  #1  
Old September 11th, 2008, 09:03 PM
unluckysam unluckysam is offline
New Member
 
Join Date: Sep 2008
Posts: 6
Msa.exe

Hi - OS is Windows XP and it's infected and hijacked:

*changed my desktop wallpaper
*started running a program called "MS Antivirus", that I couldn't stop
*displayed several fake virus alerts telling me to "upgrade" my MS Antivirus
*changed my desktop icons
*wouldn't let me open the task manager
*displayed "virus alert" next to the clock (bottom right corner)
*won't let me see my hard drive from "My Computer" folder
*modified my windows menu
*in the console, the "virus alert" is written next to every document or program
*When I run HIJACKTHIS and try to fix entries, I get an alert saying Registry Edit is disabled.
*When I try to use Windows Restore, there are no previous restore points visible.

I will try to post a HIJACKTHIS scanfile in an hour or so - any more info I should provide?

Thanks!


  #2  
Old September 12th, 2008, 03:35 AM
unluckysam unluckysam is offline
New Member
 
Join Date: Sep 2008
Posts: 6
HJT Log

Okay, first, is there a way to work around this? I can't even get to the cybertechhelp website cause the browser gets hijacked. It's a pain to get the file over via a pda! Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:11: VIRUS ALERT!, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\mobileclient\bin\webtogo.exe
C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\ntdpsas\jboss\bin\NTDPS_JBoss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\product\10.1.0\lt_1\mobile_oc4j\j2ee\home\Oracle_Webtogo.exe
C:\oracle\product\10.1.0\db_1\bin\ocssd.exe
C:\oracle\product\10.1.0\db_1\bin\isqlplussvc.exe
C:\oracle\product\10.1.0\db_1\BIN\TNSLSNR.exe
c:\java\jdk1.5.0_05\bin\java.exe
c:\oracle\product\10.1.0\db_1\bin\ORACLE.EXE
  #3  
Old September 14th, 2008, 04:21 AM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 40,824
Blog Entries: 1
Welcome to CTH unluckysam,

I see enough in this shortened view to go ahead with some suggested repairs here, although in truth a more detailed view sets the stage for better chances of success, and less chance of unwanted changes made. Once you have completed the repairs step parts posted be sure to then post directly here and let's move to a more complete job of it.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Right click Here and download and unzip Miekiemoes' VArestorepolicies.zip to your desktop (Save Target/Link As). Then right click the VArestorepolicies.inf created and select Install. This may correct some of the changes like your use of the Task Manager (Thanks to Miekiemoes for the fix).

---------------------

Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

============================

You should now be back to where you can post here with fewer problems.

Download OldTimer's OTViewIt from here to your desktop, then click OTViewIt.exe to start the scan.

When the display opens place a check next to:

Scan All Users

Then click the Run Scan button to start the scan. Once that completes a textbox will open - copy/paste those contents here for review please. The log can also be found on your desktop as OTViewIt.Txt.

OTViewIt will also create a second log, Extras.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored on your desktop).

Note - do not press any other buttons or make any other changes when running the scan.

Post those logs along with the Malwarebytes log please.

You can use separate posts here when replying and posting the log files if needed.
  #4  
Old September 16th, 2008, 03:29 AM
unluckysam unluckysam is offline
New Member
 
Join Date: Sep 2008
Posts: 6
Thanks - here's the Malware log:

Malwarebytes' Anti-Malware 1.28
Database version: 1142
Windows 5.1.2600 Service Pack 3

9/12/2008 7:24:35 PM
mbam-log-2008-09-12 (19-24-35).txt

Scan type: Quick Scan
Objects scanned: 68297
Time elapsed: 9 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 7
Registry Keys Infected: 28
Registry Values Infected: 3
Registry Data Items Infected: 19
Folders Infected: 1
Files Infected: 77

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bghmauge.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\inljqrkp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\opnlLBRI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tuvWnoMG.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ihshri.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dhrdnfvh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kuidxg.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5963a944-2177-4cf1-adaa-e043be03de62} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5963a944-2177-4cf1-adaa-e043be03de62} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6afb6f98-289c-442e-b577-5e5125c742e2} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvwnomg (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6afb6f98-289c-442e-b577-5e5125c742e2} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cbec910e-c600-44fa-9489-f733111e4847} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{cbec910e-c600-44fa-9489-f733111e4847} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{2b9414f3-1e73-4041-8a8e-da759dfe68ab} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e7af1f35-6f2a-4c48-a4e3-eb8f4d9cbdfd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d9119587-89b9-4ee6-a9c5-bfd4706509d0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c01a38ac-2cbf-4291-9d57-6d705f6c19ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{106039ef-ce8e-4054-a308-ff505b1af2a2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{acf5c393-8d70-4ca8-a146-de9a3c394a34} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{39f63908-e12a-4a21-a7eb-67ca3b876c52} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39f63908-e12a-4a21-a7eb-67ca3b876c52} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.bwmq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b46936a8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6afb6f98-289c-442e-b577-5e5125c742e2} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnllbri -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnllbri -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Trace) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Trace) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-OEM-0011903-00102) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kuidxg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tuvWnoMG.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\opnlLBRI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\IRBLlnpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IRBLlnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bghmauge.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\eguamhgb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inljqrkp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pkrqjlni.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\todhjnjv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vjnjhdot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihshri.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dhrdnfvh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\mqgldfvo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXOFYpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifcCroL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkJdCTj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jrecisej.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjktnt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcjlvkgc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnkHYPj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnoNhGv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRIArQk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxUnlM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR11.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR12.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YURF.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\crewmember1\Local Settings\Temporary Internet Files\Content.IE5\0YDJ1U0C\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\crewmember1\Local Settings\Temporary Internet Files\Content.IE5\ER6D1AFJ\cntr[2].gif (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\crewmember1\Local Settings\Temporary Internet Files\Content.IE5\P3115DW1\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\crewmember1\Local Settings\Temporary Internet Files\Content.IE5\XTH99KTO\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.ooo (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSa.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\casino3.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\dtseqrxk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fqbewlna.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vmgspntbmtk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\crewmember1\Local Settings\Temp\lwpwer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\crewmember1\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\crewmember1\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\crewmember1\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
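
Added example, not part of the original thread and not Malwarebytes' code: a small parser for the log format posted above that checks the summary counts against the items actually present (a mismatch means the paste is incomplete) and lists the objects still marked "Delete on reboot", which are the ones to confirm gone after the restart. The sample is a constructed excerpt built from lines in that log, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed excerpt built from lines of the log above. "Files Infected" is
# deliberately declared as 6 while only 5 file lines follow, to mimic a cut-off paste.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Data Items Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bghmauge.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kuidxg.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvwnomg (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kuidxg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.exe (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
"""

# "Files Infected: 77" (summary, with a count) or "Files Infected:" (list header).
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:\s*(\d+)?$")
# "<object> (<Detection.Name>) -> [detail -> ]<action>."
ITEM_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<det>[A-Za-z]+(?:\.[A-Za-z]+)*)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return the declared per-section counts and every parsed detection line."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            name, count = m.groups()
            if count is not None:
                declared[name] = int(count)   # line from the summary block
            else:
                section = name                # header that opens an item list
            continue
        m = ITEM_RE.match(line)
        if m and section:
            parts = m.group("rest").split(" -> ")
            items.append({
                "section": section,
                "object": m.group("obj"),
                "detection": m.group("det"),
                "detail": " -> ".join(parts[:-1]),   # e.g. "Bad: (1) Good: (0)"
                "action": parts[-1].rstrip("."),
            })
    return {"declared": declared, "items": items}


def count_mismatches(parsed):
    """Sections whose declared count differs from the lines present: (declared, found)."""
    found = Counter(i["section"] for i in parsed["items"])
    return {s: (n, found.get(s, 0))
            for s, n in parsed["declared"].items() if n != found.get(s, 0)}


def pending_reboot(items):
    """Objects not yet removed; the same DLL can appear under both modules and files."""
    seen, out = set(), []
    for it in items:
        key = it["object"].lower()
        if it["action"] == "Delete on reboot" and key not in seen:
            seen.add(key)
            out.append(it["object"])
    return out


def by_family(items):
    """Count detections by the first two name components, case-insensitively."""
    return Counter(".".join(i["detection"].split(".")[:2]).lower() for i in items)


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(parsed))
    print("families:", dict(by_family(parsed["items"])))
    for obj in pending_reboot(parsed["items"]):
        print("verify after reboot:", obj)
```
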
  #5  
Old September 16th, 2008, 03:32 AM
unluckysam unluckysam is offline
New Member
 
Join Date: Sep 2008
Posts: 6
OT VIEWIT Log Part 1:

OTViewIt logfile created on: 9/15/2008 10:30:33 PM - Run 1
OTViewIt by OldTimer - Version 1.0.4.0 Folder = C:\Documents and Settings\crewmember1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 50.38% Memory free
3.85 Gb Paging File | 2.54 Gb Available in Paging File | 65.96% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 45.63 Gb Free Space | 61.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NTDPS-SERVER
Current User Name: crewmember1
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

========== Processes - Non-Microsoft Only ==========

[01/10/2007 01:59:32 | 00,108,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
[01/05/2007 04:19:28 | 00,047,712 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
[07/12/2004 13:33:52 | 00,184,320 | ---- | M] (Oracle Corporation) -- C:\mobileclient\bin\dmagent.exe
[01/10/2007 01:59:52 | 00,115,816 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[07/15/2004 13:57:24 | 00,036,864 | ---- | M] (Oracle Corporation) -- C:\mobileclient\bin\webtogo.exe
[08/29/2002 08:07:06 | 00,131,072 | ---- | M] (ActivCard S.A.) -- C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
[06/09/2004 14:27:34 | 00,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\Palm\Hotsync.exe
[09/12/2002 05:16:04 | 00,053,248 | ---- | M] (ActivCard S.A.) -- C:\Program Files\Common Files\ActivCard\acautoreg.exe
[06/28/2007 14:54:44 | 00,151,552 | ---- | M] (SprintNextel) -- C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
[08/11/2004 17:09:32 | 00,143,360 | ---- | M] (ActivCard) -- C:\Program Files\Common Files\ActivCard\accoca.exe
[09/12/2007 19:27:24 | 00,554,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
[01/10/2007 01:59:32 | 00,108,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
[01/20/2006 15:48:06 | 00,142,416 | R--- | M] (Command Software Systems, Inc.) -- C:\Program Files\Common Files\Command Software\dvpapi.exe
[05/02/2005 14:42:50 | 00,057,344 | R--- | M] (Alexandria Software Consulting + Multiplan Consultants) -- C:\ntdpsas\jboss\bin\NTDPS_JBoss.exe
[01/18/2006 18:23:09 | 00,053,248 | ---- | M] (Alexandria Software Consulting + Multiplan Consultants) -- C:\oracle\product\10.1.0\lt_1\mobile_oc4j\j2ee\home\Oracle_Webtogo.exe
[02/15/2007 20:05:29 | 00,773,444 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\BIN\ocssd.exe
[02/15/2007 20:05:11 | 00,045,056 | ---- | M] (Oracle) -- C:\oracle\product\10.1.0\db_1\BIN\isqlplussvc.exe
[03/05/2004 18:16:58 | 00,279,560 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\BIN\TNSLSNR.EXE
[08/12/2004 10:40:06 | 51,394,492 | ---- | M] (Oracle Corporation) -- c:\oracle\product\10.1.0\db_1\BIN\oracle.exe
[02/15/2007 20:05:29 | 00,773,444 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\BIN\ocssd.exe
[01/23/2008 16:50:21 | 01,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[09/15/2008 22:30:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\crewmember1\Desktop\OTViewIt.exe

========== (O23) Win32 Services - Non-Microsoft Only ==========

[09/12/2002 05:16:04 | 00,053,248 | ---- | M] (ActivCard S.A.) -- C:\Program Files\Common Files\ActivCard\acautoreg.exe -- (acautoreg [Auto | Running])
[06/28/2007 14:54:44 | 00,151,552 | ---- | M] (SprintNextel) -- C:\Program Files\Sprint\Mobile Broadband\SMBAUtilSvc.exe -- (Access Utility Service [Auto | Running])
[08/11/2004 17:09:32 | 00,143,360 | ---- | M] (ActivCard) -- C:\Program Files\Common Files\ActivCard\accoca.exe -- (Accoca [Auto | Running])
[09/12/2007 19:27:24 | 00,554,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])
[01/10/2007 01:59:32 | 00,108,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
[01/10/2007 01:59:32 | 00,108,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
[01/10/2007 01:59:32 | 00,108,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService [Auto | Running])
[01/12/2007 23:40:58 | 00,049,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost [On_Demand | Stopped])
[01/20/2006 15:48:06 | 00,142,416 | R--- | M] (Command Software Systems, Inc.) -- C:\Program Files\Common Files\Command Software\dvpapi.exe -- (dvpapi [Auto | Running])
[01/14/2007 03:11:06 | 00,080,504 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\isPwdSvc.exe -- (ISPwdSvc [On_Demand | Stopped])
[09/12/2007 19:27:24 | 02,999,664 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [On_Demand | Stopped])
[01/10/2007 01:59:32 | 00,108,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice Ex [Auto | Running])
[11/28/2007 20:51:10 | 00,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service [Auto | Stopped])
[05/02/2005 14:42:50 | 00,057,344 | R--- | M] (Alexandria Software Consulting + Multiplan Consultants) -- C:\ntdpsas\jboss\bin\NTDPS_JBoss.exe -- (NTDPS_JBoss [Auto | Running])
[01/18/2006 18:23:09 | 00,053,248 | ---- | M] (Alexandria Software Consulting + Multiplan Consultants) -- C:\oracle\product\10.1.0\lt_1\mobile_oc4j\j2ee\home\Oracle_Webtogo.exe -- (Oracle Webtogo [Auto | Running])
[02/15/2007 20:05:29 | 00,773,444 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\BIN\ocssd.exe -- (OracleCSService [Auto | Running])
[03/05/2004 00:33:24 | 00,034,579 | ---- | M] (Oracle Corporation) -- C:\oracle\product\10.1.0\db_1\BIN\nmesrvc.exe -- (OracleDBConsolentdps [On_Demand | Stopped])
[08/12/2004 10:40:06 | 00,096,816 | ---- | M] () -- c:\oracle\product\10.1.0\db_1\BIN\extjob.exe -- (OracleJobSchedulerNTDPS [Disabled | Stopped])
[02/15/2007 20:05:11 | 00,045,056 | ---- | M] (Oracle) -- C:\oracle\product\10.1.0\db_1\BIN\isqlplussvc.exe -- (OracleOraDb10g_home1iSQL*Plus [Auto | Running])
[02/15/2007 20:05:51 | 00,187,392 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\BIN\encsvc.exe -- (OracleOraDb10g_home1SNMPPeerEncapsulator [On_Demand | Stopped])
[02/15/2007 20:05:51 | 00,254,464 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\BIN\agntsvc.exe -- (OracleOraDb10g_home1SNMPPeerMasterAgent [On_Demand | Stopped])
[03/05/2004 18:16:58 | 00,279,560 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\BIN\TNSLSNR.EXE -- (OracleOraDb10g_home1TNSListener [Auto | Running])
[08/12/2004 10:40:06 | 51,394,492 | ---- | M] (Oracle Corporation) -- c:\oracle\product\10.1.0\db_1\BIN\oracle.exe -- (OracleServiceNTDPS [Auto | Running])
[01/23/2008 16:50:21 | 01,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [On_Demand | Running])
[01/05/2007 04:19:28 | 00,047,712 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe -- (SymAppCore [Auto | Running])

========== Driver Services - Non-Microsoft Only ==========

[08/02/2002 15:41:08 | 00,047,660 | R--- | M] (ActivCard) -- C:\WINDOWS\system32\drivers\actccid.sys -- (actccid [On_Demand | Stopped])
[02/06/2003 16:27:24 | 00,016,408 | ---- | M] (ActivCard S.A.) -- C:\WINDOWS\System32\drivers\ACTR.SYS -- (ACTR [Auto | Stopped])
[09/16/2003 17:20:40 | 00,014,784 | ---- | M] (ActivCard) -- C:\WINDOWS\system32\drivers\actrpcsc.sys -- (Actrpcsc [On_Demand | Running])
[12/13/2004 17:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
[01/20/2006 15:40:42 | 00,783,984 | R--- | M] (Command Software Systems, Inc.) -- C:\WINDOWS\system32\drivers\css-dvp.sys -- (CSS DVP [Auto | Running])
[08/30/2007 04:00:00 | 00,395,312 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[08/30/2007 04:00:00 | 00,112,688 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[07/17/2007 04:00:00 | 00,081,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071108.016\NAVENG.SYS -- (NAVENG [On_Demand | Running])
[07/17/2007 04:00:00 | 00,865,904 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071108.016\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
[06/14/2006 00:56:34 | 00,155,264 | ---- | M] (Novatel Wireless Inc) -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI [On_Demand | Running])
[01/30/2006 13:42:54 | 00,009,728 | ---- | M] (June Fabrics Technology Inc.) -- C:\WINDOWS\system32\drivers\palmmdm.sys -- (palmmdm [On_Demand | Running])
[03/19/2007 20:44:16 | 00,016,694 | ---- | M] (PalmSource, Inc.) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD [On_Demand | Stopped])
[04/14/2007 02:49:32 | 00,418,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
[12/01/2007 00:57:12 | 00,279,088 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP [System | Running])
[12/01/2007 00:57:12 | 00,317,616 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL [On_Demand | Stopped])
[12/01/2007 00:57:12 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX [System | Running])
[03/07/2008 13:39:54 | 00,012,848 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symdns.sys -- (SYMDNS [On_Demand | Running])
[05/30/2008 19:26:23 | 00,123,952 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[03/07/2008 13:39:54 | 00,145,968 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symfw.sys -- (SYMFW [On_Demand | Running])
[03/07/2008 13:39:54 | 00,039,984 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symids.sys -- (SYMIDS [On_Demand | Running])
[11/06/2007 12:07:07 | 00,158,064 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\20071107.002\SymIDSCo.sys -- (SYMIDSCO [On_Demand | Running])
[02/17/2007 15:04:10 | 00,010,344 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd [Auto | Running])
[03/07/2008 13:39:54 | 00,035,120 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symndis.sys -- (SYMNDIS [On_Demand | Running])
[03/07/2008 13:39:54 | 00,027,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Running])
[03/07/2008 13:39:54 | 00,191,536 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[03/01/2006 18:39:18 | 00,028,800 | ---- | M] (UPEK Inc.) -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb [On_Demand | Running])
File not found -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS -- (UIUSys [On_Demand | Stopped])


========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Secondary_Page_URL" =
"Extensions Off Page" = about:NoAdd-ons
"Local Page" = %SystemRoot%\system32\blank.htm
"Security Risk Page" = about:SecurityRisk
"Start Page" = http://www.msn.com/

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL" = http://www.google.com/ie
"SearchAssistant" = http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Page_Transitions" =
"Search Page" = http://www.google.com
"SearchMigratedDefaultName" = Google
"SearchMigratedDefaultURL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page" = http://www.google.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant" = http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"" = http://www.google.com/search?q=%s

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-448539723-823518204-839522115-1055\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Page_Transitions" =
"Search Page" = http://www.google.com
"SearchMigratedDefaultName" = Google
"SearchMigratedDefaultURL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page" = http://www.google.com/

[HKEY_USERS\S-1-5-21-448539723-823518204-839522115-1055\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant" = http://www.google.com/ie

[HKEY_USERS\S-1-5-21-448539723-823518204-839522115-1055\Software\Microsoft\Internet Explorer\SearchURL]
"" = http://www.google.com/search?q=%s

[HKEY_USERS\S-1-5-21-448539723-823518204-839522115-1055\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (837 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 localhost.ntdps.navy.mil
127.0.0.1 NTDPS-SERVER
127.0.0.1 NTDPS-SERVER.ntdps.navy.mil

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75} (HKLM) -- C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll (Symantec Corporation)
{3049C3E9-B461-4BC5-8870-4C09146192CA} (HKLM) -- C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

========== (O3) Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{C4069E3A-68F1-403E-B40E-20066696354B}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
"{29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-448539723-823518204-839522115-1055\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{C4069E3A-68F1-403E-B40E-20066696354B}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
"{29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"ccApp" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"DVDLauncher" = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" (CyberLink Corp.)
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
"OracleLite_DMC" = C:\mobileclient\bin\dmagent.exe /a (Oracle Corporation)
"OracleLite_WTG" = C:\mobileclient\bin\webtogo.exe (Oracle Corporation)
"osCheck" = "C:\Program Files\Norton Internet Security\osCheck.exe" (Symantec Corporation)
"QuickPassword" = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe (ActivCard S.A.)
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"Symantec PIF AlertEng" = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" (Symantec Corporation)
"TkBellExe" = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
  #6  
Old September 16th, 2008, 03:32 AM
unluckysam unluckysam is offline
New Member
 
Join Date: Sep 2008
Posts: 6
OTVIEWIT Log Part 2:



========== (O4) Startup Folders ==========

[06/09/2004 14:27:34 | 00,471,040 | ---- | M] (PalmSource, Inc) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
[02/20/2007 12:45:56 | 00,000,079 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NTDPSautostart.lnk = C:\mobileclient\bin\ntdps_auto_launch.bat

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-21-448539723-823518204-839522115-1055\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/control...ext=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
"" = http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{166B1BCA-3F9C-11CF-8075-444553540000}: http://download.macromedia.com/pub/s...irector/sw.cab -- Reg Error: Key does not exist or could not be opened.
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_07
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get.../ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{C7DB51B4-BCF7-4923-8874-7F1A0DC92277}: http://office.microsoft.com/officeup...tent/opuc4.cab -- Office Update Installation Engine
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab -- Java Plug-in 1.5.0_05
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab -- Java Plug-in 1.5.0_11
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_01
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jin...ndows-i586.cab -- Java Plug-in 1.6.0_07
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/s...sh/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{0CAF49EA-88A2-491B-9155-58032A004691} (Servers: | Description: Broadcom NetXtreme 57xx Gigabit Controller)
{20202D3D-754B-4FCA-893D-65A31D3B2D52} (Servers: | Description: 1394 Net Adapter)
{2F6F5EE2-D20E-4FB0-9816-D8E1B1950BAD} (Servers: | Description: 1394 Net Adapter)
{4940C21F-57DC-4792-99D6-4A438D4B2DF1} (Servers: | Description: Intel(R) PRO/Wireless 3945ABG Network Connection)

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[02/15/2007 18:29:22 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

Autoexec.ex5 []
[02/15/2007 18:29:22 | 00,000,000 | ---- | M] () -- C:\Autoexec.ex5 -- [ NTFS ]



========== Files/Folders - Created Within 30 days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[08/19/2008 21:20:12 | 00,059,392 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\ACQUISITION CORPS #2 - MINORITY MEMBER - CAPT JABALEY (1120).doc
[08/19/2008 21:31:24 | 00,029,895 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\USS DALLAS.pdf
[08/19/2008 21:54:45 | 00,033,792 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\CAPT Jabaley Bio.doc
[08/19/2008 22:08:54 | 01,203,200 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\NTDPS SNADIS Brief to USE 26 Aug 2008 r6.ppt
[08/21/2008 15:43:54 | 00,000,711 | ---- | C] () -- C:\Settings.ini
[08/24/2008 16:39:28 | 01,731,303 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\Pre-Decisional, 2008-08-25, GAO, VA Overview, PMS450W.pdf
[09/03/2008 22:55:18 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\Jabaley Remarks.doc
[09/04/2008 19:04:18 | 00,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[09/04/2008 19:04:24 | 00,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[09/04/2008 19:04:39 | 00,000,974 | ---- | C] () -- C:\WINDOWS\System32\pid.inf
[09/04/2008 19:05:13 | 00,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[09/04/2008 20:26:16 | 00,020,480 | ---- | C] (Ascentive LLC) -- C:\WINDOWS\System32\SysRestore.dll
[09/04/2008 20:26:16 | 00,208,896 | ---- | C] (Ascentive) -- C:\WINDOWS\System32\ConTest.dll
[09/04/2008 20:29:48 | 00,024,576 | ---- | C] (iipl) -- C:\WINDOWS\System32\BAZLib.dll
[09/06/2008 16:10:51 | 00,023,040 | ---- | C] () -- C:\Documents and Settings\crewmember1\My Documents\Jabaley Remarks.doc
[09/08/2008 15:28:20 | 00,376,320 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\DC Final Presentation 07SEP-DBG.ppt
[09/08/2008 15:28:20 | 06,174,720 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 07Sept08-MJD.doc
[09/08/2008 15:34:31 | 00,119,042 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\QPPC #38 Letter & Agenda.pdf
[09/08/2008 16:06:06 | 06,109,184 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 08Sept08-MEJ .doc
[09/10/2008 23:32:03 | 00,143,360 | ---- | C] () -- C:\WINDOWS\edka.exe
[09/10/2008 23:32:57 | 00,000,120 | ---- | C] () -- C:\WINDOWS\System32\tdsspopup1.url
[09/10/2008 23:32:58 | 00,000,120 | ---- | C] () -- C:\WINDOWS\System32\tdsspopup2.url
[09/10/2008 23:32:58 | 00,000,120 | ---- | C] () -- C:\WINDOWS\System32\tdsspopup3.url
[09/11/2008 17:44:28 | 22,999,392 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\masterwanker2008_09_11_3_part1.wmv
[09/12/2008 19:06:41 | 00,000,695 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RogueRemover FREE.lnk
[09/12/2008 19:13:34 | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/12/2008 19:13:35 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[09/12/2008 19:13:35 | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[09/13/2008 07:39:58 | 00,045,056 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\dts key info sheet.doc
[09/14/2008 12:37:36 | 06,276,608 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 13Sept08-MJD2.doc
[09/14/2008 22:41:39 | 19,849,843 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\5461694005.wmv
[09/14/2008 22:43:19 | 19,857,694 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\9865836103.wmv
[09/14/2008 22:48:54 | 06,432,768 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 14Sept08-JHR.doc
[09/15/2008 00:03:07 | 06,367,232 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 14Sept08-MEJ.doc
[09/15/2008 00:32:33 | 00,038,400 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\MMSU-WSATS_091208.ppt
[09/15/2008 22:23:43 | 00,000,570 | ---- | C] () -- C:\Documents and Settings\crewmember1\Desktop\VArestorepolicies.zip
[09/15/2008 22:30:11 | 00,423,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\crewmember1\Desktop\OTViewIt.exe

========== Files - Modified Within 30 days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[08/19/2008 21:20:12 | 00,059,392 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\ACQUISITION CORPS #2 - MINORITY MEMBER - CAPT JABALEY (1120).doc
[08/19/2008 21:31:24 | 00,029,895 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\USS DALLAS.pdf
[08/19/2008 21:54:46 | 00,033,792 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\CAPT Jabaley Bio.doc
[08/19/2008 22:08:59 | 01,203,200 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\NTDPS SNADIS Brief to USE 26 Aug 2008 r6.ppt
[08/21/2008 15:43:54 | 00,000,711 | ---- | M] () -- C:\Settings.ini
[08/24/2008 16:39:31 | 01,731,303 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\Pre-Decisional, 2008-08-25, GAO, VA Overview, PMS450W.pdf
[09/01/2008 21:34:21 | 00,037,888 | ---- | M] () -- C:\Documents and Settings\crewmember1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[09/03/2008 22:55:19 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\Jabaley Remarks.doc
[09/06/2008 16:10:51 | 00,023,040 | ---- | M] () -- C:\Documents and Settings\crewmember1\My Documents\Jabaley Remarks.doc
[09/07/2008 09:05:13 | 00,250,048 | RHS- | M] () -- C:\ntldr
[09/07/2008 09:22:57 | 00,140,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[09/08/2008 08:25:04 | 00,376,320 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\DC Final Presentation 07SEP-DBG.ppt
[09/08/2008 08:25:30 | 06,174,720 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 07Sept08-MJD.doc
[09/08/2008 15:23:14 | 00,054,010 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[09/08/2008 15:23:14 | 00,383,822 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[09/08/2008 15:23:14 | 00,443,556 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[09/08/2008 15:34:32 | 00,119,042 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\QPPC #38 Letter & Agenda.pdf
[09/08/2008 15:51:30 | 00,025,672 | ---- | M] () -- C:\Documents and Settings\crewmember1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[09/08/2008 16:28:24 | 06,109,184 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 08Sept08-MEJ .doc
[09/10/2008 00:03:56 | 00,017,200 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[09/10/2008 00:04:02 | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/10/2008 16:26:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09/10/2008 16:58:37 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[09/10/2008 17:29:16 | 00,143,360 | ---- | M] () -- C:\WINDOWS\edka.exe
[09/10/2008 23:32:57 | 00,000,120 | ---- | M] () -- C:\WINDOWS\System32\tdsspopup1.url
[09/10/2008 23:32:58 | 00,000,120 | ---- | M] () -- C:\WINDOWS\System32\tdsspopup2.url
[09/10/2008 23:32:58 | 00,000,120 | ---- | M] () -- C:\WINDOWS\System32\tdsspopup3.url
[09/11/2008 17:44:28 | 22,999,392 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\masterwanker2008_09_11_3_part1.wmv
[09/12/2008 19:06:41 | 00,000,695 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RogueRemover FREE.lnk
[09/12/2008 19:13:35 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[09/13/2008 07:49:31 | 00,045,056 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\dts key info sheet.doc
[09/13/2008 21:28:50 | 00,023,655 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[09/13/2008 21:50:41 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[09/14/2008 12:37:36 | 06,276,608 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 13Sept08-MJD2.doc
[09/14/2008 21:08:59 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[09/14/2008 21:09:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[09/14/2008 22:41:40 | 19,849,843 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\5461694005.wmv
[09/14/2008 22:43:19 | 19,857,694 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\9865836103.wmv
[09/14/2008 22:48:54 | 06,432,768 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 14Sept08-JHR.doc
[09/15/2008 00:03:08 | 06,367,232 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\DC Draft Final 14Sept08-MEJ.doc
[09/15/2008 00:32:33 | 00,038,400 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\MMSU-WSATS_091208.ppt
[09/15/2008 20:04:48 | 00,023,655 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[09/15/2008 22:23:43 | 00,000,570 | ---- | M] () -- C:\Documents and Settings\crewmember1\Desktop\VArestorepolicies.zip
[09/15/2008 22:30:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\crewmember1\Desktop\OTViewIt.exe

< End of report >
  #7  
Old September 16th, 2008, 03:33 AM
unluckysam unluckysam is offline
New Member
 
Join Date: Sep 2008
Posts: 6
EXTRAS Log:

OTViewIt Extras logfile created on: 9/15/2008 10:30:33 PM - Run 1
OTViewIt by OldTimer - Version 1.0.4.0 Folder = C:\Documents and Settings\crewmember1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 50.38% Memory free
3.85 Gb Paging File | 2.54 Gb Available in Paging File | 65.96% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 45.63 Gb Free Space | 61.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[04/13/2008 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[04/13/2008 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[04/13/2008 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Documents and Settings\siteadmin\Local Settings\Temp\OraInstall2007-02-15_07-00-34PM\jre\1.4.2\bin\javaw.exe:*:Enabled:javaw
[02/15/2007 20:06:24 | 00,028,771 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\jdk\jre\bin\javaw.exe:*:Enabled:javaw
[02/15/2007 20:06:22 | 00,024,673 | ---- | M] () -- C:\oracle\product\10.1.0\db_1\jdk\jre\bin\java.exe:*:Enabled:java
[07/15/2004 13:57:24 | 00,036,864 | ---- | M] (Oracle Corporation) -- C:\mobileclient\bin\webtogo.exe:*:Enabled:WEBTOGO.EXE
[07/12/2004 13:33:52 | 00,184,320 | ---- | M] (Oracle Corporation) -- C:\mobileclient\bin\dmagent.exe:*:Enabled:Oracle Lite DMAGENT
[04/13/2008 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[01/15/2008 04:22:48 | 19,926,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]
[11/16/2006 13:28:00 | 00,374,272 | ---- | M] () c:\WINDOWS\Downloaded Program Files\mimectl.dll (x-excid:{9D6CC632-1337-4a33-9214-2DA092E776F4} (HKLM) [DB2XMLPlugProt Class])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0EF0BA00-C37A-4635-9092-E93E97544439}" = Symantec Real Time Storage Protection Component
"{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}" = Security Update for CAPICOM (KB931906)
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}" = Rhapsody Player Engine
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{27ABD540-0A6E-4288-BFB3-7042C44F34F6}" = ActivCard USB Reader V2 (2.0.3)
"{2D91C34E-12CC-4B1B-90D5-31DAD47B6F48}" = OZ776 SCR CardBus Windows Driver
"{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0150050}" = J2SE Development Kit 5.0 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37477865-A3F1-4772-AD43-AAFC6BCFF99F}" = MSXML 4.0 SP2 (KB927978)
"{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}" = ccCommon
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{40ACEAF4-1EB2-45FC-90C3-6810700C0595}" = Verizon PC Security Checkup
"{44D21B77-D4FC-49E8-A726-CD00D5016703}" = DBsign Web Signer
"{48185814-A224-447A-81DA-71BD20580E1B}" = Norton Internet Security
"{4843B611-8FCB-4428-8C23-31D0A5EAE164}" = Norton Confidential Browser Component
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6846389C-BAC0-4374-808E-B120F86AF5D7}" = Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
"{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}" = Oracle Data Provider for .NET Help
"{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}" = Microsoft Outlook Web Access S/MIME
"{6D6011AC-79B9-4B7A-9062-DDA8ADB20A62}" = What'sBest!
"{6E82345B-C2F5-4BDC-9692-4CBF5E531C9B}" = ActivCard Gold
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC 32bit
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{830D8CBD-C668-49e2-A969-C2C2106332E0}" = Norton AntiVirus
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8AA1A39F-8241-4939-A0BA-7523A9A68FB5}" = NTDPS J2EE 1.4 Application Server
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8F5EE99C-CA1E-11D6-9FE0-0050BA8AEE3E}" = Decision Making with Insight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{903B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{93356AC9-C222-4547-B743-FF1903ACCE04}" = Sprint Mobile Broadband
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-0038-0409-0000-0000000FF1CE}" = Time Zone Data Update Tool for Microsoft Office Outlook
"{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}" = Norton Protection Center
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A90DCEC1-22DE-11D4-B8A9-0050DAB648C6}" = AvantGo Client
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AC76BA86-7AD7-1033-7B44-A81200000003}_Adobe Reader 8.1.2" = Adobe Reader 8.1.2 Security Update 1 (KB403742)
"{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}" = Palm
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}" = Citrix Presentation Server Client
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7C61755-DB48-4003-948F-3D34DB8EAF69}" = MSRedist
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}" = iTunes
"{BD78DE74-95DB-429D-A66F-6306BCEDA640}" = Arena 10.0 (CPR 7)
"{C04E32E0-0416-434D-AFB9-6969D703A9EF}" = MSXML 4.0 SP2 (KB936181)
"{C2444FA0-04AA-4221-B652-73713947ED22}" = Anti-Spyware
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D3386797-A836-4030-AB5D-4E89F2F15F33}" = Authentium
"{D353CC51-430D-4C6F-9B7E-52003DA1E05A}" = Norton Confidential Web Protection Component
"{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}" = Apple Mobile Device Support
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{DDC63227-BA06-4855-B002-BDB49E9F677E}" = Symantec Technical Support Web Controls
"{DF62D775-BB7C-4AFA-9CA4-DDA1C4855F28}" = Dell Mobile Broadband Card Utility
"{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}" = Norton Internet Security
"{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton Internet Security
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EB807EB6-5179-48B7-98D4-7B4934A57A81}" = Documents To Go
"{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F4DB525F-A986-4249-B98B-42A8066251CA}" = AV
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{2D91C34E-12CC-4B1B-90D5-31DAD47B6F48}" = OZ776 SCR CardBus Windows Driver
"InstallShield_{8AA1A39F-8241-4939-A0BA-7523A9A68FB5}" = NTDPS J2EE 1.4 Application Server
"KB888111WXPSP2" = High Definition Audio Driver Package - KB888111
"KB892130" = Windows Genuine Advantage Validation Tool (KB892130)
"KB911564" = Security Update for Windows Media Player (KB911564)
"KB917734_WMP9" = Security Update for Windows Media Player 9 (KB917734)
"KB925398_WMP64" = Security Update for Windows Media Player 6.4 (KB925398)
"KB929399" = Hotfix for Windows Media Format 11 SDK (KB929399)
"KB931906" = Security Update for CAPICOM (KB931906)
"KB936782_WMP11" = Security Update for Windows Media Player 11 (KB936782)
"KB938127-IE7" = Security Update for Windows Internet Explorer 7 (KB938127)
"KB939653-IE7" = Security Update for Windows Internet Explorer 7 (KB939653)
"KB939683" = Hotfix for Windows Media Player 11 (KB939683)
"KB942615-IE7" = Security Update for Windows Internet Explorer 7 (KB942615)
"KB944533-IE7" = Security Update for Windows Internet Explorer 7 (KB944533)
"KB947864-IE7" = Hotfix for Windows Internet Explorer 7 (KB947864)
"KB950759-IE7" = Security Update for Windows Internet Explorer 7 (KB950759)
"KB953838-IE7" = Security Update for Windows Internet Explorer 7 (KB953838)
"KB954154_WM11" = Security Update for Windows Media Player 11 (KB954154)
"Lexmark 640 Series" = Lexmark 640 Series
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"M928366" = Microsoft .NET Framework 1.1 Hotfix (KB928366)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Malwarebytes' RogueRemover FREE_is1" = Malwarebytes' RogueRemover
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel(R) PROSet/Wireless Software
"Qtrax 20080125" = Qtrax 0.2beta (20080125)
"RealPlayer 6.0" = RealPlayer
"Rp Scan and Clean {40ACEAF4-1EB2-45FC-90C3-6810700C0595}" = Verizon PC Security Checkup
"Switch" = Switch Sound File Converter
"SymSetup.{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security (Symantec Corporation)
"WGA" = Windows Genuine Advantage Validation Tool (KB892130)
"WgaNotify" = Windows Genuine Advantage Notifications (KB905474)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-448539723-823518204-839522115-1055\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/2/2008 5:59:20 PM | Computer Name = NTDPS-SERVER | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16705, faulting
module mshtml.dll, version 7.0.6000.16705, fault address 0x00037856.

Error - 9/2/2008 6:00:56 PM | Computer Name = NTDPS-SERVER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/2/2008 6:00:58 PM | Computer Name = NTDPS-SERVER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/8/2008 4:46:50 PM | Computer Name = NTDPS-SERVER | Source = Application Error | ID = 1000
Description = Faulting application dot1xcfg.exe, version 10.1.0.79, faulting module
msvcrt.dll, version 7.0.2600.5512, fault address 0x000378c0.

Error - 9/11/2008 7:41:57 AM | Computer Name = NTDPS-SERVER | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16705, faulting
module vmgspntbmtk.dll, version 0.0.0.0, fault address 0x00004d18.

Error - 9/11/2008 5:23:57 PM | Computer Name = NTDPS-SERVER | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16705, faulting
module kernel32.dll, version 5.1.2600.5512, fault address 0x00012aeb.

Error - 9/11/2008 5:24:04 PM | Computer Name = NTDPS-SERVER | Source = Application Error | ID = 1001
Description = Fault bucket 882266704.

Error - 9/11/2008 5:48:30 PM | Computer Name = NTDPS-SERVER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/11/2008 5:48:34 PM | Computer Name = NTDPS-SERVER | Source = Application Hang | ID = 1001
Description = Fault bucket 854786114.

Error - 9/13/2008 9:30:50 PM | Computer Name = NTDPS-SERVER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 9/13/2008 9:34:39 PM | Computer Name = NTDPS-SERVER | Source = SCardSvr | ID = 602
Description = WDM Reader driver initialization cannot open reader device: The system
cannot find the path specified.

Error - 9/13/2008 9:36:40 PM | Computer Name = NTDPS-SERVER | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 9/13/2008 9:36:40 PM | Computer Name = NTDPS-SERVER | Source = Service Control Manager | ID = 7000
Description = The Smart Card Reader service failed to start due to the following
error: %%20

Error - 9/13/2008 9:50:39 PM | Computer Name = NTDPS-SERVER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 9/14/2008 8:37:17 AM | Computer Name = NTDPS-SERVER | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0019D247ECFE has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 9/14/2008 9:09:05 PM | Computer Name = NTDPS-SERVER | Source = SCardSvr | ID = 602
Description = WDM Reader driver initialization cannot open reader device: The system
cannot find the path specified.

Error - 9/14/2008 9:09:16 PM | Computer Name = NTDPS-SERVER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 9/14/2008 9:10:28 PM | Computer Name = NTDPS-SERVER | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 9/14/2008 9:10:28 PM | Computer Name = NTDPS-SERVER | Source = Service Control Manager | ID = 7000
Description = The Smart Card Reader service failed to start due to the following
error: %%20

Error - 9/15/2008 8:04:41 PM | Computer Name = NTDPS-SERVER | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.206 on
the Network Card with network address 0015C5CEFEEF.


< End of report >
  #8  
Old September 16th, 2008, 03:44 AM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 40,824
Blog Entries: 1
Malwarebytes is a free scan available for public use, but the other tools we use here are primarily non-commercial use only. I mention this because the logs identify this system as one used for obviously more than just a personal home computer. As such I can at this time only suggest you now ask those in charge of IT repairs where you work to follow up with any repairs on this system.

To add to that so you might understand, this system also has specialty software, as well as unique access settings our scans may not be pre-set for, and use of them could cause damage to that software and those settings.
  #9  
Old August 29th, 2009, 12:51 AM
arckangel6983 arckangel6983 is offline
New Member
 
Join Date: Aug 2009
O/S: Windows Vista 32-bit
Location: California
Posts: 23
As per the CTH guidelines for the Malware Removal Forum shown Here, this post has been deleted. Members who have not been approved by the CTH Staff to provide infection removal/repair steps are prohibited from posting advice. Please disregard any information/steps that had been posted here.

Last edited by Jintan; August 29th, 2009 at 01:05 AM.
All times are GMT +1.