
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    9: 2008-07-28 22:46:08 UTC - RP9 - Deckard's System Scanner Restore Point
    8: 2008-07-28 17:38:44 UTC - RP8 - System Checkpoint
    7: 2008-07-26 18:39:45 UTC - RP7 - System Checkpoint
    6: 2008-07-25 16:40:00 UTC - RP6 - System Checkpoint
    5: 2008-07-24 15:00:49 UTC - RP5 - Removed ENLTV/ENLTV-FM Driver Setup


    -- First Restore Point --
    1: 2008-07-24 12:53:46 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 503 MiB (512 MiB recommended).


    -- HijackThis (run as SANTIAGO1.exe) -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:47:10 PM, on 7/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LANDesk\Shared Files\residentagent.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\ORACLE\ora92\bin\omtsreco.exe
    C:\Program Files\LANDesk\LDClient\collector.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\LANDesk\LDClient\softmon.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Novell\ZENworks\NALDESK.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Documents and Settings\SANTIAGO1\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\SANTIAGO1.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:\program files\internet explorer\custom\desktop.ins
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.189.128.35:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ldsglobal.net;*.lds.org;*.ldschurch.org;*.providentliving.org;*.mormon.org;*.ldsces.org;*.dmba.com;10.*;192.168.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
    O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe "
    O4 - HKCU\..\Run: [Real Desktop] "C:\Program Files\Real D
    O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - Global Startup: Event Reminder.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://Intranet
    O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET
    O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET
    O15 - Trusted Zone: http://www.familysearch.org
    O15 - Trusted Zone: http://library.lds.org
    O15 - Trusted Zone: http://*.netdimensions.com
    O15 - Trusted Zone: http://*.netdimensions.com
    O15 - Trusted Zone: http://customer-connection.peoplesoft.com
    O15 - Trusted Zone: http://*.skillsoft.com
    O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM)
    O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM)
    O15 - Trusted Zone: http://library.lds.org (HKLM)
    O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ORACLE\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\ORACLE\ora92\BIN\ONRSD.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 10700 bytes

    -- File Associations -----------------------------------------------------------

    .txt - txtfile - shell\open\command - C:\WINDOWS\notepad.exe %1


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 NICM (Novell InterService Communication Driver) - c:\windows\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
    R0 NWFILTER (Novell UNC Path Filter) - c:\windows\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
    R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
    R2 NetwareWorkstation (Novell Client for Windows) - c:\windows\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
    R2 NWDHCP (Novell DHCP Inform Client) - c:\windows\system32\netware\nwdhcp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
    R2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\windows\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
    R2 RESMGR (Novell NetWare Resource Manager) - c:\windows\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
    R2 SRVLOC (Novell Service Location) - c:\windows\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
    R3 nscmnt (Novell Local Security Context Manager) - c:\windows\system32\drivers\novell\nscmnt.sys
    R3 NWDNS (Novell DNS Name Space Service Provider) - c:\windows\system32\netware\nwdns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
    R3 NWHOST (Novell Host File Name Space Service Provider) - c:\windows\system32\netware\nwhost.sys
    R3 NWSAP (Novell SAP Name Space Provider) - c:\windows\system32\netware\nwsap.sys
    R3 NWSLP (Novell SLP Name Space Service Provider) - c:\windows\system32\netware\nwslp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
    R3 NWSNS (Novell Simple Naming Services) - c:\windows\system32\netware\nwsns.sys
    R3 xauthnt (Novell XTier Authentication Service) - c:\windows\system32\drivers\novell\xauthnt.sys

    S3 3xHybrid (Philips SAA713x PCI Card) - c:\windows\system32\drivers\3xhybrid.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 CBA8 (LANDesk(R) Management Agent) - "c:\program files\landesk\shared files\residentagent.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk(R) Management Agent>
    R2 Intel Local Scheduler Service - "c:\program files\landesk\ldclient\localsch.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
    R2 Intel PDS - c:\windows\system32\cba\pds.exe <Not Verified; LANDesk Software Ltd.; Intel Common Base Agent>
    R2 Intel Targeted Multicast (LANDesk Targeted Multicast) - c:\program files\landesk\ldclient\tmcsvc.exe <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
    R2 NALNTSERVICE (Novell Application Launcher) - c:\program files\novell\zenworks\nalntsrv.exe <Not Verified; Novell, Inc.; >
    R2 OracleMTSRecoveryService - c:\oracle\ora92\bin\omtsreco.exe "oraclemtsrecoveryservice" <Not Verified; Oracle Corporation; Oracle MTS Recovery Service>
    R2 Softmon (LANDesk(R) Software Monitoring Service) - "c:\program files\landesk\ldclient\softmon.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
    R2 ZFDWM (Workstation Manager) - c:\program files\novell\zenworks\wm.exe <Not Verified; Novell, INC.; ZEN for Desktops>

    S3 cusrvc (Client Update Service for Novell) - c:\windows\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>
    S3 OracleOraHome92ClientCache - c:\oracle\ora92\bin\onrsd.exe


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA


    -- Files created between 2008-06-28 and 2008-07-28 -----------------------------

    2008-07-26 11:42:37 0 d-------- C:\Documents and Settings\santiago3\Application Data\gtk-2.0
    2008-07-26 11:42:34 0 d-------- C:\Documents and Settings\santiago3\.thumbnails
    2008-07-26 11:40:56 0 d-------- C:\Documents and Settings\santiago3\.gimp-2.4
    2008-07-24 09:14:38 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-24 09:14:38 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-24 09:14:38 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-24 09:14:38 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-24 09:14:38 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-24 09:14:38 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-24 09:14:37 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-24 09:14:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-23 20:24:21 0 d-------- C:\Program Files\Trend Micro
    2008-07-23 20:23:28 135342 -----n--- C:\ceqfqp.bat
    2008-07-22 10:19:46 0 d-------- C:\Documents and Settings\SANTIAGO1\Application Data\ImgBurn
    2008-07-22 10:14:18 0 d-------- C:\Program Files\ImgBurn
    2008-07-18 09:16:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
    2008-07-14 15:15:47 0 d-------- C:\Program Files\gaming
    2008-07-01 18:23:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-07-01 18:22:40 0 dr-h----- C:\MSOCache
    2008-07-01 18:19:53 0 d-------- C:\Outlook2007Config


    -- Find3M Report ---------------------------------------------------------------

    2008-07-28 15:25:49 0 d-------- C:\Documents and Settings\SANTIAGO1\Application Data\foobar2000
    2008-07-26 15:02:59 58360 --a------ C:\WINDOWS\system32\profile.dat
    2008-07-25 10:04:42 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-07-24 11:07:27 0 d-------- C:\Program Files\Finale PrintMusic 2007
    2008-07-24 11:00:53 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-07-24 11:00:53 0 d-------- C:\Program Files\Common Files
    2008-07-24 10:26:13 0 d-------- C:\Program Files\Java
    2008-07-22 10:22:35 0 d-------- C:\Program Files\NCH Swift Sound
    2008-07-22 09:59:30 0 d-------- C:\Documents and Settings\SANTIAGO1\Application Data\DVD Flick
    2008-07-12 16:19:21 0 d-------- C:\Documents and Settings\SANTIAGO1\Application Data\gtk-2.0
    2008-07-11 17:52:47 0 d-------- C:\Documents and Settings\SANTIAGO1\Application Data\U3
    2008-07-01 18:25:37 0 d-------- C:\Program Files\Microsoft Works
    2008-06-27 15:29:56 0 d-------- C:\Program Files\Real
    2008-06-25 17:01:21 0 d-------- C:\Documents and Settings\SANTIAGO1\Application Data\.BitTornado
    2008-06-23 14:30:12 0 d-------- C:\Program Files\Electronic Arts
    2008-06-07 17:25:35 0 d-------- C:\Documents and Settings\SANTIAGO1\Application Data\Adobe
    2008-06-07 17:24:49 1289 --a------ C:\WINDOWS\mozver.dat
    2008-06-04 18:40:33 0 d-------- C:\Program Files\Veoh Networks
    2008-06-04 18:36:22 0 d-------- C:\Documents and Settings\SANTIAGO1\Application Data\Orbit
    2008-05-30 18:53:35 0 d-------- C:\Program Files\Moffsoft FreeCalc
    2008-05-12 21:53:16 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2008-05-12 21:50:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2008-05-12 21:50:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2008-05-12 21:50:08 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
    2008-05-12 21:50:08 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2008-05-12 21:50:08 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
    2008-05-12 21:50:08 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2008-05-12 21:50:06 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2008-05-12 21:49:02 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-04-28 12:31:29 17 --a------ C:\WINDOWS\system32\'


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NDPS "= "C:\WINDOWS\system32\dpmw32.exe" [05/17/2004 04:27 PM]
    "NWTRAY "= "NWTRAY.EXE" [03/12/2002 12:37 PM C:\WINDOWS\system32\nwtray.exe]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 10:26 PM]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [08/03/2006 11:48 AM]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [04/06/2005 12:22 AM]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [04/06/2005 12:19 AM]
    "Persistence "= "C:\WINDOWS\system32\igfxpers.exe" [04/06/2005 12:23 AM]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 05:42 PM]
    "IntelAPMClient "= "C:\Program Files\LANDesk\LDClient\amclient.exe" [08/23/2006 07:09 AM]
    "SDClientMonitor "= "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [06/16/2006 03:43 AM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [07/13/2006 12:28 PM]
    "WatchDog "= "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [07/04/2005 04:47 PM]
    "DVDLauncher "= "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/26/2004 08:04 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/03/2008 04:42 PM]
    "RocketDock "= "C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 01:58 PM]
    "Real Desktop "= "C:\Program Files\Real D" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NALDESK.EXE [3/9/2004 3:10:42 PM]
    DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [3/17/2008 11:11:27 AM]
    Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\pmremind.exe [10/23/2007 10:23:54 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD "=0 (0x0)
    "CompatibleRUPSecurity "=1 (0x1)
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=0 (0x0)
    "HideStartupScripts "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoMSAppLogo5ChannelNotify "=1 (0x1)
    "NoBandCustomize "=0 (0x0)
    "NoSMConfigurePrograms "=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoRecentDocsMenu "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "ClearRecentDocsOnExit "=0 (0x0)
    "NoLogoff "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "Btn_Back "=0 (0x0)
    "Btn_Forward "=0 (0x0)
    "Btn_Stop "=0 (0x0)
    "Btn_Refresh "=0 (0x0)
    "Btn_Home "=0 (0x0)
    "Btn_Search "=0 (0x0)
    "Btn_History "=0 (0x0)
    "Btn_Favorites "=0 (0x0)
    "Btn_Media "=0 (0x0)
    "Btn_Folders "=0 (0x0)
    "Btn_Fullscreen "=0 (0x0)
    "Btn_Tools "=0 (0x0)
    "Btn_MailNews "=0 (0x0)
    "Btn_Size "=0 (0x0)
    "Btn_Print "=0 (0x0)
    "Btn_Edit "=0 (0x0)
    "Btn_Discussions "=0 (0x0)
    "Btn_Cut "=0 (0x0)
    "Btn_Copy "=0 (0x0)
    "Btn_Paste "=0 (0x0)
    "Btn_Encoding "=0 (0x0)
    "Btn_PrintPreview "=0 (0x0)
    "NoSMConfigurePrograms "=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{B4870B70-F390-11d2-9FB9-F4ED725EA20D} "= C:\Program Files\Novell\ZENworks\NalExpEx.dll [05/05/2003 10:34 PM 131072]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683e48ef-e938-11dc-8725-00188b08ff47}]
    AutoRun\command- G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9a2222-6de3-11dc-864b-00188b08ff47}]
    AutoRun\command- G:\LaunchU3.exe -a

    *Newly Created Service* - ORACLEMTSRECOVERYSERVICE

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0 LDS Church Desktop 5.6 Cleanup_Settings}]
    C:\Windows\Services\Cleanup_Settings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0 LDS Church Desktop 5.6 Cleanup}]
    C:\Windows\Services\Cleanup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "%ProgramFiles%\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{LDS Church Desktop 5.6 PostFix}]
    C:\Windows\Services\PostFix.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{LDS Church NAL Info}]
    C:\WINDOWS\services\NAL_Info.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{LDS Church XPSP2}]
    regedit /s C:\WINDOWS\services\wu.reg



    -- End of Deckard's System Scanner: finished at 2008-07-28 18:47:41 ------------

    By the way, is there any reason to keep "ceqfqp.bat" on the hard drive, or would it be okay if I deleted it now? :eek:
     
  11. 2008/07/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, I don't know. I haven't gotten the upload yet, so I don't know what its purpose is. I'll wait to get it and analyze it before proceeding. ;)
     
  12. 2008/07/29
    silverbu11et

    silverbu11et Inactive Thread Starter

    Joined:
    2008/07/23
    Messages:
    8
    Likes Received:
    0
    Uploaded the file again, and included a little comment this time.

    Thanks again for your help. :D
     
  13. 2008/07/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry for the delay. That batch file (which really isn't a batch file .... don't know why it has a bat extension) is infected. Nuke it.
    This file looks useless as well.

    C:\WINDOWS\system32\'

    Yes, the file name is an exclamation point. ;)

    Once you've gotten rid of those, run an online scan with Kaspersky WebScanner

    • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and a fresh HijackThis log.
     
  14. 2008/08/01
    silverbu11et

    silverbu11et Inactive Thread Starter

    Joined:
    2008/07/23
    Messages:
    8
    Likes Received:
    0
    Funny thing happened when I went to delete the file :eek:

    I went to select the "bat" file and shift+delete it. When it was highlighted, it disappeared. Symantec caught it and deleted it, and I ran the DOS attribute magic again just to make sure. I also deleted the other file (') in \system32\ through DOS instead.

    Ran the Kaspersky WebScanner and let it run for an hour or so. When I came back, Symantec found and deleted 21 infected files while the WebScanner told me the computer was infected. :(

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, August 01, 2008 11:37:49 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 1/08/2008
    Kaspersky Anti-Virus database records: 1039806
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 59161
    Number of viruses found: 7
    Number of infected objects: 20
    Number of suspicious objects: 0
    Duration of the scan process: 01:36:50

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Client Firewall\System.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Microsoft\Outlook\Default Exchange Mail Profile.srs Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Microsoft\Templates\NormalEmail.dotm Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Microsoft\Word\AutoRecovery save of Document2.asd Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\cert8.db Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\history.dat Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\key3.db Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\parent.lock Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Microsoft\Outlook\Default Exchangmisionsantiago.reembolsos@gmail.com-00000003.pst Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Microsoft\Outlook\~Default Exchangmisionsantiago.reembolsos@gmail.com-00000003.pst.tmp Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Application Data\Mozilla\Firefox\Profiles\zutwcoii.default\XUL.mfl Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\temp\6.tmp Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\temp\ExchangePerflog_8484fa3183592d85970b3daf.dat Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\temp\~DF95FC.tmp Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\temp\~DFCC16.tmp Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\temp\~DFF835.tmp Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\Local Settings\Temporary Internet Files\Content.Word\~WRS{AA5EAECE-ED87-4F9B-80D2-1871BFA34F05}.tmp Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\SANTIAGO1\NTUSER.DAT.LOG Object is locked skipped
    C:\ORACLE\ora92\oramts\trace\OracleMTSRecoveryService(784).trc Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0216NAV~.TMP Object is locked skipped
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0899NAV~.TMP Object is locked skipped
    C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
    C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
    C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
    C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.eor skipped
    C:\QooBox\Quarantine\D\autorun.inf.vir Infected: Worm.Win32.AutoRun.eor skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP1\A0000003.inf Infected: Worm.Win32.AutoRun.eor skipped
    C:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP11\change.log Object is locked skipped
    C:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP2\A0000013.inf Infected: Worm.Win32.AutoRun.eor skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\Services\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
    C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
    C:\WINDOWS\system32\profile.dat Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP1\A0000005.inf Infected: Worm.Win32.AutoRun.eor skipped
    D:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP11\change.log Object is locked skipped
    D:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP2\A0000015.inf Infected: Worm.Win32.AutoRun.eor skipped
    D:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP2\A0000066.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
    D:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP2\A0000066.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
    D:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP2\A0000066.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
    D:\System Volume Information\_restore{31AEE19E-E5FF-432A-B1D1-AC8CEC304749}\RP2\A0000066.exe Inno: infected - 3 skipped
    D:\Users\SANTIAGO1\My Documents\Machado\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe/file36 Infected: not-a-virus:pSWTool.Win32.PWDump.2 skipped
    D:\Users\SANTIAGO1\My Documents\Machado\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe/file63 Infected: not-a-virus:pSWTool.Win32.PWDump.s skipped
    D:\Users\SANTIAGO1\My Documents\Machado\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe/file64 Infected: not-a-virus:pSWTool.Win32.PWDump.d skipped
    D:\Users\SANTIAGO1\My Documents\Machado\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe/file65 Infected: not-a-virus:pSWTool.Win32.PWDump.d skipped
    D:\Users\SANTIAGO1\My Documents\Machado\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe Infected: not-a-virus:pSWTool.Win32.PWDump.d skipped
    D:\Users\SANTIAGO1\My Documents\Machado\ophcrack-livecd-1.2.2.iso ISOimage: infected - 5 skipped

    Scan process completed.

    Here is the new HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:39:26 AM, on 8/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LANDesk\Shared Files\residentagent.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\WINDOWS\system32\CBA\pds.exe
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\ORACLE\ora92\bin\omtsreco.exe
    C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
    C:\Program Files\LANDesk\LDClient\collector.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\LANDesk\LDClient\softmon.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Novell\ZENworks\NALDESK.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:\program files\internet explorer\custom\desktop.ins
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.189.128.35:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ldsglobal.net;*.lds.org;*.ldschurch.org;*.providentliving.org;*.mormon.org;*.ldsces.org;*.dmba.com;10.*;192.168.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
    O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe "
    O4 - HKCU\..\Run: [Real Desktop] "C:\Program Files\Real D
    O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - Global Startup: Event Reminder.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://Intranet
    O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET
    O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET
    O15 - Trusted Zone: http://www.familysearch.org
    O15 - Trusted Zone: http://library.lds.org
    O15 - Trusted Zone: http://*.netdimensions.com
    O15 - Trusted Zone: http://*.netdimensions.com
    O15 - Trusted Zone: http://customer-connection.peoplesoft.com
    O15 - Trusted Zone: http://*.skillsoft.com
    O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM)
    O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM)
    O15 - Trusted Zone: http://library.lds.org (HKLM)
    O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ORACLE\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\ORACLE\ora92\BIN\ONRSD.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

    --
    End of file - 10927 bytes
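As an added example that is not part of the original thread, a short Python triage pass over a few lines copied from the log above: it parses the `Onn - ` entries and flags the ones a helper tends to look at first (autorun targets without a full path, an unidentified Winsock LSP, Trusted Zone additions, services with no publisher). The rules and flag wording are mine, not HijackThis output.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: a handful of entries copied from the HijackThis log posted
# above (one trailing space inside a quoted path removed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Event Reminder.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.netdimensions.com
O15 - Trusted Zone: http://library.lds.org (HKLM)
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\ORACLE\ora92\BIN\ONRSD.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""
# Every HijackThis entry starts with its section code (R0-R3, O1-O24).
ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")
@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)

def triage_line(line):
    """Parse one log line into an Entry with review flags, or None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(*m.groups())
    body = entry.body
    if entry.section == "O4":
        # Autorun target: text after the [label], or after '=' for startup-folder links.
        target = body.split("]", 1)[1] if "]" in body else body.split("=", 1)[-1]
        target = target.strip().strip('"')
        if target == "?" or not re.match(r"[A-Za-z]:\\", target):
            entry.flags.append("autorun target is not an absolute path; locate the file first")
    elif entry.section == "O10":
        entry.flags.append("Winsock LSP that HijackThis could not identify; verify the vendor")
    elif entry.section == "O15":
        entry.flags.append("site in the IE Trusted Zone; runs with relaxed browser security")
    elif entry.section == "O23":
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3 and parts[-2].lower() == "unknown owner":
            entry.flags.append("service has no publisher string; check the file's signature")
    return entry

def triage(log_text):
    """Return only the entries that carry at least one review flag."""
    entries = (triage_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]
```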
     
  15. 2008/08/01
    noahdfear
    Nothing to worry about in those scan results. Legit programs detected for their ability. I am curious as to why this machine has ophcrack. Do you know?

    Let's clean up ComboFix and the items it has quarantined. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.


    Delete any items Norton has quarantined as well. Then, download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    That should wrap things up. How's the computer behaving now?
     
  16. 2008/08/02
    silverbu11et
    Thanks for all the help noahdfear. Everything seems to be up and running again.

    Yes, I'm aware of the copy of ophcrack on the system. In the office I work at, personnel will change every 6-8 months, and sometimes people leave without sharing the admin password to the newcomers. It's really been a lifesaver. :D

    Again, thanks for your skills and time noahdfear. You've saved me and probably 170 others a lot of headaches and trouble! :)
     
  17. 2008/08/02
    noahdfear
    Glad to hear all is normal again, and happy to help. :)
     
