
Browser redirects, no chkdsk, no defrag



Hello!

The problem I'm having started late last week. IE 6 (work standard) has some random redirects or just stops. I also cannot run defrag from Windows or command prompt. I cannot run chkdsk from command prompt and it will not run with reboot.

Also have not had luck getting into safe mode with networking.

I'd like to get some advice before I consult my no-help desk. I've also run Spybot S&D and our corporate virus solution - McAfee Viruscan Enterprise with no luck.

Greatly appreciate any help.

Here are my logs:

Malwarebytes' Anti-Malware 1.36

Database version: 2062

Windows 5.1.2600 Service Pack 2

4/30/2009 7:11:31 PM

mbam-log-2009-04-30 (19-11-31).txt

Scan type: Full Scan (C:\|)

Objects scanned: 184990

Time elapsed: 25 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:02:45 AM, on 4/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\Novell\XTAgent.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\cvpnd.exe

C:\Program Files\iPass\iPassConnect\iPCAgent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Novell\ZENworks\nalntsrv.exe

c:\oracle\products\9.2.0.1\bin\omtsreco.exe

C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

c:\winnt\system32\svrsvc\svrsvc.exe

C:\WINNT\System32\TPHDEXLG.exe

C:\WINNT\system32\TpKmpSVC.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\WINNT\system32\SearchIndexer.exe

C:\Program Files\Novell\ZENworks\wm.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINNT\system32\igfxtray.exe

C:\WINNT\system32\hkcmd.exe

C:\WINNT\system32\igfxpers.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\Novell\ZENworks\NalAgent.exe

C:\WINNT\system32\TpShocks.exe

C:\WINNT\system32\igfxsrvc.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\WINNT\system32\dpmw32.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

C:\Program Files\eRoom 7\ERClient7.exe

C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe

C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onebms.bms.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://onebms.bms.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.bms.com/cs/ie.nsf/thunderbird

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mcd-server/mcd/proxy.pac

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {8131ECC4-78A1-48D0-8BF2-F407F730F028} - C:\WINNT\system32\mlJYpQgh.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Naldesk] "C:\Program Files\Novell\ZENworks\NALDESK.EXE" /ns

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\system32\zentray.exe

O4 - HKLM\..\Run: [bMS Asset Confirmation] C:\i386\Options\ZAM Languages\AssetConfirmation-01.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\bin\CfgDownload.exe

O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe"

O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [sfKg6wIP] C:\Documents and Settings\cwiakj\Application Data\Microsoft\Windows\gxhbt.exe

O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BMS-IMSS RemoteAccess VPN Client.lnk = C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\vpngui.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll

O12 - Plugin for .cgi: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O14 - IERESET.INF: START_PAGE_URL=http://onebms.bms.com

O16 - DPF: RightSiteApplet - http://rapid.bms.com/RightSiteDir/applet/rs_applet.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STUrlConLoader.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STAutoAwayLoader.cab

O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - http://hpwnavp01.net.bms.com/eRoomSetup/client.cab

O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STJNILoader.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O17 - HKLM\Software\..\Telephony: DomainName = one.ads.bms.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O20 - AppInit_DLLs: ogrnsm.dll

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\cvpnd.exe

O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINNT\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe

O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe

O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\products\9.2.0.1\bin\omtsreco.exe

O23 - Service: OracleORAHOME92_DTSClientCache - Unknown owner - c:\oracle\products\9.2.0.1\BIN\ONRSD.EXE

O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe

O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: svrsvc - Unknown owner - c:\winnt\system32\svrsvc\svrsvc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINNT\System32\Novell\XTAgent.exe

O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--

End of file - 16831 bytes


Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Launch HijackThis (HJT) by double-clicking the desktop shortcut and choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O2 - BHO: (no name) - {8131ECC4-78A1-48D0-8BF2-F407F730F028} - C:\WINNT\system32\mlJYpQgh.dll (file missing)

O4 - HKCU\..\Run: [sfKg6wIP] C:\Documents and Settings\cwiakj\Application Data\Microsoft\Windows\gxhbt.exe

O20 - AppInit_DLLs: ogrnsm.dll

Exit HijackThis and Reboot

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Disable the active protection component (guard) of your antivirus - this can usually be accomplished by right-clicking your AV's system tray icon, and then selecting the disable feature from the context menu.
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Re-enable the active protection component (guard) of your antivirus.

Download DDS and save it to your desktop from here or here


Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please copy and paste both logs into your next reply.

I need to see:

1. The RootRepeal file scan report

2. The DDS reports

3. A new HJT scan

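As an added illustration (not part of the thread, and not HijackThis's own logic), the three entries the helper singled out above can also be picked out mechanically: this Python triage reads HijackThis lines and flags nameless or file-missing BHOs (O2), Run values with machine-looking names or targets inside the user profile (O4), a populated AppInit_DLLs (O20), and services with no publisher string (O23). The sample lines are copied from the log posted above; the heuristics and thresholds are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log above, benign and
# suspicious mixed together, so the triage has realistic input to work on.
SAMPLE_LOG = r"""
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {8131ECC4-78A1-48D0-8BF2-F407F730F028} - C:\WINNT\system32\mlJYpQgh.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [sfKg6wIP] C:\Documents and Settings\cwiakj\Application Data\Microsoft\Windows\gxhbt.exe
O20 - AppInit_DLLs: ogrnsm.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: svrsvc - Unknown owner - c:\winnt\system32\svrsvc\svrsvc.exe
"""

# Directories a logged-in user can write without admin rights (XP layout). An autorun
# whose binary lives here deserves a second look; installers normally use Program Files.
USER_WRITABLE = (
    r"\documents and settings",
    r"\application data",
    r"\local settings\temp",
)

# One regex per HijackThis section this triage understands.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a Run value name mixing case and digits with no
    separator, e.g. sfKg6wIP, reads as machine-generated rather than a product name."""
    has_digit = any(c.isdigit() for c in name)
    has_lower = any(c.islower() for c in name)
    has_upper = any(c.isupper() for c in name)
    no_separator = not any(c in " ._-" for c in name)
    return has_digit and has_lower and has_upper and no_separator


def triage_line(line: str):
    """Return (section, reasons) for one log line; reasons is empty when nothing stands out."""
    m = BHO_RE.match(line)
    if m:
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        if "(file missing)" in m["path"]:
            reasons.append("BHO DLL is gone from disk but its registration remains")
        return "O2", reasons
    m = RUN_RE.match(line)
    if m:
        reasons = []
        if looks_random(m["name"]):
            reasons.append(f"Run value name {m['name']!r} looks machine-generated")
        target = m["target"].lower()
        if any(d in target for d in USER_WRITABLE):
            reasons.append("autorun target lives in a user-writable profile directory")
        return "O4", reasons
    m = APPINIT_RE.match(line)
    if m:
        dlls = m["dlls"].strip()
        # Anything listed here is mapped into every process that loads user32.dll.
        reasons = [f"AppInit_DLLs is set to {dlls!r}"] if dlls else []
        return "O20", reasons
    m = SVC_RE.match(line)
    if m:
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("service binary carries no publisher information")
        return "O23", reasons
    return None, []


def triage(log_text: str):
    """Run triage_line over a whole log and keep only lines with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section, reasons = triage_line(line)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Everything it flags still needs a human decision (the two "Unknown owner" services in the real log are unsigned vendor tools, not the infection); the point is to surface the same four lines a helper would read first.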

RootRepeal Log:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/05/01 19:40

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================


Address: 0xA545F000 Size: 2944 File Visible: -

Status: -

Name: nwdhcp.sys

Image Path: C:\WINNT\system32\NetWare\nwdhcp.sys

Address: 0xA329F000 Size: 18272 File Visible: -

Status: -

Name: nwdns.sys

Image Path: C:\WINNT\system32\NetWare\nwdns.sys

Address: 0xF7675000 Size: 41376 File Visible: -

Status: -

Name: nwfilter.sys

Image Path: nwfilter.sys

Address: 0xF7935000 Size: 15808 File Visible: No

Status: -

Name: nwfs.sys

Image Path: C:\WINNT\system32\NetWare\nwfs.sys

Address: 0x9D1BA000 Size: 505792 File Visible: -

Status: -

Name: NWHOST.sys

Image Path: C:\WINNT\system32\NetWare\NWHOST.sys

Address: 0xF70BD000 Size: 9216 File Visible: -

Status: -

Name: nwslp.sys

Image Path: C:\WINNT\system32\NetWare\nwslp.sys

Address: 0xA4114000 Size: 20256 File Visible: -

Status: -

Name: NWSNS.sys

Image Path: C:\WINNT\system32\NetWare\NWSNS.sys

Address: 0x9D715000 Size: 6048 File Visible: -

Status: -

Name: odFips.sys

Image Path: odFips.sys

Address: 0xF71F6000 Size: 254208 File Visible: -

Status: -

Name: ohci1394.sys

Image Path: ohci1394.sys

Address: 0xF7575000 Size: 61056 File Visible: -

Status: -

Name: OPRGHDLR.SYS

Image Path: C:\WINNT\system32\DRIVERS\OPRGHDLR.SYS

Address: 0xF7ADE000 Size: 4096 File Visible: -

Status: -

Name: ovfsthxwowawjns.sys

Image Path: C:\WINNT\system32\drivers\ovfsthxwowawjns.sys

Address: 0xA3250000 Size: 94208 File Visible: -

Status: Hidden from Windows API!

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF779D000 Size: 18688 File Visible: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF73D5000 Size: 68224 File Visible: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7ADD000 Size: 3328 File Visible: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINNT\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF7795000 Size: 28672 File Visible: -

Status: -

Name: pcmcia.sys

Image Path: pcmcia.sys

Address: 0xF73B7000 Size: 119936 File Visible: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2142208 File Visible: -

Status: -

Name: portcls.sys

Image Path: C:\WINNT\system32\drivers\portcls.sys

Address: 0xA82CF000 Size: 139264 File Visible: -

Status: -

Name: psched.sys

Image Path: C:\WINNT\system32\DRIVERS\psched.sys

Address: 0xF462F000 Size: 69120 File Visible: -

Status: -

Name: ptilink.sys

Image Path: C:\WINNT\system32\DRIVERS\ptilink.sys

Address: 0xF77CD000 Size: 17792 File Visible: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF7565000 Size: 35712 File Visible: -

Status: -

Name: rasacd.sys

Image Path: C:\WINNT\system32\DRIVERS\rasacd.sys

Address: 0xF7087000 Size: 8832 File Visible: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINNT\system32\DRIVERS\rasl2tp.sys

Address: 0xF6372000 Size: 51328 File Visible: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINNT\system32\DRIVERS\raspppoe.sys

Address: 0xF6362000 Size: 41472 File Visible: -

Status: -

Name: raspptp.sys

Image Path: C:\WINNT\system32\DRIVERS\raspptp.sys

Address: 0xF6352000 Size: 48384 File Visible: -

Status: -

Name: raspti.sys

Image Path: C:\WINNT\system32\DRIVERS\raspti.sys

Address: 0xF77D5000 Size: 16512 File Visible: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2142208 File Visible: -

Status: -

Name: rdbss.sys

Image Path: C:\WINNT\system32\DRIVERS\rdbss.sys

Address: 0xA30FC000 Size: 174592 File Visible: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINNT\System32\DRIVERS\RDPCDD.sys

Address: 0xF7A29000 Size: 4224 File Visible: -

Status: -

Name: rdpdr.sys

Image Path: C:\WINNT\system32\DRIVERS\rdpdr.sys

Address: 0xF3F80000 Size: 196864 File Visible: -

Status: -

Name: redbook.sys

Image Path: C:\WINNT\system32\DRIVERS\redbook.sys

Address: 0xF7655000 Size: 57472 File Visible: -

Status: -

Name: resmgr.sys

Image Path: C:\WINNT\system32\NetWare\resmgr.sys

Address: 0x9D5A5000 Size: 27168 File Visible: -

Status: -

Name: RimSerial.sys

Image Path: C:\WINNT\system32\DRIVERS\RimSerial.sys

Address: 0xF77DD000 Size: 26496 File Visible: -

Status: -

Name: RootMdm.sys

Image Path: C:\WINNT\System32\Drivers\RootMdm.sys

Address: 0xF7A6B000 Size: 5888 File Visible: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINNT\system32\drivers\rootrepeal.sys

Address: 0x9C213000 Size: 45056 File Visible: No

Status: -

Name: sfc.SYS

Image Path: C:\WINNT\System32\Drivers\sfc.SYS

Address: 0x9BA8C000 Size: 10560 File Visible: No

Status: -

Name: sr.sys

Image Path: sr.sys

Address: 0xF7262000 Size: 73472 File Visible: -

Status: -

Name: srvloc.sys

Image Path: C:\WINNT\system32\NetWare\srvloc.sys

Address: 0x9D262000 Size: 159904 File Visible: -

Status: -

Name: svrsvc_.sys

Image Path: c:\winnt\system32\svrsvc\svrsvc_.sys

Address: 0xA5334000 Size: 25472 File Visible: -

Status: -

Name: swenum.sys

Image Path: C:\WINNT\system32\DRIVERS\swenum.sys

Address: 0xF7A75000 Size: 4352 File Visible: -

Status: -

Name: SynTP.sys

Image Path: C:\WINNT\system32\DRIVERS\SynTP.sys

Address: 0xF4830000 Size: 177664 File Visible: -

Status: -

Name: sysaudio.sys

Image Path: C:\WINNT\system32\drivers\sysaudio.sys

Address: 0x9CFAF000 Size: 60800 File Visible: -

Status: -

Name: tcpip.sys

Image Path: C:\WINNT\system32\DRIVERS\tcpip.sys

Address: 0xA31E4000 Size: 360960 File Visible: -

Status: -

Name: TDI.SYS

Image Path: C:\WINNT\system32\DRIVERS\TDI.SYS

Address: 0xF791D000 Size: 20480 File Visible: -

Status: -

Name: termdd.sys

Image Path: C:\WINNT\system32\DRIVERS\termdd.sys

Address: 0xF5251000 Size: 40704 File Visible: -

Status: -

Name: TPHKDRV.sys

Image Path: C:\WINNT\system32\DRIVERS\TPHKDRV.sys

Address: 0xA533C000 Size: 16480 File Visible: -

Status: -

Name: Tppwrif.sys

Image Path: C:\WINNT\System32\drivers\Tppwrif.sys

Address: 0xA5344000 Size: 20480 File Visible: -

Status: -

Name: TSMAPIP.SYS

Image Path: C:\WINNT\System32\drivers\TSMAPIP.SYS

Address: 0xA534C000 Size: 24576 File Visible: -

Status: -

Name: update.sys

Image Path: C:\WINNT\system32\DRIVERS\update.sys

Address: 0xF3F4C000 Size: 209408 File Visible: -

Status: -

Name: USBD.SYS

Image Path: C:\WINNT\system32\DRIVERS\USBD.SYS

Address: 0xF7A61000 Size: 8192 File Visible: -

Status: -

Name: usbehci.sys

Image Path: C:\WINNT\system32\DRIVERS\usbehci.sys

Address: 0xF78C5000 Size: 26624 File Visible: -

Status: -

Name: usbhub.sys

Image Path: C:\WINNT\system32\DRIVERS\usbhub.sys

Address: 0xA94F2000 Size: 57856 File Visible: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINNT\system32\DRIVERS\USBPORT.SYS

Address: 0xF4BF9000 Size: 143360 File Visible: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINNT\system32\DRIVERS\usbuhci.sys

Address: 0xF78BD000 Size: 20480 File Visible: -

Status: -

Name: vga.sys

Image Path: C:\WINNT\System32\drivers\vga.sys

Address: 0xA5364000 Size: 20992 File Visible: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINNT\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xF4C5D000 Size: 81920 File Visible: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF7535000 Size: 52352 File Visible: -

Status: -

Name: wanarp.sys

Image Path: C:\WINNT\system32\DRIVERS\wanarp.sys

Address: 0xA5A97000 Size: 34560 File Visible: -

Status: -

Name: watchdog.sys

Image Path: C:\WINNT\System32\watchdog.sys

Address: 0x9DBEF000 Size: 20480 File Visible: -

Status: -

Name: wdmaud.sys

Image Path: C:\WINNT\system32\drivers\wdmaud.sys

Address: 0x9CD42000 Size: 82944 File Visible: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: -

Status: -

Name: win32k.sys

Image Path: C:\WINNT\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: -

Status: -

Name: wmiacpi.sys

Image Path: C:\WINNT\system32\DRIVERS\wmiacpi.sys

Address: 0xF701F000 Size: 8832 File Visible: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINNT\system32\DRIVERS\WMILIB.SYS

Address: 0xF7A17000 Size: 8192 File Visible: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2142208 File Visible: -

Status: -

Name: WNTHW.SYS

Image Path: C:\WINNT\system32\DRIVERS\WNTHW.SYS

Address: 0x9E31A000 Size: 5760 File Visible: -

Status: -

DDS.txt:

DDS (Ver_09-03-16.01) - NTFSx86

Run by cwiakj at 20:07:28.01 on Fri 05/01/2009

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.224 [GMT -4:00]

============== Running Processes ===============

C:\WINNT\System32\Novell\XTAgent.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\svchost -k DcomLaunch

svchost.exe

C:\WINNT\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\cvpnd.exe

C:\Program Files\iPass\iPassConnect\iPCAgent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Novell\ZENworks\nalntsrv.exe

c:\oracle\products\9.2.0.1\bin\omtsreco.exe

C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Novell\ZENworks\NalAgent.exe

C:\WINNT\system32\igfxtray.exe

C:\WINNT\system32\igfxsrvc.exe

C:\WINNT\system32\igfxpers.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\WINNT\system32\TpShocks.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\WINNT\system32\dpmw32.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\eRoom 7\ERClient7.exe

c:\winnt\system32\svrsvc\svrsvc.exe

C:\WINNT\System32\TPHDEXLG.exe

C:\WINNT\system32\TpKmpSVC.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\WINNT\system32\SearchIndexer.exe

C:\Program Files\Novell\ZENworks\wm.exe

C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\SearchProtocolHost.exe

C:\Documents and Settings\cwiakj\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://onebms.bms.com/

mDefault_Page_URL = hxxp://onebms.bms.com

uInternet Connection Wizard,ShellNext = hxxp://ie.bms.com/cs/ie.nsf/thunderbird

uInternet Settings,ProxyOverride = <local>

mWinlogon: System=ziswin.exe

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe

mRun: [Naldesk] "c:\program files\novell\zenworks\NALDESK.EXE" /ns

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\winnt\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe

mRun: [Persistence] c:\winnt\system32\igfxpers.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [TpShocks] TpShocks.exe

mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [DLA] c:\winnt\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [NDPS] c:\winnt\system32\dpmw32.exe

mRun: [ZENRC Tray Icon] c:\winnt\system32\zentray.exe

mRun: [bMS Asset Confirmation] c:\i386\options\zam languages\AssetConfirmation-01.exe

mRun: [shStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey

mRun: [NWTRAY] NWTRAY.EXE

mRun: [CfgDownload] c:\program files\ixos\bin\CfgDownload.exe

mRun: [sKDaemon.exe] c:\program files\lenovo\productivity keyboard\SKDaemon.exe

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [DMXLauncher] "c:\program files\sonic\product\media experience\DMXLauncher.exe"

mRun: [OdTray.exe] "c:\program files\juniper networks\odyssey access client\OdTray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\cwiakj\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe

StartupFolder: c:\docume~1\cwiakj\startm~1\programs\startup\monito~1.lnk - c:\program files\eroom 7\ERClient7.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\winnt\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bms-im~1.lnk - c:\program files\bms-imss\remoteaccess vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = iesetup.exe

uPolicies-disallowrun: 2 = IE7-WindowsXP-x86-enu.exe

mPolicies-explorer: NoViewOnDrive = 4194304 (0x400000)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

DPF: RightSiteApplet - hxxp://rapid.bms.com/RightSiteDir/applet/rs_applet.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} - file://c:\documents and settings\system\local settings\temp\sisd\STUrlConLoader.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab

DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} - file://c:\documents and settings\system\local settings\temp\sisd\STAutoAwayLoader.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://hpwnavp01.net.bms.com/eRoomSetup/client.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - file://c:\documents and settings\system\local settings\temp\sisd\STJNILoader.cab

DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

Notify: igfxcui - igfxdev.dll

Notify: NetIdentity Notification - c:\winnt\system32\novell\XtNotify.dll

Notify: OdysseyClient - odyEvent.dll

Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll

Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll

SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 nwv1_0 c:\winnt\system32\mlJYpQgh

============= SERVICES / DRIVERS ===============

R0 odFips;odFips;c:\winnt\system32\drivers\odFIPS.sys [2006-1-23 254208]

R0 Shockprf;Shockprf;c:\winnt\system32\drivers\ApsX86.sys [2007-3-2 100656]

R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [2007-3-2 19760]

R1 NaiAvTdi1;NaiAvTdi1;c:\winnt\system32\drivers\mvstdi5x.sys [2008-1-10 59904]

R1 svrsvc_;svrsvc_;c:\winnt\system32\svrsvc\svrsvc_.sys [2007-2-1 25472]

R1 TPPWRIF;TPPWRIF;c:\winnt\system32\drivers\TPPWRIF.SYS [2008-1-10 4442]

R2 BlankScr;HBDevice;c:\winnt\system32\drivers\blankscr.sys [2005-5-23 6899]

R2 iPCAgent;iPCAgent;c:\program files\ipass\ipassconnect\iPCAgent.exe [2008-1-10 90112]

R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-6-14 87664]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-10-18 179856]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-1-10 98304]

R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2007-11-26 29184]

R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\winnt\system32\drivers\mdc80211.sys [2008-1-10 15793]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]

R2 svrsvc;svrsvc;c:\winnt\system32\svrsvc\svrsvc.exe [2007-2-1 737280]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2008-1-10 49152]

R2 WNTHW;WNTHW;c:\winnt\system32\drivers\WNTHW.SYS [2008-1-10 9176]

R2 XTAgent;Novell XTier Agent Services;c:\winnt\system32\novell\xtagent.exe [2006-5-2 61440]

R3 Darpan;Darpan;c:\winnt\system32\drivers\Darpan.sys [2005-5-23 2773]

R3 jnprna;Juniper Network Agent Miniport;c:\winnt\system32\drivers\jnprna.sys [2007-6-14 398720]

R3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [2008-10-18 15504]

R3 NaiAvFilter1;NaiAvFilter1;c:\winnt\system32\drivers\naiavf5x.sys [2008-1-10 117024]

S1 pxhelp200;pxhelp200;c:\winnt\system32\drivers\pxhelp200.sys --> c:\winnt\system32\drivers\pxhelp200.sys [?]

S2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2007-11-26 221191]

S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\common files\juniper networks\tnc client\jTnccService.exe [2007-6-20 81992]

S3 OracleORAHOME92_DTSClientCache;OracleORAHOME92_DTSClientCache;c:\oracle\products\9.2.0.1\bin\ONRSD.EXE [2002-4-26 242328]

S3 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2008-5-19 189792]

=============== Created Last 30 ================

2009-05-01 19:29 <DIR> --d----- c:\program files\Root Repeal

2009-04-30 08:02 <DIR> --d----- c:\program files\Trend Micro

2009-04-30 07:26 3,636,864 a------- c:\winnt\system32\drivers\NETw5x32.sys

2009-04-30 07:26 2,756,608 a------- c:\winnt\system32\NETw5r32.dll

2009-04-30 07:26 663,552 a------- c:\winnt\system32\NETw5c32.dll

2009-04-28 21:40 <DIR> --d----- c:\program files\Lavasoft

2009-04-28 21:26 162,304 a------- c:\winnt\system32\ztvunrar36.dll

2009-04-28 21:26 77,312 a------- c:\winnt\system32\ztvunace26.dll

2009-04-28 21:26 75,264 a------- c:\winnt\system32\unacev2.dll

2009-04-28 21:26 69,632 a------- c:\winnt\system32\ztvcabinet.dll

2009-04-28 21:26 153,088 a------- c:\winnt\system32\UNRAR3.dll

2009-04-24 14:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GARMIN

2009-04-24 14:25 <DIR> --d----- C:\Garmin

2009-04-23 20:25 <DIR> --d----- c:\docume~1\cwiakj\applic~1\GARMIN

2009-04-23 20:24 <DIR> --d----- c:\program files\Garmin GPS Plugin

2009-04-23 20:24 <DIR> --d----- c:\program files\Garmin

==================== Find3M ====================

2009-04-28 08:14 90,112 a------- c:\winnt\DUMP4b32.tmp

2009-04-06 15:32 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys

2009-04-06 15:32 15,504 a------- c:\winnt\system32\drivers\mbam.sys

2009-02-06 17:00 35,080 a---h--- c:\winnt\system32\mlfcache.dat

2008-01-10 18:08 1,484 a------- c:\program files\INSTALL.LOG

2005-07-29 17:24 472 ac-shr-- c:\winnt\qk1t\k4Yn.vbs

============= FINISH: 20:07:56.04 ===============

Attach.txt:

DDS (Ver_09-03-16.01) - NTFSx86

Run by cwiakj at 20:07:28.01 on Fri 05/01/2009

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.224 [GMT -4:00]

============== Running Processes ===============

C:\WINNT\System32\Novell\XTAgent.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\svchost -k DcomLaunch

svchost.exe

C:\WINNT\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\cvpnd.exe

C:\Program Files\iPass\iPassConnect\iPCAgent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Novell\ZENworks\nalntsrv.exe

c:\oracle\products\9.2.0.1\bin\omtsreco.exe

C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Novell\ZENworks\NalAgent.exe

C:\WINNT\system32\igfxtray.exe

C:\WINNT\system32\igfxsrvc.exe

C:\WINNT\system32\igfxpers.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\WINNT\system32\TpShocks.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\WINNT\system32\dpmw32.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\eRoom 7\ERClient7.exe

c:\winnt\system32\svrsvc\svrsvc.exe

C:\WINNT\System32\TPHDEXLG.exe

C:\WINNT\system32\TpKmpSVC.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\WINNT\system32\SearchIndexer.exe

C:\Program Files\Novell\ZENworks\wm.exe

C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\SearchProtocolHost.exe

C:\Documents and Settings\cwiakj\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://onebms.bms.com/

mDefault_Page_URL = hxxp://onebms.bms.com

uInternet Connection Wizard,ShellNext = hxxp://ie.bms.com/cs/ie.nsf/thunderbird

uInternet Settings,ProxyOverride = <local>

mWinlogon: System=ziswin.exe

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe

mRun: [Naldesk] "c:\program files\novell\zenworks\NALDESK.EXE" /ns

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\winnt\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe

mRun: [Persistence] c:\winnt\system32\igfxpers.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [TpShocks] TpShocks.exe

mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [DLA] c:\winnt\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [NDPS] c:\winnt\system32\dpmw32.exe

mRun: [ZENRC Tray Icon] c:\winnt\system32\zentray.exe

mRun: [bMS Asset Confirmation] c:\i386\options\zam languages\AssetConfirmation-01.exe

mRun: [shStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey

mRun: [NWTRAY] NWTRAY.EXE

mRun: [CfgDownload] c:\program files\ixos\bin\CfgDownload.exe

mRun: [sKDaemon.exe] c:\program files\lenovo\productivity keyboard\SKDaemon.exe

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [DMXLauncher] "c:\program files\sonic\product\media experience\DMXLauncher.exe"

mRun: [OdTray.exe] "c:\program files\juniper networks\odyssey access client\OdTray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\cwiakj\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe

StartupFolder: c:\docume~1\cwiakj\startm~1\programs\startup\monito~1.lnk - c:\program files\eroom 7\ERClient7.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\winnt\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bms-im~1.lnk - c:\program files\bms-imss\remoteaccess vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-explorer: DisallowCpl = 1 (0x1)

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

uPolicies-explorer: DisallowRun = 1 (0x1)

uPolicies-disallowrun: 1 = iesetup.exe

uPolicies-disallowrun: 2 = IE7-WindowsXP-x86-enu.exe

mPolicies-explorer: NoViewOnDrive = 4194304 (0x400000)

mPolicies-system: CompatibleRUPSecurity = 1 (0x1)

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll

DPF: RightSiteApplet - hxxp://rapid.bms.com/RightSiteDir/applet/rs_applet.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} - file://c:\documents and settings\system\local settings\temp\sisd\STUrlConLoader.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab

DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} - file://c:\documents and settings\system\local settings\temp\sisd\STAutoAwayLoader.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxp://hpwnavp01.net.bms.com/eRoomSetup/client.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - file://c:\documents and settings\system\local settings\temp\sisd\STJNILoader.cab

DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

Notify: igfxcui - igfxdev.dll

Notify: NetIdentity Notification - c:\winnt\system32\novell\XtNotify.dll

Notify: OdysseyClient - odyEvent.dll

Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll

Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll

SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll

SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 nwv1_0 c:\winnt\system32\mlJYpQgh

============= SERVICES / DRIVERS ===============

R0 odFips;odFips;c:\winnt\system32\drivers\odFIPS.sys [2006-1-23 254208]

R0 Shockprf;Shockprf;c:\winnt\system32\drivers\ApsX86.sys [2007-3-2 100656]

R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [2007-3-2 19760]

R1 NaiAvTdi1;NaiAvTdi1;c:\winnt\system32\drivers\mvstdi5x.sys [2008-1-10 59904]

R1 svrsvc_;svrsvc_;c:\winnt\system32\svrsvc\svrsvc_.sys [2007-2-1 25472]

R1 TPPWRIF;TPPWRIF;c:\winnt\system32\drivers\TPPWRIF.SYS [2008-1-10 4442]

R2 BlankScr;HBDevice;c:\winnt\system32\drivers\blankscr.sys [2005-5-23 6899]

R2 iPCAgent;iPCAgent;c:\program files\ipass\ipassconnect\iPCAgent.exe [2008-1-10 90112]

R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-6-14 87664]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-10-18 179856]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-1-10 98304]

R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2007-11-26 29184]

R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\winnt\system32\drivers\mdc80211.sys [2008-1-10 15793]

R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]

R2 svrsvc;svrsvc;c:\winnt\system32\svrsvc\svrsvc.exe [2007-2-1 737280]

R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2008-1-10 49152]

R2 WNTHW;WNTHW;c:\winnt\system32\drivers\WNTHW.SYS [2008-1-10 9176]

R2 XTAgent;Novell XTier Agent Services;c:\winnt\system32\novell\xtagent.exe [2006-5-2 61440]

R3 Darpan;Darpan;c:\winnt\system32\drivers\Darpan.sys [2005-5-23 2773]

R3 jnprna;Juniper Network Agent Miniport;c:\winnt\system32\drivers\jnprna.sys [2007-6-14 398720]

R3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [2008-10-18 15504]

R3 NaiAvFilter1;NaiAvFilter1;c:\winnt\system32\drivers\naiavf5x.sys [2008-1-10 117024]

S1 pxhelp200;pxhelp200;c:\winnt\system32\drivers\pxhelp200.sys --> c:\winnt\system32\drivers\pxhelp200.sys [?]

S2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2007-11-26 221191]

S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\common files\juniper networks\tnc client\jTnccService.exe [2007-6-20 81992]

S3 OracleORAHOME92_DTSClientCache;OracleORAHOME92_DTSClientCache;c:\oracle\products\9.2.0.1\bin\ONRSD.EXE [2002-4-26 242328]

S3 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2008-5-19 189792]

=============== Created Last 30 ================

2009-05-01 19:29 <DIR> --d----- c:\program files\Root Repeal

2009-04-30 08:02 <DIR> --d----- c:\program files\Trend Micro

2009-04-30 07:26 3,636,864 a------- c:\winnt\system32\drivers\NETw5x32.sys

2009-04-30 07:26 2,756,608 a------- c:\winnt\system32\NETw5r32.dll

2009-04-30 07:26 663,552 a------- c:\winnt\system32\NETw5c32.dll

2009-04-28 21:40 <DIR> --d----- c:\program files\Lavasoft

2009-04-28 21:26 162,304 a------- c:\winnt\system32\ztvunrar36.dll

2009-04-28 21:26 77,312 a------- c:\winnt\system32\ztvunace26.dll

2009-04-28 21:26 75,264 a------- c:\winnt\system32\unacev2.dll

2009-04-28 21:26 69,632 a------- c:\winnt\system32\ztvcabinet.dll

2009-04-28 21:26 153,088 a------- c:\winnt\system32\UNRAR3.dll

2009-04-24 14:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GARMIN

2009-04-24 14:25 <DIR> --d----- C:\Garmin

2009-04-23 20:25 <DIR> --d----- c:\docume~1\cwiakj\applic~1\GARMIN

2009-04-23 20:24 <DIR> --d----- c:\program files\Garmin GPS Plugin

2009-04-23 20:24 <DIR> --d----- c:\program files\Garmin

==================== Find3M ====================

2009-04-28 08:14 90,112 a------- c:\winnt\DUMP4b32.tmp

2009-04-06 15:32 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys

2009-04-06 15:32 15,504 a------- c:\winnt\system32\drivers\mbam.sys

2009-02-06 17:00 35,080 a---h--- c:\winnt\system32\mlfcache.dat

2008-01-10 18:08 1,484 a------- c:\program files\INSTALL.LOG

2005-07-29 17:24 472 ac-shr-- c:\winnt\qk1t\k4Yn.vbs

============= FINISH: 20:07:56.04 ===============

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:44:08 PM, on 5/1/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\Novell\XTAgent.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\cvpnd.exe

C:\Program Files\iPass\iPassConnect\iPCAgent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Novell\ZENworks\nalntsrv.exe

c:\oracle\products\9.2.0.1\bin\omtsreco.exe

C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

c:\winnt\system32\svrsvc\svrsvc.exe

C:\WINNT\System32\TPHDEXLG.exe

C:\WINNT\system32\TpKmpSVC.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\WINNT\system32\SearchIndexer.exe

C:\Program Files\Novell\ZENworks\wm.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINNT\system32\igfxtray.exe

C:\Program Files\Novell\ZENworks\NalAgent.exe

C:\WINNT\system32\hkcmd.exe

C:\WINNT\system32\igfxpers.exe

C:\WINNT\system32\igfxsrvc.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\WINNT\system32\TpShocks.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\WINNT\system32\dpmw32.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

C:\Program Files\eRoom 7\ERClient7.exe

C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe

C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onebms.bms.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://onebms.bms.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.bms.com/cs/ie.nsf/thunderbird

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mcd-server/mcd/proxy.pac

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Naldesk] "C:\Program Files\Novell\ZENworks\NALDESK.EXE" /ns

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\system32\zentray.exe

O4 - HKLM\..\Run: [bMS Asset Confirmation] C:\i386\Options\ZAM Languages\AssetConfirmation-01.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\bin\CfgDownload.exe

O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe"

O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe

O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BMS-IMSS RemoteAccess VPN Client.lnk = C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\vpngui.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll

O12 - Plugin for .cgi: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O14 - IERESET.INF: START_PAGE_URL=http://onebms.bms.com

O16 - DPF: RightSiteApplet - http://rapid.bms.com/RightSiteDir/applet/rs_applet.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STUrlConLoader.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STAutoAwayLoader.cab

O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - http://hpwnavp01.net.bms.com/eRoomSetup/client.cab

O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STJNILoader.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O17 - HKLM\Software\..\Telephony: DomainName = one.ads.bms.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\cvpnd.exe

O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINNT\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe

O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe

O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\products\9.2.0.1\bin\omtsreco.exe

O23 - Service: OracleORAHOME92_DTSClientCache - Unknown owner - c:\oracle\products\9.2.0.1\BIN\ONRSD.EXE

O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe

O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: svrsvc - Unknown owner - c:\winnt\system32\svrsvc\svrsvc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINNT\System32\Novell\XTAgent.exe

O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--

End of file - 16502 bytes


Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Do NOT run Combofix yet - we are going to launch it with a script that we will use to manually specify items for deletion.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

We have some more files, folders and registry entries to clean up that we will manually specify for deletion by using a Combofix script.

Suspect::
c:\winnt\qk1t\k4Yn.vbs

KillAll::

Driver::
sfc
pxhelp200

File::
C:\WINNT\System32\Drivers\sfc.SYS
c:\winnt\system32\drivers\pxhelp200.sys

FileLook::
c:\winnt\qk1t\k4Yn.vbs

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

  • This will cause ComboFix to run.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HJT log.


Had some issues with the system locking during/after the ComboFix run. Had to stop some of the start up processes and was able to complete boot up.

Here's the ComboFix.txt log:

ComboFix 09-05-02.4 - cwiakj 05/02/2009 20:56:17.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.507 [GMT -4:00]

Running from: C:\Documents and Settings\cwiakj\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\cwiakj\Desktop\CFScript.txt

FILE ::

c:\winnt\system32\drivers\pxhelp200.sys

C:\WINNT\System32\Drivers\sfc.SYS

file zipped: c:\WINNT\Qk1T\Suspect_k4Yn.vbs.vir

.

And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:18:29 PM, on 5/2/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\Novell\XTAgent.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\cvpnd.exe

C:\Program Files\iPass\iPassConnect\iPCAgent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Novell\ZENworks\nalntsrv.exe

c:\oracle\products\9.2.0.1\bin\omtsreco.exe

C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

c:\winnt\system32\svrsvc\svrsvc.exe

C:\WINNT\System32\TPHDEXLG.exe

C:\WINNT\system32\TpKmpSVC.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\WINNT\system32\SearchIndexer.exe

C:\Program Files\Novell\ZENworks\wm.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\taskmgr.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINNT\system32\igfxtray.exe

C:\WINNT\system32\hkcmd.exe

C:\WINNT\system32\igfxsrvc.exe

C:\WINNT\system32\igfxpers.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Novell\ZENworks\NalAgent.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\WINNT\system32\TpShocks.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\WINNT\system32\dpmw32.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\eRoom 7\ERClient7.exe

C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE

C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\WINNT\system32\msiexec.exe

C:\WINNT\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onebms.bms.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.bms.com/cs/ie.nsf/thunderbird

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://mcd-server/mcd/proxy.pac

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Naldesk] "C:\Program Files\Novell\ZENworks\NALDESK.EXE" /ns

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\system32\zentray.exe

O4 - HKLM\..\Run: [bMS Asset Confirmation] C:\i386\Options\ZAM Languages\AssetConfirmation-01.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\bin\CfgDownload.exe

O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe"

O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\CF3119.exe /c C:\ComboFix\Combobatch.bat

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe

O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BMS-IMSS RemoteAccess VPN Client.lnk = C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\vpngui.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll

O12 - Plugin for .cgi: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O14 - IERESET.INF: START_PAGE_URL=http://onebms.bms.com

O16 - DPF: RightSiteApplet - http://rapid.bms.com/RightSiteDir/applet/rs_applet.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STUrlConLoader.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab

O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STAutoAwayLoader.cab

O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - http://hpwnavp01.net.bms.com/eRoomSetup/client.cab

O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STJNILoader.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O17 - HKLM\Software\..\Telephony: DomainName = one.ads.bms.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = one.ads.bms.com

O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\BMS-IMSS\RemoteAccess VPN Client\cvpnd.exe

O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINNT\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe

O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe

O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\products\9.2.0.1\bin\omtsreco.exe

O23 - Service: OracleORAHOME92_DTSClientCache - Unknown owner - c:\oracle\products\9.2.0.1\BIN\ONRSD.EXE

O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\BLUEPR~1\Bin\CTskMstr.exe

O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe

O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)

O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: svrsvc - Unknown owner - c:\winnt\system32\svrsvc\svrsvc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINNT\System32\Novell\XTAgent.exe

O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--

End of file - 16004 bytes

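A way to triage a log like the one above programmatically, as an added example that is not part of this post or of HijackThis itself: the script parses the O4 (autorun), O16 (downloaded ActiveX) and O23 (service) lines and attaches review flags for the things a helper scans for first (paths under a Temp directory, missing service binaries, services with no vendor string, bare filenames resolved through the search path, autoruns outside the usual install directories). The heuristics, the `STANDARD_ROOTS` list and the `triage` function are this example's own; a flag means the entry deserves a second look, not that it is malicious. The sample lines are copied from the log above.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from the forum post or from
HijackThis. It parses the O4 (autorun), O16 (downloaded ActiveX) and
O23 (service) lines and attaches review flags using heuristics of this
example's own. A flag means "look at this entry first", not "malicious".
"""
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# benign entries included, so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [bMS Asset Confirmation] C:\i386\Options\ZAM Languages\AssetConfirmation-01.exe
O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} - file://C:\Documents and Settings\SYSTEM\Local Settings\Temp\SISD\STUrlConLoader.cab
O23 - Service: svrsvc - Unknown owner - c:\winnt\system32\svrsvc\svrsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: (?P<ident>\S+)(?: \((?P<desc>[^)]*)\))? - (?P<url>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Where software on an XP build like this one is normally installed. An
# autorun or service pointing elsewhere is worth a look (this example's
# heuristic, not a HijackThis rule).
STANDARD_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\winnt")


def _image_path(cmd):
    """Extract the executable or DLL path from an autorun command line."""
    cmd = re.sub(r"^rundll32(?:\.exe)?\s+", "", cmd, flags=re.I)
    m = re.match(r'"?(.+?\.(?:exe|dll))', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def _path_flags(path):
    """Review flags derived from the image path alone."""
    flags = []
    low = path.lower()
    if "\\temp\\" in low:
        flags.append("loads from a Temp directory")
    if "(file missing)" in low:
        flags.append("binary is missing (stale entry, or already removed)")
    elif "\\" not in low:
        flags.append("bare filename, resolved through the search path")
    elif not low.startswith(STANDARD_ROOTS):
        flags.append("outside the standard install directories")
    return flags


def triage(log_text):
    """Return one {kind, name, path, flags} dict per parsed O4/O16/O23 line."""
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            o4 = O4_RE.match(body)
            if o4:
                path = _image_path(o4.group("cmd"))
                results.append({"kind": kind, "name": o4.group("name"),
                                "path": path, "flags": _path_flags(path)})
        elif kind == "O16":
            o16 = O16_RE.match(body)
            if o16:
                url = o16.group("url")
                flags = []
                if url.lower().startswith("file://"):
                    flags.append("ActiveX control registered from a local file rather than a web site")
                if "\\temp\\" in url.lower():
                    flags.append("loads from a Temp directory")
                results.append({"kind": kind, "name": o16.group("desc") or o16.group("ident"),
                                "path": url, "flags": flags})
        elif kind == "O23":
            o23 = O23_RE.match(body)
            if o23:
                flags = _path_flags(o23.group("path"))
                if o23.group("vendor").lower() == "unknown owner":
                    flags.append("no vendor string; verify the binary's origin")
                results.append({"kind": kind, "name": o23.group("name"),
                                "path": o23.group("path"), "flags": flags})
    return results


def flagged(log_text):
    """Only the entries carrying at least one flag, for a quick review list."""
    return [e for e in triage(log_text) if e["flags"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e['kind']} {e['name']!r}: {e['path']}")
        for f in e["flags"]:
            print(f"    - {f}")
```

Run against the full log, the review list comes out much shorter than the raw O4/O23 dump, and an entry with no flags (a known vendor, a normal install path) can be set aside without first checking every line by hand.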

I'm glad your computer is working normally now.

The million dollar question - if it's gone, what the heck was that???

You had a rootkit program on board that I would like a sample of for malware analysis once I see your quarantine log.

C:\qoobox\ComboFix-quarantined-files.txt

The Combofix.txt log you posted is very incomplete and I cannot tell anything by what was posted.

Are you sure that was the entire log? It should be as long as the DDS log.

Upon rechecking, if you find the Combofix.txt log was incomplete and only as long as you've already posted, then can you rerun Combofix with the same script, but this time do it in safe mode?

Please post the contents of this file before rerunning Combofix in safe mode:

C:\qoobox\ComboFix-quarantined-files.txt

Next, reboot into Safe Mode.

Windows 2000, XP:

1. Restart the computer

2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.

3. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes.

Relaunch Combofix with the CFScript I supplied in my last reply and post C:\Combofix.txt

I'm glad the problems you've been experiencing have improved; that's an indication that Combofix successfully removed the threat.

Please submit this file to the Virus Total Scanner or the Jotti malware scanner and attach the report it generates:

c:\winnt\system32\drivers\WNTHW.SYS


Make sure you can view hidden files and folders

Can you open a run line - Click Start -> Run

Then copy/paste the following bolded text into the Open box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

Does a file open in Notepad? If so post that back here.

If no file opens check to see if you have a C:\qoobox folder using Windows Explorer (hit Windows key + E simultaneously).


I was already able to view hidden files and folders and it's not there, but I should have said previously that I did have the qoobox folder.

In qoobox, I have the following folders:

BackEnv

LastRun

Quarantine

Test

TestC

And the following files:

CFScript_used_2009-05-02_20.56.08.txt

CF-Submit.htm

CurlIt.cmd

LogA

Should I try running CF again in safe mode?


I am interested in knowing if you have a zipped submission archive within the Qoobox\Quarantine folder because that will allow me to see what was deleted and get samples.

For now run RootRepeal file scan and post back the log as per my previous directions, because that will tell us if the rootkit has been removed.


Yes, there is a zipped file in the Qoobox\Quarantine folder.

Here is the Root Repeal log:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/05/05 21:13

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Hidden/Locked Files

-------------------

Path: C:\WINNT\system32\config\software.LOG

Status: Size mismatch (API: 16384, Raw: 1024)

Path: C:\oracle\products\9.2.0.1\oramts\trace\OracleMTSRecoveryService(1800).trc

Status: Size mismatch (API: 1107047, Raw: 1106683)

Path: C:\Documents and Settings\cwiakj\Application Data\Adobe\Acrobat\7.0\Preferences\AcrobatColorSettings.csf

Status: Could not get file information (Error 0xc0000008)

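What the helper reads out of that log, as an added example that is not part of this thread or of RootRepeal: the "Hidden/Locked Files" section lists files where the size reported by the Windows file API disagrees with the size RootRepeal reads from the raw NTFS structures, or where the API lookup fails outright. A rootkit filtering the API view lands in this list, but so does any file that is simply open for writing while the scan runs (a registry hive transaction log such as software.LOG, an Oracle trace file), which is why the paths are read before the list is called a rootkit. The parser below, and the volatile-extension list and review buckets it uses, are this example's own; the sample is the log posted above.

```python
"""Parse the "Hidden/Locked Files" section of a RootRepeal log.

Added example for this thread; not code from the forum post or from
RootRepeal. RootRepeal's file scan compares what the Windows file API
reports with what it reads from the raw NTFS structures and lists every
file where the two views disagree. A rootkit filtering the API view shows
up here, but so does a file that is simply open and being written while
the scan runs (registry hive .LOG files, trace logs), which is why a helper
reads the paths before calling the list a rootkit. The extension list and
the review buckets below are this example's own.
"""
import ntpath
import re

# Constructed sample: the three entries from the RootRepeal log posted above.
SAMPLE_LOG = r"""
Hidden/Locked Files
-------------------
Path: C:\WINNT\system32\config\software.LOG
Status: Size mismatch (API: 16384, Raw: 1024)

Path: C:\oracle\products\9.2.0.1\oramts\trace\OracleMTSRecoveryService(1800).trc
Status: Size mismatch (API: 1107047, Raw: 1106683)

Path: C:\Documents and Settings\cwiakj\Application Data\Adobe\Acrobat\7.0\Preferences\AcrobatColorSettings.csf
Status: Could not get file information (Error 0xc0000008)
"""

SIZE_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")
ERROR_RE = re.compile(r"\(Error (0x[0-9A-Fa-f]+)\)")

# File types that are routinely open for writing on a running XP system;
# an API/raw size difference on them is expected rather than suspicious.
VOLATILE_EXTENSIONS = {".log", ".trc", ".tmp"}

BUCKET_ERROR = "lookup error: rescan after a reboot or with a second tool"
BUCKET_VOLATILE = "expected: file open for writing during the scan"
BUCKET_REVIEW = "review: size mismatch on a file that should be static"


def parse_hidden_files(text):
    """Return one dict per Path/Status pair: path, status, api, raw, error."""
    entries = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Path: "):
            current = {"path": line[6:], "status": "", "api": None, "raw": None, "error": None}
            entries.append(current)
        elif line.startswith("Status: ") and current is not None:
            current["status"] = line[8:]
            size = SIZE_RE.search(current["status"])
            if size:
                current["api"], current["raw"] = int(size.group(1)), int(size.group(2))
            err = ERROR_RE.search(current["status"])
            if err:
                current["error"] = err.group(1)
    return entries


def classify(entry):
    """Put an entry in a review bucket (heuristic, not a RootRepeal verdict)."""
    if entry["error"] is not None or entry["api"] is None:
        return BUCKET_ERROR
    # ntpath handles the backslash paths correctly on any host platform.
    ext = ntpath.splitext(entry["path"])[1].lower()
    if ext in VOLATILE_EXTENSIONS:
        return BUCKET_VOLATILE
    return BUCKET_REVIEW


def summarize(text):
    """Count entries per bucket; a clean log has nothing in BUCKET_REVIEW."""
    counts = {BUCKET_ERROR: 0, BUCKET_VOLATILE: 0, BUCKET_REVIEW: 0}
    for entry in parse_hidden_files(text):
        counts[classify(entry)] += 1
    return counts


if __name__ == "__main__":
    for entry in parse_hidden_files(SAMPLE_LOG):
        delta = ""
        if entry["api"] is not None:
            delta = f" (API minus raw: {entry['api'] - entry['raw']:+d} bytes)"
        print(f"{classify(entry)}{delta}\n    {entry['path']}")
```

On the log above this yields two expected mismatches and one lookup error, and nothing in the review bucket, which matches the helper's reading that the rootkit is gone. A lookup error is still worth a second scan after reboot, since the tool could not see the file at all rather than seeing it differently.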

Great - the RootRepeal log shows there is no sign of the rootkit.

Can you please visit this submission webpage

In the "Link to topic where this file was requested: " box, copy and paste the url to this topic as follows:

http://www.malwarebytes.org/forums/index.php?act=post&do=reply_post&f=7&t=14947

Next, using the "Browse to the file you want to submit:" function, locate the zipped submission file within the C:\Qoobox\Quarantine\ folder.

Then click 'Send File'

Thanks!

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's active protection/guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve installing an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it:
    • Close the ESET scan Window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box:
    • The Scan results will now display in Notepad
  • Please copy and paste the ESET scan report that can be found in this location, C:\Program Files\EsetOnlineScanner\log.txt, into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.
